Closed Danajoyluck closed 4 months ago
OpenSSF will conduct a Tabletop Exercise (TTX) during OpenSSF NA 2024 in Seattle. The TTX will be curated by OpenSSF, with support from ControlPlane.
We hope to achieve these goals through the TTX:
As we develop TTX scenarios, we need to ensure these requirements are covered:
IN A SEPARATE DOC
Opened a review issue with TAC on Github to seek TAC input.
The TTX will be a 60-minute interactive session in the main OpenSSF conference room. It will have 20 active participants and will be open to conference attendees as observers (minimal input; observers can raise questions via Slido).
OpenSSF will work with the LF event team on TTX registration. The registration will need to accommodate both TTX active participants (who actively get engaged in scenarios) and the observers (the event attendees who observe the TTX).
The active participants are limited to 20 on the panel. To select these participants, we will make an open invitation to the community. For a diverse panel, we will select participants on a first-come, first-served basis while considering the diversity of the representation already on the panel, such as the companies already represented and the gender and community representation.
After the event, a retrospective will be conducted to gauge the success of the event.
How do others (both individuals and OpenSSF projects) participate in this?
We'll be discussing this at the 9 Jan TAC call. @Danajoyluck should be able to brief everyone about the exercise there and answer questions asynchronously here.
First a disclaimer: there's a lot I don't know about running table-top exercises.
I think I understand how goals 2 ("Provide education for developers who are learning security") and 3 ("Demonstrate how current OpenSSF technologies may be helpful during a security incident") can be met by this event, and how goal 4 ("Determine opportunities to enhance existing technologies or develop new ones to support incident response.") can come from the retrospective.
But it's not clear to me how goal 1 ("Provide a TTX template/formula for maintainers, contributors, and open source consumers to adopt and customize to start running their own TTX and improve their incident response") will be met. Will someone be writing up and publishing this guidance after the event? Is there an OpenSSF Technical Initiative associated with this exercise that could then publish this content on a page like https://best.openssf.org/?
This should live within the Vuln Disclosure WG, this stuff is kinda their jam. Yes, documentation should be written up and published alongside our other materials like the CVD Guides.
This event was held at OSS NA 2024.
The foundation is planning a tabletop exercise event as part of the SOSS Community Day NA 2024 in Seattle. We would like to get input from the TAC.
The TTX planning proposal is below.