
Open Source Security Coalition

Welcome

Welcome to the Open Source Security Coalition’s repo! The purpose of this repo is to provide a comprehensive overview of the Open Source Security Coalition (OSSC), its priorities, working groups, and projects happening within its working groups.

Mission

The coalition’s mission is to bring together companies and organizations committed to helping secure open source software globally. We seek to create a space for collaboration among members’ existing initiatives while encouraging the generation of new efforts.

Values

The coalition is guided by its seven key values:

  1. Openness and Transparency: We commit to encouraging all interested stakeholders to participate in the coalition and its working groups. The coalition’s work will be made publicly available.

  2. Maintainers First: We approach the work of contributing to improving the security of open source software with a strong respect for open source maintainers and developers, with an intent to create resources and tooling to help scale security improvements to benefit the open source ecosystem as a whole.

  3. Diversity, Inclusion, and Representation: We work to actively invite and include people from a range of backgrounds, locations, identities, and perspectives, and promote a culture of mutual respect and inclusiveness as a requirement for participation.

  4. Agility and Delivery: We work to deliver concrete and useful outputs and tools to help make open source more secure. We do so in a manner that enables us to learn from experience and experiment, and improve our outputs accordingly.

  5. Credit where credit is due: We commit to a culture where people’s contributions are recognized and acknowledged fairly.

  6. Neutrality: We don't bias toward any ecosystem, vendor, or platform.

  7. Empathy: We recognize and understand each other's challenges, perspectives, and circumstances. We commit to a culture of listening to and caring for multiple opinions.

Active Working Groups

The coalition currently comprises four main working groups.

Vulnerability Disclosures

Our vision is an open source software ecosystem where the time to fix a vulnerability and deploy that fix across the ecosystem is measured in minutes, not months.

The first objectives we’re using to track our progress towards the vision are:

  • Create a unified format and API for vulnerability reporting (from researchers to maintainers) and drive broad adoption of it across the open source software ecosystem.
  • Create a unified format, API, and process for coordinated disclosure (from maintainers to users and the wider world) and drive broad adoption of it.

We’re collaborating with existing vulnerability-format efforts such as the CVE Automation WG and Quality WG, and looking to use existing standards like purl (Package URL) wherever possible rather than inventing something new.

Identifying threats to open source projects

The group’s objective is to enable stakeholders to have informed confidence in the security of open source projects. At the macro level, this includes identifying threats to the open source ecosystem and recommending practical mitigations. At the micro level, we will identify a set of key metrics and build tooling (API, web UI) to communicate those metrics to stakeholders, enabling those stakeholders to better understand the security posture of individual open source components.

Current Project Work

Designing a security dashboard & API: Identifying meaningful metrics, and usable representations of those metrics, to help contributors to and users of open source software understand the security risks and mitigations specific to a given repository or project. Near-term output from this effort will include a specification for both a GUI dashboard and an API from which the metrics can be obtained.

Best Practices for OS Developers

The objective of this WG is to provide open source developers with best-practice recommendations. Unlike other existing best-practice lists, we want ours to be widely distributed to open source developers, community-sourced, and easy to learn and apply.

Current Project Work

Learning platform: The group is currently focusing on a learning platform that makes it easy for open source developers to learn about security research and vulnerabilities. The purpose of this platform is to aggregate existing security courses and encourage a user or learner to engage in coding exercises and other courses related to a given vulnerability. This platform:

  • Can integrate exercises from different training platforms;
  • Can collect completion information and provide the learner with progress status for a given learning path, or achievement badges;
  • Can integrate with the development workflow and propose exercises related to the task at hand.

Security Tooling

The objective of this working group is to bring security tooling closer to OSS developers and make it more accessible to them. Its high-level areas of focus are uniform build systems, scaling fuzzing efforts and connecting them with better reporting, embedding static code analyzers into platforms, and finding better ways to benchmark security tools.

How to Contribute

The OSSC wants your input. As a first step, we encourage you to share your thoughts and feedback via Discussions with the owners of this repository. More robust guidance on contribution and a code of conduct are coming soon.

How to Join OSSC

Currently, we have paused accepting new members while we finalize our organizational structure and governance model. Once our governance is in place, we will update this section with the best way to become a member of this coalition. For more information on the coalition and its working groups, please reach out to us at oss-coalition@googlegroups.com.
