diff --git a/Minutes/2023 Meeting Notes.md b/Minutes/2023 Meeting Notes.md new file mode 100644 index 0000000..a1a252c --- /dev/null +++ b/Minutes/2023 Meeting Notes.md @@ -0,0 +1,941 @@ + + + +

OpenSSF OSS-SIRT SIG Meeting Notes - 2023

+ + +**Antitrust Policy Notice** + +Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. + +Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at [http://www.linuxfoundation.org/antitrust-policy](http://www.linuxfoundation.org/antitrust-policy). If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation. + +All OpenSSF meeting participants must comply with the OpenSSF Code of Conduct: + +[https://openssf.org/community/code-of-conduct/](https://openssf.org/community/code-of-conduct/) + +Upcoming Topics + +Please add your agenda item, name and approximate time allocation to the bottom of the list. + +

Resources

+ + + + + + + + + + + + +
: Repo | Discussions + Tuesday, January 10, 2023 +

+(occurs every 2 weeks) \ +đź•—: 6:00a PT/9:00a ET +

+ + +: Zoom +

📧📭: OpenSSF* (Mailing List) +

+* Join the Mailing List to receive the calendar meeting invite. +

+ + + + +: OpenSSF (New!) +
+ + +

Meetings

+ + +**Please use the [2024 Meeting Notes](https://docs.google.com/document/d/1FZpsZ5hbid7EcbCoRVDLttv5fOZm48bblJinuIB2USE/edit?usp=sharing)** + +**NOTE: SIG calls are on hold, pending GB funding decision. As status changes, the group will be re-engaged to collaborate further as needed.** + +

2020502 - CALL CANCELED

+ + +

20230404

+ + +

Attendees

+ + +(please **Mark your name is black if you are here,** or add-row name/email/affiliation if joining) + + + + + + + + + + + + + + + +
Name + Email + Affiliation + Pronouns +
CRob + CRob@intel.com + Intel + he/him +
+ + +

Agenda

+ + + + +* Who wants to help out and scribe for us today? +* Welcome new friends +* Collect Opens +* SIG/WG Business +* Where do we want to start? + * Security questionnaire + * “Walking around deck” for recruiting + * Process/workflow +* +* + +

Opens (pending)

+ + + + +* + +

Meeting Notes

+ + + + +* + +

20230321

+ + +

Attendees

+ + +(please **Mark your name is black if you are here,** or add-row name/email/affiliation if joining) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Name + Email + Affiliation + Pronouns +
CRob + CRob@intel.com + Intel/OSSF + he/him +
Randall T. Vasquez + randall@icloud.com + Gentoo + he/him +
Emily Fox + themoxiefoxatwork@gmail.com + Apple, CNCF TOC + she/her +
Avishay Balter + avbalter@microsoft.com + Microsoft + he/him +
+ + +

Agenda

+ + + + +* Who wants to help out and scribe for us today? +* Welcome new friends +* Collect Opens +* SIG/WG Business +* Where do we want to start? + * Security questionnaire + * Feedback from other SIRTs what worked well and what hasn’t; Engage the SIRTs of GB members Next Thursday is the meeting of the FIRST PSIRT SIG; we can ask them to complete the survey + 1. Most common type of incident experienced in the past + 1. Short list of incidents - needs to develop + 2. How do you currently handle incidents, managed ad hoc or with a dedicated team? + 2. SOP + 3. Surge from different parts of the org + 4. Dedicated teams + 5. Insider threat, corporate security, product security, Foundation level teams, versus with projects. + 3. Number of people that respond or manage a security incident? (radio) + 6. 1-2, 3-5,6-10, 11+ + 4. Is this the right size for the kind of incidents you work with? + 5. What are the main challenges you have in managing XX security in your XX product/project/enterprise? + 7. Intake? + 8. Communication? + 9. Prioritization? + 10. Fix/ Remediation/ Mitigation? + 11. Notifying impacted users to upgrade? + 12. Post-Mortem? + 6. How would you describe the level of expertise /expertise areas for security issues and challenges amongst your members, contributors, and employees? (check box) + 13. Early career + 14. Mid career + 15. Senior career + 16. Expert in the tech + 17. General infra expert + 18. Language expert + 7. What are your expectations for an external SIRT team in respect to support communication and response time? + 19. What types of capabilities or services would like to see from a central Open Source Security Incident Response Team (at a project level, foundation level, and general service for all open source)? + 20. What types gaps do you see with the existing external and internal SIRTs? + 8. Which communication channels and tools do you use to track security issues? (Check box) + 21. Email lists? + 22. Dependency graph? + 23. 
Vulnerability feed subscriptions? + 24. GitHub advisories? + 25. Commercial Tooling or open source equivalent? + 26. Security Audits? + 27. Community members? + 28. List some common things? + 9. Do you already or would you be interested in learning more about best practices, techniques, security updates, advisories, etc relevant to your group, product, project? Akin to a newsletter like this week in SIRT news? (check box) + 29. List options here + 30. Website + 31. Webinars + 32. Newsletters + 33. etc. + 10. Are there any specific vulns or risk you are concerned about in your project/product? + 34. Break up into two areas after pulling t[he GitHub blog Jonathan is going to share,](https://github.blog/2021-09-09-analysis-developer-security-researcher-interactions-vulnerability-disclosure/) and getting the themes from the maintainer workshop. + 11. What areas do you think an external SIRT would provide value to you or your project/product? + 35. Related to #6 above - recommend removal + 12. How do you currently prioritize or categorize security incidents, + 36. List a few frameworks. + 37. Merge with # 9 + 38. Rough in some categories of incident types and groupings of vulns (CVE v. CWE) + 13. Would you be open to adopting an approach or framework recommended by the SIRT? + 14. Do you have any policies, procedures or guidelines for dealing with or managing incidents, can these be shared with the SIRT? - related to #3 & #4 + 15. What level of collaboration and information sharing would you be comfortable with sharing between the project and the SIRT? + 39. Ask before 12… + 40. What kind of info do you need to diagnose an incident from a reporter? + 41. What kind of info do you ask for or have been provided? + 16. What are the most important qualities and skills you would expect from an external SIRT team? + 42. Merge with 5 + 17. How can the SIRT best align with your project's SDLC to minimize disruption and minimize security issues effectively? + 43. 
Can you describe your SDLC and identify areas where engagement with a SIRT would be beneficial? + 18. Are you willing to provide a point of contact to serve as advocate/champion to the SIRT and collaborate with them? + 19. Generalize a time when an incident didnt go well and how it didnt go well? + 20. How important is post-incident analysis to your process? Would you be interested in receiving feedback of that analysis for improvements? Such as a runbook on collecting data for evaluation? + 21. Would you prefer the SIRT for focus on proactive or reactive or some combination thereof? + 44. Reactive as primary + 45. Proactive as secondary + 46. SIRT to provide reporting to the TAC - update 3.5 to provide high level common issues being engaged by the SIRT so the TAC may take action on amplifying that feedback through initiatives. + * Once questionaire is completed/revised, @ jonathan to forward to “the github stars” + * “Walking around deck” for recruiting + * Process/workflow +* What is our first focus? + * Is it only the most important projects or is it all projects? + * +* CRoB will look at converting to survey monkey +* Jonathan will share with GitHub Stars slack channel when done. +* figure out SurveyMonkey to eventually send out survey + +

Opens (pending)

+ + + + +* + +

Meeting Notes

+ + + + +* + +

20230307

+ + +

Attendees

+ + +(please **Mark your name is black if you are here,** or add-row name/email/affiliation if joining) + + + + + + + + + + + + + + + + + + + + + +
Name + Email + Affiliation + Pronouns +
CRob + CRob@intel.com + Intel/OSSF + he/him +
Randall T. Vasquez + randall@icloud.com + Gentoo + he/him +
+ + +

Agenda

+ + + + +* Who wants to help out and scribe for us today? +* Welcome new friends +* Collect Opens +* [CRob] Upcoming TAC elections: + * **Voter Eligibility (Electorate) Self-Nomination Process** + * Any contributor to OpenSSF working groups or initiatives is eligible to participate in the election. Valid contributions include: commits or submitted pull requests via Github; public edits or comments on Google docs or other work products associated with OpenSSF; posting messages to any mailing list or on Slack; and beyond that any other form of positive engagement with OpenSSF activities. The form asks you for an example of your contributions; this is merely to make it easier for election observers and OpenSSF staff to validate. If you have in any way been involved in or care about OpenSSF, but are in doubt as to whether your contribution “counts”, please fill it out anyways, and we will follow up. + * Deadline: March 12, 2023 + * [Voter Eligibility Self-Nomination Form](https://docs.google.com/forms/d/e/1FAIpQLSdgQdwnRH5nMLkYUDhuM7LYxUynairprGc_xAPIZm9SGaytfg/viewform?usp=sf_link) + * **TAC Self-Nomination Process** + * The OpenSSF Technical Advisory Council (TAC) is composed of seven total individuals, four of whom are elected annually. If you are interested in serving on the TAC, and qualify as an eligible voter as above, please complete the self-nomination form below, + * Deadline: March 12, 2023 + * [TAC Candidate Self-Nomination Form](https://docs.google.com/forms/d/e/1FAIpQLSdn91eLxfVYwiDw4OrAw3lSYVPVqOkcTJl2VzX07Q7idONefQ/viewform?usp=sf_link) + * **SCIR Self-Nomination Information and Process** + * [Since early in its existence](https://openssf.org/blog/2020/10/07/openssf-seeks-security-community-individual-representative-for-governing-board/), the OpenSSF Governing Board has sought to ensure it gets adequate input from voices in the software security community who would otherwise not be at the table. 
We seek candidates for the Security Community Individual Representative (SCIR) who can represent those voices, while also being a subject matter expert in the field with their own set of perspectives. Familiarity with the different OpenSSF working groups and projects, and being able to dedicate the time to be sufficiently informed on the issues that arise in our monthly calls and ongoing discussions, is highly desired. It is also highly desired, but not required, that the SCIR be a contributor and thus eligible to vote in the election. + * Deadline: March 12, 2022 + * [SCIR Candidate Self-Nomination Form](https://docs.google.com/forms/d/e/1FAIpQLSfsbVO1wMfEXZNJmYqjm2ND929HHYgwGrNu-uRifV5xwszLCw/viewform?usp=sf_link) +* Update on plan proposal….. +* Where do we want to start? + * Security questionnaire + * “Walking around deck” for recruiting + * Process/workflow +* + +

Opens (pending)

+ + + + +* + +

Meeting Notes

+ + + + +* + +

20230221

+ + +

Attendees

+ + +(please **Mark your name is black if you are here,** or add-row name/email/affiliation if joining) + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Name + Email + Affiliation + Pronouns +
CRob + CRob@intel.com + Intel/OSSF + he/him +
Emily Fox + themoxiefoxatwork@gmail.com + Apple, CNCF TOC + she/her +
Art Manion + zmanion@protonmail.com + ANALYGENCE + +
+ + +

Agenda

+ + + + +* Welcome new friends +* Who wants to help out and scribe for us today? +* Collect Opens +* SIG/WG Business + +

Opens (pending)

+ + + + +* + +

Meeting Notes

+ + + + +* + +

20230207 - CANCELED

+ + +

20230124 - CANCELED

+ + +

Attendees

+ + +(please **Mark your name is black if you are here,** or add-row name/email/affiliation if joining) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Name + Email + Affiliation + Pronouns +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + +

Agenda

+ + + + +* Welcome new friends +* Who wants to help out and scribe for us today? +* Collect Opens +* SIG/WG Business +* Plan still under review by TAC (Issue [131](https://github.com/ossf/tac/issues/131)) +* + +

Opens (pending)

+ + + + +* + +

Meeting Notes

+ + + + +* Team Activities + * Team 1 - Problem Space (Randall) + * + * Team2 - ID core services (Art) + * + * Team 3 - Execution () + * + +

20230110

+ + +

Attendees

+ + +(please **Mark your name is black if you are here,** or add-row name/email/affiliation if joining) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Name + Email + Affiliation + Pronouns +
CRob + CRob@intel.com + Intel/OSSF + he/him +
Randall T. Vasquez + randall@icloud.com + Gentoo + he/him +
Marta Rybczynska + rybczynska@gmail.com + Syslinbit/Eclipse + she/her +
Avishay Balter + avbalter@microsoft.com + Microsoft + he/him +
Jeffrey + Borek + IBM + +
+ + +

Agenda

+ + + + +* Welcome new friends +* Who wants to help out and scribe for us today? +* Collect Opens +* SIG/WG Business +* OSS-SIRT plan is still under review by TAC. CRob will provide update after call today +* Randall was contacted by Zero-Day group to talk about the OSS-SIRT; team will start to organize to approach to talk to upstream/devs about SIRT-needs +* Art - kernel security views on vuln identifiers. Would this be a useful task for an OSS-SIRT team? + +

Opens (pending)

+ + + + +* + +

Meeting Notes

+ + + + +* Team Activities + * Team 1 - Problem Space (Randall) + * + * Team2 - ID core services (Art) + * + * Team 3 - Execution (Francis) + * + +
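Review bot: The SCIR deadline under the 20230307 agenda reads "March 12, 2022" while the adjacent Voter Eligibility and TAC deadlines in the same list read "March 12, 2023"; this looks like a typo and should be corrected before merge. The heading "2020502 - CALL CANCELED" also breaks the YYYYMMDD convention used by every other meeting heading (20230404, 20230321, 20230307, ...) and is probably meant to be 20230502. Minor points: the attendee tables repeat "Mark your name is black" where "in black" is intended; the Resources block has lost its link labels (": Repo | Discussions", ": Zoom", ": OpenSSF (New!)") so readers cannot tell what the links are; the 20230321 security questionnaire carries two interleaved numbering sequences (1-21 and 1-46) that make the sub-items hard to follow; and since this file is committed to a public repository, the attendee rows contain personal email addresses that should only be included with those attendees' consent.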