Description
Date
Monday November 10th- 1000 EST / 1200UK
Untracked attendees
| Name | Firm | Comment |
|---|---|---|
Meeting notices
- FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.
- All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.
- FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.
- FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
Agenda
- Convene, roll call, welcome new people
- Approve previous meeting minutes: SDLC Framework WG Bi-weekly call - October 27th #277
- Maintainer responsibilities and elections
- AOB, Q&A & Adjourn (5mins)
Decisions Made
- Propose controls by creating an issue in the repository: https://github.com/finos-labs/SDLC-Controls-Framework/issues/
- We need to define project governance, a list of controls and a control lifecycle
Maintainers
- Expectations that come with the role - there is no prescription, so we can decide
- Public voting for key decisions; maintainers are expected to be stewards for the project
- Maintainers access list is the membership source of truth
- Promotion from Labs -> FINOS would mean more rigorous governance on the project
Discussion on scope of the project
- Supply chain risks
- Open source governance (podcast open source security) - out of scope for this project's goals. Perhaps it could be used in FINOS projects if they volunteer
- Main focus will be on the enterprise
Common control around SCA/SBOM
- Can we create a shared standard control for this?
- Can we agree on a shared list of associated risks?
- Problem statement: can we define a standard that addresses the Indian regulator and the US Executive Order?
Action Items
- Next session will focus on supply chain risks in software builds:
  1. Insider threat
  2. Provenance / supply chain integrity / chain of custody (demonstrate you can prove the supply chain identity)
  3. Third party open source risks (vulnerabilities + licensing)
- Advertise the upcoming meeting on the mailing list & individually (@aaronsearle)
- Karl: send attendee list to maintainers for follow-up
Zoom info
Join Zoom Meeting
- https://zoom.us/j/94904595244
- Meeting ID: 949 0459 5244
- Passcode: 545224
- Find your local number: https://zoom.us/u/aesEqmNODb
GitHub Repo: https://github.com/finos-labs/SDLC-Controls-Framework/
Project Board: SDLC Project Board
Mailing List: Email [email protected] to subscribe to our mailing list