DEVOPSdigest

The Open Source Security Foundation (OpenSSF) announced an expansion of its free course “Developing Secure Software” (LFD121).

The course now features interactive learning scenarios to better equip developers to build software that resists modern cyberattacks.

While threats continue to evolve, secure software starts with fundamental design principles. However, OpenSSF research shows that most practitioners (69%) learn on the job and 53% have not taken courses on developing secure software. LFD121 provides developers with a simple, self-directed opportunity to learn the basics of secure software development—now with interactive labs, quizzes, and other hands-on activities to boost engagement and knowledge retention.

“OpenSSF recognizes the need for security education. Developing software to counter today’s attackers requires that software developers know how to counter them. We are constantly improving to provide broad access and better education opportunities for software developers,” said David A. Wheeler, director, open source supply chain security at OpenSSF. “We’ve created multiple labs where developers can experiment with practical techniques that counter common attacks. The labs include helpful hints to make it easy for practitioners to learn quickly and effectively.”

Secure Software Development Course Components

Since its inception, more than 25,000 individuals have enrolled in this course material; over 18,000 enrolled in LFD121, over 6,000 enrolled in LFD104x (the first section of its equivalent on edX), and over 1,000 enrolled in its Japanese translations. The virtual course is available for free on the Linux Foundation Education platform. Developers who complete the 14-18 hour course and pass the final exam will earn a certificate of completion, valid for two years. The course includes the following components:

- Part I, Requirements, Design, and Reuse: Introduces the basics of secure software development including how to implement secure design principles and how to secure your software supply chain by picking the right components and dependencies.

- Part II, Implementation: Focuses on implementation and practical steps to improve security so that developers can counter the most common kinds of attacks.

- Part III, Verification and More Specialized Topics: Discusses security testing, including static and dynamic analysis, and how to apply these tools in CI/CD pipelines. It also discusses more specialized topics, such as threat modeling, fielding, and formal methods to justify that software is secure.

The easy-to-access interactive labs are optional but recommended for an enhanced education experience. No special software is required; labs launch directly in users’ web browsers, enabling an immediate hands-on experience. Once initiated, labs provide background and information on the specific task, then users are asked to complete the task and are told when they solve it. Users who get stuck can ask for a hint, which will give them a context-specific hint on how to complete the lab. These hints help users quickly move to mastery of a concept, even in programming languages they are less familiar with.

Course content is also freely available on GitHub under a Creative Commons Attribution License (CC-BY) version 4.0. Accredited Educational Institutions and OpenSSF Premier members are eligible to host this security training course on their Learning Management System (LMS) for unlimited, complimentary access for students and employees. For LMS integration details, interested parties can complete a request form.