[2024-03-01] TODO General Member Friday Touchpoint

[anajsana]

Agenda (2024-03-01)

All content has been anonymized and future meeting entries must follow the same process.

Featured Topics

• Housekeeping
• Volunteer(s) to scribe today’s meeting
  • Chatham House Rule
  • Updates from TODO Europe Touchpoints Meeting notes
    • See Summary on GH Discussions here: Link to issue
• Deep Dive on Security management with OpenSSF

Meeting Notes

Q&A Session: Deep Dive on Security management with OpenSSF

• Slides

• https://github.com/ossf/community

• Automation in Security for Risk Management

  • Scorecard + AllStar
  • Potential future functionality: different score / policies based on selected and weighed checks

• Complementary tooling:

  • https://github.com/todogroup/awesome-ospo
  • https://github.com/uwu-tools/peribolos
  • https://github.com/actions/dependency-review-action
  • Installer: https://github.com/ossf/scorecard-action/tree/main/cmd/installer
  • Scorecard Monitor: https://github.com/UlisesGascon/openssf-scorecard-monitor
  • API Visualizer: https://github.com/KoolTheba/openssf-scorecard-api-visualizer

• Best practices from the OpenSSF Scorecard project

  • https://github.com/ossf/scorecard-action/tree/main/cmd/installer
  • Complementary dashboard: https://clomonitor.io/

• Supply chain security

• Dependency management data

  • Have we talked about this yet?
  • Crunching dependency data in graph databases, e.g. to identify "problematic"dependencies
  • Q: What is the desired / ultimate purpose of dependency management
  • Enable devs to pick the best tool for the job
  • Dependency management == Actively manage the job ?
  • Choose the right tooling and actively manage those dependency trees (not just see the problem, but take action)

• Question to think about: Why some OSPOs are not open-sourcing by default all the tools they use in their operations (in terms of, for instance, security) to ease their work?