New Security openjsf.org Webpage #266

Open
ruddermann opened this issue Jan 22, 2025 · 1 comment
ruddermann commented Jan 22, 2025

(Moved this from an earlier email chain with Robin and Ben)
In addition to the CNA page itself, it was suggested that we consider adding additional items to the OpenJS Security page.

Initial proposal for webpage is:

Using the openjsf.org Join page as a style reference:

  • Header: Positional language about OpenJS' views of security (as relevant/appropriate to the page)
  • Intro: A brief intro to frame these security activities/resources and an acknowledgement of DE STF and A-O's contributions to OpenJS' security efforts?
  • Section*: CNA description and link(s) using the Join page's 'Apply for Membership Today!' box
  • Section*: 'Security Resources' section (or 'Maintainer Resources'?) with boxes for each resource (itemized below) like the Join page's 'Why be a member?' section or the Projects page's At Large section.
  • Section: A Contact Us section that includes references to the #security Slack and the Security Collab Space Weekly meeting and its cadence with a link to the relevant event on calendar.openjsf.org.

I've included some ideas for two other potential sections below. Let me know what you think!

OpenJS Security Resources

The list below only includes OpenJS-generated items. I am uncertain whether it makes sense to include other resources from OpenSSF/others here - what do y'all think?

  • CVD Guidance
  • OpenJS CNA Guide for Maintainers
  • Security Compliance Guidelines
  • Secure Release Guide
  • OpenPathFinder
  • SBOM/Provenance Recommendations
  • JavaScript Security Training

Question: Should we have a Security Training section?

While performing the compliance surveys, maintainers are looking to the Collab Space for guidance on what security training we'd advise they take to meet expectations. Once the OpenJS security training is published we can reference that in the compliance guidelines, but we were also expecting to include others like OWASP Top 10 and Developing Secure Software. How do you feel about having Security Training as a separate section within or after Security Resources and moving the OpenJS Security Training here?

Question: Should we have a Security Announcements/Latest section?

At the bottom of the openjsf.org landing page there is a small Recent Posts section to draw visitors to the blog. How would you feel about a section like this (but large) filtered on security-related posts? This would provide a way to highlight the supply chain event blog post and audits of nvm and express.

ruddermann self-assigned this Jan 22, 2025
ruddermann changed the title from "Finalize additional security items on bottom of CNA/Security page" to "New Security openjsf.org Webpage" Feb 3, 2025

bensternthal (Contributor) commented
@ruddermann can I help move this forward?
