WG Best practices: Learning platform GTM #19

Closed
3 tasks
xcorail opened this issue Aug 25, 2020 · 15 comments

@xcorail

xcorail commented Aug 25, 2020

Problem statement

The Best Practices WG wants to prepare the go-to-market of the learning platform. This learning platform is leveraging the existing OWASP Security Knowledge Framework. This platform is available for everyone to deploy locally, but we'd like to offer a public instance on the cloud that the community could contribute to in terms of labs and content.
The requests below are needed to prepare this go-to-market.

Questions / Requests

  • Need for development and ops resources:
    • 120 dev hours for SKF
    • 180 dev hours for SKF-Labs
    • Permanent: 8h / week for operations
    • These are approximations, details are documented
  • Need 2 k8s clusters on a cloud (GCP? Azure? ...)
  • What will the promotion plan look like? SKF is currently an OWASP project. Apart from putting the OSSF logo and text on the SKF platform and project, and referencing the project on the OSSF page, is there something else we want to do?
@dlorenc
Contributor

dlorenc commented Aug 26, 2020

We don't currently have any mechanisms for funding or hiring permanent staff in the OSSF. This is something we'll need to discuss in the next TAC meeting and with the Governing Board.

@dlorenc
Contributor

dlorenc commented Aug 26, 2020

Is this related at all to the work @david-a-wheeler is doing with EdX in ossf/wg-best-practices-os-developers#4 ?

@mayakacz
Contributor

No, those are separate efforts. The platform was already being developed by the WG.
I think the question is how this effort should/could be funded, recognizing that there is ongoing opex for a project like this.

@dlorenc
Contributor

dlorenc commented Aug 26, 2020

Makes sense. At the foundation/charter level we have a couple of models:

  • The OSSF Governing Board can choose to raise funds (we decided not to initially). See Section 3, Part h, Paragraph i and Part i, Paragraph vii and Section 12. Those funds could then be distributed as the GB sees fit.
  • The Working Groups themselves can raise funds that would be used specifically for that WG. See Section 3, Part i, Paragraph viii. The GB would have to approve that.

We're planning on making use of the second mechanism in the Securing Critical Projects WG eventually.

@dlorenc
Contributor

dlorenc commented Aug 26, 2020

Note that both of these are really outside the scope of the TAC though, and fall under the GB's responsibilities.

The TAC is responsible for "working with the Technical Initiatives to identify any resource or funding requirements and prioritizing recommendations to the Governing Board", though (Section 6, Part 3, Paragraph iv).

@xcorail
Author

xcorail commented Aug 26, 2020

Thanks @dlorenc @mayakacz

So the TAC is only useful here to give advice on the cloud platform choice, right?
Is there a way I can raise the rest of the questions to the GB?

@dlorenc
Contributor

dlorenc commented Aug 26, 2020

> So the TAC is only useful here to give advice on the cloud platform choice, right?
> Is there a way I can raise the rest of the questions to the GB?

I'm not sure how to raise this with the GB. The TAC will eventually have a representative at the GB that could raise this for you, but that person hasn't been selected yet. See #12 for that.

@dlorenc
Contributor

dlorenc commented Aug 26, 2020

The reason I asked earlier if this is related to @david-a-wheeler's work is that the LF might have some funding already set aside for stuff like this (and David's work). If these can be reconciled that might help.

@mayakacz
Contributor

So it seems we have a need to discuss in the TAC,

  • can these efforts be merged/ should they be merged

"working with the Technical Initiatives to identify any resource or funding requirements and prioritizing recommendations to the Governing Board"

  • if needed and worth pursuing, do we want to make a recommendation to fund an effort

@david-a-wheeler
Contributor

Just to clarify: the course I've developed is completely separate from the OWASP Security Knowledge Framework.

@dlorenc
Contributor

dlorenc commented Aug 27, 2020

Added to the agenda for the next TAC meeting.

@dlorenc
Contributor

dlorenc commented Sep 9, 2020

As discussed in the meeting yesterday, there's no budget right now. The best place to discuss this topic is the joint GB/TAC strategy meeting, which is weekly, Mondays at 10am Pacific time.

@dcmiddle
Contributor

dcmiddle commented Oct 1, 2020

> > So the TAC is only useful here to give advice on the cloud platform choice, right?
> > Is there a way I can raise the rest of the questions to the GB?
>
> I'm not sure how to raise this with the GB. The TAC will eventually have a representative at the GB that could raise this for you, but that person hasn't been selected yet. See #12 for that.

@dlorenc I guess you are now officially on the hook for notifying the board about this issue :)

(Incidentally I think #12 was for the TAC chair vs. the TAC rep to the GB. I don't see an issue for the latter but for the curious out there, the appointment/vote took place at the 2020-09-22 TAC meeting)

@SecurityCRob
Contributor

This can be closed. SKF was given funding from OSSF in 2021 to migrate from a battery of Raspberry Pis under a desk in Europe to THE CLOUD..... (wow!). We thank the TAC & GB for helping that project scale and serve more developers!

@SecurityCRob
Contributor

closing issue- resolved
