Thanks, Oleg, for putting this down. I would definitely be interested in chatting during the contributor summit about this topic.
On Thu, Jan 21, 2021, at 1:48 PM, Oleg Nenashev wrote:
> Just a quick follow-up to this thread, there is ongoing discussion about
> hosting a contributor summit after FOSDEM.
> Should it happen, I suggest having a security track/section there. We had a
> similar one last year in Brussels, and IIRC it went quite well.
>
> Ideas/comments and topic suggestions are welcome :)
>
>
> On Tuesday, January 19, 2021 at 9:02:51 AM UTC+1 Oleg Nenashev wrote:
>> Hi all,
>>
>> To follow up on the Jenkins Governance meeting
>> <https://docs.google.com/document/d/11Nr8QpqYgBiZjORplL_3Zkwys2qK1vEvK-NYyYa4rzg/edit#bookmark=id.ypwngla6o9i9>
>> we had last week, I'd like to continue the discussion about Jenkins
>> security, which was suggested as one of the 2021 priorities. In this thread I
>> propose to discuss ideas w.r.t. improving the security of Jenkins components and
>> software supply chains. NOTE: Please do not reference unfixed security
>> issues in this thread (reporting vulnerabilities
>> <https://www.jenkins.io/security/reporting/>).
>>
>> *Current state*. The Jenkins Security Team is doing a great job w.r.t.
>> addressing security issues. In 2020 we had 19 security advisories with 198
>> fixed vulnerabilities and 72 disclosed ones. There were great additions to
>> devtools: Dependabot, GitHub CodeQL, Find-Sec-Bugs, etc. Also, new plugin
>> hosting requests now get on-demand security reviews before being published.
>> All of that is great progress compared to the state we had several years
>> ago.
>>
>> *What's next?* With all the recent events, security of the software delivery
>> chain is in the spotlight for many organizations. Jenkins is a key part
>> of this chain for many users, and for sure we want to keep it that way. It
>> is not "just" about fixing security issues in a timely manner and preventing
>> misconfiguration. We are also interested in keeping our own delivery processes
>> in the best possible shape.
>>
>> Some ideas we discussed at the meeting:
>> * Growing security awareness among contributors so that new code and
>> documentation get developed with security in mind.
>> * Expanding developer tooling. It would help to automate, and, when
>> relevant, enforce preferred security practices in Jenkins components.
>> * Examples: release automation infrastructure, adopting more analysis
>> tools in the default pipelines. With a great start in previous years, we
>> could definitely do more by using available tools and sponsorships.
>> * Getting more contributors involved in the security effort. It is not only
>> about delivering the security fixes. Many topics could be discussed publicly
>> in SIGs and sub-projects, e.g. hardening Docker images, demonstrating
>> security tools with Jenkins, and so on. Contributors could also help with
>> security reviews.
>> * // Add your ideas in replies!
>> What do you think about these items? Would you like to suggest
>> additional areas where we could improve? Any feedback would be appreciated.
>>
>> Best regards,
>> Oleg Nenashev
