The Linux Foundation Japan
OpenSSF “Guidelines for Secure Software Development” Top 10 Announced
This blog is based on OpenSSF Releases Top 10 Secure Software Development Guiding Principles
(https://openssf.org/blog/2023/12/03/openssf-releases-top-10-secure-software-development-guiding-principles/).
https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/securesoftwaredevelopmentguidingprinciples-signatures.md was approved. We continue to invite many other individuals, organizations, and projects to join the petition by submitting pull requests.
Statement of support from ecosystem partners (from original text)

“At the Eclipse Foundation, we’re committed to championing the Secure Software Development Guiding Principles among communities and promoting security as a fundamental part of the software creation process. Our support for these principles in our projects reflects our dedication to cultivating a leading collaborative development model that values security, trust, and resilience as highly as we value community-driven open source best practices.” – Mikael Barbero, Head of Security, Eclipse Foundation

“The Rust Foundation is dedicated to ensuring that Rust is safe, secure and sustainable, and we are delighted to support these Secure Software Development Guiding Principles, which clearly lay out best practice, and demonstrate our commitment to developing software that is secure by default.” – Rebecca Rumbul, CEO at the Rust Foundation

These guidelines, developed by the OpenSSF Best Practices Working Group, are based on the Open Source Consumption Manifesto of the OpenSSF End User Working Group
(https://openssf.org/blog/2023/08/24/join-us-in-adopting-the-open-source-consumption-manifesto/). We encourage all organizations that produce and supply software using open source components to follow these guidelines and consider signing in support. A list of principles can be found in the Best Practices Working Group’s GitHub repository at
https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/SecureSoftwareGuidingPrinciples.md or see:
Guidelines for Secure Software Development Version 1.0
As software developers, our goal is to create software that is highly secure by default, whether it is proprietary or open source, designed to be embedded in a device, released independently, or operated as a service. We are committed to strengthening the security and transparency of our software supply chain by making the following commitments for all software we produce:
1. Adopt development practices that adhere to the latest industry-accepted secure development practices.
2. Learn and apply secure software design principles, such as least privilege.
3. Learn the most common types of vulnerabilities and take steps to reduce their likelihood or limit their impact.
4. Check for and address known and potentially critical vulnerabilities before releasing software, and monitor vulnerabilities throughout the product’s support life.
5. Harden and secure software development infrastructure to prevent breaches and intrusions that would undermine the guidelines, practices, and expectations set for the software developed and built on that infrastructure.
6. Prioritize sourcing software from suppliers, developers, and projects who are committed to developing in accordance with the Secure Software Development Guidelines, publicly report security health metrics, manage the tamper-proofing of software packages, and actively address known or discovered malicious software.
7. Demystify and help software consumers understand how your software supply chain is aligned with evolving industry standards, practices, and tools.
8. Manage and deliver a responsible vulnerability disclosure program that includes upstream dependencies and publicly documents vulnerability reporting and remediation policies.
9. Publish security advisories that align with evolving industry best practices.
10. Actively collaborate and participate in industry and regulatory initiatives related to securing the software supply chain, and promote adoption of the Secure Software Development Guidelines among industry colleagues.