The OPEA Security Working Group aims to establish a "Security First" mindset in the community in order to prevent and respond to security issues.
Security is often prioritized only after a problem occurs, at which point it is the hardest and most expensive to address. Moreover, without a structured response process in place, security issues are even more difficult to remediate.
The Security Working Group will adopt best practices from established security organizations and educate the community to ensure widespread adoption, i.e., security is everyone's responsibility. Working Group members will also act as subject matter experts to help review pull requests for secure design and implementation.
EOY 2024 Goals
- Coach maintainers through OpenSSF Security Best Practices Badge process [1].
- Get our OpenSSF scorecard up and the scores understood [2].
- Add security deployment mechanisms like Confidential Computing [3].
- Add secure (vulnerability) reporting process [4].
[1] https://www.bestpractices.dev/en
[2] https://github.com/ossf/scorecard
[3] https://confidentialcomputing.io/
[4] https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md
Most initiatives are intended to be realized through existing community mechanisms such as pull requests to the main repositories. In rare cases where the working group needs to make decisions outside of existing processes, we will prefer consensus decision-making and escalate to the TSC as needed.