diff --git a/TI-reports/2024/2024-Q3-BEST-WG.md b/TI-reports/2024/2024-Q3-BEST-WG.md new file mode 100644 index 00000000..4ca265da --- /dev/null +++ b/TI-reports/2024/2024-Q3-BEST-WG.md 
@@ -0,0 +1,164 @@ +# 2024 Q3 BEST WG + + +## Overview +The BEST Working group is officially a [Graduated-level](https://github.com/ossf/tac/blob/main/process/working-group-lifecycle.md) working group within the OpenSSF +Our Mission is to provide open source developers with security best practices recommendations and easy ways to learn and apply them. + +We seek to fortify the open-source ecosystem by championing and embedding best security practices, thereby creating a digital environment where both developers and users can trust and rely on open-source solutions without hesitation. + +The BEST Working Group continues to curate and create artifacts tailored towards (open source) developers and open source software consumers illustrating secure development best practices. This is done through the combination of training collateral, best practices guides, and educational awareness. + +- We envision a world where software developers can easily IDENTIFY good practices, requirements and tools that help them create and maintain secure world-class software, helping foster a community where security knowledge is shared and amplified. +- We seek to provide means to LEARN techniques of writing and identifying secure software using methods best suited to learners of all types. +- We desire to provide tools to help developers ADOPT these good practices seamlessly into their daily work. + + + +The group continues to be active and is working on several simultaneous projects aligned with our Mission & Vision. Attendance generally is down, and several former key contributors no longer attend meetings. 
+ + +### Key Resources +- Best Practices for OSS For Software Developers [link](https://best.openssf.org/developers) +- Best Practices Guides [link](https://openssf.org/resources/guides/) +- Secure Software Development Fundamentals Course [LFD121](https://training.linuxfoundation.org/training/developing-secure-software-lfd121/) +- Security Toolbelt - ARCHIVED - [link](https://github.com/ossf/toolbelt) + +### Sub-groups +- Guides - [link](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs) +- EDU.SIG - [link](https://github.com/ossf/education/) +- Memory Safety SIG - [link](https://github.com/ossf/Memory-Safety) +- OpenSSF Best Practices Badge - [link](https://www.bestpractices.dev/) +- Scorecard - [link](https://github.com/ossf/scorecard) +- Best Practices Badge and Developing Secure Software (LFD121) course - [link](https://github.com/ossf/secure-sw-dev-fundamentals) +- Security Baseline - [link](https://github.com/ossf/security-baseline) + +### Leads +- WG - CRob +- BP Badge and SecDev course - David Wheeler +- Compiler Hardening Guides - Thomas Nyman & Georg Kunz +- EDU SIG - CRob & Dave Russo +- Mem Safety SIG - Nell Shamrell-Harrignton & Avishay Balter +- Python Hardening Guide - Helge & Georg +- Scorecard - Laurent Simon & Stephen Augustus +- Security Baseline - Eddie Knight +- WebDev Sec BP - Daniel Appelquist + +## Activity +### Best Practices Badge +#### Purpose +- The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify, at no cost, by using this web application to explain how they follow each best practice. +#### Current Status +- OpenSSF Best Practice Badge continues to gain users, as shown in its project statistics. As of 2024-08-04 it has 7,383 participating projects and 1,450 passing projects. 
We occasionally process special requests, such as ownership changes, and update dependencies (especially if a vulnerability is found in a dependency). +- #### Up Next +- The current plan is to continue to maintain the project as needed. + + +### Developing Secure Software Fundamentals Course (LFD121) +#### Purpose +Provide baseline security education for developers. +#### Current Status +- The LFD121 course is occasionally updated as suggestions are made or new issues are discovered. +#### Up Next +- We are developing a set of interactive labs for the course. To see them and their current status, see the labs README. + + +### Concise Guides +#### Purpose +- Artifacts that consolidate BEST practices in OSS software development and management techniques +#### Current Status +- Continued revisions, updates, & enhancements to these core guides +#### Up Next +- TBD + +### Compiler Hardening Guides +#### Purpose +- Help C and C++ developers and those who compile C/C++ code, e.g., package maintainers, ensure that produced application binaries (libraries and executables) are equipped with security mechanisms provided by compilers against potential attacks and/or misbehavior. +#### Current Status +- Continued revision, updates, & enhancement, e.g., keeping the compiler options hardening guide up-to-date with upstream options additions and changes in GCC and Clang/LLVM. +#### Up next +- Compiler annotations guide for C and C++ (in incubation), expanding compiler options guide to also cover other compilers, such as Microsoft MSVC (tracked in [BEST Issue 150](https://github.com/ossf/wg-best-practices-os-developers/issues/150)) +- Outreach, e.g., upcoming talk at Nordic Software Security Summit 2024 + +### EDU.SIG +#### Purpose +- Deliver Baseline Secure Software Development Education and Certification to All. Provide access to open and widely available education materials to all learners. +Materials will be maximally accessible and easy to consume for all learners. 
+#### Current Status +- Many simultaneous activities +- Recent release of LF Research study on Security Edutation for Developers +- Academic Accredidation team working on kicking off program to "certify" collegiate programs that meet OpenSSF & CNCF best practices +- Security for Developer Managers class progressing into two pieces of collateral: Manager class & terms-definitions +#### Up Next +- Security Architect class outline reviewed and content development will come next +- "201 level" class will come after +- +### Memory Safety SIG +#### Purpose +- The Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to advance and deliver upon The OpenSSF's Mobilization Plan - Stream 4. +#### Current Status +- Have drafted a “Memory Safety Continuum” concept document +- Have gathered guides/practices related to best memory safety practices in both memory safe by default and non memory safe by default languages +#### Up Next +- Produce a Memory Safety workshop (modeled after W3C workshops). Theme is “Improving Memory Safety in an Imperfect World” +- Finalize Memory Safety Continuum doc + +### Python Hardening Guide +#### Purpose +- Help Python developers to create more secure code by explaining vulnerable and non-vulnerable coding patterns based on the CWE framework and rules. +- Besides a description of each coding pattern, the guide includes executable code examples for each rule, which allow for an in-depth understanding of each pattern. +#### Current Status + +#### Up Next +- The group is working on adding more content for a broad range of CWE rules. 
The status is being tracked in issue 531 +- We are inviting all interested Python coders to review the current content and/or pick a new CWE rule from 531 and contribute content +- Use the opportunity to give a lightning talk at SOSS Community Day EU to solicit more contributors + + + +### Scorecard +#### Purpose +-To help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe. +- Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. +#### Current Status + +#### Up Next + + +### Security Baseline +#### Purpose +- The goal of this SIG is to evolve OpenSSF security baseline for Linux Foundation wide adoption. +- For OpenSSF adoption of the security baseline, there needs to be a home for tracking the adoption, for maintainers to raise issues to refine the security baseline, merge the baseline back to TAC lifecycle, and for OpenSSF to develop the roadmap for the security baseline. It will provide a venue for early adopters to share their reusable code and findings with other maintainers. The pilot adoption builds the foundation for wider adoption of the security baseline in OpenSSF and in Linux Foundation. +- This SIG creates a venue for other participating foundations to help evolve the OpenSSF security baseline into a security baseline that can be applied to a broad range of software-based projects. The group will define the right level of risks that the security baseline is applicable for, the effectiveness measurement of the security baseline, and the adoption path of the security baseline at the minimum. +#### Current Status +- on 16 July the WG voted to adopt the OpenSSF Security Baseline as a SIG within our group. +- Eddie Knight will help lead the cross-foundation effort. +- SIG resources setup completed (Gitbug, mailing list, slack, community meeting time, etc.). 
+- 5 OpenSSF Projects are actively piloting the security baseline adoption to comply with the Security Baseline by 9/15/2024, inlcuding OpenVEX, Protobom, RSTUF, GUAC, and Scorecard. +- Tracking of the adoption friction points and adoption prgress is in progress. +- Removing adoption friction points is in progress via security baseline SIG repo issues and PR's. +- 2FA will be enabled at the OpenSSF enterprise level on Auguest 6, 2024. +- OpenSSF technology consumption architecuture for depenednecy management is up for review. Reviewers needed! +- Survey for security baseline for Linux Foundation wide adoption is being actively worked on. +- CNCF & FINOS will be collaborating on this effort. +#### Up Next +- Continue tracking and removing security baseline pilot adoption friction points. +- Pilot projects continue to make progress on security baseline compliance. +- Develop openSSF technology consumption architecuture for vulnerability management. +- Publish the survey for security baseline for Linux Foundation wide adoption is being actively worked on. +- First community meeting on 8/6/2024. + +### Web Developer Security Guide +#### Purpose + +#### Current Status + +#### Up Next- Joint venture with W3C, focused on improving education & awareness for web developers +- [BEST Issue 367](https://github.com/ossf/wg-best-practices-os-developers/issues/367) + + + +## Previous Updates +[April 2024](https://docs.google.com/presentation/d/1XjaJa2yxWgRmXhpv0N1_oPG23JPpJY_9zpSOMvqccUM/) +[Dec 2023](https://docs.google.com/presentation/d/1A8Sxm1L3_GcWZqaXepqT1Pj-1sULzUG7fRkCP5tTr24/) +[Sept 2023](https://docs.google.com/presentation/d/1BPSYzk9J33Xl08uekuDBlgJjhiJIMt5B_eBvZ9PetIo/)
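Review bot: Several sections in this hunk are left empty or malformed and should be filled or trimmed before merge: "#### Current Status" under Python Hardening Guide has no content, Scorecard has both "#### Current Status" and "#### Up Next" empty, and Web Developer Security Guide has empty Purpose and Current Status with the Up Next heading fused to its first bullet (`#### Up Next- Joint venture with W3C...` needs a line break before the `-`). Also fix the stray list markers: `- #### Up Next` under Best Practices Badge should not be a bullet, there is a dangling `-` bullet at the end of the EDU.SIG Up Next list, and `-To help open source maintainers` is missing the space after the dash. The Overview runs two sentences together (`...working group within the OpenSSF` then `Our Mission is...` with no terminating period), and the Security Baseline Up Next item `Publish the survey for security baseline for Linux Foundation wide adoption is being actively worked on.` reads as two merged sentences; it was presumably copied from the Current Status line above it. Spelling in this hunk: Edutation (Education), Accredidation (Accreditation), inlcuding (including), prgress (progress), Auguest (August), architecuture (architecture, twice), depenednecy (dependency), Harrignton (Harrington), and Gitbug (presumably GitHub). Minor consistency: "Up next" under Compiler Hardening Guides vs "Up Next" elsewhere, and the LFD121 Up Next item refers to "the labs README" without a link, unlike the other references in this file.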