...
- OpenSSF badging:
- Applicability to "non-code" projects
- David invites review of the best-practices, and then providing feedback to him
- Re-starting badging effort
- Should be possible
- Training
- There is a LF certificate that is good for two year
- Recommend to have one maintainer take at least one course
- Automatic scorecards
- Automatically scan the repos
- SLSA
- ---
- Sigstore
- Verify public key used
- detect malicious signing, revocation
- Facilitates easy signing of artifacts
- There are several integrations ready, e.g. Maven
- Recommendations:
- Learn to develop secure code
- OpenSSF badging
- Use vulnerability tools
- Monitor for vulnerabilities
- Enable rapid updates
- LFX SECURITY DASHBOARDS
- Already have several of the automated tools integrated
- Muddasar Ahmed - https://saf.mitre.org/#/ - Security Automation Framework for DevOps pipelines
- Muddasar Ahmed - Any best practices for people and processes (in addition to the code itself)?
- The training course is people oriented
- Some of the badging are process oriented
- New initiative "Secure Software Factory" - aimed at recommending a pipeline for secure software production
- Follow-up
- The OpenSSF is open to everyone
- If you can't find what you were looking for, contact David Wheeler - dwheeler@linuxfoundatioh.org
Slides:
Recording:video1793455011.mp4
August-18-2021 Forum kick-off meeting
...