From 3c8c268e2a32e19958f3ecfeaa33d67751d281c1 Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Mon, 16 Dec 2024 12:43:06 +0100 Subject: [PATCH 1/8] Q4 2024 Best Practices WG TAC Update Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 224 +++++++++++++++++++++++++++++ 1 file changed, 224 insertions(+) create mode 100644 TI-reports/2024/2024-Q4-BEST-WG.md diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md new file mode 100644 index 00000000..fc5a8130 --- /dev/null +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -0,0 +1,224 @@ +# 2024 Q3 BEST WG + +## Overview + +The BEST Working group is officially a [Graduated-level](https://github.com/ossf/tac/blob/main/process/working-group-lifecycle.md) working group within the OpenSSF +Our Mission is to provide open source developers with security best practices recommendations and easy ways to learn and apply them. + +We seek to fortify the open-source ecosystem by championing and embedding best security practices, thereby creating a digital environment where both developers and users can trust and rely on open-source solutions without hesitation. + +The BEST Working Group continues to curate and create artifacts tailored towards (open source) developers and open source software consumers illustrating secure development best practices. This is done through the combination of training collateral, best practices guides, and educational awareness. + +- We envision a world where software developers can easily IDENTIFY good practices, requirements and tools that help them create and maintain secure world-class software, helping foster a community where security knowledge is shared and amplified. +- We seek to provide means to LEARN techniques of writing and identifying secure software using methods best suited to learners of all types. +- We desire to provide tools to help developers ADOPT these good practices seamlessly into their daily work. + + + +The group continues to be active and is working on several simultaneous projects aligned with our Mission & Vision. Attendance generally is down, and several former key contributors no longer attend meetings. + + +### Key Resources + +- Best Practices for OSS For Software Developers [link](https://best.openssf.org/developers) +- Best Practices Guides [link](https://openssf.org/resources/guides/) +- Secure Software Development Fundamentals Course [LFD121](https://training.linuxfoundation.org/training/developing-secure-software-lfd121/) +- Security Toolbelt - ARCHIVED - [link](https://github.com/ossf/toolbelt) + + +### Sub-groups + +- Guides - [link](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs) +- EDU.SIG - [link](https://github.com/ossf/education/) +- Memory Safety SIG - [link](https://github.com/ossf/Memory-Safety) +- OpenSSF Best Practices Badge - [link](https://www.bestpractices.dev/) +- Scorecard - [link](https://github.com/ossf/scorecard) +- Best Practices Badge and Developing Secure Software (LFD121) course - [link](https://github.com/ossf/secure-sw-dev-fundamentals) +- Security Baseline - [link](https://github.com/ossf/security-baseline) + + +### Leads + +- WG - Avishay Balter & Georg Kunz +- Best Practices Badge and SecDev course - David Wheeler +- Compiler Hardening Guides - Thomas Nyman & Georg Kunz +- EDU SIG - CRob & Dave Russo +- Memory Safety SIG - Nell Shamrell-Harrignton & Avishay Balter +- Python Hardening Guide - Helge Wehder & Georg Kunz +- Scorecard - Laurent Simon & Stephen Augustus +- Security Baseline - Eddie Knight +- WebDev Sec BP - Daniel Appelquist + + +## Activity + +### Best Practices Badge + +#### Purpose + +- The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify, at no cost, by using this web application to explain how they follow each best practice. + +#### Current Status + +- TODO + +- #### Up Next + +- TODO + + +### Developing Secure Software Fundamentals Course (LFD121) + +#### Purpose + +- Provide baseline security education for developers. + +#### Current Status + +- TODO + +#### Up Next + +- TODO + + +### Concise Guides + +#### Purpose + +- Artifacts that consolidate BEST practices in OSS software development and management techniques + +#### Current Status + +- TODO + +#### Up Next + +- TODO + + +### Compiler Hardening Guides + +#### Purpose + +- Help C and C++ developers and those who compile C/C++ code, e.g., package maintainers, ensure that produced application binaries (libraries and executables) are equipped with security mechanisms provided by compilers against potential attacks and/or misbehavior. + +#### Current Status + +- TODO + +#### Up next + +- TODO + + +### EDU.SIG + +#### Purpose + +- Deliver Baseline Secure Software Development Education and Certification to All. Provide access to open and widely available education materials to all learners. +Materials will be maximally accessible and easy to consume for all learners. + +#### Current Status + +- TODO + +#### Up Next + +- TODO + + +### Memory Safety SIG + +#### Purpose + +- The Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to advance and deliver upon The OpenSSF's Mobilization Plan - Stream 4. + +#### Current Status + +- TODO + +#### Up Next + +- TODO + + +### Python Hardening Guide + +#### Purpose + +- Help Python developers to create more secure code by explaining vulnerable and non-vulnerable coding patterns based on the CWE framework and rules. +- Besides a description of each coding pattern, the guide includes executable code examples for each rule, which allow for an in-depth understanding of each pattern. + +#### Current Status + +- TODO + +#### Up Next + +- TODO + + +### Scorecard + +#### Purpose + +- To help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe. +- Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. + +#### Current Status + +- TODO + +#### Up Next + +- TODO + + +### Security Baseline + +#### Purpose + +- The goal of this SIG is to evolve OpenSSF security baseline for Linux Foundation wide adoption. +- For OpenSSF adoption of the security baseline, there needs to be a home for tracking the adoption, for maintainers to raise issues to refine the security baseline, merge the baseline back to TAC lifecycle, and for OpenSSF to develop the roadmap for the security baseline. It will provide a venue for early adopters to share their reusable code and findings with other maintainers. The pilot adoption builds the foundation for wider adoption of the security baseline in OpenSSF and in Linux Foundation. +- This SIG creates a venue for other participating foundations to help evolve the OpenSSF security baseline into a security baseline that can be applied to a broad range of software-based projects. The group will define the right level of risks that the security baseline is applicable for, the effectiveness measurement of the security baseline, and the adoption path of the security baseline at the minimum. + +#### Current Status + +- TODO + +#### Up Next + +- TODO + +### Web Developer Security Guide + +#### Purpose + +- TODO + +#### Current Status + +- TODO + +#### Up Next + +- TODO + + +### Questions/Issues for the TAC + +- TODO + +## Additional Information + +_Optional: Please provide any additional information that you feel would be useful for TAC to be aware._ + + + +## Previous Updates + +- [Q3 2024](https://github.com/ossf/tac/blob/main/TI-reports/2024/2024-Q3-BEST-WG.md) +- [April 2024](https://docs.google.com/presentation/d/1XjaJa2yxWgRmXhpv0N1_oPG23JPpJY_9zpSOMvqccUM/) +- [Dec 2023](https://docs.google.com/presentation/d/1A8Sxm1L3_GcWZqaXepqT1Pj-1sULzUG7fRkCP5tTr24/) +- [Sept 2023](https://docs.google.com/presentation/d/1BPSYzk9J33Xl08uekuDBlgJjhiJIMt5B_eBvZ9PetIo/) From d9514b4c3c0e1206ed601adb435c4f0dba598268 Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Fri, 20 Dec 2024 13:03:16 +0100 Subject: [PATCH 2/8] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: Thomas Nyman Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index fc5a8130..aef86293 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -105,7 +105,7 @@ The group continues to be active and is working on several simultaneous projects #### Current Status -- TODO +- Continued revision, updates, & enhancement, e.g., keeping the compiler options hardening guide up-to-date with upstream options additions and changes in GCC and Clang/LLVM and addressing feedback from Linux distribution communities. #### Up next From abbb8ca3f4bc9b6f0a8d27ae0b8f880fd5cd292c Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Fri, 20 Dec 2024 13:03:51 +0100 Subject: [PATCH 3/8] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: Thomas Nyman Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index aef86293..bf112202 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -109,7 +109,8 @@ The group continues to be active and is working on several simultaneous projects #### Up next -- TODO +- Microsoft MSVC guidance planned for 2025 (tracked in [BEST Issue 150](https://github.com/ossf/wg-best-practices-os-developers/issues/150)) +- Plan outreach activities for 2025, possibly talks aimed at C++ conferences. ### EDU.SIG From a8507db1f429e2570a51d892a787bd6d1ae3e047 Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Fri, 20 Dec 2024 13:04:02 +0100 Subject: [PATCH 4/8] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: Daniel Appelquist Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index bf112202..f72017c1 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -35,7 +35,7 @@ The group continues to be active and is working on several simultaneous projects - Scorecard - [link](https://github.com/ossf/scorecard) - Best Practices Badge and Developing Secure Software (LFD121) course - [link](https://github.com/ossf/secure-sw-dev-fundamentals) - Security Baseline - [link](https://github.com/ossf/security-baseline) - +- Web (with SWAG) - [link](https://github.com/w3c-cg/swag/) ### Leads From 62fe4f0ac1a8498618d108fbdc32ea0db2fc6e1f Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Fri, 20 Dec 2024 13:04:18 +0100 Subject: [PATCH 5/8] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: David A. Wheeler Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index f72017c1..c965b807 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -40,7 +40,7 @@ The group continues to be active and is working on several simultaneous projects ### Leads - WG - Avishay Balter & Georg Kunz -- Best Practices Badge and SecDev course - David Wheeler +- OpenSSF Best Practices Badge and Developing Secure Software (LFD121) course - David A. Wheeler - Compiler Hardening Guides - Thomas Nyman & Georg Kunz - EDU SIG - CRob & Dave Russo - Memory Safety SIG - Nell Shamrell-Harrignton & Avishay Balter From 20c71c4c5123590f905a10159c75981ad2ff3bcb Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Fri, 20 Dec 2024 13:04:48 +0100 Subject: [PATCH 6/8] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: Daniel Appelquist Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index c965b807..9b359113 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -196,7 +196,7 @@ Materials will be maximally accessible and easy to consume for all learners. #### Purpose -- TODO +- Develop security best practice and guidelines specifically aimed at web developers. #### Current Status From 04f98edf01f7e1b0a417f4a684785339e6d35caa Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Fri, 20 Dec 2024 13:04:56 +0100 Subject: [PATCH 7/8] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: Daniel Appelquist Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index 9b359113..a8600788 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -200,7 +200,7 @@ Materials will be maximally accessible and easy to consume for all learners. #### Current Status -- TODO +- We started the W3C SWAG group earlier this year and we've been holding weekly calls. The calls are minuted here: https://github.com/w3c-cg/swag/tree/main/meetings. We've so far produced an early draft security guidelines doc for web developers https://github.com/w3c-cg/swag/blob/main/docs/security_guidelines.md and we have another work item which is a guidelines doc for library developers. I've presented this work to the OpenJS Foundation security coord group as well to socialize it widely. We anticipate starting work on the libraries doc after the new year and as well continue to develop the web developer guide. Both documents will be at the level of detail of the "concise guide" document. We also held a special call where some Google security folks came to talk about tooling they are building around CSP and Trusted Types. Those talks will be posted shortly. #### Up Next From 6166fabf1c9d3238a91e8177ac27b0e99247590c Mon Sep 17 00:00:00 2001 From: Daniel Appelquist Date: Thu, 2 Jan 2025 09:44:20 +0000 Subject: [PATCH 8/8] Update 2024-Q4-BEST-WG.md --- TI-reports/2024/2024-Q4-BEST-WG.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index a8600788..2ea24527 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -200,16 +200,15 @@ Materials will be maximally accessible and easy to consume for all learners. #### Current Status -- We started the W3C SWAG group earlier this year and we've been holding weekly calls. The calls are minuted here: https://github.com/w3c-cg/swag/tree/main/meetings. We've so far produced an early draft security guidelines doc for web developers https://github.com/w3c-cg/swag/blob/main/docs/security_guidelines.md and we have another work item which is a guidelines doc for library developers. I've presented this work to the OpenJS Foundation security coord group as well to socialize it widely. We anticipate starting work on the libraries doc after the new year and as well continue to develop the web developer guide. Both documents will be at the level of detail of the "concise guide" document. We also held a special call where some Google security folks came to talk about tooling they are building around CSP and Trusted Types. Those talks will be posted shortly. +- We started the W3C SWAG group earlier this year and we've been holding weekly calls. The calls are minuted here: https://github.com/w3c-cg/swag/tree/main/meetings. We've so far produced an early draft security guidelines doc for web developers https://github.com/w3c-cg/swag/blob/main/docs/security_guidelines.md and we have another work item which is a guidelines doc for library developers. I've presented this work to the OpenJS Foundation security coord group as well to socialize it widely. #### Up Next -- TODO - +- We anticipate starting work on the libraries doc after the new year and as well continue to develop the web developer guide. Both documents will be at the level of detail of the "concise guide" document. We also held a special call where some Google security folks came to talk about tooling they are building around CSP and Trusted Types. Those talks will be posted shortly. ### Questions/Issues for the TAC -- TODO +- None at this time. ## Additional Information