Software Security Supply Chain - Working Group Meeting - Thursday 20 Jun 2023

[mcleo-d]

Date

Thursday 20 Jun 2023 - 09:00 EST / 14:00 UK

Untracked attendees

Name	Firm	Comment

Meeting notices

• FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

• All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

• FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.

• FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Agenda

• [ ] Convene, roll call, welcome new people
• [ ] Approve previous meeting minutes
• [ ] Review working group project board
• [ ] Slides from FINOS Member Meeting Roundtable
  • https://groups.google.com/a/finos.org/g/devops-mutualization/c/JrUVAV_rKUI
  • FINOS Member Meeting Roundtable Slides
• [ ] AOB, Q&A & Adjourn (5mins)

Decisions Made

• [ ] Decision 1
• [ ] Decision 2
• [ ] ...

Action Items

• [ ] Action 1
• [ ] Action 2
• [ ] ...

Zoom info

Join Zoom Meeting

• https://zoom.us/j/95521041942?pwd=dHgwREU2TzBsS242ak1zYWZsUW9OUT09
• Meeting ID: 955 2104 1942
• Passcode: 443820
• Find your local number: https://zoom.us/u/aesEqmNODb

Github Repo: https://github.com/finos/devops-automation/

Project Board: https://github.com/orgs/finos/projects/33

Mailing List: Email devops-mutualization+subscribe@finos.org to subscribe to our mailing list

[robmoffat]

Rob / FINOS 👟

[psmulovics]

Peter Smulovics / Morgan Stanley 🏦

[mcleo-d]

James McLeod / FINOS

[Iletee]

Ilkka Turunen / Sonatype

[johnmark]

JM Walker / Fannie Mae

[ashukla13]

Amol Shukla / Morgan Stanley

[josspo]

Joss Poupeney / FINOS

[maoo]

Maurizio Pillitu / FINOS

[brunon]

Bruno Navert / Morgan Stanley

[adrianbele]

Adrian Bele / Red Hat

[brooklynrob]

Rob Underwood / JPMC

[jonmuk]

Jon Meadows (Citi)

[brunon]

Challenge: lack of visibility. Applications have hundreds of OSS software components, where are the real issues, how do we identify and surface them to focus on the important things?

[rhyddian]

Rhyddian Olds @ Citi

[johnmark]

Rob U: top 1000 open source projects used in FS? We have limited resources - are we willing to contribute actual resources to this? Will we commit to using output?

[johnmark]

Jonathan Meadows: can we use the output of the FSI threat intelligence group fsisac.com - 50K banks - connected to openssf

• what is the work product? Created top 100 list of open source libraries
• put together primer - general threat model, ingestion of OSS, white paper
• looking to distribute OSS projects?
• announced public partnership with OpenSSF

[rhyddian]

Jonathan Meadows: can we use the output of the FSI threat intelligence group fsisac.com - 50K banks - connected to openssf

* what is the work product? Created top 100 list of open source libraries

Financial Services Information Sharing and Analysis Center (FS-ISAC)

[johnmark]

Rob U: between FS-ISAC and this group - do we need to exist? James: can we still pull learning from other groups into larger devops automation group? Rhyddian: if there are gaps, let's examine the gaps Rob M: are there introductory docs we can point people to

[johnmark]

Decision: for orgs that haven't signed a CLA, they can open/amend issues, which project leads then convert into cards on the project board

Boundaries (James) - are we focusing on internal processes, proprietary or non-proprietary products?

• cannot become advocate for proprietary products
• possible to make recommendations that become requirement for proprietary products - we should watch out for that

[robmoffat]

I am interested in building a view on what the state of the art looks like - these are the docs we want for osr.finos.org. If that helps drive out an understanding of the gaps, then that's great. Happy to work on these docs with the group.

[nitinNayar]

nitin semgrep

[robmoffat]

Regarding threat models: I think this is something we could review as a group.

• There are some here: https://cloud.google.com/software-supply-chain-security/docs/attack-vectors
• Some on page 6 of this: https://github.com/ossf/s2c2f/blob/main/specification/Secure_Supply_Chain_Consumption_Framework_(S2C2F).pdf
• And some in The Mitre Att&ck Model
• Probably more in FS-ISAC (although as a non-member I can't read it)
• Also, a talk I attended by Eclipse Foundation detailed a few others that seem novel.

Is there a definitively maintained list anywhere?

Also useful:

• SLSA
• Supply Chain Best Practices

[brunon]

Gaps to discuss: lack of common industry-standard solutions to address software end-of-life in financial services