[PROPOSAL] Forming OpenSearch Security TAG

[cwperks]

What/Why

What are you proposing?

A new technical advisory group focused on Security within OpenSearch. A few key areas this group will focus on:

• The Security Response Process for OpenSearch (https://github.com/opensearch-project/.github/blob/main/SECURITY.md)
• Security practices across the ecosystem
  • Use of dependency automation tools like Mend and dependabot
  • Documenting security best practices for Software Development
  • Making the Security Review process transparent for what goes on to deliver and enable a feature in OpenSearch
  • Vulnerability scanning
• Anything Security Feature related (Encryption, Access Control, Authentication, Audit Logging)

[getsaurabh02]

This is a great starting proposal @cwperks ,thanks.The idea of establishing a dedicated TAG focused on security will also help us identify, triage, and resolve vulnerabilities more systematically across OpenSearch’s diverse repositories and dependencies.

We can leverage this TAG as a central mechanism to:

•	Identify and prioritize vulnerabilities
•	Cross-Repo coordination and bridge between maintainers
•	Automation & tooling integration with existing dependency scanning tools (e.g. Dependabot) integrated with GitHub Actions.
•	Security advisory & response workflow.

It would be great to form an initial core group representing folks among:

•	Core/Plugin Repository maintainers (to help with quick fixes and dependency updates)
•	Security plugin maintainers (to define vulnerability classification and patch standards)
•	Project admins (to coordinate disclosure and communication)
•	Anyone interested in improving the overall security posture of OpenSearch

We can use this thread to define the core responsibilities and the initial founding member list for the TAG.

Overall, this TAG can become the nucleus for proactive security culture in the OpenSearch project, enabling faster response times, better visibility and shared ownership.

[getsaurabh02]

Adding @krisfreedain to help us facilitate the discussion and next steps.
Also @andrross for his inputs and taking to TSC for feedback in future.

[krisfreedain]

@cwperks @getsaurabh02 - this is a great idea and the outline provided makes sense. For next steps, I would recommend drafting up your 'readme' & 'charter' files to flush out all details and open the discussion around the finer points of a Security TAG's mission, responsibilities, participation, etc.
Both the build and observability TAGs have good examples of each doc: https://github.com/opensearch-project/technical-steering/tree/main/technical-advisory-groups

Although an issue is a good starting point, having a draft where the community can comment on specific points in each has proven useful. You both have great ideas included here so you'll just want to use those and flush them out.

When those are ready - I'm happy to help get the community involved in the discussion

[andrross]

@cwperks @getsaurabh02 Take a look at #41 for a good example of how this can work. I'd recommend starting with a proposed charter as a PR. You can then socialize that and find folks who might be interesting in joining the TAG as well as incorporate feedback into the charter itself.

[peterzhuamazon]

Agree with @andrross that we can start a charter to get review.
And we can use @getsaurabh02 suggested categories to find initial members to onboard.
This team would be much help to make decisions on security related issues, and provide support on questions during both development and release of all related components. Thanks.

[krishna-ggk]

Thanks a lot @cwperks for initiating this. TAG for Security makes sense to instill explicit focus on security with all the areas you enlisted. One potential area this focus group can help with is in tooling (OSCAR integration?) to identify security scrutiny, threat-modeling for anything sensitive etc.

[cwperks]

One potential area this focus group can help with is in tooling (OSCAR integration?)

You've read my mind ;). I think there's still a tremendous opportunity to expand the applications of GenAI within the SDLC for large open-source projects like OpenSearch and have some ideas in mind that I still need to write down.

Some initial ideas:

• Help with triaging issues (i.e. assigning labels to issues, identifying regressions, flagging potential security issues filed as public github issues, etc.)
• Grooming the git log by summarizing commits on squash (personal want from Github itself)
• Helping in the process of identifying if CVEs from dependencies would also make OpenSearch vulnerable
• Grooming reproduction steps
• Helping with major-version dependency updates
• Helping with Security focused documentation. i.e. reviewing threat models
• Modernizing the codebases which can have a side-effect of stronger security

[cwperks]

Thank you all for input. I will raise a PR as soon as time permit and solicit review from there as well. ETA early next week after oncall shift is over.

[KarstenSchnitter]

I wonder, if you would need an NDA for permanent members to discuss certain critical issues.

[cwperks]

@kkhatua Do you think it would make sense to include Resiliency in this as well? Security + Resilience?

I wonder, if you would need an NDA for permanent members to discuss certain critical issues.

@KarstenSchnitter this TAG should not be confused with the Security Response Team outlined. Members of that team have access to reports sent to security@opensearch.org whereas members of the TAG will not. The members of the Security Response Team would help seed this TAG with members so there is some overlap.