Secure Software Development Guiding Principles version 1.0
The Secure Software Development Guiding Principles (SSDGP) are a series of core tenets that producers and suppliers of software can pledge to align with and follow throughout their development lifecycles. The principles describe a series of foundational practices that, if followed, can help provide better assurance and security for organizations leveraging them. The Guiding Principles are a companion piece to the OpenSSF End User Working Group's Open Source Consumption Manifesto, which focuses on individuals and organizations using (aka consuming) open source software. We welcome every organization producing and supplying software that uses open source components to consider following these practices and signing on to endorse them.
As developers of software, we are committed to enhancing the security and transparency of the software supply chain by pledging the following for all software we produce, both proprietary and open source, whether embedded in a device, released on a standalone basis, or designed to operate as a service, with the goal of creating software that is secure by default:
- To employ development practices that are in conformance with modern, industry-accepted secure development methods.
- To learn and apply secure software design principles (such as least privilege).
- To learn the most common kinds of vulnerabilities and to take steps to make them unlikely or limit their impact.
- To check for and address known and potential critical vulnerabilities prior to releasing software, then monitor for vulnerabilities subsequently throughout the supported life of the product.
- To harden and secure our software development infrastructure against compromise or infiltration, applying the same principles, practices, and expectations set for the software developed on and built from it.
- To prioritize the sourcing of software from suppliers and developers who also pledge to develop in conformance with the Secure Software Development Guiding Principles, and from projects that publicly report security health metrics and adopt controls to prevent tampering of software packages, and that actively address known/discovered malicious software.
- To provide software supply chain understandability to consumers of our software consistent with evolving industry standards, practices, and tooling.
- To manage responsible vulnerability disclosure programs that are inclusive of upstream dependencies and have publicly documented vulnerability reporting and remediation policies.
- To publish security advisories consistent with evolving industry best practices.
- To actively collaborate with and participate in industry and regulatory initiatives related to securing the software supply chain, and to evangelize adoption of the Secure Software Development Guiding Principles among our industry peers.
Signatures
Anyone interested in pledging to follow the Principles is encouraged to file a Pull Request adding their name or organization to the Signatories.