10 Guidelines for Secure Software Development from OpenSSF

The Open Source Software Foundation (OpenSSF) has released a list of 10 Secure Software Development Guiding Principles to help organizations align their development efforts around recommended best practices.

In line with the OpenSSF’s earlier Open Source Consumption Manifesto, these principles “describe a series of foundational practices that, if followed, can help provide better assurance and security for organizations leveraging them,” the announcement states.

The principles, which apply to both proprietary and open source software, spell out core practices as follows:

  1. To employ development practices that are in conformance with modern, industry-accepted secure development methods.
  2. To learn and apply secure software design principles (such as least privilege).
  3. To learn the most common kinds of vulnerabilities and to take steps to make them unlikely or limit their impact.
  4. To check for and address known and potential critical vulnerabilities prior to releasing software, then monitor for vulnerabilities subsequently throughout the supported life of the product.
  5. To harden and secure our software development infrastructure against compromise or infiltration against the same principles, practices, and expectations set for the software developed on and built from them.
  6. To prioritize the sourcing of software from suppliers and developers who also pledge to develop in conformance with the Secure Software Development Guiding Principles, and from projects that publicly report security health metrics and adopt controls to prevent tampering of software packages, and that actively address known/discovered malicious software.
  7. To provide software supply chain understandability to consumers of our software consistent with evolving industry standards, practices, and tooling.
  8. To manage responsible vulnerability disclosure programs that are inclusive of upstream dependencies and have publicly documented vulnerability reporting and remediation policies.
  9. To publish security advisories consistent with evolving industry best practices.
  10. To actively collaborate with and participate in industry and regulatory initiatives related to securing the software supply chain, and to evangelize adoption of the Secure Software Development Guiding Principles among our industry peers.

The list can also be found in the Best Practices Working Group GitHub repo, and individuals, organizations, and projects are invited to sign on by submitting a pull request.
