OSSF Security Tooling
Anyone is welcome to join our open discussions related to the group's mission and charter.
Motivation
Most developers are not security experts, and even the most seasoned developers, security experts or not, make mistakes. Tools can help weed out security defects, allowing developers to focus on the features they want to build.
Objective
Our mission is to identify, evaluate, improve, develop, and ease deployment of universally accessible, developer-focused tooling to help the open source community secure their code. This space allows members to collaborate on these goals.
- Identify - There are a large number of tools that developers can utilize in various development environments. We need to ensure we understand the options available.
- Evaluate - Some tools are better than others. We need to ensure quality tools are available to the open source community.
- Improve - Some tools need just a little bit of help to offer the best solution. We need to, where possible, contribute to improve those tools.
- Develop - Despite the large number of tools available, there are still large areas of the security problem space that do not have tools to help developers find issues. We will develop those tools where there is interest and bandwidth.
- Ease Deployment - Most critically, open source developers need to know what tools they should be using and how to easily integrate them into their development process. Unless developers have an easy way to drop in security tooling, it is unlikely to be included. We will provide this information to open source developers.
Vision
Our vision is to improve the perception of security in open source software.
Governance
The CHARTER.md outlines the scope and governance of our group activities.
This group is chaired by Ryan Ware.
Get Involved
- Current Meeting Minutes
- Previous Meeting Minutes
- Mailing list. Manage your subscriptions to OpenSSF mailing lists.
- Slack
Meeting Times
Zoom every other Friday at 16:00 GMT, starting Nov 17.
The meeting invite is available on the public OSSF calendar.
Meeting Notes
Meeting notes are maintained in a Google Doc. If attending please add your name, and if a returning attendee, please change the color of your name from gray to black.
Antitrust Policy Notice
Special Interest Groups (SIGs) and Projects
SBOM Everywhere SIG
- Mission: Improve Software Bill of Materials (SBOM) tooling, training, and adoption for the open source software ecosystem.
- Meeting Times: Monthly on the first Tuesday @10:30am Pacific Time starting January 15, 2023
- Where: https://zoom.us/j/96699865335?pwd=QlFiNjU0OTdrOTE1KzBQcDV0Q1RHZz09 (overlaps WG call time)
- Meeting notes: https://docs.google.com/document/d/1LS5PxWP4-dycCLCaZjf_DZtG-XJy2PUoq5jJQvDMQa8/edit
- Mailing list: https://lists.openssf.org/g/openssf-sig-sbom
OSS Fuzzing SIG
- Mission: Improve open source code fuzzing via open source tooling
- Meeting Times: Every 2 weeks on Tuesday @8:00am Pacific Time
- Where: https://zoom.us/j/99960722134?pwd=ZzZqdzY1eG9tMzQxWFI1Z0RhTkUxZz09
- Meeting notes: https://docs.google.com/document/d/1u4_vL0UK69C7D3qatP9Q6gjGX1PMJjWnO4-3F4pJ0oo/edit#
- Mailing list: https://groups.google.com/g/fuzzing-collaboration
- Related work (non-OpenSSF):
  - OSS-Fuzz: Continuous fuzzing for open source software
  - FuzzBench: Fuzzer Benchmarking As a Service
  - Fuzz-introspector: a tool to help fuzzer developers understand their fuzzer’s performance and identify any potential blockers
Past SIGs
Guide to Security Tools SIG
False Positive Suppression Specification SIG
CVE Benchmark SIG
- The CVE benchmarking initiative was announced at BlackHat Europe 2020, presented by Bas van Schaik and Kevin Backhouse.
OSS Fuzzing
- Fuzzing Collaboration subgroup - focuses on improving fuzzing
  - Meets monthly starting 2022-01-04 at 10:30am Pacific Time (see the OpenSSF calendar) via this Zoom link
  - Meeting notes
  - Has its own fuzzing-collaboration mailing list on Google Groups
- Fuzz-introspector - a tool to help fuzzer developers understand their fuzzer’s performance and identify any potential blockers
Antitrust policy
Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.
Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.