A focus on JavaScript security at OpenJS #826

Closed
rginn opened this issue Jan 18, 2022 · 7 comments

Comments

@rginn

rginn commented Jan 18, 2022

JavaScript touches nearly every part of the web today, and maintainers at OpenJS Foundation-hosted projects are working tirelessly to keep critical infrastructure secure. The Cross Project Council can leverage its Better Together approach by sharing best practices among OpenJS and other JS projects in the ecosystem, and by establishing baseline requirements for security practices. Additionally, our team at the OpenJS Foundation, together with the Linux Foundation, can provide support and advocate for resources to further strengthen our projects.

We have been having conversations with the Linux Foundation Open Source Security Foundation (OpenSSF), and the Open Source Technology Improvement Fund (OSTIF), with a request for collaboration and funding this calendar year.

What more can we do as a global community and global foundation to strengthen security across the JavaScript ecosystem? How can we reduce the risk and take ambitious security goals for all our OpenJS projects? Let’s further define, document, and measure in an open and transparent way.

RESOURCES

OpenJS Foundation Package Vulnerability Management & Reporting Collaboration Space https://github.com/openjs-foundation/pkg-vuln-collab-space
Project participation in OpenSSF Best Practices Badge Program https://bestpractices.coreinfrastructure.org/en
Project onboarding for LFX Security https://security.lfx.linuxfoundation.org/#/
Project participation in the OpenSSF “Great MFA Distribution Project” https://openssf.org/blog/2021/12/10/great-mfa-distribution/
Project requirements around the use of SBOM formats like SPDX https://spdx.dev/
Secure development training for project maintainers and contributors such as the OpenSSF & LF Training offerings https://openssf.org/training/courses/
OpenSSF Criticality Score https://github.com/ossf/criticality_score
Whitepaper: Threats, Risks, and Mitigations in the Open Source Ecosystem, Michael Scovetta in collaboration with the Open Source Security Coalition https://github.com/ossf/wg-identifying-security-threats/blob/main/publications/threats-risks-mitigations/v1/Threats,%20Risks,%20and%20Mitigations%20in%20the%20Open%20Source%20Ecosystem%20-%20v1.pdf

@tobie
Contributor

tobie commented Jan 20, 2022

As I've argued on Twitter, a large part of the problem is systemic and a direct outcome of open source sustainability issues. What can we do to help alleviate those? In particular, what can we do to help

  1. drive corporate contributions, and
  2. explore options to pay maintenance of key transitive dependencies?

More concretely, for OpenJSF projects, we should have an up to date list of project dependencies, define their risk factor, and piggyback on @jorydotcom's amazing work with OpenWebDocs to do a pilot paid maintenance project with a particularly critical and at risk dependency.

@rginn
Author

rginn commented Feb 15, 2022

Action items from last meeting for discussion:

  • Create Security channel on Slack
  • Schedule a follow-up meeting for those interested (separate from the CPC working session)
  • Create a repo
  • Recruit potential Collab Space champions
  • Bring in more security experts to participate

@joesepi
Member

joesepi commented Mar 24, 2022

The security template from Node.js was removed, but it provides an opportunity for OpenJS to provide something similar. We should add this to the list of things to do with Security work.
#843

@lirantal

lirantal commented Apr 1, 2022

Thanks for opening up and raising this issue.

I believe that in order to understand the scope and charter at the OpenJS Foundation level, it would be beneficial to survey maintainers and open source contributors in order to produce a requirements specification. This would help in understanding the overall problem space folks need help with.

What do we think about doing that?

@joesepi
Member

joesepi commented Jun 21, 2022

Initial next steps are to create a repository for our work and to find a time to schedule a recurring meeting. Look for those things to happen soon and you can also follow along on any conversations in the #security slack channel in the OpenJS Slack.

@rginn
Author

rginn commented Sep 13, 2022

The Security Collab Space meetings are now scheduled on our OpenJS public calendar. You’ll find the calendar link and OpenJS Slack invite here: https://openjsf.org/collaboration/.

@joesepi
Member

joesepi commented Oct 11, 2022

New repo here: https://github.com/openjs-foundation/security-collab-space/
All other work is happening there now. Huzzah
