
How to ensure trust in system software using Astra Linux as an example
Developing secure system software (such as an operating system or a DBMS) and ensuring trust in it are complicated scientific and technical tasks. In our presentation, we will demonstrate how we addressed these tasks for the Astra Linux OS, which is certified to comply with the highest security classes. We will discuss the key areas of our work, from the formation of national standards to the development and verification of the formal access model, which is the basis for the attack surface protection mechanism at the OS level. We will also share how we apply methods and technologies for dynamic and static analysis of program code, and explain how we collect and analyze the data obtained from analyzing the OS code. Finally, we will discuss how to fix code errors in the project with continuous integration.