Security checklist
One-time activities are marked with ☑️, and the recurrent ones with 🔁.
When utilizing the suggested security tools, please consider using the cheat sheet.
I. Proactive vulnerability discovery
☑️ Create a threat model.
☑️ Choose a suite of security tools to scan your codebase.
☑️ Automate the suite of security tools in local/development environments and CI/CD pipelines, with quality gates.
☑️ Request the integration of your project with OSS-Fuzz.
🔁 Periodically check for vulnerabilities in your dependencies.
🔁 Constantly validate the warnings from your security tooling.
🔁 Keep the threat model updated.
II. Secure users
☑️ Design your software to be secure by default.
☑️ Have security recommendations for users.
☑️ Create SBOMs.
III. Established security reporting process
☑️ Have a standardised, documented process for responding to vulnerabilities.
☑️ Create a security policy with preferred way to contact and report format.
☑️ Find backup security responders.
🔁 Be transparent and verbose with the reported vulnerabilities: mention patching commits, attach security tags to issues, and request CVE IDs.