
[Proposal] Guidance for projects on evaluation and tracking security dependencies #155

Closed
ultrasaurus opened this issue May 2, 2019 · 8 comments
Labels: assessment-process (proposed improvements to security assessment process), project (work of the group)

Comments

@ultrasaurus (Member)

This has come up in discussions in meetings about whether we might help projects through the assessment process by recommending best practices or common techniques for projects to consider, evaluate and track the security of their dependencies.

@lumjjb's comment:

Within the ecosystem, is there a concern of delegation of security responsibilities from one project to another and vice versa? Perhaps a project is relying on security mechanisms of another CNCF technology which has not been reviewed yet? How would this affect the security posture of the project? I suppose that this would be a rare case that can be handled whenever it comes up.

@ultrasaurus ultrasaurus added the assessment-process proposed improvements to security assessment process label May 2, 2019
@ficcaglia commented May 2, 2019

Taking a cue from Ash's OPA write-up, where he mentions the CII badge framework, I posted a "worksheet" in #153 (comment).

They don't explicitly talk of dependencies until the "beyond basics" level:
https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/other.md#externally-maintained-components

I added it - and the other Silver level items - to the worksheet.

@stale (stale bot) commented Mar 17, 2020

This issue has been automatically marked as inactive because it has not had recent activity.

@stale stale bot added the inactive No activity on issue/PR label Mar 17, 2020
@mattklein123 mattklein123 added the project work of the group label Mar 25, 2020
@stale stale bot removed the inactive No activity on issue/PR label Mar 25, 2020
@mattklein123

FYI this is an issue we are planning on putting a considerable amount of effort into within Envoy. See envoyproxy/envoy#10471 for more information and discussion. From my perspective there is a lot of overlap between what we need to do for Envoy and what other projects also need, so it would be a shame to duplicate effort.

Is this worth a chat in one of the SIG meetings? cc @htuch @justincormack

@justincormack (Contributor)

Yes, I think it would be a good discussion topic, with the aim of trying to set up a useful outcome for projects, e.g. guidelines, a working group, amendments for CII, or whatever seems most useful.

@htuch commented Mar 26, 2020

Please count me in on any meeting here. We are likely to formulate an Envoy-side policy as a starting point, but would like to ensure it has alignment with best practices across CNCF. Our main focus is in the C++ dependency space and establishing a consistent set of guidelines for when it is reasonable to add an additional dependency to Envoy. We are also interested in tooling that can allow us to propagate dependency information to determine the security posture of Envoy components such as extensions.

@anvega anvega changed the title guidance for projects on evaluation and tracking security dependencies [Proposal] Guidance for projects on evaluation and tracking security dependencies Feb 27, 2023
@anvega (Contributor) commented Feb 27, 2023

@mlieberman85 is currently reevaluating this proposal as part of the supply chain security workgroup.

@mlieberman85 (Collaborator) commented Feb 28, 2023

Will write something a bit more extensive up later, but the gist of what some folks have been asking for is:

  • A self-assessment for supply chain security best practices, with guidance on how to hit the requirements, e.g. SSCP.
  • An automated assessment along with automated remediation of any gaps, e.g. OpenSSF Scorecard.
  • Some sort of program sponsored through LF to help provide security help on certain CNCF projects that critically need it.

@anvega (Contributor) commented Jun 21, 2023

The scope of this proposal has been subsumed by the charter of the TAG's Supply Chain working group, and it's captured as an active effort that they are driving towards. We'll close this proposal as it is now being acted upon through the workgroup's active efforts.

@anvega anvega closed this as completed Jun 21, 2023
7 participants