OpenSSF Securing Critical Projects WG, 1 Jun 2023

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: Securing Critical Projects WG Bi-Weekly (June 1 2023)

Description

Agenda: https://docs.google.com/document/d/1MIXxadtWsaROpFcJnBtYnQPoyzTCIDhd0IGV8PIV0mQ/edit?usp=sharing

A

B

Hello greetings.

B

So this other presentation this morning with the spdx but Glock.

A

A

C

Hello how's it going.

B

So the business model for guacas or sorry is to have companies import their private uh best bombs and dependency chains and into the the rest and connect that up to the public graph that you created and then that concern will keep that information. Cordoned off and proprietary yeah.

A

I mean I think there's a lot of options for kind of early days, so, okay, uh yeah and like run guac or you know, people are going to need a lot of help getting like a process for, however, they build software and s-bombs to all like beat into block. And then what do you do once you have that data like do you build policies, or you know like procedures on top of that and integrate that with the rest of your your company, yeah.

B

I mean I was you know, honestly sort of worried that the next thing or I mean one of this? Is you combine it with the policy? And you say: oh you know, you know your social credit isn't good, so we're gonna, just you know, remove your deployment abilities so automatically.

B

Yeah autonomic use of this uh this this graph could be interesting.

A

A

um So the risk of repeating myself, I'll, say I think so our our meeting invite got updated. um The meeting notes document was replaced. The old one I think it was. It was owned by Dan and it wasn't shared to everybody and we had to join the group to access it.

A

So the the Linux Foundation PM team took over the ownership and now it's set to um World writable. So, like anybody can edit it, you don't have to join them. The group I don't know how that's going to play out. It's.

C

Like random Anonymous foxes and people in the dark side,.

C

I just started today's.

A

Thanks yeah I would like I, wasn't even sure which one it was opening because they look the same yeah.

C

I I just picked the link and was like I think it's this one well.

A

My my calendar wasn't updating too so, like I, have a couple different Google accounts and like in one I, was seeing it at the wrong time and the other one I was saying at the right time and I didn't know which one had the new link or the Old Link. Oh.

B

No yeah I mean I found that even when I went I mean I, I use, Google, Calendar and I can never get it to actually copy it. From the openssf calendar into my calendar at the alternating times. It always puts it at the whatever it was. Originally the West Coast select I mean you know: yeah I'll go in there and say: okay, yeah I, see it at 6 pm and I'm in East, Coast us and let me copy this and then it copies it and puts it. It's like no.

A

Yeah I think they have to manually go and change each other every other one. And so, when you copy the series you get the base series, you don't get all the.

C

A

C

The way to do it is to actually create the two meetings separately. Two.

A

Separate series.

C

A different time yeah two series that, like interleave right every second week, every Fortnight as we say down here.

B

C

Month, yeah, sorry.

B

Right so did we I mean I, didn't I mean there seems there was a rather low turnout last time is there any did? Did you Jeff? Did you just decide the rest of them? For us? We still have work to do.

A

Still have work to do: yeah, I, don't I, don't know who shot up last time. I think nobody! Okay! Well, let's, let's go through some of them.

B

A

Okay, okay, thank you. Caleb.

A

A

All right, can you see my screen.

B

A

So this is the old, the new one I think that's there and.

C

Then I put this.

A

On the other one, so if you see this at the top you're in the wrong line and then that's 518, okay, okay, cool, let's go back to here all right! uh Let's keep these two skipped again. These last few lines uh sonar Cube.

A

It has high Docker pull count. Data.

C

Hopefully, that's not that's someone's CI system.

A

A

It's definitely a correlation between things used in CI and full County.

B

It's written in Java what could go wrong.

C

It's a code, quality analysis, thing, yeah.

B

B

I mean in some places, they're like self-referential. I'm, like we're I, mean part of what the open ssf is trying to do now is create this Sterling tool chain. So it was the Sterling tool chain automatically become critical software because it's a sterling control chain, I, would say: I mean it's like you know, art, I, guess, I, guess we need to call our I mean by definition. Our tools have to be critical right. We open ssf right all right, I, don't think so. No okay, I mean I just realized.

B

What's wrong with you, Jeff block isn't listed. Why okay, everybody's in favor of Glock, being critical software.

C

There needs to be like a minimum age for a project.

B

I agree: I'm, trying to give you a free one here, Jeff.

A

B

Go to the VCS and say: look we're already critical software. You know you got to understand this game. Jeff I mean you're part of the startup. What's wrong with you. Well, you make the big bucks.

C

The the thing that would so assuming we like accept that Sona Sona cube is popular. The thing it's placed in the CI chain is interesting and the like the fact that it's parsing source code um is interesting as well, but I really don't know who's using it.

A

Do we know, is this like this? Isn't a super high GitHub members here right or is it.

A

Don't seem very active.

C

Their last release was February this year, so it's not uh and and if Sona Source like. If this is a the Nexus of their development, then okay, that's not a whole lot of activity. But if it's.

B

Not listed in the Omega 10 000 projects.

A

Yeah I, don't I, don't think we're finding any reason to say yes to this, so I'm gonna propose now.

B

C

I'd propose no as well but again. I have very narrow view of the world.

B

A

What is highest doctor will count.

C

Teamspeak is a fairly popular voice, chat, thingy I mean it's been around since I was in like since the early 2000s like.

C

um Is it a client that we're like is the? Is it a server like? What are we actually right.

A

C

To here is that a client, the server is it um more than one aspect like it's not actually clear what we are actually asked to be um yeah well,.

B

B

So it's basically VoIP, no, no but yeah. This is the gifts. Okay, we don't have a link to the reaper, so.

A

Yeah I know this is another doctor pull account.

B

Yeah but what's what's the repo yeah what's in the repo.

C

Yeah, that's a fair point um and it's like technically uh like the licenses. We.

A

Use it looks like you have to accept a license agreement to use the software.

C

Like I like on licensing terms, this could be a dubiously tricky one to deal with um the free like there's a free server license. But what is the license itself.

A

Yeah, this isn't.

C

So it's a teams yeah, it's a customer license I would claim this is not quite open source, yeah, yeah I. Think um it's probably it's not to say it's not popular right.

B

I I agree: that's a telegraph. Okay,.

C

B

C

B

A

C

Telegraph, what you.

C

Know you know when you see plug-in systems, you know, there's an entire ecosystem of plugins somewhere that nobody's looking at.

C

Although they appear to have a um the plugins are built, there are plugins built into the repo itself.

A

We had a criticality score on this one.

C

A

And that's how.

C

A

Going sorry yeah, I'm, sorry.

C

Yeah Telegraph: um do you want me to find one.

C

We are still trying to fix the.

C

The prod system for criticality score.

C

Telegraph all right, let's find it.

A

There's like a lot of it's like there's a lot of users.

A

B

Amazon plug-in for it that could be a big driver. Puppet I mean it definitely seems to be sort of a Nexus for a lot of other yeah.

A

B

Ecosystems, Homebrew.

B

But the thing is, it's, you know I, guess he uses it in Flex data, so I mean we need to make sure that our people commenting about Telegraph itself or about influx data, which is itself used a lot.

C

There's also looking at this there's a telegraph. Oh this repo itself has a the score that I had from it. Last time was uh hang on, If Only, The Columns are in order default score is 0.65.

C

A

Is that high or low.

C

It's kind of in like uh it's not high, that's for sure.

A

Okay, I mean I think this is one that like we could see it becoming critical if it had more evidence, um but it's like it seems like a popular and used projects that, in.

B

Exactly it's popular, but it doesn't seem to be on the critical path.

A

Yeah, oh yeah, then my other argument is like yeah things that are like necessarily like outside of the you know. Your core infrastructure like collecting, processing, aggregating metrics, like if that's compromised, and you have like a true zero trust architecture. Then like what can it access like I? Don't know you know.

C

A

A reading system, the.

C

The danger will be not the collection system, it will be the agents that do the.

A

Cloud yeah yeah, so.

C

It depends on how they are architected. um Usually, though, you have agents living inside the um inside the kind of software that you're monitoring. So this one is like it would be worth looking at um what was the other one um there's another one that I was hit around, for that was right at the top and I can't remember what it's called because I'm having a blank on it at the moment, um that's quite popular um going through the main set. Let's see if I can see it.

C

um We may have already rejected it actually I'm, like hang on a sec.

C

I'll figure it Sentry. That was the other one that we were talking about. I.

A

C

We rejected it.

A

That is the sound here.

A

uh Consensus and uh no in the arguments.

B

A

This is a very high performance.

A

C

They've split the columns yeah yeah two billion is huge. That's almost three. What is that.

C

'd be interesting to see like this in comparison to um like.

B

A

C

And um ha proxy all right all right. Let's.

C

I mean I, don't think it's as popular as hija proxy.

C

um Or an nginx is like far outs to trip them yeah, um but it may be that it suits itself more too I mean there are to like uh kubernetes uses, so it depends on right, like yeah. It's like kubernetes native API thing like I, think it's tying itself to that.

B

But I'm leading to yes on this, for you.

C

It's certainly more interesting than some of the other ones, yeah.

A

C

Docker pool counts um and it's the sort of thing where, like it's accepting internet connections, I mean the others are kind of like.

B

C

Mean it seems, sort.

B

Of critical I mean that that you know it's purpose is.

A

Yeah I definitely agree that it's like in a part of like the purpose of the software, is the critical in the critical path and would be very important but um yeah. The question is the usage like how many like, or should we just say, nginx is your proxy or and then this is next or can.

C

We identify it in a showdown query.

C

Let's do a test, let's see if.

B

I mean you know, even if, if it's in the uh you know duopoly or triopoly, it's still uh seems important. There.

A

Yeah but if it's like a distant third in usage,.

B

Yeah, but that doesn't mean it's not critical. I mean it's like. If you know it says: I mean yes, you don't want. You know ones you chooses, but if it's still used by, if there's some specific kubernetes configuration, you know that that uses a lot, that it just gets embedded into lots and lots of microservices or lots and lots of well I mean lots of containers everywhere. So it just becomes.

A

B

A

Is it lots or is it not lots like I, don't know.

B

Right I mean two trillions: yeah.

A

C

A lot yeah and it's and it's not going to be like the difference between this and some others- is that some are like part of the CI chain of tooling. This is kind of more on the edge of your actual infrastructure um and given like the prep, like the popularity in web attacks or HTTP attacks. This.

A

C

A reasonable one to include.

A

um Yeah I guess so the pull count like if it's you know every time a part, a node starts or something it has to pull this down. Yeah.

C

That's also not helpful.

A

But I mean it kind of shows it, so people are actually using it. If you.

B

Know if it's right.

A

B

Is a good and it says I mean I, mean love, didn't trust, I mean the you.

C

B

It's see success stories, um Dupont NASA.

C

Everyone loves putting NASA on the list.

B

Carfax Expedia.

B

All right, eBay classified groups, sainsbury Bose,.

B

Expedient listed Expedia listed twice.

B

Well, that's a negative.

B

uh People wouldn't notice that.

A

So you're thinking, yes.

B

One thing they said just sort of looking: if there's a specific um configuration that use like you know, why would somebody I mean you know if there's a specific kubernetes configuration that itself, we would agree, is critical that prefers this then I think that, given as as we've been saying, this is the you know: external visibility. It's the.

A

B

This is the proxy that I can definitely, you know, go along with um you know if by default, somebody's downloading, some, you know standard Docker configuration for some. You know Docker image, that's always using traffic.

B

That involves um that in some ways it's even more critical, because it's this you know web front end is the interface and people are using this um without thinking, I mean, in other words, if it's just there and they're, using that, it's even more that this is something that just needs to be um robust, because people aren't actually bothering to think about the configuration.

A

um Yeah I'm, okay, so yeah I'm good with yes consensus on the consensus. What about you? Caleb? Keep.

C

Falling uh I I would lean to Yes um yeah, just because it is like on the edge of the network by its definition.

C

And and the sort of stuff that is probably protecting or sitting behind it.

A

um Let's go next the vault. Clearly it's there was a lot of passwords.

A

C

A

Yeah yeah I think it's pretty widely used unless people just use their built-in Cloud. You know Secret store, which.

A

You know if you're going to use a Secret store. That's not the one! That's built into your cloud provider you're going to use this.

B

Yeah I'm leading to yes, yes, clearly.

A

It's going to have all the keys to the kingdom.

C

And it's also the de facto standard as far as these.

A

I think it is yeah.

C

A

C

Was building a system and I need Security Storage I'd be like Vault would be on the top of like on the short list. I.

A

Think yeah I've been but it'll be right behind, like it's like the gcp Secret store or whatever.

C

Yeah yeah, so any like Cloud native storage, yes, but um the fact that it's kind of agnostic, um yeah I, think I have used it before as well.

C

But crypto is notoriously full of fails. So.

B

Off Community Edition.

A

A

You have an issue here.

A

Must have been suggested, some other format, Community Edition, that.

C

Means like somebody in.

A

The community, like added out of the line or something or like suggested it in the slack or I, don't know in some way that wasn't I want to get an issue. Yeah.

C

It'd be nice if they came with a rationale: yeah.

A

B

um Oh, you just want everything given to you. Yeah.

C

Even if it's like uh I think a lot of people use this project like anything.

B

Yeah, more than.

C

B

I mean I'm trying to understand if they're confused between This and like wife as a the security.

C

Yeah they've not done a great job distinguishing themselves from the the web, application firewall and.

B

Right, so that's what I thought they meant so like if a person saying yes the web application, maybe that's what the person meant is the web application firewall that yeah.

C

B

C

B

Wife, I don't get.

C

It's a build system is.

B

Yeah I know I know, but I mean I I, but we don't know which walk they were actually referring to.

A

uh But we're gonna go with this one. Then, okay,.

B

All right, so you know those yeah I think so too.

A

C

Mean the only thing that's really interesting is that it's used for the same bar like um but I, don't think it's like in the same way.

A

B

Well, there's never been a security problem there. So yes.

C

It is critical, the only question I've got is it also has a lot of eyes on it.

A

Yeah I, don't think we consider that here. So if.

C

We don't consider that here then it's yeah.

A

The only the only thing I have is like, where do people run with WordPress and like what's the big deal like? Is it there's? There's a.

C

A

Of stuff, but what if it all gets compromised.

C

So online Commerce is often run on WordPress stuff, um so yeah and lots. Oh man, it's so much yeah gets run on WordPress, like the obvious thing, is a lot of blogs and Company websites run on WordPress, um but there are plugins that, like letter, do other things like data collection and uh like online shopping and things like that. So yeah, it's it's. The sort of thing where I plug in getting compromised that runs on enough websites ends up as a news item. So.

A

um What would you say like a data acquisition or.

C

So yeah I don't know it's just the the fact that like if you were not wanting to spend a lot of time, yeah uh building a website um or if you're, a an agency building websites, you may use WordPress as the basis for how you stand these things up. um So the sheer scale of Wordpress is yeah.

A

C

C

Still, amazing that it's like the thing that won it's like yeah, I,.

B

Was just there early I mean it was yes easy to do and you know I mean that was back I mean it's. Is it still a PHP or so uses PHP a lot? Oh yeah, oh yeah, so.

C

B

Know I mean it was the early I mean you know the early webs I mean you know. Apache hdb I mean you there weren't a lot of other.

B

um You know back end, so it's just you know, I just remember, WordPress, being around forever yeah.

C

It is owned by automatic who also you know crazy. Other number of things.

A

C

We all like to know where our stuff is.

A

My instinct is yes on zookeeper, unless it's like falling out of favor but I. Think.

C

Do people still use the Alternatives um I mean.

C

Zookeeper is very popular.

A

Yeah I mean I, think anything. That's like Apache Java, you know, enterprisey is gonna, help, zookeeper or somewhere any kind of big systems.

C

Like hccd was the kind of another flavor of it. Oh.

A

C

That's late, okay, but it came out a long time later. Yeah.

C

That's funny trap. The traffic is listed as an alternative on one of and search.

A

Let me say yes, anyway,.

C

A

Yep cool all right, we're done I think we'll leave those two for later. um So the thing that we didn't do yet is go through this current set and see. If there's anything, we want to take off.

A

um I did kind of ask people to put some stuff in, but I don't know. If anybody did um do, we want to do like an offline pass on this and maybe see if there's something anything that pops up. If not, then we ignore it or you want to go through this live.

C

They're all really good.

C

Yeah like on first pass, I, wouldn't turn any of these out.

C

Yeah, it's it's you'd almost have to um stack rank them and which is itself like almost impossible to figure out what stuff floats to the bottom yeah.

C

And I I suspect that any stack ranking will be. um Everyone agrees on the stuff at the top, but then at the bottom, like the lists are totally different. So it's gonna be hard.

C

I can't believe Joomla is still around.

A

A

um Did you all have any thought on we'll go down something.

A

C

Okay, so the difference is this: one has more.

A

Yeah this is the Ten Thousand, like a list of about ten thousand right, so I I.

A

You know it's also automated yeah, it should be. Oh man.

B

I think part of this was to for eign critical projects to take sort of ownership. Yeah absolutely of this yeah list.

A

B

I mean there's these things, don't I mean there there's ownership or so, like you know, tender current feeding of it versus also I think we were talking about using this as a starting point to eventually automate the critical. It's not use this as the critical projects, but use this as sort of an input for the critical projects. Yeah.

A

I mean this that the second half of what you said is a potential but absolutely not like um tied to this as a requirement for you know if we I think the proposal here is that we own the list as part of the working group and what we do with it. We can discuss too if we need to clean on it, but um yeah. Essentially, we take over the ownership, uh I I. Think I should ask Jonathan to um do any, do a little presentation on it too.

A

um Maybe at the next meeting, if you can and if there's any Automation- and you know what he would be interested in doing for us, but um overall I think it makes sense, and we should we should accept it.

C

Yeah I think it makes sense it just I'd like to were there? Is there details in the dock around how it's generated um like what does it actually mean to manage? It.

A

Yeah, that's what I want him to present right, yeah.

C

Yeah, sorry, okay, that's good yeah!.

B

Okay, yeah, we were all agreeing, yes, you know. Yes, what did we just agree to? Yes,.

B

Yes, we'll do this, what did we just agree to.

C

Well, yeah, it's like it makes sense. Please give.

A

Us, but but yeah, okay, cool.

C

A

All right, well, I'll, have Jonathan um present to us what it what it means to make it and run it and stuff.

B

And, of course, now that we've accepted this, the software to generate this now itself is a critical project.

C

I'd love to see those sorts of attacks against.

A

I'm not signed in here by switching topics a little bit uh I know that they they change all the GitHub permissions. um I'm gonna stop presenting them. You know present the other tab um so for our group we should probably have like um and then, if we do vote like, if we do voting for this uh accepting this uh list into the working group, we should probably have an idea of like who's a member.

A

So maybe we can use these um GitHub teams to indicate who's. A member of the working group and and I think being a member is just you know, showing us them participating, um so any any thoughts there. uh What we should do on the if the GitHub group makes sense.

C

uh Do they do? They include people who are contributors, but who may not be in the like regular contributors who are not in the um in any of those lists like either as attendees to the meeting or as members of the groups.

A

Well, we'll be on we'll be owners of the of the um the list, so we can put whoever we want in the list. Okay,.

C

Oh, that's: fair, yeah,.

A

So let me share yeah.

A

Very good: can you see my screen yeah? Okay, let's.

B

A

Moved us because they oops this was really really bad. uh Okay, so we were under working groups, as was package. Analysis was a working group and then I told them. Oh no package analysis is not a working group move it to projects, but they moved us to project and they.

C

Haven't fixed because is it because projects is in the name yeah? Maybe.

A

So we're here and I was trying to get him to create multiple ones. So I don't think we need all these teams. We probably just need like admins or write access for me in a mirror, and then we can use this group.

A

A

That's part of the that's a member? Let's say um David you're not on here.

C

A

C

A

B

Yeah, how do I join that or how am I get added? Is this you.

A

A

Not a member of this organization so do.

B

I need to be a member of openssf organization, yeah.

A

And I had you or do you have the request? They were saying they're going to open that up to everybody and then I could add. You I, don't know.

A

Okay, let me see, maybe I don't have permissions to just add people, but.

B

B

A

In this team Caleb, you might be worried about this, oh well, it used to be right. This team used to have right access to criticality score. They gave like uh all these people write access to criticality scores.

C

Look uh those people are all fine to have the right access to.

A

That person yeah, but you know what I mean like it's yeah.

C

A

Said make another criticality score team and because uh you're like I I me and Amir, don't need access to right access to criticality score yeah. That's.

C

Yeah, that's yeah.

C

Long term, it's a good like having the extra granularity is good.

B

B

How do I join? What's the current way to join an organization, because there's only I mean is who's allowed to join the open ssf organization?

B

Let's see Jeff you're a member.

B

Okay, so the organization needs to send an invite I, don't think it can request.

A

Okay: okay I'll message: the PM team and figure out how people can join because I want to set up the um permissions.

B

For this yeah not.

A

Just permissions but yeah I want to have our well. The voting use I mean yeah. I want to have you yeah, exactly yeah I want to have our team here represent, who um you know I'll go through the the meeting notes from the last year and had every person here or something you know: okay,.

C

A

Of something or other for how how the kids get up to date, and this would represent kind of who's. The member of the the working group.

B

A

B

um Sounds like a plan yeah.

A

um I haven't been a thing: that's called big, the notes other than that I think we're done for today. Unless.

B

We want to go back to those two that you, oh, the.

A

Last chance, um yeah I mean I, you can yeah I.

B

Mean we still really arguing about puppet or whatever? Is that really.

B

Covenant live websockets or we really.

A

So this one we nobody's really worried about it. It's just that. um What's his name, um a guy from Intel said he would go and ask the Octo project about it.

B

Okay, if you've never heard back and and puppet what I mean, why is there? Why is this remain controversial.

A

So I think the question about puppet was: um if the open source puppet was something that's actually widely used or not. Oh.

B

A

At the open source versus okay, yeah versus the Enterprise version, okay,.

B

We should probably put then put let's put that in the key, or can you put that in the arguments for against why or it's justification what this is, what we're worried about the proprietary versus you know: proprietary Enterprise versus open source version.

B

Okay, that that's a very fine question.

A

Yeah because I think we know it's puppets widely used, but.

C

A

I, don't know how functional it is like at scale you're, not using Enterprise like yep.

B

A

And we didn't hear anybody say: I, don't know about that. I don't know if we have a plan for these two, maybe we'll just skip on. If we can't find the answer, I don't know.

B

Okay, fine, that's good enough to table that for the time being, okay, yeah I! Think that's the other topics for me.

B

Thanks for clarifying yeah.

A

No worries, um okay, yeah I, think that brings the end. Let's have um a little break back and thanks everybody for joining, see you in two weeks, except for you, calebra.

C

That's probably not gonna happen, yeah.

A

uh Yeah have a good time thanks. Everyone yeah thanks, bye,.

C