DESTF Milestone 4
Q1 2024 / Milestone 4
Workstream 1: Build OpenJS Project Security Programs
Activities
A. Perform outreach to identify existing security resources for each OpenJS Project
B. Establish minimum Security Compliance guidelines for current and future OpenJS Projects using OpenSSF Best Practices Badge (BPB) and Scorecard criteria
C. Develop JavaScript-specific developer guidance for OpenSSF Best Practices Programs
D. Onboard OpenJS Projects to the OpenSSF BPB and/or Scorecard Programs
Deliverables
Document: ONGOING UPDATES OpenSSF BPB and/or Scorecard Guidance for JavaScript Developers
Document: DRAFT Minimum Security Compliance Guidelines for New and Existing OpenJS Projects
Workstream 2: Coordinated Vulnerability Disclosure and CVE Management
Activities
A. Engage OpenJS Projects to understand historical researcher disclosures and CVEs
B. Understand current vulnerability disclosure processes and challenges for OpenJS Projects
C. Develop CVD and CVE guidance for OpenJS Projects and ecosystem projects
Deliverables
Document: Reference of past CVEs and challenges for OpenJS Projects
Document: WORKING DRAFT Guidelines for CVD and CVEs for OpenJS Projects
Workstream 3: SBOMs in JavaScript
Activities
A. Engage with SBOM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
B. Develop prototype guidance and processes for OpenJS Projects to generate SBOM(s)
C. Engage SBOM community and OpenJS Projects to identify technical gaps in the accuracy and value of SBOMs generated using existing tools and prototype guidance
Deliverables
Document: IN PROGRESS Technical gaps and implementation barriers for the Node.js and npm ecosystems to generate accurate and valuable SBOMs
Workstream 4: Cybersecurity Supply Chain Risk Management (C-SCRM) in JavaScript
Activities
A. Engage with C-SCRM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
B. Develop prototype guidance for OpenJS Projects to adopt C-SCRM practices
C. Engage C-SCRM community and OpenJS Projects to identify technical gaps when using existing tools and prototype guidance
Deliverables
Document: ONGOING UPDATES Prototype guidance for OpenJS Projects to adopt C-SCRM with existing tools
Document: IN PROGRESS Technical gaps and implementation barriers to C-SCRM in the Node.js and npm ecosystems