Building reliable, trusted systems requires software that's secure by default. The Open Source Security Foundation (OpenSSF) aims to make security a top priority for developers through a series of core tenets outlined in the new Secure Software Development Guiding Principles (SSDGP).
For those who don’t know, the OpenSSF is a collaborative effort that brings together leaders from across the open ecosystem to improve the security of open source software through the development and promotion of technologies, standards, and best practices. Intel has been working with the OpenSSF since its inception to help develop secure open source technology and is actively involved in the OpenSSF’s governing board, Technical Advisory Council (TAC), and multiple working groups.
Intel led the drafting of the SSDGP, working collaboratively with a group of software producers and software security experts before the document was accepted by the OpenSSF’s Best Practices Working Group for further development and refinement. From there, we helped shepherd the SSDGP through review and approval by the TAC, which unanimously voted to recommend adoption of the SSDGP by the governing board. The governing board, in turn, voted unanimously to approve the principles and sign on as signatories.
The SSDGP outlines high-level best practices that any software producer should follow as part of their development process to build secure software. Following secure development practices is mission critical to Intel as well as to organizations around the globe. Given the near ubiquitous dependence on open source software and the ever-increasing count of vulnerabilities that threaten it, ensuring software security is paramount.
Solid, Accessible, and Flexible
Why is the SSDGP significant? For starters, the guidelines were created by a community of security practitioners, not just one voice putting pen to paper. Achieving consensus required ongoing negotiation and cooperation among the drafters, resulting in a solid set of core principles approved by industry leaders.
The SSDGP also uses plain language intended to make the guidelines readily comprehensible to all audiences across the software supply chain. The OpenSSF worked to make the SSDGP easy to access and understand with the goal of improving trust and accountability between both producers and consumers of open source software, advancing the industry as a whole.
The principles are intentionally not prescriptive around implementation details—they’re sufficiently abstracted so that software producers have the flexibility to adopt different solutions and continue to evolve those solutions as the security environment changes. The SSDGP outlines foundational principles that hold true over time and provide a secure framework for development that puts security first.
Putting Security First
When someone makes a public pledge to follow the SSDGP, they’re committing to using development practices that align with each of the 10 principles. By adhering to these common tenets, software developers help to improve the security of the entire software supply chain by working in a transparent manner consistent with a set of best practices promulgated by the top security minds in the industry. In prioritizing security from the start, proactively managing risks, and embracing continuous learning, the SSDGP lays the foundation for building a resilient software ecosystem.
The SSDGP aligns with Intel’s existing Security First Pledge in which Intel commits to unwavering customer focus, continuous technology innovation, robust incident response, security by design, and community advocacy. Everyone who plays a role in software development is encouraged to become familiar with both the SSDGP and OpenSSF. By actively engaging in industry security initiatives and mutually committing to follow best practices, we can help collectively tighten our ecosystem’s security posture, one program at a time.