Developing Secure Software Course
I do want to highlight a course that came up during the Open Source Software Security Summit II a couple of weeks ago. The importance of teaching secure software development principles was one of the recommendations to improve the resiliency of open source software. Good news – the LF offers the “Developing Secure Software” (LFD121) course. It focuses on the fundamentals of developing secure software. Both the course and certificate of completion are free. It is entirely online, takes about 14-18 hours to complete, and you can go at your own pace. Those who complete the course and pass the final exam will earn a certificate of completion valid for two years.
It is geared towards software developers, DevOps professionals, software engineers, web application developers, and others interested in learning how to develop secure software. It focuses on practical steps that can be taken, even with limited resources, to improve information security.
Why is it needed? Many software developers have never been told how to effectively counter the ever-increasing barrage of cyberattacks. This course explains the fundamentals of developing secure software. A basic security principle applies: build it more secure in the beginning and you will spend less time fending off attacks later. From the course description:
This course starts by discussing the basics of cybersecurity, such as what risk management really means. It discusses how to consider security as part of the requirements of a system, and what potential security requirements you might consider. This first part of the course then focuses on how to design software to be secure, including various secure design principles that will help you avoid bad designs and embrace good ones. It also considers how to secure your software supply chain, that is, how to more securely select and acquire reused software (including open source software) to enhance security. The second part of this course focuses on key implementation issues: input validation (such as why allowlists should be used and not denylists), processing data securely, calling out to other programs, sending output, and error handling. It focuses on practical steps that you (as a developer) can take to counter the most common kinds of attacks. The third part of the course discusses how to verify software for security. In particular, it discusses the various static and dynamic analysis approaches, as well as how to apply them (e.g., in a continuous integration pipeline). It also discusses more specialized topics, such as the basics of how to develop a threat model and how to apply various cryptographic capabilities.
You can learn more about the course and enroll for free here.
We are always working to improve and expand what we offer. There are a lot of exciting announcements coming up next month during the Open Source Summit North America, including insights from our 10th Annual Open Source Jobs Report, the winners of the 500 LiFT Scholarships for 2022, some new training courses, and more. Even if you aren’t able to attend, keep an eye out for our announcements. Some exciting stuff, but I have said too much already. Sign up for the newsletter so you are the first to know when new courses are offered, and – arguably more importantly – get access to promotions. I mean – new skills and saving money, how can you say no?
I hope you have an opportunity to take some of our courses and become certified. You will be a better person for it.