🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!

amanda-gonzalez/tag-security


Security Technical Advisory Group

Objective

The CNCF Security Technical Advisory Group facilitates collaboration to discover and produce resources that enable secure access, policy control, and safety for operators, administrators, developers, and end-users across the cloud native ecosystem.

Background

Cloud Native describes the building, deploying, and operating of modern applications in cloud computing environments, typically using open source. This complex ecosystem, composed of many different open source projects, presents an increasingly complicated technology risk landscape. Several projects in the cloud native ecosystem already address trust, safety, and security in the dynamic interplay between the different layers of infrastructure and application services. Even so, the technological shift demands that application and information security be rethought through the lens of developer experience, applying software engineering practice to design for security so that the integrated cloud native ecosystem is safeguarded as a whole.

Vision

We believe in a future where the probability and impact of attacks, breaches, and compromises are significantly reduced, and where the most common risks of today are not just mitigated but made implausible. We believe developers and operators can be empowered to better understand, and be reassured by, the security posture of the systems they build and run: through the informed use of cloud technologies, with a clear understanding of responsibilities and risks, and with the ability to validate that their architectural intent meets compliance and regulatory objectives.

There is a growing ecosystem of tools that promises to unlock developer productivity and operational efficiency. We strive to fulfill the human side of the sociotechnical equation in order to accelerate and attain that promise, including:

  1. Consumable system security architectures that account for the ever growing heterogeneity of systems and provide a framework to protect resources and data while serving their users.
  2. A common lexicon and open source libraries that make it easy for developers to create and deploy apps that meet system security requirements.
  3. Common libraries and protocols that enable people to reason about the security of the system, such as auditing and explainability features.

Publications

TAG Security has published several resources for the community, which can be found under publications.

Governance

The Security TAG charter outlines the scope of our group activities, as part of our governance process, which details how we work.

Communications

Anyone is welcome to join our open discussions of Security TAG projects and share news related to the group's mission and charter. Much of the work of the group happens outside of Security TAG meetings, and we encourage project teams to share progress updates or post questions in these channels:

Group communication:

Leadership:

Slack governance

Refer to the Slack governance document for details on the Slack channels and how to post to them.

Meeting times

For our members in North and South America, we host weekly sessions each Wednesday at 10 am (UTC-7). To participate, simply use the following Zoom link: https://zoom.us/j/99809474566. The meeting ID is 998 0947 4566.

Meanwhile, participants from Europe, the Middle East, and Africa (EMEA) can join bi-weekly meetings on Wednesdays at 1 pm UTC+0, which adjusts to UTC+1 when daylight saving time is in effect. Join us through this Zoom link: https://zoom.us/j/99917523142, with the meeting ID: 999 1752 3142.

To find the corresponding time in your local area, please see your timezone here.

This dual schedule ensures that no matter where you are, you'll have a place in our conversations.

We invite you to mark your calendars and join the dialogue. For your convenience, all meetings are listed on the main CNCF calendar as well as the TAG Security Calendar. These calendars are updated regularly to ensure that you stay informed of all upcoming meetings and events.

Got something to bring up or share? Review how to get a topic or presentation added to the Agenda on our process page.

Gatherings

Please let us know if you are going to, or are interested in attending (or helping to organize!), a gathering. Create a GitHub issue for the event and add it to the list below:

Past events

New members

If you are new to the group, we encourage you to check out our New Members Page.

Related groups

Several groups are affiliated with Security TAG or work on topics relevant to its mission. These can be seen here.

History

Members

Security TAG Chairs

| Name | Organization | Term | Handle |
|------|--------------|------|--------|
| Pushkar Joglekar | Independent | June, 2023 - June, 2025 | @PushkarJ |
| Marina Moore | Independent | October, 2023 - October, 2025 | @mnm678 |
| Eddie Knight | Sonatype | May, 2024 - May, 2026 | @eddie-knight |

Tech Leads

| Name | Organization | Handle |
|------|--------------|--------|
| Justin Cappos | New York University | @JustinCappos |
| Ash Narkar | Styra | @ashutosh-narkar |
| Andrés Vega | M42 | @anvega |
| Ragashree Shekar | Independent | @ragashreeshekar |
| Michael Lieberman | Kusari | @mlieberman85 |
| John Kjell | TestifySec | @jkjell |

Security TAG Chair Emeriti

| Name | Organization | Term | Handle |
|------|--------------|------|--------|
| Dan Shaw | PayPal | June, 2019 - September, 2020 | @dshaw |
| Sarah Allen | | June, 2019 - June, 2021 | @ultrasaurus |
| Jeyappragash JJ | Tetrate.io | June, 2019 - June, 2021 | @pragashj |
| Emily Fox | Apple | September, 2020 - February, 2022 | @TheFoxAtWork |
| Brandon Lum | Google | June, 2021 - June, 2023 | @lumjjb |
| Aradhana Chetal | TIAA | June, 2021 - September, 2023 | @achetal01 |
| Andrew Martin | ControlPlane | March, 2022 - March, 2024 | @sublimino |

Working groups

The TAG's working groups focus on specific areas and organize most community activities, including weekly meetings. These groups facilitate discussions, engagement, and publications with key stakeholders, and each operates differently according to its needs. Each group has a responsible leader, reaches consensus on its issues, and manages its own logistics. All materials, such as reports, white papers, documents, and reference architectures, live in the repository's /community directory.

| Project | Leads |
|---------|-------|
| Applied Research | Andrés Vega |
| Automated Governance | Andrés Vega, Brandt Keller |
| Catalog of Supply Chain Compromises | Santiago Arias Torres |
| Compliance | Anca Sailer, Robert Ficcaglia |
| Controls | Jon Zeolla |
| Security Reviews | Justin Cappos, Eddie Knight |
| Software Supply Chain | Marina Moore, Michael Lieberman, John Kjell |

Additional information

CNCF Security TAG reviews

As part of the CNCF project proposal process, projects should create a new security review issue together with a self-assessment.

Past events and meetings

For more details on past events and meetings, please see our past events page.
