Difference between revisions of "OSGeo Security Initiative"
(Created page with "OSGeo Security initiative is *proposed* but not yet active. If you are interested in this activity please volunteer by adding your name to this wiki page. Volunteers: * Jody...") |
|||
(4 intermediate revisions by the same user not shown) | |||
Line 5: | Line 5: | ||
* Jody Garnett (GeoCat) | * Jody Garnett (GeoCat) | ||
+ | This is a challenging but important topic: | ||
− | + | * Regulation, such as Cyber Resilience Act, place increased demands OSGeo Service providers. | |
* Supply chain attacks taking advantage of Open Source communities causes real harm. Automated tools for reviewing software components are providing much greater transparency into supply chain attacks, but also putting a lot of pressure on open source projects. | * Supply chain attacks taking advantage of Open Source communities causes real harm. Automated tools for reviewing software components are providing much greater transparency into supply chain attacks, but also putting a lot of pressure on open source projects. | ||
− | * The relationship established between industry and security researchers has resulted in an | + | * The relationship established between industry and security researchers has resulted in an "Common Vulnerabilities and Exposures (CVE)" system to track and disclose vulnerabilities. Communication and response times established do not reflect the availability of resources to Open Source projects. |
Once critical mass is reached we will ask the board to be created in order to pursue the above goals. | Once critical mass is reached we will ask the board to be created in order to pursue the above goals. | ||
− | * | + | * While a specific mandate is not yet available while the committee forms, see initiative proposal by Jody Garnett for some ideas |
− | * Option: Establish an ongoing committee that can review incoming funding requests in a secure fashion on behalf of the board. This has privacy issues similar to | + | * Option: Update the financial guidance document with clear examples for security issue funding (in the same fashion as code sprints have clear guidance). As an example requesting projects should have a clear CVE established and have assessed their project as vulnerable before seeking support. A similar cost-sharing arrangement to codesprints is anticpated. There is already a secure line of communication available to community members to contact the board. |
+ | |||
+ | * Option: Establish an ongoing committee that can review incoming funding requests in a secure fashion on behalf of the board. This has privacy issues similar to board communication and code of conduct committee and workflow would need to be carefully considered. | ||
While this initiative is not yet active, if your project faced with unexpected crisis please should reach out to OSGeo for assistance using the financial guidance document below. | While this initiative is not yet active, if your project faced with unexpected crisis please should reach out to OSGeo for assistance using the financial guidance document below. | ||
Line 23: | Line 26: | ||
* [https://github.com/OSGeo/osgeo/blob/master/board/documents/osgeo_financial_guidence.pdf OSGeo Financial Guidance] provides application process | * [https://github.com/OSGeo/osgeo/blob/master/board/documents/osgeo_financial_guidence.pdf OSGeo Financial Guidance] provides application process | ||
+ | |||
+ | ==== Revised 2024 Proposal ==== | ||
+ | |||
+ | Revised proposal: | ||
+ | |||
+ | <blockquote> | ||
+ | '''proposed security initiative''' | ||
+ | |||
+ | Work with service providers to provide an operational response for OSGeo projects face with increasing regulation by "cyber resilience act" (and other regulation world wide). | ||
+ | |||
+ | </blockquote> | ||
+ | |||
+ | ==== Initial 2023 Proposal ==== | ||
+ | |||
+ | This is the initial proposal to the board: | ||
+ | |||
+ | <blockquote> | ||
+ | '''proposed security initiative''' | ||
+ | |||
+ | An idea that occurred to me last year, after [https://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html successful running a fundraising effort] in response to log4j security issues, was that ... 2022 was terrible. | ||
+ | |||
+ | With this in mind I would like to propose an "osgeo security initiative" with very limited emergency scope. | ||
+ | |||
+ | # Projects apply when faced with an emergency in a fashion similar to the code-sprint initiative | ||
+ | # Projects would require registration of a formal CVE number for the vulnerability (in practice security researchers register these numbers on a project's behalf.) | ||
+ | # Projects would require a clear budget for the request (standard practice just like a code sprint or event) | ||
+ | # Challenge: Some secure channel is required for this communication because mean people exist | ||
+ | # Challenge: Funding for preventative measures is not supported to limit scope of this initiative | ||
+ | |||
+ | If done correctly the initiative can raise funds as more organizations are sensitive to the security of the open-source components they have come to depend on. Ideally it can also be an outreach opportunity to engage with security professionals. | ||
+ | |||
+ | I have added this topic to both the [[Board Meeting 2023-01-30|upcoming meeting]] and [[OSGeo_Budget_2023#OSGeo_Initiatives|2023 budget]]. | ||
+ | |||
+ | </blockquote> | ||
+ | |||
+ | This while the committee was not ready in time for the budget process the OSGeo board is following up on the activity [https://git.osgeo.org/gitea/osgeo/todo/issues/145 here]. | ||
+ | |||
+ | |||
+ | [[Category:Initiative]] |
Latest revision as of 09:30, 21 November 2023
OSGeo Security initiative is *proposed* but not yet active. If you are interested in this activity please volunteer by adding your name to this wiki page.
Volunteers:
- Jody Garnett (GeoCat)
This is a challenging but important topic:
- Regulation, such as Cyber Resilience Act, place increased demands OSGeo Service providers.
- Supply chain attacks taking advantage of Open Source communities causes real harm. Automated tools for reviewing software components are providing much greater transparency into supply chain attacks, but also putting a lot of pressure on open source projects.
- The relationship established between industry and security researchers has resulted in an "Common Vulnerabilities and Exposures (CVE)" system to track and disclose vulnerabilities. Communication and response times established do not reflect the availability of resources to Open Source projects.
Once critical mass is reached we will ask the board to be created in order to pursue the above goals.
- While a specific mandate is not yet available while the committee forms, see initiative proposal by Jody Garnett for some ideas
- Option: Update the financial guidance document with clear examples for security issue funding (in the same fashion as code sprints have clear guidance). As an example requesting projects should have a clear CVE established and have assessed their project as vulnerable before seeking support. A similar cost-sharing arrangement to codesprints is anticpated. There is already a secure line of communication available to community members to contact the board.
- Option: Establish an ongoing committee that can review incoming funding requests in a secure fashion on behalf of the board. This has privacy issues similar to board communication and code of conduct committee and workflow would need to be carefully considered.
While this initiative is not yet active, if your project faced with unexpected crisis please should reach out to OSGeo for assistance using the financial guidance document below.
References:
- OSGeo Financial Guidance provides application process
Revised 2024 Proposal
Revised proposal:
proposed security initiative
Work with service providers to provide an operational response for OSGeo projects face with increasing regulation by "cyber resilience act" (and other regulation world wide).
Initial 2023 Proposal
This is the initial proposal to the board:
proposed security initiative
An idea that occurred to me last year, after successful running a fundraising effort in response to log4j security issues, was that ... 2022 was terrible.
With this in mind I would like to propose an "osgeo security initiative" with very limited emergency scope.
- Projects apply when faced with an emergency in a fashion similar to the code-sprint initiative
- Projects would require registration of a formal CVE number for the vulnerability (in practice security researchers register these numbers on a project's behalf.)
- Projects would require a clear budget for the request (standard practice just like a code sprint or event)
- Challenge: Some secure channel is required for this communication because mean people exist
- Challenge: Funding for preventative measures is not supported to limit scope of this initiative
If done correctly the initiative can raise funds as more organizations are sensitive to the security of the open-source components they have come to depend on. Ideally it can also be an outreach opportunity to engage with security professionals.
I have added this topic to both the upcoming meeting and 2023 budget.
This while the committee was not ready in time for the budget process the OSGeo board is following up on the activity here.