Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/ossf/wg-metrics-and-metadata

The purpose of the Metrics & Metadata (formerly Identifying Security Threats) working group is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.
README
# Metrics and Metadata in Open Source Projects

The purpose of this working group is to enable stakeholders to have informed
confidence in the security of open source projects. We do this by collecting,
curating, and communicating relevant metrics and metadata from open source
projects and the ecosystems of which they are a part.

### Motivation

Open source software is an essential part of modern software development, and
of practically all technology solutions. Adoption of open source software has
grown over the past two decades, powering everything from tiny "Internet of
Things" devices to the most advanced supercomputers in the world. This has led
to enormous productivity gains, allowing software engineers to focus more on
solving business problems and less on creating and re-creating the same
building blocks needed in many situations.

With these benefits, however, comes some risk. Attackers frequently target
open source projects and the ecosystems they are a part of in order to
compromise the organizations or users that use those projects. It's
essential that we understand these threats and work to build defenses against
them.

### Objective

Our objective is to enable stakeholders to have informed confidence in the
security of open source projects. This includes identifying threats to the
open source ecosystem and recommending practical mitigations. We will also
identify a set of key metrics and build tooling to communicate those metrics
to stakeholders, enabling a better understanding of the security posture of
individual open source software components.

### Scope

The scope of this working group includes "security", as opposed to privacy,
resiliency, or other related areas. We also consider the broad open source
ecosystem, as opposed to focusing exclusively on critical open source projects.

### Active Projects

* [Security Insights](https://github.com/ossf/security-insights-spec) - Provides a mechanism for projects to report information about their security practices in a machine-readable way.
  * Lead: Luigi Gubello

* **Security Risk Dashboard** - This project's purpose is to collect, organize, and provide interesting security metrics for open source projects to stakeholders, including users.
  * Lead: Jay White

* [Security Reviews](https://github.com/ossf/security-reviews) - This repository contains a collection of security reviews of open source software.

* [Threats, Risks, and Mitigations in the Open Source Ecosystem](https://github.com/ossf/wg-identifying-security-threats/blob/main/publications/threats-risks-mitigations/v1.1/Threats%2C%20Risks%2C%20and%20Mitigations%20in%20the%20Open%20Source%20Ecosystem%20-%20v1.1.pdf)

### Get Involved

* Please get involved with our specific projects, e.g.:
  * [Mailing List](https://lists.openssf.org/g/openssf-wg-security-threats) and [Security Reviews](https://github.com/ossf/security-reviews).
    ([Manage your subscriptions to OpenSSF mailing lists](https://lists.openssf.org/g/main/subgroups))
* [OpenSSF Community Calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ)
* [Join us on Slack](https://openssf.slack.com/archives/C01A50B978T)

### Related Work

* [OpenSSF Best Practices Badge Program](https://bestpractices.coreinfrastructure.org/) (formerly named the CII Best Practices Badge Program) - an input to the metrics dashboard generated by the Security Metrics project.
* [OpenSSF Scorecard](https://github.com/ossf/scorecard) - another input to the metrics dashboard.

* [CHAOSS](https://chaoss.community) - develops definitions of metrics.

### Quick Start

The best way to get started is to simply join a working group meeting. You can also
read our [Meeting Minutes](https://docs.google.com/document/d/1XimygAYGbG2aofAiBD9--ZMTALdnbdbVw53R851ZZKY/edit?usp=sharing) to get up to speed with what we're up to.

### Meeting Times

* We meet every other week on Wednesdays. See the
[OpenSSF Community Calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ).

### Meeting Notes

[Meeting Minutes](https://docs.google.com/document/d/1XimygAYGbG2aofAiBD9--ZMTALdnbdbVw53R851ZZKY/edit?usp=sharing). If attending, please add your name, and if you are a returning attendee, please change the color of your name from gray to black.

### Antitrust Policy Notice

Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.

Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at . If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.

### Governance

The [CHARTER](https://github.com/ossf/wg-identifying-security-threats/blob/main/CHARTER.md)
document outlines the scope and governance of our group activities.

The workgroup leads are:
* Michael Scovetta
* Luigi Gubello