I wrote a pair of blog posts for work that came out last month!
Many developers don’t feel qualified to make security decisions. In many ways, that’s a perfectly healthy attitude to have: Security decisions are hard, and even folk with training make mistakes. But a healthy respect for a hard problem shouldn’t result in decisions that make a hard problem even harder to solve. Sometimes, we need to recognize that a lot of architectural decisions in a project are security decisions, whether we like it or not. We need to figure out how to make better choices.
The posts are about how to do very simple security risk assessments on open source packages, so you can make more informed choices about what you include in your code and get a sense of what makes a library look scary to security folk. They’ve got lots of real-life examples of things we’ve seen, good, bad and embarrassing, and there’s a nice scorecard at the end that you can use to help you do quick assessments of your own. There are even some cat memes included!
I’m pretty proud to be able to share some of the things we’ve learned about open source security risk with the greater world, and since these posts fall in the category of “things I’ve made”, I thought I’d link them here. Hope you like them!