-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create 2024-Q3-BEST-WG.md #359
Conversation
@SecurityCRob thanks a lot for the security baseline SIG update. I'm in the process of creating implementation plan to create the GitHub repo. Will share update as I make more progress. The doodle poll is rolling in, will share meeting time this Friday. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One question / comment, but generally LGTM!
- Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. | ||
#### Current Status | ||
|
||
#### Up Next |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Inside the OpenSSF, I feel like people generally understand that Scorecard is a framework for maintainers to walk them through improving their secure software development practices - sort of a gamified maturity model, if you will.
Outside the OpenSSF, we've seen a fair amount of confusion as to if the Scorecard scores should be used by consumers of open source software as a way to boil down risk assessment into a single number, the most recent example of this being https://openssf.slack.com/archives/C019M98JSHK/p1720098402786119.
I think the OpenSSF is aligned on that Scorecard is meant for maintainers and not consumers. Have we thought about how we might adjust our messaging to prevent this confusion in the future? I'm specifically thinking of places like https://github.com/ossf/scorecard and https://securityscorecards.dev/, but I'm open to other suggestions!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Counter point: I've seen enterprises seek to understand scorecard/scores as a way to automate risk when they consume OSS, and create mechanisms to automate OSS ingestion. The Metrics API SIG (under the former Metrics and Metadata WG) was creating an API where enterprises could pull Scorecard and other data into their processes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Relevant scorecard issue: ossf/scorecard#4219
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Err... The README starts with:
We created Scorecard to help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for the update
Signed-off-by: CRob <[email protected]>
typo Signed-off-by: CRob <[email protected]>
e9734ca
to
96ddb2f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
Co-authored-by: Marcela Melara <[email protected]> Signed-off-by: CRob <[email protected]>
Added more information for current state and next steps. Signed-off-by: Dana Wang <[email protected]>
updates per wheeler Signed-off-by: CRob <[email protected]>
I merged in David's updates for Badges and the Fundamentals class |
wheeler changes Signed-off-by: CRob <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added some bullet covering the Python Secure Coding Guide.
Co-authored-by: Georg Kunz <[email protected]> Signed-off-by: CRob <[email protected]>
Co-authored-by: Georg Kunz <[email protected]> Signed-off-by: CRob <[email protected]>
Co-authored-by: Georg Kunz <[email protected]> Signed-off-by: CRob <[email protected]>
added suggestions from gkunz Signed-off-by: CRob <[email protected]>
more contributor feedback Signed-off-by: CRob <[email protected]>
Co-authored-by: Thomas Nyman <[email protected]> Signed-off-by: CRob <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
-Would love to see a BEST chair co-lead
-Many thanks to Ericson for their contributions to the C++ Hardening Guide
-Kudos to OpenJS for contributing feedback to the Security Baseline SIG.
initial load of BEST WG TAC report. still waiting for WG member feedback prior to presenting