Episode 97: Practitioner Guides: #4 Security

12 snips

Nov 14, 2024

Harmony Elendu talks with Emily Fox, the Emerging Technology Security Lead at Red Hat, and Dawn Foster, the Director of Data Science at CHAOSS. They delve into the new Security Practitioner Guide aimed at helping maintainers unfamiliar with security practices. Key topics include essential security steps, the significance of vulnerability reporting, and the thoughtful design of projects. They also stress the importance of adaptable guides and community support for enhancing security in open-source projects.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ADVICE

Security Guide Simplifies Security Start

The Security Practitioner Guide helps maintainers without a security background start essential security practices.
It provides resources and actionable steps to keep security top of mind and learn next steps.

INSIGHT

Key Security Metrics

Dependency freshness (LibYears) and release frequency are key security metrics in open source projects.
These metrics help maintainers track security in project dependencies and timely vulnerability fixes.

ADVICE

Guide Contributors on Security

Provide clear contributor guidelines to help new contributors avoid insecure code.
Encourage proper code reviews to catch security risks even if maintainers lack expertise.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Thank you to the folks at Sustain for providing the hosting account for CHAOSSCast!

CHAOSScast – Episode 97

In this episode of CHAOSScast, Harmony Elendu hosts a discussion with Emily Fox from Red Hat and Dawn Foster, the Director of Data Science at CHAOSS. Today, they explore the new Security Practitioner Guide created to help maintainers, who may lack deep security backgrounds, get started with essential security practices. Emily and Dawn highlight actionable steps, key trends, and simplifications to adopt in maintaining a secure project. They also touch on challenges like vulnerability reporting and the importance of consistent monitoring and updating. Additionally, the guide's flexibility, allowing customization and improvement over time, and the significance of community support are emphasized. Press download now to hear more!

[00:02:02] Dawn starts out with providing an overview of CHAOSS Project’s Practitioner Guides, which helps newcomers to open source understand key metrics and mentions the current focus on the Security Guide.

[00:03:24] Dawn gives us an overview of the Security Practitioner Guide as she describes it as a starting point for maintainers, particularly those without a security background.

[00:04:10] Emily emphasizes that many maintainers struggle with starting security practices and shares the two primary security focuses on open source: project security design and repository security.

[00:05:38] Harmony notes the importance of project design and patterns, asking about security trends and considerations in open source projects. Dawn mentions the Libyears (dependency freshness) and Release Frequency as key security metrics, and Emily adds that OpenSSF best practices contribute to project quality and maturity.

[00:08:32] Harmony asks for insights on how contributors can interpret these metrics. Emily suggests various resources and communities, such as CNCF’s tag-security, for maintainers looking to improve security.

[00:11:39] Emily discusses common issues with vulnerability reporting and the importance of having a process in place, with community resources available for support. Dawn emphasizes the importance of having basic security policies in place early on in a project and suggests starting out with a simple security.md file to outline how to handle vulnerability reports.

[00:15:47] Dawn suggests consulting the Practitioners Guide’s “Make Improvements” section, which included adding a security.md file and implementing automation to track outdated dependencies and Emily cautions that metrics are only as effective as their relevance, recommending incremental steps for improvement.

[00:18:53] Dawn highlights the importance of the OpenSSF scorecard, which helps both maintainers and OSPOs assess project security.

[00:20:29] Emily and Dawn simplify the Practitioner Guides into basic steps and Emily reiterates that projects should define their own security goals and commit to them for consistent improvements.

[00:23:56] Harmony emphasizes the importance of documentation for continuity in project security and Dawn reminds us that the Practitioner Guides are MIT-licensed and customizable for different projects.

[00:25:11] Dawn and Emily explain where you can ask questions or how to implement things in your project using the Practitioner’s Guide.

Adds (Picks) of the week:

[00:26:55] Dawn’s pick is 3D printing and learning how to design new things.
[00:28:02] Emily’s pick is taking a break from the internet and doing something outside.
[00:28:45] Harmony’s pick is creating personalized templates to help with document preparation and tasks.

Panelists:

Harmony Elendu

Dawn Foster

Guest:

Emily Fox

Links:

CHAOSS

CHAOSS Project X

CHAOSScast Podcast

podcast@chaoss.community

Harmony Elendu X

Dawn Foster X