Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

adding CNCF GOSST GSoC Collaboration project idea #1197

Merged
merged 5 commits into from
Mar 22, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions programs/summerofcode/2024.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,24 @@ You can find the project ideas from previous year [here](./2023.md).

### Proposals

#### CNCF GOSST

##### CNCF and Google Open Source Security Team GSoC Collaboration - Enhancing Security Across CNCF Ecosystem
Copy link
Member

@aliok aliok Mar 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sounds amazing! I am +100 on the proposal, thank you.

I think we need to figure out the process though. I have a few questions.

This proposal sounds like it is to be done by 1 mentee for multiple CNCF projects. Is that the case? Unless I misunderstand something, it would be very hard. So, I assume that we go with 1 mentee per CNCF project that's interested in participating.

  • So, IMO, we should find projects that are interested in participating in this initiative. We can ask in CNCF project communities to gather interest and find mentors who can help out in the project side. Then we can create a proposal in the ideas list per interested CNCF project maybe, instead of going with this meta proposal? (we need to be quick though, the contributor application period started already)

  • Project communities won't know too much about OSS fuzzing, and I understand that's where Dustin helps. Is there a limit for number of projects Dustin can support on the OSS Fuzz side?

  • I wonder what CNCF TAG Security thinks about this. I am sure they'll like the idea, but I would be interested in involving them for any possible additional input. Pinging TAG chairs @sublimino @PushkarJ @mnm678 and @TheFoxAtWork

Copy link

@PushkarJ PushkarJ Mar 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am supportive of this and dividing into multiple projects. There is also a dedicated CNCF partnership on fuzzing through AdaLogics: https://www.cncf.io/blog/2023/04/18/cncf-fuzzing-open-source-projects-for-security-and-reliability/ cc @caniszczyk where there might be opportunities to collaborate.

Sorry if this was already called out, I haven't read the proposal fully.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This proposal sounds like it is to be done by 1 mentee for multiple CNCF projects. Is that the case? Unless I misunderstand something, it would be very hard.

I think we may need to pare the scope down -- I think the primary goal should be: All graduated and incubating CNCF projects using OpenSSF Scorecards with a Stretch goal of including all the sandbox projects too. I think that a single candidate could do all this, and that it would probably be a couple hours per project (so it would be a large project).

I'm wondering if we should drop the OSS-Fuzz and build improvement outcomes. I'm tempted to leave them in as a part of remediating things as found goal.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of actually improving build/release security, the candidates may opt to identify improvements by opening issues, but how they want to approach this is something I'd leave for them to explore as a part of their proposal.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sounds like a good effort and I hope that TAG security can help. The security slam effort has been working with projects to use CLOmonitor, and we'll want to make sure the addition of Scorecards adds new information about project security. If this is done, we need to carefully message this to project maintainers to make sure that they see the need, and are willing to participate. In addition it will require careful mentoring to ensure we do not place unnecessary additional burdens on project maintainers who have to make sure any prs are polished and follow individual project guidelines.


- Description: This project is a collaborative effort between the CNCF and Google's Open Source Security Team to improve security practices across various CNCF projects. The focus is identifying and addressing security vulnerabilities, integrating security tools like OSS-Fuzz, and enhancing build and release security processes. The goal is to get all CNCF projects to use scorecards (focusing on graduated/incubating projects first) and to remediate some of the findings.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Who is providing the security expertise to support projects in remediating these findings? I really love this idea but I am deeply concerned that this will create additional work for projects that are not structured or experienced enough to intake these findings, triage, or remediate. Particularly as the scorecards indicators (and I admit it has been at least a year since I have evaluated them last) are not strong, still requires human review, and is yet another out of band activity for maintainers.

How can we make this frictionless, a value-add, and add on to the projects' work?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Who is providing the security expertise to support projects in remediating these findings?

Dustin and other GOSST folks would act as the security experts -- We may shift the actual mentors as this work gets firmed up. I'll act as a liason between the mentee, GOSST folks and our projects.

How can we make this frictionless, a value-add, and add on to the projects' work?

Part of the GSoC process is getting candidates to write proposals, and I think this concern is going to be a part of our selection criteria.

- Expected Outcome:
* All graduated and incubating CNCF projects using OpenSSF Scorecards to assess and enhance their security postures. Stretch goal: all (including sandbox) CNCF projects using OpenSFF Scorecards.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not believe there is appetite to modify the criteria to require this for projects. This would be suggestion only for them. It is also highly unlikely to add this for sandbox projects due to their early maturity and focus on experimentation.

Copy link
Member Author

@nate-double-u nate-double-u Mar 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is indicating a requirement for CNCF projects -- this is a goal for this collaboration. As a part of this work there would need to be communication with the projects, if they're not interested then we'd move on to the next one that is.

* Remediation of identified vulnerabilities based on scorecard findings

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As written this is too broad.

projects seeking graduation are required to resolve all critical and high vulnerabilities from their security audit. Last I checked, scorecards results are not all vulnerabilities, it is the evaluations of a project's conformance to best practices which does include listing some vulnerabilities being present in the code base - which is a version match, and may not appropriately reflect whether the project is vulnerable to a particular issue or if they have mitigating measures in place.

There is value in the scorecards. But as it exists today, is too opinionated and therefore prone to introduce bias against projects for not scoring high enough due to missing, incomplete, or noisy information.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As written this is too broad.

I appreciate this feedback, and think I agree that this project idea is written quite broadly. Because the GSoC program includes a proposal writing phase, I'd like to see if scope is something that candidates can potentially specify.

This is an experiment. I'd like to merge this project idea in (as is) as we're already a bit late for project ideas and providing visibility for candidates finding and writing proposals against this. Once it's merged, i'm happy to have changes suggested (both in the idea listing, and in the upstream issue I've opened #1196)

* Where CNCF projects are already using [OpenSSF Scorecard](https://securityscorecards.dev/), improved scores (remediating [various risk assessments](https://securityscorecards.dev/#the-checks)
* Integration or enhancement of fuzzing with [OSS-Fuzz](https://google.github.io/oss-fuzz/) for CNCF projects
* Improved build/release security by automating builds and releases, added build provenance, signing, and improved reproducibility
- Recommended Skills: Security analysis, CI/CD practices, programming (preferably Go), knowledge of CNCF projects.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure about this skill set. Dustin, if you have thoughts I'm happy for this to change.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for tagging me.

I like the idea, but the details of implementation, execution, and resulting impact must be dutifully weighed for impact versus toil on cloud native projects.

I am happy to discuss this more in depth

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you so much for your feedback!

I like the idea, but the details of implementation, execution, and resulting impact must be dutifully weighed for impact versus toil on cloud native projects.

As i mentioned above, I'd like to merge this in as is for timing, but am happy to continue to massage the proposal.

I am happy to discuss this more in depth

Thanks, I'll reach out offline.

- Expected project size: large (~350 hour projects)
- Mentor(s):
- Nate Waddington (@nate-double-u, [email protected])
- Dustin Ingram ([email protected])
- Upstream Issue (URL): https://github.com/cncf/mentoring/issues/1196

#### Falco

##### Upgrading event-generator and automating Falco performance testing
Expand Down
Loading