Create 2024-Q3-BEST-WG.md #359

Merged
merged 12 commits into from
Aug 20, 2024
164 changes: 164 additions & 0 deletions TI-reports/2024/2024-Q3-BEST-WG.md
@@ -0,0 +1,164 @@
# 2024 Q3 BEST WG


## Overview
The BEST Working group is officially a [Graduated-level](https://github.com/ossf/tac/blob/main/process/working-group-lifecycle.md) working group within the OpenSSF <img align="right" src="https://github.com/ossf/tac/blob/main/files/images/OpenSSF_StagesBadges_graduated.png" width="100" height="100">
Our Mission is to provide open source developers with security best practices recommendations and easy ways to learn and apply them.

We seek to fortify the open-source ecosystem by championing and embedding best security practices, thereby creating a digital environment where both developers and users can trust and rely on open-source solutions without hesitation.

The BEST Working Group continues to curate and create artifacts tailored towards (open source) developers and open source software consumers illustrating secure development best practices. This is done through the combination of training collateral, best practices guides, and educational awareness.

- We envision a world where software developers can easily IDENTIFY good practices, requirements and tools that help them create and maintain secure world-class software, helping foster a community where security knowledge is shared and amplified.
- We seek to provide means to LEARN techniques of writing and identifying secure software using methods best suited to learners of all types.
- We desire to provide tools to help developers ADOPT these good practices seamlessly into their daily work.

<img align="top" src="https://github.com/ossf/wg-best-practices-os-developers/blob/main/img/OpenSSF%20Dev%20Best%20Practices%20Projects%20Relations.png">

The group continues to be active and is working on several simultaneous projects aligned with our Mission & Vision. Attendance generally is down, and several former key contributors no longer attend meetings.


### Key Resources
- Best Practices for OSS For Software Developers [link](https://best.openssf.org/developers)
- Best Practices Guides [link](https://openssf.org/resources/guides/)
- Secure Software Development Fundamentals Course [LFD121](https://training.linuxfoundation.org/training/developing-secure-software-lfd121/)
- Security Toolbelt - ARCHIVED - [link](https://github.com/ossf/toolbelt)

### Sub-groups
- Guides - [link](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs)
- EDU.SIG - [link](https://github.com/ossf/education/)
- Memory Safety SIG - [link](https://github.com/ossf/Memory-Safety)
- OpenSSF Best Practices Badge - [link](https://www.bestpractices.dev/)
- Scorecard - [link](https://github.com/ossf/scorecard)
- Best Practices Badge and Developing Secure Software (LFD121) course - [link](https://github.com/ossf/secure-sw-dev-fundamentals)
- Security Baseline - [link](https://github.com/ossf/security-baseline)

### Leads
- WG - CRob
- BP Badge and SecDev course - David Wheeler
- Compiler Hardening Guides - Thomas Nyman & Georg Kunz
- EDU SIG - CRob & Dave Russo
- Mem Safety SIG - Nell Shamrell-Harrignton & Avishay Balter
- Python Hardening Guide - Helge & Georg
- Scorecard - Laurent Simon & Stephen Augustus
- Security Baseline - Eddie Knight
- WebDev Sec BP - Daniel Appelquist

## Activity
### Best Practices Badge
#### Purpose
- The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify, at no cost, by using this web application to explain how they follow each best practice.
#### Current Status
- OpenSSF Best Practice Badge continues to gain users, as shown in its project statistics. As of 2024-08-04 it has 7,383 participating projects and 1,450 passing projects. We occasionally process special requests, such as ownership changes, and update dependencies (especially if a vulnerability is found in a dependency).
- #### Up Next
- The current plan is to continue to maintain the project as needed.


### Developing Secure Software Fundamentals Course (LFD121)
#### Purpose
Provide baseline security education for developers.
#### Current Status
- The LFD121 course is occasionally updated as suggestions are made or new issues are discovered.
#### Up Next
- We are developing a set of interactive labs for the course. To see them and their current status, see the labs README.


### Concise Guides
#### Purpose
- Artifacts that consolidate BEST practices in OSS software development and management techniques
#### Current Status
- Continued revisions, updates, & enhancements to these core guides
#### Up Next
- TBD

### Compiler Hardening Guides
#### Purpose
- Help C and C++ developers and those who compile C/C++ code, e.g., package maintainers, ensure that produced application binaries (libraries and executables) are equipped with security mechanisms provided by compilers against potential attacks and/or misbehavior.
#### Current Status
- Continued revision, updates, & enhancement, e.g., keeping the compiler options hardening guide up-to-date with upstream options additions and changes in GCC and Clang/LLVM.
#### Up next
- Compiler annotations guide for C and C++ (in incubation), expanding compiler options guide to also cover other compilers, such as Microsoft MSVC (tracked in [BEST Issue 150](https://github.com/ossf/wg-best-practices-os-developers/issues/150))
- Outreach, e.g., upcoming talk at Nordic Software Security Summit 2024

### EDU.SIG
#### Purpose
- Deliver Baseline Secure Software Development Education and Certification to All. Provide access to open and widely available education materials to all learners.
Materials will be maximally accessible and easy to consume for all learners.
#### Current Status
- Many simultaneous activities
- Recent release of LF Research study on Security Edutation for Developers
- Academic Accredidation team working on kicking off program to "certify" collegiate programs that meet OpenSSF & CNCF best practices
- Security for Developer Managers class progressing into two pieces of collateral: Manager class & terms-definitions
#### Up Next
- Security Architect class outline reviewed and content development will come next
- "201 level" class will come after
-
### Memory Safety SIG
#### Purpose
- The Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to advance and deliver upon The OpenSSF's Mobilization Plan - Stream 4.
#### Current Status
- Have drafted a “Memory Safety Continuum” concept document
- Have gathered guides/practices related to best memory safety practices in both memory safe by default and non memory safe by default languages
#### Up Next
- Produce a Memory Safety workshop (modeled after W3C workshops). Theme is “Improving Memory Safety in an Imperfect World”
- Finalize Memory Safety Continuum doc

### Python Hardening Guide
#### Purpose
- Help Python developers to create more secure code by explaining vulnerable and non-vulnerable coding patterns based on the CWE framework and rules.
- Besides a description of each coding pattern, the guide includes executable code examples for each rule, which allow for an in-depth understanding of each pattern.
#### Current Status

#### Up Next
- The group is working on adding more content for a broad range of CWE rules. The status is being tracked in issue 531
- We are inviting all interested Python coders to review the current content and/or pick a new CWE rule from 531 and contribute content
- Use the opportunity to give a lightning talk at SOSS Community Day EU to solicit more contributors



### Scorecard
#### Purpose
-To help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe.
- Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10.
#### Current Status

#### Up Next
Inside the OpenSSF, I feel like people generally understand that Scorecard is a framework for maintainers to walk them through improving their secure software development practices - sort of a gamified maturity model, if you will.

Outside the OpenSSF, we've seen a fair amount of confusion as to if the Scorecard scores should be used by consumers of open source software as a way to boil down risk assessment into a single number, the most recent example of this being https://openssf.slack.com/archives/C019M98JSHK/p1720098402786119.

I think the OpenSSF is aligned on that Scorecard is meant for maintainers and not consumers. Have we thought about how we might adjust our messaging to prevent this confusion in the future? I'm specifically thinking of places like https://github.com/ossf/scorecard and https://securityscorecards.dev/, but I'm open to other suggestions!


Counter point: I've seen enterprises seek to understand scorecard/scores as a way to automate risk when they consume OSS, and create mechanisms to automate OSS ingestion. The Metrics API SIG (under the former Metrics and Metadata WG) was creating an API where enterprises could pull Scorecard and other data into their processes.


Relevant scorecard issue: ossf/scorecard#4219

Err... The README starts with:

We created Scorecard to help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe.



### Security Baseline
#### Purpose
- The goal of this SIG is to evolve OpenSSF security baseline for Linux Foundation wide adoption.
- For OpenSSF adoption of the security baseline, there needs to be a home for tracking the adoption, for maintainers to raise issues to refine the security baseline, merge the baseline back to TAC lifecycle, and for OpenSSF to develop the roadmap for the security baseline. It will provide a venue for early adopters to share their reusable code and findings with other maintainers. The pilot adoption builds the foundation for wider adoption of the security baseline in OpenSSF and in Linux Foundation.
- This SIG creates a venue for other participating foundations to help evolve the OpenSSF security baseline into a security baseline that can be applied to a broad range of software-based projects. The group will define the right level of risks that the security baseline is applicable for, the effectiveness measurement of the security baseline, and the adoption path of the security baseline at the minimum.
#### Current Status
- on 16 July the WG voted to adopt the OpenSSF Security Baseline as a SIG within our group.
- Eddie Knight will help lead the cross-foundation effort.
- SIG resources setup completed (Gitbug, mailing list, slack, community meeting time, etc.).
- 5 OpenSSF Projects are actively piloting the security baseline adoption to comply with the Security Baseline by 9/15/2024, inlcuding OpenVEX, Protobom, RSTUF, GUAC, and Scorecard.
- Tracking of the adoption friction points and adoption prgress is in progress.
- Removing adoption friction points is in progress via security baseline SIG repo issues and PR's.
- 2FA will be enabled at the OpenSSF enterprise level on Auguest 6, 2024.
- OpenSSF technology consumption architecuture for depenednecy management is up for review. Reviewers needed!
- Survey for security baseline for Linux Foundation wide adoption is being actively worked on.
- CNCF & FINOS will be collaborating on this effort.
#### Up Next
- Continue tracking and removing security baseline pilot adoption friction points.
- Pilot projects continue to make progress on security baseline compliance.
- Develop openSSF technology consumption architecuture for vulnerability management.
- Publish the survey for security baseline for Linux Foundation wide adoption is being actively worked on.
- First community meeting on 8/6/2024.

### Web Developer Security Guide
#### Purpose

#### Current Status

#### Up Next- Joint venture with W3C, focused on improving education & awareness for web developers
- [BEST Issue 367](https://github.com/ossf/wg-best-practices-os-developers/issues/367)



## Previous Updates
[April 2024](https://docs.google.com/presentation/d/1XjaJa2yxWgRmXhpv0N1_oPG23JPpJY_9zpSOMvqccUM/)
[Dec 2023](https://docs.google.com/presentation/d/1A8Sxm1L3_GcWZqaXepqT1Pj-1sULzUG7fRkCP5tTr24/)
[Sept 2023](https://docs.google.com/presentation/d/1BPSYzk9J33Xl08uekuDBlgJjhiJIMt5B_eBvZ9PetIo/)
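Review bot: several markdown slips in this file will misrender and should be fixed before merge. In the Best Practices Badge section the heading is written as a list item, `- #### Up Next`; in the Scorecard section the first purpose bullet, `-To help open source maintainers improve...`, has no space after the dash so it renders as plain text rather than a bullet; the EDU.SIG "Up Next" list ends with a bare `-`; and the Web Developer Security Guide heading is fused with its first bullet, `#### Up Next- Joint venture with W3C, ...`, so it becomes the heading text. Several sections are left empty (Python Hardening Guide "Current Status", Scorecard "Current Status" and "Up Next", Web Developer Security Guide "Purpose" and "Current Status"); either fill them in or mark them `TBD` as the Concise Guides section already does, so a reader can tell a deliberate gap from an unfinished edit. Spelling in the status bullets needs a pass: "Edutation", "Accredidation", "Harrignton", "inlcuding", "prgress", "Auguest", "architecuture", "depenednecy", and the Security Baseline "Up Next" item "Publish the survey for security baseline for Linux Foundation wide adoption is being actively worked on" carries over the predicate of the earlier status bullet and should just read "Publish the survey ...". Finally, both `<img>` tags point at `github.com/.../blob/...` page URLs rather than the raw image; it is worth confirming they actually render in the TI-reports view, since the usual fix is the raw URL or a `?raw=true` suffix.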