- Section Lead - Dave Russo
- Section Team - Sal Kimmich, Emily Fox, Judy Kelly, VMB, Randall T. Vasquez, Christine Abernathy, CRob, Eric Tice, David A. Wheeler, Brian Fox, Avishay Balter
- Section Meeting Time/Details - Thursday 9:00am Eastern, starting Thursday Sept 1, recurring every 2 weeks
- Section Meeting Zoom link
- Section Meeting Notes
Before any meaningful learning can be developed or shared, an inventory of useful existing resources should be collected. This allows for the alignment with learning paths and objectives, as well as highlighting gaps and areas that are missing from the current Common Body of Knowledge (CBK). This information helps Section 2 to develop more complete coursework, labs, and supplementary materials as well as helps with the understanding of what existing materials may need updated to current practices and techniques.Section 3 will provide means to reward and encourage developers ans tudents of all types to adopt and uses these secure development and management techniques.
Before training can be expanded, materials should be collected to understand what is available and what gaps exist in current artifacts so that new materials can be created to fill those gaps or desired new areas
- None
(YEAR 1)
- M1: Create a working document to record existing secure development materials [Sept 2022]
- Working document: here
- issue1.1M1
- M2: Create a Materials Matrix, including defining a structure to organize the content that we are collecting [Oct 2022]
- Spreadsheet working doc here
- issue1.1M2
- M3: Review existing secure development materials from the following sources: Linux Foundation / OpenSSF, OWASP and other OSSF member organizations [Q1 2023]
- Send an e-mail to all OSSF member orgs for feedback/comment
- issue1.1M3
- M4: Prepare and conduct a survey to find out “what’s missing” / “what's wrong” from the existing secure development materials (Dependent upon the list of existing materials) [Q2 2023]
- Determine the criteria and audience for the survey
- Determine the questions to be included in the survey
- Determine potential respondents and ways to solicit responses, focus on reaching a diverse audience and reducing bias
- Perform gap analysis against existing OSSF materials & classes; document areas new content is desired/required [Q3 2023]
- Determine the format of the deliverable report
- issue1.1M4
- M5: Hire Education Program Manager
Hire Program Manager(PgM) to oversee the execution of the EDU.SIG plan, and then facilitate and coordinate the EUD.SIG as it enters operations. This role will need to be one of the first steps undertaken as the EDU.SIG plan is being implemented to ensure its smooth delivery. The EDU.SIG PgM will collect and report out on key metrics of the EDU.SIG program, will coordinate onboarding and training of new EDU.SIG volunteers, amongst other duties.
- M5.1: Create job description + roles & responsibilities for EDU.SIG PgM
- M5.2: Hire PgM
- M5.3: On-board PgM and get them up to speed to start managing plan implementation
- issue1.1M5
| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage |
|---|---|---|---|---|
| M1 | xx | xx | xx | ➡️ Y1 |
| M2 | 2 | 04 | 08 | ➡️ Y1 |
| M3 | 10 | 14 | 140 | ➡️ Y1 |
| M4 | 4 | 04 | 16 | ➡️ Y1 |
| M5 | 4-5 | 18 | 68-84 | ➡️ Y1 |
- Estimated Total Combined Volunteer Hours: Y1 232-248
- EDU Program Manager - 1 FTE ($300k yearly)
After materials have been collected and reviewed by the OER Librarian, it needs to be integrated into the SKF platform so the SKF Ops team can make the new materials available
- Materials Matrix complete - [ ] issue1.1M2
- Review of existing materials and verification of public availability/usage complete
(YEAR 1)
- M1: Hire OER Librarian to manage, coordinate, and maintain the content library [Q2 2023]
- M1.1: Create job description + roles & responiblities for EDU.SIG PgM
- M1.2: Hire PgM
- M1.3: On-board PgM and get them up to speed to start managing plan implementation
- issue1.2M1
| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage |
|---|---|---|---|---|
| M1 | 4-5 | 18 | 68-84 | ➡️ Y1 |
- Estimated Total Combined Volunteer Hours: Y1 68-84
- OER Librarian - 1 FTE ($300k yearly)
Create a list of training personas, learning paths, and channels that educational content will be delivered in
- Materials matrix complete - [ ] issue1.1M2
(YEAR 1)
-
M1: Determine personas that align with the Materials Matrix [TBD]
- Higher Ed
- Trade school/boot camp/professional
- Job change training (new to the career path)
- Primary/secondary Pre-career education
- Managers of software developers
- Trainers ( Aka Train the trainers )
- Contributor/Maintainer training (how to do a pr, maintenance)
- Compliance
- issue1.3M1
-
M2: Formally document these personas for use by the EDU SIG and other OSSF workgroups [TBD]
- issue1.3M2
-
M3: Using 1.3M1 create a crosswalk of available training compared to Learner Personas/Learning Paths.
- issue1.3M3
- M3.1: Provide a list of gaps from issue1.3M# assessment for new content creation.
-
M4: Provide training on the above for at least four major open source developer or security conferences during 2023 (e.g. FOSDEM, SCALE, Open Source Summit, KubeCon). Different curricula will be needed to target the developer audiences of security, devops. [TBD]
- issue1.3M4
| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage |
|---|---|---|---|---|
| M1 | 5 | 4 | 20 | ➡️ Y1 |
| M2 | 2 | 2 | 4 | ➡️ Y1 |
| M3 | 5 | 10 | 50 | ➡️ Y1 |
| M4 | 4 | 24 | 96 | ➡️ Y1 |
- Estimated Total Combined Volunteer Hours: Y1 170
Determine topics desired for educational materials. To help focus efforts of the SIG to identify and address training/education opportunities in priority order and curate backlog of future/"next" materials needed
(YEAR 1)
- M1: Focus not just on development skills and techniques, but also on associated skills modern developers need such as:
- M1.1: access controls
- M1.2: testing /validation
- M1.3: how to build, deploy, and maintain software in DevSecOps scenarios
- M1.4: training for managers of developers or who oversee open source
- M1.5: Web/API
- M1.6: Infrastructure management/config and CI/CD
- M1.7: Desktop applications
- M1.8: Mobile
- issue1.4M1
| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage |
|---|---|---|---|---|
| M1 | 5 | 20 | 100 | ➡️ Y1 |
- Estimated Total Combined Volunteer Hours: Y1 100
Determine the highest-value content to be translated for a global audience
(YEAR 1)
- M1: After existing content has been collected and curated [ ] issue1.1M2, create a prioritized list of most-valuable content to translate
- issue1.5M1
- M2: Circulate list for comment/feedback
- issue1.5M2
- M3: Identify translators for 5 human, non-English languages
- issue1.5M3
- M4: Localize training to 5 human, non-English languages [TBD]
- M4.1: Spanish
- M4.2: French
- M4.3: German
- M4.4: Chinese/Mandarian
- M4.5: Japanese
- issue1.5M4
| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage |
|---|---|---|---|---|
| M1 | 4 | 4 | 16 | ➡️ Y1 |
| M2 | 12 | 2 | 24 | ➡️ Y1 |
| M3 | 2 | 4 | 8 | ➡️ Y2 |
| M4 | xx | TBD | TBD | ➡️ Y2 |
- Estimated Total Combined Volunteer Hours: Y1 - 40 Y2 8+
- Localization Costs ($200k x5 = $1M) Y2
There are many organisations that have also their own training materials that they might want to contribute. We don't want to duplicate materials so we want to reach out and see if they can make it available to us
-
M1: Request content from member organizations for donation or reference
- IBM: Jeff Boerck
- Intel: CRob
- [ x ] Microsoft: Avishay Balter
- Contact LF Education for existing resources
- Contact Major League Hackathons for existing resources
- Contact Community Classrooms for existing resources
-
M2:
- Review donated/reference materials
- Determine what content will be integrated into existing content
- Determine what content will be provided as new content
- Proposed courses for training integration
| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage |
|---|---|---|---|---|
| M1 | 4 | 16 | 64 | ➡️ Y1 |
| M2 | 5 | 40 | 80 | ➡️ Y1 |
- Estimated Total Combined Volunteer Hours: Y1 144
Consult with LF Education to create curricula and "learner journey" to map personas to training materials to develop coursework
- M1: Using Goal1.3 and Goal1.4 map out Learner Pathways and develop course curriculum to acheive learning goals for each desired learner type
- Create a matrix of learner goals and personas lined to existing materials & gaps
- issue1.7M1
- M2: Consult with LF Education team to develop curriculum
- Talk with LF Education team
- Adjust plan accordingly
- Assign high-priority gaps to find/create materials
- issue1.7M2
| Milestone | Estimated Volunteers | Estimated Individual Hours | Estimated Total Hours | Stage |
|---|---|---|---|---|
| M1 | 4 | 24 | 96 | ➡️ Y1 |
| M2 | 2 + LF EDU | 40 | 80 | ➡️ Y1 |
- Estimated Total Combined Volunteer Hours: Y1 176 + LF EDU involvement
Continue to Section 2 - Expand Training
Recommendations from (Randall, Sal, David, Xavier) Crowdsourcing idea: if the person finds a vulnerable / buggy highly voted SO answer, they just have to do a GitHub search of the snippet itself, and if it’s a highly voted answer, they WILL find occurrences. Then they can write / launch / test their CodeQL query on those occurrences. No need to create a dummy file, etc.
Another possibility, even simpler: just write the CodeQL query for the pattern, and launch it on the 1000 most critical projects (as per the OpenSSF critical projects WG) for this language blindly to check if you find something. Because if you find nothing, even if it’s a highly voted answer, then it means that this pattern, fortunately, didn’t make it into the most used projects, so 🤷
Possibility: a browser extension allowing you to declare some code snippets as vulnerable