Proposal: Expanding Security Benchmarks for Critical OSS in OpenSSF
Hi everyone,
I've recently noticed a proliferation of security parameter/configuration specifications within our company, such as the "Redis security configuration baseline."
Upon reviewing these specifications, I discovered many rules originate from the CIS Benchmark (https://www.cisecurity.org/cis-benchmarks), which offers valuable benchmarks for various OSS projects like Docker, Kubernetes, MongoDB, and Nginx.
However, there's a concerning gap in coverage for critical OSS projects like Spring Boot, Beego, Jenkins, Etcd, and Zookeeper.
Proposal:
I propose establishing a Working Group (WG) within OpenSSF to develop security configuration benchmarks for these currently unsupported critical OSS projects.
Benefits:
- Standardized security baselines for essential OSS components.
- Reduced burden on individual companies for creating their own specifications.
- Improved overall security posture across the industry.

I believe this initiative would significantly benefit companies and individuals by providing a centralized resource for robust security configurations.
Thank you for your time and consideration.