Create MVSR for the BEST WG

[SecurityCRob]

MVSR (Mission, Vision, Strategy, Roadmap)[1] is a tool that helps provide a consistent way of expressing our goals and efforts across the foundation. All working groups have been asked to express themselves using this format which should also help the group plan for future work/projects. All are welcome to participate, I've created a copy[2] of the template for our group to use in this exercise. I've provided an example of how an MVSR could look from the Security Toolbelt group[3] for reference.

[1] - https://docs.google.com/document/d/1p6hOlE4eH1xvQ9pP7swCH2tmIJJ-6G3vnYI8MDzSCQk/edit [2] - https://docs.google.com/document/d/1_l6Yvvjmg2QMqVnWlgw9l6L2Xug2dHnkuZgK5CsDSak/edit [3] - https://github.com/ossf/Diagrammers-Society/tree/main/SecurityToolbelt

[ccpalmer]

A common challenge to those wanting to (or being driven to) move to memory safer programming languages is the extreme hurdle of legacy code. What could we do to ease this transition?

[SecurityCRob]

I've summarized the comments/feedback to date into a "TL/DR" version that sits at the bottom of our gdoc. Pasting here for documentation in our issue:

TL/DR BEST MVSR

Mission Our Mission is to provide open source developers with best practices recommendations and easy ways to learn and apply them. We seek to fortify the open-source ecosystem by championing and embedding best security practices, thereby creating a digital environment where both developers and users can trust and rely on open-source solutions without hesitation.

Vision We envision a world where software developers can easily IDENTIFY good practices, requirements and tools that help them create and maintain secure world-class software, helping foster a community where security knowledge is shared and amplified. We seek to provide means to LEARN techniques of writing and identifying secure software using methods best suited to learners of all types. We desire to provide tools to help developers ADOPT these good practices seamlessly into their daily work.

Strategy

• To achieve our Mission and Vision, the BEST Working group will execute on the following strategy:
• Collaborate with security experts to draft a comprehensive set of best practices tailored for open-source projects.
• Identify gaps in tools and resources that can promote secure development practices.
• Evangelize and drive adoption of our artifacts (ex: guides, trainings, tools) through community outreach and targeted maintainer engagement.
• Collaborate with other OpenSSF and open source efforts to provide comprehensive guidance, advice, and tooling for software developers and open source software consumers to use, implement, and evaluate the security qualities of software.

Roadmap To deliver on our Strategy, the BEST Working Group will do the following:

• Evangelize OpenSSF “best practices” and tooling through blogs, podcasts, conference presentations, and the like.
• -Create a “Secure from the (open) source” expert podcast to showcase the work across the foundation.
• Create express learning classes for our body of work: working group explainer, SCM BP Guide, C/C++ Guide, Scorecard/Badges, Concise Guides
• Create a “Best Practices Member Badge” for member organizations
• Support and promote our sub-projects with contributions and feedback - Scorecard, BP Badges, SKF, Classes, and Guides.
• Create a Memory Safety W3C-style workshop to assemble development leaders to talk about how to integrate memory safe languages and techniques more deeply into the oss ecosystem.
• Expand DEI AMA Office Hours to more broadly engage new-to-oss individuals and provide a forum for mentorship and guidance as they launch into and grow within their careers. -Identify, curate, produce, and deliver new secure development education such as Developer Manager Training, Implementing/Integrating OSSF tools such as Scorecard, Badges, OSV, OpenVEX, etc), advanced secure development techniques, and more.

[SecurityCRob]

A common challenge to those wanting to (or being driven to) move to memory safer programming languages is the extreme hurdle of legacy code. What could we do to ease this transition?

This is a challenge our Memory Safety SIG(https://github.com/ossf/Memory-Safety) is attempting to tackle @ccpalmer . any thoughts you may have are welcome!

[SecurityCRob]

group talked through and approved 1st draft of MVSR for the team. We will continue to refine and update via PRs going forward