adding CNCF GOSST GSoC Collaboration project idea #1197
Conversation
Signed-off-by: Nate W <[email protected]>
| * Remediation of known vulnerabilities within the CNCF ecosystem | ||
| * Improved build/release security by automating builds, releases, added build provenance, signing and improved reproducibility | ||
| * Enhanced [OpenSSF Scorecard](https://securityscorecards.dev/) and [CLOMonitor](https://clomonitor.io/search?foundation=cncf&page=1) scores for CNCF projects. | ||
| - Recommended Skills: Security analysis, CI/CD practices, programming (preferably Go), knowledge of CNCF projects. |
There was a problem hiding this comment.
Not sure about this skill set. Dustin, if you have thoughts I'm happy for this to change.
| @@ -31,6 +31,23 @@ You can find the project ideas from previous year [here](./2023.md). | |||
|
|
|||
| ### Proposals | |||
|
|
|||
| #### CNCF GOSST | |||
|
|
|||
| ##### CNCF and Google Open Source Security Team GSoC Collaboration - Enhancing Security Across CNCF Ecosystem | |||
There was a problem hiding this comment.
This sounds amazing! I am +100 on the proposal, thank you.
I think we need to figure out the process though. I have a few questions.
This proposal sounds like it is to be done by 1 mentee for multiple CNCF projects. Is that the case? Unless I misunderstand something, it would be very hard. So, I assume that we go with 1 mentee per CNCF project that's interested in participating.
-
So, IMO, we should find projects that are interested in participating in this initiative. We can ask in CNCF project communities to gather interest and find mentors who can help out in the project side. Then we can create a proposal in the ideas list per interested CNCF project maybe, instead of going with this meta proposal? (we need to be quick though, the contributor application period started already)
-
Project communities won't know too much about OSS fuzzing, and I understand that's where Dustin helps. Is there a limit for number of projects Dustin can support on the OSS Fuzz side?
-
I wonder what CNCF TAG Security thinks about this. I am sure they'll like the idea, but I would be interested in involving them for any possible additional input. Pinging TAG chairs @sublimino @PushkarJ @mnm678 and @TheFoxAtWork
There was a problem hiding this comment.
I am supportive of this and dividing into multiple projects. There is also a dedicated CNCF partnership on fuzzing through AdaLogics: https://www.cncf.io/blog/2023/04/18/cncf-fuzzing-open-source-projects-for-security-and-reliability/ cc @caniszczyk where there might be opportunities to collaborate.
Sorry if this was already called out, I haven't read the proposal fully.
There was a problem hiding this comment.
This proposal sounds like it is to be done by 1 mentee for multiple CNCF projects. Is that the case? Unless I misunderstand something, it would be very hard.
I think we may need to pare the scope down -- I think the primary goal should be: All graduated and incubating CNCF projects using OpenSSF Scorecards with a Stretch goal of including all the sandbox projects too. I think that a single candidate could do all this, and that it would probably be a couple hours per project (so it would be a large project).
I'm wondering if we should drop the OSS-Fuzz and build improvement outcomes. I'm tempted to leave them in as a part of remediating things as found goal.
There was a problem hiding this comment.
Instead of actually improving build/release security, the candidates may opt to identify improvements by opening issues, but how they want to approach this is something I'd leave for them to explore as a part of their proposal.
There was a problem hiding this comment.
This sounds like a good effort and I hope that TAG security can help. The security slam effort has been working with projects to use CLOmonitor, and we'll want to make sure the addition of Scorecards adds new information about project security. If this is done, we need to carefully message this to project maintainers to make sure that they see the need, and are willing to participate. In addition it will require careful mentoring to ensure we do not place unnecessary additional burdens on project maintainers who have to make sure any prs are polished and follow individual project guidelines.
Signed-off-by: Nate W <[email protected]>
nate-double-u
changed the title
Signed-off-by: Nate W <[email protected]>
Signed-off-by: Nate W <[email protected]>
Signed-off-by: Nate W <[email protected]>
|
|
||
| ##### CNCF and Google Open Source Security Team GSoC Collaboration - Enhancing Security Across CNCF Ecosystem | ||
|
|
||
| - Description: This project is a collaborative effort between the CNCF and Google's Open Source Security Team to improve security practices across various CNCF projects. The focus is identifying and addressing security vulnerabilities, integrating security tools like OSS-Fuzz, and enhancing build and release security processes. The goal is to get all CNCF projects to use scorecards (focusing on graduated/incubating projects first) and to remediate some of the findings. |
There was a problem hiding this comment.
Who is providing the security expertise to support projects in remediating these findings? I really love this idea but I am deeply concerned that this will create additional work for projects that are not structured or experienced enough to intake these findings, triage, or remediate. Particularly as the scorecards indicators (and I admit it has been at least a year since I have evaluated them last) are not strong, still requires human review, and is yet another out of band activity for maintainers.
How can we make this frictionless, a value-add, and add on to the projects' work?
There was a problem hiding this comment.
Who is providing the security expertise to support projects in remediating these findings?
Dustin and other GOSST folks would act as the security experts -- We may shift the actual mentors as this work gets firmed up. I'll act as a liason between the mentee, GOSST folks and our projects.
How can we make this frictionless, a value-add, and add on to the projects' work?
Part of the GSoC process is getting candidates to write proposals, and I think this concern is going to be a part of our selection criteria.
|
|
||
| - Description: This project is a collaborative effort between the CNCF and Google's Open Source Security Team to improve security practices across various CNCF projects. The focus is identifying and addressing security vulnerabilities, integrating security tools like OSS-Fuzz, and enhancing build and release security processes. The goal is to get all CNCF projects to use scorecards (focusing on graduated/incubating projects first) and to remediate some of the findings. | ||
| - Expected Outcome: | ||
| * All graduated and incubating CNCF projects using OpenSSF Scorecards to assess and enhance their security postures. Stretch goal: all (including sandbox) CNCF projects using OpenSFF Scorecards. |
There was a problem hiding this comment.
I do not believe there is appetite to modify the criteria to require this for projects. This would be suggestion only for them. It is also highly unlikely to add this for sandbox projects due to their early maturity and focus on experimentation.
There was a problem hiding this comment.
I don't think this is indicating a requirement for CNCF projects -- this is a goal for this collaboration. As a part of this work there would need to be communication with the projects, if they're not interested then we'd move on to the next one that is.
| - Description: This project is a collaborative effort between the CNCF and Google's Open Source Security Team to improve security practices across various CNCF projects. The focus is identifying and addressing security vulnerabilities, integrating security tools like OSS-Fuzz, and enhancing build and release security processes. The goal is to get all CNCF projects to use scorecards (focusing on graduated/incubating projects first) and to remediate some of the findings. | ||
| - Expected Outcome: | ||
| * All graduated and incubating CNCF projects using OpenSSF Scorecards to assess and enhance their security postures. Stretch goal: all (including sandbox) CNCF projects using OpenSFF Scorecards. | ||
| * Remediation of identified vulnerabilities based on scorecard findings |
There was a problem hiding this comment.
As written this is too broad.
projects seeking graduation are required to resolve all critical and high vulnerabilities from their security audit. Last I checked, scorecards results are not all vulnerabilities, it is the evaluations of a project's conformance to best practices which does include listing some vulnerabilities being present in the code base - which is a version match, and may not appropriately reflect whether the project is vulnerable to a particular issue or if they have mitigating measures in place.
There is value in the scorecards. But as it exists today, is too opinionated and therefore prone to introduce bias against projects for not scoring high enough due to missing, incomplete, or noisy information.
There was a problem hiding this comment.
As written this is too broad.
I appreciate this feedback, and think I agree that this project idea is written quite broadly. Because the GSoC program includes a proposal writing phase, I'd like to see if scope is something that candidates can potentially specify.
This is an experiment. I'd like to merge this project idea in (as is) as we're already a bit late for project ideas and providing visibility for candidates finding and writing proposals against this. Once it's merged, i'm happy to have changes suggested (both in the idea listing, and in the upstream issue I've opened #1196)
| * Where CNCF projects are already using [OpenSSF Scorecard](https://securityscorecards.dev/), improved scores (remediating [various risk assessments](https://securityscorecards.dev/#the-checks) | ||
| * Integration or enhancement of fuzzing with [OSS-Fuzz](https://google.github.io/oss-fuzz/) for CNCF projects | ||
| * Improved build/release security by automating builds and releases, added build provenance, signing, and improved reproducibility | ||
| - Recommended Skills: Security analysis, CI/CD practices, programming (preferably Go), knowledge of CNCF projects. |
There was a problem hiding this comment.
Thanks for tagging me.
I like the idea, but the details of implementation, execution, and resulting impact must be dutifully weighed for impact versus toil on cloud native projects.
I am happy to discuss this more in depth
There was a problem hiding this comment.
Thank you so much for your feedback!
I like the idea, but the details of implementation, execution, and resulting impact must be dutifully weighed for impact versus toil on cloud native projects.
As i mentioned above, I'd like to merge this in as is for timing, but am happy to continue to massage the proposal.
I am happy to discuss this more in depth
Thanks, I'll reach out offline.
|
@nate-double-u I have a question, do we need to reach out the proprietary project "gray ones in landscape" owners to ask about the security ? |
|
Please don't reach out to any CNCF projects yet. If you have ideas for how to approach this work, please write up a proposal and submit it through the GSoC platform. |
|
If you have questions, the upstream issue is probably the better place for discussion: #1196 |
|
Thanks @nate-double-u. I am not reaching out to any project, was drafting the proposal and it was just a random question that came to mind. |
|
Hi Everyone, I'd like to introduce @harshitasao, she was accepted to GSoC 2024, and will be working with us on this collaboration. You can follow along with our work over on issue #1196. |
Adding CNCF and Google Open Source Security Team GSoC Collaboration - Enhancing Security Across CNCF Ecosystem Google Summer of Code 2024 project.