Brainstorm Around Q4 Security Engineering Champion Milestones #67

Closed
@bensternthal

Description

Let's get some ideas around the work to support the Q4 milestones, what we want to accomplish and most importantly, what done looks like.

Q4 Milestones / Milestone 3

  • Security Implementation: Report on OpenSSF Best Practices Badge program for JavaScript published
  • Security Ongoing / Self-sustaining post contract:
    • Content documented: customized best practices recommended by OpenSSF
    • Best practices JavaScript checklist completed
    • Templates documented
    • Compliance tools created
    • SBOM Generation / Tooling Best Practices updated and documented

For reference: all milestones

Milestone 1

  • Infra Discovery: Project, stakeholders, and requirements gathering completed
  • Infra Planning: Project and program scoping completed
  • Security Planning: Security engineer, Audit Vendor, and Training Vendor hired
  • Security Planning: Inventory and analysis audit completed to establish project Tiers. Top 10 Tier 1 projects to start identified.
  • Security Implementation: Provided direct support to maintainers on the menu of OpenSSF Best Practices Badge program
  • Security Implementation: Provided direct support for secure releases and CVE management

Milestone 2

  • Infra Planning: SOW and communication strategy created
  • Security Implementation: Broad JavaScript ecosystem education and outreach on OpenSSF Best Practices Badge program completed
  • Security Ongoing:
    • Content development update: customized best practices recommended by OpenSSF
    • SBOM Generation / Tooling Best Practices created
    • Compliance Report / Audits / Dashboard created and populated by Tier 2 projects

Milestone 3

  • Infra Design: CI/CD and productivity tools standardization exercise completed
  • Infra Design: Proof of concept where needed implemented
  • Security Implementation: Report on OpenSSF Best Practices Badge program for JavaScript published
  • Security Ongoing / Self-sustaining post contract:
    • Content documented: customized best practices recommended by OpenSSF
    • Best practices JavaScript checklist completed
    • Templates documented
    • Compliance tools created
    • SBOM Generation / Tooling Best Practices updated and documented

Milestone 4

  • Infra Design: Proof of concept user acceptance validation completed
  • Infra Implementation: Onboarded projects into tooling where needed
  • Security Implementation: Secondary Tier projects started. Educate and onboard through consensus with projects’ technical steering committees or individual maintainers
  • Security Implementation: OpenJS and audit vendor publish an Impact Report, summarizing all results of security audits. Example: https://openssf.org/blog/2023/02/01/independent-security-audit-impact-report/
  • Security Implementation: JavaScript training launched
  • Security Implementation: Compliance Report / Audits / Dashboard created and populated by Tier 2 projects
  • Security Ongoing:
    • Direct support to maintainers on the menu of OpenSSF Best Practices Badge program
    • Direct support for secure releases and CVE management
    • Content development: customized best practices recommended by OpenSSF
    • SBOM Generation / Tooling Best Practices created

Milestone 5

  • Infra Implementation: Targeted project transition of productivity and CI/CD complete (Target projects to be identified via SOW) (Phase 1)
  • Security Implementation: Badges implemented on Tier 2 Projects
  • Security Ongoing:
    • Direct support for secure releases and CVE management
    • Content development: customized best practices recommended by OpenSSF
    • SBOM Generation / Tooling Best Practices created
    • Compliance Report / Audits / Dashboard created and populated by Tier 2 projects

Milestone 6

  • Infra Implementation: Targeted project transition of productivity and CI/CD complete (Target projects to be identified via SOW) (Phase 2)
  • Security Implementation: Broad JavaScript ecosystem education and outreach on OpenSSF Best Practices Badge program
  • Security Ongoing:
    • Content development update: customized best practices recommended by OpenSSF
    • SBOM Generation / Tooling Best Practices created
    • Compliance Report / Audits / Dashboard created and populated by Tier 2 projects

Milestone 7

  • Infra Implementation: Targeted project transition of productivity and CI/CD complete (Target projects to be identified via SOW) (Phase 3)
  • Infra: Finalization of transition work
  • Project sunsetting completed
  • Infra: Internal and external support documentation created
  • Infra: Formalization of budget forecasting
  • Security Implementation: Public report on OpenSSF Best Practices Badge program for JavaScript
  • Security Ongoing / Self-sustaining post contract:
    • Content documented: customized best practices recommended by OpenSSF
    • Best practices JavaScript checklist created
    • Templates documented
    • Compliance tools created
    • SBOM Generation / Tooling Best Practices updated and documented
