From 88902d405bc445df85efbd48823112b017b0b2e5 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Wed, 17 Jul 2024 09:38:48 -0400 Subject: [PATCH] Create 2024-Q3-BEST-WG.md Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- TI-reports/2024/2024-Q3-BEST-WG.md | 130 +++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) create mode 100644 TI-reports/2024/2024-Q3-BEST-WG.md diff --git a/TI-reports/2024/2024-Q3-BEST-WG.md b/TI-reports/2024/2024-Q3-BEST-WG.md new file mode 100644 index 00000000..e0726032 --- /dev/null +++ b/TI-reports/2024/2024-Q3-BEST-WG.md 
@@ -0,0 +1,130 @@ +# 2024 Q3 BEST WG + + +## Overview +The BEST Working group is officially a [Graduated-level](https://github.com/ossf/tac/blob/main/process/working-group-lifecycle.md) working group within the OpenSSF +Our Mission is to provide open source developers with security best practices recommendations and easy ways to learn and apply them. + +We seek to fortify the open-source ecosystem by championing and embedding best security practices, thereby creating a digital environment where both developers and users can trust and rely on open-source solutions without hesitation. + +The BEST Working Group continues to curate and create artifacts tailored towards (open source) developers and open source software consumers illustrating secure development best practices. This is done through the combination of training collateral, best practices guides, and educational awareness. + +- We envision a world where software developers can easily IDENTIFY good practices, requirements and tools that help them create and maintain secure world-class software, helping foster a community where security knowledge is shared and amplified. +- We seek to provide means to LEARN techniques of writing and identifying secure software using methods best suited to learners of all types. +- We desire to provide tools to help developers ADOPT these good practices seamlessly into their daily work. + + + +The group continues to be active and is working on several simultaneous projects aligned with our Mission & Vision. Attendence generally is down, and several former key contributors no longer attend meetings. 
+ + +### Key Resources +- Best Practices for OSS For Software Developers [link](https://best.openssf.org/developers) +- Best Practices Guides [link](https://openssf.org/resources/guides/) +- Secure Software Development Fundamentals Course [LFD121](https://training.linuxfoundation.org/training/developing-secure-software-lfd121/) +- Security Toolbelt - ARCHIVED - [link](https://github.com/ossf/toolbelt) + +### Sub-groups +- Guides - [link](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs) +- EDU.SIG - [link](https://github.com/ossf/education/) +- Memory Safety SIG - [link](https://github.com/ossf/Memory-Safety) +- OpenSSF Best Practices Badge - [link](https://www.bestpractices.dev/) +- Scorecard - [link](https://github.com/ossf/scorecard) +- Secure Software Development Fundamentals course - [link](https://github.com/ossf/secure-sw-dev-fundamentals) +- Security Baseline - [link]( + +### Leads +- WG - CRob +- BP Badge and SecDev course - David Wheeler +- Compiler Hardening Guides - Thomas Nyman & Geog Kunz +- EDU SIG - CRob & Dave Russo +- Mem Safety SIG - Nell Shamrell-Harrignton & Avishay Balter +- Python Hardening Guide - Helge & Georg +- Scorecard - Laurent Simon & Stephen Augustus +- Security Baseline - Eddie Knight +- WebDev Sec BP - Daniel Appelquist + +## Activity +### Best Practices Badge +#### Purpose +- The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify, at no cost, by using this web application to explain how they follow each best practice. 
+#### Current Status +- +- #### Up Next +- TBD + +### Concise Guides +#### Purpose +- Artifacts that consolidate BEST practices in OSS software development and management techniques +#### Current Status +- Continued revisions, updates, & enhancements to these core guides +#### Up Next +- TBD + +### EDU.SIG +#### Purpose +- Deliver Baseline Secure Software Development Education and Certification to All. Provide access to open and widely available education materials to all learners. +Materials will be maximally accessible and easy to consume for all learners. +#### Current Status +- Many simultaneous activities +- Recent release of LF Research study on Security Edutation for Developers +- Academic Accredidation team working on kicking off program to "certify" collegiate programs that meet OpenSSF & CNCF best practices +- Security for Developer Managers class progressing into two pieces of collateral: Manager class & terms-definitions +#### Up Next +- Security Architect class outline reviewed and content development will come next +- "201 level" class will come after +- +### Memory Safety SIG +#### Purpose +- The Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to advance and deliver upon The OpenSSF's Mobilization Plan - Stream 4. +#### Current Status +-Have drafted a “Memory Safety Continuum” concept document +- Have gathered guides/practices related to best memory safety practices in both memory safe by default and non memory safe by default languages +#### Up Next +- Produce a Memory Safety workshop (modeled after W3C workshops). Theme is “Improving Memory Safety in an Imperfect World” +- Finalize Memory Safety Continuum doc + +### Python Hardening Guide +#### Purpose + +#### Current Status + +#### Up Next + +### Scorecard +#### Purpose +-To help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe. 
+- Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. +#### Current Status + +#### Up Next + + +### Security Baseline +#### Purpose +- The goal of this SIG is to evolve OpenSSF security baseline for Linux Foundation wide adoption. +- For OpenSSF adoption of the security baseline, there needs to be a home for tracking the adoption, for maintainers to raise issues to refine the security baseline, merge the baseline back to TAC lifecycle, and for OpenSSF to develop the roadmap for the security baseline. It will provide a venue for early adopters to share their reusable code and findings with other maintainers. The pilot adoption builds the foundation for wider adoption of the security baseline in OpenSSF and in Linux Foundation. +- This SIG creates a venue for other participating foundations to help evolve the OpenSSF security baseline into a security baseline that can be applied to a broad range of software-based projects. The group will define the right level of risks that the security baseline is applicable for, the effectiveness measurement of the security baseline, and the adoption path of the security baseline at the minimum. +#### Current Status +- on 16July the WG voted to adopt the OpenSSF Security Baseline as a SIG within our group. +- Eddie Knight will help lead the cross-foundation effort +- 3 OpenSSF Projects will work to comply with the Security Baseline by this fall. +- CNCF & FINOS will also be collaborating on this effort +#### Up Next +- Get SIG resources setup (Gitbug, mailing list, slack,etc.) 
+- Determine meeting time + +### Web Developer Security Guide +#### Purpose + +#### Current Status + +#### Up Next- Joint venture with W3C, focused on improving education & awareness for web developers +- [BEST Issue 367](https://github.com/ossf/wg-best-practices-os-developers/issues/367) + + + +## Previous Updates +[April 2024](https://docs.google.com/presentation/d/1XjaJa2yxWgRmXhpv0N1_oPG23JPpJY_9zpSOMvqccUM/) +[Dec 2023](https://docs.google.com/presentation/d/1A8Sxm1L3_GcWZqaXepqT1Pj-1sULzUG7fRkCP5tTr24/) +[Sept 2023](https://docs.google.com/presentation/d/1BPSYzk9J33Xl08uekuDBlgJjhiJIMt5B_eBvZ9PetIo/)
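Review bot: The Security Baseline entry under "### Sub-groups" is an unterminated markdown link, `- Security Baseline - [link](`, and will render as literal text; the URL needs to be filled in and the parenthesis closed before merging. Several other list and heading lines in this hunk will not render as intended: `+- ` under "Best Practices Badge / Current Status" is an empty bullet and the following `+- #### Up Next` puts the heading inside a bullet, so "Up Next" will not become a heading; `+#### Up Next- Joint venture with W3C...` under "Web Developer Security Guide" fuses the heading with its first item and should be split onto two lines; and `-Have drafted a “Memory Safety Continuum” concept document` and `-To help open source maintainers...` lack the space after the hyphen that markdown needs to recognise a list item. The Python Hardening Guide, Scorecard "Current Status"/"Up Next", and Web Developer Security Guide "Purpose"/"Current Status" sections are empty; either add a short status line or a "TBD" as the other sections do, so readers can tell an empty section from an unfinished edit. Spelling to fix before merging: "Attendence", "Edutation", "Accredidation", "Harrignton" (the Memory Safety lead is Nell Shamrell-Harrington), "Geog Kunz" (the same person is "Georg" in the Python Hardening Guide line), and "Gitbug" in "Get SIG resources setup (Gitbug, mailing list, slack,etc.)", which presumably means GitHub. Minor: the Overview sentence "working group within the OpenSSF" is missing its full stop, and "on 16July" needs a space.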