Thank you to the folks at Sustain for providing the hosting account for CHAOSSCast!
CHAOSScast – Episode 97
In this episode of CHAOSScast, Harmony Elendu hosts a discussion with Emily Fox from Red Hat and Dawn Foster, the Director of Data Science at CHAOSS. Today, they explore the new Security Practitioner Guide created to help maintainers, who may lack deep security backgrounds, get started with essential security practices. Emily and Dawn highlight actionable steps, key trends, and simplifications to adopt in maintaining a secure project. They also touch on challenges like vulnerability reporting and the importance of consistent monitoring and updating. Additionally, the guide's flexibility, allowing customization and improvement over time, and the significance of community support are emphasized. Press download now to hear more!
[00:02:02] Dawn starts out with providing an overview of CHAOSS Project’s Practitioner Guides, which helps newcomers to open source understand key metrics and mentions the current focus on the Security Guide.
[00:03:24] Dawn gives us an overview of the Security Practitioner Guide as she describes it as a starting point for maintainers, particularly those without a security background.
[00:04:10] Emily emphasizes that many maintainers struggle with starting security practices and shares the two primary security focuses on open source: project security design and repository security.
[00:05:38] Harmony notes the importance of project design and patterns, asking about security trends and considerations in open source projects. Dawn mentions the Libyears (dependency freshness) and Release Frequency as key security metrics, and Emily adds that OpenSSF best practices contribute to project quality and maturity.
[00:08:32] Harmony asks for insights on how contributors can interpret these metrics. Emily suggests various resources and communities, such as CNCF’s tag-security, for maintainers looking to improve security.
[00:11:39] Emily discusses common issues with vulnerability reporting and the importance of having a process in place, with community resources available for support. Dawn emphasizes the importance of having basic security policies in place early on in a project and suggests starting out with a simple security.md file to outline how to handle vulnerability reports.
[00:15:47] Dawn suggests consulting the Practitioners Guide’s “Make Improvements” section, which included adding a security.md file and implementing automation to track outdated dependencies and Emily cautions that metrics are only as effective as their relevance, recommending incremental steps for improvement.
[00:18:53] Dawn highlights the importance of the OpenSSF scorecard, which helps both maintainers and OSPOs assess project security.
[00:20:29] Emily and Dawn simplify the Practitioner Guides into basic steps and Emily reiterates that projects should define their own security goals and commit to them for consistent improvements.
[00:23:56] Harmony emphasizes the importance of documentation for continuity in project security and Dawn reminds us that the Practitioner Guides are MIT-licensed and customizable for different projects.
[00:25:11] Dawn and Emily explain where you can ask questions or how to implement things in your project using the Practitioner’s Guide.
Adds (Picks) of the week:
- [00:26:55] Dawn’s pick is 3D printing and learning how to design new things.
- [00:28:02] Emily’s pick is taking a break from the internet and doing something outside.
- [00:28:45] Harmony’s pick is creating personalized templates to help with document preparation and tasks.
Panelists:
Harmony Elendu
Dawn Foster
Guest:
Emily Fox
Links:
CHAOSS
CHAOSS Project X
CHAOSScast Podcast
podcast@chaoss.community
Harmony Elendu X
Dawn Foster X
Emily Fox LinkedIn
CHAOSS Practitioner Guides
CHAOSS Practitioner Guide: Security
Libyears
Release Frequency
Cloud Native Contributors Security Guidelines for New Projects
GitHub Docs-Adding a security policy to your repository
OpenSSF Scorecard
OpenSSF-Source Code Management Platform Configuration Best Practices
CNCF tag-security: Self-assessment
CHAOSScast Podcast-Episode 85: Introducing CHAOSS Practitioner Guides: #1 Responsiveness
CHAOSScast Podcast-Episode 88: Practitioner Guides: #2 Contributor Sustainability
CHAOSScast Podcast-Episode 89: Practitioner Guides: #3 Organizational Participation
CHAOSScast Podcast-Episode 93: Guest Episode-Sustain meets CHAOSScast to talk about Practitioner Guides
Dawn Foster- Maker World
Special Guest: Emily Fox.
Support CHAOSScast
