Approach to Security?

What guidance, if any, has the architecture team given to the various BB working groups with regard to security (not auth)?

Because security is intrinsic to each ‘block’, I think that there needs to be an overarching approach or recommendation, no?

For example, a widely adopted current trend – especially for microservice implementations – is Zero Trust Architecture (i.e. BeyondProd: A new approach to cloud-native security), and I believe that this sort of recommendation should come out of the Architecture working group and not be left to any one BB or the disparate working groups; any such recommendation/requirement will affect each.

1 Like

These are important questions (and good ideas); I am looking forward to seeing what other folks have been thinking so far.

Two important initiatives for people to consider possible alignment around:

  1. The Open Source Security Foundation (OpenSSF) is a new-but-growing-quickly movement to look at collaboration on security-related issues in open source software. Among many work areas, they have a workgroup formed around best practices for open source developers and while it is still very early days, they are focusing on training, common requirements, badging, and scorecards.

  2. One of the OpenSSF’s many members is the long-standing OWASP project, who still maintain their Top 10 list of risks that projects should prioritize to mitigate.

1 Like