New cheat sheet proposal: Best Practices for sharing online code #44

Closed
briancyber opened this issue Mar 20, 2019 · 4 comments
Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. HELP_WANTED Issue for which help is wanted to do the job. NEW_CS Issue about the creation of a new cheat sheet.
Comments

@briancyber

briancyber commented Mar 20, 2019

Good day,

As requested by Dominique, here's my question to the group.

I am trying to compile a list of best practices in my business on how to share code responsibly and securely.

In basic terms, I’m trying to come up with a sort of checklist for our coders, like best practices or do’s and don’ts, on how to make sure your code is clean to post online to open source repositories like GitHub and others.

Because right now, it’s like the wild, wild west. Upper management is telling coders to do everything in the cloud and share your code, but they do so carelessly.

In short, I am trying to see if you offer such a list or ideas on what to do, like an OWASP Top 10.

Stuff I know I need my coders to look for is:

  • Ensuring that no internal server names or IP addresses are posted in the code
  • To use caution when posting DBs and ensuring that they only contain non-sensitive / test data and not actual client data.
  • Usernames, passwords, private keys to be removed and /or replaced as appropriate
  • Scan code with security tool

If you do have guidelines or a checklist for this type of security / sanitization, I would appreciate being guided towards them.

Here are the answers to the template for new issues/proposal:

  1. Which security issues are brought up or commonly met when someone must work on this topic?
    Safe sharing of corporate code information and apps, without leaking corporate data, and simply being more vigilant.
  2. What is the objective of the cheat sheet?
    Help out the community on best practices for sharing clean code online (not only format, but what to include and what not to include)
  3. What will the CS bring to the reader?
    Another great arsenal for the OWASP community and a safer internet

Any help on this subject is greatly appreciated.

Best Regards,

Brian Maher
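The checklist items above (internal IP addresses and hostnames, hard-coded credentials, private keys) turned into a pre-publish scan, written here as an added example for this issue and not taken from the OWASP cheat sheet project; the internal hostname suffixes, the credential key names, the placeholder list and the sample file contents are all assumptions:

```python
import ipaddress
import re

# Checklist items from the issue: internal IPs/hostnames, hard-coded credentials,
# private keys. Hostname suffixes and credential key names are assumptions.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
INTERNAL_HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:corp|internal|local|lan)\b", re.I)
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")
CREDENTIAL_RE = re.compile(
    r"(?:password|passwd|secret|api[_-]?key|token)(?:[_-]?key)?\s*[:=]\s*['\"]?([^\s'\"]+)", re.I)
PLACEHOLDERS = {"none", "null", "changeme", "<redacted>", "xxx", "example"}

def is_internal_ip(candidate: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses; False if public or malformed."""
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:  # e.g. "999.1.1.1" matches the regex but is not an address
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local

def scan_text(text: str, filename: str = "<stdin>") -> list:
    """Return (filename, line_number, description) tuples for every checklist hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for ip in IPV4_RE.findall(line):
            if is_internal_ip(ip):
                findings.append((filename, lineno, f"internal IP address {ip}"))
        for host in INTERNAL_HOST_RE.findall(line):
            findings.append((filename, lineno, f"internal hostname {host}"))
        if PRIVATE_KEY_RE.search(line):
            findings.append((filename, lineno, "private key material"))
        m = CREDENTIAL_RE.search(line)
        if m and m.group(1).lower() not in PLACEHOLDERS:  # placeholders are fine to publish
            findings.append((filename, lineno, "hard-coded credential"))
    return findings

# Constructed sample file contents, not taken from any real repository.
SAMPLE = """\
DB_HOST = "10.20.30.40"
REPORT_HOST = "intranet.corp"
password = "hunter2"
PUBLIC_DNS = "8.8.8.8"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE, "sample.py"):
        print("%s:%d: %s" % hit)
```

Run `scan_text` over every tracked file before the repository is made public; a public address such as 8.8.8.8 or a placeholder value like `changeme` is not reported, while each real hit names the file and line to fix.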

@briancyber briancyber added ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. NEW_CS Issue about the creation of a new cheat sheet. labels Mar 20, 2019
@righettod
Member

righettod commented Mar 21, 2019

Hi,
Unfortunately we do not have such content yet.
So I have converted your question to a new CS issue and added it to the backlog.

@righettod righettod added ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. HELP_WANTED Issue for which help is wanted to do the job. and removed ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. labels Mar 21, 2019
@righettod righettod added this to the Roadmap 2019 milestone Mar 21, 2019
@righettod righettod changed the title Best Practices for sharing online code Cheat sheet update/refactor proposal: Best Practices for sharing online code Mar 21, 2019
@righettod righettod changed the title Cheat sheet update/refactor proposal: Best Practices for sharing online code New cheat sheet proposal: Best Practices for sharing online code Mar 21, 2019
@rbsec
Contributor

rbsec commented Sep 29, 2019

NCSC's Secure Developer Guidelines could be a basis for this.

Some key areas:

  • Choosing a repository for code (public vs private cloud vs internally hosted)
  • Access control
    • Access to repo
    • Push rights to key branches
  • Backups
  • Avoiding sensitive data in repo
  • Migrating code from private to public repos
    • Squashing commits/rewriting history
  • Code reviews/change management (not really sure if this is appropriate here?)

Thoughts?

@mackowski
Collaborator

It looks like a good start, but I am not sure if this is in the scope of this project.

@mackowski
Collaborator

We did not do anything about it for over a year, so I will close it.


4 participants