Slide 1

Secure Library Development
May 24, 2024, Nextbeat Tech Bar: The First Discussion on Library Development
Yuki Yamazaki
Practical OSS Security with OpenSSF

Slide 2

Introduction
Yuki Yamazaki (a.k.a. kamiazya)
github.com/kamiazya @kamiazya
iRidge, Inc.: development, maintenance, and operation of a mobile application development support kit (SaaS + SDK).

Slide 3

Hobbies: npm Library Development
ts-graphviz: a TypeScript-friendly Graphviz wrapper npm library, 2,000,000+ downloads/month.
github.com/ts-graphviz/ts-graphviz
Sponsor: opencollective.com/ts-graphviz

Slide 4

“Dependency Vulnerabilities”
(Comic: “Dependency”, source: xkcd.com/2347, CC-BY-NC-2.5 license)
Security is critical in library development: libraries support many applications.

Slide 5

Security Concerns in Library Development
🤔 Is the security of my library sufficient?
Where should I start with security measures?
A lack of security knowledge makes it difficult to evaluate.

Slide 6

Discovery of OpenSSF
● Established in 2020 under the Linux Foundation.
● Aims to ensure the sustainable safety of OSS development, maintenance, and use.
● Promotes initiatives to secure OSS itself and its supply chain.
github.com/ossf @openssf openssf.org

Slide 7

3 Security Measures Implemented in ts-graphviz
As an OSS user, understanding OSS security measures helps in developing more secure software.
To inspire security enhancements in other projects from

Slide 8

1. OpenSSF Guides
Comprehensive guidelines to improve the security of open source software. Useful for both OSS developers and users.
openssf.org/resources/guides
github.com/ossf/wg-best-practices-os-developers
● Principles for Package Repository Security
● Concise Guide for Developing More Secure Software
● Concise Guide for Evaluating Open Source Software
● Compiler Options Hardening Guide for C and C++
● Guide to becoming a CVE Numbering Authority as an Open Source project
● Source Code Management Best Practices Guide
● npm Best Practices Guide
● Guidance for Security Researchers to Coordinate Vulnerability Disclosures with Open Source Software Projects
● Guide to Implementing a Coordinated Vulnerability Disclosure Process for Open Source Projects

Slide 9

2. OpenSSF Best Practices Badge
github.com/coreinfrastructure/best-practices-badge
www.bestpractices.dev
For OSS developers: OSS developers can self-certify their projects by answering security-related questions. By working to meet the criteria, you can make your packages more secure.

Slide 10

2. OpenSSF Best Practices Badge
github.com/coreinfrastructure/best-practices-badge
www.bestpractices.dev/ja
For OSS users: OSS users can evaluate whether a project follows best practices. Helps in selecting safer OSS for use, by confirming the safety of the projects you want to use.

Slide 11

3. OpenSSF Scorecard
A tool that automatically checks and evaluates security risks.
github.com/ossf/scorecard
securityscorecards.dev
Can be integrated with CI tools for continuous evaluation. Installable in <10 mins on GitHub Actions. Automatically publishes reports when integrated with CI.
https://scorecard.dev/viewer/?uri=github.com/ts-graphviz/ts-graphviz

Slide 12

OpenSSF is also promoting various other projects.

Slide 13

Summary
Utilizing OpenSSF initiatives has enabled me to confidently advance the security measures for ts-graphviz.
Provides safer libraries for users.

Slide 14

Let's Create More Secure Software with OpenSSF Initiatives.

Slide 15

Thank You for Your Attention!

Slide 16

Additional Information
Links are also provided within the slides. Links to official websites and other resources are provided at the top of the slides.

Slide 17

Q&A
Q. What specific measures do OSS developers take?
A. For example, measures include protecting the default branch, testing in CI, static analysis, fuzzing, and setting up two-factor authentication, among others. It's recommended to work on obtaining the best practices badge introduced today as part of these measures, as it covers a wide range of security practices. For those who are not OSS developers, reading guides like "Concise Guide for Developing More Secure Software" can deepen your understanding.

Slide 18

Q&A
Q. What is the current status and progress of the security measures in the ts-graphviz project?
A. It’s challenging to set a definitive goal for security, so I believe it’s an ongoing process. Security measures are not something that can be completed once; they require continuous efforts. For instance, in the ts-graphviz project, we are continuously advancing our security measures. Security must be constantly updated and improved to respond to evolving threats. While we use OpenSSF guidelines and tools to enhance our security, there is no such thing as perfect security. It’s essential to continuously improve the ability to manage risks and respond appropriately.

Slide 19

“Supply chain threats”
(Figure: SLSA 1.0 supply chain threats diagram, https://slsa.dev/spec/v1.0/threats-overview. Flow: Producer → Source → Build → Package → Consumer, with Dependencies feeding into Build.)
● Source threats: submit unauthorized change; compromise source repo.
● Build threats: build from modified source; compromise build process; upload modified package; compromised package registry; use compromised package.
● Dependency threats: use compromised dependency.
Even software that is not directly related to security faces various threats before reaching the user, including those in the supply chain. It is important to protect the software throughout the entire process.

Slide 20

Needs Your Support!
🌟 Star the project on GitHub
🐛 Report bugs
💰 Financial support
Contribute to development
Any form of support is greatly appreciated, so thank you in advance!
ts-graphviz Project