Threat Model for an Open Source Project - Yes/No?

[Danajoyluck]

This is related to security baseline and I'd like to get TAC vote on threat modeling......should a graduated project have threat modeling done if the project provides internet service? For example, Sigstore. The work can be done via TI funding.

[sevansdell]

I am supportive of this. Threat modeling is a good best practice. Would the threat modeling occur through a TI funding request or some other mechanism?

I think in addition to the threat modeling, there should be a plan to prioritize and close risks identified by the threat model in a reasonable time frame. One time costs to accelerate closing higher priority risks may be incurred that could be part of the TI funding process.

[lehors]

@Danajoyluck Can you please expand on what this implies?

Do you mean this would be a requirement for projects to do to move to graduated status or something they should once they are graduated?

Is that something they are expecting to do on their own or is that something we'd allocate resource to get done for them?

For reference, in Hyperledger graduated projects get to have security audits done for them. This is a benefit: they don't have to do anything other than possibly answer some questions from the auditing firm (and they are given a chance to review and ask questions on the findings of course). The cost is covered by the foundation.

Is this the kind of stuff you're thinking about?

Thanks.

[Danajoyluck]

@Danajoyluck Can you please expand on what this implies?

Do you mean this would be a requirement for projects to do to move to graduated status or something they should once they are graduated?

Is that something they are expecting to do on their own or is that something we'd allocate resource to get done for them?

For reference, in Hyperledger graduated projects get to have security audits done for them. This is a benefit: they don't have to do anything other than possibly answer some questions from the auditing firm (and they are given a chance to review and ask questions on the findings of course). The cost is covered by the foundation.

Is this the kind of stuff you're thinking about?

Thanks.

Thanks @lehors for the information. Yes, this issue is focused on if threat modeling should be done . The when and how needs to decided after this. Or can be bundled into this issue.

Agree....Threat modeling is a specialized security domain that needs to be democratized before we ask maintainers to do it on their own. There are education and training opportunities here, and potentially adopting a simplified threat modeling framework to lower the entry of barrier.

[Danajoyluck]

I am supportive of this. Threat modeling is a good best practice. Would the threat modeling occur through a TI funding request or some other mechanism?

I think in addition to the threat modeling, there should be a plan to prioritize and close risks identified by the threat model in a reasonable time frame. One time costs to accelerate closing higher priority risks may be incurred that could be part of the TI funding process.

Thanks @sevansdell thanks for the inout. Agree....Threat modeling can be done through TI funding, and risk based approach on addressing threats identified through the modeling.

[lehors]

@Danajoyluck Can you please expand on what this implies? Do you mean this would be a requirement for projects to do to move to graduated status or something they should once they are graduated? Is that something they are expecting to do on their own or is that something we'd allocate resource to get done for them? For reference, in Hyperledger graduated projects get to have security audits done for them. This is a benefit: they don't have to do anything other than possibly answer some questions from the auditing firm (and they are given a chance to review and ask questions on the findings of course). The cost is covered by the foundation. Is this the kind of stuff you're thinking about? Thanks.

Thanks @lehors for the information. Yes, this issue is focused on if threat modeling should be done . The when and how needs to decided after this. Or can be bundled into this issue.

Agree....Threat modeling is a specialized security domain that needs to be democratized before we ask maintainers to do it on their own. There are education and training opportunities here, and potentially adopting a simplified threat modeling framework to lower the entry of barrier.

Ok but I don't think we can just decide in a vacuum that projects should have a threat model without taking into consideration what this might entail. As in everything else in life there is a trade-off and we have to find the right balance. We cannot do so if we only look at one side of the problem.

In particular, we have to remember that while OpenSSF projects ought to be role models when it comes to security best practices we've heard loud and clear that adding to the maintainers' burden by keeping on increasing the number of requirements for them to fulfill is not helpful.

[Danajoyluck]

@Danajoyluck Can you please expand on what this implies? Do you mean this would be a requirement for projects to do to move to graduated status or something they should once they are graduated? Is that something they are expecting to do on their own or is that something we'd allocate resource to get done for them? For reference, in Hyperledger graduated projects get to have security audits done for them. This is a benefit: they don't have to do anything other than possibly answer some questions from the auditing firm (and they are given a chance to review and ask questions on the findings of course). The cost is covered by the foundation. Is this the kind of stuff you're thinking about? Thanks.

Thanks @lehors for the information. Yes, this issue is focused on if threat modeling should be done . The when and how needs to decided after this. Or can be bundled into this issue. Agree....Threat modeling is a specialized security domain that needs to be democratized before we ask maintainers to do it on their own. There are education and training opportunities here, and potentially adopting a simplified threat modeling framework to lower the entry of barrier.

Ok but I don't think we can just decide in a vacuum that projects should have a threat model without taking into consideration what this might entail. As in everything else in life there is a trade-off and we have to find the right balance. We cannot do so if we only look at one side of the problem.

In particular, we have to remember that while OpenSSF projects ought to be role models when it comes to security best practices we've heard loud and clear that adding to the maintainers' burden by keeping on increasing the number of requirements for them to fulfill is not helpful.

@lehors I hear you.....I made the ask more specific. Thoughts?

[ctcpip]

Recommending it would be fine, but I would caution against requiring. It's a big ask for projects and it can't be done in a vacuum. Meaning, even if you fund an entity to assist with security policy, including threat model development, those processes still require the active participation of project maintainers.

[lehors]

@Danajoyluck Thanks for the revised proposal, it sounds good to me although there still are some open questions such as whether this is a one time request or ongoing, and if the latter how often does the project have to actively review their threat model and revise it if necessary.

[SecurityCRob]

I love me some threat modeling. I'm curious of what the vision is for this in execution? Will someone from LF or a community member work with the project teams to conduct the TM? Will the project need to figure this out for themselves? Would we contract this out to a specialist? Will the LF/OSSF provide any tooling or guidance/documentation on what is desired?

[ljharb]

Threat modeling by definition requires maintainer input, and in practice will require paid expertise to help maintainers create the model. nvm recently developed a threat model in partnership with a security firm and OSTIF, funded by OpenJS via the Sovereign Tech Fund, and I couldn’t have done it otherwise.

Is OpenSSF prepared to fund similar efforts? If so, great! If not, I’m not sure what we hope to achieve.

[Danajoyluck]

Thanks all......will use security audit to bundle threat model in. TAC has security audit defined as graduation criteria. https://github.com/ossf/tac/blob/main/process/project-lifecycle.md#incubating

Closing this issue.

[Danajoyluck]

This is not needed