STAG facilitates collaboration to discover and produce resources that enable secure access, policy control, and safety for operators, administrators, developers, and end-users across the cloud native ecosystem.
“Cloud Native” is open source cloud computing for applications — a complete trusted toolkit for modern architectures. There are multiple projects which address key parts of the problem of providing access controls and addressing safety concerns. Each of these adds value, yet for these technical solutions to be capable of working well together and manageable to operate they will need a minimal shared context of what defines a secure system architecture.
There is a future where operators, administrators and developers feel confident creating new cloud native applications. They use cloud technologies with clear understanding of risks and the ability to validate that their security policy decisions are reflected in deployed software.
We envision that there could exist an ecosystem of tools that can simplify the experience of cloud native operators, administrators and developers, including:
- System security architecture that understands and accommodates the ever growing heterogeneity of systems and provides a framework to protect resources and data while servicing their users.
- Common vocabulary and open source libraries that make it easy for developers to create and deploy apps that meet system security requirements.
- Common libraries and protocols that enable people to reason about the security of the system, such as auditing and explainability features.
STAG charter outlines the scope of our group activities, as part of our governance process which details how we work.
Anyone is welcome to join our open discussions of STAG projects and share news related to the group's mission and charter. Much of the work of the group happens outside of SIG-Security meetings and we encourage project teams to share progress updates or post questions in these channels:
- Email list
- CNCF Slack #tag-security channel
Group meeting times are listed below:
- US: Weekly on Wednesdays at 10:00am GMT-7 (see your timezone here)
- APAC: Bi-weekly on Tuesdays at 1:00pm GMT+11 (see your timezone here)
See the CNCF Calendar for calendar invites.
Meeting Link: zoom.us/my/cncftagsecurity (Passcode: 77777)
One tap mobile:
- +16465588656,,7375677271# US (New York)
- +16699006833,,7375677271# US (San Jose)
Dial by your location:
- +1 646 558 8656 US (New York)
- +1 669 900 6833 US (San Jose)
- 877 369 0926 US Toll-free
- 855 880 1246 US Toll-free
- 1800 945 157 Australia Toll-free
- Find your local number
Meeting ID: 737 567 7271
Please let us know if you are going and if you are interested in attending (or helping to organize!) a gathering. Create a github issue for an event and add to list below:
- KubeCon + CloudNativeCon, NA October 12-15 2021
If you are new to the group, check out our New Members Page and submit a PR to add yourself to the members list.
- SIG-Security - renamed STAG (TOC Issue #549)
- SAFE WG - renamed to CNCF Security SIG
- (Proposed) CNCF Policy Working Group - Merged into SAFE WG
- Emily Fox (@TheFoxAtWork), Apple [Chair - term: 9/28/2020 - 9/27/2022]
- Sarah Allen (@ultrasaurus), [Chair - term: 6/3/2019 - 6/3/2021]
- Jeyappragash JJ (@pragashj), Tetrate.io [Chair - term: 6/3/2019 - 6/3/2021]
- Brandon Lum (@lumjjb), IBM
- Justin Cappos (@JustinCappos), New York University
- Ash Narkar (@ashutosh-narkar), Styra
- Andres Vega (@anvega, VMWare
- Aradhana Chetal (@achetal01, TIAA
- Dan Shaw (@dshaw), PayPal [Chair - term: 6/3/2019 - 9/3/2020]
Policy is an essential component of a secure system.
Bi-weekly meetings at 3:00pm PT focus on policy concerns and initiatives.
Co-leads
- Howard Huang (@hannibalhuang), Huawei [Kubernetes Policy WG co-chair]
- Erica von Buelow (@ericavonb), Red Hat [Kubernetes Policy WG]
Co-chair representative: @pragashj
Security reviews are a collaborative process for the benefit of cloud native projects and prospective users by creating a consistent overview of the project and its risk profile.
Facilitator: Justin Cappos (@JustinCappos), New York University
Co-chair representative: @ultrasaurus
Membership governance can be viewed here. If you are new, check out the New Members Page.
Click to view list
- Marlow Weston (@catblade), Intel
- Pushkar Joglekar (@pushkarj)
- POP (@danpopsd), Sysdig
- Devarajan P Ramaswamy (@deva), PADME
- Kamil Pawlowski (@kbpawlowski)
- Geri Jennings (@izgeri), CyberArk
- Jason Melo (@jasonmelo), NearForm
- Torin Sandall (@tsandall), OPA
- Sree Tummidi (@sreetummidi), Pivotal [Cloud Foundry Project Lead]
- Christian Kemper (@ckemper67), Google
- Ray Colline (@rcolline), Google
- Doug Davis (@duglin), IBM
- Sabree Blackmon (@heavypackets), Docker
- Justin Cormack (@justincormack), Docker
- Liz Rice (@lizrice), Aqua Security
- Erik St. Martin (@erikstmartin), Microsoft
- Cheney Hester (@quiqie), Fifth Third Bank
- Mark Underwood (@knowlengr)
- Rae Wang (@rae42), Google
- Rachel Myers (@rachelmyers), Google
- Evan Gilman (@evan2645), Scytale.io
- Andrew Weiss (@anweiss), Docker
- TK Lala (@tk2929), ZcureZ
- Maor Goldberg (@goldberg10)
- Andrew Martin (@sublimino), ControlPlane
- Karthik Gaekwad (@iteration1), Oracle
- Chase Pettet (@chasemp), Mirantis
- Jia Xuan (@xuanjia), China Mobile
- John Morello (@morellonet), Twistlock
- Alban Crequy (@alban), Kinvolk
- Michael Schubert (@schu), Kinvolk
- Andrei Manea (@andrei_821), CloudHero
- Santiago Torres-Arias (@SantiagoTorres), New York University
- Brandon Lum (@lumjjb), IBM
- Ash Narkar (@ashutosh-narkar), OPA
- Lorenzo Fontana (@fntlnz), Sysdig [Falco Maintainer]
- Leonardo Di Donato (@leodido), Sysdig [Falco Maintainer]
- Daniel Iziourov (@danmx), Adevinta
- Michael Hausenblas (@mhausenblas, AWS
- Zach Arnold (@zparnold), Ygrene Energy Fund
- Tsvi Korren (@tsvikorren), Aqua Security
- Simarpreet Singh (@simar7)
- Michael Ducy (@mfdii)
- Roger Klorese (@qnetter), SUSE
- John Menerick (@cloudsriseup), Ford Autonomic
- Peter Benjamin (@pbnj), Norton LifeLock
- Emily Fox(@TheFoxAtWork), Apple
- Carlos Villavicencio (@solrac901), Intel
- Gareth Rushgrove (@garethr), Snyk
- Martin Vrachev (@MVrachev), VMware
- Ricardo Aravena (@raravena80), Rakuten
- Lakshmi Manohar Velicheti (@manohar9999), Shape Security
- Andres Vega (@anvega), Scytale.io
- Cameron Seader (@cseader), SUSE
- Robert Ficcaglia (@rficcaglia), Policy WG
- Matthew Giassa (@iaxes)
- Tabitha Sable (@tabbysable)
- Steven Hadfield (@steven-hadfield), FICO
- Payam Tarverdyan Chychi (@unclepieman), Infoblox
- Yeeling Lam (@yeelinglam), AT&T
- Wayne Haber (@whaber github / @whaber gitlab), GitLab
- Trishank Karthik Kuppusamy @trishankatdatadog, CNAB/Datadog/Notary-v2/TUF/in-toto
- Vinay Venkataraghavan (@vinayvenkat, Prisma Cloud (PANW)
- Magno Logan (@magnologan), Trend Micro
- Itay Shakury (@itaysk), Aqua Security
- Gadi Naor (@gadinaor), Alcide
- Ron Vider (@RonVider), Neo Security
- Marco Lancini (@marco-lancini), Thought Machine
- Lewis Denham-Parry (@denhamparry), ControlPlane
- John Hillegass (@JohnHillegass), Capital One
- Chris Hughes (@chughes216), Oteemo
- Aradhna Chetal (@achetal01), TIAA
- Jon Zeolla (@jonzeolla), Seiso
- Diego Comas (@dcomas), MessageBird
- Adith Sudhakar (@asudhak), VMware
- Muhammad Yuga Nugraha (@myugan), Practical DevSecOps
- John Kinsella (@jlk), Accurics
- Matt Jarvis (@mattj-io), Snyk
- Or Azarzar (@azarzar15), Lightspin
- Alex Floyd Marshall (@apmarshall)
- Alok Raj (@ak-secops), XenonStack
- Brad McCoy (@bradmccoydev), Search365
- Abhishek Singh (@araalinetworks), Araali Networks
- Aeva Black (@AevaOnline), Microsoft
- Frederick Fernando (@freddyfernando), InfraCloud
- Andreas Spanner (@aspanner), Red Hat
- Eli Nesterov (@elinesterov), ByteDance
- Matthew Flannery @matthewflannery), Accelera
- Frederick Kautz (@fkautz), Network Service Mesh Maintainer
- Sunny Patel (@sunnythepatel), Monash eResearch Centre, Melbourne Australia
- Jeff Rowell (@jeff-rowell)
- Daniel Tobin (@dant24), Cyral
- Cole Kennedy (@colek42), BoxBoat
JOIN OUR MEETINGS REGULARLY, THEN ADD YOURSELF VIA PULL REQUEST
As part of the CNCF project proposal process, projects should create a new security review issue with a self-assessment.
For more details on past events and meetings, please see our past events page