►
From YouTube: Building Secure Open Source Communities From the Ground Up- Kiran 'Rin' Oliver, Camunda
Description
Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Building Secure Open Source Communities From the Ground Up- Kiran 'Rin' Oliver, Camunda
When bringing together open source projects and contributions into a GitHub Organization or a collection of projects, it can be challenging to implement security best practices, outline how to best handle dependency management and vulnerability scanning, and how to balance the load of your Developer Experience team with the day-to-day work undertaken by open source maintainers to ensure their projects are secure. Building and implementing security policies for an open-source, community led project, or community GitHub Organization comes with a learning curve, but it’s not unachievable. In this presentation, attendees will learn how to evaluate and implement existing open source technologies such as Renovate, Trivy, JFrog X-Ray, CodeCov, and Dependabot to better empower and enable their open source project maintainers. This presentation will also explore how to write clear, scalable, and impactful policies and documentation that lays the foundational groundwork for a more secure and stable open source community.
A
Hi
everyone
I'm
rin
oliver
and
I
use
the
heat
pronouns,
I'm
a
non-binary,
multiple
neurodivergent
technical
community
builder
at
camunda.
You
can
find
me
on
twitter
at
karen
underscore
oliver
on
github
slant.
I'm
here
to
talk
to
you
today
about
building
secure,
open
source
communities
from
the
ground
up.
A
A
So
what
you
need
to
do
is
define
a
baseline
of
what
security
means
to
your
project
or
your
organization
and
improve
it
alongside
your
community,
whatever
security
looks
like
that's
unique
to
your
community
itself
doesn't
have
to
be
the
same
as
everyone.
That's
in
your
ecosystem,
it's
going
to
be
unique
and
it
has
to
be
yours.
Security
can
be
influenced
by
your
peers,
but
in
the
end
it
has
to
be
tailored
to
you
and
your
developer
community
itself.
A
You
should
have
strategies
in
place
that
will
detail
when
and
how
community
members
should
report
vulnerabilities.
What
constitutes
what
a
vulnerability
is
and
evaluate
dependency,
management
for
your
community
maintained,
extensions
or
public
forks
or
whatever
community
contributions.
Those
are.
Are
you
going
to
require
people
to
keep
their
dependencies
up
to
date?
Are
you
going
to
have
a
policy
that
says
if
something
isn't
updated
within
30
60
90
days,
you
will
face
some
sort
of
action,
etc.
Having
those
things
defined
beforehand
helps
make
your
security
policies
and
governance
easier,
especially
when
your
community
is
scaling.
A
A
There
are
a
variety
of
container
scanning
tools
available
to
you,
such
as
aqua
securities,
trivi
and
jfrog
maven,
x-ray,
trivia
scans
docker
files,
and
it
works
with
kubernetes
terraform,
a
variety
of
operating
system
configurations
and
much
more
and
looking
for
vulnerabilities.
It
also
scans
for
common
configuration
issues
and
will
alert
you
if
something
is
configured
incorrectly.
A
A
And
to
that
extent,
when
all
else
fails
use
bash?
Why?
Because
sometimes
the
solution
you
want
to
use
might
not
be
the
one
you
actually
can
use
in
reality
at
commenda
we
originally
had
hoped
to
use
trivia
with
github
actions,
but
the
way
our
action
was
written
up
until
recently,
github
actions
did
not
have
the
ability
to
write
concurrent
actions
in
that
you
could
not
use
the
uses
and
with
keywords
in
the
same
github
action.
A
Now
you
can
do
that
as
of
august
25th,
or
so
they
actually
put
patch
that
in,
but
it's
still
in
the
works.
So
we
had
to
end
up
pair
programming
across
our
departments,
with
myself
on
the
developer,
experience
team
and
the
infrastructure
team
to
come
up
with
a
way
to
get
trivi
into
our
automated
release
action
without
using
github
actions.
A
So,
although
we
couldn't
use
github
actions
entirely
with
trivia
at
the
time
bashed
into
the
rescue
and
in
the
end
we
had
to
be
flexible
and
we
had
to
cooperate
across
teams
to
get
that
done,
and
it's
working
out
really
well,
you
can
take
a
look
at
it
in
the
community
community
hub
and
check
out
how
we
did
it
and
the
community
action
move
and
release
tool.
It's
really
great
and
it
was
a
collaboration
between
our
developer
experience,
team
and
our
infrastructure
team.
A
But
that's
okay,
because
that's
telling
you
a
lot
of
things
that
you'll
need
to
know:
there's
code,
cov,
white
source,
renovate
and
dependabot,
which
is
the
one
that
everybody
knows
because
it
was
recently
made
part
of
github
itself
so
code
cov
is
source
code
coverage
for
over
20
languages
can't
list
them
all,
but
codecov
covers
a
lot
and
it's
also
cic
diagnostic,
so
whatever
cicd,
tooling
you're
using
code,
cov
probably
works
with
it.
It's
also
usable
with
multiple
cloud
platforms
that
works
with
azure
works
with
gcp,
etc.
A
A
Renovate
is
really
awesome
in
that
it's
an
alternative
to
dependable
and
renovate.
Depending
on
what
you're
doing
can
be
better
or
worse
for
you
than
the
pandabot
I'd
highly
recommend,
comparing
and
contrasting
the
two,
not
necessarily
apples
to
oranges,
more
like
apples
to
a
different
kind
of
apples,
which
is
fine,
but
in
the
end
it
really
depends
on
what
your
use
case
and
your
scenario
is,
I
like
both
of
these
things,
because
they
do
slightly
different
things
and
slightly
are
slightly
better
depending
on
the
particular
use
case.
You're
using.
A
I
right
now
prefer
renovate,
but
that's
just
because
of
the
amount
of
projects
and
the
type
of
projects
I'm
working
with
renovate
detects
dependencies
number
projects
in
a
repository
and
checks
that
newer
versions
are
available.
It
also
creates
commits
and
merges
pull
requests
to
apply
those
changes,
and
it
also
includes
release
notes,
which
is
really
awesome,
love
that,
because
nobody
likes
to
write,
release,
notes
and
renovate
will
do
it
for
you
to
an
extent.
It
will
at
least
give
you
the
building
blocks
to
write
better
release.
A
Notes,
dependable
also
creates
pull
requests
to
keep
dependencies
up
to
date,
and
it
will
slowly
open
prs
over
time,
unlike
renovate
which
can
open
about
12.
At
a
time,
and
in
contrast
to
renovate
dependabot
will
tell
you
release
notes
as
well,
and
it
will
also
monitor
security
advisors
for
eight
common
languages.
So,
as
I
said,
apples
to
different
kinds
of
apples
renovate
will
also
tell
you
the
amount
of
individuals
that
have
actually
installed
that
fix
and
whether
or
not
they
believe
it
is
trustworthy
to
install
it.
A
Dependable
is
great
in
that
it's
already
integrated
with
github,
so
that
does.
That
means
that
you
don't
have
to
necessarily
bring
on
anything
new.
You
don't
have
to
scratch
your
head
and
go.
What
should
we
do
dependable?
Is
there
in
github
waiting
for
you
to
use
it
and
make
use
of
it?
And
if
you
are
part
of
the
alert
fatigue,
you
can
actually
customize
renovate
and
dependable
to
reduce
the
number
of
those
notifications
and
filter
those
out
to
make
sure
that
people
aren't
getting
notifications
every
time.
A
A
A
A
I
don't
want
to
do
this
anymore,
and
so
we
had
to
figure
out
a
life
cycle
for
these
extensions
to
say
this
is
deprecated
people
shouldn't
use
it
introduce
shields
dot,
io
badges
that
gave
people
a
way
to
navigate
directly
to
that
repo
and
said
okay,
this
is
deprecated.
I
should
probably
shouldn't
put
this
into
production,
probably
shouldn't
use
it
in
my
product
and
so
by
introducing
those
life
cycle
badges
and
that
life
cycle
pathway.
A
A
A
A
If
you're,
if
it
seems
impossible,
don't
worry,
just
break
it
down
compartmentalize
it's
going
to
be
okay.
If,
by
breaking
down
a
task
you
can
make
it
seem
a
lot
more
manageable.
First,
things
first
is
to
evaluate
that
task
is
now
the
right
time.
Do
we
need
to
do
this
at
this
very
moment?
What
will
happen
if
we
don't?
What
happens
then
so
evaluating
that
task
is
critical.
A
So
ask
yourself
is
now
the
right
time
and
next
you
should
probably
do
some
research
confirm.
That
hypothesis
is
what
I
think
actually
correct,
or
am
I
going
to
end
up
sitting
there
saying
this
actually
wasn't
correct
and
having
to
go
back
to
step
one
so
by
doing
research
and
making
sure
you
have
all
of
your
proverbial
ducks
in
a
row,
you'll
make
sure
that
you're
not
going
to
sit
there
and
go
in
circles
and
once
you've
done
your
research
and
that
hypothesis
is
confirmed,
you
get
to
implement
it.
Do
the
thing
you
did
it?
A
Congratulations
so
by
breaking
things
down,
you
can
actually
make
sure
that
you're
not
overwhelming
yourself.
It
doesn't
all
have
to
be
done
at
once.
Taking
it
step
by
step
means
that
it's
going
to
be
realistic
and
achievable
for
everyone
on
your
team,
and
it
means
that
you're
reducing
burnout
and
that
you're
not
driving
people
to
a
place
where
they
can't
meet
their
deadlines,
and
they
can't
meet
their
obligations.
A
I've
got
a
quote
here
by
one
of
my
friends,
alyssa
miller
and
alyssa,
has
said
as
digital
transformation
trends
continue.
Security
has
to
be
a
part
of
every
phase
of
our
business.
So
why
then,
don't
leaders
look
to
grow
security,
expertise
in
all
business
functions
and
alyssa
is
wonderful
and
is
at
global
ratings
and
is
a
biso
at
s
p
in
global
ratings,
and
that's
a
pretty
accurate
quote:
if
we're
not
grooming
security
expertise
across
the
business,
it
can't
just
be
the
security
team.
It's
everyone.
It's
developer
relations.
It's
developer,
advocacy!