Implement the application in a memory- and type-safe language. Appeals to use an unsafe language for performance must be substantiated with profile traces based on real-world usage (not microbenchmarks). Even then, only implement the performance-sensitive components in the unsafe language.
The application must have high unit test coverage.
If the application parses data, include fuzzers in the source tree and continuously run them on at least one (preferably thousands) of
If the application communicates on the network, it must use secure (authenticated, confidential) transport only (not optionally). Preferably, peers should pin each other’s public keys.
Fix security-relevant bugs in the open, and clearly mark them as such.
Provide frequent updates, delivered securely (e.g. signed and automatically — not manually — validated).
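As an added example (not part of the original text), the following Go code shows how the key-pinning and signed-update requirements above fit together: a client accepts a release artifact only if it was signed by a key whose digest matches a pin compiled into the client, and the check is performed by code rather than by a person. The Update type, the PinFor/SignUpdate/VerifyUpdate names, the (version || payload) signing layout, and the version-monotonicity check that rejects rollbacks are assumptions of this example, not something the text specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

// Update is a hypothetical release record: version, artifact bytes, signature.
type Update struct {
	Version uint64
	Payload []byte
	Sig     []byte
}

// PinFor is the SHA-256 of a public key; the client ships with the publisher's
// digest compiled in and refuses updates signed by any other key.
func PinFor(pub ed25519.PublicKey) [32]byte { return sha256.Sum256(pub) }

// signedMessage binds version to payload so a signature over one release
// cannot be replayed under a different version number.
func signedMessage(version uint64, payload []byte) []byte {
	msg := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(msg, version)
	return append(msg, payload...)
}

// SignUpdate is the publisher side: sign (version || payload) with the release key.
func SignUpdate(priv ed25519.PrivateKey, version uint64, payload []byte) Update {
	return Update{version, payload, ed25519.Sign(priv, signedMessage(version, payload))}
}

// VerifyUpdate is the automatic client check: pinned key, valid signature, and a
// version strictly newer than the installed one (rejects rollback and replay).
// The pin comparison is constant-time, which costs nothing here and avoids a habit of
// variable-time comparisons on security-relevant values.
func VerifyUpdate(pub ed25519.PublicKey, pin [32]byte, installed uint64, u Update) error {
	if h := sha256.Sum256(pub); subtle.ConstantTimeCompare(h[:], pin[:]) != 1 {
		return errors.New("signing key does not match pinned key")
	}
	if !ed25519.Verify(pub, signedMessage(u.Version, u.Payload), u.Sig) {
		return errors.New("signature does not verify")
	}
	if u.Version <= installed {
		return errors.New("version not newer than installed (rollback)")
	}
	return nil
}
```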
Minimize dependencies, and ensure that all dependencies