Today, we are excited to announce version 1.0 of the Secure Software Development Guiding Principles. These 10 principles describe a series of foundational practices that, if followed, can help provide better assurance and security for organizations leveraging them. Though aspirational, they provide a set of core practices that producers and suppliers of software can pledge to align with and follow throughout their development lifecycles, helping create more secure software.
The OpenSSF Governing Board has voted to approve the Principles and sign on as signatories along with many others. Individuals, organizations, and projects are invited to continue to sign on by submitting a pull request.
Statements of Support from Ecosystem Partners
"At the Eclipse Foundation, we're committed to championing the Secure Software Development Guiding Principles among communities and promoting security as a fundamental part of the software creation process. Our support for these principles in our projects reflects our dedication to cultivating a leading collaborative development model that values security, trust, and resilience as highly as we value community-driven open source best practices."
– Mikaël Barbero, Head of Security, Eclipse Foundation
"The Rust Foundation is dedicated to ensuring that Rust is safe, secure and sustainable, and we are delighted to support these Secure Software Development Guiding Principles, which clearly lay out best practice, and demonstrate our commitment to developing software that is secure by default."
– Rebecca Rumbul, CEO, Rust Foundation
The Guiding Principles developed by the OpenSSF Best Practices Working Group are a companion piece to the OpenSSF End User Working Group's Open Source Consumption Manifesto. We welcome every organization producing and supplying software that uses open source components to consider following these practices and signing on to endorse them.
The list of principles can be found in the Best Practices Working Group GitHub repo and below:
Secure Software Development Guiding Principles version 1.0
As developers of software, we are committed to enhancing the security and transparency of the software supply chain by pledging the following for all software we produce, both proprietary and open source, whether embedded in a device, released on a standalone basis, or designed to operate as a service, with the goal of creating software that is secure by default:
- To employ development practices that are in conformance with modern, industry-accepted secure development methods.
- To learn and apply secure software design principles (such as least privilege).
- To learn the most common kinds of vulnerabilities and to take steps to make them unlikely or limit their impact.
- To check for and address known and potential critical vulnerabilities prior to releasing software, then monitor for vulnerabilities subsequently throughout the supported life of the product.
- To harden and secure our software development infrastructure against compromise or infiltration, holding it to the same principles, practices, and expectations set for the software developed on and built from it.
- To prioritize the sourcing of software from suppliers and developers who also pledge to develop in conformance with the Secure Software Development Guiding Principles, and from projects that publicly report security health metrics, adopt controls to prevent tampering with software packages, and actively address known or discovered malicious software.
- To provide software supply chain understandability to consumers of our software consistent with evolving industry standards, practices, and tooling.
- To manage responsible vulnerability disclosure programs that are inclusive of upstream dependencies and have publicly documented vulnerability reporting and remediation policies.
- To publish security advisories consistent with evolving industry best practices.
- To actively collaborate with and participate in industry and regulatory initiatives related to securing the software supply chain, and to evangelize adoption of the Secure Software Development Guiding Principles among our industry peers.