Our great sponsors
-
SurveyJS
Open-Source JSON Form Builder to Create Dynamic Forms Right in Your App. With SurveyJS form UI libraries, you can build and style forms in a fully-integrated drag & drop form builder, render them in your JS app, and store form submission data in any backend, inc. PHP, ASP.NET Core, and Node.js.
-
oss-vulnerability-guide
A guide on coordinated vulnerability disclosure for open source projects. Includes templates for security policies (security.md) and disclosure notifications. (by ossf)
-
cli
JavaScript security CLI that allow you to deeply analyze the dependency tree of a given package or local Node.js project. (by NodeSecure)
-
harden-runner
Network egress filtering and runtime security for GitHub-hosted and self-hosted runners
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
As I was working on an open source security project, I put pressure on myself to be ready. Also as a member of the Node.js Security WG I thought it was an interesting topic and that I was probably not the only one who was worried about not being up to the task 😖.
The OSSF scorecard initiative is really good to assess your project against security best practices. I am not the first to write about this.
I don't want to bullshit you, so let me share with you the OpenSSF guide that helped me set up my first reporting strategy: Guide to implementing a coordinated vulnerability disclosure process for open source projects.
📢 By the way NodeSecure CLI has a first-class support of the scorecard.
Fortunately there is a great free online tool that help you by doing all the hard work (it will open a pull-request and automatically fix issues).