Proposal: Expanding Security Benchmarks for Critical OSS in OpenSSF #352
Comments
@fredgan would you be able to join us on the next TAC call on 23 July 2024 to discuss your proposal?
OK, I will. Thanks for your invitation. @SecurityCRob
Thank you for presenting today. I'd like to get you scheduled to speak to the OpenSSF Project Alpha/Omega. @scovetta, @bobcallaway. Is working with the ecosystem to get CIS benchmarks (or something similar in security audits) something that already exists/could be added to Alpha / Omega? If not, want to understand why not, and help Fred find a place to land this work in OpenSSF.
The OpenSSF Securing Critical Projects Working Group has a Set of Critical Open Source Projects version 1.1, which uses a set of data sources including the Harvard "Census II" study. That might be a reasonable place to look for critical OSS. There are several different configurations to consider:
The challenge will be ensuring that the configurations are evaluated by those who understand the projects well, and that these improved configurations become widely used (e.g., because they're the default). Instead of independently releasing configurations, maybe these should work with the key projects to ensure that these projects' documentation & default configurations are more secure, however the project releases them. Then we don't have to try to redirect people to the OpenSSF - they'll just get the better configuration. Anyway, that might be one way to proceed.
OK, thanks for your suggestions. I will try to discuss it in the Slack https://app.slack.com/client/T019QHUBYQ3/C02LUUWQZNK
I agree that the configurations should be evaluated by those who understand the projects well. But that's not enough; they should also be experts in cybersecurity. As far as I know, no such configuration benchmarks are released by any project community. Maybe there are some gaps here: lack of motivation, lack of time, or lack of expertise in cybersecurity. If communities release such security standards later, these standards may vary widely in format. Standardized specifications would be a better option. What do you think about this?
It's not clear to me what funding is being requested. I believe we should defer this request until the effort is aligned with/creates a TI, and has a specific defined budget request/goal. Looking forward to seeing this one back in the future.
A quorum of the TAC met on 17 Sept to discuss Q3 TI Funding Requests. The group suggests that this idea should be taken to the Securing Critical Projects WG to see if they are interested in collaborating on this effort. There may be community members there that agree with the value this work could provide and take that up as a SIG under their umbrella. As there is no financial request, no further action is needed for the TAC. Closing
Hi everyone,
I've recently noticed a proliferation of security parameter/configuration specifications within our company, such as the "Redis security configuration baseline."
Upon reviewing these specifications, I discovered many rules originate from the CIS Benchmark (https://www.cisecurity.org/cis-benchmarks), which offers valuable benchmarks for various OSS projects like Docker, Kubernetes, MongoDB, and Nginx.
However, there's a concerning gap in coverage for critical OSS projects like Spring Boot, Beego, Jenkins, Etcd, and Zookeeper.
Proposal:
I propose establishing a Working Group (WG) within OpenSSF to develop security configuration benchmarks for these currently unsupported critical OSS projects.
Benefits:
Standardized security baselines for essential OSS components.
Reduced burden on individual companies for creating their own specifications.
Improved overall security posture across the industry.
I believe this initiative would significantly benefit companies and individuals by providing a centralized resource for robust security configurations.
Thank you for your time and consideration.