Tooling: Instead of just definitions, how about a short guide to security tools? Here's a first draft!


David A. Wheeler
 

In our last meeting we discussed defining terms, in particular defining different types of tools.
I think defining terms is great, but after thinking about it, I’m concerned that won’t be very helpful
by itself. I suspect that most developers don’t want just a dictionary.

So: I propose that instead of *just* creating a list of definitions, we create
a short guide to selecting & using security tools, and *then* define our terms as we go along.
We still define terms (that’s important!), but we would do it in a document that’d be more
directly useful to software developers.

Of course, it’s easy to say “Let’s do a lot more work!” if someone else will do the work.
So I’ve cobbled up a first draft of what I have in mind here:

https://github.com/david-a-wheeler/wg-security-tooling/blob/add_guide/guide.md

I used mostly text from the edX course on developing secure software.

I created a pull request to merge this first draft into our repo:
https://github.com/ossf/wg-security-tooling/pull/24

Do people think that’s a good overall direction?
If so, what changes do you suggest? (I’m sure there are many changes that can & should be
made, but I want to see if others like the idea first.)

Thanks!

--- David A. Wheeler


Ware, Ryan R
 

David, first, THANK YOU! I wholeheartedly agree that just a list of definitions isn't adequate. I hope I didn't imply that. I *do* think it's important to have definitions to help explain to developers why specific tools are important. I also look at this as something that hopefully can be part of a broader cycle.

From a developer's perspective, they simply want to 1) know what best practices they should be following, 2) know how to set those up in the easiest manner, and 3) know how to show people that they're following those best practices.

To get there, there are some things that need to happen:

* Create or borrow the terms we want to use
* Curate a list of common tools in the above categories that we think would help developers create secure code
* Document how developers can easily incorporate those tools into common development solutions
* Work with the best-practices WG to determine how badging can best show that developers are utilizing the right tools

I think you're right that we do have a lot of work ahead of us.

Ryan

On Mon, Mar 29, 2021 at 11:16:15, David A. Wheeler wrote:
Subject: [openssf-wg-security-tooling] Tooling: Instead of just
definitions, how about a short guide to security tools? Here's a first
draft!