Episode 97: Practitioner Guides: #4 Security
Episode Synopsis
Thank you to the folks at Sustain (https://sustainoss.org/) for providing the hosting account for CHAOSSCast!
CHAOSScast – Episode 97
In this episode of CHAOSScast, Harmony Elendu hosts a discussion with Emily Fox from Red Hat and Dawn Foster, the Director of Data Science at CHAOSS. Today, they explore the new Security Practitioner Guide, created to help maintainers who may lack deep security backgrounds get started with essential security practices. Emily and Dawn highlight actionable steps, key trends, and simplifications to adopt in maintaining a secure project. They also touch on challenges like vulnerability reporting and the importance of consistent monitoring and updating. They also emphasize the guide's flexibility, which allows customization and improvement over time, and the significance of community support. Press download now to hear more!
[00:02:02] Dawn starts out by providing an overview of the CHAOSS Project’s Practitioner Guides, which help newcomers to open source understand key metrics, and mentions the current focus on the Security Guide.
[00:03:24] Dawn gives us an overview of the Security Practitioner Guide, describing it as a starting point for maintainers, particularly those without a security background.
[00:04:10] Emily emphasizes that many maintainers struggle with starting security practices and shares the two primary security focuses in open source: project security design and repository security.
[00:05:38] Harmony notes the importance of project design and patterns, asking about security trends and considerations in open source projects. Dawn mentions Libyears (dependency freshness) and Release Frequency as key security metrics, and Emily adds that OpenSSF best practices contribute to project quality and maturity.
[00:08:32] Harmony asks for insights on how contributors can interpret these metrics. Emily suggests various resources and communities, such as CNCF’s tag-security, for maintainers looking to improve security.
[00:11:39] Emily discusses common issues with vulnerability reporting and the importance of having a process in place, with community resources available for support. Dawn emphasizes the importance of having basic security policies in place early on in a project and suggests starting out with a simple security.md file to outline how to handle vulnerability reports.
[00:15:47] Dawn suggests consulting the Practitioner Guide’s “Make Improvements” section, which includes adding a security.md file and implementing automation to track outdated dependencies. Emily cautions that metrics are only as effective as their relevance, recommending incremental steps for improvement.
[00:18:53] Dawn highlights the importance of the OpenSSF Scorecard, which helps both maintainers and OSPOs assess project security.
[00:20:29] Emily and Dawn simplify the Practitioner Guides into basic steps and Emily reiterates that projects should define their own security goals and commit to them for consistent improvements.
[00:23:56] Harmony emphasizes the importance of documentation for continuity in project security and Dawn reminds us that the Practitioner Guides are MIT-licensed and customizable for different projects.
[00:25:11] Dawn and Emily explain where you can ask questions about how to implement things in your project using the Practitioner Guide.
Adds (Picks) of the week:
[00:26:55] Dawn’s pick is 3D printing and learning how to design new things.
[00:28:02] Emily’s pick is taking a break from the internet and doing something outside.
[00:28:45] Harmony’s pick is creating personalized templates to help with document preparation and tasks.
Panelists:
Harmony Elendu
Dawn Foster
Guest:
Emily Fox
Links:
CHAOSS (https://chaoss.community/)
CHAOSS Project X (https://twitter.com/chaossproj?lang=en)
CHAOSScast Podcast (https://podcast.chaoss.community/)
Harmony Elendu X (https://x.com/ogaharmony)
Dawn Foster X (https://twitter.com/geekygirldawn?lang=en)
Emily Fox LinkedIn (https://www.linkedin.com/in/themoxiefox/)
CHAOSS Practitioner Guides (https://chaoss.community/about-chaoss-practitioner-guides/)
CHAOSS Practitioner Guide: Security (https://chaoss.community/practitioner-guide-security/)
Libyears (https://chaoss.community/kb/metric-libyears/#:~:text=Libyears%20measure%20the%20cumulative%20age,pre%2Drelease%20or%20draft%20versions.)
Release Frequency (https://chaoss.community/kb/metric-release-frequency/#:~:text=A%20higher%20frequency%20of%20releases,release%20frequency%20is%20highly%20variable.)
Cloud Native Contributors Security Guidelines for New Projects (https://contribute.cncf.io/maintainers/security/security-guidelines/)
GitHub Docs-Adding a security policy to your repository (https://contribute.cncf.io/maintainers/security/security-guidelines/)
OpenSSF Scorecard (https://scorecard.dev/)
OpenSSF-Source Code Management Platform Configuration Best Practices (https://best.openssf.org/SCM-BestPractices/)
CNCF tag-security: Self-assessment (https://github.com/cncf/tag-security/blob/main/community/assessments/guide/self-assessment.md)
CHAOSScast Podcast-Episode 85: Introducing CHAOSS Practitioner Guides: #1 Responsiveness (https://podcast.chaoss.community/85)
CHAOSScast Podcast-Episode 88: Practitioner Guides: #2 Contributor Sustainability (https://podcast.chaoss.community/88)
CHAOSScast Podcast-Episode 89: Practitioner Guides: #3 Organizational Participation (https://podcast.chaoss.community/89)
CHAOSScast Podcast-Episode 93: Guest Episode-Sustain meets CHAOSScast to talk about Practitioner Guides (https://podcast.chaoss.community/93)
Dawn Foster- Maker World (https://makerworld.com/en/@user_3491927221)
Special Guest: Emily Fox.