Proposals for Monday's meeting of "Best Practices" group
All: I would like to propose the following for Monday's discussion: The OpenSSF is expected to have a press release at the end of October. It would be very good to have a few concrete results to annou
By David A. Wheeler

Vote result: 10 yes, 0 no, for "Should OpenSSF release “Fundamentals of Developing Secure S/W”?"
2 messages
This week we had a vote on Doodle for the question: > Should OpenSSF release “Fundamentals of Developing Secure S/W”? The voting period has ended. The vote was 10 yes and 0 no, so it passed overwhelmi
By David A. Wheeler

CII Best Practices badge project - proposed WG coordination (issue #23)
I propose that this best practices WG coordinate with the "security threats" WG on any future criteria changes in the CII Best Practices badge, e.g., by voting on such changes by members of either WG.
By David A. Wheeler

Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project
This morning the OpenSSF Best Practices WG and Security Threats WG each voted that the CII Best Practices badge project should move into their respective WGs. I think there was general agreement that
By David A. Wheeler

[openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project
One point of confusion that seemed to come up is around what the two working groups in question plan to do, and what they would like to do with the CII Badging program. Would it make sense to wait unt
By Dan Lorenc

[openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project
3 messages
I'm not sure we really reached a concrete plan here in the last TAC meeting. Does anyone have any feedback on my suggestions above? I want to make sure we unblock the decisions and give the WGs and th
By Dan Lorenc

[openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project
3 messages
I was at the last TAC meeting. Here’s *my* understanding of the plan: 1. Each WG will propose its scope; the TAC will review/tweak and eventually approve them. I imagine that will be a key topic on Oc
By David A. Wheeler

Greetings
Hello everyone, I intended to come in today and introduce myself but unfortunately got stuck on an errand. I'm here on behalf of Intel and look forward to working with you all. There's a huge amount o
By Ware, Ryan R

[EXTERNAL] Re: [openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project
We decided at the end of the last TAC meeting that I would create a doc detailing the current scope/work of the two working groups and make a recommendation based on their current charters. This documen
By Ryan Haning (Microsoft)

[EXTERNAL] Re: [openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project
Here’s the direct Google Docs link: https://docs.google.com/document/d/1Y3CX6LZME-gryWDxPXOqAbvcGsELZCJjA9gfGy5KX0E/edit?usp=sharing -Ryan From: Dan Lorenc <dlorenc@...> Date: Monday, October 26, 2020
By Ryan Haning (Microsoft)

New GitHub repo created for the EdX course on "Secure Software Development Fundamentals” - file issues here!
5 messages
All: Per our discussion today, we now have a new GitHub repo for the EdX course on "Secure Software Development Fundamentals”. If you have thoughts about the course, please file an issue here: https:/
By David A. Wheeler

[EXTERNAL] [openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project
The TAC can choose to do whatever it wants to do! I thought the WGs would first propose their charters to the TAC, the TAC would vote to approve (or not) each charter, and after the charters were appr
By David A. Wheeler

[EXTERNAL] [openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project
Hi Dan, The leads of the Best Practices and the Identifying Security Threats working groups are meeting tomorrow to discuss this (CRob has the invite). As the leaders of those WGs, let’s allow them to
By Ryan Haning (Microsoft)

[openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project
3 messages
Hi folks, I have been thinking about this and wondering how to find a positive way forward. This is an important decision. It is also one of our first opportunities as a community to work through a co
By Kay Williams

[EXTERNAL] Re: [openssf-tac] Proposal: OpenSSF TAC to resolve WG "home" for CII Best Practices badge project
+1 to Chris and Dan’s comments. Also, thank you to everyone’s continued feedback while we work to resolve this. I know everyone is trying to do the right thing here and that we have some growing pains
By Ryan Haning (Microsoft)

Measuring dependency age as a risk metric (libyears and/or average libdays)
Below is an email response about the “libyears” metric, a metric which *might* be useful for measuring age of dependencies. I thought it would be worth pointing out. I’m adding the Best Practices WG,
By David A. Wheeler

Content for “Secure Software Development Fundamentals” - convert to Markdown?
The Content for the “Secure Software Development Fundamentals” course hosted on edX is posted as a Google document here: https://docs.google.com/document/d/1oN6juqVR7KXuvclHvoY0pr_XQmC6t6uXMLcYphPsUsA
By David A. Wheeler

Rebranding the "CII Best Practices badge" to the OpenSSF
All: Now that the CII Best Practices badge is part of the OpenSSF, it would make sense to discuss if it should eventually be rebranded to specifically note the OpenSSF, and if so, what its new names/U
By David A. Wheeler

FLOSS Weekly #609, CII Best Practices translations for Chinese & Swahili
FYI: I was on FLOSS Weekly #609 to talk about “Open Source Security”. It’s available here: https://twit.tv/shows/floss-weekly/episodes/609?autostart=false I pointed out the CII Best Practices badge, t
By David A. Wheeler

Envoy meets Scorecards!
Hey All, I wrote up a quick blog post on the Envoy project using Security Scorecards for their external dependency policy. Check it out: https://blog.envoyproxy.io/security-scorecards-envoy-automating
By Kim Lewandowski