adding CNCF GOSST GSoC Collaboration project idea #1197
Changes from 1 commit
c1d3fa1
84d5337
564862a
8c8018e
ed50258
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -31,6 +31,23 @@ You can find the project ideas from previous year [here](./2023.md). | |
|
||
### Proposals | ||
|
||
#### CNCF GOSST | ||
|
||
##### CNCF and Google Open Source Security Team GSoC Collaboration - Enhancing Security Across CNCF Ecosystem | ||
|
||
- Description: This project is a collaborative effort between the CNCF and Google's Open Source Security Team to improve security practices across various CNCF projects. The focus is on identifying and addressing security vulnerabilities, integrating security tools like OSS-Fuzz, and enhancing build and release security processes. | ||
|
||
- Expected Outcome: | ||
* Integration or enhancement of fuzzing with [OSS-Fuzz](https://google.github.io/oss-fuzz/) for CNCF projects | ||
* Remediation of known vulnerabilities within the CNCF ecosystem | ||
* Improved build/release security by automating builds, releases, added build provenance, signing and improved reproducibility | ||
* Enhanced [OpenSSF Scorecard](https://securityscorecards.dev/) and [CLOMonitor](https://clomonitor.io/search?foundation=cncf&page=1) scores for CNCF projects. | ||
|
||
- Recommended Skills: Security analysis, CI/CD practices, programming (preferably Go), knowledge of CNCF projects. | ||
Not sure about this skill set. Dustin, if you have thoughts I'm happy for this to change.

Thanks for tagging me. I like the idea, but the details of implementation, execution, and resulting impact must be dutifully weighed for impact versus toil on cloud native projects. I am happy to discuss this more in depth.

Thank you so much for your feedback!
As I mentioned above, I'd like to merge this in as is for timing, but am happy to continue to massage the proposal.

Thanks, I'll reach out offline.
||
- Expected project size: medium (~175 hour projects) or large (~350 hour projects) | ||
|
||
- Mentor(s): | ||
- Nate Waddington (@nate-double-u, [email protected]) | ||
- Dustin Ingram ([email protected]) | ||
- Upstream Issue (URL): https://github.com/cncf/mentoring/issues/1196 | ||
|
||
#### Falco | ||
|
||
##### Upgrading event-generator and automating Falco performance testing | ||
|
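Review bot: the "Expected Outcome" list (OSS-Fuzz integration, vulnerability remediation, build/release hardening with provenance and signing, and Scorecard/CLOMonitor score improvements) reads as four separate workstreams, and neither the "Description" line nor the "Expected project size: medium (~175 hour projects) or large (~350 hour projects)" line says whether a single mentee is expected to cover all CNCF projects or one mentee works with one participating project; state the scoping explicitly in the Description so applicants can size a proposal and mentors can judge the maintainer toil per project. Two smaller points: the CLOMonitor link carries search-page state (`?foundation=cncf&page=1`), so linking to the site root would be more durable, and the mentor entries could name which mentor owns the OSS-Fuzz side versus the CNCF-project side, since the two areas need different reviewers.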
This sounds amazing! I am +100 on the proposal, thank you.
I think we need to figure out the process though. I have a few questions.
This proposal sounds like it is to be done by 1 mentee for multiple CNCF projects. Is that the case? Unless I misunderstand something, it would be very hard. So, I assume that we go with 1 mentee per CNCF project that's interested in participating.
So, IMO, we should find projects that are interested in participating in this initiative. We can ask in CNCF project communities to gather interest and find mentors who can help out in the project side. Then we can create a proposal in the ideas list per interested CNCF project maybe, instead of going with this meta proposal? (we need to be quick though, the contributor application period started already)
Project communities won't know too much about OSS fuzzing, and I understand that's where Dustin helps. Is there a limit for number of projects Dustin can support on the OSS Fuzz side?
I wonder what CNCF TAG Security thinks about this. I am sure they'll like the idea, but I would be interested in involving them for any possible additional input. Pinging TAG chairs @sublimino @PushkarJ @mnm678 and @TheFoxAtWork
I am supportive of this and dividing into multiple projects. There is also a dedicated CNCF partnership on fuzzing through AdaLogics: https://www.cncf.io/blog/2023/04/18/cncf-fuzzing-open-source-projects-for-security-and-reliability/ cc @caniszczyk where there might be opportunities to collaborate.
Sorry if this was already called out, I haven't read the proposal fully.
I think we may need to pare the scope down -- I think the primary goal should be: All graduated and incubating CNCF projects using OpenSSF Scorecards with a Stretch goal of including all the sandbox projects too. I think that a single candidate could do all this, and that it would probably be a couple hours per project (so it would be a large project).
I'm wondering if we should drop the OSS-Fuzz and build improvement outcomes. I'm tempted to leave them in as a part of remediating things as found goal.
Instead of actually improving build/release security, the candidates may opt to identify improvements by opening issues, but how they want to approach this is something I'd leave for them to explore as a part of their proposal.
This sounds like a good effort and I hope that TAG Security can help. The security slam effort has been working with projects to use CLOMonitor, and we'll want to make sure the addition of Scorecards adds new information about project security. If this is done, we need to carefully message this to project maintainers to make sure that they see the need, and are willing to participate. In addition, it will require careful mentoring to ensure we do not place unnecessary additional burdens on project maintainers, who have to make sure any PRs are polished and follow individual project guidelines.