Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create security_baseline.md #353

Merged
merged 25 commits into from
Jul 23, 2024
Merged

Create security_baseline.md #353

merged 25 commits into from
Jul 23, 2024

Conversation

Danajoyluck
Copy link
Contributor

GitHub version of the security baseline for TAC review.

GitHub version of the security baseline for TAC review. 

Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
@Danajoyluck Danajoyluck requested a review from a team as a code owner July 10, 2024 22:53
Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
@lehors
Copy link
Contributor

lehors commented Jul 11, 2024

LGTM but I have a couple of nits and a comment/question:

  • I don't think we should add a baseline folder, just add the file in the process folder.
  • the file extension should be .md rather than .MD

If, as discussed, we create a SIG to work on this, are we expecting them to work on this document in the TAC repo? That doesn't seem really desirable. Maybe they could create a copy of this document to work on in another repo. The instance in the TAC repo would then be refreshed from time to time when the SIG produces a new version that the TAC agrees to adopt. So, the instance in the TAC repo would remain the governing version while another copy exists in some other repo for the SIG to work on. Does that sound like a workable process? Any other idea?

@mlieberman85
Copy link
Contributor

LGTM but I have a couple of nits and a comment/question:

  • I don't think we should add a baseline folder, just add the file in the process folder.
  • the file extension should be .md rather than .MD

If, as discussed, we create a SIG to work on this, are we expecting them to work on this document in the TAC repo? That doesn't seem really desirable. Maybe they could create a copy of this document to work on in another repo. The instance in the TAC repo would then be refreshed from time to time when the SIG produces a new version that the TAC agrees to adopt. So, the instance in the TAC repo would remain the governing version while another copy exists in some other repo for the SIG to work on. Does that sound like a workable process? Any other idea?

I agree that we should have something external and only when read do we bring it into the TAC repo. I am making the assumption here that any material change to the baseline would require the TAC to approve.

@lehors
Copy link
Contributor

lehors commented Jul 11, 2024

I am making the assumption here that any material change to the baseline would require the TAC to approve.

Exactly. That's my assumption too. I don't think we want to delegate the responsibility of managing the baseline for the whole organization to the SIG.

Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
This is to fix the path issue in PR #353. Unfortunately I cannot use the original PR to move the file to the parent folder. 

Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
Moving the file to process folder

Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
@lehors lehors changed the title Create security_baseline.MD Create security_baseline.md Jul 11, 2024
@david-a-wheeler
Copy link
Contributor

Is this baseline only for the OpenSSF, or is the intention for this be a baseline applicable to many foundations? Perhaps at one time this was OpenSSF-only, but I think the longer goal is to create a "security baseline" that's useful for many foundations.

It's fine to put in the TAC repo in the short term, but I think in the long term it should NOT be in the TAC repo. It should instead eventually have its own repo or be part of the Best Practices WG repo (the latter would probably be easiest). I think that location will provide a stronger indication that this baseline can be used by other foundations.

@Danajoyluck
Copy link
Contributor Author

Is this baseline only for the OpenSSF, or is the intention for this be a baseline applicable to many foundations? Perhaps at one time this was OpenSSF-only, but I think the longer goal is to create a "security baseline" that's useful for many foundations.

It's fine to put in the TAC repo in the short term, but I think in the long term it should NOT be in the TAC repo. It should instead eventually have its own repo or be part of the Best Practices WG repo (the latter would probably be easiest). I think that location will provide a stronger indication that this baseline can be used by other foundations.

The baseline is for OpenSSF. Can we put it here for now so that we can start updating the life cycle document and get the adoption going?

@lehors
Copy link
Contributor

lehors commented Jul 11, 2024

@david-a-wheeler, that's what @mlieberman85 and I were talking about. My take is that this is only meant for OpenSSF for now. When a SIG is launched with a goal to create one for the larger community they can create their own. Then, the TAC can decide how/when to revise this one.

@david-a-wheeler
Copy link
Contributor

@lehors said:

My take is that this is only meant for OpenSSF for now. When a SIG is launched with a goal to create one for the larger community they can create their own. Then, the TAC can decide how/when to revise this one.

Oh, I see. This PR is for an OpenSSF-specific baseline, and there will likely be a SIG created that starts with & builds on this material to create something for multiple foundations. Presumably, when that SIG is done, the TAC will decide if this PR's text will be replaced. That makes sense. Thanks so much for the clarification!

Copy link
Contributor

@marcelamelara marcelamelara left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for submitting this PR @Danajoyluck ! I've reviewed the first half of the document, and I like the direction this is going. I do have several comments around clarity and specificity that will hopefully help improve this document.

process/security_baseline.md Show resolved Hide resolved
process/security_baseline.md Outdated Show resolved Hide resolved
process/security_baseline.md Outdated Show resolved Hide resolved
process/security_baseline.md Outdated Show resolved Hide resolved
process/security_baseline.md Outdated Show resolved Hide resolved
process/security_baseline.md Show resolved Hide resolved
process/security_baseline.md Outdated Show resolved Hide resolved
process/security_baseline.md Outdated Show resolved Hide resolved
process/security_baseline.md Outdated Show resolved Hide resolved
process/security_baseline.md Outdated Show resolved Hide resolved
Danajoyluck and others added 4 commits July 12, 2024 12:37
fix a  typo

Co-authored-by: Marcela Melara <marcela.melara@intel.com>
Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
Agree with the recommendation.

Co-authored-by: Marcela Melara <marcela.melara@intel.com>
Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
agree with the recommendation

Co-authored-by: Marcela Melara <marcela.melara@intel.com>
Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
Updated the basic operating principles:

changed "without imposing new requirements" to "with minimal new requirements" for principle "Minimal, Achievable, and Practical Baseline Requirements"

updated "Documented Governance Process" to make the objective more clear


Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
process/security_baseline.md Outdated Show resolved Hide resolved
process/security_baseline.md Show resolved Hide resolved
Danajoyluck added a commit that referenced this pull request Jul 12, 2024
Updated two sections of the life cycle:
1.  added "Baseline - Once Sandbox" link to "Sandbox" -> "Project Responsibilities"
2. added "Baseline - To Become Incubating" link to "Incubating" -> "Incubation Entry Requirements and Considerations"

The links reference to merging security baseline to TAC repo. I will update the links once the baseline merge is complete. #353 

Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
added reference for automation and automatibility RE @marcelamelara comment.


Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
address comments from @marcelamelara 
Updated success criteria around adoption, made adoption more specific. Consolidated continuous improvements operating principle into governance process 

Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
added reference for automation 

Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
@Danajoyluck Danajoyluck requested a review from lumjjb July 17, 2024 13:09
Danajoyluck and others added 5 commits July 17, 2024 08:12
Co-authored-by: Marcela Melara <marcela.melara@intel.com>
Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
Co-authored-by: Marcela Melara <marcela.melara@intel.com>
Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
@marcelamelara added goals for once sandbox

Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
Updated "SHOULD" to "MUST" for Scorecard onboarding for to becoming incubating

Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
A few changes:
For "Data in transit must be protected by cryptographic means.", added "TAC project lifecycle governance process SHALL be followed if encryption is not achievable" 

Change "Baseline" to "Security Baseline" for the heading of each  level

Changed "internet service" to "internet or infrastructure service" to consider RSTUF as an infrastructure service


Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
Copy link
Contributor

@SecurityCRob SecurityCRob left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I approve

Copy link
Contributor

@mlieberman85 mlieberman85 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, there's a few caveats but as mentioned in chat I think we are at the point where we can iterate in the SIG and among the pilot projects like GUAC, OpenVEX, protobom, etc.

Copy link
Contributor

@SecurityCRob SecurityCRob left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I look forward to seeing how our pilot projects work through achieving the baseline!

@SecurityCRob SecurityCRob added the documentation Improvements or additions to documentation label Jul 18, 2024
Copy link
Contributor

@lehors lehors left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Contributor

@torgo torgo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@Danajoyluck Danajoyluck requested review from torgo and lehors July 21, 2024 17:23
process/security_baseline.md Outdated Show resolved Hide resolved
Copy link
Contributor

@mlieberman85 mlieberman85 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Member

@steiza steiza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a bunch of minor, nit-picky feedback. Great job synthesizing this complex topic, and I can't wait to get feedback from projects as we roll this out!

process/security_baseline.md Show resolved Hide resolved
process/security_baseline.md Show resolved Hide resolved
process/security_baseline.md Show resolved Hide resolved
process/security_baseline.md Show resolved Hide resolved
process/security_baseline.md Outdated Show resolved Hide resolved
process/security_baseline.md Show resolved Hide resolved
process/security_baseline.md Outdated Show resolved Hide resolved
Copy link
Contributor

@torgo torgo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Copy link
Contributor

@marcelamelara marcelamelara left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates @Danajoyluck ! There are still some edits I'd like to see eventually, but I think this is ready for us and the SIG to begin iterating over.

Danajoyluck and others added 2 commits July 23, 2024 11:04
Co-authored-by: Zach Steindler <steiza@github.com>
Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
Co-authored-by: Zach Steindler <steiza@github.com>
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
@SecurityCRob SecurityCRob merged commit 638cede into main Jul 23, 2024
4 checks passed
@SecurityCRob SecurityCRob deleted the Danajoyluck-patch-1 branch July 23, 2024 18:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation Major Changes to Charter/Technical Strategy/TI Lifecycle process, new TI. Needs 7 approvals, 15d review. TI Lifecycle Issue/PR related to TIs' lifecycle status. Needs 5 approvals, 10d review.
Projects
None yet
Development

Successfully merging this pull request may close these issues.