►
From YouTube: Moving Beyond CVEs: Why We Need a Strong Security Posture in Open Source? - Alice Chen & Beth Fuller
Description
Moving Beyond CVEs: Why We Need a Strong Security Posture in Open Source? - Alice Chen, Armory & Beth Fuller, Themist
At last year's Spinnaker Summit, Beth shared the Security SIG's progress in implementing a Vulnerability Management Process for OSS Spinnaker, and the "why" behind it. Digging more into security has highlighted the importance of implementing and communicating intentional security practices in an OSS project. In this talk, we'll look beyond Spinnaker to explain why having a good security posture means a lot more than just CVEs. What does it look like to shift left in OSS? How does doing so make life easier for the Security Engineer persona? We'll make a case for codifying open source security processes through both automation and governance, and recommend an upstream CI experience to make projects safer and OSS users' lives easier.
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
A
A
A
A
common
vulnerability
scoring
system
is
the
scoring
system
that
you
use
in
order
to
identify
the
score
that
a
cve
came
with
and
whether
or
not
that
matches
with
everything
that
and
whether
or
not
that
matches
with
your
application
stack
and
one
of
the
ways
that
you
do,
that
is
via
a
threat
model.
So
the
threat
model
essentially
is
the
justification
and
making
it
defensible
in
order
for
you
to
decide
if
something
is
or
is
not
a
high
rated
cve
after
you
do
that
you
decide.
Are
you
going
to
patch
it?
A
Are
you
going
to
document
it?
What
are
you
gonna
do
and
then
all
of
that
process
kind
of
like
tidies
up
and
you
move
on
to
the
next
iteration,
and
that
brings
us
to
shifting
left
so
in
this.
What
we're
gonna
do
is
we're
going
to
basically
have
a
q,
a
style
as
we
go
through,
where
I
am
the
question
and
alice
is
the
answer.
A
B
So,
first
of
all
for
oss
projects
and
any
project
any
you
need
a
security
team.
But
more
specifically,
if
you
have
an
open
source
project,
you
would
probably
want
to
create
a
security
sig.
So
that
way
you
can
recruit
the
right
people
in
security
and
other
areas
to
help
you
define
the
process
that
you're
going
to
need
to
follow
for
fixing
different
security
things
and
then
obviously
that
you
need
participation.
A
B
A
B
No,
so
it
means
like
say
if
you
have
a
security
vulnerability
that
is
related
to
say
network
or
to
your
host
machines
like
typically,
then
you,
you
should
defer
to
your
operations,
people
or
your
network
engineers
or
whatever,
because
they
are
the
sme
of
that
particular
like
they
are.
The
experts
in
that
particular
field.
A
I,
like
that,
it's
it's
like
actually
working
together
as
a
team,
which
seems
that
seems
pretty
handy.
It
is
so
then.
The
next
thing
we
kind
of
talk
about
is
the
notion
of
guard
rails.
So
if
you
have
everyone
who's,
the
appropriate
expert
and
you're,
you
have
those
policies,
then
then
talk
about
why
it's
important
to
have
guard
rails.
A
B
So
when
you
have
like
guardrails
in
place,
and
especially
if
you
have
like
policies
as
code
first
of
all,
like
anybody
then
can
go
view
the
policies
and
see
like
if
they
have
questions
they
can
talk
to
their
security
engineers
or
whatnot
or,
let's
say
like
if
the
your
policies
are
actually
implemented
in
your
lower
environments,
also,
except
maybe
with
it
as
a
warning
rather
than
a
hard
stop.
Then,
as
the
developers
or
operations
engineers
bump
up
against
all
these
different
policies
like
they
can
they
can.
B
You
know
they
can
then
make
the
decision
and
hey
okay,
this
this
is
this.
Is
this
doesn't
work
for
me
or
oh,
I
just
didn't
know
about
this
and
then
change
their
behavior
accordingly.
So
you
you
get
to.
You
can
mitigate
a
whole
bunch
of
risks
earlier
in
your
development
life
cycle,
if
you're,
if
you
especially
if
you
implement
like
the
policies
as
code
and
some
of
these
other
things
earlier,
so
everybody
gets
used
to
it
earlier.
If
you
don't,
then
you
end
up
with
a
gigantic.
B
You
know
fire
in
production,
typically
like
when
things
start
going
wrong
or
when
things
get
accidentally
deployed
with
too
many
permissions
or
or
you
know
too
open
to
the
world
and
which
then
also
you
know,
the
company
then
usually
typically
has
a
lot
of
security
risk.
Just
from
that
one
deployment,
okay,.
A
So
the
next
one
we
have
is
scanning
all
the
things,
and
this
is
kind
of
my
favorite,
because
I
learned
from
you
that
there
is
more
to
scanning
than
just
cves
that
there's
a
whole
lot
of
things
that
you
need
to
scan
and
there's
a
variety
of
reasons
in
which
you
need
to
scan
them.
And
so
it's
a
much
it's
a
much
bigger
issue.
So
can
you
talk
to
us
a
little
bit
about
that.
B
B
If
you
don't
have
the
code,
it
involves
like
the
the
host
that
this
application
is
on,
whether
it's
like
in
a
container
in
a
vm
or
some
lambda
function
or
whatever,
and
it
also
includes
things
like
you
know,
like
the
network,
and
you
know
all
the
other
things
related
to
this
application.
That's
that's
coming
in
so
like
that.
Basically
has
one
application
has
essentially
a
lot
of
vectors
that
can
possibly
be
attacked
right,
and
so
all
those
like,
if
you
can
scan
as
many
of
those
vectors
as
possible.
B
A
A
So
as
we're
kind
of
coming
in
and
talking
about
this
one
of
the
things
that
the
industry
talks
an
awful
lot
about,
is
the
importance
of
shifting
left
everyone's
all
about
how
do
you
shift
left?
So
what
I've
I've
heard
from
you
is
one
of
the
important
things
about
shifting
left
is
making
sure
that
you
have
appropriate
levels
of
collaboration
and
you've
kind
of
talked
about
that
as
we
go
through.
So
did
you
want
to
talk
a
little
more
about
what
like?
What
are
your
thoughts
on
that.
B
Yeah,
so
you
you
can't
like
you,
you
can't
you
can't
shift
left
or
you
can't.
You
can't
do
anything
earlier
in
development
right,
if
not
everybody's
kind
of
on
the
same
page
right.
So
it's
a
it
it
just
it's
it's
a
there's.
A
thing
like
I
was
talking
about
earlier,
whereas
if
you
find
when
you
find
a
security
problem
after
something
has
gone
to
production,
typically
you're
gonna
have
you're.
B
B
A
Right
no-
and
I
I
like
that,
and
and
I
like
the
idea
that,
with
that
shift,
left
the
the
importance
and
the
emphasis
is
really
like
the
closer
you
get
to
writing
actual
code,
really
that's
when
it's
cheap
to
make
changes
and
to
throw
something
away,
yeah,
which,
which
is
important.
I
think
we
know
that,
but
we
don't
know
that,
like
we
know
that
logically,
but
putting
all
the
parts
and
pieces
together.
It
was
really
helpful
for
me
to
kind
of
hear
about
that
from
you.
A
B
So
for
for
an
oss
project
or
any
project
like
if
you
don't
have
a
security
team,
you
need
to
get
one
pronto.
So
in
the
oss
project
you
want
to
create
a
security
sig.
So
for
you
know,
whoever
is
most
interested
in
doing
security
and
also
recruit
your
security
experts
or
some
of
your
security
experts
to
help
create
like
the
processes
and
policies
and
procedures
for
the
project,
and
then,
of
course
you
need,
because
you
really
need
cross-collaboration.
B
You
would
also
want
to
make
sure
you
recruit,
like
your
the
developers
and
the
people
that
are
interested
in
infrastructure
and
all
these
other
all
the
other
kinds
of
experts,
that's
needed
for
your
project
to
collaborate
in
this
in
the
securities
thing
and
then,
of
course,
you
yourself
should
try
to
contribute,
like
whatever
expertise
you
have
and
then,
most
importantly,
ask
questions
without
any
questions.
Nobody
knows
what's
going
on
like
in
with.
A
That
is
amazing.
Thank
you,
so
much
alice.
So,
let's
see
oh,
I
think
I
went
a
little
bit
out
of
order,
so
in
terms
of
the
successfully
shifting
left-
and
I
didn't
go
out
of
order-
so
we
talked
about
what
it
is
that
we
need
in
order
to
set
everything
up.
But
how
do
we
make
sure
that
we
continue
to
be
successful
as
we're
going
through,
because
they're
they're
a
little
bit
different?
It's
like
great.
We
have
this
process
and
now
what
so
do
you
is
that?
B
A
B
And
the
other
thing
is
that
you
know
you're
going
to
create
something
that
is
well
known,
called
alert
fatigue.
So
people
like
the
the
more
things
that
they
look
at
that
doesn't
or
they
think
doesn't
relate
to
them.
The
less
they're
going
to
pay
attention
to
said
alerts
and
notification
right.
So
you
would
rather
just
you
know,
have
like
a
alert
or
notification
for
something.
That's
super
critical
at
the
very
beginning
of
your
project
and
only
a
couple
of
them
like
a
week
or,
however
many
like.
A
A
A
Yes,
they
do,
and
with
that
I
actually
wanted
to
share
with
everyone
before
we
go
to
the
question
slide
that
we're
not
lying
there's
a
whole
website
that
is
dedicated
to
this.
In
case
you
are
curious
and
if
you
want
to
see
the
little
acorn
and
where
they
impact
directly
there,
you
have
it
so
a
fun
little
project
from
some
of
our
security
friends
and
what
they
are
doing
in
the
world
today
to
keep
all
of
us
safe
from
the
mighty
squirrel,
all
right.
A
A
All
right,
hi,
no
they're
real
squirrels
fernando
there.
There
is
actually
somebody
who
tracks
all
the
cyber
attacks.
There
was
actually
a
fairly
sick.
I
think
it
was
a
significant
one
in
I
want
to
say
vancouver
bc,
and
it
was
because
a
beaver
was
making
their
dam
and
chewed
through
the
fiber
line
and
took
everything
out,
so
they
do
literally
track.
All
of
that
and
some
of
the
challenges
that
nature
can
cause
from
a
cyber
issue.
So
with
that,
does
anyone
have
any
questions.
A
It
is
cooler,
and-
and
that
was
that
was
from
the
there's-
a
hacker
slack
slack
group-
that
someone
actually
maintains
that
and
they
track
it
year
over
year.
So
the
link
you
can
actually
look
for
all
animals
versus
squirrels
and
where
they
happen,
and
you
can
break
it
down.
So
it's
kind
of
it's
a
fun
little
thing.
A
The
more
important
thing
is:
does
anyone
have
any
questions
for
alice
or
myself,
probably
more
alice
than
myself?
I
don't
have
to
facilitate
because
she's
right
here
live
and
in
person
and
in
terms
of
what
kind
of
things
how
how
you
might
get
started
with
setting
up
a
security,
posture
and
kind
of
the
moving
beyond
some
of
the
basic
kind
of
the
basic
stuff
that
we
had
talked
about
or
I
had
talked
about
last
year.
A
B
B
Oss
communities
that
successfully
shift
security
to
the
left,
even
if
it's
just
a
little
bit,
I
have
I
I'm
pretty
sure
there
are,
but
I
haven't
actually
monitored
a
lot
of
these
oss
projects.
I
know
like
certain
certain
ones
with
the
apache
foundation.
They
do
do
some
of
this
security
things
because
for
for
part
of
it,
it's
like
they
it's
it's
part
of
their
ci
process.
B
Let's
just
put
it
this
way,
so,
but
it's
like
to
various
extents
right,
like
some
of
them
just
do
license
scanning.
Some
of
them
do
a
little
bit
more.
They
do
you
know,
code
scanning
and,
and
it
I
think
it
really
kind
of
depends
on
how
just
how
everybody
does
it
together.
Like
I,
I
would
say
your
best
bet.
If
you
want
to
look
at
it,
is
probably
look
at
an
oss
security
project.
B
A
A
A
A
All
right,
I
guess
I
forget
how
long
we
have
like
we
can
certainly
hang
out.
We
have
two
more
minutes.
We
only
have
two
more
minutes.
So
if
you
have
any
more
questions,
you've
got
to
make
it
fast.
Otherwise
you
know
you
can
also
spend
time
checking
out
cyber
squirrel,
because
I
find
that
endlessly
delightful
and
also
I
just
want
everyone
to
understand
the
restraint
that
I
was
able
to
have
out
of
respect
for
alice
that
I
didn't
cover
everything
keanu
reeves.
A
A
A
I
think
for
me
it's
just
a
matter
of
understanding
and
talking
about
plain
language,
how
many
people
are
actually
moving
towards
using
plain
language
and
have
you
seen
that
work?
Have
you
seen
that
shift
of
going
from
strong
security,
language
to
plain
language
and
other
people's
ability
to
actually
participate
in
the
security
process?.
B
So
I
was
a
good
indication
of
that.
It's
like,
if
security
sends
you
like
a
cbe
report
like
do
you
even
understand
like
what
that
report
is
actually
telling
you
like,
and
what
what?
What
is
the?
How
do
we
mitigate
the
things
in
the
report?
If
you
can't
figure
that
out
without
pestering
them
and
asking
them
a
million
questions,
it
is
not
in
plain
language,
yep
yep,.
A
Yeah
and
I
think
so,
I
think-
that's
kind
of
an
important
shift.
I
know
a
number
of
people
within
the
security
community
are
working
really
hard
to
kind
of
make
things
more
approachable
and
make
themselves
more
approachable,
and
so
I
guess
in
closing
it,
I
would
just
say
if
you're
not
actually
in
security,
be
open
to
reaching
out
to
your
security
team.
As
alice
said,
ask
questions,
ask
all
the
questions.
A
They
want
the
questions,
because
if
you
might
have
something
that
you
think
is
insignificant,
but
it
turns
out
to
be
something:
that's
fairly
significant
and
you're
going
to
make
a
make
a
big
difference
by
asking
that
and
then
they
know
how
to
educate
the
teams
more
effectively.
So
don't
be
afraid
to
ask.
B
Yeah
more
questions:
they
have
the
better
they
they
they
can
come
up
with
these
answers
beforehand,
among
other
things,
and
that
might
also
then
prompt
them
to
move
to
more
plain
language,
like
you
know,
reports
and
that
type
of
stuff,
when
communicating
with
everybody
else
too,
because
they
shouldn't
want
to
be
doing
or
answering
the
same
questions
over
and
over
and
over
and
over
again,
if
they
can
help
it
right
so
yep,
it's
like
you
need
to
give
them
the
feedback
that
we
do
not
understand
what
on
earth.
You
just
said.