Understanding Secure Software Development Essentials
April 08, 2024

Omkhar Arasaratnam
OpenSSF

Using open source software has many benefits for organizations. It fosters transparency and innovation, provides flexibility and customization, cuts development costs and enables collaboration with other developers.

However, organizations could open themselves up to risks if the open source software isn't developed securely. According to a recent report, nearly three-quarters of all commercial codebases contain open source software with high-risk vulnerabilities. These vulnerabilities could lead to holes in the software supply chain for bad actors to exploit, risking malicious attacks and data breaches within organizations.

Vulnerabilities have become pervasive across the software supply chain, as have the malicious actors seeking to exploit them, prompting organizations to bolster security throughout the entire software development life cycle (SDLC) to protect their assets. This emphasis on security is particularly critical for those organizations involved in producing and distributing software that utilizes open source components.

Securely developing open source software is crucial for fostering community trust and ensuring safe, global accessibility while also promoting rapid innovation and maintaining legal compliance. Properly executed, it helps organizations see real measurable change in the health of software supply chains.


A Call for Open Source Security Standardization

A high-profile example of how a vulnerability in open source software can result in catastrophic impact is the Log4J incident. Dubbed "Log4Shell," one of the most widespread security vulnerabilities in recent years, the flaw in the popular open source logging library Log4J left millions of organizations susceptible to hackers infiltrating and taking total control of their systems. Organizations that were spared direct attacks scrambled to remediate their systems in late 2021, during a typically quiet period.

The vulnerability was even exploited by state-sponsored hackers to target US critical infrastructure and it was used by top ransomware groups LockBit and ALPHV/BlackCat in attacks. The effects were so devastating that years later, companies are dealing with the fallout, all because one open source link in the software supply chain was not secure.

However, identifying the risks within a software supply chain can be challenging. The best way to protect assets and ensure the integrity of the applications and development pipelines is to develop software with security in mind from the start. Failing to do so could have devastating effects.

There is a strong need for standardized security guidelines to enable open source software developers to prioritize security from the outset. Although the advantages of doing so are clear, building universally agreed-upon frameworks and implementing them at scale is a massive undertaking — one that has yet to be fulfilled.

In lieu of standardization, developers can adopt best practices for better software security. From risk assessment to secure coding practices, these principles can foster a proactive approach to mitigating vulnerabilities and enhancing overall software resilience, and act as a roadmap for developers to embed security into every stage of the software development life cycle.

Top 10 Secure Software Development Guiding Principles

Adopting robust guiding principles for secure software development can enhance both the security and transparency of the software supply chain. The following guidelines, developed by the Open Source Security Foundation (OpenSSF) End Users Working Group, encourage software organizations to take responsibility for their consumption of open source software by focusing on activities with the greatest impact and providing a roadmap to implement supply chain security best practices.

1. Employ development practices that are in conformance with modern, industry-accepted secure development methods.

2. Learn and apply secure software design principles (such as least privilege).

3. Learn the most common kinds of vulnerabilities and take steps to make them unlikely or limit their impact.

4. Check for and address known and potential critical vulnerabilities prior to releasing software, then monitor for vulnerabilities subsequently throughout the supported life of the product.

5. Harden and secure your software development infrastructure against compromise or infiltration, in accordance with the same principles, practices, and expectations set for the software developed on and built from it.

6. Prioritize the sourcing of software from suppliers and developers who also pledge to develop in conformance with the secure software development guiding principles, and from projects that publicly report security health metrics, adopt controls to prevent tampering with software packages, and actively address known or discovered malicious software.

7. Provide software supply chain understandability to consumers of our software consistent with evolving industry standards, practices, and tooling.

8. Manage responsible vulnerability disclosure programs that are inclusive of upstream dependencies and have publicly documented vulnerability reporting and remediation policies.

9. Publish security advisories consistent with evolving industry best practices.

10. Actively collaborate with and participate in industry and regulatory initiatives related to securing the software supply chain, and evangelize adoption of the secure software development guiding principles among your industry peers.

As the benefits of using open source software are clear, developers need to find ways to create and use it safely to protect the whole software supply chain ecosystem. Developing with security in mind from inception and following the top 10 secure software development guiding principles will help increase transparency and security. Following these steps will put you on the path to ensuring you won't be impacted by the next Log4J — or worse — in the future.

Omkhar Arasaratnam is GM at OpenSSF