Q4 2024 Best Practices WG TAC Update

TI-reports/2024/2024-Q4-BEST-WG.md

@@ -0,0 +1,224 @@
+# 2024 Q3 BEST WG
+
+## Overview
+
+The BEST Working group is officially a [Graduated-level](https://github.com/ossf/tac/blob/main/process/working-group-lifecycle.md) working group within the OpenSSF <img align="right" src="https://github.com/ossf/tac/blob/main/files/images/OpenSSF_StagesBadges_graduated.png" width="100" height="100">
+Our Mission is to provide open source developers with security best practices recommendations and easy ways to learn and apply them.
+
+We seek to fortify the open-source ecosystem by championing and embedding best security practices, thereby creating a digital environment where both developers and users can trust and rely on open-source solutions without hesitation.
+
+The BEST Working Group continues to curate and create artifacts tailored towards (open source) developers and open source software consumers illustrating secure development best practices.  This is done through the combination of training collateral, best practices guides, and educational awareness.
+
+- We envision a world where software developers can easily IDENTIFY good practices, requirements and tools that help them create and maintain secure world-class software, helping foster a community where security knowledge is shared and amplified.
+- We seek to provide means to LEARN techniques of writing and identifying secure software using methods best suited to learners of all types.
+- We desire to provide tools to help developers ADOPT these good practices seamlessly into their daily work.
+
+<img align="top" src="https://github.com/ossf/wg-best-practices-os-developers/blob/main/img/OpenSSF%20Dev%20Best%20Practices%20Projects%20Relations.png">
+
+The group continues to be active and is working on several simultaneous projects aligned with our Mission & Vision.  Attendance generally is down, and several former key contributors no longer attend meetings.
+
+
+### Key Resources
+
+- Best Practices for OSS For Software Developers [link](https://best.openssf.org/developers)
+- Best Practices Guides [link](https://openssf.org/resources/guides/)
+- Secure Software Development Fundamentals Course [LFD121](https://training.linuxfoundation.org/training/developing-secure-software-lfd121/)
+- Security Toolbelt - ARCHIVED - [link](https://github.com/ossf/toolbelt)
+
+
+### Sub-groups
+
+- Guides - [link](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs)
+- EDU.SIG - [link](https://github.com/ossf/education/)
+- Memory Safety SIG - [link](https://github.com/ossf/Memory-Safety)
+- OpenSSF Best Practices Badge - [link](https://www.bestpractices.dev/)
+- Scorecard - [link](https://github.com/ossf/scorecard)
+- Best Practices Badge and Developing Secure Software (LFD121) course - [link](https://github.com/ossf/secure-sw-dev-fundamentals)
+- Security Baseline - [link](https://github.com/ossf/security-baseline)
+
+
+### Leads
+
+- WG - Avishay Balter & Georg Kunz  
+- Best Practices Badge and SecDev course - David Wheeler
+- Compiler Hardening Guides - Thomas Nyman & Georg Kunz
+- EDU SIG - CRob & Dave Russo
+- Memory Safety SIG - Nell Shamrell-Harrignton & Avishay Balter
+- Python Hardening Guide - Helge Wehder & Georg Kunz
+- Scorecard - Laurent Simon & Stephen Augustus
+- Security Baseline - Eddie Knight
+- WebDev Sec BP - Daniel Appelquist
+
+
+## Activity
+
+### Best Practices Badge
+
+#### Purpose
+
+- The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify, at no cost, by using this web application to explain how they follow each best practice.
+
+#### Current Status
+
+- TODO
+
+- #### Up Next
+
+- TODO
+
+
+### Developing Secure Software Fundamentals Course (LFD121)
+
+#### Purpose
+
+- Provide baseline security education for developers.
+
+#### Current Status
+
+- TODO
+
+#### Up Next
+
+- TODO
+
+
+### Concise Guides
+
+#### Purpose
+
+- Artifacts that consolidate BEST practices in OSS software development and management techniques
+
+#### Current Status
+
+- TODO
+
+#### Up Next
+
+- TODO
+
+
+### Compiler Hardening Guides
+
+#### Purpose
+
+- Help C and C++ developers and those who compile C/C++ code, e.g., package maintainers, ensure that produced application binaries (libraries and executables) are equipped with security mechanisms provided by compilers against potential attacks and/or misbehavior.
+
+#### Current Status
+
+- TODO
+
+#### Up next
+
+- TODO
+
+
+### EDU.SIG
+
+#### Purpose
+
+- Deliver Baseline Secure Software Development Education and Certification to All.  Provide access to open and widely available education materials to all learners.
+Materials will be maximally accessible and easy to consume for all learners.
+
+#### Current Status
+
+- TODO
+
+#### Up Next
+
+- TODO
+
+
+### Memory Safety SIG
+
+#### Purpose
+
+- The Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to advance and deliver upon The OpenSSF's Mobilization Plan - Stream 4.
+
+#### Current Status
+
+- TODO
+
+#### Up Next
+
+- TODO
+
+
+### Python Hardening Guide
+
+#### Purpose
+
+- Help Python developers to create more secure code by explaining vulnerable and non-vulnerable coding patterns based on the CWE framework and rules.
+- Besides a description of each coding pattern, the guide includes executable code examples for each rule, which allow for an in-depth understanding of each pattern.
+
+#### Current Status
+
+- TODO
+
+#### Up Next
+
+- TODO
+
+
+### Scorecard
+
+#### Purpose
+
+- To help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe.
+- Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10.
+
+#### Current Status
+
+- TODO
+
+#### Up Next
+
+- TODO
+
+
+### Security Baseline
+
+#### Purpose
+
+- The goal of this SIG is to evolve OpenSSF security baseline for Linux Foundation wide adoption.
+- For OpenSSF adoption of the security baseline, there needs to be a home for tracking the adoption, for maintainers to raise issues to refine the security baseline, merge the baseline back to TAC lifecycle, and for OpenSSF to develop the roadmap for the security baseline. It will provide a venue for early adopters to share their reusable code and findings with other maintainers. The pilot adoption builds the foundation for wider adoption of the security baseline in OpenSSF and in Linux Foundation.
+- This SIG creates a venue for other participating foundations to help evolve the OpenSSF security baseline into a security baseline that can be applied to a broad range of software-based projects. The group will define the right level of risks that the security baseline is applicable for, the effectiveness measurement of the security baseline, and the adoption path of the security baseline at the minimum.
+
+#### Current Status
+
+- TODO
+
+#### Up Next
+
+- TODO
+
+### Web Developer Security Guide
+
+#### Purpose
+
+- TODO
+
+#### Current Status
+
+- TODO
+
+#### Up Next
+
+- TODO
+
+
+### Questions/Issues for the TAC
+
+- TODO
+
+## Additional Information
+
+<mark>_Optional: Please provide any additional information that you feel would be useful for TAC to be aware._
+</mark>
+
+
+## Previous Updates
+
+- [Q3 2024](https://github.com/ossf/tac/blob/main/TI-reports/2024/2024-Q3-BEST-WG.md)
+- [April 2024](https://docs.google.com/presentation/d/1XjaJa2yxWgRmXhpv0N1_oPG23JPpJY_9zpSOMvqccUM/)
+- [Dec 2023](https://docs.google.com/presentation/d/1A8Sxm1L3_GcWZqaXepqT1Pj-1sULzUG7fRkCP5tTr24/)
+- [Sept 2023](https://docs.google.com/presentation/d/1BPSYzk9J33Xl08uekuDBlgJjhiJIMt5B_eBvZ9PetIo/)