Tracker: Adoptium Secure Software Development Framework (SSDF) #120
Comments
Thank you for kicking off this initiative @jiekang. It has already been discussed at the PMC, where there was enthusiastic support for this work. I see you have already got some good level of detail with the approach and areas for Adoptium to address. I think it would be helpful to spend a short time introducing this topic to the community and ensuring an understanding of the direction proposed. As you wrote above:
Would you like to introduce this in the #general channel as a starting point? Once underway it may well warrant a specific channel for SSDF discussions, but let's start there.
Adding this comment, based on discussions in the March 10, 2022 Steering Committee call, and as a reminder and invitation for members to provide input and feedback. Most of our expected activities will be documenting what we already do at the project, using the NIST SSDF outline as a guide. We have selected the US government-based NIST framework as a model to follow in this exercise as it seems thorough and rigorous. We recognize there may be other models and are open to input if there are other references that we should consider as part of this work (especially if they are more rigorous, though an initial scan indicated the NIST SSDF to be satisfyingly thorough; we did look at BSA and SLSA v0.1). The checklist provided by the SSDF framework encompasses many activities that we already do, or have initiated at the project, so much of the effort related to this issue will take the form of assessment, documentation and identifying whether there are any gaps that the technical teams should try to fill. We believe this effort will help to further stabilize the project and is a step along our path of continuously improving how we build, test, and deliver software. Hopefully, as we identify and clearly articulate areas of improvement, we can engage experts from our community to join this effort. As a personal observation, I also believe that this effort is not just of value to Adoptium, but to the ecosystem at large and I will be happy to see and share the progress more broadly. EDIT SL/Nov23: To clarify, we are using SSDF and SLSA as frameworks that guide us in our mission to ensure secure software development. In most cases, the criteria of each framework overlap. If there are unique criteria in one or the other framework, we will attempt to achieve them, but first focusing on the overlap criteria present in both.
Important documentation for initial compliance: this information should ultimately be put under version control in this repository.
For reference, we have recently published two blog posts on the secure development processes:
Plan of attack for some of the more important parts of SSDF during 2023. Note that I've tentatively planned in two months for each phase of this, so the estimated target dates against each plan reflect that: Done
Phase 1 (2023-05)
Phase 2
Phase 3
Phase 4
Maybe point to the approved project plan? I've just uploaded the latest version via the WG mailing list.
Will be helpful when the EF declarative policies and permissions code is rolled out for repos. In the meantime perhaps we can list our critical repos and point to the OSSF scorecard reports.
+1 to all those.
+1 again.
Consider moving to earlier phase?
Happy with those. Lots of work!
@tellison The MFA one for infra was mostly in phase 3 because there was quite a lot in 2 and I didn't want to take anything out, but I'm shifting it up to phase 2 so that it is at least started earlier. This will mean it can be more swiftly included in the documentation of onboarding/offboarding which is part of Phase 1. Added link to the plan now that it's available :-) On the OSSF scorecards, is there a specific artefact produced from those that you'd like to point at, or would it just be the executions of the actions workflows?
Security is of critical importance to Adoptium in order to maintain the trust of its community in the integrity of the work that it does. There are evolving market requirements for software providers to meet for using secure development practices. The Adoptium SSDF, based directly on the NIST SSDF [1], represents a commitment to meet these requirements.
[1] https://csrc.nist.gov/Projects/ssdf and https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
This issue tracks the work to be done against the SSDF framework. The intention is for individual points of the framework to be investigated, documented, and completed, to then arrive at an overall Adoptium SSDF that can be maintained into the future. I intend to create an epic issue for each point that will serve as a tracker for relevant issues across the Adoptium organization’s repositories.
Epics are split into areas following the table in [1] (page 14 onwards). A subset of entries in [1] are proposed for work here, based on relevance to the Adoptium project. Discussion and debate is open for the entire process, as well as the reference framework Adoptium chooses to follow.
Other resources of interest include:
CNCF Paper on Secure Supply Chain:
https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf
Supply Chain Levels for Software Artifacts:
https://slsa.dev/
I believe the underlying work will be similar regardless of the framework it is organized under, and am proposing to follow the NIST SSDF, at least to drive the initial work towards secure Adoptium releases. The work is open for any willing contributors, and Red Hat contributors will participate.
Epics:
PO: Prepare the organization (#122)
PS: Protect software (#123)
PW: Produce well secured software (#124)
RV: Assess, prioritize and remediate vulnerabilities (#125)
As well as the areas above, which directly follow the NIST SSDF, I propose an additional area for Adoptium-specific items:
A: Secure Adoptium (#126)