From 18914ad5d573ffa40a4aa0a0fecd585fb5a1a4df Mon Sep 17 00:00:00 2001 From: riaan kleinhans Date: Wed, 10 Jul 2024 12:35:04 -0400 Subject: [PATCH 01/12] update tag documents Signed-off-by: riaan kleinhans md lint Signed-off-by: riaan kleinhans rename file Signed-off-by: riaan kleinhans lint fix Signed-off-by: riaan kleinhans spell file Signed-off-by: riaan kleinhans spell Signed-off-by: riaan kleinhans spell Signed-off-by: riaan kleinhans spell Signed-off-by: riaan kleinhans --- README.md | 38 +++-------- governance/README.md | 2 +- governance/charter.md | 141 ---------------------------------------- tag-emeritus-leaders.md | 11 ++++ 4 files changed, 20 insertions(+), 172 deletions(-) delete mode 100644 governance/charter.md create mode 100644 tag-emeritus-leaders.md diff --git a/README.md b/README.md index 83d4bd165..29e93f967 100644 --- a/README.md +++ b/README.md 
@@ -74,36 +74,9 @@ Explore groups affiliated with or relevant to Security TAG [here](governance/rel -### Security TAG Chairs - -| Name | Organization | Term | Handle | -|-----------------------|------------------------|---------------------|-----------| -| Pushkar Joglekar | Independent | June, 2023 - June, 2025 | @PushkarJ | -| Marina Moore | Independent | October, 2023 - October, 2025 | @mnm678 | -| Eddie Knight | Sonatype | May, 2024 - May, 2026 | @eddie-knight | - -### Tech Leads - -| Name | Organization | Handle | -|-----------------------|------------------------|---------------------| -| Justin Cappos | New York University | @JustinCappos | -| Ash Narkar | Styra | @ashutosh-narkar | -| Andrés Vega | M42 | @anvega | -| Ragashree Shekar | Independent | @ragashreeshekar | -| Michael Lieberman | Kusari | @mlieberman85 | -| John Kjell | TestifySec | @jkjell | - -### Security TAG Chair Emeriti - -| Name | Organization | Term | Handle | -|-----------------------|------------------------|---------------------|-----------| -| Dan Shaw | PayPal | June, 2019 - September, 2020 | @dshaw | -| Sarah Allen | | June, 2019 - June, 2021 | @ultrasaurus | -| Jeyappragash JJ | Tetrate.io | June, 2019 - June, 2021 | @pragashj | -| Emily Fox | Apple | September, 2020 - February, 2022 | @TheFoxAtWork | -| Brandon Lum | Google | June, 2021 - June, 2023 | @lumjjb | -| Aradhana Chetal | TIAA | June, 2021 - September, 2023 | @achetal01 | -| Andrew Martin | ControlPlane | March, 2022 - March, 2024 | @sublimino| +## Leadership + +TAG Chairs, Tech Leads and TOC Liaisons are listed on the [CNCF Technical Advisory Groups ("TAGs") information page](https://github.com/cncf/toc/blob/main/tags/cncf-tags.md). ### Working Groups 
@@ -131,3 +104,8 @@ new [security review issue](https://github.com/cncf/tag-security/issues/new?assi with a [self-assessment](/community/assessments/guide/self-assessment.md) . + +## TAG Emeritus Leaders + +A big thank you to all the [tag emeritus leaders](/tag-emeritus-leaders.md) of this TAG! Your hard work and dedication have helped to make this project a success. Your valuable contributions have enabled us to develop a strong contributor strategy and build a thriving open-source community. Thank you for all that you have done! + \ No newline at end of file diff --git a/governance/README.md b/governance/README.md index 0e2159d00..6ca5f5db6 100644 --- a/governance/README.md +++ b/governance/README.md @@ -3,7 +3,7 @@ Security TAG is a [CNCF Technical Advisory Group](https://github.com/cncf/toc/tree/main/tags). -* [Charter](charter.md) - mission and scope +* [Charter](https://github.com/cncf/toc/tree/main/tags/tag-charters/security-charter.md) - mission and scope * [Roles](roles.md) - the work of the group is facilitated by Chairs, Technical Leads, and active group members * [Process](process.md) - how projects are proposed and work is tracked diff --git a/governance/charter.md b/governance/charter.md deleted file mode 100644 index 72238b5e5..000000000 --- a/governance/charter.md +++ /dev/null 
@@ -1,141 +0,0 @@ -# Security TAG Charter - -This charter describes operations as a [CNCF TAG](https://github.com/cncf/toc/tree/main/tags). -The [Focus](#focus) section below describes what is in and out of scope, -and [Governance](#governance) section describes how our operations are consistent -with CNCF policies with links to more detailed documents. - -**Mission:** to reduce risk that cloud native -applications expose end user data or allow other unauthorized access. - -## Motivation - -Security has been an area in which open source can flourish and sometimes -has done so; however, with cloud native platforms and applications, security -has received less attention than other areas of the cloud native landscape. - -This means that there is less visibility about the internals of security -projects, and fewer projects being deeply integrated into cloud native tooling. -While there are many open source security projects, there are fewer security -experts focused on the cloud native ecosystem. This has contributed to a culture -where people feel they cannot understand how to securely set up and operate -cloud native systems, due to obscurity and uncertainty. Cloud native principles -have encouraged the development of tools that help manage fast changing -environments, and which have the promise of both simplifying and improving -security. - -Making security more open and understandable is an essential part of this -change. Talking to customers, security is the most important and least -understood part of the cloud native transition. Security is not an easy field, -and it is difficult to measure and value the inputs precisely, which can also -cause issues with evaluation of security software and designs. - -Distributed deployments across heterogeneous infrastructure are increasingly -common for cloud native applications. -Without common ways to programmatically ensure consistent policy, -it is increasingly difficult to evaluate system architecture security at scale. 
-Emerging common architectural patterns offer the opportunity -improve overall security in cloud native systems. - -## Focus - -In addition to the [CNCF security-related projects](https://landscape.cncf.io/?group=projects-and-products&view-mode=grid&tag=security), there -are three key focus areas: - -* Protection of heterogeneous, distributed and fast changing systems, while -providing needed access -* Common understanding and common tooling to help developers meet security -requirements -* Common tooling for audit and reasoning about system properties. - -### In scope - -Terminology note: Security TAG uses the term "end user" to describe the humans -who use cloud native applications, whereas CNCF refers to companies that operate -cloud native systems as CNCF End Users. In the context of security, we often -need to discuss how a particular control affects the people who use the software -deployed by a company or organization. - -When we use the word "security" within this group, it is defined to be inclusive -of concerns that affect the integrity of the a cloud native -system or the privacy of its users, specifically how to enable secure -access, policy control and safety for operators, administrators, -developers, and end-users across the cloud native ecosystem. - -Security TAG will consider [proposals](process.md) from its members or delegated -tasks from the CNCF TOC that are consistent with the mission, including -the following activities: - -* Publish educational resources on cloud native security - * Videos and/or slides from invited presentations by security providers and - use cases - * Answer the following questions (referring to already existing resources - where possible): - * What is different about cloud security? (including hybrid and multi-cloud) - * What are effective practices for implementing policy controls? - * How can we test, validate, explain, audit our systems? 
- * What additional measures are needed, specific to cloud, in highly - regulated environments? - * Personas and use cases - * Common vocabulary to talk about and understand cloud native security - * CNCF project ecosystem & landscape - * Define security scenarios (e.g. network configuration, application security, - service orchestration) - * Block architecture(s) for secure access - * Highlight trade-offs (e.g. Expressibility vs Explainability) - * Best practices and anti-patterns (potentially highlighting where there is - disagreement on these) -* Security assessments of specific proposals or projects -* Identify projects for consideration for CNCF -* Cross-pollinate knowledge by participating and inviting people from other projects and TAGs to share security practices -* Integrate relevant external standards, such as from OpenSSF or NIST, as part of educational resources and/or TAG processes - -Given that the group is comprised of volunteers, specific requests from the TOC -may be queued according to the bandwidth of the group. The co-chairs will -facilitate prioritization under the guidance of the Security TAG TOC liaison. - -### Out of scope - -* Not a standards body: We won't be creating standards. -* Not an umbrella organization: We interact with other groups for knowledge - sharing, not decision-making. -* Not a compliance body -* Not a certification board for security of individual projects -* We will not - * answer any specific questions regarding the state of security of any project - or product - * consider device security unless there is some impact to cloud systems. - * explore trust and safety concerns that are not specific to cloud - (e.g. fraud detection, user generated content moderation, spam filtering, - phishing, cross-site scripting attacks, SQL injection, etc.) -* We will not ensure the safety of any operational system. -* This is not related to vulnerability detection and handling any specific - security vulnerability or attack. 
- -## Governance - -Security must be addressed at all levels of the stack and across the whole -ecosystem, so the group seeks to encourage participation and membership across -a wide range of roles, from diverse companies and organizations. - -### Cross-group relationships - -To focus our efforts, we avoid duplication by developing relationships with -other groups that -focus on a particular technology (such as Kubernetes SIGs) or have a broader -mandate (such as government organizations). - -As a guide to visitors, we maintain the list of groups in the TAG -[README](https://github.com/cncf/tag-security#related-groups). - -Co-chairs are responsible to ensure periodic cross-group knowledge sharing, -which is accomplished by cross-group membership, invitation to present at -a TAG meeting and/or offering to present to the related group. - -## Operations - -Security TAG operations are consistent with standard TAG operating guidelines -provided by the CNCF Technical Oversight Committee -[TOC](https://github.com/cncf/toc). - -Full details of process and roles are linked from [governance README](/governance). diff --git a/tag-emeritus-leaders.md b/tag-emeritus-leaders.md new file mode 100644 index 000000000..5eb9e2b4e --- /dev/null +++ b/tag-emeritus-leaders.md @@ -0,0 +1,11 @@ +# TAG Security Chair Emeriti + +| Name | Organization | Term | Handle | +|-----------------------|------------------------|---------------------|-----------| +| Dan Shaw | PayPal | June, 2019 - September, 2020 | @dshaw | +| Sarah Allen | | June, 2019 - June, 2021 | @ultrasaurus | +| Jeyappragash JJ | Tetrate.io | June, 2019 - June, 2021 | @pragashj | +| Emily Fox | Apple | September, 2020 - February, 2022 | @TheFoxAtWork | +| Brandon Lum | Google | June, 2021 - June, 2023 | @lumjjb | +| Aradhana Chetal | TIAA | June, 2021 - September, 2023 | @achetal01 | +| Andrew Martin | ControlPlane | March, 2022 - March, 2024 | @sublimino| From 3a4620a46d114fda221d77cac708fd5a2340802d Mon Sep 17 00:00:00 2001 
From: Eddie Knight Date: Wed, 10 Jul 2024 16:47:44 -0500 Subject: [PATCH 02/12] Update README.md Signed-off-by: Eddie Knight --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 29e93f967..237067e24 100644 --- a/README.md +++ b/README.md @@ -104,8 +104,8 @@ new [security review issue](https://github.com/cncf/tag-security/issues/new?assi with a [self-assessment](/community/assessments/guide/self-assessment.md) . + ## TAG Emeritus Leaders - A big thank you to all the [tag emeritus leaders](/tag-emeritus-leaders.md) of this TAG! Your hard work and dedication have helped to make this project a success. Your valuable contributions have enabled us to develop a strong contributor strategy and build a thriving open-source community. Thank you for all that you have done! \ No newline at end of file From dc7064e0f24fc216791c991485814be87ad864ff Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Wed, 10 Jul 2024 16:49:45 -0500 Subject: [PATCH 03/12] Update tag-emeritus-leaders.md Signed-off-by: Eddie Knight --- tag-emeritus-leaders.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tag-emeritus-leaders.md b/tag-emeritus-leaders.md index 5eb9e2b4e..0a5c4ecea 100644 --- a/tag-emeritus-leaders.md +++ b/tag-emeritus-leaders.md @@ -9,3 +9,6 @@ | Brandon Lum | Google | June, 2021 - June, 2023 | @lumjjb | | Aradhana Chetal | TIAA | June, 2021 - September, 2023 | @achetal01 | | Andrew Martin | ControlPlane | March, 2022 - March, 2024 | @sublimino| + + + From 1d9ab87d9fb69fdee7686179b5c50e13a151f79a Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Wed, 10 Jul 2024 16:49:51 -0500 Subject: [PATCH 04/12] Update tag-emeritus-leaders.md Signed-off-by: Eddie Knight --- tag-emeritus-leaders.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tag-emeritus-leaders.md b/tag-emeritus-leaders.md index 0a5c4ecea..b05dd25e2 100644 --- a/tag-emeritus-leaders.md +++ b/tag-emeritus-leaders.md 
@@ -1,5 +1,7 @@ # TAG Security Chair Emeriti + + | Name | Organization | Term | Handle | |-----------------------|------------------------|---------------------|-----------| | Dan Shaw | PayPal | June, 2019 - September, 2020 | @dshaw | From f9018a48973b610755c06f56163884942b893e80 Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Wed, 10 Jul 2024 16:51:41 -0500 Subject: [PATCH 05/12] Update README.md Signed-off-by: Eddie Knight --- README.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 237067e24..d92fccd1e 100644 --- a/README.md +++ b/README.md @@ -104,8 +104,6 @@ new [security review issue](https://github.com/cncf/tag-security/issues/new?assi with a [self-assessment](/community/assessments/guide/self-assessment.md) . - - ## TAG Emeritus Leaders -A big thank you to all the [tag emeritus leaders](/tag-emeritus-leaders.md) of this TAG! Your hard work and dedication have helped to make this project a success. Your valuable contributions have enabled us to develop a strong contributor strategy and build a thriving open-source community. Thank you for all that you have done! - \ No newline at end of file + +A big thank you to all the [tag emeritus leaders](/tag-emeritus-leaders.md) of this TAG! Your hard work and dedication have helped to make this project a success. Your valuable contributions have enabled us to develop a strong contributor strategy and build a thriving open-source community. Thank you for all that you have done! \ No newline at end of file From 0a9e8f0596f9c6c0aa86e0e55134496dba7c1e93 Mon Sep 17 00:00:00 2001 From: riaan kleinhans Date: Wed, 10 Jul 2024 17:57:09 -0400 Subject: [PATCH 06/12] lint error Signed-off-by: riaan kleinhans --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d92fccd1e..6339b46f3 100644 --- a/README.md +++ b/README.md 
@@ -104,6 +104,7 @@ new [security review issue](https://github.com/cncf/tag-security/issues/new?assi with a [self-assessment](/community/assessments/guide/self-assessment.md) . + ## TAG Emeritus Leaders -A big thank you to all the [tag emeritus leaders](/tag-emeritus-leaders.md) of this TAG! Your hard work and dedication have helped to make this project a success. Your valuable contributions have enabled us to develop a strong contributor strategy and build a thriving open-source community. Thank you for all that you have done! \ No newline at end of file +A big thank you to all the [tag emeritus leaders](/tag-emeritus-leaders.md) of this TAG! Your hard work and dedication have helped to make this project a success. Your valuable contributions have enabled us to develop a strong contributor strategy and build a thriving open-source community. Thank you for all that you have done! From 2901062260a3511e6db4178e7913b7c0d6641749 Mon Sep 17 00:00:00 2001 From: riaan kleinhans Date: Wed, 10 Jul 2024 18:00:39 -0400 Subject: [PATCH 07/12] lint Signed-off-by: riaan kleinhans --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 6339b46f3..6ce4df8de 100644 --- a/README.md +++ b/README.md @@ -102,8 +102,7 @@ For [CNCF project proposal process](https://github.com/cncf/toc/blob/main/proces create a new [security review issue](https://github.com/cncf/tag-security/issues/new?assignees=&labels=assessment&template=security-assessment.md&title=%5BAssessment%5D+Project+Name) with a -[self-assessment](/community/assessments/guide/self-assessment.md) -. +[self-assessment](/community/assessments/guide/self-assessment.md). ## TAG Emeritus Leaders From 165e3c76b8065fb81ae832bb9c31765a7b8bb247 Mon Sep 17 00:00:00 2001 From: riaan kleinhans Date: Wed, 10 Jul 2024 18:03:27 -0400 Subject: [PATCH 08/12] lint Signed-off-by: riaan kleinhans --- tag-emeritus-leaders.md | 1 - 1 file changed, 1 deletion(-) 
diff --git a/tag-emeritus-leaders.md b/tag-emeritus-leaders.md index b05dd25e2..6cb5fbb60 100644 --- a/tag-emeritus-leaders.md +++ b/tag-emeritus-leaders.md @@ -13,4 +13,3 @@ | Andrew Martin | ControlPlane | March, 2022 - March, 2024 | @sublimino| - From 817453c34de84fd8a28e0c8ee1fe690d44171c81 Mon Sep 17 00:00:00 2001 From: Riaan Kleinhans <61125752+riaankleinhans@users.noreply.github.com> Date: Fri, 12 Jul 2024 10:47:19 -0400 Subject: [PATCH 09/12] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Andrés Vega Signed-off-by: Riaan Kleinhans <61125752+riaankleinhans@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6ce4df8de..f289aa5c1 100644 --- a/README.md +++ b/README.md @@ -76,7 +76,7 @@ Explore groups affiliated with or relevant to Security TAG [here](governance/rel ## Leadership -TAG Chairs, Tech Leads and TOC Liaisons are listed on the [CNCF Technical Advisory Groups ("TAGs") information page](https://github.com/cncf/toc/blob/main/tags/cncf-tags.md). +Details about the TAG Chairs, Tech Leads, and TOC Liaisons can be found on the [CNCF Technical Advisory Groups (TAGs) information page](https://github.com/cncf/toc/blob/main/tags/cncf-tags.md) ### Working Groups From 23ab4b6efd9b6172a4242cebfca950e3e902da7f Mon Sep 17 00:00:00 2001 From: riaan kleinhans Date: Fri, 12 Jul 2024 11:12:28 -0400 Subject: [PATCH 10/12] nits Signed-off-by: riaan kleinhans --- README.md | 8 ++++---- .../assets/tag-emeritus-leaders.md | 2 ++ 2 files changed, 6 insertions(+), 4 deletions(-) rename tag-emeritus-leaders.md => community/assets/tag-emeritus-leaders.md (73%) diff --git a/README.md b/README.md index f289aa5c1..01cdc4508 100644 --- a/README.md +++ b/README.md 
@@ -78,6 +78,10 @@ Explore groups affiliated with or relevant to Security TAG [here](governance/rel Details about the TAG Chairs, Tech Leads, and TOC Liaisons can be found on the [CNCF Technical Advisory Groups (TAGs) information page](https://github.com/cncf/toc/blob/main/tags/cncf-tags.md) +## TAG Emeritus Leaders + +Thank you to all the [tag emeritus leaders]((/tag-emeritus-leaders.md)) for your contributions to the success of this community. + ### Working Groups The TAG's working groups focus on specific areas and organize most community activities, including weekly meetings. @@ -103,7 +107,3 @@ create a new [security review issue](https://github.com/cncf/tag-security/issues/new?assignees=&labels=assessment&template=security-assessment.md&title=%5BAssessment%5D+Project+Name) with a [self-assessment](/community/assessments/guide/self-assessment.md). - -## TAG Emeritus Leaders - -A big thank you to all the [tag emeritus leaders](/tag-emeritus-leaders.md) of this TAG! Your hard work and dedication have helped to make this project a success. Your valuable contributions have enabled us to develop a strong contributor strategy and build a thriving open-source community. Thank you for all that you have done! diff --git a/tag-emeritus-leaders.md b/community/assets/tag-emeritus-leaders.md similarity index 73% rename from tag-emeritus-leaders.md rename to community/assets/tag-emeritus-leaders.md index 6cb5fbb60..84cf3bc8f 100644 --- a/tag-emeritus-leaders.md +++ b/community/assets/tag-emeritus-leaders.md @@ -1,5 +1,7 @@ # TAG Security Chair Emeriti +A big thank you to all the [tag emeritus leaders](/tag-emeritus-leaders.md) of this TAG! Your hard work and dedication have helped to make this project a success. Your valuable contributions have enabled us to develop a strong contributor strategy and build a thriving open-source community. Thank you for all that you have done! + | Name | Organization | Term | Handle | 
From dec44ffd357de5341f553f9f51d34b80a28c8236 Mon Sep 17 00:00:00 2001 From: riaan kleinhans Date: Fri, 12 Jul 2024 11:25:25 -0400 Subject: [PATCH 11/12] nits Signed-off-by: riaan kleinhans --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 01cdc4508..fb06fcebd 100644 --- a/README.md +++ b/README.md @@ -80,7 +80,7 @@ Details about the TAG Chairs, Tech Leads, and TOC Liaisons can be found on the [ ## TAG Emeritus Leaders -Thank you to all the [tag emeritus leaders]((/tag-emeritus-leaders.md)) for your contributions to the success of this community. +Thank you to all the [tag emeritus leaders]((/community/assets/tag-emeritus-leaders.md)) for your contributions to the success of this community. ### Working Groups From 592d9ccac891548a9ce421d8f443f96bf3607a2a Mon Sep 17 00:00:00 2001 From: riaan kleinhans Date: Fri, 12 Jul 2024 11:39:21 -0400 Subject: [PATCH 12/12] nit Signed-off-by: riaan kleinhans --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fb06fcebd..94e4ddb32 100644 --- a/README.md +++ b/README.md @@ -80,7 +80,7 @@ Details about the TAG Chairs, Tech Leads, and TOC Liaisons can be found on the [ ## TAG Emeritus Leaders -Thank you to all the [tag emeritus leaders]((/community/assets/tag-emeritus-leaders.md)) for your contributions to the success of this community. +Thank you to all the [tag emeritus leaders](/community/assets/tag-emeritus-leaders.md) for your contributions to the success of this community. ### Working Groups
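Review bot: In the PATCH 01 README.md hunk at `@@ -74,36 +74,9 @@`, the three removed headings (`### Security TAG Chairs`, `### Tech Leads`, `### Security TAG Chair Emeriti`) were H3 and the replacement `## Leadership` is H2, so the unchanged `### Working Groups` that follows now renders as a subsection of Leadership. If that nesting is not intended, keep the new heading at `###`; if it is, the later PATCH 10 insertion of `## TAG Emeritus Leaders` between `## Leadership` and `### Working Groups` makes Working Groups a child of the emeritus section instead, which is almost certainly wrong. Also note that the Tech Leads list is dropped entirely from the repo; confirm the linked cncf-tags.md page actually carries tech leads, not only chairs and liaisons.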
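Review bot: In the PATCH 01 README.md hunk at `@@ -131,3 +104,8 @@`, the new section is titled "TAG Emeritus Leaders" but links to a file whose only heading is "TAG Security Chair Emeriti" and whose table contains chairs only; either rename one side or broaden the table so the link text matches what the reader lands on. The hunk also introduces a trailing `+` blank line plus `\ No newline at end of file`, which PATCH 02, 05 and 06 then churn on; the series would be cleaner with those whitespace fixes squashed into this commit. The lowercase link text "tag emeritus leaders" should match the heading's capitalisation.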
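Review bot: In the PATCH 01 governance/README.md hunk at `@@ -3,7 +3,7 @@`, the charter link now points outside the repo at `https://github.com/cncf/toc/tree/main/tags/tag-charters/security-charter.md` while `governance/charter.md` is deleted in the same patch; please verify that target exists before merging, and grep the repo for any other references to `charter.md` (roles.md, process.md, the assessment guide) so none are left dangling. Minor: the same patch uses `blob/` for the cncf-tags.md link but `tree/` here for a file; GitHub redirects, but `blob/` is the consistent form.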
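Review bot: The PATCH 01 hunk deleting governance/charter.md (`@@ -1,141 +0,0 @@`) removes normative content that other in-repo documents may rely on, in particular the "Terminology note" distinguishing the TAG's use of "end user" from CNCF End Users, the explicit "Out of scope" list (not a standards, compliance or certification body; no per-project security state answers; no handling of specific vulnerabilities), and the cross-group relationship duties of the co-chairs. Before deleting, confirm the upstream security-charter.md carries equivalent sections, or leave a short governance/charter.md stub that states the scope summary and points upstream, so that assessment and process docs keep a stable referent.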
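Review bot: PATCH 03, 04 and 08 are whitespace-only edits to tag-emeritus-leaders.md (two blank lines added at the end, two added after the heading, then one removed) that cancel each other out; squash them into PATCH 01 so the file lands in its final shape in one commit. While touching that table, `@sublimino|` in the Andrew Martin row is missing the space before the closing pipe that every other row has, which the markdown lint step would normally flag.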
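Review bot: In the PATCH 09 README.md hunk at `@@ -76,7 +76,7 @@`, the rewritten sentence "Details about the TAG Chairs, Tech Leads, and TOC Liaisons can be found on the [...] information page" drops the terminating period that the original line had; restore it. The commit also carries `MIME-Version`, `Content-Type` and `Content-Transfer-Encoding` headers in the subject block because of the non-ASCII co-author name; harmless, but worth knowing they are expected and not an encoding error.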
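Review bot: In the PATCH 10 README.md hunk at `@@ -78,6 +78,10 @@`, the added line `[tag emeritus leaders]((/tag-emeritus-leaders.md))` has doubled parentheses, so markdown renders the literal `(/tag-emeritus-leaders.md)` instead of a link, and the path is already stale because the same patch renames the file to `community/assets/tag-emeritus-leaders.md`. PATCH 11 and 12 correct both, which means three commits for one line; squash them into this one.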
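Review bot: In the PATCH 10 hunk for `community/assets/tag-emeritus-leaders.md` at `@@ -1,5 +1,7 @@`, the paragraph moved into the file still contains `[tag emeritus leaders](/tag-emeritus-leaders.md)`, which is the file's own pre-rename path; after this patch that path no longer exists, and neither PATCH 11 nor PATCH 12 touches it, so the merged series ships a dead self-link. Inside the file a link to itself adds nothing; replace it with plain text ("Thank you to all the TAG emeritus leaders ...") or point it at the README section.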