Achieve CII Best Practices Badge #319

Open
8 of 33 tasks
jorgeyp opened this issue Oct 17, 2017 · 0 comments
Comments

@jorgeyp
Collaborator

jorgeyp commented Oct 17, 2017

Further info

  • Have a stable website, which says:
    • what it does
    • how to get it
    • how to give feedback
    • how to contribute and preferred styles
  • Explicitly specify a FLOSS license
  • Support HTTPS on the project sites
  • Document how to install and run (securely), and any API
  • Have a distributed public version control system, including changes between releases:
    • Give each release a unique version, using semantic versioning format
    • Give a summary of changes for each release, identifying any fixed vulnerabilities
  • Allow bug reports to be submitted, archived and tracked:
    • Acknowledge/respond to bugs & enhancement requests, rather than ignoring them
    • Have a secure, documented process for reporting vulnerabilities
    • Respond within 14 days, and fix vulnerabilities, within 60 days if they're public
  • Have a build that works, using standard open-source tools
    • Enable (and fix) compiler warnings and lint-like checks
    • Run other static analysis tools and fix exploitable problems
  • Have an automated test suite that covers most of the code/functionality, and officially require new tests for new code
  • Automate running the tests on all changes, and apply dynamic checks:
    • Run memory/behaviour analysis tools (sanitizers/Valgrind etc.)
    • Run a fuzzer or web-scanner over the code
  • Have a developer who understands secure software and common vulnerability errors
  • If cryptography is used:
    • Use public protocols/algorithms
    • Don't re-implement standard functionality
    • Use open-source cryptography
    • Use key lengths that will stay secure
    • Don't use known-broken or known-weak algorithms
    • Use algorithms with forward secrecy
    • Store any passwords with iterated, salted hashes using a key-stretching algorithm
    • Use cryptographic random number sources
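As an added example (not part of this issue or the project's own code), a minimal password-storage routine that satisfies the last two cryptography criteria above: a salt drawn from the OS CSPRNG, PBKDF2-HMAC-SHA256 as the key-stretching function, constant-time verification, and refusal to accept stored records that were stretched with too few iterations. The record format, iteration count and salt length are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed parameters for the example: PBKDF2-HMAC-SHA256, 16-byte salt,
# 600k iterations, and a floor below which stored records are treated as invalid.
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 600_000
DKLEN = 32
MIN_ITERATIONS = 100_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash."""
    salt = secrets.token_bytes(SALT_BYTES)  # CSPRNG; never the random module
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, DKLEN)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    try:
        scheme, iters, salt_b64, dk_b64 = record.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except (ValueError, TypeError):
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or iterations < MIN_ITERATIONS:
        return False  # unknown scheme or under-stretched record: do not trust it
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong", rec))  # False
```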