Free Course: Developing Secure Software (LFD121) – Open Source Security Foundation
The “Developing Secure Software” (LFD121) course is available on the Linux Foundation Training & Certification platform. It focuses on the fundamentals of developing secure software. Both the course and certificate of completion are free. It is entirely online, takes about 14-18 hours to complete, and you can go at your own pace. Those who complete the course and pass the final exam will earn a certificate of completion valid for two years.
Course Also Available on edX
If you prefer, the same lesson content is available on edX as part of the Secure Software Development Fundamentals Professional Certificate program. You can audit the course (to learn the material) for free. If you want to try to earn a certificate of completion on edX (to prove that you learned the material), there’s a fee.
On edX, the content is split into three courses: Secure Software Development: Requirements, Design, and Reuse (LFD104x), Secure Software Development: Implementation (LFD105x), and Secure Software Development: Verification and More Specialized Topics (LFD106x).
Course Content Repository
To propose changes to the course content and/or reuse the material, see the course content repository on GitHub.
Host Course on Your Learning Management System
Accredited Educational Institutions and OpenSSF Premier members are eligible to host this security training course on their Learning Management System (LMS) for unlimited, complimentary access for students and employees. For more details and to indicate your interest, visit this request form.