  • OpenSSF badging:
  • Applicability to "non-code" projects
    • David invites review of the best practices, followed by feedback to him
  • Re-starting badging effort
    • Should be possible
  • Training
    • There is an LF certificate that is good for two years
    • Recommend to have one maintainer take at least one course
  • Automatic scorecards
    • Automatically scan the repos
    • SLSA
  • Sigstore
    • Verify public key used
    • Detect malicious signing and support key revocation
    • Facilitates easy signing of artifacts
    • There are several integrations ready, e.g. Maven
  • Recommendations:
    • Learn to develop secure code
    • OpenSSF badging
    • Use vulnerability tools
    • Monitor for vulnerabilities
    • Enable rapid updates
    • Already have several of the automated tools integrated
  • Muddasar Ahmed - Security Automation Framework for DevOps pipelines
  • Muddasar Ahmed - Any best practices for people and processes (in addition to the code itself)?
    • The training course is people oriented
    • Some of the badging are process oriented
    • New initiative "Secure Software Factory" - aimed at recommending a pipeline for secure software production
  • Follow-up
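The Sigstore bullets above (verify which public key signed an artifact, detect malicious signing, honour revocation) describe what an artifact verifier has to check. The following Go program is an added illustration, not code from the meeting, from OpenSSF or from the Sigstore project: it replaces Sigstore's keyless flow and transparency log with a plain ed25519 key pair, a constructed sample artifact, and an in-memory trusted/revoked key set, so the three checks can be seen end to end. All names (`Verifier`, `SignArtifact`, `VerifyArtifact`, `KeyID`) are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Verifier holds the trusted signing keys and the set of keys that have been
// revoked. Keys are indexed by the hex SHA-256 of the public key bytes.
// (Stand-in for a real trust root such as Sigstore's; assumed for this example.)
type Verifier struct {
	trusted map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewVerifier() *Verifier {
	return &Verifier{trusted: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

// KeyID derives a stable identifier for a public key, so a signature can say
// which key produced it and the verifier can look that key up.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

func (v *Verifier) Trust(pub ed25519.PublicKey)  { v.trusted[KeyID(pub)] = pub }
func (v *Verifier) Revoke(pub ed25519.PublicKey) { v.revoked[KeyID(pub)] = true }

// Signature bundles the signature over the artifact digest with the id of the
// key that made it.
type Signature struct {
	KeyID string
	Sig   []byte
}

// SignArtifact signs the SHA-256 digest of the artifact bytes.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) Signature {
	digest := sha256.Sum256(artifact)
	pub := priv.Public().(ed25519.PublicKey)
	return Signature{KeyID: KeyID(pub), Sig: ed25519.Sign(priv, digest[:])}
}

var (
	ErrUnknownKey = errors.New("signature made by a key that is not trusted")
	ErrRevokedKey = errors.New("signature made by a revoked key")
	ErrBadSig     = errors.New("signature does not verify against artifact")
)

// VerifyArtifact checks, in order: the signing key is known, the key has not
// been revoked, and the signature is valid over the artifact digest.
func (v *Verifier) VerifyArtifact(artifact []byte, s Signature) error {
	pub, ok := v.trusted[s.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if v.revoked[s.KeyID] {
		return ErrRevokedKey
	}
	digest := sha256.Sum256(artifact)
	if !ed25519.Verify(pub, digest[:], s.Sig) {
		return ErrBadSig
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v := NewVerifier()
	v.Trust(pub)

	// Constructed sample artifact; in practice this would be the release file.
	artifact := []byte("constructed sample artifact: release-1.0.tar.gz contents")
	sig := SignArtifact(priv, artifact)

	fmt.Println("genuine artifact:  ", v.VerifyArtifact(artifact, sig))
	fmt.Println("tampered artifact: ", v.VerifyArtifact([]byte("tampered contents"), sig))
	v.Revoke(pub)
	fmt.Println("after revocation:  ", v.VerifyArtifact(artifact, sig))
}
```

The order of the checks matters for the "detect malicious signing" point: a signature that verifies mathematically is still rejected if it comes from a key the project never trusted or has since revoked, which is the case a compromised or stolen key produces.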