Workshop
Intermediate

Practical Security Guide for OSS Developers

Rejected

Session Description

Open Source Software (OSS) powers the modern digital world — but with great power comes great responsibility. In an age of increasing supply chain attacks and vulnerabilities, securing open source projects is no longer optional. However, most OSS developers operate with minimal resources, limited time, and without dedicated security teams/guidance.

This hands-on workshop is designed specifically for open source developers who want to learn how to build and maintain secure software with limited resources. We’ll explore practical, actionable techniques to secure the OSS development lifecycle — from securing source code and managing dependencies to hardening CI/CD pipelines and publishing software securely.

We will more or less cover the following:

  • Security while coding

    • Using security linters and useful extensions

  • Security in Version Control System

    • Securing your VCS (Git)

      • Security best practices in Git

    • Implementing security using Git Hooks

    • A case for using tools like gittuf, talisman and gitguardian

  • Implementing security in Continuous Integration (CI) pipeline

    • Static Analysis tools to identify security issues and secrets

    • Dependency & Vulnerability Scanning

  • Securing your CI pipeline (Woodpecker CI)

  • Publishing your OSS projects securely

    • Publishing your OSS inventory

    • Securing the build artifacts

  • OpenSSF ecosystem and how you can leverage it to secure your OSS lifecycle

  • Real world case-studies

Key Takeaways

Open Source Developers will gain practical knowledge around tools and techniques to secure OSS projects that can be implemented immediately

Open Source Developers will understand the security ecosystem and efforts to secure OSS which they can use to build a security process for their projects.

References

Session Categories

Other
Security
Which track are you applying for?
Main track

Speakers

Bharath
Security Engineer PhonePe | Disruptive Labs
https://disruptivelabs.in
Prateek
Security Engineer PhonePe

Reviews

Approvability: 85% (6 Approvals, 1 Rejection, 0 Not Sure)

I think this workshop will be useful at many levels as it takes care of covering each step across coding, git, actions runner.

Reviewer #1
Approved

This looks like good content. Any nod you can make to implementing this on not-GitHub would be highly appreciated.

Extra credit if you run it on a self-hosted git server

Reviewer #2
Approved
Reviewer #3
Approved

Reviewer #4
Approved
Reviewer #5
Approved
Reviewer #6
Approved

We appreciate you taking the time to submit your proposal for IndiaFOSS 2025. After careful consideration, we have decided to pass on your submission. The quality of proposals this year was exceptionally high, and we selected other workshops that we believe were a more fitting match for the general IndiaFOSS audience.

Reviewer #7
Rejected