In 2021, Trusted CI is conducting our focused "annual challenge" on the security (sometimes called "assurance") of software used by scientific computing and cyberinfrastructure. The goal of this year-long project, involving seven Trusted CI members, is to broadly improve the robustness of software used in scientific computing with respect to security. During the first part of the year, Trusted CI interviewed creators of scientific software and released a findings report based on those conversations. Part of that effort focused on identifying gaps in the software security of the projects and analyzing what barriers prevented them from being addressed. This guide is a direct result of those findings and attempts to begin bridging those gaps by providing concrete advice for anyone involved in developing or managing software for scientific projects. It is our hope that this effort will help scientific software projects better understand and ameliorate some of the most important gaps in the security of scientific software, and also to help policymakers understand those gaps so they can better understand the need for committing resources to improving the state of scientific software security. Ultimately, we hope that the effort will support scientific discovery itself by shedding light on the risks incurred in creating and using scientific software.

This document is a product of Trusted CI. Trusted CI is supported by the National Science Foundation under Grant #1920430. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.