The first version of this guide provided concrete advice for anyone involved in developing or managing software for scientific projects. This new version of the guide expands both coverage and depth of the topics. This guide provides an understanding of many of the security issues faced when producing software and actionable advice on how to deal with these issues. New topics include approaches to avoiding software exploits (injection attacks, buffer overflows and overruns, numeric errors, exceptions, serialization, directory traversal, improper set of permissions, and web security); securing the software supply chain; secure design; software analysis tools; fuzz testing; and code auditing.
The new version of the guide is available at https://doi.org/10.5281/zenodo.8137009.
If you write code, this guide is for you. And if you write scientific software, your software is likely to be shared or deployed as a service. Once that step happens, you, and the people who use or deploy your software, will be confronted with software security concerns.
To address these concerns, you will need a variety of skills. However, it may be daunting just to know which concerns to address and which skills you need. The goal of this guide is to provide an introduction to these topics.
You can read this guide beginning-to-end as a tutorial to introduce you to the topic of secure software development, or you can read it selectively to help understand specific issues. In either case, this guide will introduce you to a variety of topics and then provide you with a list of resources to dive deeper into those topics.
It is our hope that our continued efforts in the area of software assurance will help scientific software projects better understand and ameliorate some of the most important gaps in the security of scientific software, and will also help policymakers understand those gaps so they can better understand the need for committing resources to improving the state of scientific software security. Ultimately, we hope that this effort will support scientific discovery itself by shedding light on the risks to science incurred in creating and using software.