From fa9e206a5abfcac5885b399446bb51e6762d9fe8 Mon Sep 17 00:00:00 2001
From: CRob <69357996+SecurityCRob@users.noreply.github.com>
Date: Wed, 17 Jul 2024 09:38:48 -0400
Subject: [PATCH 01/12] Create 2024-Q3-BEST-WG.md
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
---
TI-reports/2024/2024-Q3-BEST-WG.md | 130 +++++++++++++++++++++++++++++
1 file changed, 130 insertions(+)
create mode 100644 TI-reports/2024/2024-Q3-BEST-WG.md
diff --git a/TI-reports/2024/2024-Q3-BEST-WG.md b/TI-reports/2024/2024-Q3-BEST-WG.md
new file mode 100644
index 00000000..e0726032
--- /dev/null
+++ b/TI-reports/2024/2024-Q3-BEST-WG.md
@@ -0,0 +1,130 @@
+# 2024 Q3 BEST WG
+
+
+## Overview
+The BEST Working group is officially a [Graduated-level](https://github.com/ossf/tac/blob/main/process/working-group-lifecycle.md) working group within the OpenSSF
+Our Mission is to provide open source developers with security best practices recommendations and easy ways to learn and apply them.
+
+We seek to fortify the open-source ecosystem by championing and embedding best security practices, thereby creating a digital environment where both developers and users can trust and rely on open-source solutions without hesitation.
+
+The BEST Working Group continues to curate and create artifacts tailored towards (open source) developers and open source software consumers illustrating secure development best practices. This is done through the combination of training collateral, best practices guides, and educational awareness.
+
+- We envision a world where software developers can easily IDENTIFY good practices, requirements and tools that help them create and maintain secure world-class software, helping foster a community where security knowledge is shared and amplified.
+- We seek to provide means to LEARN techniques of writing and identifying secure software using methods best suited to learners of all types.
+- We desire to provide tools to help developers ADOPT these good practices seamlessly into their daily work.
+
+
+
+The group continues to be active and is working on several simultaneous projects aligned with our Mission & Vision. Attendence generally is down, and several former key contributors no longer attend meetings.
+
+
+### Key Resources
+- Best Practices for OSS For Software Developers [link](https://best.openssf.org/developers)
+- Best Practices Guides [link](https://openssf.org/resources/guides/)
+- Secure Software Development Fundamentals Course [LFD121](https://training.linuxfoundation.org/training/developing-secure-software-lfd121/)
+- Security Toolbelt - ARCHIVED - [link](https://github.com/ossf/toolbelt)
+
+### Sub-groups
+- Guides - [link](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs)
+- EDU.SIG - [link](https://github.com/ossf/education/)
+- Memory Safety SIG - [link](https://github.com/ossf/Memory-Safety)
+- OpenSSF Best Practices Badge - [link](https://www.bestpractices.dev/)
+- Scorecard - [link](https://github.com/ossf/scorecard)
+- Secure Software Development Fundamentals course - [link](https://github.com/ossf/secure-sw-dev-fundamentals)
+- Security Baseline - [link](
+
+### Leads
+- WG - CRob
+- BP Badge and SecDev course - David Wheeler
+- Compiler Hardening Guides - Thomas Nyman & Geog Kunz
+- EDU SIG - CRob & Dave Russo
+- Mem Safety SIG - Nell Shamrell-Harrignton & Avishay Balter
+- Python Hardening Guide - Helge & Georg
+- Scorecard - Laurent Simon & Stephen Augustus
+- Security Baseline - Eddie Knight
+- WebDev Sec BP - Daniel Appelquist
+
+## Activity
+### Best Practices Badge
+#### Purpose
+- The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify, at no cost, by using this web application to explain how they follow each best practice.
+#### Current Status
+-
+- #### Up Next
+- TBD
+
+### Concise Guides
+#### Purpose
+- Artifacts that consolidate BEST practices in OSS software development and management techniques
+#### Current Status
+- Continued revisions, updates, & enhancements to these core guides
+#### Up Next
+- TBD
+
+### EDU.SIG
+#### Purpose
+- Deliver Baseline Secure Software Development Education and Certification to All. Provide access to open and widely available education materials to all learners.
+Materials will be maximally accessible and easy to consume for all learners.
+#### Current Status
+- Many simultaneous activities
+- Recent release of LF Research study on Security Edutation for Developers
+- Academic Accredidation team working on kicking off program to "certify" collegiate programs that meet OpenSSF & CNCF best practices
+- Security for Developer Managers class progressing into two pieces of collateral: Manager class & terms-definitions
+#### Up Next
+- Security Architect class outline reviewed and content development will come next
+- "201 level" class will come after
+-
+### Memory Safety SIG
+#### Purpose
+- The Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to advance and deliver upon The OpenSSF's Mobilization Plan - Stream 4.
+#### Current Status
+-Have drafted a “Memory Safety Continuum” concept document
+- Have gathered guides/practices related to best memory safety practices in both memory safe by default and non memory safe by default languages
+#### Up Next
+- Produce a Memory Safety workshop (modeled after W3C workshops). Theme is “Improving Memory Safety in an Imperfect World”
+- Finalize Memory Safety Continuum doc
+
+### Python Hardening Guide
+#### Purpose
+
+#### Current Status
+
+#### Up Next
+
+### Scorecard
+#### Purpose
+-To help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe.
+- Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10.
+#### Current Status
+
+#### Up Next
+
+
+### Security Baseline
+#### Purpose
+- The goal of this SIG is to evolve OpenSSF security baseline for Linux Foundation wide adoption.
+- For OpenSSF adoption of the security baseline, there needs to be a home for tracking the adoption, for maintainers to raise issues to refine the security baseline, merge the baseline back to TAC lifecycle, and for OpenSSF to develop the roadmap for the security baseline. It will provide a venue for early adopters to share their reusable code and findings with other maintainers. The pilot adoption builds the foundation for wider adoption of the security baseline in OpenSSF and in Linux Foundation.
+- This SIG creates a venue for other participating foundations to help evolve the OpenSSF security baseline into a security baseline that can be applied to a broad range of software-based projects. The group will define the right level of risks that the security baseline is applicable for, the effectiveness measurement of the security baseline, and the adoption path of the security baseline at the minimum.
+#### Current Status
+- on 16July the WG voted to adopt the OpenSSF Security Baseline as a SIG within our group.
+- Eddie Knight will help lead the cross-foundation effort
+- 3 OpenSSF Projects will work to comply with the Security Baseline by this fall.
+- CNCF & FINOS will also be collaborating on this effort
+#### Up Next
+- Get SIG resources setup (Gitbug, mailing list, slack,etc.)
+- Determine meeting time
+
+### Web Developer Security Guide
+#### Purpose
+
+#### Current Status
+
+#### Up Next- Joint venture with W3C, focused on improving education & awareness for web developers
+- [BEST Issue 367](https://github.com/ossf/wg-best-practices-os-developers/issues/367)
+
+
+
+## Previous Updates
+[April 2024](https://docs.google.com/presentation/d/1XjaJa2yxWgRmXhpv0N1_oPG23JPpJY_9zpSOMvqccUM/)
+[Dec 2023](https://docs.google.com/presentation/d/1A8Sxm1L3_GcWZqaXepqT1Pj-1sULzUG7fRkCP5tTr24/)
+[Sept 2023](https://docs.google.com/presentation/d/1BPSYzk9J33Xl08uekuDBlgJjhiJIMt5B_eBvZ9PetIo/)
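Review bot: the Security Baseline sub-group entry `- Security Baseline - [link](` is missing its URL and closing parenthesis, so it renders as a broken markdown link; please fill in the repository URL. A few other structural problems in the same hunk: the Best Practices Badge section has an empty bullet under Current Status, and its `- #### Up Next` heading is written as a list item, so it will render as a bullet rather than a heading; the `#### Up Next- Joint venture with W3C ...` line in the Web Developer Security Guide section fuses the heading with its first bullet and should be split into `#### Up Next` and `- Joint venture with W3C ...`; `-Have drafted` and `-To help` are missing the space after the dash and will not render as list items; and the EDU.SIG Up Next list ends with an empty bullet. Spelling to fix: Attendence, Edutation, Accredidation, Harrignton (Harrington), Geog Kunz. The Purpose, Current Status and Up Next sections for the Python Hardening Guide, Scorecard and the Web Developer Security Guide are left blank; if that content is not yet available, a TBD placeholder like the other sections use would be clearer than an empty heading.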
From 96ddb2f84db5100219bd660a08e9cab7ec2e9a69 Mon Sep 17 00:00:00 2001
From: CRob <69357996+SecurityCRob@users.noreply.github.com>
Date: Wed, 17 Jul 2024 09:41:03 -0400
Subject: [PATCH 02/12] Update 2024-Q3-BEST-WG.md
typo
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
---
TI-reports/2024/2024-Q3-BEST-WG.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/TI-reports/2024/2024-Q3-BEST-WG.md b/TI-reports/2024/2024-Q3-BEST-WG.md
index e0726032..855ef4dc 100644
--- a/TI-reports/2024/2024-Q3-BEST-WG.md
+++ b/TI-reports/2024/2024-Q3-BEST-WG.md
@@ -15,7 +15,7 @@ The BEST Working Group continues to curate and create artifacts tailored towards
-The group continues to be active and is working on several simultaneous projects aligned with our Mission & Vision. Attendence generally is down, and several former key contributors no longer attend meetings.
+The group continues to be active and is working on several simultaneous projects aligned with our Mission & Vision. Attendance generally is down, and several former key contributors no longer attend meetings.
### Key Resources
From e4a6b8fd8aef27b4b728c325418cc190f04e0303 Mon Sep 17 00:00:00 2001
From: CRob <69357996+SecurityCRob@users.noreply.github.com>
Date: Wed, 31 Jul 2024 09:31:57 -0400
Subject: [PATCH 03/12] Update TI-reports/2024/2024-Q3-BEST-WG.md
Co-authored-by: Marcela Melara
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
---
TI-reports/2024/2024-Q3-BEST-WG.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/TI-reports/2024/2024-Q3-BEST-WG.md b/TI-reports/2024/2024-Q3-BEST-WG.md
index 855ef4dc..20cc28ca 100644
--- a/TI-reports/2024/2024-Q3-BEST-WG.md
+++ b/TI-reports/2024/2024-Q3-BEST-WG.md
@@ -36,7 +36,7 @@ The group continues to be active and is working on several simultaneous projects
### Leads
- WG - CRob
- BP Badge and SecDev course - David Wheeler
-- Compiler Hardening Guides - Thomas Nyman & Geog Kunz
+- Compiler Hardening Guides - Thomas Nyman & Georg Kunz
- EDU SIG - CRob & Dave Russo
- Mem Safety SIG - Nell Shamrell-Harrignton & Avishay Balter
- Python Hardening Guide - Helge & Georg
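Review bot: the unchanged context line two below the change still reads `- Mem Safety SIG - Nell Shamrell-Harrignton & Avishay Balter`; since this commit is already correcting a name in the Leads list, the Harrington spelling is worth fixing in the same pass.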
From 9af4c09dcccfb40c64921c44be5d8c4455bd84a6 Mon Sep 17 00:00:00 2001
From: Dana Wang
Date: Wed, 31 Jul 2024 09:52:33 -0500
Subject: [PATCH 04/12] Update 2024-Q3-BEST-WG.md for security baseline
Added more information for current state and next steps.
Signed-off-by: Dana Wang
---
TI-reports/2024/2024-Q3-BEST-WG.md | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/TI-reports/2024/2024-Q3-BEST-WG.md b/TI-reports/2024/2024-Q3-BEST-WG.md
index 20cc28ca..b3493c3b 100644
--- a/TI-reports/2024/2024-Q3-BEST-WG.md
+++ b/TI-reports/2024/2024-Q3-BEST-WG.md
@@ -31,7 +31,7 @@ The group continues to be active and is working on several simultaneous projects
- OpenSSF Best Practices Badge - [link](https://www.bestpractices.dev/)
- Scorecard - [link](https://github.com/ossf/scorecard)
- Secure Software Development Fundamentals course - [link](https://github.com/ossf/secure-sw-dev-fundamentals)
-- Security Baseline - [link](
+- Security Baseline - [link](https://github.com/ossf/security-baseline)
### Leads
- WG - CRob
@@ -106,13 +106,22 @@ Materials will be maximally accessible and easy to consume for all learners.
- For OpenSSF adoption of the security baseline, there needs to be a home for tracking the adoption, for maintainers to raise issues to refine the security baseline, merge the baseline back to TAC lifecycle, and for OpenSSF to develop the roadmap for the security baseline. It will provide a venue for early adopters to share their reusable code and findings with other maintainers. The pilot adoption builds the foundation for wider adoption of the security baseline in OpenSSF and in Linux Foundation.
- This SIG creates a venue for other participating foundations to help evolve the OpenSSF security baseline into a security baseline that can be applied to a broad range of software-based projects. The group will define the right level of risks that the security baseline is applicable for, the effectiveness measurement of the security baseline, and the adoption path of the security baseline at the minimum.
#### Current Status
-- on 16July the WG voted to adopt the OpenSSF Security Baseline as a SIG within our group.
-- Eddie Knight will help lead the cross-foundation effort
-- 3 OpenSSF Projects will work to comply with the Security Baseline by this fall.
-- CNCF & FINOS will also be collaborating on this effort
+- on 16 July the WG voted to adopt the OpenSSF Security Baseline as a SIG within our group.
+- Eddie Knight will help lead the cross-foundation effort.
+- SIG resources setup completed (Gitbug, mailing list, slack, community meeting time, etc.).
+- 5 OpenSSF Projects are actively piloting the security baseline adoption to comply with the Security Baseline by 9/15/2024, inlcuding OpenVEX, Protobom, RSTUF, GUAC, and Scorecard.
+- Tracking of the adoption friction points and adoption prgress is in progress.
+- Removing adoption friction points is in progress via security baseline SIG repo issues and PR's.
+- 2FA will be enabled at the OpenSSF enterprise level on Auguest 6, 2024.
+- OpenSSF technology consumption architecuture for depenednecy management is up for review. Reviewers needed!
+- Survey for security baseline for Linux Foundation wide adoption is being actively worked on.
+- CNCF & FINOS will be collaborating on this effort.
#### Up Next
-- Get SIG resources setup (Gitbug, mailing list, slack,etc.)
-- Determine meeting time
+- Continue tracking and removing security baseline pilot adoption friction points.
+- Pilot projects continue to make progress on security baseline compliance.
+- Develop openSSF technology consumption architecuture for vulnerability management.
+- Publish the survey for security baseline for Linux Foundation wide adoption is being actively worked on.
+- First community meeting on 8/6/2024.
### Web Developer Security Guide
#### Purpose
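Review bot: the added Up Next bullet `- Publish the survey for security baseline for Linux Foundation wide adoption is being actively worked on.` runs a next step and a status sentence together and reads as neither; suggest `- Publish the survey for Linux Foundation wide adoption of the security baseline.` Several spelling errors in the new Current Status lines should be fixed: Gitbug (GitHub), inlcuding, prgress, Auguest, architecuture (twice, once in Up Next), depenednecy, and `PR's` should be `PRs`; `openSSF` in the Up Next list should match the `OpenSSF` capitalization used elsewhere in the report. The new bullets also mix date styles (16 July, 9/15/2024, August 6, 2024, 8/6/2024); one consistent form, ideally unambiguous for readers outside the US, would help.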
From f2998f1bfba505160d3cce2e963f818cd1bb8d0b Mon Sep 17 00:00:00 2001
From: CRob <69357996+SecurityCRob@users.noreply.github.com>
Date: Tue, 13 Aug 2024 09:18:32 -0400
Subject: [PATCH 05/12] Update 2024-Q3-BEST-WG.md
updates per wheeler
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
---
TI-reports/2024/2024-Q3-BEST-WG.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/TI-reports/2024/2024-Q3-BEST-WG.md b/TI-reports/2024/2024-Q3-BEST-WG.md
index b3493c3b..d979a8d9 100644
--- a/TI-reports/2024/2024-Q3-BEST-WG.md
+++ b/TI-reports/2024/2024-Q3-BEST-WG.md
@@ -30,7 +30,7 @@ The group continues to be active and is working on several simultaneous projects
- Memory Safety SIG - [link](https://github.com/ossf/Memory-Safety)
- OpenSSF Best Practices Badge - [link](https://www.bestpractices.dev/)
- Scorecard - [link](https://github.com/ossf/scorecard)
-- Secure Software Development Fundamentals course - [link](https://github.com/ossf/secure-sw-dev-fundamentals)
+- Best Practices Badge and Developing Secure Software (LFD121) course - [link](https://github.com/ossf/secure-sw-dev-fundamentals)
- Security Baseline - [link](https://github.com/ossf/security-baseline)
### Leads
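Review bot: renaming this sub-group entry to `Best Practices Badge and Developing Secure Software (LFD121) course` leaves the list with two Best Practices Badge entries, because `- OpenSSF Best Practices Badge - [link](https://www.bestpractices.dev/)` is still two lines above and points at a different URL; either merge the two entries or keep the badge and the course as separate items so each links to its own home.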
From f4407f405ae860bbe5e0bcdfc4973f6f70396bef Mon Sep 17 00:00:00 2001
From: CRob <69357996+SecurityCRob@users.noreply.github.com>
Date: Tue, 13 Aug 2024 09:24:04 -0400
Subject: [PATCH 06/12] Update 2024-Q3-BEST-WG.md
wheeler changes
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
---
TI-reports/2024/2024-Q3-BEST-WG.md | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/TI-reports/2024/2024-Q3-BEST-WG.md b/TI-reports/2024/2024-Q3-BEST-WG.md
index d979a8d9..2b6b57e3 100644
--- a/TI-reports/2024/2024-Q3-BEST-WG.md
+++ b/TI-reports/2024/2024-Q3-BEST-WG.md
@@ -49,9 +49,19 @@ The group continues to be active and is working on several simultaneous projects
#### Purpose
- The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify, at no cost, by using this web application to explain how they follow each best practice.
#### Current Status
--
+- OpenSSF Best Practice Badge continues to gain users, as shown in its project statistics. As of 2024-08-04 it has 7,383 participating projects and 1,450 passing projects. We occasionally process special requests, such as ownership changes, and update dependencies (especially if a vulnerability is found in a dependency).
- #### Up Next
-- TBD
+- The current plan is to continue to maintain the project as needed.
+
+
+### Developing Secure Software Fundamentals Course (LFD121)
+#### Purpose
+Provide baseline security education for developers.
+#### Current Status
+-The LFD121 course is occasionally updated as suggestions are made or new issues are discovered.
+#### Up Next
+- We are developing a set of interactive labs for the course. To see them and their current status, see the labs README.
+
### Concise Guides
#### Purpose
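Review bot: the new LFD121 Current Status bullet `-The LFD121 course is occasionally updated ...` is missing the space after the dash and will not render as a list item. The unchanged context line `- #### Up Next` in the Best Practices Badge section still has the heading-inside-a-bullet problem from the original file, and since this commit edits the lines on both sides of it, this is the right place to fix it. The new Up Next bullet points readers to "the labs README" without a link, while the other sections link their resources, so a URL would help. The statistics bullet is a good addition because it gives a date (2024-08-04) alongside the counts; linking the project statistics page it refers to would let readers verify the numbers.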
From ee7507b3baf642e8b83bb0728c305c04c551e683 Mon Sep 17 00:00:00 2001
From: CRob <69357996+SecurityCRob@users.noreply.github.com>
Date: Wed, 14 Aug 2024 13:00:03 -0400
Subject: [PATCH 07/12] Update TI-reports/2024/2024-Q3-BEST-WG.md
Co-authored-by: Georg Kunz
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
---
TI-reports/2024/2024-Q3-BEST-WG.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/TI-reports/2024/2024-Q3-BEST-WG.md b/TI-reports/2024/2024-Q3-BEST-WG.md
index 2b6b57e3..5ef50428 100644
--- a/TI-reports/2024/2024-Q3-BEST-WG.md
+++ b/TI-reports/2024/2024-Q3-BEST-WG.md
@@ -58,7 +58,7 @@ The group continues to be active and is working on several simultaneous projects
#### Purpose
Provide baseline security education for developers.
#### Current Status
--The LFD121 course is occasionally updated as suggestions are made or new issues are discovered.
+- The LFD121 course is occasionally updated as suggestions are made or new issues are discovered.
#### Up Next
- We are developing a set of interactive labs for the course. To see them and their current status, see the labs README.
From 55c4f43282caf82d976ab5bb3b7fa2a787af7b7a Mon Sep 17 00:00:00 2001
From: CRob <69357996+SecurityCRob@users.noreply.github.com>
Date: Wed, 14 Aug 2024 13:00:15 -0400
Subject: [PATCH 08/12] Update TI-reports/2024/2024-Q3-BEST-WG.md
Co-authored-by: Georg Kunz
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
---
TI-reports/2024/2024-Q3-BEST-WG.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/TI-reports/2024/2024-Q3-BEST-WG.md b/TI-reports/2024/2024-Q3-BEST-WG.md
index 5ef50428..77718b59 100644
--- a/TI-reports/2024/2024-Q3-BEST-WG.md
+++ b/TI-reports/2024/2024-Q3-BEST-WG.md
@@ -88,7 +88,7 @@ Materials will be maximally accessible and easy to consume for all learners.
#### Purpose
- The Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to advance and deliver upon The OpenSSF's Mobilization Plan - Stream 4.
#### Current Status
--Have drafted a “Memory Safety Continuum” concept document
+- Have drafted a “Memory Safety Continuum” concept document
- Have gathered guides/practices related to best memory safety practices in both memory safe by default and non memory safe by default languages
#### Up Next
- Produce a Memory Safety workshop (modeled after W3C workshops). Theme is “Improving Memory Safety in an Imperfect World”
From 35634a22ec6d0dbd1886c2a787e73b5fb1ad8212 Mon Sep 17 00:00:00 2001
From: CRob <69357996+SecurityCRob@users.noreply.github.com>
Date: Wed, 14 Aug 2024 13:00:27 -0400
Subject: [PATCH 09/12] Update TI-reports/2024/2024-Q3-BEST-WG.md
Co-authored-by: Georg Kunz
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
---
TI-reports/2024/2024-Q3-BEST-WG.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/TI-reports/2024/2024-Q3-BEST-WG.md b/TI-reports/2024/2024-Q3-BEST-WG.md
index 77718b59..ae4814d9 100644
--- a/TI-reports/2024/2024-Q3-BEST-WG.md
+++ b/TI-reports/2024/2024-Q3-BEST-WG.md
@@ -96,7 +96,8 @@ Materials will be maximally accessible and easy to consume for all learners.
### Python Hardening Guide
#### Purpose
-
+- Help Python developers to create more secure code by explaining vulnerable and non-vulnerable coding patterns based on the CWE framework and rules.
+- Besides a description of each coding pattern, the guide includes executable code examples for each rule, which allow for an in-depth understanding of each pattern.
#### Current Status
#### Up Next
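Review bot: the Python Hardening Guide now has a Purpose, but its `#### Current Status` heading (the unchanged context line below the change) is still empty; a one-line status, or a TBD placeholder consistent with the other sections, would avoid a blank heading in the rendered report.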
From d8f5d8b0ae3411c278e08c5957642a471567ebb8 Mon Sep 17 00:00:00 2001
From: CRob <69357996+SecurityCRob@users.noreply.github.com>
Date: Wed, 14 Aug 2024 13:01:42 -0400
Subject: [PATCH 10/12] Update 2024-Q3-BEST-WG.md
added suggestions from gkunz
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
---
TI-reports/2024/2024-Q3-BEST-WG.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/TI-reports/2024/2024-Q3-BEST-WG.md b/TI-reports/2024/2024-Q3-BEST-WG.md
index ae4814d9..956465e8 100644
--- a/TI-reports/2024/2024-Q3-BEST-WG.md
+++ b/TI-reports/2024/2024-Q3-BEST-WG.md
@@ -101,6 +101,9 @@ Materials will be maximally accessible and easy to consume for all learners.
#### Current Status
#### Up Next
+- The group is working on adding more content for a broad range of CWE rules. The status is being tracked in issue 531
+- We are inviting all interested Python coders to review the current content and/or pick a new CWE rule from 531 and contribute content
+
### Scorecard
#### Purpose
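Review bot: `issue 531` in the two new bullets is a bare number with no link and no repository named; elsewhere in this report issues are cited as full links (for example `[BEST Issue 367](https://github.com/ossf/wg-best-practices-os-developers/issues/367)`), so please link it the same way so readers can tell which repository's issue 531 is meant.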
From 01e3ae0a6c35e8a3735b3af7cc386971631e8412 Mon Sep 17 00:00:00 2001
From: CRob <69357996+SecurityCRob@users.noreply.github.com>
Date: Wed, 14 Aug 2024 13:03:03 -0400
Subject: [PATCH 11/12] Update 2024-Q3-BEST-WG.md
more contributor feedback
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
---
TI-reports/2024/2024-Q3-BEST-WG.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/TI-reports/2024/2024-Q3-BEST-WG.md b/TI-reports/2024/2024-Q3-BEST-WG.md
index 956465e8..955ccd9c 100644
--- a/TI-reports/2024/2024-Q3-BEST-WG.md
+++ b/TI-reports/2024/2024-Q3-BEST-WG.md
@@ -103,6 +103,8 @@ Materials will be maximally accessible and easy to consume for all learners.
#### Up Next
- The group is working on adding more content for a broad range of CWE rules. The status is being tracked in issue 531
- We are inviting all interested Python coders to review the current content and/or pick a new CWE rule from 531 and contribute content
+- Use the opportunity to give a lightning talk at SOSS Community Day EU to solicit more contributors
+
### Scorecard
From c79c501b5760cb285a683d75505bc518af02c5b4 Mon Sep 17 00:00:00 2001
From: CRob <69357996+SecurityCRob@users.noreply.github.com>
Date: Mon, 19 Aug 2024 10:46:14 -0400
Subject: [PATCH 12/12] Update TI-reports/2024/2024-Q3-BEST-WG.md
Co-authored-by: Thomas Nyman
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
---
TI-reports/2024/2024-Q3-BEST-WG.md | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/TI-reports/2024/2024-Q3-BEST-WG.md b/TI-reports/2024/2024-Q3-BEST-WG.md
index 955ccd9c..4ca265da 100644
--- a/TI-reports/2024/2024-Q3-BEST-WG.md
+++ b/TI-reports/2024/2024-Q3-BEST-WG.md
@@ -71,6 +71,15 @@ Provide baseline security education for developers.
#### Up Next
- TBD
+### Compiler Hardening Guides
+#### Purpose
+- Help C and C++ developers and those who compile C/C++ code, e.g., package maintainers, ensure that produced application binaries (libraries and executables) are equipped with security mechanisms provided by compilers against potential attacks and/or misbehavior.
+#### Current Status
+- Continued revision, updates, & enhancement, e.g., keeping the compiler options hardening guide up-to-date with upstream options additions and changes in GCC and Clang/LLVM.
+#### Up next
+- Compiler annotations guide for C and C++ (in incubation), expanding compiler options guide to also cover other compilers, such as Microsoft MSVC (tracked in [BEST Issue 150](https://github.com/ossf/wg-best-practices-os-developers/issues/150))
+- Outreach, e.g., upcoming talk at Nordic Software Security Summit 2024
+
### EDU.SIG
#### Purpose
- Deliver Baseline Secure Software Development Education and Certification to All. Provide access to open and widely available education materials to all learners.
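Review bot: the new `#### Up next` heading uses a different capitalization from every other `#### Up Next` heading in the file; please match the existing form. The block is also inserted directly after the Concise Guides `- TBD` bullet with no blank line before `### Compiler Hardening Guides`, while the other sections are separated by a blank line, so add one there for consistency.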