EPISODE · Nov 14, 2024 · 31 MIN

Episode 97: Practitioner Guides: #4 Security

from CHAOSScast · host CHAOSS Project

Thank you to the folks at Sustain for providing the hosting account for CHAOSScast!

CHAOSScast – Episode 97

In this episode of CHAOSScast, Harmony Elendu hosts a discussion with Emily Fox from Red Hat and Dawn Foster, the Director of Data Science at CHAOSS. Today, they explore the new Security Practitioner Guide, created to help maintainers who may lack deep security backgrounds get started with essential security practices. Emily and Dawn highlight actionable steps, key trends, and simplifications to adopt in maintaining a secure project. They also touch on challenges like vulnerability reporting and the importance of consistent monitoring and updating. Additionally, the guide's flexibility, allowing customization and improvement over time, and the significance of community support are emphasized. Press download now to hear more!

[00:02:02] Dawn starts out by providing an overview of the CHAOSS Project’s Practitioner Guides, which help newcomers to open source understand key metrics, and mentions the current focus on the Security Guide.

[00:03:24] Dawn gives us an overview of the Security Practitioner Guide, describing it as a starting point for maintainers, particularly those without a security background.

[00:04:10] Emily emphasizes that many maintainers struggle with starting security practices and shares the two primary security focuses in open source: project security design and repository security.

[00:05:38] Harmony notes the importance of project design and patterns, asking about security trends and considerations in open source projects. Dawn mentions Libyears (dependency freshness) and Release Frequency as key security metrics, and Emily adds that OpenSSF best practices contribute to project quality and maturity.

[00:08:32] Harmony asks for insights on how contributors can interpret these metrics. Emily suggests various resources and communities, such as CNCF’s tag-security, for maintainers looking to improve security.

[00:11:39] Emily discusses common issues with vulnerability reporting and the importance of having a process in place, with community resources available for support. Dawn emphasizes the importance of having basic security policies in place early on in a project and suggests starting out with a simple security.md file to outline how to handle vulnerability reports.

[00:15:47] Dawn suggests consulting the Practitioner Guide’s “Make Improvements” section, which includes adding a security.md file and implementing automation to track outdated dependencies. Emily cautions that metrics are only as effective as their relevance, recommending incremental steps for improvement.

[00:18:53] Dawn highlights the importance of the OpenSSF Scorecard, which helps both maintainers and OSPOs assess project security.

[00:20:29] Emily and Dawn simplify the Practitioner Guides into basic steps, and Emily reiterates that projects should define their own security goals and commit to them for consistent improvement.

[00:23:56] Harmony emphasizes the importance of documentation for continuity in project security, and Dawn reminds us that the Practitioner Guides are MIT-licensed and customizable for different projects.

[00:25:11] Dawn and Emily explain where you can ask questions about how to implement things in your project using the Practitioner Guides.

Adds (Picks) of the week:

[00:26:55] Dawn’s pick is 3D printing and learning how to design new things.

[00:28:02] Emily’s pick is taking a break from the internet and doing something outside.

[00:28:45] Harmony’s pick is creating personalized templates to help with document preparation and tasks.

Panelists: Harmony Elendu, Dawn Foster
Guest: Emily Fox

Links:
CHAOSS
CHAOSS Project X
CHAOSScast Podcast
[email protected]
Harmony Elendu X
Dawn Foster X
Emily Fox LinkedIn
CHAOSS Practitioner Guides
CHAOSS Practitioner Guide: Security
Libyears
Release Frequency
Cloud Native Contributors Security Guidelines for New Projects
GitHub Docs - Adding a security policy to your repository
OpenSSF Scorecard
OpenSSF - Source Code Management Platform Configuration Best Practices
CNCF tag-security: Self-assessment
CHAOSScast Podcast - Episode 85: Introducing CHAOSS Practitioner Guides: #1 Responsiveness
CHAOSScast Podcast - Episode 88: Practitioner Guides: #2 Contributor Sustainability
CHAOSScast Podcast - Episode 89: Practitioner Guides: #3 Organizational Participation
CHAOSScast Podcast - Episode 93: Guest Episode - Sustain meets CHAOSScast to talk about Practitioner Guides
Dawn Foster - Maker World

Special Guest: Emily Fox.