security-README file, “SECURITY.md”

“Security is not about speed but finding help when there is a security issue should be.”

The tl;dr: the security readme file holds the project’s “security policy” and “vulnerability reporting” instructions (a.k.a. its “responsible security disclosure policy”) in a separate file. The security readme file lives in the root directory of an open source project. Security readme files for open source repositories should be a new guideline.

I am asking the JavaScript ecosystem to add a “SECURITY.md” (also referred to as a “security readme file”) to their repositories. My goal is to improve open source security by making policies more accessible and reporting security vulnerabilities easier for everyone.

This isn’t a new thought! While giving a talk at SFNode about “Node.js Security best practices” I realized “security.txt” functions in a similar way. Unfortunately, the “security.txt” file is not intended for humans to read. It is a standard for websites and servers to use in the wild (a.k.a. the intra/internet). BUT the idea is the same: provide a route for contributors to report a security issue easily.

Thank you to Rich Trott of Node.js for taking my talking point and running with it. I also want to take a moment to thank these other projects for already using security readme files (SECURITY.md).

Visit my GitHub repository “security-README”. I welcome comments on this idea so we can make the open source community a better place than we found it.

Please help me:

  1. Star this GitHub repo
     ( https://github.com/Trewaters/security-README )
  2. Star this GitHub repo
     ( https://github.com/Trewaters/SFNode-Nov-2018 )
  3. Follow me “@trewaters” on GitHub
     ( https://github.com/Trewaters )
  4. Follow me on Twitter
     ( https://twitter.com/trewaters )

SFNode Meetup, Nov 2018 talk

Thursday, November 1st, 2018

I (Tre’ Grisby) spoke at a SFNode Meetup. The meetup was hosted by Quantcast in San Francisco, California. Quantcast was a great host and had one of the best receptions. I want to give a big thanks to Quantcast for being such a gracious host!

My talk was titled “Node.js Security, best practices”. It was a top ten list of security practices that are beneficial for anyone getting started in Node. The goal was to identify possible threats and the tools a developer could use to minimize exposure to those threats.

I will not write out all my notes again here. Below is a link to all the resources I used in the talk.

security.md

As part of my talk I introduced a thought: in the pursuit of making security more accessible and reporting vulnerabilities easier, I asked the JavaScript open source ecosystem to start using a “security.md” file in GitHub repositories. ( Read more here… )

The tl;dr: adding this file to the root directory should be a new standard. The file states the project’s “security policy” and “vulnerability reporting expectations”, so anyone who wants to report an issue can do so easily. This is modeled on the “security.txt” file. Check out my GitHub repo and leave comments to help me improve this proposed standard.
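As an added example (not code from the original post or from the security-README repository), here is a small Python audit that checks a checkout for the convention described above: a SECURITY.md at the repository root that names a security policy, a vulnerability reporting section and a way to reach the maintainers. The heading wording, the contact pattern and the sample files are assumptions constructed for the demo.

```python
"""Audit a project checkout for a root-level SECURITY.md with the expected content."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# The post only names "security policy" and "vulnerability reporting";
# matching them as markdown headings is this example's assumption.
REQUIRED_SECTIONS = {
    "policy": re.compile(r"^#+\s*.*security policy", re.I | re.M),
    "reporting": re.compile(r"^#+\s*.*(report|disclos)", re.I | re.M),
}
# A usable reporting channel: an e-mail address or an https URL (assumption).
CONTACT = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+|https://\S+")


def audit_security_md(repo_root: Path) -> dict:
    """Return which parts of the convention a checkout satisfies."""
    result = dict.fromkeys(("present", "policy", "reporting", "contact"), False)
    # Only the root directory counts, as the post asks; match case-insensitively.
    path = next((p for p in repo_root.iterdir()
                 if p.is_file() and p.name.lower() == "security.md"), None)
    if path is None:
        return result
    result["present"] = True
    text = path.read_text(encoding="utf-8", errors="replace")
    for key, pattern in REQUIRED_SECTIONS.items():
        result[key] = bool(pattern.search(text))
    result["contact"] = bool(CONTACT.search(text))
    return result


def passes(result: dict) -> bool:
    """A checkout passes only when the file exists and every check is satisfied."""
    return all(result.values())


# Constructed sample SECURITY.md contents (not from any real project).
GOOD = ("# Security Policy\nWe patch the latest minor release.\n\n"
        "## Reporting a Vulnerability\nEmail security@example.com with details.\n")
BAD = "# Security\nPlease be nice.\n"


def demo_audit(contents: str | None) -> dict:
    """Build a throwaway checkout with the given SECURITY.md (None = absent) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "README.md").write_text("# demo project\n")
        if contents is not None:
            (root / "SECURITY.md").write_text(contents)
        return audit_security_md(root)


if __name__ == "__main__":
    for label, contents in (("good", GOOD), ("bad", BAD), ("missing", None)):
        r = demo_audit(contents)
        print(label, "PASS" if passes(r) else "FAIL", r)
```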

Please help me:

  1. Star this GitHub repo
     ( https://github.com/Trewaters/SFNode-Nov-2018 )
  2. Follow me “@trewaters” on GitHub
     ( https://github.com/Trewaters )
  3. Follow me on Twitter
     ( https://twitter.com/trewaters )