
Meeting 9/21 Cancelled

Ware, Ryan R
 

I’m sorry folks but I have a conflict for this coming Tuesday so we will not be having it.  Let’s pick things back up on 10/5.

 

Ryan

 


Re: July 27th Meeting Canceled

David A. Wheeler
 

NOTE! The *TAC* meeting *IS* taking place now (Ryan Ware != Ryan Haning).

--- David A. Wheeler

On Jul 26, 2021, at 9:34 PM, Ware, Ryan R <ryan.r.ware@...> wrote:

We won't be having a meeting on July 27th.  We have no agenda items.  That said, the following meeting, we will have Crob come in from the Best Practices WG to discuss what they're doing and how we can better collaborate.  If you have any other agenda items you'd like to see, let me know.

Best Regards,
Ryan

 





July 27th Meeting Canceled

Ware, Ryan R
 

We won't be having a meeting on July 27th.  We have no agenda items.  That said, the following meeting, we will have Crob come in from the Best Practices WG to discuss what they're doing and how we can better collaborate.  If you have any other agenda items you'd like to see, let me know.

Best Regards,

Ryan

 




No Meeting June 29th

Ware, Ryan R
 

Folks, I need to cancel the meeting for the 29th.  I've had an issue and won't be able to host the meeting.  I'm hoping that John Speed Meyers & IDT Labs can reschedule their presentation for the next meeting.  I'd also like to discuss some of the issues that @Matt Rutkowski brought up in 2 weeks.  Sorry for the last minute notice.

 

Ryan

 


No Meeting Today

Ware, Ryan R
 


I apologize folks but I hurt my back pretty badly last night. Let’s pick back up in 2 weeks. If someone could let folks on Slack know, I’d appreciate it. 

Ryan


Readme Update

Ware, Ryan R
 

Folks,

I updated the README as well as the CHARTER with the information we discussed in our last meeting.  Sorry I didn't get the update out last week but I was ill.  Please feel free to submit pull requests for suggested changes.  Also, note I didn't change any of the boilerplate in the CHARTER.  I just added (in the appropriate places) our WG name and mission.

FYI, one of the things I'd like to discuss this week is this PR.  I'd like to see if there's any changes that are needed for it.

Best Regards,

Ryan

 





Re: Tooling: Instead of just definitions, how about a short guide to security tools? Here's a first draft!

Ware, Ryan R
 

David, first, THANK YOU! I wholeheartedly agree that just a list of definitions isn't adequate. I hope I didn't imply that. I *do* think it's important to have definitions to help explain to developers why specific tools are important. I also look at this as something that hopefully can be part of a broader cycle.

From a developer's perspective, they simply want to 1) know what the best practices are that they should be following, 2) know how to set that up in the easiest manner, and 3) know how to show people that they're following those best practices.

To get there, there are some things that need to happen:

* Create or borrow the terms we want to use
* Curate a list of common tools in the above categories that we think would help developers create secure code
* Document how developers can easily incorporate those tools into common development solutions
* Work with the best-practices WG to best determine how badging can show developers utilizing the right tools

I think you're right that we do have a lot of work ahead of us.

Ryan

On Mon, Mar 29, 2021 at 11:16:15, David A. Wheeler wrote:
Subject: [openssf-wg-security-tooling] Tooling: Instead of just definitions, how about a short guide to security tools? Here's a first draft!

In our last meeting we discussed defining terms, in particular defining different types of tools.
I think defining terms is great, but after thinking about it, I’m concerned that won’t be very helpful by itself. I suspect that most developers don’t want just a dictionary.

So: I propose that instead of *just* creating a list of definitions, we create a short guide to selecting & using security tools, and *then* define our terms as we go along.
We still define terms (that’s important!), but we would do it in a document that’d be more directly useful to software developers.

Of course, it’s easy to say “Let’s do a lot more work!” if someone else will do the work.
So I’ve cobbled up a first draft of what I have in mind here:

https://github.com/david-a-wheeler/wg-security-tooling/blob/add_guide/guide.md

I used mostly text from the edX course on developing secure software.

I created a pull request to merge this first draft into our repo:
https://github.com/ossf/wg-security-tooling/pull/24

Do people think that’s a good overall direction?
If so, what changes do you suggest? (I’m sure there are many changes that can & should be made, but I want to see if others like the idea first.)

Thanks!

--- David A. Wheeler





Tooling: Instead of just definitions, how about a short guide to security tools? Here's a first draft!

David A. Wheeler
 

In our last meeting we discussed defining terms, in particular defining different types of tools.
I think defining terms is great, but after thinking about it, I’m concerned that won’t be very helpful
by itself. I suspect that most developers don’t want just a dictionary.

So: I propose that instead of *just* creating a list of definitions, we create
a short guide to selecting & using security tools, and *then* define our terms as we go along.
We still define terms (that’s important!), but we would do it in a document that’d be more
directly useful to software developers.

Of course, it’s easy to say “Let’s do a lot more work!” if someone else will do the work.
So I’ve cobbled up a first draft of what I have in mind here:

https://github.com/david-a-wheeler/wg-security-tooling/blob/add_guide/guide.md

I used mostly text from the edX course on developing secure software.

I created a pull request to merge this first draft into our repo:
https://github.com/ossf/wg-security-tooling/pull/24

Do people think that’s a good overall direction?
If so, what changes do you suggest? (I’m sure there are many changes that can & should be
made, but I want to see if others like the idea first.)

Thanks!

--- David A. Wheeler


FYI: Un-bee-lievable Performance: Fast Coverage-guided Fuzzing with Honeybee and Intel Processor Trace

David A. Wheeler
 

FYI:

Someone appears to have found a way to *significantly* increase performance for coverage-guided fuzzers:
https://blog.trailofbits.com/2021/03/19/un-bee-lievable-performance-fast-coverage-guided-fuzzing-with-honeybee-and-intel-processor-trace/
Basically, they use the Intel CPU IPT (for tracing) & extract its results at speed by
precalculating a cache.

One big problem: I think IPT is Intel-specific (hence the “I”). To my knowledge it’s not supported by AMD.
But maybe AMD has a similar mechanism (or could eventually add one).

--- David A. Wheeler


Meeting Cancelled

Ware, Ryan R
 

Folks,

I'm sorry but I need to cancel today's meeting. Please let folks know. 

Ryan


New Google Meet Link

Ware, Ryan R
 

I want to make sure folks know that tomorrow we have a new Google Meet meeting link.  I've updated it on the calendar and the repo on GitHub, but wanted to send it out here as well: https://meet.google.com/nid-mxeg-xwt

I look forward to talking Tuesday.

Ryan


PLEASE REGISTER for the upcoming OpenSSF Town Hall on Monday, February 22, 1:00-2:00p ET (1800-1900 UTC)

David A. Wheeler
 

The OpenSSF community has been working fast and furious since its formation last year to improve the security of the open source ecosystem. We all know this is no small mission and so we’re taking a moment to report out on all the work that’s happening and invite you to participate.

We hope to see you at our next OpenSSF Town Hall Meeting on Monday, February 22, 1:00-2:00p ET (1800-1900 UTC). It’s open to the public; please tell others so that they can join us!

PLEASE REGISTER HERE if you’re able to join us: <https://zoom.us/webinar/register/WN_5iCAH2-ETaGpiI7UQNSMXw>

NOTE: Please edit the “to” field if you reply to this email, as this is a cross-posted message.

--- David A. Wheeler


Security Tooling WG Handover

Simon Bennetts
 

Hi folks,


I’ve been ‘leading’ the Security Tooling Working Group for the last 2 quarters and I think it’s time for someone else to have a go. I’m still planning on attending the meetings but I haven't been able to spend as much time on OSSF related things as I would have liked to have done.

Leading the group isn't an onerous task, so if it's something you might be interested in then just let me know.


Cheers,


Simon


--
OWASP ZAP Project leader
