
Project Idea - create plugins and/or other tooling to enable CVD Guides

Open SecurityCRob opened this issue 3 years ago • 7 comments

Talked about in our 9/27/2022 call: Francis suggested we build/find tools/automation that can help maintainers and others implement suggestions in CVD guides.

SecurityCRob avatar Oct 05 '22 16:10 SecurityCRob

The group may want to consider the impact that US Government activities will have on the direction and adoption of software supply chain practices. The Office of Management and Budget issued memo M-22-18 advising Federal Agencies on steps to meet NIST Guidance for secure software development practices and the need to supply a self-attestation letter:

rjb4standards avatar Oct 21 '22 14:10 rjb4standards

I am interested in being a part of the sub-working group or SIG for this project.

yogeshnmittal avatar Dec 14 '22 16:12 yogeshnmittal

@rjb4standards - M-22-18 is about SBOMs being generated, I think we would like the Vuln disclosure working group to be trying to work on vulnerability handling and coordination topics. The SBOM working group is definitely on top of that memo :)

See https://github.com/ossf/sbom-everywhere for the current work.

If you are referring to tools that could be used to generate SBOMs, that working group will be it as well.

u269c avatar Jan 10 '23 17:01 u269c

The M-22-18 memo refers to "NIST Guidance", which incorporates SBOM, vulnerability reporting and other attestations. See this article for more details on this point, and this article on NIST VDR attestations.

CISA is working on a "Buyers Guide" guideline that includes vulnerability management guidance as part of the ICT_SCRM Task Force SW Assurance work group, which aligns with the NIST guidance in M-22-18.

rjb4standards avatar Jan 10 '23 17:01 rjb4standards

Sorry, I'm not very familiar with the memo, thank you for the clarification.

Would love to hear more about the work being done in that task force, if you're able to provide information or entry points in there :)

u269c avatar Jan 10 '23 20:01 u269c

The link to M-22-18 is listed in this article: https://energycentral.com/c/pip/advice-software-vendors-prepare-omb-m-22-18-requirements

rjb4standards avatar Jan 10 '23 20:01 rjb4standards

By the way, people sometimes complain that "OSS doesn't get enough funding", yet I personally think this is an opportunity to help. US government, if you want a self-attestation, that's great... please pay $X for us to develop and provide one (without a promise of changes, but with a promise to create a proposal for any improvements desired). Say, $10K. If the government isn't willing to pay for an attestation, then it's obviously not serious about needing it. I'm sure that not everyone will think this is a good idea, but really, I think it's reasonable to ask someone to pay you if you don't want to do the work for free.

david-a-wheeler avatar Jan 10 '23 21:01 david-a-wheeler