Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create security_baseline_sandbox_stage.md #354

Merged
merged 5 commits into from
Jul 23, 2024
Merged
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
## Creation of a new Special Interest Group (SIG) at Sandbox stage

### Proposed focus, intent, goals, and/or deliverables

The goal of this SIG is to evolve [OpenSSF security baseline](https://github.com/ossf/tac/blob/a90b9838739ac18df43197fdd89f045c1a1e4dc3/process/security_baseline.md) for Linux Foundation wide adoption.

For OpenSSF adoption of the security baseline, there needs to be a home for tracking the adoption, for maintainers to raise issues to achieve the objectives of the baseline, and for OpenSSF to develop the roadmap for refining the baseline and future roadmaps. The pilot adoption builds the foundation for wider adoption of the baseline in OpenSSF and in Linux Foundation.

This SIG creates a venue for other participating foundations to help evolve the OpenSSF security baseline into a security baseline that can be applied to a broad range of software-based projects. The group will define the right level of risks that the baseline is applicable for, the effectiveness measurement of the baseline, and the adoption path of the baseline at the minimum.

Members of this group will be from various Linux foundations and entities outside of Linux Foundation. Reducing duplicate effort and achieving a higher level of security across Linux FOundation participating foundations is one of the goal of the group.


### List SIG Lead(s)
The SIG must have a minimum of 1 Lead
* Eddie Knight, OpenSSF Security Insights lead, Sonatype, GitHub ID: eddie-knight

Check failure on line 16 in process/sig-lifecycle-documents/security_baseline_sandbox_stage.md

View workflow job for this annotation

GitHub Actions / Check Spelling

`eddie` is not a recognized word. (unrecognized-spelling)
* Michael Lieberman, OpenSSF GUAC lead, Kusari, GitHub ID: mlieberman85

Check failure on line 17 in process/sig-lifecycle-documents/security_baseline_sandbox_stage.md

View workflow job for this annotation

GitHub Actions / Check Spelling

`mlieberman` is not a recognized word. (unrecognized-spelling)

### List of interested individuals
The SIG have a minimum of 3 members with 2 different organizational affiliations.
* Adolfo "Puerco" García Veytia, CNCF kubernetes SIG Release Technical Lead, OpenSSF Protobom, OpenVEX maintainer, Staklock, GitHub ID: puerco

Check failure on line 21 in process/sig-lifecycle-documents/security_baseline_sandbox_stage.md

View workflow job for this annotation

GitHub Actions / Check Spelling

`Staklock` is not a recognized word. (unrecognized-spelling)
* Justin Cappos, CNCG TUF, in-toto, Uptane, OpenSSF gittuf maintainer, New York University. GitHUb ID: JustinCappos

Check failure on line 22 in process/sig-lifecycle-documents/security_baseline_sandbox_stage.md

View workflow job for this annotation

GitHub Actions / Check Spelling

`Uptane` is not a recognized word. (unrecognized-spelling)

Check failure on line 22 in process/sig-lifecycle-documents/security_baseline_sandbox_stage.md

View workflow job for this annotation

GitHub Actions / Check Spelling

`CNCG` is not a recognized word. (unrecognized-spelling)
* David Wheeler, OpenSSF Best Practice Badge maintainer, OpenSSF, GitHub ID: david-a-wheeler
* Dana Wang, OpenSSF security baseline maintainer, OpenSSF, GitHub ID: danajoyluck

Check failure on line 24 in process/sig-lifecycle-documents/security_baseline_sandbox_stage.md

View workflow job for this annotation

GitHub Actions / Check Spelling

`danajoyluck` is not a recognized word. (unrecognized-spelling)

### Governing Body
SIGs may report to an existing OpenSSF Working Group or directly to the TAC as their governing body. The SIG commits to providing the governing body quarterly updates on progress.
* Security Best Practices Working Group

CRob and Dana Wang had conversations about this inititve. CRob has agreed to be the sponsor of this SIG and welcome the group to join Security Best Practices Working Group.

Check failure on line 30 in process/sig-lifecycle-documents/security_baseline_sandbox_stage.md

View workflow job for this annotation

GitHub Actions / Check Spelling

`inititve` is not a recognized word. (unrecognized-spelling)
lehors marked this conversation as resolved.
Show resolved Hide resolved

### SIG References
The SIG should provide a list of existing resources with links to the repository, and if available, website, a roadmap, demos and walkthroughs, and any other material to showcase the existing breadth, maturity, and direction of the SIG.
| Reference | URL |
|---------------------|-----|
| Repo | |
| Meeting Agenda | |
| OSSF Calendar Entry | |
| Website | |
| Security.md | |
| Roadmap | |
| code-of-conduct.md | |
| Demos | |
| Other | [OpenSSF security baseline](https://github.com/ossf/tac/blob/a90b9838739ac18df43197fdd89f045c1a1e4dc3/process/security_baseline.md) |
Loading