Description
JavaScript touches nearly every part of the web today, and maintainers at OpenJS Foundation-hosted projects are working tirelessly to keep critical infrastructure secure. The Cross Project Council can leverage its Better Together approach by sharing best practices among OpenJS and other JS projects in the ecosystem, and by establishing baseline requirements for security practices. Additionally, our team at the OpenJS Foundation, together with the Linux Foundation, can provide support and advocate for resources to further strengthen our projects.
We have been having conversations with the Linux Foundation Open Source Security Foundation (OpenSSF), and the Open Source Technology Improvement Fund (OSTIF), with a request for collaboration and funding this calendar year.
What more can we do as a global community and global foundation to strengthen security across the JavaScript ecosystem? How can we reduce risk and set ambitious security goals for all our OpenJS projects? Let’s further define, document, and measure these efforts in an open and transparent way.
RESOURCES
OpenJS Foundation Package Vulnerability Management & Reporting Collaboration Space https://github.com/openjs-foundation/pkg-vuln-collab-space
Project participation in OpenSSF Best Practices Badge Program https://bestpractices.coreinfrastructure.org/en
Project onboarding for LFX Security https://security.lfx.linuxfoundation.org/#/
Project participation in the OpenSSF “Great MFA Distribution Project” https://openssf.org/blog/2021/12/10/great-mfa-distribution/
Project requirements around the use of SBOM formats like SPDX https://spdx.dev/
Secure development training for project maintainers and contributors such as the OpenSSF & LF Training offerings https://openssf.org/training/courses/
OpenSSF Criticality Score https://github.com/ossf/criticality_score
Whitepaper: Threats, Risks, and Mitigations in the Open Source Ecosystem, Michael Scovetta in collaboration with the Open Source Security Coalition https://github.com/ossf/wg-identifying-security-threats/blob/main/publications/threats-risks-mitigations/v1/Threats,%20Risks,%20and%20Mitigations%20in%20the%20Open%20Source%20Ecosystem%20-%20v1.pdf