Document status: ⚠️ DRAFT

[!CAUTION] What you see here is a DRAFT of the CPAN Author's Security Guide by the CPAN Security Group (CPANSec). As long as this document is in DRAFT, all of the points and ideas below are open to revision, deletion or amending – by you!

Learn the basics

  1. Read the perlsec page to familiarize yourself with Perl’s security features
  2. Read the OpenSSF Open Source Best Practices Badge program, and

Write code that is Secure by Design

Keep your security metadata up-to-date

  1. Read the CPAN::META::Spec and make sure all relevant fields are correct and up-to-date
  2. Ensure also that your list of dependencies is complete and correct

Share your security metadata

  1. Add a security.txt file to your project website
  2. Add a security policy to your Github project

Add security tests to your code

  1. Learn how to use perltaint to detect and defang input from untrusted sources
  2. Add tests for taintedness to your codebase, to verify that your code actually handles untrusted input as expected

Practice symbol import discipline

  1. Use App::perlimports to get a better idea of what symbols you are using.

Reduce the amount transitive dependencies

  1. The more modules you depend on, the larger the attack surface you may have to defend.

Ensure your project is sustainable

  1. Have at least one other trusted co-maintainer
    • You can add a co-maintainer in PAUSE
  2. Have a succession plan
    • Describe who among your co-maintainers will take over your project if you become permanently unavailable

Select an appropriate Open Source license

  • Pick an OSI-approved Open Source license, and add it both to your project repo and other metadata.

Relevant documentation and guides

License and use of this document

You may use, modify and share this file under the terms of the CC-BY-SA-4.0 license.