ossf / tac

Technical Advisory Council
https://openssf.org

Table Top Exercise for SOSS Community day NA 2024 Seattle #239

Closed Danajoyluck closed 4 months ago

Danajoyluck commented 8 months ago

The foundation is planning a table top exercise event as part of the SOSS Community Day NA 2024 in Seattle. We would like to get input from the TAC.

The TTX planning proposal is below.

hythloda commented 8 months ago

Overview

OpenSSF will conduct a Tabletop Exercise (TTX) during OpenSSF NA 2024 in Seattle. The TTX will be curated by OpenSSF, with support from ControlPlane.

Goals

We hope to achieve these goals through the TTX:

  1. Provide a TTX template/formula for maintainers, contributors, and open source consumers to adopt and customize to start running their own TTX and improve their incident response
  2. Provide education for developers who are learning security
  3. Demonstrate how current OpenSSF technologies may be helpful during a security incident
  4. Determine opportunities to enhance existing technologies or develop new ones to support incident response.

Requirements for Scenario Development

As we develop TTX scenarios, we need to ensure these requirements are covered:

  1. Build the OpenSSF focus areas below into the TTX scenarios
    1. SBOM
    2. Scorecard
    3. SLSA
    4. OpenVEX
    5. Security Insights
  2. Identify security tools from other foundations to be included in the TTX if possible (nice to have)
  3. Leverage the TTX to identify operational issues with OpenSSF or our projects so we can ensure they are addressed
  4. Work with US Public Sector (CSRB, CISA) to craft a realistic scenario.

TTX Scenarios

IN A SEPARATE DOC

TAC Review

Opened a review issue with the TAC on GitHub to seek TAC input.

TTX Event Registration

The TTX will be a 60-minute interactive session in the main OpenSSF conference room. It will have 20 active participants and be open to conference attendees as observers (minimal input; they can raise questions via Slido).

OpenSSF will work with the LF event team on TTX registration. The registration will need to accommodate both TTX active participants (who actively get engaged in scenarios) and the observers (the event attendees who observe the TTX).

The active participants are limited to 20 on the panel. To select these participants, we will make an open invitation to the community. For a diverse panel, we will select participants on a first-come, first-served basis while considering the diversity of the representation already on the panel, such as the companies already represented and the gender and community representation.

TTX Post Event

After the event, a retrospective will be conducted to gauge the success of the event.

JustinCappos commented 8 months ago

How do others (both individuals and OpenSSF projects) participate in this?

SecurityCRob commented 8 months ago

We'll be discussing this at the 9 Jan TAC call. @Danajoyluck should be able to brief everyone about the exercise there and answer questions asynchronously here.

steiza commented 8 months ago

First a disclaimer: there's a lot I don't know about running table-top exercises.

I think I understand how goals 2 ("Provide education for developers who are learning security") and 3 ("Demonstrate how current OpenSSF technologies may be helpful during a security incident") can be met by this event, and how goal 4 ("Determine opportunities to enhance existing technologies or develop new ones to support incident response.") can come from the retrospective.

But it's not clear to me how goal 1 ("Provide a TTX template/formula for maintainers, contributors, and open source consumers to adopt and customize to start running their own TTX and improve their incident response") will be met. Will someone be writing up and publishing this guidance after the event? Is there an OpenSSF Technical Initiative associated with this exercise that could then publish this content on a page like https://best.openssf.org/?

SecurityCRob commented 8 months ago

This should live within the Vuln Disclosure WG, this stuff is kinda their jam. Yes, documentation should be written up and published alongside our other materials like the CVD Guides.

SecurityCRob commented 4 months ago

This event was held at oss-na 2024.