Ideation: OSS Architecture

[manishapriya94]

Challenge

To echo the larger challenge of scaling this project within this hackathon - we focus on creating a robust OSS DevSecOps workflow and infrastructure.

Priorities

• CodeSpaces
• Actions
• ORM

You might find this skillset track interesting if you hold any of the following titles:

• Project Management
• Architecture
• Security/Cybersecurity Analyst
• DevOps engineer
• DevSecOps

Problem

More than 80% of the world’s software is built on open source. Log4J and Solorigates tested organizations across the world and how robust their infrastructure was when it came to operations, discovery, and remediation.

Maintainers navigate a very different world. Resources across tools, people, and time are afforded differently so we take on the lens of MGV when trying to adapt DevSecOps thats accessible in the projects that fuel our development heartbeats - open source.

This is an exploration of the accessibility of securing open source as discussed at the Open Summit at the White House earlier this year.

Goal

We plan to use Minimum Viable Governance framework so that security across user policies, infrastructure, appsec, app structure, data, and open source collaboration can scale seamlessly with the least amount of overhead.

MVG provides a two-tier structure for a set of open source projects. At the top level (called an “organization” on GitHub), there is a technical steering committee to make decisions about the overall direction and coordination between all the organization's projects. Underneath that top level are the individual projects, with lightweight, consensus-based governance.

Pillars of MVG:

Decision Making. MVG defaults to a consensus-based decision making process at the organization level. Consensus does not mean no objection - it means loose agreement by the stakeholders based on their dominant view, and taking outstanding objections into consideration. This is the approach that built the net. In our experience, striving for consensus reduces friction and reduces hostile project forks. At the organization/steering committee level, decisions that can’t be made by consensus fall back to majority vote. Individual repositories are consensus-only: if a decision can’t be made by consensus, it’s appealed to the steering committee.

Minimal Viable Risk Management: This is Appsec, zero trust policy, and protected workflows. Policies within administrative workflows which limit key decision making to OSS maintainers (steering comittee).

Functional Specifications

Amplify App

• Going from using 40 advocacy groups to 100
• Focus areas:
  • ORM implementation
  • Database Abstraction
  • API integrations are made through secrets

OSS Architecture:

• Supporting 200 outside collaborators that are made up of folks used to enterprise architecture with enough enablement and intuitive workflows to
• Focus Areas:
  • Codespaces onboarding
  • Production & Staging
  • CI/CD optimizations with Actions
  • Vulnerability Detection and Remediation
  • Security Policy
  • Token Scanning
  • Project board automations

How to get started

Review and pick a thread
Understand the context of the architecture

Pick an issue linked to discussion
Scope the problem you're hoping to add or seek input around

Submitting an issue:
Don't see a problem discussed? Discuss within your pod and skillset team to see if it worth submitting an issue. Use this template when submitting the issue

Table of Contents

	Threads	Stack
Developer Experience	Onboarding, Continuous Integration, Continuous Delivery, CodeQL Checks, Project tracking	Codespaces, Actions, Workflows, Project Boards, GitHub Advanced Security
Application Security:	Securing current actions, Ensuring secrets for all new APIsDatabase Abstraction	Secrets, Dependabot, ORM,
Operations	Set up staging environment and production environment Administrative Actions	Heroku, Actions, Repo Structure and Permission

### Definitions in the context of this project

App Structure:
We are going from a Single Page App Structure

To a CRUD App Structure

OSS Architecture:
OSS Architecture refers to all of the tools, workflows, and developer contribution pathways we're condensing under the DevSecOps model that works for open source - GitHub flows within an MVG framework.

Developer Experience

• Developer experience speaks to all of the procedures of contribution flow onboarding, scoping project or issue, writing and testing code, code review, and the CI that enables their code to be merged.
• MVG Framework Consideration: The more important matter is to integrate practices and embed them deeply into a process flow that crosses data and information silos from secure development through deployment and then to operations. To this end, continuous integration builds on test automation to ensure that as new code is added to an application, continuous integration focuses on quality at the application level as new or modified code is integrated.
• Our focus of this hackathon is to ensure onboarding takes minimal effort while making sure we check code per merge from an administrative, project, and security perspective
• Current Contribution Flow

• Threads:
  • Changing Contributor Onboarding: Codespaces

AppSec:
Background:
AppSec tools like SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and others that address issues in proprietary software have become staples of the developer’s security toolbox. In addition, an AppSec strategy also needs to detect open source components with known vulnerabilities, and that’s where SCA (Software Composition Analysis) tools play an important role. Both SAST and SCA tools address vulnerabilities management. Each one operates differently, covers a different set of vulnerabilities, and even integrates into different stages of the software development lifecycle (SDLC).

Secure Workflows minimize risk across supply chain

• Code scanning with CodeQL - Search for potential security vulnerabilities and coding errors in your code. For more information, see "About code scanning."
• Secret scanning - Detect secrets, for example keys and tokens, that have been checked into the repository from API integrations. For more information, see "About secret scanning."
• Dependency review through Dependabot- Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request. For more information, see "About dependency review."
• Report vulnerabilities through Security Lab. Maintainers figure out the ‘how’ with their security policy

Operations:
Operations refers to administrative practices for staging and monitoring production as well as policies and permissions.

Stack Best Practices

[manishapriya94]

Category: Developer Experience - Onboarding with Codespaces

Use case: speed up onboarding (similar to dev containers) in a cloud environment for optimal onboarding experience for both hackathon participants and student mentorship programs

Context: We currently use the contributors guide for people to set up local environments in Mac, Linux, and Windows. It can sometimes create barriers for both students as well as those who would like to start contributing immediately.

Mac users get the following error:

@JamesMGreene has started the following issue to implement within backend:

[manishapriya94]

Setting up CI in frontend

Use Case: this will allow us to create tests for frontend instead of just backend

[manishapriya94]

Category: Operations - Production Environments for Staging and Production

Use case: have a different environment for hackathon and one that advocacy groups continue to use

https://github.com/ProgramEquity/amplify-front-end/issues/80

[manishapriya94]

Category: AppSec - Security Policy

[JarLob]

Hi, I have looked the workflows in the repository from security perspective. Good practices are in place, like permissions and hash pinning. No injections or pull_request_target usage. The only thing to keep in mind secrets in integration-tests.yaml are available only to pull requests from the same repo. For pull requests from forks the workflow will fail. That's the secure behavior. If you want to run tests for pull requests from forks a manual trigger (label or comment from a maintainer) can be added after the changes are reviewed. As a side note dispatch event will have the access to the secrets too, but I assume everything merged has been reviewed, so it is safe.

[manishapriya94]

Dev Experience: Adding bugs to your workflows
https://github.co/3y2jfAb