ossf / wg-vulnerability-disclosures

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.
https://openssf.org
Apache License 2.0

Project Idea - create plugins and/or other tooling to enable CVD Guides #116

Open SecurityCRob opened 1 year ago

SecurityCRob commented 1 year ago

Talked about in our 9/27/2022 call: Francis suggested we build/find tools/automation that can help maintainers and others implement suggestions in CVD guides.

rjb4standards commented 1 year ago

The group may want to consider the impact that US Government activities will influence direction and adoption of software supply chain practices. The Office of Management and Budget issued memo M-22-18 advising Federal Agencies on steps to meet NIST Guidance for secure software development practices and the need to supply a self-attestation letter:

yogeshnmittal commented 1 year ago

I am interested in being a part of the sub-working group or SIG for this project.

u269c commented 1 year ago

@rjb4standards - M-22-18 is about SBOMs being generated, I think we would like the Vuln disclosure working group to be trying to work on vulnerability handling and coordination topics. The SBOM working group is definitely on top of that memo :)

See https://github.com/ossf/sbom-everywhere for the current work.

If you are referring to tools that could be used to generate SBOMs, that working group will be it as well.

rjb4standards commented 1 year ago

The M-22-18 memo refers to "NIST Guidance", which incorporates SBOM, vulnerability reporting and other attestations. See this article for more details on this point, and this article on NIST VDR attestations.

CISA is working on a "Buyers Guide" guideline that includes vulnerability management guidance, as part of the ICT_SCRM Task Force SW Assurance work group, which aligns with the NIST guidance referenced in M-22-18.

u269c commented 1 year ago

Sorry, I'm not very familiar with the memo, thank you for the clarification.

Would love to hear more about the work being done in that task force, if you're able to provide information or entry points in there :)

rjb4standards commented 1 year ago

The link to M-22-18 is listed in this article: https://energycentral.com/c/pip/advice-software-vendors-prepare-omb-m-22-18-requirements

david-a-wheeler commented 1 year ago

By the way, people sometimes complain that "OSS doesn't get enough funding", yet I personally think this is an opportunity to help. US government, if you want a self-attestation, that's great... please pay $X for us to develop and provide one (without a promise of changes, but with a promise to create a proposal for any improvements desired). Say, $10K. If the government isn't willing to pay for an attestation, then it's obviously not serious about needing it. I'm sure that not everyone will think this is a good idea, but really, I think it's reasonable to ask someone to pay you if you don't want to do the work for free.