Hello everyone,

*TL;DR:* I have a proposal of refinements we can apply to our security team and I am looking for comments and feedback (the PR is out there in [1]). In short, I am proposing that we introduce rotation of the security team members, so that we can avoid burnout, give a chance to others to learn about security and make security team membership effectively temporary - which might help people with their decision to sign up for a few months to learn new skills and see how it works.

*Context:* It's been quite a few months since we introduced the security team. I see that as a pretty successful change we implemented. I've given a talk [2] about it together with Arnout from the ASF Security team. But we can always improve and iterate on the idea, and I think rotation is a good idea for the team to continue doing a great job and to bring more people into the realm of security.

*Quick summary of where we are:*

* From > 20 issues in March, some of them > 150 days old, we are down to literally 2 (!) reported issues not yet addressed (a few weeks old, and we target closing them in the upcoming 2.8.0).
* We introduced and iterated on both our Security Model [3] and Security Policy [4] - some of that is still to be released in the 2.8.0 release.
* We have successful cooperation with Kei - the security researcher who brought a wealth of great insights; we've learned a ton from him about how to approach security handling.
* Thanks to funding 4 of the PMC members got from the Sovereign Tech Fund, we were able to also address a lot of potential (and real) threats in our release and build process, as well as improve and harden it - and in the near future also expose SBOM and better vulnerability exchange information to Airflow users.
* As a new "ASF Security Committee" member, I already used experiences from our team setup to help other projects build their own processes (somewhat competing with us: "Apache Dolphin Scheduler").

*My personal view:* I think being part of the security team is a fantastic learning opportunity. Security is becoming more and more important in Software Development - we are on the verge of regulations that will change a lot when it comes to the approach to security issues, vulnerabilities, vulnerability exchange, upgrading software and a lot more.

This is an important experience, and it's useful to have a security focus and security experience/skills in the future software development industry - both at the technical skill level but also process-wise. The rumour is that the CRA (the Cyber Resilience Act), which is about to regulate the security approach for software development in Europe, has just completed the intra-EU-policymakers negotiation phase and it already took a final shape. It looks like it is actually very pragmatic and good for the Open Source community at large, as they seem to address literally all the concerns we raised after seeing some initial versions of those regulations. It will still, however, mean that our processes have to be sound - and it also seems that we in the ASF, and Airflow particularly, are well ahead of everyone else, and it's us who will be setting the "golden standards" of how things should be done. There are very few people out there who could say they have "a real, proven experience" with handling well-established security processes in Open-Source software, and I think it's good to have more people exposed to it, and it's also good for the people to gain the experience (of course if they are security-minded and they do not see it as "boring" - which many people do).

Looking forward to comments/feedback. Do you think it's a good idea in general?

J.

[1] PR: "Add security team rotation proposal to our security team process" https://github.com/apache/airflow/pull/36049
[2] Presentation: "Lessons Learned: Improving the security process of an Apache project" https://docs.google.com/presentation/d/1EIw4_NHI34v-9KzRDqFi7TS8Pn-O3DgUmjuKqlbghZU/edit#slide=id.p
[3] Airflow Security Model https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html
[4] Airflow Security Policy https://github.com/apache/airflow/security/policy
