If you're a programmer and you've heard it once, you've heard it a thousand times. "Build security into your programs!" That's easy to say, but how, exactly, do you do that? The Linux Foundation's Open Source Security Foundation (OpenSSF) has an answer: a set of three free classes and a certification program to get your security skills up to speed.
The three free courses on how to develop secure software will be offered on the edX learning platform. These classes are intended for the full range of software developers, including DevOps professionals, software engineers, and web application developers. Indeed, anyone interested in learning how to develop secure software will find these courses useful. Besides teaching you how to develop secure software, they also deal with how to reduce damage when a bug is found. They will also help you learn how to quickly analyze and fix security holes when they are found.
The classes are:
- Secure Software Development: Requirements, Design, and Reuse
- Secure Software Development: Implementation
- Secure Software Development: Verification and More Specialized Topics
The courses focus on practical developer steps you can use to counter the most common kinds of attacks.
Specifically, they dig into common risks and requirements, design principles, and evaluating code (such as packages) for reuse. They also focus on key implementation issues, including input validation, processing data securely, calling out to other programs, sending output, cryptography, error handling, and incident response. This is followed by a discussion on various kinds of verification issues, including security testing and penetration testing, and security tools. The classes conclude with a discussion on deployment and handling vulnerability reports.
The OpenSSF training program includes a Professional Certificate program: Secure Software Development Fundamentals. Enrollment for the courses and certificate is open now. Course content and the Professional Certificate program tests will become available on Nov. 5.
This is an online, self-paced program. The coursework was created by the well-known David A. Wheeler, the Linux Foundation's Director of Open Source Supply Chain Security. OpenSSF and edX estimate it will take an hour or two a week for five months to master the coursework and be able to pass the certification test. While the classes are free, the certification program currently costs a discounted $537.30.
Mike Dolan, The Linux Foundation's Senior VP and GM of Projects, said: "We're excited to offer the Secure Software Development Fundamentals professional certificate program to support an informed talent pool about open source security best practices." You should be excited, too. As the recent 2020 Open Source Jobs Report showed, demand is higher than ever for open-source and Linux-savvy employees, and 52% of hiring managers are more likely to hire you if you have appropriate certification.
One final note: the OpenSSF is incorporating the Core Infrastructure Initiative (CII) projects. CII has been working on securing older, popular open-source programs, which were not receiving enough funding. These programs include the CII Census, a quantitative analysis to identify critical OSS projects; the CII Best Practices badge project; and the CII FOSS Contributor Survey, a quantitative survey of OSS developers. Both will become part of the OpenSSF Securing Critical Projects working group. These efforts will continue to be implemented by the Laboratory for Innovation Science at Harvard (LISH).