
Project Idea - create plugins and/or other tooling to enable CVD Guides #116

Open
SecurityCRob opened this issue Oct 5, 2022 · 7 comments

Comments

@SecurityCRob
Contributor

Talked about in our 9/27/2022 call: Francis suggested we build/find tools/automation that can help maintainers and others implement suggestions in CVD guides.

@rjb4standards

The group may want to consider the impact that US Government activities will have on the direction and adoption of software supply chain practices. The Office of Management and Budget issued memo M-22-18 advising Federal Agencies on steps to meet NIST Guidance for secure software development practices and the need to supply a self-attestation letter:

@yogeshnmittal

I am interested in being a part of the sub-working group or SIG for this project.

@u269c
Contributor

u269c commented Jan 10, 2023

@rjb4standards - M-22-18 is about SBOMs being generated, I think we would like the Vuln disclosure working group to be trying to work on vulnerability handling and coordination topics. The SBOM working group is definitely on top of that memo :)

See https://github.com/ossf/sbom-everywhere for the current work.

If you are referring to tools that could be used to generate SBOMs, that working group will be it as well.

@rjb4standards

The M-22-18 memo refers to "NIST Guidance", which incorporates SBOM, vulnerability reporting and other attestations. See this article for more details on this point, and this article on NIST VDR attestations.

CISA is working on a "Buyers Guide" guideline that includes vulnerability management guidance, as part of the ICT_SCRM Task Force SW Assurance work group, that aligns with the NIST guidance referenced in M-22-18.

@u269c
Contributor

u269c commented Jan 10, 2023

Sorry, I'm not very familiar with the memo, thank you for the clarification.

Would love to hear more about the work being done in that task force, if you're able to provide information or entry points in there :)

@rjb4standards

The link to M-22-18 is listed in this article: https://energycentral.com/c/pip/advice-software-vendors-prepare-omb-m-22-18-requirements

@david-a-wheeler
Contributor

By the way, people sometimes complain that "OSS doesn't get enough funding", yet I personally think this is an opportunity to help. US government, if you want a self-attestation, that's great... please pay $X for us to develop and provide one (without a promise of changes, but with a promise to create a proposal for any improvements desired). Say, $10K. If the government isn't willing to pay for an attestation, then it's obviously not serious about needing it. I'm sure that not everyone will think this is a good idea, but really, I think it's reasonable to ask someone to pay you if you don't want to do the work for free.
