From 3c8c268e2a32e19958f3ecfeaa33d67751d281c1 Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Mon, 16 Dec 2024 12:43:06 +0100 Subject: [PATCH 01/26] Q4 2024 Best Practices WG TAC Update Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 224 +++++++++++++++++++++++++++++ 1 file changed, 224 insertions(+) create mode 100644 TI-reports/2024/2024-Q4-BEST-WG.md diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md new file mode 100644 index 00000000..fc5a8130 --- /dev/null +++ b/TI-reports/2024/2024-Q4-BEST-WG.md 
@@ -0,0 +1,224 @@ +# 2024 Q3 BEST WG + +## Overview + +The BEST Working group is officially a [Graduated-level](https://github.com/ossf/tac/blob/main/process/working-group-lifecycle.md) working group within the OpenSSF +Our Mission is to provide open source developers with security best practices recommendations and easy ways to learn and apply them. + +We seek to fortify the open-source ecosystem by championing and embedding best security practices, thereby creating a digital environment where both developers and users can trust and rely on open-source solutions without hesitation. + +The BEST Working Group continues to curate and create artifacts tailored towards (open source) developers and open source software consumers illustrating secure development best practices. This is done through the combination of training collateral, best practices guides, and educational awareness. + +- We envision a world where software developers can easily IDENTIFY good practices, requirements and tools that help them create and maintain secure world-class software, helping foster a community where security knowledge is shared and amplified. +- We seek to provide means to LEARN techniques of writing and identifying secure software using methods best suited to learners of all types. +- We desire to provide tools to help developers ADOPT these good practices seamlessly into their daily work. + + + +The group continues to be active and is working on several simultaneous projects aligned with our Mission & Vision. Attendance generally is down, and several former key contributors no longer attend meetings. 
+ + +### Key Resources + +- Best Practices for OSS For Software Developers [link](https://best.openssf.org/developers) +- Best Practices Guides [link](https://openssf.org/resources/guides/) +- Secure Software Development Fundamentals Course [LFD121](https://training.linuxfoundation.org/training/developing-secure-software-lfd121/) +- Security Toolbelt - ARCHIVED - [link](https://github.com/ossf/toolbelt) + + +### Sub-groups + +- Guides - [link](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs) +- EDU.SIG - [link](https://github.com/ossf/education/) +- Memory Safety SIG - [link](https://github.com/ossf/Memory-Safety) +- OpenSSF Best Practices Badge - [link](https://www.bestpractices.dev/) +- Scorecard - [link](https://github.com/ossf/scorecard) +- Best Practices Badge and Developing Secure Software (LFD121) course - [link](https://github.com/ossf/secure-sw-dev-fundamentals) +- Security Baseline - [link](https://github.com/ossf/security-baseline) + + +### Leads + +- WG - Avishay Balter & Georg Kunz +- Best Practices Badge and SecDev course - David Wheeler +- Compiler Hardening Guides - Thomas Nyman & Georg Kunz +- EDU SIG - CRob & Dave Russo +- Memory Safety SIG - Nell Shamrell-Harrignton & Avishay Balter +- Python Hardening Guide - Helge Wehder & Georg Kunz +- Scorecard - Laurent Simon & Stephen Augustus +- Security Baseline - Eddie Knight +- WebDev Sec BP - Daniel Appelquist + + +## Activity + +### Best Practices Badge + +#### Purpose + +- The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify, at no cost, by using this web application to explain how they follow each best practice. + +#### Current Status + +- TODO + +- #### Up Next + +- TODO + + +### Developing Secure Software Fundamentals Course (LFD121) + +#### Purpose + +- Provide baseline security education for developers. 
+ +#### Current Status + +- TODO + +#### Up Next + +- TODO + + +### Concise Guides + +#### Purpose + +- Artifacts that consolidate BEST practices in OSS software development and management techniques + +#### Current Status + +- TODO + +#### Up Next + +- TODO + + +### Compiler Hardening Guides + +#### Purpose + +- Help C and C++ developers and those who compile C/C++ code, e.g., package maintainers, ensure that produced application binaries (libraries and executables) are equipped with security mechanisms provided by compilers against potential attacks and/or misbehavior. + +#### Current Status + +- TODO + +#### Up next + +- TODO + + +### EDU.SIG + +#### Purpose + +- Deliver Baseline Secure Software Development Education and Certification to All. Provide access to open and widely available education materials to all learners. +Materials will be maximally accessible and easy to consume for all learners. + +#### Current Status + +- TODO + +#### Up Next + +- TODO + + +### Memory Safety SIG + +#### Purpose + +- The Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to advance and deliver upon The OpenSSF's Mobilization Plan - Stream 4. + +#### Current Status + +- TODO + +#### Up Next + +- TODO + + +### Python Hardening Guide + +#### Purpose + +- Help Python developers to create more secure code by explaining vulnerable and non-vulnerable coding patterns based on the CWE framework and rules. +- Besides a description of each coding pattern, the guide includes executable code examples for each rule, which allow for an in-depth understanding of each pattern. + +#### Current Status + +- TODO + +#### Up Next + +- TODO + + +### Scorecard + +#### Purpose + +- To help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe. 
+- Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. + +#### Current Status + +- TODO + +#### Up Next + +- TODO + + +### Security Baseline + +#### Purpose + +- The goal of this SIG is to evolve OpenSSF security baseline for Linux Foundation wide adoption. +- For OpenSSF adoption of the security baseline, there needs to be a home for tracking the adoption, for maintainers to raise issues to refine the security baseline, merge the baseline back to TAC lifecycle, and for OpenSSF to develop the roadmap for the security baseline. It will provide a venue for early adopters to share their reusable code and findings with other maintainers. The pilot adoption builds the foundation for wider adoption of the security baseline in OpenSSF and in Linux Foundation. +- This SIG creates a venue for other participating foundations to help evolve the OpenSSF security baseline into a security baseline that can be applied to a broad range of software-based projects. The group will define the right level of risks that the security baseline is applicable for, the effectiveness measurement of the security baseline, and the adoption path of the security baseline at the minimum. 
+ +#### Current Status + +- TODO + +#### Up Next + +- TODO + +### Web Developer Security Guide + +#### Purpose + +- TODO + +#### Current Status + +- TODO + +#### Up Next + +- TODO + + +### Questions/Issues for the TAC + +- TODO + +## Additional Information + +_Optional: Please provide any additional information that you feel would be useful for TAC to be aware._ + + + +## Previous Updates + +- [Q3 2024](https://github.com/ossf/tac/blob/main/TI-reports/2024/2024-Q3-BEST-WG.md) +- [April 2024](https://docs.google.com/presentation/d/1XjaJa2yxWgRmXhpv0N1_oPG23JPpJY_9zpSOMvqccUM/) +- [Dec 2023](https://docs.google.com/presentation/d/1A8Sxm1L3_GcWZqaXepqT1Pj-1sULzUG7fRkCP5tTr24/) +- [Sept 2023](https://docs.google.com/presentation/d/1BPSYzk9J33Xl08uekuDBlgJjhiJIMt5B_eBvZ9PetIo/) From d9514b4c3c0e1206ed601adb435c4f0dba598268 Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Fri, 20 Dec 2024 13:03:16 +0100 Subject: [PATCH 02/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: Thomas Nyman Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index fc5a8130..aef86293 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -105,7 +105,7 @@ The group continues to be active and is working on several simultaneous projects #### Current Status -- TODO +- Continued revision, updates, & enhancement, e.g., keeping the compiler options hardening guide up-to-date with upstream options additions and changes in GCC and Clang/LLVM and addressing feedback from Linux distribution communities. #### Up next From abbb8ca3f4bc9b6f0a8d27ae0b8f880fd5cd292c Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Fri, 20 Dec 2024 13:03:51 +0100 Subject: [PATCH 03/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: Thomas Nyman 
Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index aef86293..bf112202 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -109,7 +109,8 @@ The group continues to be active and is working on several simultaneous projects #### Up next -- TODO +- Microsoft MSVC guidance planned for 2025 (tracked in [BEST Issue 150](https://github.com/ossf/wg-best-practices-os-developers/issues/150)) +- Plan outreach activities for 2025, possibly talks aimed at C++ conferences. ### EDU.SIG From a8507db1f429e2570a51d892a787bd6d1ae3e047 Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Fri, 20 Dec 2024 13:04:02 +0100 Subject: [PATCH 04/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: Daniel Appelquist Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index bf112202..f72017c1 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -35,7 +35,7 @@ The group continues to be active and is working on several simultaneous projects - Scorecard - [link](https://github.com/ossf/scorecard) - Best Practices Badge and Developing Secure Software (LFD121) course - [link](https://github.com/ossf/secure-sw-dev-fundamentals) - Security Baseline - [link](https://github.com/ossf/security-baseline) - +- Web (with SWAG) - [link](https://github.com/w3c-cg/swag/) ### Leads From 62fe4f0ac1a8498618d108fbdc32ea0db2fc6e1f Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Fri, 20 Dec 2024 13:04:18 +0100 Subject: [PATCH 05/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: David A. Wheeler Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index f72017c1..c965b807 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -40,7 +40,7 @@ The group continues to be active and is working on several simultaneous projects ### Leads - WG - Avishay Balter & Georg Kunz -- Best Practices Badge and SecDev course - David Wheeler +- OpenSSF Best Practices Badge and Developing Secure Software (LFD121) course - David A. Wheeler - Compiler Hardening Guides - Thomas Nyman & Georg Kunz - EDU SIG - CRob & Dave Russo - Memory Safety SIG - Nell Shamrell-Harrignton & Avishay Balter From 20c71c4c5123590f905a10159c75981ad2ff3bcb Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Fri, 20 Dec 2024 13:04:48 +0100 Subject: [PATCH 06/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: Daniel Appelquist Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index c965b807..9b359113 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -196,7 +196,7 @@ Materials will be maximally accessible and easy to consume for all learners. #### Purpose -- TODO +- Develop security best practice and guidelines specifically aimed at web developers. #### Current Status From 04f98edf01f7e1b0a417f4a684785339e6d35caa Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Fri, 20 Dec 2024 13:04:56 +0100 Subject: [PATCH 07/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: Daniel Appelquist Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index 9b359113..a8600788 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md 
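Review bot: In the PATCH 06 hunk, `Develop security best practice and guidelines` should read `best practices`. The same effort is named three different ways in this file (`Web (with SWAG)` in Sub-groups, `WebDev Sec BP` in Leads, `Web Developer Security Guide` as the section heading); pick one name, or at least make the Leads entry match the section heading.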
@@ -200,7 +200,7 @@ Materials will be maximally accessible and easy to consume for all learners. #### Current Status -- TODO +- We started the W3C SWAG group earlier this year and we've been holding weekly calls. The calls are minuted here: https://github.com/w3c-cg/swag/tree/main/meetings. We've so far produced an early draft security guidelines doc for web developers https://github.com/w3c-cg/swag/blob/main/docs/security_guidelines.md and we have another work item which is a guidelines doc for library developers. I've presented this work to the OpenJS Foundation security coord group as well to socialize it widely. We anticipate starting work on the libraries doc after the new year and as well continue to develop the web developer guide. Both documents will be at the level of detail of the "concise guide" document. We also held a special call where some Google security folks came to talk about tooling they are building around CSP and Trusted Types. Those talks will be posted shortly. #### Up Next From 0219623bb332e52cecb42f7a3a4bcf410018d0b1 Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Thu, 2 Jan 2025 11:09:12 +0100 Subject: [PATCH 08/26] Update Best WG Q4 TAC update Co-authored-by: Daniel Appelquist Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index a8600788..8b02a8f0 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md 
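Review bot: The Current Status bullet added in PATCH 07 mixes status with forward-looking items (`We anticipate starting work on the libraries doc after the new year ...`) that belong under Up Next, and it is written in first person singular (`I've presented this work ...`) inside a WG report; rewrite in the WG voice. The two raw URLs should also use the `[link](url)` form the rest of the file uses.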
@@ -200,11 +200,11 @@ Materials will be maximally accessible and easy to consume for all learners. #### Current Status -- We started the W3C SWAG group earlier this year and we've been holding weekly calls. The calls are minuted here: https://github.com/w3c-cg/swag/tree/main/meetings. We've so far produced an early draft security guidelines doc for web developers https://github.com/w3c-cg/swag/blob/main/docs/security_guidelines.md and we have another work item which is a guidelines doc for library developers. I've presented this work to the OpenJS Foundation security coord group as well to socialize it widely. We anticipate starting work on the libraries doc after the new year and as well continue to develop the web developer guide. Both documents will be at the level of detail of the "concise guide" document. We also held a special call where some Google security folks came to talk about tooling they are building around CSP and Trusted Types. Those talks will be posted shortly. +- We started the W3C SWAG group earlier this year and we've been holding weekly calls. The calls are minuted here: https://github.com/w3c-cg/swag/tree/main/meetings. We've so far produced an early draft security guidelines doc for web developers https://github.com/w3c-cg/swag/blob/main/docs/security_guidelines.md and we have another work item which is a guidelines doc for library developers. I've presented this work to the OpenJS Foundation security coord group as well to socialize it widely. #### Up Next -- TODO +- We anticipate starting work on the libraries doc after the new year and as well continue to develop the web developer guide. Both documents will be at the level of detail of the "concise guide" document. We also held a special call where some Google security folks came to talk about tooling they are building around CSP and Trusted Types. Those talks will be posted shortly. ### Questions/Issues for the TAC From 23461e022481406737176e7d97e9567d2c9e4819 Mon Sep 17 00:00:00 2001 
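Review bot: The split in PATCH 08 moves the past-tense item `We also held a special call where some Google security folks came to talk about tooling they are building around CSP and Trusted Types.` into Up Next; that is a status item and should stay under Current Status, with only `Those talks will be posted shortly.` carried into Up Next.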
From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 2 Jan 2025 12:54:43 -0500 Subject: [PATCH 09/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: David A. Wheeler Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- TI-reports/2024/2024-Q4-BEST-WG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index 8b02a8f0..39cdbcad 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -60,7 +60,8 @@ The group continues to be active and is working on several simultaneous projects #### Current Status -- TODO +- As of 2024-12-31 there were 7,851 OSS projects pursuing an OpenSSF Best Practices badge, with 1,585 projects achieving at least a passing level badge. +- Many housekeeping updates were done, including updating Rails 7.0 -> 7.1 -> 7.2 -> 8.0, Font Awesome, papertrail. These required code changes, such as how secrets and icons are managed. It also required unexpected changes such as switching past papertrail records from YAML to the jsonb PostgreSQL data format. We added the use of Solid Queue to use a database for jobs, so that when the system is restarted the jobs for cleaning the CDN cache are retained and eventually completed. - #### Up Next From b278b579ed727a6a02464447bfcbd8d8efc7a993 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 2 Jan 2025 12:54:53 -0500 Subject: [PATCH 10/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: David A. Wheeler Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index 39cdbcad..b091630f 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md 
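Review bot: The trailing context line `- #### Up Next` in the PATCH 09 hunk still carries the stray bullet prefix; since this hunk already touches the adjacent lines, remove the `- ` here. In the second bullet, `updating Rails 7.0 -> 7.1 -> 7.2 -> 8.0, Font Awesome, papertrail` reads as if the version chain applies to all three; rephrase as `updating Rails (7.0 -> 7.1 -> 7.2 -> 8.0), Font Awesome and papertrail`.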
@@ -65,7 +65,7 @@ The group continues to be active and is working on several simultaneous projects - #### Up Next -- TODO +- Investigate potential use of the best practices badge with baseline. Both have a set of leveled criteria for OSS projects. However, baseline has a different set of requirements, and at the time of writing tends to assume OSS projects have many developers (most OSS projects have 1 developer), so exactly how this will work is to be determined. ### Developing Secure Software Fundamentals Course (LFD121) From 619053bdd990c3fa4aed61915a3748d88f6c7160 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 2 Jan 2025 12:55:06 -0500 Subject: [PATCH 11/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: David A. Wheeler Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- TI-reports/2024/2024-Q4-BEST-WG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index b091630f..0d9a2ec7 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -76,7 +76,9 @@ The group continues to be active and is working on several simultaneous projects #### Current Status -- TODO +- Our total 2024 enrollments for our "Developing Secure Software" course (LFD121) is 9,361. That was a dramatic increase from 2023 enrollments in LFD121, which was 6,658, and far exceeded our goal of 7,990. +- Added labs for *all* of the "top tier" sections. These labs require no software installation; users just use their browsers. They also provide hints for those who are stuck. +- Made various improvements, e.g., explained what open source software is, added various "story time" real-world examples from CrowdStrike and Meta, #### Up Next From 57129f91e2d1125f6b8f5a94a4dcb82bcb42020c Mon Sep 17 00:00:00 2001 
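Review bot: In the PATCH 10 hunk, `baseline` is used three times without saying which baseline; name it as `the OpenSSF Security Baseline` on first use, since the Security Baseline SIG is reported later in the same file and a reader may not connect the two.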
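Review bot: The third Current Status bullet in the PATCH 11 hunk ends mid-sentence (`... real-world examples from CrowdStrike and Meta,`); finish the sentence or close it with a period. In the first bullet `Our total 2024 enrollments ... is 9,361` has a number-agreement error; use `Our total 2024 enrollment ... is 9,361` or `enrollments ... are`.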
From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 2 Jan 2025 12:55:16 -0500 Subject: [PATCH 12/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: David A. Wheeler Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index 0d9a2ec7..4926d13d 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -82,7 +82,7 @@ The group continues to be active and is working on several simultaneous projects #### Up Next -- TODO +- Continue to maintain content. ### Concise Guides From cfe0964dbff59bbb11991017140a11c68a128b56 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 2 Jan 2025 12:55:25 -0500 Subject: [PATCH 13/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: David A. Wheeler Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- TI-reports/2024/2024-Q4-BEST-WG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index 4926d13d..a4927be0 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -125,7 +125,8 @@ Materials will be maximally accessible and easy to consume for all learners. #### Current Status -- TODO +- As noted above, LFD121 enrollment in 2024 was 9,361 and we completed all top-tier labs for it. +- Draft course for managers developed, reviewed by LF Education, and their comments have been incorporated. #### Up Next From 568d2672a50e74efc52f5139c3c862bf119c043b Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 2 Jan 2025 12:55:34 -0500 Subject: [PATCH 14/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: David A. Wheeler 
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index a4927be0..e5063ab9 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -130,7 +130,7 @@ Materials will be maximally accessible and easy to consume for all learners. #### Up Next -- TODO +- Complete the manager's course and have it posted. ### Memory Safety SIG From ea65aac4f3f45feac5ce37c56b744570f92c052c Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 2 Jan 2025 12:55:45 -0500 Subject: [PATCH 15/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: Eddie Knight Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index e5063ab9..ed13afa0 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -190,7 +190,7 @@ Materials will be maximally accessible and easy to consume for all learners. #### Current Status -- TODO +- Wrapping up the final review/polish process for the 2025 release #### Up Next From cd196cb0ab5633fd2cca86dc5ba98c35993f7550 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 2 Jan 2025 12:55:57 -0500 Subject: [PATCH 16/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: Eddie Knight Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- TI-reports/2024/2024-Q4-BEST-WG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index ed13afa0..af606243 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md 
+++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -194,7 +194,8 @@ Materials will be maximally accessible and easy to consume for all learners. #### Up Next -- TODO +- A few open PRs on the baseline criteria definitions are currently pending prior to release of the 2025 version +- Integration into automated validation tools has already begun, in preparation for the official release ### Web Developer Security Guide From 27ffc0dcc800418b71f46e162f54bfd26d02da81 Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Fri, 3 Jan 2025 10:26:20 +0100 Subject: [PATCH 17/26] Update Best Practices WG Q4 TAC Update Adding update for Python Coding Guide. Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index af606243..583de0eb 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -157,11 +157,13 @@ Materials will be maximally accessible and easy to consume for all learners. #### Current Status -- TODO +- The group is working on adding more content for a broad range of CWE rules. The status is being tracked in issue [531](https://github.com/ossf/wg-best-practices-os-developers/issues/531). +- Dave and Bart gave a lightning talk at SOSS Community Day EU and demoed the ongoing work at the OpenSSF booth at Open Source Summit EU 2024. #### Up Next -- TODO +- We want to further grow the community by raising more awareness, for instance by publishing a blog post. +- We are inviting all interested Python coders to review the current content and/or pick a new CWE rule from [531](https://github.com/ossf/wg-best-practices-os-developers/issues/531) and contribute content. ### Scorecard From b41685e87e2872ec90c252d5bf51a51547ecbfc0 Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Mon, 6 Jan 2025 14:13:29 +0100 Subject: [PATCH 18/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: Avishay Balter 
Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index 583de0eb..97668fc3 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -137,7 +137,7 @@ Materials will be maximally accessible and easy to consume for all learners. #### Purpose -- The Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to advance and deliver upon The OpenSSF's Mobilization Plan - Stream 4. +- The Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to understand and reduce memory safety vulnerabilities in OSS. #### Current Status From 35e005373e26da0c006ab1afbb8eab5e585151c0 Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Mon, 6 Jan 2025 14:14:24 +0100 Subject: [PATCH 19/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: Avishay Balter Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index 97668fc3..61fd19ea 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -141,7 +141,9 @@ Materials will be maximally accessible and easy to consume for all learners. #### Current Status -- TODO +- Defined the SIG's focus and terminology. +- Collaborated with ecosystem SMEs to compile tailored memory safety best practices for both memory-safe-by-default and non-memory-safe-by-default languages. +- Drafted the The Memory Safety Continuum document that aims to guide developers to becoming more memory safe through iterative process. #### Up Next From 6af4a2ba13cd4663764416a1b9504407dfc7d84d Mon Sep 17 00:00:00 2001 
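Review bot: In the PATCH 19 hunk, `Drafted the The Memory Safety Continuum document` has a doubled `the`, and `through iterative process` needs an article (`through an iterative process`).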
From: Georg Kunz Date: Mon, 6 Jan 2025 14:15:39 +0100 Subject: [PATCH 20/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: Avishay Balter Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index 61fd19ea..6e6ec8ef 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -147,7 +147,8 @@ Materials will be maximally accessible and easy to consume for all learners. #### Up Next -- TODO +- Release the Memory Safety Continuum document +- Focus on interoperability and interfacing between memory safe by default and non-memory safe by default languages in software. ### Python Hardening Guide From 064575d6a9afca9ca5080c0d4b48e90ef77c1aee Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Mon, 6 Jan 2025 14:28:45 +0100 Subject: [PATCH 21/26] Best Practices WG TAC Q4 Update Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 59 +++++++++++++++++------------- 1 file changed, 33 insertions(+), 26 deletions(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index 6e6ec8ef..7a72f345 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md 
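Review bot: In the PATCH 20 hunk the first bullet (`Release the Memory Safety Continuum document`) has no terminal period while the second does, and `memory safe by default` / `non-memory safe by default` should match the hyphenated `memory-safe-by-default` form used in the Current Status bullets directly above.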
@@ -85,6 +85,23 @@ The group continues to be active and is working on several simultaneous projects - Continue to maintain content. +### EDU.SIG + +#### Purpose + +- Deliver Baseline Secure Software Development Education and Certification to All. Provide access to open and widely available education materials to all learners. +Materials will be maximally accessible and easy to consume for all learners. + +#### Current Status + +- As noted above, LFD121 enrollment in 2024 was 9,361 and we completed all top-tier labs for it. +- Draft course for managers developed, reviewed by LF Education, and their comments have been incorporated. + +#### Up Next + +- Complete the manager's course and have it posted. + + ### Concise Guides #### Purpose @@ -93,14 +110,16 @@ The group continues to be active and is working on several simultaneous projects #### Current Status -- TODO +- Guides under active development: + - [C/C++ Compiler Option Hardening](#cc-compiler-option-hardening-guide) + - [Python Secure Coding Guide](#python-secure-coding-guide) #### Up Next -- TODO +- See status updates of respective guides -### Compiler Hardening Guides +### C/C++ Compiler Option Hardening Guide #### Purpose 
@@ -116,21 +135,25 @@ The group continues to be active and is working on several simultaneous projects - Plan outreach activities for 2025, possibly talks aimed at C++ conferences. -### EDU.SIG +### Python Secure Coding Guide #### Purpose -- Deliver Baseline Secure Software Development Education and Certification to All. Provide access to open and widely available education materials to all learners. -Materials will be maximally accessible and easy to consume for all learners. +- Help Python developers to create more secure code by explaining vulnerable and non-vulnerable coding patterns based on the CWE framework and rules. +- Besides a description of each coding pattern, the guide includes executable code examples for each rule, which allow for an in-depth understanding of each pattern. #### Current Status -- As noted above, LFD121 enrollment in 2024 was 9,361 and we completed all top-tier labs for it. -- Draft course for managers developed, reviewed by LF Education, and their comments have been incorporated. +- The group is working on adding more content for a broad range of CWE rules. The status is being tracked in issue [531](https://github.com/ossf/wg-best-practices-os-developers/issues/531). +- Dave and Bart gave a lightning talk at SOSS Community Day EU and demoed the ongoing work at the OpenSSF booth at Open Source Summit EU 2024. #### Up Next -- Complete the manager's course and have it posted. +- We want to further grow the community by raising more awareness, for instance by publishing a blog post. +- We are inviting all interested Python coders to review the current content and/or pick a new CWE rule from [531](https://github.com/ossf/wg-best-practices-os-developers/issues/531) and contribute content. + + + ### Memory Safety SIG 
@@ -151,22 +174,7 @@ Materials will be maximally accessible and easy to consume for all learners. - Focus on interoperability and interfacing between memory safe by default and non-memory safe by default languages in software. -### Python Hardening Guide - -#### Purpose - -- Help Python developers to create more secure code by explaining vulnerable and non-vulnerable coding patterns based on the CWE framework and rules. -- Besides a description of each coding pattern, the guide includes executable code examples for each rule, which allow for an in-depth understanding of each pattern. - -#### Current Status - -- The group is working on adding more content for a broad range of CWE rules. The status is being tracked in issue [531](https://github.com/ossf/wg-best-practices-os-developers/issues/531). -- Dave and Bart gave a lightning talk at SOSS Community Day EU and demoed the ongoing work at the OpenSSF booth at Open Source Summit EU 2024. - -#### Up Next -- We want to further grow the community by raising more awareness, for instance by publishing a blog post. -- We are inviting all interested Python coders to review the current content and/or pick a new CWE rule from [531](https://github.com/ossf/wg-best-practices-os-developers/issues/531) and contribute content. ### Scorecard @@ -223,8 +231,7 @@ Materials will be maximally accessible and easy to consume for all learners. ## Additional Information -_Optional: Please provide any additional information that you feel would be useful for TAC to be aware._ - +- We expect close collaboration between the Best Practices WG and the newly created [Global Cyber Policy WG](https://github.com/ossf/wg-globalcyberpolicy). ## Previous Updates From 438c2d0332a2fd125bcd276ce5f3e289edac5e58 Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Mon, 6 Jan 2025 17:23:50 -0500 Subject: [PATCH 22/26] Add OpenSSF Scorecard to Best WG Q4 updates 
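Review bot: The @@ -151,22 +174,7 @@ hunk removes the old Python Hardening Guide section but leaves two consecutive blank lines before "### Scorecard"; drop one. Otherwise the removed bullets are identical to the ones added under Python Secure Coding Guide earlier in this patch, so no content is lost.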
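Review bot: The @@ -223,8 +231,7 @@ hunk deletes the blank line after the new "- We expect close collaboration …" bullet, so "## Previous Updates" now follows a list item directly; keep a blank line before the heading. It would also help the TAC to say what the collaboration with the Global Cyber Policy WG is expected to cover (which guide or deliverable), since "close collaboration" alone gives nothing to track.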
Signed-off-by: Stephen Augustus --- TI-reports/2024/2024-Q4-BEST-WG.md | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index 7a72f345..0cb7c650 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -32,7 +32,7 @@ The group continues to be active and is working on several simultaneous projects - EDU.SIG - [link](https://github.com/ossf/education/) - Memory Safety SIG - [link](https://github.com/ossf/Memory-Safety) - OpenSSF Best Practices Badge - [link](https://www.bestpractices.dev/) -- Scorecard - [link](https://github.com/ossf/scorecard) +- OpenSSF Scorecard - [link](https://github.com/ossf/scorecard) - Best Practices Badge and Developing Secure Software (LFD121) course - [link](https://github.com/ossf/secure-sw-dev-fundamentals) - Security Baseline - [link](https://github.com/ossf/security-baseline) - Web (with SWAG) - [link](https://github.com/w3c-cg/swag/) @@ -45,7 +45,7 @@ The group continues to be active and is working on several simultaneous projects - EDU SIG - CRob & Dave Russo - Memory Safety SIG - Nell Shamrell-Harrignton & Avishay Balter - Python Hardening Guide - Helge Wehder & Georg Kunz -- Scorecard - Laurent Simon & Stephen Augustus +- OpenSSF Scorecard - Stephen Augustus, Raghav Kaul, Jeff Mendoza, Spencer Schrock - Security Baseline - Eddie Knight - WebDev Sec BP - Daniel Appelquist 
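Review bot: The "OpenSSF Scorecard" rename in the @@ -32,7 +32,7 @@ hunk is consistent with the heading change later in this patch, but the surrounding list still carries both "OpenSSF Best Practices Badge" and "Best Practices Badge and Developing Secure Software (LFD121) course" as separate entries pointing at different repos; worth deduplicating the Badge entry while this list is being touched.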
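Review bot: The @@ -45,7 +45,7 @@ hunk updates the Scorecard leads (Laurent Simon dropped, three leads added), but two stale context lines sit right next to it: "Python Hardening Guide" no longer matches the "Python Secure Coding Guide" heading introduced in PATCH 01, and "Nell Shamrell-Harrignton" looks like a misspelling of Shamrell-Harrington. Both are worth fixing in the same pass.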
@@ -177,20 +177,26 @@ Materials will be maximally accessible and easy to consume for all learners. -### Scorecard +### OpenSSF Scorecard #### Purpose -- To help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe. -- Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. +- Automate analysis and trust decisions on the security posture of open source projects. +- Use this data to proactively improve the security posture of the critical projects the world depends on. #### Current Status -- TODO +- Became an OpenSSF Incubating project +- Community-led contributions for NuGet, Erlang, and Azure DevOps support #### Up Next -- TODO +- Make OpenSSF Scorecard (and its GitHub Action) easier to run on groups of repositories +- Build contributor base +- Work towards project graduation +- Request TI funding for security audit +- Refine project release cadence +- Align with forthcoming OpenSSF persona work ### Security Baseline From 19e231da50cf272fb87f495c996ba13485f83158 Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Tue, 7 Jan 2025 14:53:33 +0100 Subject: [PATCH 23/26] Update Best Practices WG Q4 TAC update Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index 0cb7c650..4fe056ad 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -233,7 +233,7 @@ Materials will be maximally accessible and easy to consume for all learners. ### Questions/Issues for the TAC -- TODO +- none (for the moment) ## Additional Information From 0ce35613d689a0bb5ec0855ee4cabb6bea4e0a77 Mon Sep 17 00:00:00 2001 
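Review bot: The rewritten Purpose in the @@ -177,20 +177,26 @@ hunk drops the only sentence that says what Scorecard is (an automated tool that runs security checks and scores each 0-10); the new bullets state goals but not the mechanism, so a TAC reader unfamiliar with the project loses that context. Suggest keeping one descriptive sentence. In Up Next, "Request TI funding for security audit" is a request to the TAC and should be surfaced in "Questions/Issues for the TAC" rather than only here, and "Became an OpenSSF Incubating project" would benefit from a date or a link to the TAC decision.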
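Review bot: In the @@ -233,7 +233,7 @@ hunk, replacing the TODO with "none (for the moment)" conflicts with the OpenSSF Scorecard section added in the previous patch, whose Up Next list includes "Request TI funding for security audit"; either list that request here or qualify the "none".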
From: Georg Kunz Date: Tue, 7 Jan 2025 16:46:43 +0100 Subject: [PATCH 24/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: Avishay Balter Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index 4fe056ad..8f0cc336 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -172,7 +172,7 @@ Materials will be maximally accessible and easy to consume for all learners. - Release the Memory Safety Continuum document - Focus on interoperability and interfacing between memory safe by default and non-memory safe by default languages in software. - +- Implement and merge the first pass for the [Memory Safety Scorecard probe](https://github.com/ossf/Memory-Safety/issues/33) From 7229120fa0c0b66d6113e6f06a6256474164106a Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Wed, 8 Jan 2025 22:11:23 +0100 Subject: [PATCH 25/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Co-authored-by: Stephen Augustus Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index 8f0cc336..d2643cb2 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md @@ -1,4 +1,4 @@ -# 2024 Q3 BEST WG +# 2024 Q4 BEST WG ## Overview From 87769be64cb25d5808e856910370771544fbe4e6 Mon Sep 17 00:00:00 2001 From: Georg Kunz Date: Tue, 14 Jan 2025 10:42:19 +0100 Subject: [PATCH 26/26] Update TI-reports/2024/2024-Q4-BEST-WG.md Signed-off-by: Georg Kunz --- TI-reports/2024/2024-Q4-BEST-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2024/2024-Q4-BEST-WG.md b/TI-reports/2024/2024-Q4-BEST-WG.md index d2643cb2..cadefcd2 100644 --- a/TI-reports/2024/2024-Q4-BEST-WG.md +++ b/TI-reports/2024/2024-Q4-BEST-WG.md 
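Review bot: The new bullet in the @@ -172,7 +172,7 @@ hunk (Memory Safety Scorecard probe, issue #33) spans two sections of this report, so a matching mention under the OpenSSF Scorecard Up Next list would make sure the Scorecard leads named in the report see it. The hunk also replaces the list's trailing blank line with the new bullet; verify that one blank line still separates the list from the heading that follows.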
@@ -65,7 +65,7 @@ The group continues to be active and is working on several simultaneous projects - #### Up Next -- Investigate potential use of the best practices badge with baseline. Both have a set of leveled criteria for OSS projects. However, baseline has a different set of requirements, and at the time of writing tends to assume OSS projects have many developers (most OSS projects have 1 developer), so exactly how this will work is to be determined. +- Investigate potential use of the best practices badge with baseline. Both have a set of leveled criteria for OSS projects which may need alignment. ### Developing Secure Software Fundamentals Course (LFD121)
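Review bot: The shortened bullet in the @@ -65,7 +65,7 @@ hunk loses the concrete reason the badge/baseline alignment is still open (baseline's requirements assume projects with many developers, while most OSS projects have one), which is exactly what the TAC would use to judge feasibility; "which may need alignment" is vaguer than the text it replaces. Suggest keeping one clause, e.g. "Both have a set of leveled criteria for OSS projects, but baseline's requirements assume larger teams than most single-maintainer projects have, so how this will work is still to be determined."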