Democratizing the Secure Software Development Life Cycle
Unity is sharing an open version of its internal Secure Software Development Life Cycle (SSDLC) so that others can benefit from our work. Even better, we’re inviting everyone to contribute to improving it so that we can refine standards for best practices together.
Unity’s security team documented its SSDLC for developers who work at Unity to ensure the quality of our codebase security. This content comes from a variety of sources and distills industry best practices and the combined experience of our security team.
This information is not exhaustive, complete, or perfect, but we’re publishing it anyway – Unity’s SSDLC is now public, with a broad open-source license.
By releasing this set of documents openly, we hope to contribute to the broader security community and help other teams that are in the process of defining and developing their own SSDLC.
We also see this as a rare opportunity to recognize the excellent work of our security engineers. Security engineering efforts often go unrecognized, with little to no credit for establishing the practices that become industry standards. Authorship and attribution are a core tenet of this documentation. If it’s adopted by other companies, then we invite them to share it with their customers as well. Finally, it’s a chance for us to share some of the steps we take in securing our products with you, since we also want the creators and customers we serve to have the best advice possible to secure their hard work.
What’s in our SSDLC?
Without digging deep into the fine details, this section breaks down the structure of our library. We’ve organized our articles into five broad categories: Coding Practice, Language Best Practices, Security Process, Tools and Automation, and Training.
Coding Practice captures common security best practices from a source code perspective. Here, you’ll find our recommendations to developers around API best practices, common web attacks, and secrets management.
The Language Best Practices section digs into security considerations specific to different programming languages, with recommendations for Node.js, Golang, C#, and Ruby. We’d love to see you help us expand this section – there are a lot of languages out there!
The Security Process articles are potentially the most important, if least technical, area. This section will help you to establish consistency in your program and provide a process to properly triage risk in your organization. Here we cover our bug bar and risk rating systems, security requirements, and design and implementation reviews.
We’ll be adding to the Tools and Automation and Training sections after the team has prepared some of Unity’s internal security tooling for this open-source release.
Want our SSDLC? You can have it.
We designed this SSDLC for you to use as your own. That means you can clone or fork this repository, find and replace “Unity” with “WidgetCo,” and share it with your developers. The measure of our success for this project is that you clone and reuse it.
This release is just the beginning. We want your feedback. Fork it and make it better (and let us know so that we can adopt your version to improve our own), but please be sure to respect the contribution guidelines and share your knowledge and experience with the community. We’re excited to see our best practices merge with the community’s into a cohesive framework.