...
| Name | Affiliations | Interests |
|---|---|---|
| SamsungLF, ONAP TSC, LFN TAC, LFN MAC | Cross-community collaboration | |
| Tony Hansen | AT&T, ONAP SECCOM | best practices, tools, cross-community collaboration, CII badging |
| LFN, ONAP, Anuket, US-GOV-OPS | best practices, considerations for software release | |
| LFN, LFN MAC | Messaging, communications, content | |
| MITRE Corp, ONAP SECCOM | Adversarial threat, Threat Informed Defense | |
| Muddasar Ahmed | MITRE Corp, ONAP SECCOM | Adversarial threat, Threat Informed Defense |
| Ericsson, ONAP Architecture Subcommittee, SECCOM | security architecture, best practices, industry trends | |
| Amy Zwarico | AT&T, ONAP SECCOM | Security architecture, software composition analysis, static application security testing, software bill of materials, PKI, cross community collaboration |
| F5 Networks, ONAP SECCOM | Best practices sharing accross LFN projects, security architecture, automation, software composition analysis, static application security testing, software bill of materials, security in the containers scanning, adoption of tools to increase software security. | |
| Orange, Anuket | Cross-community collaboration, tools, open source software security, software bill of materials, zero trust architecture | |
| Ruben Merz | Swisscom | Security architecture, cross-community collaboration, security automation, zero-trust architecture, PKI, telco security topics, supply-chain security, secure CI/CD |
| Ragashree M C | Nokia, CNCF, Anuket, OWASP | Security architecture, best practices, industry trends, cross-community collaboration, security automation, |
| Samuli Kuusela | Ericsson, ONAP SECCOM, Anuket | Cross-community collaboration, best practices, security architecture |
...
| Table of Contents | ||
|---|---|---|
|
April-21-2022 Meeting with David Wheeler
- OpenSSF badging:
- Applicability to "non-code" projects
- David invites review of the best-practices, and then providing feedback to him
- Re-starting badging effort
- Should be possible
- Training
- There is a LF certificate that is good for two year
- Recommend to have one maintainer take at least one course
- Automatic scorecards
- Automatically scan the repos
- SLSA
- Sigstore
- Verify public key used
- detect malicious signing, revocation
- Facilitates easy signing of artifacts
- There are several integrations ready, e.g. Maven
- Recommendations:
- Learn to develop secure code
- OpenSSF badging
- Use vulnerability tools
- Monitor for vulnerabilities
- Enable rapid updates
- LFX SECURITY DASHBOARDS
- Already have several of the automated tools integrated
- Muddasar Ahmed - https://saf.mitre.org/#/ - Security Automation Framework for DevOps pipelines
- Muddasar Ahmed - Any best practices for people and processes (in addition to the code itself)?
- The training course is people oriented
- Some of the badging are process oriented
- New initiative "Secure Software Factory" - aimed at recommending a pipeline for secure software production
- Follow-up
- The OpenSSF is open to everyone
- If you can't find what you were looking for, contact David Wheeler - dwheeler@linuxfoundatioh.org
Slides: https://docs.google.com/presentation/d/1VrLTfSV4K75XZCG7Mtb00RXQcGJFKk6Y0QQ91BVflCw/edit
Recording:video1793455011.mp4
August-18-2021 Forum kick-off meeting
...