Create 2024-Q3-BEST-WG.md #359
@SecurityCRob thanks a lot for the security baseline SIG update. I'm in the process of creating an implementation plan to create the GitHub repo. Will share an update as I make more progress. The doodle poll is rolling in, will share meeting time this Friday.
One question / comment, but generally LGTM!
- Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. | ||
#### Current Status | ||
|
||
#### Up Next |
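Review bot: `#### Current Status` under the Scorecard entry is followed directly by `#### Up Next` with only blank lines between them, so the section reports no status for the quarter. Add at least one bullet under `#### Current Status`, or drop the heading until there is content for it.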
Inside the OpenSSF, I feel like people generally understand that Scorecard is a framework for maintainers to walk them through improving their secure software development practices - sort of a gamified maturity model, if you will.
Outside the OpenSSF, we've seen a fair amount of confusion as to if the Scorecard scores should be used by consumers of open source software as a way to boil down risk assessment into a single number, the most recent example of this being https://openssf.slack.com/archives/C019M98JSHK/p1720098402786119.
I think the OpenSSF is aligned on that Scorecard is meant for maintainers and not consumers. Have we thought about how we might adjust our messaging to prevent this confusion in the future? I'm specifically thinking of places like https://github.com/ossf/scorecard and https://securityscorecards.dev/, but I'm open to other suggestions!
Counter point: I've seen enterprises seek to understand scorecard/scores as a way to automate risk when they consume OSS, and create mechanisms to automate OSS ingestion. The Metrics API SIG (under the former Metrics and Metadata WG) was creating an API where enterprises could pull Scorecard and other data into their processes.
Relevant scorecard issue: ossf/scorecard#4219
Err... The README starts with:
We created Scorecard to help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe.
thanks for the update
Signed-off-by: CRob <[email protected]>
typo Signed-off-by: CRob <[email protected]>
e9734ca to 96ddb2f
LGTM, thanks!
Co-authored-by: Marcela Melara <[email protected]> Signed-off-by: CRob <[email protected]>
Added more information for current state and next steps. Signed-off-by: Dana Wang <[email protected]>
updates per wheeler Signed-off-by: CRob <[email protected]>
I merged in David's updates for Badges and the Fundamentals class
wheeler changes Signed-off-by: CRob <[email protected]>
Added some bullets covering the Python Secure Coding Guide.
Co-authored-by: Georg Kunz <[email protected]> Signed-off-by: CRob <[email protected]>
Co-authored-by: Georg Kunz <[email protected]> Signed-off-by: CRob <[email protected]>
Co-authored-by: Georg Kunz <[email protected]> Signed-off-by: CRob <[email protected]>
added suggestions from gkunz Signed-off-by: CRob <[email protected]>
more contributor feedback Signed-off-by: CRob <[email protected]>
Co-authored-by: Thomas Nyman <[email protected]> Signed-off-by: CRob <[email protected]>
- Would love to see a BEST chair co-lead
- Many thanks to Ericsson for their contributions to the C++ Hardening Guide
- Kudos to OpenJS for contributing feedback to the Security Baseline SIG.
initial load of BEST WG TAC report. still waiting for WG member feedback prior to presenting