ossf / education

OpenSSF Education SIG
Apache License 2.0

Software Manager education #48

Open david-a-wheeler opened 1 year ago

david-a-wheeler commented 1 year ago

Managers who oversee software developers also need education!

First, they need "why it matters" - including past $ fines, big events, etc.

They also need to know what software developers need to know. They don't need to know it themselves, but managers need to know what to look for. Here's my proposed list of knowledge areas:

  1. (Requirements) Typical security requirements, what they mean, and how to identify them.
  2. (Risk Management) What are risks (they include likelihood and impact), “no risk” is not practical, the importance of risk management.
  3. (Design) Key secure design principles, such as least privilege, and how to apply them. Many secure design principles were identified by Saltzer and Schroeder in the 1970s, and they continue to be true, yet software developers are still often unaware of them.
  4. (Threat modeling) Methods for analyzing designs for security (threat modeling / attack modeling)
  5. (Acceptlists) How to use acceptlists (and not denylists) to constrain untrusted inputs, as these techniques significantly constrain attacks.
  6. (Top vulnerability types) The most common kinds of vulnerabilities (at least those identified by the “CWE Top 25” and “OWASP top 10”), including exactly what they are, how to recognize them, and practical general techniques to broadly prevent each one. For example, “The State of Developer-Driven Security Survey by Secure Code Warrior in 2022” said that 89% of developers report they’ve received “sufficient training” in secure coding skills, yet their self-evaluation was clearly mistaken; the majority were not familiar with common software vulnerabilities, didn’t know how to avoid them, and didn’t know how they can be exploited. Instead, developers have unreasonably low expectations and are surrounded by others who don’t know much either.
  7. (Hardening) Hardening methods so bugs (which are inevitable) are less likely to become vulnerabilities or will tend to have a lower impact.
  8. (Tools) The different kinds of tools that can be used to detect vulnerabilities, their pros and cons, how they can be used, and how to add tools to their continuous integration (CI) pipeline. These include static source code analyzers, fuzzers, web application scanners, and software composition analysis (SCA) tools. Modern software is too complex to depend solely on manual approaches. However, developers won’t apply tools if they don’t know what they are.
  9. (Reuse) Material specific to evaluating potential reusable components, including open source software (OSS). Today applications are on average 70-90% OSS components; wisely selecting OSS is key for modern software development.
  10. (Testing) The importance of having an automated test suite and applying negative testing. Many developers, including those who apply Test Driven Development (TDD), mistakenly only create tests to verify that functionality that should occur does occur. However, most security requirements are negative requirements, that is, they specify something that should not occur. Therefore, an adequate automated test suite must test that prohibited behavior (such as allowing users to change data without authorization) does not occur.
  11. (Secrets) How to properly handle secrets, including how to correctly apply cryptography, store secrets in general (as opposed to storing them in inappropriate places like source code repositories), store passwords (using iterated salted cryptographic hash algorithms like argon2id), and properly erase secrets.
  12. (Supply chains) How to secure the supply chains going into them and going out of them.

The LF certs are the gold standard in the open-source DevSecOps community because the Linux Foundation certifications are designed to demonstrate real-world functional expertise. The following link speaks to functional DevSecOps expertise that the various training and certifications provide.

This list of items is from "LINUX FOUNDATION & OPEN SOURCE SECURITY FOUNDATION INPUT TO CYBERSECURITY RFI FROM THE OCND" by Clyde Seepersad, David A. Wheeler, and John Ogle.

I'm sure they need to know other things!
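Two of the knowledge areas above, acceptlists for untrusted input (item 5) and negative testing of prohibited behavior (item 10), are concrete enough to show in code. The following is an added illustration, not code from this issue or from the OpenSSF education project: it validates a username against an acceptlist pattern (the pattern and the tiny record store are assumptions made for the example) and then runs negative tests that check that bad inputs are rejected and that an unauthorized write does not change stored data.

```python
import re
from dataclasses import dataclass, field

# Acceptlist: state exactly what is allowed and reject everything else.
# (Assumed policy for the example: lowercase letter, then 2-31 of [a-z0-9_].)
USERNAME_RE = re.compile(r"\A[a-z][a-z0-9_]{2,31}\Z")


def validate_username(value: object) -> bool:
    """Return True only if value is a str matching the acceptlist pattern."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


class AuthorizationError(Exception):
    """Raised when an actor tries to modify a record they do not own."""


@dataclass
class Record:
    owner: str
    value: str


@dataclass
class Store:
    """Constructed in-memory record store used only for this example."""
    records: dict = field(default_factory=dict)

    def update(self, actor: str, record_id: str, new_value: str) -> None:
        record = self.records[record_id]
        # Authorization check: only the owner may change the record.
        if record.owner != actor:
            raise AuthorizationError(f"{actor} may not modify {record_id}")
        record.value = new_value


def negative_tests() -> dict:
    """Negative tests: each entry is True when the prohibited thing did NOT happen."""
    results = {}
    # Constructed untrusted inputs; a denylist of "bad characters" would
    # likely miss several of these, the acceptlist rejects them all.
    for bad in ["", "Admin", "bob; rm -rf /", "a" * 40, "bob\n", "\u00f1ame", "1bob"]:
        results[f"reject:{bad!r}"] = not validate_username(bad)
    results["accept:alice_1"] = validate_username("alice_1")

    store = Store({"r1": Record(owner="alice", value="orig")})
    try:
        store.update("mallory", "r1", "tampered")
        results["unauthorized_write_blocked"] = False  # no exception: test fails
    except AuthorizationError:
        # The real check: the data must be unchanged, not just that an error was raised.
        results["unauthorized_write_blocked"] = store.records["r1"].value == "orig"
    return results


if __name__ == "__main__":
    for name, passed in negative_tests().items():
        print(("PASS " if passed else "FAIL ") + name)
```

Note that the negative test for the store asserts on the stored value after the attempt, not only on the exception: a test that stops at "an error was raised" can pass even when the write went through before the error.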

david-a-wheeler commented 1 year ago

@SecurityCRob - plausible?

SecurityCRob commented 1 year ago

heck yeah. Let's make sure the high-level is captured in the plan, and we can add this to the list of stuff to create/find.

SecurityCRob commented 1 year ago

Related to Goal 1.3 [1] & 1.4 [2]. As we build out specifics of desired content and learning paths we'll want to ensure this perspective is accounted for.

[1] - https://github.com/ossf/education/blob/main/plan/1.0%20Collect%20and%20Curate%20Content.md#13-goal-determine-venues-and-personas-that-content-will-be-created-fordelivered-to
[2] - https://github.com/ossf/education/blob/main/plan/1.0%20Collect%20and%20Curate%20Content.md#14-goal-define-training-areas-of-focus

jstclair2019 commented 1 year ago

@SecurityCRob @david-a-wheeler good stuff. Haven't opened a separate issue yet, but the FINOS Open Source Readiness (OSR) SIG is working with TODO Group and others to develop a Body of Knowledge for readiness and maturity. We'd love to incorporate OpenSSF education into our BoK, oriented towards the roles and personas we are mapping out, both in the OSPO and organization. Please let me know how best to collaborate.

SecurityCRob commented 1 year ago

Sounds good. There are multiple ways to collaborate:

As the OSSF TAC and GB review, edit, and ideally approve the plan, we’ll start to form back up again in small focus groups. As that happens perhaps we could have a joint call to talk about your personas and what you’d like to see out of the group deliverables.

Cheers,

CRob
Director of Security Communications
Intel Product Assurance and Security
