Understanding Secure Software Development Essentials
April 08, 2024

Omkhar Arasaratnam
OpenSSF

Using open source software has many benefits for organizations. It fosters transparency and innovation, provides flexibility and customization, cuts cost on development and enables collaboration among other developers.

However, organizations could open themselves up to risks if the open source software isn't developed securely. According to a recent report, nearly three-quarters of all commercial codebases contain open source software with high-risk vulnerabilities. These vulnerabilities could lead to holes in the software supply chain for bad actors to exploit, risking malicious attacks and data breaches within organizations.

Vulnerabilities have become pervasive across the software supply chain, as have the malicious actors seeking to exploit them, prompting organizations to bolster security throughout the entire software development life cycle (SDLC) to protect their assets. This emphasis on security is particularly critical for those organizations involved in producing and distributing software that utilizes open source components.

Securely developing open source software is crucial for fostering community trust and ensuring safe, global accessibility while also promoting rapid innovation and maintaining legal compliance. Properly executed, it helps organizations see real measurable change in the health of software supply chains.


A Call for Open Source Security Standardization

A high-profile example of how a vulnerability in open source software can result in catastrophic impact is the Log4J incident. Dubbed "Log4Shell," one of the most widespread security vulnerabilities in recent years, Log4J's popular open source logging tool left millions of organizations susceptible to hackers infiltrating and taking total control of their systems. Organizations that were spared direct attacks scrambled to remediate their systems in late 2021, during a typically quiet period.

The vulnerability was even exploited by state-sponsored hackers to target US critical infrastructure and it was used by top ransomware groups LockBit and ALPHV/BlackCat in attacks. The effects were so devastating that years later, companies are dealing with the fallout, all because one open source link in the software supply chain was not secure.

However, identifying the risks within a software supply chain can be challenging. The best way to protect assets and ensure the integrity of the applications and development pipelines is to develop software with security in mind from the start. Failing to do so could have devastating effects.

There is a strong need for standardized security guidelines to enable open source software developers to prioritize security from the outset. Although the advantages of doing so are clear, building universally agreed-upon frameworks and implementing them at scale is a massive undertaking — one that has yet to be fulfilled.

In lieu of standardization, developers can adopt best practices for better software security. From risk assessment to secure coding practices, these principles can foster a proactive approach to mitigating vulnerabilities and enhancing overall software resilience, and act as a roadmap for developers to embed security into every stage of the software development life cycle.

Top 10 Secure Software Development Guiding Principles

Adopting robust guiding principles for secure software development can enhance both the security and transparency of the software supply chain. The following guidelines developed by the Open Source Security Foundation (OpenSSF) End Users Working Group, encourage software organizations to take responsibility for their consumption of open source software by focusing on activities with the greatest impact and providing a roadmap to implement supply chain security best practices.

1. Employ development practices that are in conformance with modern, industry-accepted secure development methods.

2. Learn and apply secure software design principles (such as least privilege).

3.Learn the most common kinds of vulnerabilities and take steps to make them unlikely or limit their impact.

4. Check for and address known and potential critical vulnerabilities prior to releasing software, then monitor for vulnerabilities subsequently throughout the supported life of the product.

5. Harden and secure your software development infrastructure against compromise or infiltration against the same principles, practices, and expectations set for the software developed on and built from them.

6. Prioritize the sourcing of software from suppliers and developers who also pledge to develop in conformance with the secure software development guiding principles, and from projects that publicly report security health metrics and adopt controls to prevent tampering of software packages, and that actively address known/discovered malicious software.

7. Provide software supply chain understandability to consumers of our software consistent with evolving industry standards, practices, and tooling.

8. Manage responsible vulnerability disclosure programs that are inclusive of upstream dependencies and have publicly documented vulnerability reporting and remediation policies.

9. Publish security advisories consistent with evolving industry best practices.

10. Actively collaborate with and participate in industry and regulatory initiatives related to securing the software supply chain, and evangelize adoption of the secure software development guiding principles among your industry peers.

As the benefits of using open source software are clear, developers need to find ways to create and use it safely to protect the whole software supply chain ecosystem. Developing with security in mind from inception and following the top 10 secure software development guiding principles will help increase transparency and security. Following these steps will put you on the path to ensuring you won't be impacted by the next Log4J — or worse — in the future.

Omkhar Arasaratnam is GM at OpenSSF
Share this

Industry News

May 08, 2025

AWS announced the preview of the Amazon Q Developer integration in GitHub.

May 08, 2025

The OpenSearch Software Foundation, the vendor-neutral home for the OpenSearch Project, announced the general availability of OpenSearch 3.0.

May 08, 2025

Jozu raised $4 million in seed funding.

May 07, 2025

Wix.com announced the launch of the Wix Model Context Protocol (MCP) Server.

May 07, 2025

Pulumi announced Pulumi IDP, a new internal developer platform that accelerates cloud infrastructure delivery for organizations at any scale.

May 07, 2025

Qt Group announced plans for significant expansion of the Qt platform and ecosystem.

May 07, 2025

Testsigma introduced autonomous testing capabilities to its automation suite — powered by AI coworkers that collaborate with QA teams to simplify testing, speed up releases, and elevate software quality.

May 06, 2025

Google is rolling out an updated Gemini 2.5 Pro model with significantly enhanced coding capabilities.

May 06, 2025

BrowserStack announced the acquisition of Requestly, the open-source HTTP interception and API mocking tool that eliminates critical bottlenecks in modern web development.

May 06, 2025

Jitterbit announced the evolution of its unified AI-infused low-code Harmony platform to deliver accountable, layered AI technology — including enterprise-ready AI agents — across its entire product portfolio.

May 05, 2025

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, and Synadia announced that the NATS project will continue to thrive in the cloud native open source ecosystem of the CNCF with Synadia’s continued support and involvement.

May 05, 2025

RapDev announced the launch of Arlo, an AI Agent for ServiceNow designed to transform how enterprises manage operational workflows, risk, and service delivery.

May 01, 2025

Check Point® Software Technologies Ltd.(link is external) announced that its Quantum Firewall Software R82 — the latest version of Check Point’s core network security software delivering advanced threat prevention and scalable policy management — has received Common Criteria EAL4+ certification, further reinforcing its position as a trusted security foundation for critical infrastructure, government, and defense organizations worldwide.

May 01, 2025

Postman announced full support for the Model Context Protocol (MCP), helping users build better AI Agents, faster.

May 01, 2025

Opsera announced new Advanced Security Dashboard capabilities available as an extension of Opsera's Unified Insights for GitHub Copilot.