From c1d3fa1cf68f2e2a94070c5999e3b67ffbc04180 Mon Sep 17 00:00:00 2001 From: Nate W Date: Tue, 19 Mar 2024 11:06:47 +0100 Subject: [PATCH 1/5] adding CNCF GOSST GSoC Collaboration project proposal Signed-off-by: Nate W --- programs/summerofcode/2024.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/programs/summerofcode/2024.md b/programs/summerofcode/2024.md index d44b7136..44ef36f0 100644 --- a/programs/summerofcode/2024.md +++ b/programs/summerofcode/2024.md 
@@ -31,6 +31,23 @@ You can find the project ideas from previous year [here](./2023.md). ### Proposals +#### CNCF GOSST + +##### CNCF and Google Open Source Security Team GSoC Collaboration - Enhancing Security Across CNCF Ecosystem + +- Description: This project is a collaborative effort between the CNCF and Google's Open Source Security Team to improve security practices across various CNCF projects. The focus is on identifying and addressing security vulnerabilities, integrating security tools like OSS-Fuzz, and enhancing build and release security processes. +- Expected Outcome: + * Integration or enhancement of fuzzing with [OSS-Fuzz](https://google.github.io/oss-fuzz/) for CNCF projects + * Remediation of known vulnerabilities within the CNCF ecosystem + * Improved build/release security by automating builds, releases, added build provenance, signing and improved reproducibility + * Enhanced [OpenSSF Scorecard](https://securityscorecards.dev/) and [CLOMonitor](https://clomonitor.io/search?foundation=cncf&page=1) scores for CNCF projects. +- Recommended Skills: Security analysis, CI/CD practices, programming (preferably Go), knowledge of CNCF projects. +- Expected project size: medium (~175 hour projects) or large (~350 hour projects) +- Mentor(s): + - Nate Waddington (@nate-double-u, natew@cncf.io) + - Dustin Ingram (dustiningram@google.com) +- Upstream Issue (URL): https://github.com/cncf/mentoring/issues/1196 + #### Falco ##### Upgrading event-generator and automating Falco performance testing From 84d53379a90c995cfc50728342437b4fe42ff978 Mon Sep 17 00:00:00 2001 From: Nate W Date: Wed, 20 Mar 2024 09:44:00 +0100 Subject: [PATCH 2/5] Update programs/summerofcode/2024.md Signed-off-by: Nate W --- programs/summerofcode/2024.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/summerofcode/2024.md b/programs/summerofcode/2024.md index 44ef36f0..44bafd5a 100644 --- a/programs/summerofcode/2024.md +++ b/programs/summerofcode/2024.md 
@@ -42,7 +42,7 @@ You can find the project ideas from previous year [here](./2023.md). * Improved build/release security by automating builds, releases, added build provenance, signing and improved reproducibility * Enhanced [OpenSSF Scorecard](https://securityscorecards.dev/) and [CLOMonitor](https://clomonitor.io/search?foundation=cncf&page=1) scores for CNCF projects. - Recommended Skills: Security analysis, CI/CD practices, programming (preferably Go), knowledge of CNCF projects. -- Expected project size: medium (~175 hour projects) or large (~350 hour projects) +- Expected project size: small (~90 hour projects) - Mentor(s): - Nate Waddington (@nate-double-u, natew@cncf.io) - Dustin Ingram (dustiningram@google.com) From 564862afc1bf53a2408c1d991e4bc30ffd6b1cc9 Mon Sep 17 00:00:00 2001 From: Nate W Date: Wed, 20 Mar 2024 09:50:16 +0100 Subject: [PATCH 3/5] Update programs/summerofcode/2024.md Signed-off-by: Nate W --- programs/summerofcode/2024.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/summerofcode/2024.md b/programs/summerofcode/2024.md index 44bafd5a..cab6e85c 100644 --- a/programs/summerofcode/2024.md +++ b/programs/summerofcode/2024.md @@ -42,7 +42,7 @@ You can find the project ideas from previous year [here](./2023.md). * Improved build/release security by automating builds, releases, added build provenance, signing and improved reproducibility * Enhanced [OpenSSF Scorecard](https://securityscorecards.dev/) and [CLOMonitor](https://clomonitor.io/search?foundation=cncf&page=1) scores for CNCF projects. - Recommended Skills: Security analysis, CI/CD practices, programming (preferably Go), knowledge of CNCF projects. -- Expected project size: small (~90 hour projects) +- Expected project size: large (~350 hour projects) - Mentor(s): - Nate Waddington (@nate-double-u, natew@cncf.io) - Dustin Ingram (dustiningram@google.com) From 8c8018eef98ca88eb49953cbb6a5de09e5d40dab Mon Sep 17 00:00:00 2001 
From: Nate W Date: Wed, 20 Mar 2024 10:01:30 +0100 Subject: [PATCH 4/5] Update programs/summerofcode/2024.md Signed-off-by: Nate W --- programs/summerofcode/2024.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/summerofcode/2024.md b/programs/summerofcode/2024.md index cab6e85c..ce160051 100644 --- a/programs/summerofcode/2024.md +++ b/programs/summerofcode/2024.md @@ -35,7 +35,7 @@ You can find the project ideas from previous year [here](./2023.md). ##### CNCF and Google Open Source Security Team GSoC Collaboration - Enhancing Security Across CNCF Ecosystem -- Description: This project is a collaborative effort between the CNCF and Google's Open Source Security Team to improve security practices across various CNCF projects. The focus is on identifying and addressing security vulnerabilities, integrating security tools like OSS-Fuzz, and enhancing build and release security processes. +- Description: This project is a collaborative effort between the CNCF and Google's Open Source Security Team to improve security practices across various CNCF projects. The focus is identifying and addressing security vulnerabilities, integrating security tools like OSS-Fuzz, and enhancing build and release security processes. The goal is to get all CNCF projects to use scorecards (focusing on graduated/incubating projects first) and to remediate some of the findings. - Expected Outcome: * Integration or enhancement of fuzzing with [OSS-Fuzz](https://google.github.io/oss-fuzz/) for CNCF projects * Remediation of known vulnerabilities within the CNCF ecosystem From ed502585363220b07621861171a305a0b441d4e1 Mon Sep 17 00:00:00 2001 From: Nate W Date: Wed, 20 Mar 2024 10:04:17 +0100 Subject: [PATCH 5/5] Update programs/summerofcode/2024.md Signed-off-by: Nate W --- programs/summerofcode/2024.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/programs/summerofcode/2024.md b/programs/summerofcode/2024.md index ce160051..2ebb9b2a 100644 --- a/programs/summerofcode/2024.md +++ b/programs/summerofcode/2024.md 
@@ -37,10 +37,11 @@ You can find the project ideas from previous year [here](./2023.md). - Description: This project is a collaborative effort between the CNCF and Google's Open Source Security Team to improve security practices across various CNCF projects. The focus is identifying and addressing security vulnerabilities, integrating security tools like OSS-Fuzz, and enhancing build and release security processes. The goal is to get all CNCF projects to use scorecards (focusing on graduated/incubating projects first) and to remediate some of the findings. - Expected Outcome: + * All graduated and incubating CNCF projects using OpenSSF Scorecards to assess and enhance their security postures. Stretch goal: all (including sandbox) CNCF projects using OpenSFF Scorecards. + * Remediation of identified vulnerabilities based on scorecard findings + * Where CNCF projects are already using [OpenSSF Scorecard](https://securityscorecards.dev/), improved scores (remediating [various risk assessments](https://securityscorecards.dev/#the-checks) * Integration or enhancement of fuzzing with [OSS-Fuzz](https://google.github.io/oss-fuzz/) for CNCF projects - * Remediation of known vulnerabilities within the CNCF ecosystem - * Improved build/release security by automating builds, releases, added build provenance, signing and improved reproducibility - * Enhanced [OpenSSF Scorecard](https://securityscorecards.dev/) and [CLOMonitor](https://clomonitor.io/search?foundation=cncf&page=1) scores for CNCF projects. + * Improved build/release security by automating builds and releases, added build provenance, signing, and improved reproducibility - Recommended Skills: Security analysis, CI/CD practices, programming (preferably Go), knowledge of CNCF projects. - Expected project size: large (~350 hour projects) - Mentor(s):
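Review bot: the Expected Outcome list in the PATCH 1/5 hunk bundles four separate workstreams (OSS-Fuzz integration, vulnerability remediation, build/release provenance and signing, Scorecard/CLOMonitor score improvements) into a single proposal, which is too broad for one contributor to deliver in a 175 or 350 hour project; say which outcome is the primary deliverable and which are stretch goals, or split the proposal per workstream so applicants can scope a realistic plan. Minor: the Description mentions OSS-Fuzz without the link that the outcome bullet already carries, and the heading reads better as "Enhancing Security Across the CNCF Ecosystem".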
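Review bot: the PATCH 3/5 hunk reverts the PATCH 2/5 hunk (small ~90 hours back to large ~350 hours), so the two commits cancel out and only add noise to the history; squash them, or drop both and amend PATCH 1/5 so its size line reads `- Expected project size: large (~350 hour projects)` from the start. Both commits also carry the generic subject "Update programs/summerofcode/2024.md", which does not say what changed; a squashed commit should state the size decision.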
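Review bot: the rewritten Description line in the PATCH 4/5 hunk drops a preposition in "The focus is identifying and addressing ..."; restore "The focus is on identifying and addressing ...". The new goal sentence refers to "scorecards" in lower case while the outcome bullets use the product name and link, `[OpenSSF Scorecard](https://securityscorecards.dev/)`; use the same name and link here so readers know which tool the goal refers to, and spell out "graduated/incubating" as "graduated and incubating" to match the bullet added later in the series.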
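Review bot: the first added bullet in the PATCH 5/5 hunk misspells the tool name ("OpenSFF Scorecards" should be "OpenSSF Scorecard"), and the third added bullet has an unclosed parenthesis: `(remediating [various risk assessments](https://securityscorecards.dev/#the-checks)` needs a closing `)` after the link. The second bullet, "Remediation of identified vulnerabilities based on scorecard findings", overlaps with that third bullet (improved scores by remediating the checks) and replaces the removed "Remediation of known vulnerabilities within the CNCF ecosystem" bullet; either merge the two Scorecard bullets or state how a Scorecard finding differs from a known vulnerability so the deliverables do not double count. Also, removing the old fourth bullet drops the only mention of CLOMonitor; if CLOMonitor scores remain in scope, keep that link, and make the bullets consistent on trailing periods (only the first new bullet ends with one).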