Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create 2024-Q3-BEST-WG.md #359

Merged
merged 12 commits into from
Aug 20, 2024
Merged

Create 2024-Q3-BEST-WG.md #359

merged 12 commits into from
Aug 20, 2024

Conversation

SecurityCRob
Copy link
Contributor

initial load of BEST WG TAC report. still waiting for WG member feedback prior to presenting

@SecurityCRob SecurityCRob requested a review from a team as a code owner July 17, 2024 13:39
@SecurityCRob SecurityCRob self-assigned this Jul 17, 2024
@SecurityCRob SecurityCRob added documentation Improvements or additions to documentation TI Lifecycle Issue/PR related to TIs' lifecycle status. Needs 5 approvals, 10d review. Content Updates/additions to TAC content/process. Must include a changelog entry. Needs 3 approvals. labels Jul 17, 2024
@Danajoyluck
Copy link
Contributor

@SecurityCRob thanks a lot for the security baseline SIG update. I'm in the process of creating implementation plan to create the GitHub repo. Will share update as I make more progress. The doodle poll is rolling in, will share meeting time this Friday.

Copy link
Member

@steiza steiza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One question / comment, but generally LGTM!

- Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10.
#### Current Status

#### Up Next
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inside the OpenSSF, I feel like people generally understand that Scorecard is a framework for maintainers to walk them through improving their secure software development practices - sort of a gamified maturity model, if you will.

Outside the OpenSSF, we've seen a fair amount of confusion as to if the Scorecard scores should be used by consumers of open source software as a way to boil down risk assessment into a single number, the most recent example of this being https://openssf.slack.com/archives/C019M98JSHK/p1720098402786119.

I think the OpenSSF is aligned on that Scorecard is meant for maintainers and not consumers. Have we thought about how we might adjust our messaging to prevent this confusion in the future? I'm specifically thinking of places like https://github.com/ossf/scorecard and https://securityscorecards.dev/, but I'm open to other suggestions!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Counter point: I've seen enterprises seek to understand scorecard/scores as a way to automate risk when they consume OSS, and create mechanisms to automate OSS ingestion. The Metrics API SIG (under the former Metrics and Metadata WG) was creating an API where enterprises could pull Scorecard and other data into their processes.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Relevant scorecard issue: ossf/scorecard#4219

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Err... The README starts with:

We created Scorecard to help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe.

Copy link
Contributor

@sevansdell sevansdell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the update

Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
typo

Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
@SecurityCRob SecurityCRob added the DRAFT Indicates that a PR should not merge because it is a work in progress. label Jul 23, 2024
@sevansdell sevansdell marked this pull request as draft July 23, 2024 14:44
Copy link
Contributor

@marcelamelara marcelamelara left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

TI-reports/2024/2024-Q3-BEST-WG.md Outdated Show resolved Hide resolved
TI-reports/2024/2024-Q3-BEST-WG.md Outdated Show resolved Hide resolved
SecurityCRob and others added 2 commits July 31, 2024 09:31
Co-authored-by: Marcela Melara <marcela.melara@intel.com>
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Added more information for current state and next steps. 

Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
@SecurityCRob SecurityCRob marked this pull request as ready for review August 2, 2024 14:02
updates per wheeler

Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
@SecurityCRob
Copy link
Contributor Author

I merged in David's updates for Badges and the Fundamentals class

@SecurityCRob SecurityCRob removed the DRAFT Indicates that a PR should not merge because it is a work in progress. label Aug 13, 2024
wheeler changes

Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Copy link
Contributor

@gkunz gkunz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added some bullet covering the Python Secure Coding Guide.

TI-reports/2024/2024-Q3-BEST-WG.md Outdated Show resolved Hide resolved
TI-reports/2024/2024-Q3-BEST-WG.md Show resolved Hide resolved
TI-reports/2024/2024-Q3-BEST-WG.md Show resolved Hide resolved
TI-reports/2024/2024-Q3-BEST-WG.md Outdated Show resolved Hide resolved
TI-reports/2024/2024-Q3-BEST-WG.md Outdated Show resolved Hide resolved
SecurityCRob and others added 4 commits August 14, 2024 13:00
Co-authored-by: Georg Kunz <georg.kunz@ericsson.com>
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Co-authored-by: Georg Kunz <georg.kunz@ericsson.com>
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Co-authored-by: Georg Kunz <georg.kunz@ericsson.com>
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
added suggestions from gkunz

Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
more contributor feedback

Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Co-authored-by: Thomas Nyman <thomasnyman@users.noreply.github.com>
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Copy link
Contributor

@sevansdell sevansdell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

-Would love to see a BEST chair co-lead
-Many thanks to Ericson for their contributions to the C++ Hardening Guide
-Kudos to OpenJS for contributing feedback to the Security Baseline SIG.

@SecurityCRob SecurityCRob merged commit bce3a6f into main Aug 20, 2024
1 check passed
@SecurityCRob SecurityCRob deleted the SecurityCRob-patch-3 branch August 20, 2024 19:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Content Updates/additions to TAC content/process. Must include a changelog entry. Needs 3 approvals. documentation Improvements or additions to documentation TI Lifecycle Issue/PR related to TIs' lifecycle status. Needs 5 approvals, 10d review.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants