NCSSRs should address software development vulnerabilities and processes

[BenWilson-Mozilla]

Currently, the NCSSRs do not state what is required to ensure secure software development.

[clintwilson]

Discussed on June 3, 2025 NSWG call.
This is a topic where we could possibly incorporate external frameworks or standards, such as NIST 800-218, ISO 27000, CIS Control 16, etc.
This is also a type of recommendation that need not be limited to software development practices, e.g. extending this to include operational practices may be beneficial.
Either way, there's more that we could expand upon within the NCSSRs to provide better guidance.