1.0 Collect and Curate Content.md

File metadata and controls

299 lines (208 loc) · 15.4 KB

1.0 - COLLECT AND CURATE CONTENT

  • Section Lead - Dave Russo
  • Section Team - Sal Kimmich, Emily Fox, Judy Kelly, VMB, Randall T. Vasquez, Christine Abernathy, CRob, Eric Tice, David A. Wheeler, Brian Fox, Avishay Balter
  • Section Meeting Time/Details - Thursday 9:00am Eastern, starting Thursday Sept 1, recurring every 2 weeks
  • Section Meeting Zoom link
  • Section Meeting Notes

Introduction

Before any meaningful learning can be developed or shared, an inventory of useful existing resources should be collected. This allows alignment with learning paths and objectives, and highlights gaps and areas that are missing from the current Common Body of Knowledge (CBK). This information helps Section 2 develop more complete coursework, labs, and supplementary materials, and helps identify which existing materials may need to be updated to current practices and techniques. Section 3 will provide means to reward and encourage developers and students of all types to adopt and use these secure development and management techniques.

1.1 Goal: Review existing educational materials for gaps and opportunities

Before training can be expanded, materials should be collected to understand what is available and what gaps exist in current artifacts, so that new materials can be created to fill those gaps or desired new areas.

Dependencies

  • None

Key Steps/Milestones

(YEAR 1)

  • M1: Create a working document to record existing secure development materials [Sept 2022]
    • Working document: here
    • issue1.1M1
  • M2: Create a Materials Matrix, including defining a structure to organize the content that we are collecting [Oct 2022]
    • Spreadsheet working doc here
    • issue1.1M2
  • M3: Review existing secure development materials from the following sources: Linux Foundation / OpenSSF, OWASP and other OSSF member organizations [Q1 2023]
    • Send an e-mail to all OSSF member orgs for feedback/comment
    • issue1.1M3
  • M4: Prepare and conduct a survey to find out “what’s missing” / “what's wrong” from the existing secure development materials (Dependent upon the list of existing materials) [Q2 2023]
    • Determine the criteria and audience for the survey
    • Determine the questions to be included in the survey
    • Determine potential respondents and ways to solicit responses, focus on reaching a diverse audience and reducing bias
    • Perform gap analysis against existing OSSF materials & classes; document areas new content is desired/required [Q3 2023]
    • Determine the format of the deliverable report
    • issue1.1M4
  • M5: Hire Education Program Manager (PgM) to oversee the execution of the EDU.SIG plan, and then facilitate and coordinate the EDU.SIG as it enters operations. This role will need to be one of the first steps undertaken as the EDU.SIG plan is being implemented to ensure its smooth delivery. The EDU.SIG PgM will collect and report out on key metrics of the EDU.SIG program and will coordinate onboarding and training of new EDU.SIG volunteers, amongst other duties.
    • M5.1: Create job description + roles & responsibilities for EDU.SIG PgM
    • M5.2: Hire PgM
    • M5.3: On-board PgM and get them up to speed to start managing plan implementation
    • issue1.1M5

Time & resource estimate

| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage |
| --- | --- | --- | --- | --- |
| M1 | xx | xx | xx | ➡️ Y1 |
| M2 | 2 | 04 | 08 | ➡️ Y1 |
| M3 | 10 | 14 | 140 | ➡️ Y1 |
| M4 | 4 | 04 | 16 | ➡️ Y1 |
| M5 | 4-5 | 18 | 68-84 | ➡️ Y1 |
  • Estimated Total Combined Volunteer Hours: Y1 232-248
  • Budget Requests

  • EDU Program Manager - 1 FTE ($300k yearly)

1.2 Goal: Content curator of the education materials sources (OER Librarian)

After materials have been collected and reviewed by the OER Librarian, they need to be integrated into the SKF platform so the SKF Ops team can make the new materials available.

Dependencies

  • Materials Matrix complete - [ ] issue1.1M2
  • Review of existing materials and verification of public availability/usage complete

Key Steps/Milestones

(YEAR 1)

  • M1: Hire OER Librarian to manage, coordinate, and maintain the content library [Q2 2023]
    • M1.1: Create job description + roles & responsibilities for EDU.SIG PgM
    • M1.2: Hire PgM
    • M1.3: On-board PgM and get them up to speed to start managing plan implementation
    • issue1.2M1

Time & resource estimate 1 FTE YEAR 1

| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage |
| --- | --- | --- | --- | --- |
| M1 | 4-5 | 18 | 68-84 | ➡️ Y1 |
  • Estimated Total Combined Volunteer Hours: Y1 68-84
  • Budget Requests

  • OER Librarian - 1 FTE ($300k yearly)

1.3 Goal: Determine venues and personas that content will be created for/delivered to

Create a list of training personas, learning paths, and channels that educational content will be delivered in.

Dependencies

  • Materials matrix complete - [ ] issue1.1M2

Key Steps/Milestones

(YEAR 1)

  • M1: Determine personas that align with the Materials Matrix [TBD]
    • Higher Ed
    • Trade school/boot camp/professional
    • Job change training (new to the career path)
    • Primary/secondary pre-career education
    • Managers of software developers
    • Trainers (aka train the trainers)
    • Contributor/Maintainer training (how to do a PR, maintenance)
    • Compliance
    • issue1.3M1
  • M2: Formally document these personas for use by the EDU SIG and other OSSF workgroups [TBD]
    • issue1.3M2
  • M3: Using 1.3M1, create a crosswalk of available training compared to Learner Personas/Learning Paths.
    • M3.1: Provide a list of gaps from the issue1.3M# assessment for new content creation.
    • issue1.3M3
  • M4: Provide training on the above for at least four major open source developer or security conferences during 2023 (e.g. FOSDEM, SCALE, Open Source Summit, KubeCon). Different curricula will be needed to target the different audiences (developers, security, DevOps). [TBD]
    • issue1.3M4

Time & resource estimate

| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage |
| --- | --- | --- | --- | --- |
| M1 | 5 | 4 | 20 | ➡️ Y1 |
| M2 | 2 | 2 | 4 | ➡️ Y1 |
| M3 | 5 | 10 | 50 | ➡️ Y1 |
| M4 | 4 | 24 | 96 | ➡️ Y1 |
  • Estimated Total Combined Volunteer Hours: Y1 170
  • Budget Requests


1.4 Goal: Define training areas of focus

Determine the topics desired for educational materials, to help focus the SIG's efforts on identifying and addressing training/education opportunities in priority order and to curate a backlog of future/"next" materials needed.

Dependencies

Key Steps/Milestones

(YEAR 1)

  • M1: Focus not just on development skills and techniques, but also on associated skills modern developers need such as:
    • M1.1: access controls
    • M1.2: testing /validation
    • M1.3: how to build, deploy, and maintain software in DevSecOps scenarios
    • M1.4: training for managers of developers or who oversee open source
    • M1.5: Web/API
    • M1.6: Infrastructure management/config and CI/CD
    • M1.7: Desktop applications
    • M1.8: Mobile
    • issue1.4M1

Time & resource estimate

| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage |
| --- | --- | --- | --- | --- |
| M1 | 5 | 20 | 100 | ➡️ Y1 |
  • Estimated Total Combined Volunteer Hours: Y1 100
  • Budget Requests


1.5 Goal: Identify and prioritize training content to be localized

Determine the highest-value content to be translated for a global audience.

Dependencies

Key Steps/Milestones

(YEAR 1)

  • M1: After existing content has been collected and curated [ ] issue1.1M2, create a prioritized list of most-valuable content to translate
    • issue1.5M1
  • M2: Circulate list for comment/feedback
    • issue1.5M2
  • M3: Identify translators for 5 human, non-English languages
    • issue1.5M3
  • M4: Localize training to 5 human, non-English languages [TBD]
    • M4.1: Spanish
    • M4.2: French
    • M4.3: German
    • M4.4: Chinese/Mandarin
    • M4.5: Japanese
    • issue1.5M4

Time & resource estimate

| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage |
| --- | --- | --- | --- | --- |
| M1 | 4 | 4 | 16 | ➡️ Y1 |
| M2 | 12 | 2 | 24 | ➡️ Y1 |
| M3 | 2 | 4 | 8 | ➡️ Y2 |
| M4 | xx | TBD | TBD | ➡️ Y2 |
  • Estimated Total Combined Volunteer Hours: Y1 - 40 Y2 8+
  • Budget Requests

  • Localization Costs ($200k x5 = $1M) Y2

1.6 Goal: Member organizations asked to contribute existing internal secdev training materials

Many organisations also have their own training materials that they might want to contribute. We don't want to duplicate materials, so we want to reach out and see if they can make them available to us.

Key Steps/Milestones

  • M1: Request content from member organizations for donation or reference
    • IBM: Jeff Boerck
    • Intel: CRob
    • [x] Microsoft: Avishay Balter
    • Contact LF Education for existing resources
    • Contact Major League Hackathons for existing resources
    • Contact Community Classrooms for existing resources
  • M2:
    • Review donated/reference materials
    • Determine what content will be integrated into existing content
    • Determine what content will be provided as new content
    • Proposed courses for training integration

Time & resource estimate

| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage |
| --- | --- | --- | --- | --- |
| M1 | 4 | 16 | 64 | ➡️ Y1 |
| M2 | 5 | 40 | 80 | ➡️ Y1 |
  • Estimated Total Combined Volunteer Hours: Y1 144

1.7 Goal: Develop Learner Pathways to create a training curriculum for targeted personas

Consult with LF Education to create curricula and a "learner journey" that map personas to training materials, in order to develop coursework.

Dependencies

Key Steps/Milestones

  • M1: Using Goals 1.3 and 1.4, map out Learner Pathways and develop course curricula to achieve the learning goals for each desired learner type
    • Create a matrix of learner goals and personas linked to existing materials & gaps
    • issue1.7M1
  • M2: Consult with LF Education team to develop curriculum
    • Talk with LF Education team
    • Adjust plan accordingly
    • Assign high-priority gaps to find/create materials
    • issue1.7M2

Time & resource estimate

| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage |
| --- | --- | --- | --- | --- |
| M1 | 4 | 24 | 96 | ➡️ Y1 |
| M2 | 2 + LF EDU | 40 | 80 | ➡️ Y1 |
  • Estimated Total Combined Volunteer Hours: Y1 176 + LF EDU involvement

Miscellaneous Notes

Recommendations from Randall, Sal, David, and Xavier. Crowdsourcing idea: if the person finds a vulnerable / buggy highly voted SO answer, they just have to do a GitHub search of the snippet itself, and if it's a highly voted answer, they WILL find occurrences. Then they can write / launch / test their CodeQL query on those occurrences. No need to create a dummy file, etc.

Another possibility, even simpler: just write the CodeQL query for the pattern, and launch it on the 1000 most critical projects (as per the OpenSSF critical projects WG) for this language blindly to check if you find something. Because if you find nothing, even if it’s a highly voted answer, then it means that this pattern, fortunately, didn’t make it into the most used projects, so 🤷

Possibility: a browser extension allowing you to declare some code snippets as vulnerable