[comment]: # (Compile this presentation with the command below)
[comment]: # (mdslides perlkohacon-cpan-sec-lightning-talk.md --include ../media)
[comment]: # (...or by running the Makefile with "make")
[comment]: # (mdslides can be installed from https://github.com/dadoomer/markdown-slides/)

# CPAN Security Working Group

This is an introduction!

Note:
Hei! I'm
and I'm here to introduce the CPAN Security Working Group to you
---

## CPAN-SEC

* Made @ **Perl Toolchain Summit** 2023 in Lyon, France
* We care about **security on CPAN**!

Note:
Established in April this year at the Perl Toolchain Summit in Lyon, France
---

## What do we care about?

Note:
This is an introduction and a **call for participation**! Here are some of the things we care about!
---

### CPAN Vulnerability Index

👉 **Audit** and track vulnerabilities

Note:
Improve security awareness by standardizing and publishing CPAN package vulnerabilities in relevant indices (our own, or CVE, or other). Possibly register as a CVE Numbering Authority.
---

### CPAN Provenance & Supply Chain Security

👉 Establish a **trusted publishing infrastructure**

Note:
Establish a trusted publishing infrastructure and tooling, with inspiration from `in-toto.io` and "Salsa" (`SLSA`).
---

### CPAN Software Bills of Materials

👉 **SBOM** creation and verification

Note:
Support risk analysis and management by writing tooling for managing standard SBOM objects like OWASP CycloneDX or SPDX, and do this by using existing and new CPAN metadata.
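---

### Example: from META.json to a CycloneDX SBOM

This slide is an added example and not CPAN-SEC's own tooling: it turns the `prereqs` section of a constructed `META.json` into a minimal CycloneDX 1.4 document using only core Perl modules. The distribution name `Acme-Example` and its prerequisites are made up for the illustration.

```perl
#!/usr/bin/env perl
# Added example, not CPAN-SEC tooling: derive a minimal CycloneDX 1.4 SBOM
# from the "prereqs" section of a CPAN distribution's META.json.
use strict;
use warnings;
use JSON::PP;    # core module, no extra dependencies needed

# Constructed sample META.json for a hypothetical distribution "Acme-Example".
my $meta_json = <<'END_META';
{
  "name": "Acme-Example",
  "version": "0.01",
  "prereqs": {
    "runtime": { "requires": { "JSON::PP": "4.02", "perl": "5.010" } },
    "test":    { "requires": { "Test::More": "0" } }
  }
}
END_META

# Walk every prereq phase (runtime, test, ...) and emit one component per module.
sub meta_to_cyclonedx {
    my ($meta) = @_;
    my @components;
    for my $phase ( sort keys %{ $meta->{prereqs} || {} } ) {
        my $req = $meta->{prereqs}{$phase}{requires} || {};
        for my $module ( sort keys %$req ) {
            next if $module eq 'perl';    # interpreter requirement, not a CPAN module
            my $min = $req->{$module};    # declared *minimum* version ("0" = any)
            push @components, {
                type       => 'library',
                name       => $module,
                version    => $min,
                # Package URL using the purl "cpan" type with the module name
                purl       => sprintf( 'pkg:cpan/%s@%s', $module, $min ),
                properties => [ { name => 'cpan:prereq_phase', value => $phase } ],
            };
        }
    }
    return {
        bomFormat   => 'CycloneDX',
        specVersion => '1.4',
        version     => 1,
        metadata    => { component => { type => 'application', name => $meta->{name}, version => $meta->{version} } },
        components  => \@components,
    };
}

my $meta = JSON::PP->new->decode($meta_json);
print JSON::PP->new->pretty->canonical->encode( meta_to_cyclonedx($meta) );
```

Declared prerequisites are minimum version constraints, so the `version` fields above are lower bounds; a production SBOM would record the versions actually installed (for example by querying `Module::Metadata`).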
---

### CPAN Transparency Logs

👉 Tooling for **third-party monitoring** of package changes

Note:
Write tooling for monitoring package updates and integrity checking of metadata using tools like `sigstore` or `sigsum`, or take inspiration from `transparency.dev`.
---

### CPAN Security Patch Tooling

👉 Tooling for CPAN Distro security patches to enable **high-priority updates**

Note:
Enable high-priority updates of CPAN packages, by developing tooling for publishing and applying third-party security patches to CPAN distributions with non-responsive authors.
---

### CPAN Security Outreach & Information

👉 Security and **incident communication** through relevant media channels

Note:
Keep different information channels (websites, social media) up-to-date and relevant with info on incidents, best practices and other documentation.
---

### And more!

* 👉 Software Composition Analysis
* 👉 CPAN-SEC Governance, Policy & Funding
* 👉 Rich Metadata & Dependencies
* 👉 Privacy and Compliance

Note:
And more!

* Analyze dependencies for known vulnerabilities
* Establish constructive rules, playbooks, governance, policy, and funding channels
* Improve interoperability with non-CPAN package indices
* Track legal and privacy issues around CPAN metadata, and compliance with regulations
---

## Why now?

* **Increased demands from upcoming laws** on supply chain security and metadata
  * US [EO 14028](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/) _Improving the Nation’s Cybersecurity_
  * EU [NIS2 Directive](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive) & [Cyber Resilience Act](https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act)
* **Raise community awareness** on security topics
* CPAN is in the dependency trees of _many_ businesses, so it's high time we **get our ducks in a row** 🦆🦆🦆🦆

Note:
Why?

* Increased demand from upcoming laws

EU NIS2 Directive 2022/2555

* Applies to producers of software used by EU institutions that manage **critical infrastructure**
* To be implemented in local law by October 2024

EU Cyber Resilience Act

* CE certification of software used in and with **internet-connected devices**
* Expected to be implemented by July 2025

US Executive Order 14028

* "on Improving the Nation’s Cybersecurity"
* For anyone working with or selling to the US federal government
* In effect as of May 2021

Also: Raise awareness on impact and responsibility around security on CPAN
---

### Who are we?

**garu**, **haarg**, **ingy**, **klapperl**, **leont**, **oalders**, **reneeb**, **sam**, **sjn**, **stigo**, **timlegge**, **Tux**, …and others!

Note:
Breno, Graham, Ingy, Andreas, Leon, Olaf, Renée, Sam, Salve, Stig, Tim, Merijn, …and others!
---

### PTS Picture Proof

![Group picture showing stigo, ingy, sjn, leont, tux and garu](media/cpan-sec-group-picture-PTS2023.jpeg)

Note:
* Stig
* Ingy
* Salve
* Leon
* Merijn
* Breno
---

### Join us!

Do you…

* …Work with & **care about security**?
* …Have **tuits to spare**?
* …Have a **security commons** aware employer?
* …Enjoy getting your **ducks in a row**? 🦆🦆🦆🦆

Note:
* Do you have a **security background** or care about the toolchain?
* Do you have **time to volunteer**?
* Is your employer willing to **dedicate a percentage of your time** to improve our security commons?

We need volunteers!
---

### Find us!

ircs://irc.perl.org#cpan-security

https://security.metacpan.org/

mailto:cpan-security@perl.org

Note:
We're on the web, IRC, mail and eventually on other places.
---

# Thanks!

* Salve J. Nilsen 🦆🦆🦆🦆🦆🦆

Note:
Thanks!