cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://tag-security.cncf.io

[Proposal] Security Baseline WG #1313

Closed eddie-knight closed 2 months ago

eddie-knight commented 3 months ago

Description:

Create a new Working Group designed to interface with OpenSSF projects, SIGs, and WGs.

After reviewing feedback from @TheFoxAtWork and @caniszczyk, the STAG Co-Chairs (myself, @mnm678, and @PushkarJ) have concluded that future security hygiene recommendations for CNCF projects should align closely with corresponding OpenSSF recommendations. Additionally, any future tooling efforts should not duplicate work from that foundation.

Previously the STAG and TOC have voiced hesitation due to the lack of a firm bridge to share knowledge across the foundations. Now, the OpenSSF has agreed to create avenues for TAG Security to help define the OpenSSF Security Baseline.

Impact:

This can become a very hands-on partnership, with coordinated opportunities to contribute to the respective codebases, standards, and publications.

  1. Create avenues for TAG Security to help define the OpenSSF Security Baseline
  2. Streamline opportunities for STAG members to help shape and contribute to security hygiene tooling
  3. Simplification of Security Slam planning efforts as we align our hygiene standards with OpenSSF
  4. Potential for Security Slam participants to have their progress highlighted in OpenSSF publications

Scope:

This effort involves self-determined participation. Logistic coordination will be the responsibility of OpenSSF, not the STAG Project Lead.

Initial efforts will only explicitly include collaboration with OpenSSF on the Security Baseline.

Intent to lead:

Proposal to Project:

TO DO

TheFoxAtWork commented 3 months ago

I'm very interested in being involved with this in some capacity - (schedule allowing)

JustinCappos commented 2 months ago

I'm happy to help out here as well. I have TAG Security tech lead / maintainer (TUF, in-toto) roles on the CNCF side. From the OpenSSF side, I was elected to the GB of the OpenSSF and am a maintainer of two projects there as well (gittuf, SBOMit).


jkjell commented 2 months ago

I'm also very interested in contributing to this and can show up to help. I have a pretty significant overlap with @JustinCappos as far as project representation in CNCF and OpenSSF, but I would represent a different background from the industry perspective.

PushkarJ commented 2 months ago

Potential next steps:

Feel free to add more

eddie-knight commented 2 months ago

After some follow-up discussion, I will take the lead on this and pull in others who have expressed interest.

Additionally I have restricted the scope in the description to only explicitly include the Security Baseline contributions (though followup opportunities are not excluded from future discussion).

I have also changed the issue title accordingly.

mlieberman85 commented 2 months ago

I'm a STAG lead, OSSF TAC and GB member, maintainer of several OSSF projects including GUAC which plans to be part of the baseline pilot. I also volunteered to co-chair the OSSF Baseline SIG that is working on this from OpenSSF side.

mrcdb commented 2 months ago

I am interested in getting involved in this!

eddie-knight commented 2 months ago

Scope & Deliverables

Create a recurring meeting where members may discuss how best to represent the TAG during the development of the Open Source Project Security Baseline.

The WG will be spun down with the publication of the Baseline Whitepaper in January, or sooner if appropriate.

Meeting Info

Fortnightly, Wednesdays at 1030 EST / 1530 BST — First meeting July 31 2024

dehatideep commented 2 months ago

@eddie-knight, I had expressed my interest on the Slack channel, but I'm expressing it here again: if I do get the opportunity to work on this one, I'll dedicate the time and effort needed. I work for Cisco and have been focusing on security issues, product security baseline, compliance, architecture, design, coding, and whatever else is needed for a commercial product to have the required level of security and compliance, for the last 10 years. I am a newbie eager to contribute to CNCF. Until now, I have been an end user of open-source software and many of the recommendations, but I am now keen to contribute actively. Thank you for considering my application.

eddie-knight commented 2 months ago

The WG meeting has been created for every other Wednesday following the EMEA meeting, and can be found here:

https://zoom-lfx.platform.linuxfoundation.org/meetings/cncf?view=week

SophiaUgo commented 2 months ago

I'm going through the documents; though quite cumbersome, I'm hoping to catch up to speed.

Brief intro: I'm a Cybersecurity Analyst interested in Cloud Security, new to Open Source and looking to contribute to projects under LFX.

ai2017 commented 2 months ago

I would be interested in contributing by doing the warm reach-out to a few CNCF project maintainers on the survey.

eddie-knight commented 2 months ago

Hey @ai2017 👋 I've created #1336 to track that workstream!