|
1 | 1 | # TAG Security Publications
|
2 | 2 |
|
3 |
| -This document lists all the publications and resources that TAG Security has |
4 |
| -produced. |
5 |
| - |
6 |
| -## Cloud Native Security Controls Catalog |
7 |
| - |
8 |
| -Mapping of Cloud Native Security Whitepaper and Software Supply Chain Best |
9 |
| -Practices Paper to NIST SP800-53r5 |
10 |
| - |
11 |
| -- [Markdown](https://github.com/cncf/tag-security/blob/main/cloud-native-controls/phase-one-announcement.md) |
12 |
| -- [Spreadsheet](https://docs.google.com/spreadsheets/d/1GUohOTlLw9FKUQ3O23X7ypvJLXN-B3veJGe6YE6JYfU/edit?usp=sharing) |
13 |
| - |
14 |
| -## Cloud Native Security Lexicon |
15 |
| - |
16 |
| -Standardization of terminologies specific to Cloud Native Security |
17 |
| - |
18 |
| -- [Markdown](https://github.com/cncf/tag-security/blob/main/security-lexicon/cloud-native-security-lexicon.md) |
19 |
| - |
20 |
| -## Cloud Native Security Whitepaper |
21 |
| - |
22 |
| -The Cloud Native Security Whitepaper (CNSWP) is a TAG Security effort to ensure |
23 |
| -the cloud native community has access to information about building, |
24 |
| -distributing, deploying, and running secure cloud native capabilities. |
25 |
| - |
26 |
| -- [Markdown](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md) |
27 |
| - (v2) |
28 |
| -- [PDF](https://www.cncf.io/wp-content/uploads/2022/06/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf) |
29 |
| - (v2) |
30 |
| -- [Audio](https://soundcloud.com/user-769472014/sets/cncf-tag-security-cloud-native-security-whitepaper-version-v1) |
31 |
| - (v1) |
32 |
| - |
33 |
| -Translations |
34 |
| - |
35 |
| -- [Portuguese](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v1/cloud-native-security-whitepaper-brazilian-portugese.md) |
36 |
| - (v1) |
37 |
| -- [Chinese](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v1/cloud-native-security-whitepaper-simplified-chinese.md) |
38 |
| - (v1) |
39 |
| - |
40 |
| -## Open and Secure - A Manual for Practicing Threat Modeling to Assess and Fortify Open Source Security |
41 |
| - |
42 |
| -A comprehensive guide dedicated to assessing and understanding the security of open source software projects. The book is the culmination of five years of TAG Secure Assessments, practical insights, and collaborative effort from experts in the field. Our goal? To empower you with the knowledge and skills to enhance the security of the cloud native ecosystem, the projects, and their use in your organization’s platforms. |
43 |
| - |
44 |
| -- [PDF](https://github.com/cncf/tag-security/blob/main/assessments/Open_and_Secure.pdf) |
45 |
| - |
46 |
| -## Policy |
47 |
| - |
48 |
| -### Formal Verification for Policy Configurations |
49 |
| - |
50 |
| -- [Markdown](https://github.com/cncf/tag-security/blob/main/policy/overview-policy-formal-verification.md) |
51 |
| - |
52 |
| -### Handling build-time dependency vulnerabilities |
53 |
| - |
54 |
| -- [Markdown](https://github.com/cncf/tag-security/blob/main/policy/overview-policy-build-time-dependency-vulns.md) |
55 |
| - |
56 |
| -## Secure Defaults: Cloud Native 8 |
57 |
| - |
58 |
| -- [Markdown](https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md) |
59 |
| - |
60 |
| -## Security Assessments |
61 |
| - |
62 |
| -TAG Security has conducted security assessments of several CNCF projects. These |
63 |
| -assessments are available to the public. |
64 |
| - |
65 |
| -- [Buildpacks](https://github.com/cncf/tag-security/tree/main/assessments/projects/buildpacks) |
66 |
| -- [Cloud |
67 |
| - Custodian](https://github.com/cncf/tag-security/tree/main/assessments/projects/custodian) |
68 |
| -- [Harbor](https://github.com/cncf/tag-security/tree/main/assessments/projects/harbor) |
69 |
| -- [In-toto](https://github.com/cncf/tag-security/tree/main/assessments/projects/in-toto) |
70 |
| -- [Keycloak](https://github.com/cncf/tag-security/tree/main/assessments/projects/keycloak) |
71 |
| -- [Kyverno](https://github.com/cncf/tag-security/tree/main/assessments/projects/kyverno) |
72 |
| -- [OPA](https://github.com/cncf/tag-security/tree/main/assessments/projects/opa) |
73 |
| -- [Spiffe-Spire](https://github.com/cncf/tag-security/tree/main/assessments/projects/spiffe-spire) |
74 |
| - |
75 |
| -## Supply Chain Security |
76 |
| - |
77 |
| -### Software Supply Chain Best Practices |
78 |
| - |
79 |
| -The Software Supply Chain Security Paper is a TAG Security effort to ensure the |
80 |
| -cloud native community has access to information about building, distributing, |
81 |
| -deploying, and running secure software supply chains. |
82 |
| - |
83 |
| -- [Markdown](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md) |
84 |
| -- [PDF](https://github.com/cncf/tag-security/raw/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) |
85 |
| - |
86 |
| -### Evaluating your supply chain security |
87 |
| - |
88 |
| -A framework for supply chain evaluation |
89 |
| - |
90 |
| -- [Markdown](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/secure-supply-chain-assessment.md) |
91 |
| - |
92 |
| -### Secure Software Factory |
93 |
| - |
94 |
| -A reference architecture for securing the software supply chain |
95 |
| - |
96 |
| -- [Markdown](https://github.com/cncf/tag-security/blob/main/supply-chain-security/secure-software-factory/secure-software-factory.md) |
97 |
| -- [PDF](https://github.com/cncf/tag-security/raw/main/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf) |
98 |
| - |
99 |
| -### Catalog of Supply Chain Compromises |
100 |
| - |
101 |
| -A catalog of supply chain compromises and links to relevant articles discussing |
102 |
| -them |
103 |
| - |
104 |
| -- [Markdown](https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises) |
105 |
| - |
106 |
| -## Use Cases & Personas |
107 |
| - |
108 |
| -List of use cases to enable secure access, policy control and safety for users |
109 |
| -of cloud native technology |
110 |
| - |
111 |
| -- [Markdown](https://github.com/cncf/tag-security/blob/main/usecase-personas/README.md) |
| 3 | +This document lists all the publications and resources that TAG Security has produced. |
| 4 | + |
| 5 | +| Publication | Description | Format | Link | |
| 6 | +|-------------|--------------|--------|------| |
| 7 | +| **Cloud Native Security Controls Catalog** | Mapping of Cloud Native Security Whitepaper and Software Supply Chain Best Practices Paper to NIST SP800-53r5 | Markdown | [Link](https://github.com/cncf/tag-security/blob/main/cloud-native-controls/phase-one-announcement.md) | |
| 8 | +| | | Spreadsheet | [Link](https://docs.google.com/spreadsheets/d/1GUohOTlLw9FKUQ3O23X7ypvJLXN-B3veJGe6YE6JYfU/edit?usp=sharing) | |
| 9 | +| **Cloud Native Security Lexicon** | Standardization of terminologies specific to Cloud Native Security | Markdown | [Link](https://github.com/cncf/tag-security/blob/main/security-lexicon/cloud-native-security-lexicon.md) | |
| 10 | +| **Cloud Native Security Whitepaper** | Information about building, distributing, deploying, and running secure cloud native capabilities | Markdown (v2) | [Link](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md) | |
| 11 | +| | | PDF (v2) | [Link](https://www.cncf.io/wp-content/uploads/2022/06/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf) | |
| 12 | +| | | Audio (v1) | [Link](https://soundcloud.com/user-769472014/sets/cncf-tag-security-cloud-native-security-whitepaper-version-v1) | |
| 13 | +| | **Translations** | | | |
| 14 | +| | | Portuguese (v1) | [Link](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v1/cloud-native-security-whitepaper-brazilian-portugese.md) | |
| 15 | +| | | Chinese (v1) | [Link](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v1/cloud-native-security-whitepaper-simplified-chinese.md) | |
| 16 | +| **Open and Secure - A Manual for Practicing Threat Modeling to Assess and Fortify Open Source Security** | Guide for assessing and understanding the security of open source software projects | PDF | [Link](https://github.com/cncf/tag-security/blob/main/assessments/Open_and_Secure.pdf) | |
| 17 | +| **Policy** | | | | |
| 18 | +| | Formal Verification for Policy Configurations | Markdown | [Link](https://github.com/cncf/tag-security/blob/main/policy/overview-policy-formal-verification.md) | |
| 19 | +| | Handling build-time dependency vulnerabilities | Markdown | [Link](https://github.com/cncf/tag-security/blob/main/policy/overview-policy-build-time-dependency-vulns.md) | |
| 20 | +| **Secure Defaults: Cloud Native 8** | | Markdown | [Link](https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md) | |
| 21 | +| **Security Assessments** | Assessments of several CNCF projects | | | |
| 22 | +| | Buildpacks | Markdown | [Link](https://github.com/cncf/tag-security/tree/main/assessments/projects/buildpacks) | |
| 23 | +| | Cloud Custodian | Markdown | [Link](https://github.com/cncf/tag-security/tree/main/assessments/projects/custodian) | |
| 24 | +| | Harbor | Markdown | [Link](https://github.com/cncf/tag-security/tree/main/assessments/projects/harbor) | |
| 25 | +| | In-toto | Markdown | [Link](https://github.com/cncf/tag-security/tree/main/assessments/projects/in-toto) | |
| 26 | +| | Keycloak | Markdown | [Link](https://github.com/cncf/tag-security/tree/main/assessments/projects/keycloak) | |
| 27 | +| | Kyverno | Markdown | [Link](https://github.com/cncf/tag-security/tree/main/assessments/projects/kyverno) | |
| 28 | +| | OPA | Markdown | [Link](https://github.com/cncf/tag-security/tree/main/assessments/projects/opa) | |
| 29 | +| | Spiffe-Spire | Markdown | [Link](https://github.com/cncf/tag-security/tree/main/assessments/projects/spiffe-spire) | |
| 30 | +| **Supply Chain Security** | | | | |
| 31 | +| | Software Supply Chain Best Practices | Markdown | [Link](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md) | |
| 32 | +| | | PDF | [Link](https://github.com/cncf/tag-security/raw/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) | |
| 33 | +| | Evaluating your supply chain security | Markdown | [Link](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/secure-supply-chain-assessment.md) | |
| 34 | +| | Secure Software Factory | Markdown | [Link](https://github.com/cncf/tag-security/blob/main/supply-chain-security/secure-software-factory/secure-software-factory.md) | |
| 35 | +| | | PDF | [Link](https://github.com/cncf/tag-security/raw/main/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf) | |
| 36 | +| | Catalog of Supply Chain Compromises | Markdown | [Link](https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises) | |
| 37 | +| **Use Cases & Personas** | List of use cases to enable secure access, policy control, and safety for users of cloud native technology | Markdown | [Link](https://github.com/cncf/tag-security/blob/main/usecase-personas/README.md) | |
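Review bot: In the rows under **Policy**, **Security Assessments** and **Supply Chain Security** (new lines 17-36) the Description column holds the publication title instead of a description, and the summaries from the removed text are dropped: "A framework for supply chain evaluation", "A reference architecture for securing the software supply chain" and the Catalog of Supply Chain Compromises sentence no longer appear anywhere. Suggest keeping the `##`/`###` headings with one small table per section, or adding a separate sub-publication column, so each row keeps both a title and a description; keeping the headings also preserves section anchors such as `#supply-chain-security`, which stop resolving once the headings are removed. The Security Assessments rows state the format as Markdown, but the removed list gave no format and the links point at `tree/main/assessments/projects/...` directories, so that cell should be left empty or say what the link actually is. Every link is now labelled "Link", where the removed list used the format or project name as link text; descriptive link text is easier to scan and reads correctly out of context.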