Hello again #AppSec friends, and welcome to sprint four of OneHourAppSec.
After our adventures with automation last sprint, it’s time for us to get stuck back into our foundations and make sure we are securing our source code.
Without source code, there is no software. That’s not philosophy, it’s fact. Not only do we need to make sure we write high-quality code but also that we protect that code through its life.
This sprint we will take a look at some of the foundations of securing our source code, from access control, to configuration and beyond. These beautiful basics ensure that the root of our software success is given the security attention it deserves.
Our goals for this sprint:
- Examine the ways in which source code can be vulnerable and what steps we can take to protect it
- Review the source code security for a project and take steps to improve it
Without source code, we would all be unemployed so let’s celebrate and protect our most precious bits and pieces – let’s go!👏
📽️ [VIDEO] Introducing Sprint 4 (3 minutes)
Your introduction to sprint four, where we start to protect your source code, the source of all software and software vulnerabilities.
📽️ [VIDEO] Why protecting our source code is as important as writing good code? (7 minutes)
In this short video we will look at why your source code is a valuable target for attackers and needs to be protected.
📑 Securing your GitHub Repository (5 mins)
If your source code is stored in GitHub, read this handy guide from GitHub HQ on how to secure your repositories.
📑 Securing your GitLab Repository (5 mins)
If your source code is stored in GitLab, read this handy guide from GitLab HQ on how to secure your repositories.
📑 Securing your BitBucket Cloud (5 mins)
If your source code is stored in BitBucket Cloud, read this handy guide from Atlassian on how to secure your repositories.
📽️ [VIDEO] The importance of access control for source code (5 minutes)
Join Laura as she discusses why access control is a critical part of protecting our source code and how this involves more than just your version control system.
📑 Review the configuration of a source code repository (35 minutes)
Now you know what to look for, its time to get going. Using the relevant guidelines from above, review one of your software repositories and add any changes or work to be done to your security debt list.
Tip: There are tools on each of these checklists that we have yet to cover in this program, don’t worry if you need a little help. We will revisit these in much more depth soon.