OpenSSF Best Practices Working Group (WG)
This is a list of materials (documents, services, and so on) released by the Open Source Security Foundation (OpenSSF) Best Practices Working Group (WG).
Guides
- Concise Guide for Developing More Secure Software
- Concise Guide for Evaluating Open Source Software (Swedish)
- npm Best Practices Guide
- Source Code Management Platform Configuration Best Practices Guide
- Compiler Options Hardening Guide for C and C++
- Correctly Using Regular Expressions for Secure Input Validation
- Simplifying Software Component Updates
- The Memory Safety Continuum
- Cyber Resilience Act (CRA) Brief Guide for Open Source Software (OSS) Developers
- Security Focused Guide for AI Code Assistant Instructions
Note: You can also see the larger list of Guides released by the OpenSSF.
Educational materials (courses)
- Developing Secure Software (LFD121) - a free course for software developers focusing on how to develop secure software (open source software or closed source software). Also called our Secure Software Development Fundamentals Course.
  - To propose changes and/or reuse the material, see the course content repository on GitHub.
  - The presentation “A Brief Introduction to Developing Secure Software” summarizes its content.
- Security for Software Development Managers (LFD125). We thank Intel for contributing the starting material for this course.
  - The presentation from LFD125 is available if you want to propose changes or reuse it for special purposes (CC-BY-4.0).
- Understanding the EU Cyber Resilience Act (CRA) (LFEL1001). Developed with the OpenSSF Global Cyber Policy WG.
  - A brief webinar summarizing the CRA is available.
  - The presentation from LFEL1001 is available if you want to propose changes or reuse it for special purposes (CC-BY-4.0).
- Secure AI/ML-Driven Software Development (LFEL1012), to be released 2025-10-16. Developed with the OpenSSF AI/ML WG.
  - The presentation from LFEL1012 is available if you want to propose changes or reuse it for special purposes (CC-BY-4.0).
See the Education SIG page for more information.
OSS Project Evaluation
- Security Scorecard - automated scoring of OSS projects
- OpenSSF Best Practices badge - a way for Free/Libre/Open Source Software projects to show that they follow best practices (you can also see its source code repository).
Ongoing work
The OpenSSF Best Practices WG is working on many more materials, such as more educational materials through our education special interest group (SIG), compiler hardening guides, guidance about memory safety through our memory safety SIG, and so on.
Examples of ongoing work include:
We typically use the Simplest Possible Process (SPP) to publish our results on the web.
Please join the OpenSSF Best Practices working group if you’re interested in helping!
Please also see the main OpenSSF website to learn more about the OpenSSF.