Proposal: Expanding Security Benchmarks for Critical OSS in OpenSSF #352

Closed
fredgan opened this issue Jul 10, 2024 · 8 comments

Labels: For Review Next Meeting; TI Funding Request (Quarterly TI requests for funding. Needs 5 approvals, 7d review.)

Comments

fredgan commented Jul 10, 2024

Hi everyone,

I've recently noticed a proliferation of security parameter/configuration specifications within our company, such as the "Redis security configuration baseline."

Upon reviewing these specifications, I discovered many rules originate from the CIS Benchmark (https://www.cisecurity.org/cis-benchmarks), which offers valuable benchmarks for various OSS projects like Docker, Kubernetes, MongoDB, and Nginx.

However, there's a concerning gap in coverage for critical OSS projects like Spring Boot, Beego, Jenkins, Etcd, and Zookeeper.

Proposal:

I propose establishing a Working Group (WG) within OpenSSF to develop security configuration benchmarks for these currently unsupported critical OSS projects.

Benefits:

  - Standardized security baselines for essential OSS components.
  - Reduced burden on individual companies for creating their own specifications.
  - Improved overall security posture across the industry.

I believe this initiative would significantly benefit companies and individuals by providing a centralized resource for robust security configurations.

Thank you for your time and consideration.

SecurityCRob (Contributor) commented:

@fredgan would you be able to join us on the next TAC call on 23July2024 to discuss your proposal?

SecurityCRob added the labels "For Review Next Meeting" and "TI Funding Request" on Jul 18, 2024.

fredgan (Author) commented Jul 19, 2024

OK, I will. Thanks for the invitation. @SecurityCRob

sevansdell (Contributor) commented:

Thank you for presenting today. I'd like to get you scheduled to speak to the OpenSSF Project Alpha/Omega. @scovetta, @bobcallaway. Is working with the ecosystem to get CIS benchmarks (or something similar in security audits) something that already exists/could be added to Alpha / Omega? If not, want to understand why not, and help Fred find a place to land this work in OpenSSF.

david-a-wheeler (Contributor) commented:

The OpenSSF Securing Critical Projects Working Group has a Set of Critical Open Source Projects version 1.1, which uses a set of data sources including the Harvard "Census II" study. That might be a reasonable place to look for critical OSS.

There are several different configurations to consider:

  1. Build-time
  2. As released
  3. As used in the field by widely-used systems

The challenge will be ensuring that the configurations are evaluated by those who understand the projects well, and that these improved configurations become widely used (e.g., because they're the default).

Instead of independently releasing configurations, maybe these should work with the key projects to ensure that these projects' documentation & default configurations are more secure, however the project releases them. Then we don't have to try to redirect people to the OpenSSF - they'll just get the better configuration. Anyway, that might be one way to proceed.

fredgan (Author) commented Sep 3, 2024

> Thank you for presenting today. I'd like to get you scheduled to speak to the OpenSSF Project Alpha/Omega. @scovetta, @bobcallaway. Is working with the ecosystem to get CIS benchmarks (or something similar in security audits) something that already exists/could be added to Alpha / Omega? If not, want to understand why not, and help Fred find a place to land this work in OpenSSF.

OK, thanks for your suggestions. I will try to discuss it in the Slack https://app.slack.com/client/T019QHUBYQ3/C02LUUWQZNK

fredgan (Author) commented Sep 3, 2024

> The OpenSSF Securing Critical Projects Working Group has a Set of Critical Open Source Projects version 1.1, which uses a set of data sources including the Harvard "Census II" study. That might be a reasonable place to look for critical OSS.
>
> There are several different configurations to consider:
>
>   1. Build-time
>   2. As released
>   3. As used in the field by widely-used systems
>
> The challenge will be ensuring that the configurations are evaluated by those who understand the projects well, and that these improved configurations become widely used (e.g., because they're the default).
>
> Instead of independently releasing configurations, maybe these should work with the key projects to ensure that these projects' documentation & default configurations are more secure, however the project releases them. Then we don't have to try to redirect people to the OpenSSF - they'll just get the better configuration. Anyway, that might be one way to proceed.

I agree that the configurations should be evaluated by those who understand the projects well. But that's not enough; they should also be experts in cybersecurity. As far as I know, no such configuration benchmarks are released by any project community. Maybe there are some gaps here: lack of motivation, lack of time, or lack of expertise in cybersecurity.

If communities release such security standards later, these standards may vary widely in format. Standardized specifications would be a better option. What do you think about this?

sevansdell (Contributor) commented:

It's not clear to me what funding is being requested. I believe we should defer this request until the effort is aligned with/creates a TI, and has a specific defined budget request/goal. Looking forward to seeing this one back in the future.

SecurityCRob (Contributor) commented:

A quorum of the TAC met on 17Sept to discuss Q3 TI Funding Requests.

The group suggests that this idea should be taken to the Securing Critical Projects WG to see if they are interested in collaborating on this effort. There may be community members there that agree with the value this work could provide and take that up as a SIG under their umbrella.

As there is no financial request, no further action is needed for the TAC. Closing.
