Top 4 source code security best practices

1. Acquire secure external source code

Verify the legitimacy of all source code acquired from third parties, whether for internal use or if planning to bundle it with products or services. Only download source code from authoritative websites and use integrity-checking measures, such as verifying cryptographic hashes. Rely on automation to avoid human error, such as typing a URL incorrectly or forgetting to compare cryptographic hash values.

2. Protect source code access and storage

Store source code in well-secured code repositories. Only grant the necessary permissions to people, applications and services, and be especially careful about permissions to enable source code modifications. Authenticate each repository user with modify permissions -- human or not -- and configure repositories to keep audit logs of all changes. Require developers to store all third-party source code in the code repositories.

3. Analyze source code

Whether you write or acquire your source code, use static analysis tools to scan for vulnerabilities and malicious code. Don't just scan the code when it gets acquired. Have tools that scan frequently, if not continuously. While tools can do most of the work, people should review and investigate what the tools find. Ensure your incident response plans and processes are prepared to handle the discovery of malicious code.

4. Identify source code components

The security and software development communities increasingly recognize the importance of knowing what source code components are in the software used and acquired by enterprises. Be on the lookout for announcements about new vulnerabilities in these components. Knowing about these vulnerabilities will help security teams mitigate new threats more quickly.

Source code is increasingly coming with a software bill of materials, which lists its components. Alternatively, security teams could employ tools for source code composition analysis to help identify any third-party components in use.