diff --git a/.github/scripts/fetch_readmes.js b/.github/scripts/fetch_readmes.js index b12f3c5..9134caa 100644 --- a/.github/scripts/fetch_readmes.js +++ b/.github/scripts/fetch_readmes.js @@ -15,8 +15,7 @@ const DIR_PATH = path.join(__dirname, "..", ".."); const repoList = yaml.load(fs.readFileSync(REPO_LIST_PATH, "utf8")); const sectionOrder = [ - ["Motivation"], - ["Objective"], + ["Mission"], ["Vision"], ["Scope"], ["Current Work", "Active Projects"], @@ -112,9 +111,11 @@ function appendRepoInfoToMainReadme() { const logoUrl = repoData.logo ? `https://raw.githubusercontent.com/${orgName}/community/main/.github/logos/${repoData.logo}` : null; newSectionContent += `\n ### [${repoData.newRepoName}](${newRepoUrl})\n`; + if (logoUrl) { - newSectionContent += `\n ![Logo](${logoUrl})\n`; + newSectionContent += `\n image\n`; + } newSectionContent += `\n ${repoData.description}\n`; @@ -171,6 +172,6 @@ async function fetchReadmes() { appendRepoInfoToMainReadme(); } - -fetchReadmes(); +appendRepoInfoToMainReadme(); +//fetchReadmes(); diff --git a/README.md b/README.md index c8bb73f..5f19545 100644 --- a/README.md +++ b/README.md @@ -461,7 +461,8 @@ We meet on the first Wednesday of each month or join us on the slack channel [#a ## Work Group Information -### [tac](https://github.com/ossf/tac) + + ### [tac](https://github.com/ossf/tac) The OpenSSF Technical Advisory Council is responsible for oversight of the various Technical Initiatives (TI) of the OpenSSF. @@ -477,9 +478,10 @@ We meet on the first Wednesday of each month or join us on the slack channel [#a **Our Group Lead(s):** - [Christopher CRob Robinson](https://github.com/SecurityCRob) -
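Review bot: In the second hunk `logoUrl` is still built from `repoData.logo` but no longer appears in the output — the new line writes the literal text ` image` (this may be an `<img>` tag whose markup was stripped in this rendering), so `logoUrl` now serves only as a flag. If the real line is something like `<img src="${logoUrl}">`, `repoData.logo` travels straight from the YAML repo list into a raw URL and an HTML attribute inside the generated README; a shape check before interpolating would keep a stray `/`, `..` or quote out of the result, e.g. `if (repoData.logo && !/^[\w.-]+$/.test(repoData.logo)) throw new Error(\`bad logo name: ${repoData.logo}\`);`. The enclosing function `appendRepoInfoToMainReadme` starts before the hunk and continues past it.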
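Review bot: The third hunk replaces the `fetchReadmes()` call with a direct `appendRepoInfoToMainReadme()` and leaves `//fetchReadmes();` at the foot of the script, so the async `fetchReadmes` is now defined but unreachable and a commented-out call is the only hint why. If fetching is meant to stay off, either remove the dead function or say so where the call used to be, e.g. `// READMEs are no longer fetched at build time; the main README is regenerated from the local repo list only.` — commented-out invocations tend to be re-enabled without review. If it is ever restored, give the async call a rejection handler (`fetchReadmes().catch((err) => { console.error(err); process.exitCode = 1; });`) so a failed fetch fails the job instead of surfacing only as an unhandled-rejection warning.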

### [wg-best-practices-os-developers](https://github.com/ossf/wg-best-practices-os-developers) +

+ ### [wg-best-practices-os-developers](https://github.com/ossf/wg-best-practices-os-developers) - ![Logo](https://raw.githubusercontent.com/ossf/community/main/.github/logos/best_logo.png) + image Want to help drive open source security education or help develop best practices? We have a lot of projects and groups that are working towards these goals. @@ -495,7 +497,8 @@ We meet on the first Wednesday of each month or join us on the slack channel [#a **Our Group Lead(s):** - [Christopher CRob Robinson](https://github.com/SecurityCRob) -

### [ai-ml-security](https://github.com/ossf/ai-ml-security) +

+ ### [ai-ml-security](https://github.com/ossf/ai-ml-security) We formed in September 2023 after the growing problem of AI/ML Security in open source. Join is to discuss the possible security impacts of AI / ML technologies on open source software, maintainers, communities, and their adopters, along with how OSS projects could safely or effectively leverage LLMs to improve their security posture. @@ -511,9 +514,10 @@ We meet on the first Wednesday of each month or join us on the slack channel [#a **Our Group Lead(s):** - [Mihai Maruseac](https://github.com/mihaimaruseac) -

### [wg-vulnerability-disclosures](https://github.com/ossf/wg-vulnerability-disclosures) +

+ ### [wg-vulnerability-disclosures](https://github.com/ossf/wg-vulnerability-disclosures) - ![Logo](https://raw.githubusercontent.com/ossf/community/main/.github/logos/vuln_logo.png) + image We are improving the overall security of the OSS ecosystem by helping advance vulnerability reporting and communication. @@ -529,7 +533,8 @@ We meet on the first Wednesday of each month or join us on the slack channel [#a **Our Group Lead(s):** - [Christopher CRob Robinson](https://github.com/SecurityCRob) -

### [wg-dei](https://github.com/ossf/wg-dei) +

+ ### [wg-dei](https://github.com/ossf/wg-dei) We formed in December 2023 to help increase representation and strengthen the overall effectiveness of the cybersecurity workforce. @@ -545,7 +550,8 @@ We meet on the first Wednesday of each month or join us on the slack channel [#a **Our Group Lead(s):** - [Jay White](https://github.com/camaleon2016) -

### [wg-endusers](https://github.com/ossf/wg-endusers) +

+ ### [wg-endusers](https://github.com/ossf/wg-endusers) We represent the interests of public and private sector organizations that primarily consume open source rather than produce it. Right now, we are focusing on threat modeling. Join us to see how threat modeling works and get your ideas in the current scope. @@ -561,7 +567,8 @@ We meet on the first Wednesday of each month or join us on the slack channel [#a **Our Group Lead(s):** - [Jonathan Meadows](https://github.com/jonmuk) -

### [wg-identifying-security-threats](https://github.com/ossf/wg-identifying-security-threats) +

+ ### [wg-identifying-security-threats](https://github.com/ossf/wg-identifying-security-threats) Now called Metrics & Metadata! We enable informed confidence in the security of OSS by collecting, curating, and communicating relevant metrics and metadata. Our WG has mostly projects that focus on the code to get this done. @@ -577,7 +584,8 @@ We meet on the first Wednesday of each month or join us on the slack channel [#a **Our Group Lead(s):** - [Michael Scovetta](https://github.com/scovetta) -

### [wg-security-tooling](https://github.com/ossf/wg-security-tooling) +

+ ### [wg-security-tooling](https://github.com/ossf/wg-security-tooling) Our mission is to provide the best security tools for open source developers and make them universally accessible. We talk a lot about SBOMs currently. @@ -593,7 +601,8 @@ We meet on the first Wednesday of each month or join us on the slack channel [#a **Our Group Lead(s):** - [Ryan Ware](https://github.com/ware) -

### [wg-securing-software-repos](https://github.com/ossf/wg-securing-software-repos) +

+ ### [wg-securing-software-repos](https://github.com/ossf/wg-securing-software-repos) We provide a collaborative environment for aligning on the introduction of new tools and technologies to strengthen and secure software repositories. Our current project is Repository Service for TUF, join to learn more. @@ -609,7 +618,8 @@ We meet on the first Wednesday of each month or join us on the slack channel [#a **Our Group Lead(s):** - [Dustin Ingram](https://github.com/di) -

### [wg-supply-chain-integrity](https://github.com/ossf/wg-supply-chain-integrity) +

+ ### [wg-supply-chain-integrity](https://github.com/ossf/wg-supply-chain-integrity) We are helping people understand and make decisions on the provenance of the code they maintain, produce and use. We have great projects like GUAC, SLSA and gittuf that you can work with. @@ -626,7 +636,8 @@ We meet on the first Wednesday of each month or join us on the slack channel [#a - [Isaac Hepworth](https://github.com/hepwori) - [Dan Lorenc](https://github.com/dlorenc) -

### [wg-securing-critical-projects](https://github.com/ossf/wg-securing-critical-projects) +

+ ### [wg-securing-critical-projects](https://github.com/ossf/wg-securing-critical-projects) Wonder how critical OSS projects are selected? Then join us! We have progress reports every other week on each project/SIG so it is easy to jump in and get going. diff --git a/ai-ml-security/README.md b/ai-ml-security/README.md deleted file mode 100644 index edbf3ec..0000000 --- a/ai-ml-security/README.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# AI/ML Security WG - -We formed in September 2023 after the growing problem of AI/ML Security in open source. Join is to discuss the possible security impacts of AI / ML technologies on open source software, maintainers, communities, and their adopters, along with how OSS projects could safely or effectively leverage LLMs to improve their security posture. - - - The designated lead(s): -- [Mihai Maruseac](https://github.com/mihaimaruseac) - -This is the GitHub repository of the [OpenSSF](https://openssf.org) Artificial Intelligence / Machine Learning (AI/ML) Security Working Group (WG). The OpenSSF Technical Advisory Council (TAC) approved its creation on 2023-09-05. - -Anyone is welcome to join our open discussions. - -WG Co-Chairs: - -Jay White - GitHub @camaleon2016 - -Mihai Maruseac - GitHub @mihaimaruseac - - - - - - - - -## Motivation - -TBD - -## Objective - -TBD - -## Vision - -TBD - -## Scope - -TBD - -## Current Work - -We welcome contributions, suggestions and updates to our projects. To contribute to work on GitHub, please fill in an issue or create a pull request.. - - - -## Active Projects - -TBD - -## Contribute - -TBD - -## Quick Start - -TBD - -## Get Involved - -TBD - -## Meeting times - -TBD - -## Meeting Notes - -TBD - -## Licenses - -Unless otherwise specifically noted, software released by this working -group is released under the [Apache 2.0 license](LICENSES/Apache-2.0.txt), -and documentation is released under the -[CC-BY-4.0 license](LICENSES/CC-BY-4.0.txt). -Formal specifications would be licensed under the -[Community Specification License](https://github.com/CommunitySpecification/1.0). - -## Charter - -Like all OpenSSF working groups, this working group reports to the -[OpenSSF Technical Advisory Council (TAC)](https://github.com/ossf/tac). -For more organizational information, see the -[OpenSSF Charter](https://openssf.org/about/charter/). 
- -## Governance - -TBD - -## Antitrust Policy - -TBD - -## Antitrust Policy Notice - -Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. - -Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at . If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation - -## How to Participate - -* We have bi-weekly meetings via Zoom. To join, please see the [OpenSSF Public Calendar](https://calendar.google.com/calendar/u/0/r?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ) -* Informal chat is welcome on the [OpenSSF Slack channel #wg_ai_ml_security](https://openssf.slack.com/archives/C0587E513KR) (these disappear over time) -* Mailing list [openssf-wg-ai-ml-security](https://lists.openssf.org/g/openssf-wg-ai-ml-security) \ No newline at end of file diff --git a/tac/README.md b/tac/README.md deleted file mode 100644 index 63e48a8..0000000 --- a/tac/README.md +++ /dev/null 
@@ -1,155 +0,0 @@ -# OpenSSF Technical Advisory Council (TAC) - -The OpenSSF Technical Advisory Council is responsible for oversight of the various Technical Initiatives (TI) of the OpenSSF. - - - The designated lead(s): -- [Christopher CRob Robinson](https://github.com/SecurityCRob) - -The OpenSSF Technical Advisory Council is responsible for oversight of the various Technical Initiatives (TI) of the OpenSSF. - -## Motivation - -TBD - -## Objective - -TBD - -## Vision - -TBD - -## Scope - -TBD - -## Current Work - -TBD - -## Active Projects - -TBD - -## Contribute - -TBD - -## Quick Start - -TBD - -## Get Involved - -Although the TAC is composed of a set of official members listed below, any community member is welcome to participate in the TAC discussions. - -Official communications occur on the [TAC mailing list](https://lists.openssf.org/g/openssf-tac/topics). [Manage your subscriptions to Open SSF mailing lists](https://lists.openssf.org/g/main/subgroups). - -Informal discussions occur in the TAC channel of the [OpenSSF Slack](https://slack.openssf.org/). -To join, use the following [invite link](https://join.slack.com/t/openssf/shared_invite/zt-xoktwsef-VzM~b22G2gfT_~4woTTsQA). - -Use [GitHub Issues](https://github.com/ossf/tac/issues) to request and discuss agenda items. - -If you need support in any part of the process, please email [operations@openssf.org](mailto:operations@openssf.org?subject=GitHub%20Issue). - -## Meeting times - -TBD - -## Meeting Notes - -TBD - -## Licenses - -TBD - -## Charter - -The TAC is chartered as part of the [Open Source Security Foundation Charter](https://openssf.org/about/charter/). - -## Governance - -TBD - -## Antitrust Policy - -Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. 
It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. - -Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at . If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation - -## Antitrust Policy Notice - -TBD - -## Meetings - -The TAC [meetings minutes](https://docs.google.com/document/d/1706vJpuyq4NpHpVYsOTeU90j5RpoJREX7MRlhAo-CW4/edit?usp=sharing) are online and appear on the [OpenSSF Community Calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ). - -Meetings are also recorded and posted to the [OpenSSF YouTube channel](https://www.youtube.com/channel/UCUdhiXNEBEayowJXY_v7AXQ/). 
- -## TAC Members - -| Name | Position | Email | Organization | Term | -| ---------------- | :--------: | ------------------------------ | ------------ | --------------------------| -| Arnaud J Le Hors | Vice Chair | lehors@us.ibm.com | IBM | April 2023 - March 2024\* | -| Bob Callaway | | bcallaway@google.com | Google | April 2023 - March 2024 | -| Christopher "CRob" Robinson | Chair | christopher.robinson@intel.com | Intel | April 2023 - March 2024\* | -| Dan Appelquist | | dan@torgo.com | Independent | August 2023 - March 2024 | -| Dustin Ingram | | dii@google.com | Google | April 2023 - March 2024 | -| Michael Lieberman| | mike@kusari.dev | Kusari | July 2023 - March 2024 | -| Zach Steindler | | steiza@github.com | GitHub | April 2023 - March 2024\* | - -NOTE: \* marked entries denote OpenSSF Governing Board appointed members, others are community elected. - -## Technical Initiatives - -The governance of TIs is documented in [the process section](process). This section provides you with all the information about the different types of initiatives and how they are managed, as well as how to propose a new initiative. It also covers the different levels of maturity a TI can be in, the requirements that must be met to move up to the next level, as well as the benefits that come with each level. 
- -The following Technical Initiatives have been approved by the TAC: - -### Working Groups - -| Name | Repository | Notes | Status | -| ---------------------------- | ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | ---------- | -| Vulnerability Disclosures | https://github.com/ossf/wg-vulnerability-disclosures | [Meeting Notes](https://github.com/ossf/wg-vulnerability-disclosures/tree/main/docs/meeting-notes) | Incubating | -| Security Tooling | https://github.com/ossf/wg-security-tooling | [Meeting Notes](https://docs.google.com/document/d/1jzxhzIfkOMTagpeFWYoZpMKwHYeO4Gc7Eq5FcMFEw2c/edit#heading=h.wdz394z3k3h2) | Incubating | -| Security Best Practices | https://github.com/ossf/wg-best-practices-os-developers | [Meeting Notes](https://github.com/ossf/wg-best-practices-os-developers/blob/main/meeting-minutes.md) | Incubating | -| Identifying Security Threats | https://github.com/ossf/wg-identifying-security-threats | [Meeting Notes](https://docs.google.com/document/d/14_ILDhSK3ymKqUTQeQBRgJKgfiy_ePoGZIe8s7p3K5E/edit) | Incubating | -| Securing Critical Projects | https://github.com/ossf/wg-securing-critical-projects | [Meeting Notes](https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit) | Incubating | -| Supply Chain Integrity | https://github.com/ossf/wg-supply-chain-integrity | [Meeting Notes](https://docs.google.com/document/d/1xPs2sSbH3I9Ich7OyLOzl85oJshnK8Q6WoAgREE5-zA/edit) | Incubating | -| Securing Software Repositories | https://github.com/ossf/wg-securing-software-repos | [Meeting Notes](https://docs.google.com/document/d/1-f6m442MHg9hktrbcp-4sM9GbZC3HLTpZPpxMXjMCp4/edit) | Incubating | -| End Users | https://github.com/ossf/wg-endusers | [Meeting Notes](https://docs.google.com/document/d/1abI65H4pF5y8YtA2_TuDBAaI47v9mTfpr5mwVvccX_I/edit) | Incubating | - -### Overview Diagrams - -Diagrams with an overview of 
the OpenSSF, including its projects and SIGs, are available in the presentation [OpenSSF Introduction (including Diagrammers’ Society diagrams)](https://docs.google.com/presentation/d/1DpB-WPz4yimdF7DDH4waR_zdi7X5WumgoptcqwkMg-s/edit?usp=sharing) as created and maintained by the [OpenSSF Diagrammer's Society](https://github.com/ossf/Diagrammers-Society). - -### Projects - -| Name | Repository/Home Page | Notes | Sponsoring Org | Status | -| ---------------------- | ---------------------------------------- | ----------------------------------------------------------------------------------------------------- | -------------- |---------- | -| Allstar | https://github.com/ossf/allstar | [Meeting Notes](https://docs.google.com/document/d/1b6d3CVJLsl7YnTE7ZaZQHdkdYIvuOQ8rzAmvVdypOWM/edit?usp=sharing) | Securing Critical Projects WG | TBD | -| Best Practices Badge | https://github.com/coreinfrastructure/best-practices-badge | [Mailing list](https://lists.coreinfrastructure.org/mailman/listinfo/cii-badges) | Best Practices WG | TBD | -| Criticality Score | https://github.com/ossf/criticality_score | [Meeting Notes](https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit?usp=sharing) | Securing Critical Projects WG | TBD | -| Fuzz Introspector | https://github.com/ossf/fuzz-introspector | [Meeting Notes](https://docs.google.com/document/d/1jzxhzIfkOMTagpeFWYoZpMKwHYeO4Gc7Eq5FcMFEw2c/edit?usp=sharing) | Security Tooling WG | TBD | -| GUAC | https://github.com/guacsec/guac | [Meeting Notes](https://docs.google.com/document/d/1ImSlr_t3WNZ3zWqpmfqkw1mi6_nkv3enkQ7snWDomKA/edit) | Supply Chain Integrity WG | Incubating | -| gittuf | https://github.com/gittuf/gittuf | TBD | Supply Chain Integrity WG | Sandbox | -| OSV Schema | https://github.com/ossf/osv-schema | [Meeting Notes](https://docs.google.com/document/d/1jzqhW9SK9QRA39fQz0RiAkvpRWB0xztt1TAFJEseTlA/edit?usp=sharing) | Vulnerability Disclosures WG | TBD | -| Package Analysis | 
https://github.com/ossf/package-analysis | [Meeting Notes](https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit) | Securing Critical Projects WG | TBD | -| Package Feeds | https://github.com/ossf/package-feeds | [Meeting Notes](https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit) | Securing Critical Projects WG | TBD | -| Repository Service for TUF | https://github.com/repository-service-tuf/repository-service-tuf | [Meeting Notes](https://docs.google.com/document/d/13a_AtFpPK9WO4PlAN6ciD-G1jiBU3gEDtRD1OUinUFY/edit) | Securing Software Repositories WG | Sandbox | -| SBOMit | https://github.com/sbomit | [Meeting Notes](https://docs.google.com/document/d/1-nHXMqvWNzgOxAq08O8Wu2BTHz0U60yBoAklrJAMaRc/edit?usp=sharing) | Security Tooling WG | Sandbox | -| Scorecard | https://github.com/ossf/scorecard | [Meeting Notes](https://docs.google.com/document/d/1b6d3CVJLsl7YnTE7ZaZQHdkdYIvuOQ8rzAmvVdypOWM/edit?usp=sharing) | Best Practices WG | TBD | -| Security Insights Spec | https://github.com/ossf/security-insights-spec | [Meeting Notes](https://docs.google.com/document/d/14_ILDhSK3ymKqUTQeQBRgJKgfiy_ePoGZIe8s7p3K5E/edit?usp=sharing) | Identifying Security Threats WG | TBD | -| Security Metrics | https://github.com/ossf/Project-Security-Metrics | [Meeting Notes](https://docs.google.com/document/d/14_ILDhSK3ymKqUTQeQBRgJKgfiy_ePoGZIe8s7p3K5E/edit#heading=h.apj7ueyomk4r) | Identifying Security Threats WG | TBD | -| Sigstore | https://github.com/sigstore | [Meeting Notes](https://docs.google.com/document/d/1bsl-Y0KulSD7O_nTekad1sAKOVRb80wyGb-Q5x-zdg0/edit) | OpenSSF TAC | TBD | -| SLSA Tooling | https://github.com/ossf/wg-supply-chain-integrity/blob/main/slsa-tooling.md | [Meeting Notes](https://docs.google.com/document/d/18oj3CLJQhZj1dMHKDTq_1kKg0syysKCS7pLyXlw1SRc/edit#heading=h.yfiy9b23vayj) | Supply Chain Integrity WG | TBD | - -### OpenSSF affiliated projects - -| Name | Repository | Notes | Status | -| 
-------------------------- | ----------------------------------- | ----- | ------ | -| Core Toolchain Infrastructure | Coming Soon | TBD | TBD | -| Alpha Omega | https://github.com/ossf/alpha-omega | TBD | TBD | \ No newline at end of file diff --git a/wg-best-practices-os-developers/README.md b/wg-best-practices-os-developers/README.md deleted file mode 100644 index 0ed46fa..0000000 --- a/wg-best-practices-os-developers/README.md +++ /dev/null 
@@ -1,261 +0,0 @@ -# Best Practices for Open Source Developers - -Want to help drive open source security education or help develop best practices? We have a lot of projects and groups that are working towards these goals. - - - The designated lead(s): -- [Christopher CRob Robinson](https://github.com/SecurityCRob) - -[![GitHub Super-Linter](https://github.com/ossf/wg-best-practices-os-developers/workflows/Lint%20Code%20Base/badge.svg)](https://github.com/marketplace/actions/super-linter) - -Anyone is welcome to join our open discussions related to the group's mission and charter. - -## Motivation - -TBD - -## Objective - -TBD - -## Vision -- We envision a world where software developers can easily IDENTIFY good practices, requirements and tools that help them create and maintain secure world-class software, helping foster a community where security knowledge is shared and amplified. -- We seek to provide means to LEARN techniques of writing and identifying secure software using methods best suited to learners of all types. -- We desire to provide tools to help developers ADOPT these good practices seamlessly into their daily work. - - - -## Scope - -The Developer Best Practices group wants to help identify and curate an accessible [inventory](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/inventory.md) of best practices - -- Prioritized according to ROI for open source developers -- Categorized per technology, language, framework -- Community-curated - -## Current Work -We welcome contributions, suggestions and updates to our projects. To contribute please fill in an [issue](https://github.com/ossf/wg-best-practices-os-developers/issues) or create a [pull request](https://github.com/ossf/wg-best-practices-os-developers/pulls). 
- -We typically use the [Simplest Possible Process (SPP)](https://best.openssf.org/spp/Simplest-Possible-Process) to publish and maintain the documents we publish; see the [SPP documentation](https://best.openssf.org/spp/Simplest-Possible-Process) if you have questions about it. - -Our work is organized into several discrete-yet-related projects that help us achieve our goals: - -| Effort | Description | Git Repo | Slack Channel | Mailing List | -| ------------------ | ------------------------ | ------------------- | ----------- | ---------- | -| Best Practices Guides | Longer reference documents on implementing specific secure techniques | - [Compiler Options Hardening Guide for C and C++](https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++),

- [Existing Guidelines for Developing and Distributing Secure Software](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Existing%20Guidelines%20for%20Developing%20and%20Distributing%20Secure%20Software.md),

- [Package Manager Best Practices (incubating)](https://github.com/ossf/package-manager-best-practices),

- [npm Best Practices Guide](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md),

- [Source Code Management Platform Configuration Best Practices](docs/SCM-BestPractices/README.md) | [SCM Slack](https://openssf.slack.com/archives/C058EC1EZ5Y) | -| Concise Guides SIGs | Quick Guidance around Open Source Software Develpment Good Practices | - [Concise Guide for Developing More Secure Software](https://best.openssf.org/Concise-Guide-for-Developing-More-Secure-Software),

- [Concise Guide for Evaluating Open Source Software](https://best.openssf.org/Concise-Guide-for-Evaluating-Open-Source-Software) | | [Mailing List](https://lists.openssf.org/g/openssf-wg-best-practices) | -| Education SIG - (incubating) | To provide industry standard secure software development training materials that will educate learners of all levels and backgrounds on how to create, compose, deploy, and maintain software securely using best practices in cyber and application security. | [EDU.SIG](https://github.com/ossf/education/) | [stream-01-security-education](https://openssf.slack.com/archives/C03FW3YGXH9) | [Mailing List](https://lists.openssf.org/g/openssf-sig-education) | -|[OpenSSF Best Practices Badge - formerly CII Best Practices badge](https://www.bestpractices.dev/) | Identifies FLOSS best practices & implements a badging system for those practices, | | | -| OpenSSF Scorecard Project | Automate analysis and trust decisions on the security posture of open source projects |[Scorecard Repo](https://github.com/ossf/scorecard) | [security_scorecards](https://openssf.slack.com/archives/C0235AR8N2C) | | -| [Secure Software Development Fundamentals - online course](https://openssf.org/training/courses/) |Teach software developers fundamentals of developing secure software | [GitHub](https://github.com/ossf/secure-sw-dev-fundamentals) | | | -| Memory Safety SIG | The Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to advance and deliver upon The OpenSSF's Mobilization Plan - Stream 4. 
|[Git Repo](https://github.com/ossf/Memory-Safety) | [Slack](https://openssf.slack.com/archives/C03G8NZH58R) | [Mailing List](https://lists.openssf.org/g/openssf-sig-memory-safety) | -| The Security Toolbelt | Assemble a “sterling” collection of capabilities (**software frameworks, specifications, and human and automated processes**) that work together to **automatically list, scan, remediate, and secure the components flowing through the software supply chain** that come together as software is written, built, deployed, consumed, and maintained. Each piece of the collection will represent an **interoperable** link in that supply chain, enabling adaptation and integration into the major upstream language toolchains, developer environments, and CI/CD systems. | [Security Toolbelt](https://github.com/ossf/toolbelt) | [security-toolbelt](https://openssf.slack.com/archives/C057BN7K19B) | [Mailing List](Openssf-sig-sterling-toolchain@lists.openssf.org) | -| [SKF - Security Knowledge Framework](https://www.securityknowledgeframework.org/) | Learn to integrate security by design in your web application | | | - -## Active Projects - -TBD - -## Contribute - -TBD - -## Quick Start - -## Get Involved - -Anyone is welcome to join our open discussions related to the group's mission and charter. 
- -- [2023 Meeting Notes](https://docs.google.com/document/d/1UClGUnOSkOH_wab6Lx43KUdkaK37L8sbWJ_GPZvc1YY/edit?usp=sharing) -- [2022 Meeting Minutes](https://docs.google.com/document/d/159RLmTvW-G6DqDOw3ya-7RI5KNNd1yHxQ5XP0D9OB4o/edit?usp=sharing) -- [Historic Group Notes 1](https://github.com/ossf/wg-best-practices-oss-developers/blob/main/meeting-minutes.md) -- [Historic Notes 2021](https://docs.google.com/document/d/1Fw6EIk47_rUFmi6m7jYObFofcD6gj1FK-QgGC8YuUr0/edit?usp=sharing) -- [Recent WG report to the TAC on activities and project statuses](https://docs.google.com/presentation/d/1BPSYzk9J33Xl08uekuDBlgJjhiJIMt5B_eBvZ9PetIo/edit?pli=1#slide=id.g24e2f2581b2_0_147) -- [Discussions](https://github.com/ossf/wg-best-practices-os-developers/discussions) -- Official communications occur on the Best Practices [mailing list](https://lists.openssf.org/g/openssf-wg-best-practices) -- [Manage your subscriptions to Open SSF mailing lists](https://lists.openssf.org/g/main/subgroups) -- Join the conversation on [Slack](https://openssf.slack.com/archives/C01AHCRP8BT) - -## Meeting Times - -Every 2 weeks, Tuesday 10am EST. 
The meeting invite is available on the [public OSSF calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ) - -| Effort | Meeting Times | Meeting Notes/Agenda | Git Repo | Slack Channel | Mailing List | -| :----------: | :------------------------------------------------------: | :------------------------: | :-------------------: | :-----------: | :----------: | -| Full WG | Every 2nd Tuesday 7:00a PT/10:00a ET/1400 UTC | [Meeting Notes](https://docs.google.com/document/d/1UClGUnOSkOH_wab6Lx43KUdkaK37L8sbWJ_GPZvc1YY/edit?usp=sharing) | [Git Repo](https://github.com/ossf/wg-best-practices-os-developers) | [Slack](https://openssf.slack.com/archives/C01AHCRP8BT) | [Mailing List](https://lists.openssf.org/g/openssf-wg-best-practices) | -| Concise Guides - C/C++ Compiler Hardening Options | Occurs every 2nd Wednesday 6:00a PT/9:00a ET/1400 UTC | [Meeting Notes](https://docs.google.com/document/d/1UClGUnOSkOH_wab6Lx43KUdkaK37L8sbWJ_GPZvc1YY/edit?usp=sharing) | [Git Repo](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler_Hardening_Guides/Compiler-Options-Hardening-Guide-for-C-and-C%2B%2B.md) | [Slack](https://openssf.slack.com/archives/C01AHCRP8BT) | [Mailing List](https://lists.openssf.org/g/openssf-wg-best-practices) | [Mailing List](https://lists.openssf.org/g/openssf-wg-best-practices) | -| Concise Guides - Source Code Management Best Practices | Occurs every 2nd Thursday 7:00a PT/10:00a ET/1400 UTC | [Meeting Notes](https://docs.google.com/document/d/1UClGUnOSkOH_wab6Lx43KUdkaK37L8sbWJ_GPZvc1YY/edit?usp=sharing) | [Git Repo](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/SCM-BestPractices) | [Slack](https://openssf.slack.com/archives/C01AHCRP8BT) | [Mailing List](https://lists.openssf.org/g/openssf-wg-best-practices) | [Mailing List](https://lists.openssf.org/g/openssf-wg-best-practices) | -| EDU.SIG | Occurs every 2nd Wednesday 6:00a PT/9:00a 
ET/1400 UTC | [Meeting Notes](https://docs.google.com/document/d/1NPk5HZLfSMLpUsqaqVcbUSmSR66gS8WoJmEqfsCwrrE/edit#heading=h.yi1fmphbeqoj) | [Git Repo](https://github.com/ossf/education) | [Slack](https://openssf.slack.com/archives/C03FW3YGXH9) | [Mailing List](https://lists.openssf.org/g/openssf-sig-education) | -| EDU.SIG - DEI Subcommittee | Occurs every 2nd Tuesday 8:00a PT/11:00a ET/1600 UTC | [Meeting Notes](https://docs.google.com/document/d/1LdQ07veOcJ596Vo3aQZCFy-HHeEO7cHnbE_6u_uq9Fk/edit#) | [Git Repo](https://github.com/ossf/education) | [Slack](https://openssf.slack.com/archives/C04FMD5HSC9) | [Mailing List](https://lists.openssf.org/g/openssf-sig-education-dei) | -| Memory Safety SIG | Every 2nd Thursday 10:00a PT/1:00p ET/1500 UTC | [Meeting Notes](https://docs.google.com/document/d/1KgWw0co9xvUfCqQYW6Qei2lii2Fl-t-L7gYkAZBYDWg/edit?usp=sharing) | [Git Repo](https://github.com/ossf/Memory-Safety) | [Slack](https://openssf.slack.com/archives/C03G8NZH58R) | [Mailing List](https://lists.openssf.org/g/openssf-sig-memory-safety) | -| Scorecard | Occurs every 2nd Thursday 1:00p PT/4:00p ET/1800 UTC | [Meeting Notes](https://docs.google.com/document/d/1b6d3CVJLsl7YnTE7ZaZQHdkdYIvuOQ8rzAmvVdypOWM/edit?usp=sharing) | [Git Repo](https://github.com/ossf/scorecard) | [Slack](https://openssf.slack.com/archives/C0235AR8N2C ) | Mailing List | -| Security Knowledge Framework - SKF | TBD | Meeting Notes | Git Repo | [Slack](https://openssf.slack.com/archives/C04B7EZLTM1) | Mailing List | -| The Security Toolbelt | Every Tuesday Noon/12pm ET | [Meeting Notes](https://docs.google.com/document/d/1H3Nk0PwmylLg5F7pqrIvyKzTyXAll0-f50B7DdqOh4A/edit#heading=h.a615m7qzeitc) | [Git Repo](https://github.com/ossf/toolbelt) | [Slack](https://openssf.slack.com/archives/C057BN7K19B) | [Mailing List](Openssf-sig-sterling-toolchain@lists.openssf.org) | - -## Meeting Notes - -Meeting notes are maintained in a Google Doc found in the above table. 
If attending please add your name, and if a returning attendee, please change the color of your name from gray to black. - -## Licenses - -Unless otherwise specifically noted, software released by this working -group is released under the [Apache 2.0 license](LICENSES/Apache-2.0.txt), -and documentation is released under the -[CC-BY-4.0 license](LICENSES/CC-BY-4.0.txt). -Formal specifications would be licensed under the -[Community Specification License](https://github.com/CommunitySpecification/1.0) -(though at this time we don't have any examples of that). - -## Charter - -Like all OpenSSF working groups, this working group reports to the -[OpenSSF Technical Advisory Council (TAC)](https://github.com/ossf/tac). -For more organizational information, see the -[OpenSSF Charter](https://openssf.org/about/charter/). - -## Governance - -The [CHARTER.md](CHARTER.md) outlines the scope and governance of our group activities. - -- Lead - [Christopher "CRob" Robinson](https://github.com/SecurityCRob) -- Co-Lead - -- Backlog Warden - -- "*" denotes a project/SIG lead - -## Antitrust Policy - -TBD - -## Antitrust Policy Notice - -Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. - -Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at . 
If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation - -## Mission - -Our Mission is to provide open source developers with security best practices recommendations and easy ways to learn and apply them. - -We seek to fortify the open-source ecosystem by championing and embedding best security practices, thereby creating a digital environment where both developers and users can trust and rely on open-source solutions without hesitation. - -## Strategy - -To achieve our Mission and Vision, the BEST Working group will execute on the following strategy: - -- Collaborate with security experts to draft a comprehensive set of best practices tailored for open-source projects. -- Identify gaps in tools and resources that provide opportunities to promote and implement secure development practices. -- Evangelize and drive adoption of our artifacts (ex: guides, trainings, tools) through community outreach and targeted maintainer engagement. -- Collaborate with other OpenSSF and open source efforts to provide comprehensive guidance, advice, and tooling for software developers and open source software consumers to use, implement, and evaluate the security qualities of software. - -## Roadmap - -To deliver on our Strategy, the BEST Working Group will do the following: - -- Evangelize OpenSSF “best practices” and tooling through blogs, podcasts, conference presentations, and the like. --- Create a “Secure from the (open) source” expert podcast to showcase the work across the foundation. --- As new guides/best practices are launched, we will create blogs and a conference presentation to raise awareness about it. 
--- Amplify talks and artifacts created by other groups within the foundation --- Create 3 EvilTux artifacts each quarter -- Create express learning classes for our body of work: working group explainer, SCM BP Guide, C/C++ Guide, Scorecard/Badges, Concise Guides -- Create a “Best Practices Member Badge” for member organizations -- Support and promote our sub-projects with contributions and feedback - Scorecard, BP Badges, OpenSSF - SkillFoundry, Classes, and Guides, Secure Software Guiding Principles (SSGP) -- Create a Memory Safety W3C-style workshop to assemble development leaders to talk about how to integrate memory safe languages and techniques more deeply into the oss ecosystem. -- Expand DEI AMA Office Hours to more broadly engage new-to-oss individuals and provide a forum for mentorship and guidance as they launch into and grow within their careers. -- Identify, curate, produce, and deliver new secure development education such as Developer Manager Training, Implementing/Integrating OSSF tools such as Scorecard, Badges, OSV, OpenVEX, etc), advanced secure development techniques, and more. -- Evangelize and embed all of our guides across OpenSSF Technical Initiatives and understand what makes sense to integrate into Scorecard - -## Help build a community - -- Program to attract open source contributors and incentivize them to use and contribute to the inventory - -Supply a Learning platform --Any free course can be integrated into the platform - -- The learner can follow a track, track their progress and get badges -- A suite of exercises are available for each best practice of the inventory - -## Past Work/Greatest Hits -- _Interactive artwork_ - (incubating) - - Place where we want to guide developers in what stage they can use what type of tooling or approach. We have tons of great tools and materials but hard to find for devs, using this page and interactive loop we want to guide them to find the right stuff. 
-- _Great MFA Distribution Project_ - (archived) - - Distribute MFA tokens to OSS developers and best practices on how to easily use them -- [Recommended compiler option flags for C/C++ programs](https://docs.google.com/document/d/1SslnJuqbFUyTFnhzkhC_Q3PPGZ1zrG89COrS6LV6pz4/edit#heading=h.b3casmpemf1b). - -## Related Activities - -There are many great projects both within and outside the Foundation that compliment and intersect our work here. Some other great projects/resources to explore: - -- _SLSA Supply-chain Levels for Software Artifacts_ - - - Purpose - A security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity - -### Areas that need contributions - -- Any topics related to helping developers more easily make more secure software or consumers to better understand the security qualities of the software they wish to ingest - -### Where to file issues - -- Issues can be reviewed and filed [here](https://github.com/ossf/wg-best-practices-os-developers/issues) - -### Project Maintainers -- [Christopher "CRob" Robinson*, Intel](https://github.com/SecurityCRob) -- [David A Wheeler, LF/OSSF](https://github.com/david-a-wheeler) -- [Dave Russo*, Red Hat](https://github.com/drusso-rh) - -### Project Collaborators -- [Arnaud J Le Hors, IBM](https://github.com/lehors) -- Avishay Balter, Microsoft -- [Christine Abernathy*, F5](https://github.com/caabernathy) -- [Daniel Applequist*, Snyk](https://github.com/Torgo) -- [Georg Kunz, Ericsson](https://github.com/gkunz) -- [Glenn ten Cate*, OWASP/SKF](https://github.com/) -- [Jay White, Microsoft](https://github.com/camaleon2016) -- Jonathan Leitschuh*, Dan Kaminsky Fellowship @ Human Security -- [Judy Kelly, Red Hat](https://github.com/judyobrienie) -- [Marta Rybczynska, Syslinbit](https://github.com/mrybczyn) -- Noam Dotan, Legit Security -- [Randall T. 
Vasquez*, Gentoo/Homebrew](https://github.com/ran-dall)
-- [Roberth Strand, Amesto Fortytwo / Cloud Native Norway](https://github.com/roberthstrand)
-- [Sal Kimmich, EscherCloud](https://github.com/salkimmich)
-- [Thomas Nyman*, Ericsson](https://github.com/thomasnyman)
-- Yotam Perkal, Rezilion
-
-### Project Contributors
-- [Chris de Almeida, IBM](https://github.com/ctcpip)
-- [Jeffrey Borek, IBM](https://github.com/jtborek)
-- Ixchel Ruiz, jfrog
-- Laurent Simon*, Google/Scorecard
-- [Matt Rutkowski, IBM](https://github.com/mrutkows)
-- Riccardo ten Cate, SKF
-- Spyros Gasteratos*, OWASP/CRE
-
-### Toolbelt Collaborators
-- [Andrea Frittoli, IBM](https://github.com/afrittoli)
-- [Arnaud Le Hors, IBM](https://github.com/lehors)
-- [Behan Webster, The Linux Foundation](https://github.com/)
-- [Brandon Mitchell, IBM](https://github.com/sudo-bmitch)
-- [Brian Behlendorf, The Linux Foundation](https://github.com/}
-- [Brian Wagner, IBM](https://github.com/wags007)
-- [Christopher "CRob" Robinson, Intel](https://github.com/SecurityCRob)
-- [Daniel Appelquist, Synk](https://github.com/Torgo)
-- [David A Wheeler, LF/OSSF](https://github.com/david-a-wheeler)
-- [Georg Kunz, Ericsson](https://github.com/}
-- [Jacques Chester, independent](https://github.com/jchester)
-- [Jay White, Microsoft](https://github.com/camaleon2016)
-- [Jeff Borek, IBM](https://github.com/jtborek)
-- [Jon Meadows, Citi](https://github.com/}
-- [Josh Clements, Analog Devices](https://github.com/}
-- [Joshua Lock, Verizon](https://github.com/}
-- [Kris Borchers, independent](https://github.com/}
-- [Marcela Melara, Intel](https://github.com/marcelamelara)
-- [Matt Rutkowski, IBM](https://github.com/mrutkows)
-- [Melba Lopez, IBM](https://github.com/}
-- [Michael Leiberman, Kusari](https://github.com/mlieberman85)
-- [Phil Estes, AWS](https://github.com/estesp)
-- [Ryan Ware, Intel](https://github.com/ware)
-- [Sal Kimmich, EscherCloud AI](https://github.com/salkimmich)
-- [Sarah Evans, 
Dell](https://github.com/sevansdell)
-- [Steve Taylor, Deployhub/Ortelius/Pyrsia](https://github.com/}
-- [Tom Hennen, Google](https://github.com/TomHennen)
-- [Tracy Ragan, Deployhub/Ortelius/CDEvents](https://github.com/}
-
-A listing of our current and past group [members](https://github.com/ossf/wg-best-practices-os-developers/blob/main/members.md).
\ No newline at end of file
diff --git a/wg-best-practices/README.md b/wg-best-practices/README.md
deleted file mode 100644
index 0ed46fa..0000000
--- a/wg-best-practices/README.md
+++ /dev/null
@@ -1,261 +0,0 @@ -# Best Practices for Open Source Developers - -Want to help drive open source security education or help develop best practices? We have a lot of projects and groups that are working towards these goals. - - - The designated lead(s): -- [Christopher CRob Robinson](https://github.com/SecurityCRob) - -[![GitHub Super-Linter](https://github.com/ossf/wg-best-practices-os-developers/workflows/Lint%20Code%20Base/badge.svg)](https://github.com/marketplace/actions/super-linter) - -Anyone is welcome to join our open discussions related to the group's mission and charter. - -## Motivation - -TBD - -## Objective - -TBD - -## Vision -- We envision a world where software developers can easily IDENTIFY good practices, requirements and tools that help them create and maintain secure world-class software, helping foster a community where security knowledge is shared and amplified. -- We seek to provide means to LEARN techniques of writing and identifying secure software using methods best suited to learners of all types. -- We desire to provide tools to help developers ADOPT these good practices seamlessly into their daily work. - - - -## Scope - -The Developer Best Practices group wants to help identify and curate an accessible [inventory](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/inventory.md) of best practices - -- Prioritized according to ROI for open source developers -- Categorized per technology, language, framework -- Community-curated - -## Current Work -We welcome contributions, suggestions and updates to our projects. To contribute please fill in an [issue](https://github.com/ossf/wg-best-practices-os-developers/issues) or create a [pull request](https://github.com/ossf/wg-best-practices-os-developers/pulls). 
- -We typically use the [Simplest Possible Process (SPP)](https://best.openssf.org/spp/Simplest-Possible-Process) to publish and maintain the documents we publish; see the [SPP documentation](https://best.openssf.org/spp/Simplest-Possible-Process) if you have questions about it. - -Our work is organized into several discrete-yet-related projects that help us achieve our goals: - -| Effort | Description | Git Repo | Slack Channel | Mailing List | -| ------------------ | ------------------------ | ------------------- | ----------- | ---------- | -| Best Practices Guides | Longer reference documents on implementing specific secure techniques | - [Compiler Options Hardening Guide for C and C++](https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++),

- [Existing Guidelines for Developing and Distributing Secure Software](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Existing%20Guidelines%20for%20Developing%20and%20Distributing%20Secure%20Software.md),

- [Package Manager Best Practices (incubating)](https://github.com/ossf/package-manager-best-practices),

- [npm Best Practices Guide](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md),

- [Source Code Management Platform Configuration Best Practices](docs/SCM-BestPractices/README.md) | [SCM Slack](https://openssf.slack.com/archives/C058EC1EZ5Y) | -| Concise Guides SIGs | Quick Guidance around Open Source Software Develpment Good Practices | - [Concise Guide for Developing More Secure Software](https://best.openssf.org/Concise-Guide-for-Developing-More-Secure-Software),

- [Concise Guide for Evaluating Open Source Software](https://best.openssf.org/Concise-Guide-for-Evaluating-Open-Source-Software) | | [Mailing List](https://lists.openssf.org/g/openssf-wg-best-practices) | -| Education SIG - (incubating) | To provide industry standard secure software development training materials that will educate learners of all levels and backgrounds on how to create, compose, deploy, and maintain software securely using best practices in cyber and application security. | [EDU.SIG](https://github.com/ossf/education/) | [stream-01-security-education](https://openssf.slack.com/archives/C03FW3YGXH9) | [Mailing List](https://lists.openssf.org/g/openssf-sig-education) | -|[OpenSSF Best Practices Badge - formerly CII Best Practices badge](https://www.bestpractices.dev/) | Identifies FLOSS best practices & implements a badging system for those practices, | | | -| OpenSSF Scorecard Project | Automate analysis and trust decisions on the security posture of open source projects |[Scorecard Repo](https://github.com/ossf/scorecard) | [security_scorecards](https://openssf.slack.com/archives/C0235AR8N2C) | | -| [Secure Software Development Fundamentals - online course](https://openssf.org/training/courses/) |Teach software developers fundamentals of developing secure software | [GitHub](https://github.com/ossf/secure-sw-dev-fundamentals) | | | -| Memory Safety SIG | The Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to advance and deliver upon The OpenSSF's Mobilization Plan - Stream 4. 
|[Git Repo](https://github.com/ossf/Memory-Safety) | [Slack](https://openssf.slack.com/archives/C03G8NZH58R) | [Mailing List](https://lists.openssf.org/g/openssf-sig-memory-safety) | -| The Security Toolbelt | Assemble a “sterling” collection of capabilities (**software frameworks, specifications, and human and automated processes**) that work together to **automatically list, scan, remediate, and secure the components flowing through the software supply chain** that come together as software is written, built, deployed, consumed, and maintained. Each piece of the collection will represent an **interoperable** link in that supply chain, enabling adaptation and integration into the major upstream language toolchains, developer environments, and CI/CD systems. | [Security Toolbelt](https://github.com/ossf/toolbelt) | [security-toolbelt](https://openssf.slack.com/archives/C057BN7K19B) | [Mailing List](Openssf-sig-sterling-toolchain@lists.openssf.org) | -| [SKF - Security Knowledge Framework](https://www.securityknowledgeframework.org/) | Learn to integrate security by design in your web application | | | - -## Active Projects - -TBD - -## Contribute - -TBD - -## Quick Start - -## Get Involved - -Anyone is welcome to join our open discussions related to the group's mission and charter. 
- -- [2023 Meeting Notes](https://docs.google.com/document/d/1UClGUnOSkOH_wab6Lx43KUdkaK37L8sbWJ_GPZvc1YY/edit?usp=sharing) -- [2022 Meeting Minutes](https://docs.google.com/document/d/159RLmTvW-G6DqDOw3ya-7RI5KNNd1yHxQ5XP0D9OB4o/edit?usp=sharing) -- [Historic Group Notes 1](https://github.com/ossf/wg-best-practices-oss-developers/blob/main/meeting-minutes.md) -- [Historic Notes 2021](https://docs.google.com/document/d/1Fw6EIk47_rUFmi6m7jYObFofcD6gj1FK-QgGC8YuUr0/edit?usp=sharing) -- [Recent WG report to the TAC on activities and project statuses](https://docs.google.com/presentation/d/1BPSYzk9J33Xl08uekuDBlgJjhiJIMt5B_eBvZ9PetIo/edit?pli=1#slide=id.g24e2f2581b2_0_147) -- [Discussions](https://github.com/ossf/wg-best-practices-os-developers/discussions) -- Official communications occur on the Best Practices [mailing list](https://lists.openssf.org/g/openssf-wg-best-practices) -- [Manage your subscriptions to Open SSF mailing lists](https://lists.openssf.org/g/main/subgroups) -- Join the conversation on [Slack](https://openssf.slack.com/archives/C01AHCRP8BT) - -## Meeting Times - -Every 2 weeks, Tuesday 10am EST. 
The meeting invite is available on the [public OSSF calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ)
-
-| Effort | Meeting Times | Meeting Notes/Agenda | Git Repo | Slack Channel | Mailing List |
-| :----------: | :------------------------------------------------------: | :------------------------: | :-------------------: | :-----------: | :----------: |
-| Full WG | Every 2nd Tuesday 7:00a PT/10:00a ET/1400 UTC | [Meeting Notes](https://docs.google.com/document/d/1UClGUnOSkOH_wab6Lx43KUdkaK37L8sbWJ_GPZvc1YY/edit?usp=sharing) | [Git Repo](https://github.com/ossf/wg-best-practices-os-developers) | [Slack](https://openssf.slack.com/archives/C01AHCRP8BT) | [Mailing List](https://lists.openssf.org/g/openssf-wg-best-practices) |
-| Concise Guides - C/C++ Compiler Hardening Options | Occurs every 2nd Wednesday 6:00a PT/9:00a ET/1400 UTC | [Meeting Notes](https://docs.google.com/document/d/1UClGUnOSkOH_wab6Lx43KUdkaK37L8sbWJ_GPZvc1YY/edit?usp=sharing) | [Git Repo](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler_Hardening_Guides/Compiler-Options-Hardening-Guide-for-C-and-C%2B%2B.md) | [Slack](https://openssf.slack.com/archives/C01AHCRP8BT) | [Mailing List](https://lists.openssf.org/g/openssf-wg-best-practices) | [Mailing List](https://lists.openssf.org/g/openssf-wg-best-practices) |
-| Concise Guides - Source Code Management Best Practices | Occurs every 2nd Thursday 7:00a PT/10:00a ET/1400 UTC | [Meeting Notes](https://docs.google.com/document/d/1UClGUnOSkOH_wab6Lx43KUdkaK37L8sbWJ_GPZvc1YY/edit?usp=sharing) | [Git Repo](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/SCM-BestPractices) | [Slack](https://openssf.slack.com/archives/C01AHCRP8BT) | [Mailing List](https://lists.openssf.org/g/openssf-wg-best-practices) | [Mailing List](https://lists.openssf.org/g/openssf-wg-best-practices) |
-| EDU.SIG | Occurs every 2nd Wednesday 6:00a PT/9:00a 
ET/1400 UTC | [Meeting Notes](https://docs.google.com/document/d/1NPk5HZLfSMLpUsqaqVcbUSmSR66gS8WoJmEqfsCwrrE/edit#heading=h.yi1fmphbeqoj) | [Git Repo](https://github.com/ossf/education) | [Slack](https://openssf.slack.com/archives/C03FW3YGXH9) | [Mailing List](https://lists.openssf.org/g/openssf-sig-education) |
-| EDU.SIG - DEI Subcommittee | Occurs every 2nd Tuesday 8:00a PT/11:00a ET/1600 UTC | [Meeting Notes](https://docs.google.com/document/d/1LdQ07veOcJ596Vo3aQZCFy-HHeEO7cHnbE_6u_uq9Fk/edit#) | [Git Repo](https://github.com/ossf/education) | [Slack](https://openssf.slack.com/archives/C04FMD5HSC9) | [Mailing List](https://lists.openssf.org/g/openssf-sig-education-dei) |
-| Memory Safety SIG | Every 2nd Thursday 10:00a PT/1:00p ET/1500 UTC | [Meeting Notes](https://docs.google.com/document/d/1KgWw0co9xvUfCqQYW6Qei2lii2Fl-t-L7gYkAZBYDWg/edit?usp=sharing) | [Git Repo](https://github.com/ossf/Memory-Safety) | [Slack](https://openssf.slack.com/archives/C03G8NZH58R) | [Mailing List](https://lists.openssf.org/g/openssf-sig-memory-safety) |
-| Scorecard | Occurs every 2nd Thursday 1:00p PT/4:00p ET/1800 UTC | [Meeting Notes](https://docs.google.com/document/d/1b6d3CVJLsl7YnTE7ZaZQHdkdYIvuOQ8rzAmvVdypOWM/edit?usp=sharing) | [Git Repo](https://github.com/ossf/scorecard) | [Slack](https://openssf.slack.com/archives/C0235AR8N2C ) | Mailing List |
-| Security Knowledge Framework - SKF | TBD | Meeting Notes | Git Repo | [Slack](https://openssf.slack.com/archives/C04B7EZLTM1) | Mailing List |
-| The Security Toolbelt | Every Tuesday Noon/12pm ET | [Meeting Notes](https://docs.google.com/document/d/1H3Nk0PwmylLg5F7pqrIvyKzTyXAll0-f50B7DdqOh4A/edit#heading=h.a615m7qzeitc) | [Git Repo](https://github.com/ossf/toolbelt) | [Slack](https://openssf.slack.com/archives/C057BN7K19B) | [Mailing List](Openssf-sig-sterling-toolchain@lists.openssf.org) |
-
-## Meeting Notes
-
-Meeting notes are maintained in a Google Doc found in the above table. 
If attending please add your name, and if a returning attendee, please change the color of your name from gray to black. - -## Licenses - -Unless otherwise specifically noted, software released by this working -group is released under the [Apache 2.0 license](LICENSES/Apache-2.0.txt), -and documentation is released under the -[CC-BY-4.0 license](LICENSES/CC-BY-4.0.txt). -Formal specifications would be licensed under the -[Community Specification License](https://github.com/CommunitySpecification/1.0) -(though at this time we don't have any examples of that). - -## Charter - -Like all OpenSSF working groups, this working group reports to the -[OpenSSF Technical Advisory Council (TAC)](https://github.com/ossf/tac). -For more organizational information, see the -[OpenSSF Charter](https://openssf.org/about/charter/). - -## Governance - -The [CHARTER.md](CHARTER.md) outlines the scope and governance of our group activities. - -- Lead - [Christopher "CRob" Robinson](https://github.com/SecurityCRob) -- Co-Lead - -- Backlog Warden - -- "*" denotes a project/SIG lead - -## Antitrust Policy - -TBD - -## Antitrust Policy Notice - -Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. - -Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at . 
If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation - -## Mission - -Our Mission is to provide open source developers with security best practices recommendations and easy ways to learn and apply them. - -We seek to fortify the open-source ecosystem by championing and embedding best security practices, thereby creating a digital environment where both developers and users can trust and rely on open-source solutions without hesitation. - -## Strategy - -To achieve our Mission and Vision, the BEST Working group will execute on the following strategy: - -- Collaborate with security experts to draft a comprehensive set of best practices tailored for open-source projects. -- Identify gaps in tools and resources that provide opportunities to promote and implement secure development practices. -- Evangelize and drive adoption of our artifacts (ex: guides, trainings, tools) through community outreach and targeted maintainer engagement. -- Collaborate with other OpenSSF and open source efforts to provide comprehensive guidance, advice, and tooling for software developers and open source software consumers to use, implement, and evaluate the security qualities of software. - -## Roadmap - -To deliver on our Strategy, the BEST Working Group will do the following: - -- Evangelize OpenSSF “best practices” and tooling through blogs, podcasts, conference presentations, and the like. --- Create a “Secure from the (open) source” expert podcast to showcase the work across the foundation. --- As new guides/best practices are launched, we will create blogs and a conference presentation to raise awareness about it. 
--- Amplify talks and artifacts created by other groups within the foundation --- Create 3 EvilTux artifacts each quarter -- Create express learning classes for our body of work: working group explainer, SCM BP Guide, C/C++ Guide, Scorecard/Badges, Concise Guides -- Create a “Best Practices Member Badge” for member organizations -- Support and promote our sub-projects with contributions and feedback - Scorecard, BP Badges, OpenSSF - SkillFoundry, Classes, and Guides, Secure Software Guiding Principles (SSGP) -- Create a Memory Safety W3C-style workshop to assemble development leaders to talk about how to integrate memory safe languages and techniques more deeply into the oss ecosystem. -- Expand DEI AMA Office Hours to more broadly engage new-to-oss individuals and provide a forum for mentorship and guidance as they launch into and grow within their careers. -- Identify, curate, produce, and deliver new secure development education such as Developer Manager Training, Implementing/Integrating OSSF tools such as Scorecard, Badges, OSV, OpenVEX, etc), advanced secure development techniques, and more. -- Evangelize and embed all of our guides across OpenSSF Technical Initiatives and understand what makes sense to integrate into Scorecard - -## Help build a community - -- Program to attract open source contributors and incentivize them to use and contribute to the inventory - -Supply a Learning platform --Any free course can be integrated into the platform - -- The learner can follow a track, track their progress and get badges -- A suite of exercises are available for each best practice of the inventory - -## Past Work/Greatest Hits -- _Interactive artwork_ - (incubating) - - Place where we want to guide developers in what stage they can use what type of tooling or approach. We have tons of great tools and materials but hard to find for devs, using this page and interactive loop we want to guide them to find the right stuff. 
-- _Great MFA Distribution Project_ - (archived) - - Distribute MFA tokens to OSS developers and best practices on how to easily use them -- [Recommended compiler option flags for C/C++ programs](https://docs.google.com/document/d/1SslnJuqbFUyTFnhzkhC_Q3PPGZ1zrG89COrS6LV6pz4/edit#heading=h.b3casmpemf1b). - -## Related Activities - -There are many great projects both within and outside the Foundation that compliment and intersect our work here. Some other great projects/resources to explore: - -- _SLSA Supply-chain Levels for Software Artifacts_ - - - Purpose - A security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity - -### Areas that need contributions - -- Any topics related to helping developers more easily make more secure software or consumers to better understand the security qualities of the software they wish to ingest - -### Where to file issues - -- Issues can be reviewed and filed [here](https://github.com/ossf/wg-best-practices-os-developers/issues) - -### Project Maintainers -- [Christopher "CRob" Robinson*, Intel](https://github.com/SecurityCRob) -- [David A Wheeler, LF/OSSF](https://github.com/david-a-wheeler) -- [Dave Russo*, Red Hat](https://github.com/drusso-rh) - -### Project Collaborators -- [Arnaud J Le Hors, IBM](https://github.com/lehors) -- Avishay Balter, Microsoft -- [Christine Abernathy*, F5](https://github.com/caabernathy) -- [Daniel Applequist*, Snyk](https://github.com/Torgo) -- [Georg Kunz, Ericsson](https://github.com/gkunz) -- [Glenn ten Cate*, OWASP/SKF](https://github.com/) -- [Jay White, Microsoft](https://github.com/camaleon2016) -- Jonathan Leitschuh*, Dan Kaminsky Fellowship @ Human Security -- [Judy Kelly, Red Hat](https://github.com/judyobrienie) -- [Marta Rybczynska, Syslinbit](https://github.com/mrybczyn) -- Noam Dotan, Legit Security -- [Randall T. 
Vasquez*, Gentoo/Homebrew](https://github.com/ran-dall)
-- [Roberth Strand, Amesto Fortytwo / Cloud Native Norway](https://github.com/roberthstrand)
-- [Sal Kimmich, EscherCloud](https://github.com/salkimmich)
-- [Thomas Nyman*, Ericsson](https://github.com/thomasnyman)
-- Yotam Perkal, Rezilion
-
-### Project Contributors
-- [Chris de Almeida, IBM](https://github.com/ctcpip)
-- [Jeffrey Borek, IBM](https://github.com/jtborek)
-- Ixchel Ruiz, jfrog
-- Laurent Simon*, Google/Scorecard
-- [Matt Rutkowski, IBM](https://github.com/mrutkows)
-- Riccardo ten Cate, SKF
-- Spyros Gasteratos*, OWASP/CRE
-
-### Toolbelt Collaborators
-- [Andrea Frittoli, IBM](https://github.com/afrittoli)
-- [Arnaud Le Hors, IBM](https://github.com/lehors)
-- [Behan Webster, The Linux Foundation](https://github.com/)
-- [Brandon Mitchell, IBM](https://github.com/sudo-bmitch)
-- [Brian Behlendorf, The Linux Foundation](https://github.com/}
-- [Brian Wagner, IBM](https://github.com/wags007)
-- [Christopher "CRob" Robinson, Intel](https://github.com/SecurityCRob)
-- [Daniel Appelquist, Synk](https://github.com/Torgo)
-- [David A Wheeler, LF/OSSF](https://github.com/david-a-wheeler)
-- [Georg Kunz, Ericsson](https://github.com/}
-- [Jacques Chester, independent](https://github.com/jchester)
-- [Jay White, Microsoft](https://github.com/camaleon2016)
-- [Jeff Borek, IBM](https://github.com/jtborek)
-- [Jon Meadows, Citi](https://github.com/}
-- [Josh Clements, Analog Devices](https://github.com/}
-- [Joshua Lock, Verizon](https://github.com/}
-- [Kris Borchers, independent](https://github.com/}
-- [Marcela Melara, Intel](https://github.com/marcelamelara)
-- [Matt Rutkowski, IBM](https://github.com/mrutkows)
-- [Melba Lopez, IBM](https://github.com/}
-- [Michael Leiberman, Kusari](https://github.com/mlieberman85)
-- [Phil Estes, AWS](https://github.com/estesp)
-- [Ryan Ware, Intel](https://github.com/ware)
-- [Sal Kimmich, EscherCloud AI](https://github.com/salkimmich)
-- [Sarah Evans, 
Dell](https://github.com/sevansdell) -- [Steve Taylor, Deployhub/Ortelius/Pyrsia](https://github.com/} -- [Tom Hennen, Google](https://github.com/TomHennen) -- [Tracy Ragan, Deployhub/Ortelius/CDEvents](https://github.com/} - -A listing of our current and past group [members](https://github.com/ossf/wg-best-practices-os-developers/blob/main/members.md). \ No newline at end of file diff --git a/wg-dei/README.md b/wg-dei/README.md deleted file mode 100644 index f40258d..0000000 --- a/wg-dei/README.md +++ /dev/null @@ -1,73 +0,0 @@ -# Example .allstar Quickstart Repository - -We formed in December 2023 to help increase representation and strengthen the overall effectiveness of the cybersecurity workforce. - - - The designated lead(s): -- [Jay White](https://github.com/camaleon2016) - - - -## Motivation - -TBD - -## Objective - -TBD - -## Vision - -TBD - -## Scope - -TBD - -## Current Work - -TBD - -## Active Projects - -TBD - -## Contribute - -TBD - -## Quick Start - -TBD - -## Get Involved - -TBD - -## Meeting times - -TBD - -## Meeting Notes - -TBD - -## Licenses - -TBD - -## Charter - -TBD - -## Governance - -TBD - -## Antitrust Policy - -TBD - -## Antitrust Policy Notice - -TBD \ No newline at end of file diff --git a/wg-endusers/README.md b/wg-endusers/README.md deleted file mode 100644 index 2d0fc15..0000000 --- a/wg-endusers/README.md +++ /dev/null 
@@ -1,126 +0,0 @@ -# OpenSSF End Users - -We represent the interests of public and private sector organizations that primarily consume open source rather than produce it. Right now, we are focusing on threat modeling. Join us to see how threat modeling works and get your ideas in the current scope. - - - The designated lead(s): -- [Jonathan Meadows](https://github.com/jonmuk) - -Anyone is welcome to join our open discussions. - -## Motivation - -TBD - -## Objective - -The End User Working Group aims to ensure that the distinct and impactful voice of end users is heard in the development and delivery of the technical vision of The Open Source Security Foundation (OpenSSF). - -## Vision - -The End Users Working Group (WG) represents the interests of public and private sector organizations that primarily consume open source rather than produce it. - -We strive to: - -- Ensure that the use cases for end user consumption of open-source software are understood and factored into OSSF programs. -- Provide the resources required by end users to develop and implement more efficient and effective strategies, processes, tools, best practices and solutions that secure software supply-chains. -- Provide a forum for learning from the experience and insights of peers. -- Create an End Users Working Group, with representation from key private industry, public sectors, and multiple geographical regions. -- Establish end user representation and active participation in OpenSSF working groups and leadership, both in the TAC and the Governing Board. 
- -## Scope - -Based on the objective, mission, and goals above, we look to deliver specific delivereables: - -- _Ensure that the use cases for end user consumption of open-source software are understood and factored into OSSF programs._ - - Refine Personas document - - Develop a high level architecture and threat model of an end user within the supply chain - - Identify controls/checks of interest to end users when ingesting OSS / vendor software (OSSF Scorecard) -- _Provide the resources required by end users to develop and implement more efficient and effective strategies, processes, tools, best practices and solutions that secure software supply-chains_ - - Bring more end users and their perspectives into the End Users Working Group, ensuring representation from as many industries, sectors and geographical regions as possible - - Contact list showing multiple Linux Foundation groups contacted, individual companies also contacted - - Development of guides, whitepapers, and materials focused on strategies and solutions for better security in software supply chains, open source software, and targeted towards end users. - - Phase 1: Identify which guides / material is missing from existing material -- _Provide a forum for learning from the experience and insights of peers_ - - Establish end user representation and active participation in OpenSSF leadership, both TAC and the Governing Board_ - - Create matrix to show representation within working groups - - Identify sub-team / focus areas - - Recruitment - - Marketing - - Promote best practices and outreach - -## Current Work - -TBD - -## Active Projects - -TBD - -## Contribute - -TBD - -## Quick Start - -## Get Involved - -TBD - -### Meeting times - -Every 2 weeks, Thursday 10am EST/3pm UTC. 
The meeting invite with zoom details is available on the [public OSSF calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ) - -### Meeting notes - -Meeting notes are [maintained in a Google Doc](https://docs.google.com/document/d/1abI65H4pF5y8YtA2_TuDBAaI47v9mTfpr5mwVvccX_I/edit). If attending please add your name, and if a returning attendee, please change the color of your name from gray to black. - -## Licenses - -TBD - -## Charter - -TBD - -## Governance - -The [CHARTER.md](CHARTER.md) outlines the scope and governance of our group activities. - -- Lead - Jon Meadows -- Co-Lead - - -## Antitrust Policy - -TBD - -## Antitrust Policy Notice - -Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. - -Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at . If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation - -### Areas that need contributions - -- WG Documentation -- Others TBD - -### Where to file issues - -Issues can be reviewed and filed [here](https://github.com/ossf/wg-endusers/issues) - -## Related Activities - -TBD - -### Project Maintainers - -TBD - -### Project Collaborators - -TBD - -### Project Contributors - -TBD \ No newline at end of file 
diff --git a/wg-identifying-security-threats/README.md b/wg-identifying-security-threats/README.md deleted file mode 100644 index f903330..0000000 --- a/wg-identifying-security-threats/README.md +++ /dev/null 
@@ -1,135 +0,0 @@ -# Identifying Security Threats in Open Source Projects - -Now called Metrics & Metadata! We enable informed confidence in the security of OSS by collecting, curating, and communicating relevant metrics and metadata. Our WG has mostly projects that focus on the code to get this done. - - - The designated lead(s): -- [Michael Scovetta](https://github.com/scovetta) - -The purpose of this working group is to enable stakeholders to have informed -confidence in the security of open source projects. We do this by collecting, -curating, and communicating relevant metrics and metadata from open source -projects and the ecosystems of which they are a part. - -### Motivation - -Open source software is an essential part of modern software development, and -of practically all technology solutions. Adoption of open source software has -grown over the past two decades, powering everything from tiny "Internet of -Things" devices to the most advanced supercomputers in the world. This has led -to enormous productivity gains, allowing software engineers to focus more on -solving business problems and less on creating and re-creating the same -building blocks needed in many situations. - -With these benefits, however, comes some risk. Attackers frequently target -open source projects and the ecosystems they are a part of in order to -compromise the organizations or users that use those projects. It's -essential that we understand these threats and work to build defenses against -them. - -### Objective - -Our objective is to enable stakeholders to have informed confidence in the -security of open source projects. This includes identifying threats to the -open source ecosystem and recommending practical mitigations. We will also -identify a set of key metrics and build tooling to communicate those metrics -to stakeholders, enabling a better understanding of the security posture of -individual open source software components. 
- -## Vision - -TBD - -### Scope - -The scope of this working group includes "security", as opposed to privacy, -resiliency, or other related areas. We also consider the broad open source -ecosystem, as opposed to focusing exclusively on critical open source projects. - -## Current Work - -TBD - -### Active Projects - -* [Alpha-Omega](https://openssf.org/community/alpha-omega) - * Leads: Michael Scovetta, Michael Winser, Brian Behlendorf - -* [Office Hours](https://openssf.slack.com/archives/C03LTHA6M61) - * Lead: Marta Rybczynska - -* [Security Insights](https://github.com/ossf/security-insights-spec) - Provides a mechanism for projects to report information about their security practices in a machine-readable way. - * Lead: Luigi Gubello - -* [Security Metrics](https://metrics.openssf.org) - - This project's purpose is to collect, organize, and provide interesting security metrics for - open source projects to stakeholders, including users. - * Lead: Michael Scovetta [existing implementation] - * Leads: Vinod, Jay White, Christine Abernathy - -* [Security Reviews](https://github.com/ossf/security-reviews) - - This repository contains a collection of security reviews of open source software. - -## Contribute - -TBD - -### Quick Start - -The best way to get started is to simply join a working group meeting. You can also -read our [Meeting Minutes](https://docs.google.com/document/d/1AfI0S6VjBCO0ZkULCYZGHuzzW8TPqO3zYxRjzmKvUB4/edit?usp=sharing) to get up to speed with what we're up to. - -### Get Involved - -* Please get involved with our specific projects, e.g,. -* [Mailing List](https://lists.openssf.org/g/openssf-wg-security-threats) and [Security Reviews](https://github.com/ossf/security-reviews). 
- ([Manage your subscriptions to OpenSSF mailing lists](https://lists.openssf.org/g/main/subgroups)) -* [OpenSSF Community Calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ) -* [Join us on Slack](https://openssf.slack.com/archives/C01A50B978T) - -### Meeting Times - -* We meet every other week on Wednesdays. See the - [OpenSSF Community Calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ). - -### Meeting Notes - -[Meeting Minutes](https://docs.google.com/document/d/14_ILDhSK3ymKqUTQeQBRgJKgfiy_ePoGZIe8s7p3K5E/edit?usp=sharing) If attending please add your name, and if a returning attendee, please change the color of your name from gray to black. - -## Licenses - -TBD - -## Charter - -TBD - -### Governance - -The [CHARTER](https://github.com/ossf/wg-identifying-security-threats/blob/main/CHARTER.md) -document outlines the scope and governance of our group activities. - -* Lead: [Michael Scovetta](mailto:michael.scovetta@microsoft.com - -## Antitrust Policy - -TBD - -### Antitrust Policy Notice - -Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. - -Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at . 
If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation. - -### Inactive Projects - -* [Threats, Risks, and Mitigations in the Open Source Ecosystem](https://github.com/ossf/wg-identifying-security-threats/blob/main/publications/threats-risks-mitigations/v1.1/Threats%2C%20Risks%2C%20and%20Mitigations%20in%20the%20Open%20Source%20Ecosystem%20-%20v1.1.pdf) - -### Related Work - -* [OpenSSF Best Practices Badge Program](https://bestpractices.coreinfrastructure.org/) - an input to the metrics dashboard generated by the Security Metrics project (formerly named CII Best Practices Badge Program). -* [OpenSSF Scorecard](https://github.com/ossf/scorecard) - another input to the metrics dashboard - -* [CHAOSS](https://chaoss.community) - develops definitions of metrics - -* All of [OpenSSF](https://openssf.org/) \ No newline at end of file diff --git a/wg-securing-critical-projects/README.md b/wg-securing-critical-projects/README.md deleted file mode 100644 index a1afa18..0000000 --- a/wg-securing-critical-projects/README.md +++ /dev/null @@ -1,194 +0,0 @@ -# WG Securing Critical Projects - -Wonder how critical OSS projects are selected? Then join us! We have progress reports every other week on each project/SIG so it is easy to jump in and get going. - - - The designated lead(s): -- [Jeff Mendoza](https://github.com/jeffmendoza) -- [Amir Hossin Montazery](https://github.com/amirhmh3) - -This charter describes operations as an [OSSF Technical Initiative](https://github.com/ossf/tac/blob/master/charters/). -The [Focus](#focus) section below describes what is in and out of scope, -and [Governance](#governance) section describes how our operations are consistent with OSSF policies with links to more detailed documents. - -## Motivation - - - - -
Source. Randall Munroe. Licensed under CC BY-NC 2.5
- -Open Source Software has long suffered from a "tragedy of the commons" problem. -Organizations large and small make use of OSS every day, but many projects are struggling for the time, resources and attention they need. - -This is a resource allocation problem - and we can help solve it together. -We need ways to connect critical projects we all rely on with organizations that can provide them with support. - -Whether it is dedicated help from specialized experts or simply grant money or cloud credits, we recognize that no two -projects are the same, and support can come in many shapes. -We intend to work with upstream maintainers to understand what help and support they need, and then develop scalable processes to make -this help available. - -### Objective - -To the best of our efforts, the goals of the working group are: - -1. Identify critical open source software (OSS) projects. -2. Secure those projects. - -## Vision - -TBD - -## Scope - -TBD - -## Current Work - -* [Securing Critical Projects: List of Critical Open Source Projects, Components, and Frameworks](https://docs.google.com/spreadsheets/d/1ONZ4qeMq8xmeCHX03lIgIYE4MEXVfVL6oj05lbuXTDM/edit) - current version - * Leads: Amir Montazery and Julia Ferraioli - * Contributors: David Wheeler, Caleb Brown, Michael Scovetta, Georg Kunz -* [criticality_score](https://github.com/ossf/criticality_score) - this attempts to estimate criticality using the algorithm described in ["Quantifying Criticality" by Rob Pike](https://github.com/ossf/criticality_score/blob/main/Quantifying_criticality_algorithm.pdf); you can see the [Hacker News Discussion](https://news.ycombinator.com/item?id=25381397). A known challenge is that it emphasizes activity, and some critical projects aren't active. 
- * Lead: Caleb Brown -* Harvard research - [Census II](https://www.linuxfoundation.org/research/census-ii-of-free-and-open-source-software-application-libraries) [Preliminary Census II](https://www.coreinfrastructure.org/programs/census-program-ii/) -* [package-feeds](https://github.com/ossf/package-feeds) - * Lead: Caleb Brown -* [package-analysis](https://github.com/ossf/package-analysis) - * Lead: Caleb Brown -* [allstar](https://github.com/ossf/allstar) - * Lead: Jeff Mendoza - -## Active Projects - -TBD - -## Contribute - -TBD - -## Quick Start - -TBD - -## Get Involved - -TBD - -## Meeting times - -TBD - -#### Meeting Notes - -Meeting Notes and Agendas are available on [Google Drive](https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit?usp=sharing). - -Meeting Recordings are available on Youtube at: https://www.youtube.com/playlist?list=PLVl2hFL_zAh-cAfx6y4k-fODfbHeQzb_O. - -## Licenses - -TBD - -## Charter - -TBD - -## Governance - -This group is chaired by Amir Montazery (OSTIF) and Jeff Mendoza (Kusari). - -Full details of process and roles are linked from [governance README](/governance). - -## Antitrust Policy - -TBD - -## Antitrust Policy Notice - -Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. - -Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at . 
If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation - -## Focus - -### Role Definitions - -* Lead: Drives work forward -* Contributor: Available for taking work and completing - -## How were critical OSS projects selected? - -[Securing Critical Projects: List of Critical Open Source Projects, Components, and Frameworks](https://docs.google.com/spreadsheets/d/1ONZ4qeMq8xmeCHX03lIgIYE4MEXVfVL6oj05lbuXTDM/edit) is our current (in progress) list of critical OSS projects. - -For our purposes, a critical OSS project is an OSS project that can have -an especially large impact if it has a significant unintentional vulnerability, -or if it is subverted in either its source repository or -distribution package(s). -There are literally millions of open source software (OSS) projects today, -making it difficult to create a focused list of "critical OSS projects". - -The list of critical OSS projects was developed for the Great MFA Distribution -Project by the -[OpenSSF Securing Critical Projects Working Group (WG)](https://github.com/ossf/wg-securing-critical-projects). -This OpenSSF working group has been *specifically* working on this problem! - -There are many ways to identify "critical" projects, so the -Securing Critical Projects WG combined the results of several different -analyses (the analyses are also called "Selection Criteria"), -The WG then used human group review of this combined set of top candidates -to create a final defensible list. The analyses ("selection criteria") for -identifying candidate critical OSS projects included: - -* [OpenSSF Criticality Score](https://github.com/ossf/criticality_score): A top OpenSSF criticality score value. This metric prefers projects that are extremely active on specific forges. 
Such projects are likely to be important (at least to the participants). However, this is not a perfect measure; some projects will score low here and yet be very critical. Also, it currently only considers GitHub-hosted projects. As of 2021-11-23 the projects with the top scores are node, kubernetes, rust, and spark. -* [Census Program II](https://www.coreinfrastructure.org/programs/census-program-ii/): Harvard preliminary analysis, uses SCA & dependency data. This tends to emphasize lower-level libraries that are depended on, transitively, by many. -* OSTIF Managed Audit Program: Programs OSTIF has recommended for audit. These were selected earlier from research sources, focusing on securing the most critical projects. You can see the [OSTIF Managed Audit Program (MAP25)](https://docs.google.com/spreadsheets/d/1oytKuD7UCX6nDXWQMr6ZgYYgap_SH_JVBof5gNrgSxo/edit#gid=0) -* [Top Google Project](https://opensource.google/projects/list/featured): Featured on Google Open Source page and widely adopted. -* [Top Microsoft Project](https://opensource.microsoft.com/projects/): Featured on Microsoft Open Source page and widely adopted. -* [Top Linux Foundation Project](https://www.linuxfoundation.org/projects/): Featured on Linux Foundation Project page and related to supply chains. -* Secure Supply Chain Tool: Directly related to supply chain security (identified by WG) -* Survey Response: [Response to public survey](https://forms.gle/19PKPS17zkL5fTFUA) -* Language implementation: Identified by community as a widely-used language implementation -* Community Addition: Separately identified by the community as important. -* Previously subverted: If software has been previously attacked & it made headlines, it must be critical enough to attack. - -Every method for identify critical OSS projects has its strengths and -weaknesses; we believe the combination of analysis combined with human review -is better than trying to do any one of them. 
-For example, high criticality score tends to emphasize very busy projects; -human review can remove projects that are busy but for whatever reason -are less critical. -Some projects are very important yet not active; by using other measures -(not just the OpenSSF criticality score) we can still identify them. - -We have no doubt that other OSS projects will be added to the -critical OSS projects list over time. If you're interested in helping -to do that, please join the working group. - -## Related work to quantitatively identify critical projects - -* [*Vulnerabilities in the Core: Preliminary Report and Census II of Open Source Software*](https://www.coreinfrastructure.org/programs/census-program-ii/) by Frank Nagle, Jessica Wilkerson, James Dana, and Jennifer L. Hoffman, Linux Foundation & Harvard, February 2020. -* [Open Source Software Projects Needing Security Investments](https://www.coreinfrastructure.org/wp-content/uploads/sites/6/2018/04/pub_ida_lf_cii_070915.pdf) by David A. Wheeler & Samir Khakimov, June 19, 2015 -* ["The Dark Reality of Open Source Through the Lens of Threat and Vulnerability Management" by Risksense](https://risksense.com/wp-content/uploads/2020/09/RiskSense-Spotlight-The-Dark-Reality-of-Open-Source.pdf), which identifies OSS with the most publicly-reported vulnerabilities reported as CVEs. Having more reported vulnerabilities does not mean that the software is necessarily more vulnerable; it often means that more people are looking for vulnerabilities & that there's a robust process for processing them. 
However, if so many people are searching for vulnerabilities in a product, that suggests it's an important (critical) project) -* OSTIF's list of critical projects for Managed Audit Program (link to more info [here.](https://docs.google.com/spreadsheets/d/1oytKuD7UCX6nDXWQMr6ZgYYgap_SH_JVBof5gNrgSxo/edit#gid=0) -* [Core Infrastructure Initiative (CII) Open Source Software Census II Strategy](https://www.ida.org/research-and-publications/publications/all/c/co/core-infrastructure-initiative-cii-open-source-software-census-ii-strategy) by David A. Wheeler & Jason N. Dossett, October 2017 -* [Report on the 2020 FOSS Contributor Survey](https://www.linuxfoundation.org/blog/2020/12/download-the-report-on-the-2020-foss-contributor-survey/) by Frank Nagle, David A. Wheeler, Hila Lifshitz-Assaf, Haylee Ham, and Jennifer L. Hoffman - -## Operations - -WG-Securing-Critical-Projects operations are consistent with standard operating guidelines -provided by the OSSF Technical Advisory Committee -[TAC](https://github.com/ossf/tac). - -### Meetings Times - -Meetings will all be published on the [OSSF Community Calendar](https://calendar.google.com/calendar/r?cid=s63voefhp5i9pfltb5q67ngpes@group.calendar.google.com). - -### Communications - -We have a public email list available here: https://lists.openssf.org/g/openssf-wg-securing-crit-prjs - -You can also join us for day-to-day conversations on slack: https://openssf.slack.com/messages/wg_securing_critical_projects - -## Identifying Critical Projects - -[See information on identifying critical projects](https://github.com/ossf/wg-securing-critical-projects/tree/main/Initiatives/Identifying-Critical-Projects) \ No newline at end of file diff --git a/wg-securing-software-repos/README.md b/wg-securing-software-repos/README.md deleted file mode 100644 index 7bb05fe..0000000 --- a/wg-securing-software-repos/README.md +++ /dev/null 
@@ -1,126 +0,0 @@ -# wg-securing-software-repos - -We provide a collaborative environment for aligning on the introduction of new tools and technologies to strengthen and secure software repositories. Our current project is Repository Service for TUF, join to learn more. - - - The designated lead(s): -- [Dustin Ingram](https://github.com/di) - -OpenSSF Working Group on Securing Software Repositories - -## Motivation - -This working group is for and focuses on the maintainers of software repositories, software registries, and tools which rely on them, at various levels including system, language, plugin, extensions and container systems. It provides a forum to share experiences and to discuss shared problems, risks and threats. - -## Objective - -* Enable faster cross-pollination of existing ideas across ecosystems (including technical measures, infrastructure approaches, and policies) -* Act as a clearinghouse for new ideas that could benefit multiple ecosystems -* Enable maintainers to better align and coordinate policies and changes between different ecosystems -* Identify & escalate needs for infrastructure and assistance for shared tooling and/or services (to be filled by supportive or sponsoring organizations (such as the [OpenSSF](https://www.openssf.org/))) -* Develop methods for sharing data related to software repositories, software registries, and tools which rely on them -* Delegate solving particular problems and goals to subgroups or other workgroups as appropriate - -The working group may create: - -* Normative, non-binding recommendations on common schemas -* Descriptive documentation of experiences and best practices - -## Vision - -TBD - -## Scope - -TBD - -## Current Work - -TBD - -## Active Projects - -TBD - -## Contribute - -TBD - -## Quick Start - -TBD - -## Get Involved - -TBD - -## Meeting times - -[Zoom](https://zoom-lfx.platform.linuxfoundation.org/meeting/98058137343?password=28dafc6e-cfcf-440d-bb63-ca73a1739f06) every other Wednesday, 
alternating between EMEA (13:00 UTC) and APAC-friendly times (22:00 UTC). - -The meeting invite is available on the public [OSSF calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ). - -## Meeting Notes - -Meeting notes are maintained in a [Google Doc](https://docs.google.com/document/d/1-f6m442MHg9hktrbcp-4sM9GbZC3HLTpZPpxMXjMCp4/edit). If attending please add your name, and if a returning attendee, please change the color of your name from gray to black. - -## Licenses - -TBD - -## Charter - -TBD - -## Governance - -The [CHARTER.md](https://github.com/ossf/wg-securing-software-repos/blob/main/CHARTER.md) outlines the scope and governance of our group activities, as well as the maintainers of this repository. - -This group is co-chaired by [Dustin Ingram](https://github.com/di) and [Zach Steindler](https://github.com/steiza). - -## Antitrust Policy - -TBD - -## Antitrust Policy Notice - -Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. - -Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at . If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation. 
- -### Antigoals - -* The working group is not a governing body and does not create binding obligations on members -* The working group does not dictate technologies, tools or solutions, though members are free to recommend them to one another - -## Published work - -See also https://repos.openssf.org/ - -* **[Build Provenance and Code-signing for Homebrew](https://repos.openssf.org/proposals/build-provenance-and-code-signing-for-homebrew)** - July 2023 - > A proposal for introducing build provenance and cryptographic signatures to the Homebrew package manager. -* **[Build Provenance for All Package Registries](https://repos.openssf.org/build-provenance-for-all-package-registries)** - July 2023 - > Guidance for package registries in adopting build provenance to verifiably link a package back to its source code and build instructions. -* **[The Package Manager Landscape Survey](https://github.com/ossf/wg-securing-software-repos/blob/main/survey/2022/README.md)** - December 2022 - > A survey/landscape of different security mechanisms and features that are implemented across the different ecosystems as they pertain to security critical user journeys. - -## Projects - -| Name | Repository/Home Page | Notes | Status | -| --- | --- | --- | --- | -| Repository Service for TUF | https://github.com/repository-service-tuf/repository-service-tuf | [Meeting Notes](https://docs.google.com/document/d/13a_AtFpPK9WO4PlAN6ciD-G1jiBU3gEDtRD1OUinUFY/edit) | Sandbox | - -## Communication - -* [Meeting Minutes](https://docs.google.com/document/d/1-f6m442MHg9hktrbcp-4sM9GbZC3HLTpZPpxMXjMCp4/edit) -* [Mailing list](https://lists.openssf.org/g/openssf-wg-securing-software-repos). [Manage your subscriptions to Open SSF mailing lists](https://lists.openssf.org/g/main/subgroups). 
-* [OpenSSF Slack](https://openssf.slack.com/archives/C034CBLMQ9G) instance in the `#wg_securing_software_repos` channel (see [here](https://openssf.slack.com/join/shared_invite/zt-xoktwsef-VzM~b22G2gfT_~4woTTsQA#/shared-invite/email) for an invite) - -## Intellectual Property - -In accordance with the [OpenSSF Charter (PDF)](https://charter.openssf.org/), work produced by this group is licensed as follows: - -1. **Software source code**: Apache License, Version 2.0, available at https://www.apache.org/licenses/LICENSE-2.0; -2. **Data**: Any of the Community Data License Agreements, available at https://www.cdla.io; -3. **Specifications**: Community Specification License, Version 1.0, available at https://github.com/CommunitySpecification/1.0; -4. **All other Documentation**: Creative Commons Attribution 4.0 International License, available at https://creativecommons.org/licenses/by/4.0 \ No newline at end of file diff --git a/wg-security-tooling/README.md b/wg-security-tooling/README.md deleted file mode 100644 index 5a57d85..0000000 --- a/wg-security-tooling/README.md +++ /dev/null 
@@ -1,124 +0,0 @@ -# OSSF Security Tooling - -Our mission is to provide the best security tools for open source developers and make them universally accessible. We talk a lot about SBOMs currently. - - - The designated lead(s): -- [Ryan Ware](https://github.com/ware) - -Anyone is welcome to join our open discussions related to the group's mission and charter. - -## Motivation - -Most developers are not security experts and even the most seasoned developers, security experts or not, make mistakes. Tools can be used to help weed out security defects allowing developers to focus on the features they want to develop. - -## Objective - -Our mission is to Identify, Evaluate, Improve, Develop & Ease Deployment of universally-accessible, developer focused tooling to help the open source community secure their code. This space allows members to collaborate together on these goals. - -* Identify - There are a large number of tools that developers can utilize in various development environments. We need to ensure we understand the options available. -* Evaluate - Some tools are better than others. We need to ensure quality tools are available to the open source community. -* Improve - Some tools need just a little bit of help to offer the best solution. We need to, where possible, contribute to improve those tools. -* Develop - Despite the large number of tools available, there are still large areas of the security problem space that do not have tools to help developers find issues. We will develop those tools where there is interest and bandwidth. -* Ease Deployment - __Most critically__, open source developers need to know what tools they should be using and how to easily integrate them into their development process. Unless developers have an easy way to drop in security tooling, it is unlikely to be included. We will provide this information to open source developers. - -## Vision - -Our vision is to improve the perception of security in open source software. 
- -# Governance - -The [CHARTER.md](CHARTER.md) outlines the scope and governance of our group activities. - -This group is chaired by [Ryan Ware](https://github.com/ware). - -## Scope - -TBD - -## Current Work - -TBD - -## Active projects - -## Contribute - -TBD - -## Quick Start - -TBD - -## Get Involved - -* [Meeting Minutes](https://docs.google.com/document/d/1jzxhzIfkOMTagpeFWYoZpMKwHYeO4Gc7Eq5FcMFEw2c/edit?usp=sharing) -* [Mailing list](https://lists.openssf.org/g/openssf-wg-security-tooling). [Manage your subscriptions to Open SSF mailing lists](https://lists.openssf.org/g/main/subgroups). -* [Slack](https://openssf.slack.com/archives/C019Q1VEA87) - -## Meeting Times - -[Zoom](https://zoom-lfx.platform.linuxfoundation.org/meeting/94897563315?password=7f03d8e7-7bc9-454e-95bd-6e1e09cb3b0b) every other Friday at 16:00 GMT from Nov 17. - -The meeting invite is available on the public [OSSF calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ). - -## Meeting Notes - -Meeting notes are maintained in a [Google Doc](https://docs.google.com/document/d/1jzxhzIfkOMTagpeFWYoZpMKwHYeO4Gc7Eq5FcMFEw2c/edit?usp=sharing). If attending please add your name, and if a returning attendee, please change the color of your name from gray to black. - -## Licenses - -TBD - -## Charter - -TBD - -## Governance - -TBD - -## Antitrust Policy - -TBD - -## Antitrust Policy Notice - -Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. 
- -Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at . If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation. - -### SBOM Everywhere SIG - -* [SBOM Everywhere Google Drive folder](https://drive.google.com/drive/folders/154MCLeIOQEgPpTUL7yzplOiipBVJ5KZJ) -* [Mailing list](https://lists.openssf.org/g/openssf-sig-sbom) - -### (DRAFT) False Positive Suppression Specification - -* [(DRAFT) False Positive Suppression Specification](https://docs.google.com/document/d/1811qanC8h9egv3Iszn_rrXGtAoSCz0YJGzp9vACjjH8/edit#) (Sandbox DRAFT) - -### Guide - -* [Guide to Security Tools](https://github.com/ossf/wg-security-tooling/blob/main/guide.md) - -### CVE benchmarking initiative -* The [CVE benchmarking initiative](https://github.com/ossf-cve-benchmark/ossf-cve-benchmark) was announced at [BlackHat Europe 2020](https://www.blackhat.com/eu-20/briefings/schedule/#fps-are-cheap-show-me-the-cves-21345), presented by [Bas van Schaik](https://github.com/sj) and [Kevin Backhouse](https://github.com/kevinbackhouse). - -### OSS Fuzzing -* Fuzzing Collaboration subgroup - focuses on improving fuzzing - - Meets montly starting 2022-01-04 at 10:30am Pacific Time (see the OpenSSF calendar) via [this Zoom link](https://zoom.us/j/99960722134?) 
- - [Meeting notes](https://docs.google.com/document/d/1TmhqYpB1Ly-5o-F31RVHxgpunW6qeDTVopBCtCmKhs0/edit?usp=sharing) - - Has its own [fuzzing-collaboration mailing list on Google Groups](https://groups.google.com/g/fuzzing-collaboration) -* [Fuzz-introspector](https://github.com/ossf/fuzz-introspector/) - a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potential blockers. - -### DAST scanning and web application definition -* Lead: Simon Bennetts -* [Web Application Definition 1.0.0](https://github.com/ossf/wg-security-tooling/wiki/WebAppDefn) - -## Related non-OpenSSF work - -* [OSS-Fuzz: Continuous fuzzing for open source software](https://github.com/google/oss-fuzz) -* [FuzzBench: Fuzzer Benchmarking As a Service](https://github.com/google/fuzzbench) - -### CodeQL rules -* Comin \ No newline at end of file diff --git a/wg-supply-chain-integrity/README.md b/wg-supply-chain-integrity/README.md deleted file mode 100644 index 6b209ab..0000000 --- a/wg-supply-chain-integrity/README.md +++ /dev/null 
@@ -1,118 +0,0 @@ -# Supply Chain Integrity WG - -We are helping people understand and make decisions on the provenance of the code they maintain, produce and use. We have great projects like GUAC, SLSA and gittuf that you can work with. - - - The designated lead(s): -- [Isaac Hepworth](https://github.com/hepwori) -- [Dan Lorenc](https://github.com/dlorenc) - -# Supply Chain Integrity WG - -## Motivation - -Supply chain issues and attacks cause significant damage worldwide including lost revenue, costs of ransomware payments, costs of mitigation, denial of access to resources, reduced customer trust, and public deception. As a matter of public trust, governments are beginning to mandate actions aimed at improving the security and integrity of supply chains. The [US White House Executive Order on Improving the Nation’s Cybersecurity](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/) is one such example. - -## Objective - -The objective of the Supply Chain Integrity Working Group (WG) is to provide a global community for collaborating to help individuals and organizations assess and improve the security of end-to-end supply chains for open source software. - -## Vision - -TBD - -## Scope - -TBD - -## Current Work - -TBD - -## Active Projects - -TBD - -## Contribute - -TBD - -## Quick Start - -TBD - -## Get Involved - -TBD - -## Meeting times - -TBD - -## Meeting Notes - -TBD - -## Licenses - -TBD - -## Charter - -TBD - -## Governance - -This WG is chaired by Isaac Hepworth. Melba Lopez and Jay White are co-chairs. - -Working Group operations are consistent with standard operating guidelines provided by the OSSF Technical Advisory Committee -[TAC](https://github.com/ossf/tac). - -Full details of process and roles are linked from [governance README](/governance). 
- -New SCI WG Charter can be read from [governance CHARTER](/governance/CHARTER.MD) - -## Antitrust Policy - -TBD - -## Antitrust Policy Notice - -Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. - -Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at . If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation - -## Communications - -We have a public email list available here: https://lists.openssf.org/g/openssf-supply-chain-integrity - -See Google Groups for past archive: https://groups.google.com/forum/#!forum/ossf-wg-developer-identity - -You can also join our Slack channel at https://openssf.slack.com/messages/wg_supply_chain_integrity - -## Meetings Times - -The working group meets every other Wednesday at 9 AM Pacific. The public calendar is available here: https://calendar.google.com/calendar/embed?src=s63voefhp5i9pfltb5q67ngpes%40group.calendar.google.com&ctz=America%2FLos_Angeles - -Subscribe to the calendar for meeting details. - -## Meetings Notes - -Meeting Notes and Agendas are available on [Google Drive](https://docs.google.com/document/d/1moVFPn5pLi-uGs840_YBCrwdpHajU0ptFmlL4F9GryQ/edit). 
- -## Documents - -* [User Stories](https://docs.google.com/document/d/1_TQizML8sXAm3OdoNA_plihZ14OHng_XRvJXKv_o_bs/edit?usp=sharing) - -## Activities - -* [Supply-chain Levels for Software Artifacts (SLSA, pronounced ”salsa”)](https://slsa.dev/) - see also the [SLSA repository](https://github.com/slsa-framework/slsa) -* [SLSA Tooling Project](slsa-tooling.md) -* [Factory for Repeatable Secure Creation of Artifacts (FRSCA, pronounced "fresca")](https://buildsec.github.io/frsca) - see also the [FRSCA repository](https://github.com/buildsec/frsca) -* [Secure Supply Chain Consumption Framework (S2C2F) Special Interest Group (SIG)](https://github.com/ossf/s2c2f) -* Supply Chain Integrity Positioning Special Interest Group (SIG) -* [gittuf: A security layer for Git repositories](https://github.com/gittuf/gittuf) - -Older activities (as Digital Identity Attestation WG): - * [Former Digital Identity Attestation WG Readme](https://github.com/ossf/wg-supply-chain-integrity/blob/0804679461f7ed288d50d70da7ae9c7152b1e51d/README.md) - * [Recap](https://openssf.org/blog/2021/01/27/digital-identity-attestation-roundup/) \ No newline at end of file diff --git a/wg-vulnerability-disclosures/README.md b/wg-vulnerability-disclosures/README.md deleted file mode 100644 index 56b1fba..0000000 --- a/wg-vulnerability-disclosures/README.md +++ /dev/null 
@@ -1,206 +0,0 @@ -# **Vulnerability Disclosures** - -We are improving the overall security of the OSS ecosystem by helping advance vulnerability reporting and communication. - - - The designated lead(s): -- [Christopher CRob Robinson](https://github.com/SecurityCRob) - -[![GitHub Super-Linter](https://github.com/ossf/wg-vulnerability-disclosures/workflows/Lint%20Code%20Base/badge.svg)](https://github.com/marketplace/actions/super-linter) - -The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication. - - - -## Motivation - -TBD - -## Objective - -TBD - -## Vision - -TBD - -## Scope - -TBD - -## Current Work - -TBD - -## Active Projects - -TBD - -## Contribute - -TBD - -## Quick Start - -TBD - -## Get Involved - -TBD - -## Meeting times - -TBD - -## Meeting Notes - -TBD - -## Licenses - -TBD - -## Charter - -TBD - -## Governance - -TBD - -## Antitrust Policy - -TBD - -## Antitrust Policy Notice - -TBD - -## **Mission** -The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping develop and advocate well-managed vulnerability reporting and communication. We serve open source maintainers and developers, assist security researchers, and help downstream open source software consumers. - -## **Vision** -A world where coordinated vulnerability disclosure is a normal, easy, and expected process that is supported by guidance, automation, and tooling for maintainers, consumers, researchers, and vendors, with the goal of making open source software and the open source software supply chain more secure for everyone. 
- -A world where coordinated vulnerability disclosure is: -- a common, easy, and expected process -- supported by well-documented guidance, automation, and tooling for open source maintainers and consumers, security researchers, and vendors -- with the goal of making open source software and supply chains more secure for everyone. - -## **Strategy** - -We plan on addressing this challenge through the following actions: - -- Documenting and promoting reasonable vulnerability disclosure and coordination practices within the OSS ecosystem for component maintainers and community members by providing documented guidance and educational materials. -- Identifying vulnerability disclosure pain points and incentives for OSS maintainer, consumers, and security researchers and taking steps to address them. -- Facilitate the development and adoption of a standards-based OSS Vulnerability Exchange (VEX) that uses existing industry formats and allows OSS projects of all sizes to be able to report, share, and learn about vulnerabilities within OSS components. - -## **Roadmap** - -- Evangelize artifacts and tooling from the group through podcasts, conference presentations, blogs, etc. for things like the CVD guides, OSV, & VEX --- Podcasts --- Blogs --- Conferences --- Open office hours to interact with Open Source project managers and help them. -- Support industry-wide vuln coordination efforts with good practices identified by the OSS-SIRT SIG -- Expand use of VEX by upstream projects through the advocacy and use of VEX and VEX-creation tools (such as OpenVEX). Issuance of VEX documents upstream helps the whole ecosystem understand what is needed and how to effectively execute, providing critical vuln affectedness data to downstream consumers so they can understand how to incorporate with other vuln info (CSAF, OSV, SBOM, etc). 
-- Increase awareness and use of CVD guides, techniques, and tools -- Increase the awareness and use of OSV -- Participate in forthcoming industry “VulnCon” and related conferences to share OSS vuln mgmt perspectives with broad PSIRT/CSIRT/CERT ecosystem -- Provide guidance, documentation, and templates to the OpenSSF and the broader OSS community for use as security policies and vulnerability management processes (security.md, vuln disclosure policy, etc.) - -## **Current work** - - - -- [Guides to coordinated vulnerability disclosure for open source software projects](https://github.com/ossf/oss-vulnerability-guide) to assist projects in handling vulnerabilities. -- [Open Source Vulnerability Schema](https://github.com/ossf/osv-schema) - see also [osv.dev](https://osv.dev). -- [OSS-SIRT SIG](https://github.com/ossf/SIRT) (incubating) - SIG dedicated to update of OpenSSF Mobilization Plan Stream 5 working to create upstream open source incident response team. -- Vulnerability AutoFix SIG (incubating) - Group dedicated to finding best practices in disclosing open source vulnerabilities and fixes to projects at scale -- [OpenVEX SIG](https://github.com/ossf/OpenVEX) (sandbox)- Group dedicated to OpenVEX and VEX industry work. OpenVEX is an implementation of the Vulnerability Exploitability Exchange (VEX for short) that is designed to be minimal, compliant, interoperable, and embeddable. - -## **Past Work** - -- [Unified list of metadata for vulnerability reports and disclosures](https://docs.google.com/spreadsheets/d/1eZpBk2aIup29KcWwN5MAhvkk60EE_DRt2YRtLo8P0zs/edit?usp=sharing) -- [OpenSSF Recommendations for Open Source Software Vulnerability Disclosure Whitepaper](https://docs.google.com/document/d/1ggvl7_p7-tmieP5He1dSmRbndDz1CG2_BqNpk6ss6ks/edit) (incubating) - a draft longer paper on various related topics - -## **Get Involved** - -We communicate on the Vulnerability Disclosure [mailing list](https://lists.openssf.org/g/openssf-wg-vul-disclosures). 
[Manage your subscriptions to Open SSF mailing lists](https://lists.openssf.org/g/main/subgroups). - -Join us on Slack at - -- Recent Update to OSSF TAC on [WG activities](https://docs.google.com/presentation/d/1MKncQFHZpzKNugk8k5NkNXbmtxbXC5WBqJl1Jlh35iw/edit?usp=sharing) - -## **Meeting Times** - -The working group meets every two weeks, on Wednesdays at 11:00 AM ET / 8:00 AM PT. Currently we are using Zoom for working group meetings. The invite is available on the [OpenSSF Community Calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ). - -The Working Group will hold a monthly APAC-friendly call at 6:00pm ET / 3:00pm PT the last Thursday of each month. The invite is available on the [OpenSSF Community Calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ). - -| Effort | Meeting Times | Meeting Notes/Agenda | Git Repo | Slack Channel | Mailing List | -| :--------------: | :-----------------------------------------------------: | :---------------------------------------------------------------------------------------------------------------: | :--------------------------------------------------------------: | :----------------------------------------------------------------------------: | :----------------------------------------------------------------------------: | -| Full WG | Every 2nd Wednesday 8:00a PT/11:00a ET/1500 UTC | [Meeting Notes](https://docs.google.com/document/d/1AXkapzjZ-SxwcBN7rZeSstkzdapd3sbzfHDxz6A59Ic/edit) | [Git Repo](https://github.com/ossf/wg-vulnerability-disclosures) | [Slack](https://openssf.slack.com/archives/C019Y2A28Q6) | [Mailing List](https://lists.openssf.org/g/openssf-wg-vul-disclosures) | -| WG - APAC TZ | Occurs Last Thursday monthly 3:00p PT/6:00p ET/2200 UTC | [Meeting Notes](https://docs.google.com/document/d/1wSugi_EjgQ6ttINg1yXqsVAO9V3B-v2jdQT1RX22MZQ/edit?usp=sharing) | [Git 
Repo](https://github.com/ossf/wg-vulnerability-disclosures) | [Slack](https://openssf.slack.com/archives/C019Y2A28Q6) | [Mailing List](https://lists.openssf.org/g/openssf-wg-vul-disclosures) | -| OSS-SIRT | Every 2nd Tuesday 6:00a PT/9:00a ET/1300 UTC | [Meeting Notes](https://docs.google.com/document/d/1sUZNQgU6E5lha7WH0_9YOvoegLeLTs9dv9QZj8dwjJM/edit?usp=sharing) | [Git Repo](https://github.com/ossf/SIRT) | [Slack](https://openssf.slack.com/messages/stream-05-vulnerability-disclosure) | [Mailing List](https://lists.openssf.org/g/openssf-sig-osssirt/topics) | -| OSV schema | TBD | [Meeting Notes]() | [Git Repo](https://github.com/ossf/osv-schema) | [Slack]() | [Mailing List]() | -| OpenVEX | Every 2nd Monday 12:00p PT/3:00p ET/1900 UTC | [Meeting Notes](https://docs.google.com/document/d/1C-L0JDx5O35TjXb6dcyL6ioc5xWUCkdR5kEbZ1uVQto/edit?usp=sharing) | [Git Repo](https://github.com/ossf/OpenVEX) | [Slack](https://openssf.slack.com/archives/C05009RHCNT) | [Mailing List](https://lists.openssf.org/g/openssf-sig-openvex) | -| Vuln Autofix SIG | Occurs every 2nd Wednesday 1:00p PT/4:00p ET/2000 UTC | [Meeting Notes](https://docs.google.com/document/d/1wSugi_EjgQ6ttINg1yXqsVAO9V3B-v2jdQT1RX22MZQ/edit?usp=sharing) | [Git Repo]() | [Slack](https://openssf.slack.com/archives/C04MW17FK8X) | [Mailing List](https://lists.openssf.org/g/openssf-wg-vul-disclosures-autofix) | - -### **Meeting Notes** - -- [2024 Meeting Minutes](https://docs.google.com/document/d/1AXkapzjZ-SxwcBN7rZeSstkzdapd3sbzfHDxz6A59Ic/) -- [2023 Meeting Minutes](https://docs.google.com/document/d/1wSugi_EjgQ6ttINg1yXqsVAO9V3B-v2jdQT1RX22MZQ/edit?usp=sharing) -- [2022 Meeting Minutes](https://docs.google.com/document/d/1jzqhW9SK9QRA39fQz0RiAkvpRWB0xztt1TAFJEseTlA/edit?usp=sharing) -- [2021 Meeting Notes](https://docs.google.com/document/d/1v9WKzitA7fxGwkP8j3nanXYbzhkkgCDpQYBNI0lDJfY/edit#) -- [Pre 2021 Meeting notes](docs/meeting-notes) - -## **Governance** - -We use the 
[vulnerability-disclosures-wg](https://github.com/orgs/ossf/teams/vulnerability-disclosures-wg) GitHub team. - -The [CHARTER.md](CHARTER.md) outlines the scope and governance of our group activities. - -- Lead - [Christopher "CRob" Robinson](https://github.com/SecurityCRob) -- Co-Lead - -- Backlog Warden - -- - -### Project Maintainers - -- [Christopher "CRob" Robinson, Intel](https://github.com/SecurityCRob) - -### Project Collaborators - -- [Jonathan Leitschuh, Dan Kaminsky Fellowship - HUMAN](https://github.com/) -- [Madison Oliver, GitHub Security Lab](https://github.com/) -- [David A Wheeler, LF/OSSF](https://github.com/david-a-wheeler) -- [Randall T. Vasquez (SKF/Gentoo/Homebrew)](https://github.com/ran-dall) - -### Project Contributors - -- [Adolfo García Veytia, Chainguard & OpenVEX](https://github.com/puerco) -- Andrew Pollock, Google & OSV -- [Arnaud Le Hors, IBM](https://github.com/lehors) -- [Art Manion, ANALYGENCE](https://github.com/zmanion) -- [Avishay Balter, Microsoft](https://github.com/balteravishay) -- [Chris de Almeida, IBM](https://github.com/ctcpip) -- [Jason Keirstead, IBM](https://github.com/JasonKeirstead) -- [Jay White, Microsoft](https://github.com/camaleon2016) -- Jeffrey Borek, IBM -- Jennifer Mitchell, Tidelift -- [Ixchel Ruiz, JFrog](https://github.com/ixchelruiz) -- [Marcus Meissner (SUSE)](https://github.com/msmeissn) -- [Nathan Menhorn, AMD](https://github.com/nathan-menhorn) -- [Nicole Schwartz, ActiveState](https://github.com/NicoleSchwartz/CircuitSwan) -- Oliver Chang, Google & OSV -- [Paulo Flabiano Smorigo (Ubuntu/Canonical)](https://github.com/pfsmorigo) -- Yotam Perkal, Rezilion - -A listing of our current and past group [members](https://github.com/ossf/wg-vulnerability-disclosures/blob/main/members.md). 
- -## **Antitrust Policy Notice** - -Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. - -Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at . If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation \ No newline at end of file