I’m a Sr. Security Engineer, and after seeing the latest incidents and news, this is what I’d recommend to engineering teams and developers out there.

After the LiteLLM supply chain compromise on PyPI, the Axios npm compromise, and Anthropic's exposure of Claude Code internals through a release packaging mistake, one thing is clear: your codebase is not the only thing you need to protect. Your package pipeline, build path, and release process now matter just as much.

[1] Pin versions, commit lockfiles, and stop pulling “latest” in CI
- If your build grabs whatever was published a few minutes ago, you are letting the internet choose your production inputs.
- Use exact versions, commit lockfiles, and add a small cooldown before new packages can enter staging or prod.

[2] Keep your dependency tree small and review critical packages properly
- Every package brings maintainers, transitive dependencies, install scripts, and release workflows into your trust boundary.
- Be extra careful with packages that sit in auth, crypto, HTTP clients, AI gateways, and CI tooling.

[3] Make builds isolated, reproducible, and boring
- Build from clean environments, not from a developer laptop full of cached state and old credentials.
- Use internal mirrors, approved registries, and separate publishing from day to day development work. LiteLLM’s own post-incident changes went in this direction for a reason.

[4] If you installed a bad version, assume credential theft until proven otherwise
- Rolling back the package is not enough if the malicious code ran during install.
- Revoke and rotate secrets, inspect build logs, check outbound traffic, and review what that machine could access. Axios guidance explicitly treated this as a potential full compromise scenario.

[5] Add supply chain guardrails that still work when humans are tired
- Turn on dependency scanning, image scanning, SBOM generation, review gates for version bumps, and alerts for unusual install-time network calls.
- These controls matter because many modern package attacks abuse normal release behavior, not obvious malware paths.

[6] Separate build credentials from developer credentials
- A lot of these attacks start with a stolen maintainer token. If your CI/CD uses the same identity and long-lived tokens as your devs, one account can poison your whole release path.
- Use Trusted Publishers with OIDC, keep release accounts separate from daily dev accounts, enforce MFA, and prefer short-lived publishing credentials scoped to one release.

Your app can have clean code and still get compromised through the release pipeline. That is why package security, build security, and credential hygiene now matter just as much as application security.

-- 📢 Follow saed for more & subscribe to the newsletter: https://lnkd.in/eD7hgbnk
I am now on 📸 Instagram: instagram.com/saedctl say hello, DMs are open
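
As an added illustration of point [1] above (not code from the post's author), the following CI gate rejects floating specifiers, dependencies absent from the lockfile, and locked versions still inside a cooldown window. The package names, versions, publish dates and the 7-day default are constructed assumptions; a real gate would read the manifest, the lockfile and the registry's publish times.

```python
import re
from datetime import datetime, timedelta, timezone

# Exact pin = one bare version (1.7.2); ranges, tags and wildcards float.
EXACT = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

def audit_dependencies(manifest, locked, published, now, cooldown_days=7):
    """Return sorted (package, problem) tuples; an empty list passes the gate."""
    findings = []
    for name, spec in manifest.items():
        pinned = bool(EXACT.match(spec))
        if not pinned:
            findings.append((name, f"floating specifier {spec!r}"))
        version = locked.get(name)
        if version is None:
            findings.append((name, "missing from lockfile"))
            continue
        if pinned and spec != version:
            findings.append((name, f"lockfile has {version}, manifest pins {spec}"))
        released = published.get((name, version))
        if released is None:
            # Unknown age is treated as a failure rather than silently allowed.
            findings.append((name, f"no publish time known for {version}"))
        elif now - released < timedelta(days=cooldown_days):
            age = (now - released).days
            findings.append((name, f"{version} is {age}d old, cooldown is {cooldown_days}d"))
    return sorted(findings)

# Constructed sample data: package names, versions and dates are made up.
UTC = timezone.utc
NOW = datetime(2025, 1, 15, tzinfo=UTC)
MANIFEST = {"auth-lib": "4.2.0", "http-client": "^1.7.0",
            "left-util": "2.0.1", "ci-helper": "latest"}
LOCKED = {"auth-lib": "4.2.0", "http-client": "1.7.9", "left-util": "2.0.1"}
PUBLISHED = {("auth-lib", "4.2.0"): datetime(2024, 6, 1, tzinfo=UTC),
             ("http-client", "1.7.9"): datetime(2025, 1, 14, tzinfo=UTC),
             ("left-util", "2.0.1"): datetime(2023, 3, 1, tzinfo=UTC)}

if __name__ == "__main__":
    for package, problem in audit_dependencies(MANIFEST, LOCKED, PUBLISHED, NOW):
        print(f"BLOCK {package}: {problem}")
```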
How to Improve Open Source Security Practices
Summary
Open source security practices involve protecting not just the code itself, but also the tools, processes, and supply chains used to build and distribute software. With most organizations relying heavily on open source components, improving these practices is essential to prevent vulnerabilities and keep systems safe from attacks.
- Secure your dependencies: Always use trusted versions of open source libraries, pin exact dependencies, and avoid adopting new packages without reviewing their reputation and risks.
- Maintain access controls: Enforce two-factor authentication, set up role-based permissions, and regularly audit who can access your repositories and code pipelines.
- Automate security checks: Integrate automated code scanning, vulnerability management, and credential protection throughout your development and release workflows.
🛑 Strengthening Security for Open Source Projects on GitHub 🛑

Open source security has become a priority for industries and governments, with regulations such as the US EO 14028 on cybersecurity, the EU Cyber Resilience Act (CRA), and other global efforts placing increased responsibility on maintainers & organizations to secure the software supply chain. Whether managing a small repo or a large GH org, you must take proactive steps to secure your codebases and protect your users, contributors, and ecosystem.

✅ To help with that, here’s a checklist of key security best practices that you can implement for GH-based projects:

Identity and Access Management
☑️ Enforce 2FA for all org members & collaborators
☑️ Use GH's role-based access controls
☑️ Regularly audit team and member access to repositories

Code Change Management
☑️ Enable branch protection rules
☑️ Use CODEOWNERS to assign reviewers for specific files or directories
☑️ Mandate signed commits using GPG or GH's verified commit signing

Security During Development
☑️ Implement structured code reviews emphasizing security hygiene
☑️ Integrate GH advanced security tools (code scanning, secret scanning for credential leaks, dependabot for automated dependency updates, and vulnerability alerts)
☑️ Use the GH Advisory Database to inform dependency choices
☑️ Complement with 3rd party tools for deeper or language-specific analysis

CI/CD Security
Secure GH Actions workflows by:
☑️ Pinning action versions
☑️ Using permissions blocks to minimize token access
☑️ Avoiding untrusted PRs from running with secrets
☑️ Setting up ephemeral environments and ensuring artifact integrity
☑️ Monitor CI/CD pipelines as part of your attack surface

Policies & Process
☑️ Publish a SECURITY.md file, include vulnerability disclosure policy & contact details
☑️ Set up a point of contact for triaging & fixing reported vulnerabilities
☑️ Use GH Security Advisories to privately coordinate fixes and publish transparent disclosures

Open Source Maturity & Benchmarking
☑️ Achieve the OpenSSF Best Practices Badge https://lnkd.in/dNZ-DAjX
☑️ Run OpenSSF Scorecard https://lnkd.in/dy4DGVeK
☑️ Track progress over time using Scorecard metrics and GH Insights

People & Education
☑️ Provide security training for contributors & maintainers
☑️ Use tools like Allstar to enforce security policies across your org

📕 Download ebook: "Recommended Practices for Hosting and Managing Open Source Projects on GitHub": https://lnkd.in/djf5729z.

📣 Security is a shared responsibility. The tools exist, the standards are emerging, and the open source community is better equipped than ever to defend itself. Every open source project is part of someone’s software supply chain. Acting with transparency and adopting layered security practices is part of maintaining that trust.

#OSPO #OpenSource #Security
The Linux Foundation, Linux Foundation Japan, Linux Foundation Europe, OpenChain Project, SPDX SBOM, OpenSSF
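
To make the CI/CD items in the checklist above concrete, here is an added example (not from the post or from GitHub) of a small linter for a GitHub Actions workflow file. It flags `uses:` references that are not pinned to a full commit SHA, the `pull_request_target` trigger, and a missing top-level `permissions:` block. The sample workflow, the `example-org/setup-tool` action and its SHA are constructed placeholders, and the line-based matching is a simplification that ignores job-level `permissions:`.

```python
import re

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")            # full commit SHA, not a tag or branch
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # a step or job "uses:" reference

def audit_workflow(text):
    """Return (line_number, problem) tuples; line 0 marks a whole-file finding."""
    findings = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if re.match(r"^permissions:", line):
            has_permissions = True
        if re.search(r"\bpull_request_target\b", line):
            findings.append((lineno, "pull_request_target exposes secrets to PR-triggered runs"))
        match = USES.match(line)
        if match:
            target = match.group(1)
            if target.startswith(("./", "docker://")):
                continue  # local actions and container images are out of scope here
            ref = target.partition("@")[2]
            if not SHA_PIN.match(ref):
                findings.append((lineno, f"{target} is not pinned to a commit SHA"))
    if not has_permissions:
        findings.append((0, "no top-level permissions block; token keeps default scopes"))
    return findings

# Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
      - run: make test
"""

if __name__ == "__main__":
    for lineno, problem in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {problem}")
```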
-
As an industry, we’ve poured billions into #ZeroTrust for users, devices, and networks. But when it comes to software - the thing powering every modern business, we’ve made one glaring exception: OPEN SOURCE SOFTWARE!

Every day, enterprises ingest unvetted, unauthenticated code from strangers on the internet. No questions asked. No provenance checked. No validation enforced. We assume OSS is safe because everyone uses it. But last week’s #npm attacks should be a wake-up call. That’s not Zero Trust. That’s blind trust.

If 80% of your codebase is open source, it’s time to extend Zero Trust to the software supply chain. That means:
• Pin every dependency.
• Delay adoption of brand-new versions.
• Pull trusted versions of OSS libraries where available. #Google's Assured OSS offering is a good one for this.
• Assess health and risk of malicious behavior before you approve a package.
• Don’t just scan for CVEs—ask if the code is actually exploitable. Use tools that give you evidence and control, not just noise.

I wrote more about this in the blog linked 👇

You can’t have a Zero Trust architecture while implicitly trusting 80% of your code. It's time to close the gap and mandate Zero Trust for OSS.

#OSS #npmattacks #softwaresupplychainsecurity
-
If you’re looking to practice DevSecOps — here are 2 projects you should definitely check out (and the key processes you should know).

TL;DR: DevSecOps = DevOps + Security, built in from the start.

When I started exploring this practice, I realized I was already using parts of it in my day-to-day work. The security layer wasn’t just about adding tools — it was about thinking end-to-end across the whole DevOps workflow.

Here are the few key components:
→ Security Checks & Scans: Catch issues early with automated code and app security tests.
→ Vulnerability Management: Scan, prioritize, and patch vulnerabilities regularly.
→ Threat Modeling: Identify possible risks and plan mitigations before release.
→ Key Management: Keep secrets, API keys, and certificates secure.
→ CI/CD with Security: Automate builds and deployments with security gates built in.
→ Infrastructure as Code (IaC): Define infra in code for consistency and secure provisioning.
→ Container Security: Scan images and protect containers during runtime.
→ Continuous Monitoring: Track logs, activity, and network traffic for anomalies.
→ QA Integration & Collaboration: Embed QA and make security part of team culture.

2 Projects to Implement:

1. Netflix Clone with DevSecOps Pipeline
• Covers CI/CD, container scans, secrets management, monitoring.
• GitHub: https://lnkd.in/dWR4GV7m
• Youtube: https://lnkd.in/dkSjBcNM

2. DevSecOps CI/CD Implementation
• Implementing a pipeline for a Tic-Tac-Toe game application.
• GitHub: https://lnkd.in/d3WgCuKY
• Youtube: https://lnkd.in/dTQcw3Sw

Any other projects or topics you'd like to add? Comment below 👇

If you found this useful:
I regularly share bite-sized insights on Cloud & DevOps (through my newsletter as well) — if you're finding them helpful, hit follow (Vishakha) and feel free to share it so others can learn too!

Image Src: ByteByteGo
-
Implementing Enterprise-Grade Code Security Framework 📊

In an era where a single code vulnerability can compromise millions, secure coding isn't just best practice—it's mission-critical business resilience.

Key Compliance Requirements Achieved:
✅ NIST SP 800-53 Security Controls
✅ SOC 2 Code Integrity Standards
✅ OWASP Top 10 Mitigation
✅ PCI DSS Code Review Protocols

Implementation Approach:
- Integrated security from development inception
- Established multi-layered verification processes
- Created automated and manual review checkpoints
- Developed comprehensive threat modeling

Strategic Toolchain:
🛡️ SonarQube (Static Code Analysis)
🔍 Fortify (Enterprise Security Testing)
🚨 Snyk (Dependency Vulnerability Detection)
🧰 Apiiro (Risk-Based Code Security Platform)

Challenges Overcome:
- Reduced false positive security alerts by 40%
- Decreased vulnerability resolution time by 65%
- Standardized security practices across engineering teams

Pro Tip: Security is a culture, not a checklist. Invest in continuous education and make security everyone's responsibility.

Who's transforming their code security approach this quarter? 💡

#CodeSecurity #DevSecOps #CyberResilience