Originally published at: 5 Ways Nextcloud Develops its Product with Respect to your Privacy and Security - Nextcloud
In the beginning, we started Nextcloud because of privacy and security challenges that cloud service users faced. It is engrained in our strategy and company values. So how do we keep your data safe? An important element for that is how we develop Nextcloud!
Our product development follows industry-leading security processes. We like to say security bugs are like technical debt: fixing them later is expensive. Our strategy is to prevent them from happening from the get-go through a rigorous focus on security throughout the entire life cycle of our product. We aim to catch those that do find their way through and fix them as soon as possible.
1. Security Training
First off, we provide detailed documentation about common web security vulnerabilities that anyone can use and learn from.
Due to Nextcloud’s community focus, we also organize public security trainings for the community’s benefit. The next opportunity is at the Nextcloud Conference happening in person in Berlin on October 1st and 2nd. There are going to be plenty of opportunities to learn about security at the event!
Furthermore, developers are asked to fix security issues that they caused themselves. We do this because it’s an opportunity to learn from the mistake and make sure it doesn’t happen again.
Privacy and security risks are constantly analyzed and then requirements are established.
For instance, we employ advanced threat modeling / attack surface analysis.
Designs are also always reviewed for security implications.
When new code is developed for Nextcloud or a Nextcloud app, we employ a strict, mandatory code review process with two reviewers besides the original developer.
In addition, unsafe functions and constructs are forbidden, e.g. unserialize, non-prepared statements, and unsafe comparisons.
Furthermore, our internal functions are designed to provide secure defaults for developers.
In general, Nextcloud follows industry-standard security processes and has them all independently verified.
For example, you can see an analysis of Nextcloud on OpenSSF Best Practices passing for all six sections.
About two weeks after a Nextcloud release, we disclose any and all security issues that we fixed. These are paired with advisories with CVE identifiers.
As a result of our response, statistics show a massive decrease in external security reports.
To learn more about Nextcloud security and advisories, see here.