You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The CNCF Security Technical Advisory Group facilitates collaboration to discover and produce resources that enable
18
-
secure access, policy control, and safety for operators, administrators,
19
-
developers, and end-users across the cloud native ecosystem.
14
+
The CNCF Security Technical Advisory Group facilitates collaboration to exchange and produce knowledge and resources for building security in the cloud native ecosystem.
20
15
21
-
## Background
16
+
Cloud Native involves building, deploying, and operating modern applications in cloud computing environments, typically using open source. This complex ecosystem presents a technology risk landscape that demands rethinking application and information security through the lens of developer experience.
22
17
23
-
Cloud Native describes the building, deploying, and operating of modern applications in cloud computing environments, typically using open source. This complex ecosystem composed of different open source projects presents an increasingly complicated technology risk landscape.
24
-
While there are several projects in the cloud native ecosystem that address trust, safety, and security in the dynamic interplay between the different layers of infrastructure and application services, the technological shift demands application and information security be rethought through the lens of developer experience as close to applying software engineering to design for security considerations in the effort to safeguard an integrated cloud native ecosystem as a whole.
18
+
We aim to significantly reduce the probability and impact of attacks, breaches, and compromises. By empowering developers and operators to understand and manage the security posture of their systems, we strive to fulfill the promise of enhanced productivity and operational efficiency.
25
19
26
-
## Vision
20
+
## Key Focus Areas
27
21
28
-
We believe in a future where the probability and impact of attacks, breaches, and compromises are significantly reduced. Where the most common risks of today are not just mitigated but made implausible. We believe developers and operators can be empowered to understand better and be reassured by the posture of the systems they build and run through the informed use of cloud technologies with clear
29
-
understanding of responsibility and risks and the unlocked ability to validate that their architectural intent meets compliance and regulatory objectives.
30
-
31
-
<!-- cSpell:ignore sociotechnical -->
32
-
There is a growing ecosystem of tools that promises to unlock developer productivity and operational efficiency. We strive to fulfill the human side of the sociotechnical equation to acceleration and attain that promise including:
33
-
34
-
1. Consumable system security architectures that account for the ever
35
-
growing heterogeneity of systems and provides a framework to protect
36
-
resources and data while servicing their users.
37
-
2. Common lexicon and open source libraries that make it easy for developers
38
-
to create and deploy apps that meet system security requirements.
39
-
3. Common libraries and protocols that enable people to reason about the
40
-
security of the system, such as auditing and explainability features.
22
+
-**System Security Architectures**: Frameworks to protect resources and data.
23
+
-**Common Lexicon, Templates & Libraries**: Tools for developers to create secure apps.
24
+
-**Heuristics and Models**: Approaches for reasoning about system security.
41
25
42
26
## Publications
43
27
44
-
TAG Security has published several resources for the community, which can be
45
-
found under [publications](publications/README.md).
28
+
Below is a list of publications by TAG Security. For a comprehensive collection of our works in various formats, please visit the [publications](publications/README.md) directory.
29
+
30
+
| Publication | Date |
31
+
|-------------|------|
32
+
|[Formal Verification for Policy Configurations](https://github.com/cncf/tag-security/blob/main/policy/overview-policy-formal-verification.md)| August, 2019 |
33
+
|[Catalog of Supply Chain Compromises](https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises)| November 2019 - Present |
34
+
|[Software Supply Chain Best Practices](https://github.com/cncf/tag-security/raw/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)| May, 2021 |
35
+
|[Evaluating your Supply Chain Security](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/secure-supply-chain-assessment.md)| May, 2021 |
|[Secure Software Factory: A Reference Architecture to Securing the Software Supply Chain](https://github.com/cncf/tag-security/raw/main/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf)| May, 2022 |
|[Open and Secure - A Manual for Practicing Threat Modeling to Assess and Fortify Open Source Security](https://github.com/cncf/tag-security/blob/main/assessments/Open_and_Secure.pdf)| November, 2023 |
46
43
47
44
## Governance
48
45
49
-
[Security TAG charter](governance/charter.md) outlines the scope of our group
50
-
activities, as part of our [governance process](governance/README.md) which details how we
51
-
work.
46
+
Refer to the [Security TAG charter](governance/README.md) for our governance process.
52
47
53
48
## Communications
54
49
55
-
Anyone is welcome to join our open discussions of Security TAG projects and share news
56
-
related to the group's mission and charter. Much of the work of the group
57
-
happens outside of Security TAG meetings and we encourage project teams to share
58
-
progress updates or post questions in these channels:
- To reach the chairs, email [cncf-tag-security-chairs@lists.cncf.io](mailto:cncf-tag-security-chairs@lists.cncf.io)
70
-
71
-
### Slack governance
72
-
73
-
Refer to the [slack governance document](slack.md) for details on slack channels
74
-
and posting to the channels.
75
-
76
-
## Meeting times
77
-
78
-
For our members in North and South America, we host weekly sessions each Wednesday at 10 am (UTC-7). To participate, simply use the following Zoom link: <https://zoom.us/j/99809474566>. The meeting ID is 998 0947 4566.
55
+
## Meeting Information
79
56
80
-
Meanwhile, participants from Europe, the Middle East, and Africa (EMEA) can join bi-weekly meetings on Wednesdays at 1 pm UTC+0, which adjusts to UTC+1 when daylight saving time is in effect. Join us through this Zoom link: <https://zoom.us/j/99917523142>, with the meeting ID: 999 1752 3142.
57
+
-**Americas**: Weekly on Wednesdays at 10 am (UTC-7). [Zoom link](https://zoom.us/j/99809474566), Meeting ID: 998 0947 4566.
58
+
-**EMEA**: Bi-weekly on Wednesdays at 1 pm UTC+0 (adjusts for daylight saving). [Zoom link](https://zoom.us/j/99917523142), Meeting ID: 999 1752 3142.
81
59
82
-
To find the corresponding time in your local area, please see your timezone [here](https://time.is/).
60
+
Check your local timezone [here](https://time.is/). Meetings are listed on the [CNCF calendar](https://www.cncf.io/calendar/) and the [TAG Security Calendar](https://calendar.google.com/calendar/u/0?cid=MGI4dTVlbDh0YTRzOTN0MmNtNzJ0dXZoaGtAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ).
83
61
84
-
This dual schedule ensures that no matter where you are, you'll have a place in our conversations.
85
-
86
-
We invite you to mark your calendars and join the dialogue. For your convenience, all meetings are listed on the main [CNCF calendar](https://www.cncf.io/calendar/) as well as the [TAG Security Calendar](https://calendar.google.com/calendar/u/0?cid=MGI4dTVlbDh0YTRzOTN0MmNtNzJ0dXZoaGtAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ). These calendars are updated regularly to ensure that you stay informed of all upcoming meetings and events.
87
-
88
-
Got something to bring up or share? Review how to get a topic or presentation added to the Agenda on our [process](governance/process.md#getting-on-the-agenda) page.
62
+
To add a topic to the agenda, review our [process](governance/process.md#getting-on-the-agenda).
89
63
90
64
## Gatherings
91
65
92
-
Please let us know if you are going and if you are interested in attending (or
93
-
helping to organize!) a gathering. Create
94
-
a [github issue](https://github.com/cncf/tag-security/issues/new) for an event
95
-
and add to list below:
96
-
97
-
<!-- markdownlint-disable-next-line MD013 -->
98
66
-[Cloud Native SecurityCon 24](https://events.linuxfoundation.org/cloudnativesecuritycon-north-america/) June 26-27, 2024 in Seattle, Washington
99
-
100
-
[Past events](past-events.md)
67
+
-[Past events](past-events.md)
101
68
102
69
## New members
103
70
104
-
If you are new to the group, we encourage you to check out
105
-
our [New Members Page](NEW-MEMBERS.md)
71
+
New to the group? Check out our [New Members](NEW-MEMBERS.md) page.
106
72
107
73
## Related groups
108
74
109
-
There are several groups that are affiliated to or do work and cover topics
110
-
relevant to the work of Security TAG. These can be
111
-
seen [here](governance/related-groups/README.md)
112
-
113
-
## History
114
-
115
-
- TAG-Security - renamed Security TAG ([TOC Issue 549](https://github.com/cncf/toc/issues/549))
116
-
- SAFE WG - renamed to CNCF Security TAG
117
-
-[(Proposed) CNCF Policy Working Group](/policy-wg-merging.md) - Merged into
118
-
SAFE WG
75
+
Explore groups affiliated with or relevant to Security TAG [here](governance/related-groups/README.md)
119
76
120
77
## Members
121
78
@@ -152,15 +109,15 @@ seen [here](governance/related-groups/README.md)
| Andrew Martin | ControlPlane | March, 2022 - March, 2024 |@sublimino|
154
111
155
-
### Working groups
112
+
### Working Groups
156
113
157
114
The TAG's working groups focus on specific areas and organize most community activities, including weekly meetings.
158
115
These groups facilitate discussions, engagement, and publications with key stakeholders, operating differently based on their needs.
159
116
Each group, led by a responsible leader, reaches consensus on issues and manages logistics. All materials, such as reports, white papers, documents, and reference architectures, are in the repository's /community directory.
|[Catalog of Supply Chain Compromises](/community/catalog/README.md)| Santiago Arias Torres |
166
123
|[Compliance](/community/compliance/README.md)| Anca Sailer, Robert Ficcaglia |
@@ -172,15 +129,9 @@ Each group, led by a responsible leader, reaches consensus on issues and manages
172
129
173
130
### CNCF Security TAG reviews
174
131
175
-
As part of
176
-
the [CNCF project proposal process](https://github.com/cncf/toc/blob/main/process)
177
-
projects should create a
132
+
For [CNCF project proposal process](https://github.com/cncf/toc/blob/main/process)
133
+
create a
178
134
new [security review issue](https://github.com/cncf/tag-security/issues/new?assignees=&labels=assessment&template=security-assessment.md&title=%5BAssessment%5D+Project+Name)
0 commit comments