PQCA / TAC

https://pqca.org
Apache License 2.0

Creation of Working Group for Project Security Governance/process #2

Open TheFoxAtWork opened 3 months ago

TheFoxAtWork commented 3 months ago

From today's TAC call there is a need to develop a Project Security Governance/process working group to assist the TAC in its projects in establishing good security practices and bootstrapping vulnerability management and response for projects.

Individuals interested in participating should comment on this issue for when the TAC approves this request.

planetf1 commented 3 months ago

Interested in participating, in particular as I see this as crucial for PQCA given its aim of developing secure cryptographic algorithms. We need the processes around that to be best practice (including closely following OSSF, for example).

planetf1 commented 2 months ago

Ref: OSSF. In addition to scorecard, in a previous project we pursued the CII best practices badges (we got to one off gold) https://github.com/coreinfrastructure/best-practices-badge to help improve our processes and docs (plus code).

planetf1 commented 2 months ago

For anyone interested, there was a recent OpenSSF talk on scorecard. https://youtu.be/hKPsu72ol4s?si=rqrETyaj1_HrrEtj

Naomi-Wash commented 2 months ago

Hello everyone, the TAC approved the creation of the PQCA Security Working Group. A mailing list, GH repo, and a Discord channel have been created. Please be sure to subscribe/join!

planetf1 commented 2 months ago

As this is a PQCA level workgroup I think we need to document/recommend best practice for the other projects within PQCA to follow insomuch as it makes sense.

A quick definition of what this workgroup is could be a good deliverable to share back to the PQCA.

Some of the areas to look at are covered above. We could add security of any hosted resources, build process integrity, SBOM & CBOM generation, static code scanning, dependency scans/management, dynamic code scanning. (Note: liboqs does do some of these)

To make this happen I'm thinking

Naomi-Wash commented 2 months ago

@planetf1 Completely agree. Other open source projects model their working group creation best practices on the CNCF Working Group Model (https://github.com/cncf/toc/blob/main/workinggroups/README.md) and I think we should as well.

In addition, for ease of tracking, I'd like to create a GHI template, so when new working group suggestions come up the community can submit the request to PQCA.