Closed SecurityCRob closed 9 months ago
I received an interesting suggestion offline: renumbering the principles somewhat chronologically to map to product development lifecycles. Sounds reasonable to me! The suggested revised order would be as follows:
I suggest swapping 1 and 2, so the first one becomes "To employ development practices that are in conformance with modern, industry-accepted secure development methods." That is basically the high-level overall statement, and you could argue all the rest are specific examples of that.
It's a long name, but I think this should be named the "Secure Software Development Guiding Principles"? There's nothing here about operating production systems, or how to consume software as an end-user.
> nothing here about operating production systems, or how to consume software as an end-user
Should recommendations for operating production systems be added? With things like GitOps and Infrastructure as Code, many of the characteristics of operating production systems are "developed". As far as consuming, the below speaks to it somewhat, but maybe there could be recommendations to adhere to a secure consumption model (i.e. S2C2F)?
> prioritize the sourcing of software from suppliers and developers who also pledge to develop in conformance with the Secure Software Guiding Principles
Might be a bit too early, but have there been any recommendations yet on how to make the pledge or find others who have?
> Should recommendations for operating production systems be added? With things like GitOps and Infrastructure as Code, many of the characteristics of operating production systems are "developed".
Hmm, could this fit into the planned implementation guide in relation to Principle #5?
> As far as consuming, the below speaks to it somewhat, but maybe there could be recommendations to adhere to a secure consumption model (i.e. S2C2F)?
For sure in the implementation guide there will be specific mention of S2C2F (and other frameworks/resources/methodologies).
> have there been any recommendations yet on how to make the pledge or find others who have?
Happy to take suggestions!! Initial thoughts have ranged from using PRs to add names to a list to submitting signed documents (with signatories reflected on website).
Here are a couple of minor suggestions. I haven't been tracking this carefully and these may be too specific to be principles.

- To provide reasonable advance notice before ending security fixes.
- To provide software (including security updates) securely.
> - To provide reasonable advance notice before ending security fixes.
> - To provide software (including security updates) securely.
I think these would be great additions to the planned Implementation Guide!
This has been published.
We would like feedback from the group on the Secure Software Guiding Principles document (1) that the team recently agreed to collaborate on. Please provide feedback and comments here in this issue, or file PRs with larger discrete sections of suggested wording. We will review this as a group at our 29 Aug WG call. Thanks all.
(1) - https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/SecureSoftwareGuidingPrinciples.md