1 of 15

W3C Workshop - Secure the Web Forward OpenJS Project Briefing: Sovereign Tech Fund

Joe Sepi joesepi@ibm.com
Benjamin Sternthal bsternthal@linuxfoundation.org

September, 2023


Agenda

  • OpenJS & Sovereign Tech Fund Overview
  • Security & Maintenance Workstream
  • Discussion Questions (2)


OpenJS & Sovereign Tech Fund Overview


OpenJS Foundation + Sovereign Tech Fund

"Strengthening digital sovereignty is key to ensuring economic growth, self-determination and for protecting our values in a digital world. The sustainability of the open source ecosystem is crucial, and we must understand the support of our digital infrastructure as a public task. Supporting the OpenJS Foundation, a vendor-neutral organization with deep expertise working in these areas, will help infrastructure and security issues on a large scale," said Adriana Groh, co-founder, Sovereign Tech Fund. "We are very excited to be supporting the work of the OpenJS Foundation."


Sovereign Tech Fund: Summary

  • ~ $900,000 for 2023-2024
  • Funds infrastructure updates
  • Funds security & maintenance for critical projects
  • Structured around quarterly milestones


Security & Maintenance Workstream


Security & Maintenance Workstream: Goal

“Advance security skills and processes among the contributor and implementer communities to strengthen the JavaScript ecosystem broadly…”


Security & Maintenance Workstream: Focus Areas

  • Audits
  • Security framework
  • Support for secure releases
  • Improve and document security processes


Security & Maintenance Workstream: Inventory & Analysis

  • Leverage a vendor and utilize metrics such as OpenSSF's criticality score and Harvard's Census II
  • Identify priority projects
  • Audit prioritized projects


Security & Maintenance Workstream: Security Framework

  • Customize OpenSSF & OWASP best practices
  • Provide direct support to maintainers on the menu of the OpenSSF Best Practices Badge Program
  • Create free JavaScript security training and courses


Security & Maintenance Workstream: Support For Secure Releases & Improved Process

  • Secure signing for releases
  • SBOMs
  • Streamlined release process
  • Reduced effort for security & non-security releases


Discussion Topics


Discussion Topic #1

What are we missing, what else should we do, what should be on our roadmap?


Discussion Topic #2

How do we have more impact? How can we increase awareness of this work?


Thank You \o/
