layout: page title: CPAN Author’s Secure Coding Guide description: A security guide for CPAN Distribution Authors toc: true —-

Document status: ⚠️ DRAFT

[!CAUTION] What you see here is a DRAFT of the CPAN Author's Security Guide by the CPAN Security Group (CPANSec). As long as this document is in DRAFT, all of the points and ideas below are open to revision, deletion or amending – by you!

Contribute on Github: https://github.com/CPAN-Security/security.metacpan.org/blob/cpan-author-guide/docs/cpan-author-guide.md

Discuss on IRC: ircs://ssl.irc.perl.org:7062/#cpan-security

Discuss on Matrix: https://matrix.to/#/#cpansec:matrix.org

Learn the basics

Read the perlsec page to familiarize yourself with Perl’s security features
Read the OpenSSF Open Source Best Practices Badge program, and try to at least achieve a passing badge. (You can also see how well other Perl projects do in this regard!)

Write code that is Secure by Design

CISA’s Secure by Design Pledge

Keep your security metadata up-to-date

Read the CPAN::META::Spec and make sure all relevant fields are correct and up-to-date

Add a security.txt file to your project website
Add a security policy to your Github project

Add security tests to your code

Add tests for taintedness to your codebase

Practice symbol import discipline

Use App::perlimports to get a better idea of what symbols you are using.

Reduce the amount transitive dependencies

The more modules you depend on, the larger the attack surface you’ll have to defend.

Ensure you have trusted co-maintainers

Add a co-maintainer in PAUSE

Have a succession plan

Describe who among your co-maintainers will take over your project if you become unavailable

Select an appropriate Open Source license

Pick an OSI-approved Open Source license, and add it both to your project repo and other metadata.

Relevant documentation and guides

License and use of this document

Version: 0.5.1
License: CC-BY-SA-4.0

You may use, modify and share this file under the terms of the CC-BY-SA-4.0 license.