From fe701a47d7f8d395a97c3e1459546977e590fa3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Vega?= Date: Tue, 11 Jun 2024 11:54:30 -0700 Subject: [PATCH 01/27] Streamline and update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Streamline and update TAG Security README - Combined Objective, Background, and Mission sections under "About Us" header. - Simplified and consolidated content for clarity and brevity. - Updated publication links and added a table format for better readability, sorted by date in ascending order. - Revised meeting information to use fewer words. Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega --- README.md | 132 +++++++++++++++++++----------------------------------- 1 file changed, 46 insertions(+), 86 deletions(-) diff --git a/README.md b/README.md index 4c394a253..77772e0bc 100644 --- a/README.md +++ b/README.md 
@@ -2,120 +2,86 @@ ![Cloud Native Security Logo](/design/logo/cloud-native-security-horizontal-darkmodesafe.svg) - ## Quick links -- [Meeting Information](#meeting-times) +- [Meeting Information](#meeting-information) - [Slack Information](#communications) -- [New Members](#new-members) - [Members](#members) - [Working Groups](#working-groups) - -## Objective +## About Us -The CNCF Security Technical Advisory Group facilitates collaboration to discover and produce resources that enable -secure access, policy control, and safety for operators, administrators, -developers, and end-users across the cloud native ecosystem. +The CNCF Security Technical Advisory Group facilitates collaboration to exchange and produce knowledge and resources for building security in the cloud native ecosystem. -## Background +Cloud Native involves building, deploying, and operating modern applications in cloud computing environments, typically using open source. This complex ecosystem presents a technology risk landscape that demands rethinking application and information security through the lens of developer experience. -Cloud Native describes the building, deploying, and operating of modern applications in cloud computing environments, typically using open source. This complex ecosystem composed of different open source projects presents an increasingly complicated technology risk landscape. -While there are several projects in the cloud native ecosystem that address trust, safety, and security in the dynamic interplay between the different layers of infrastructure and application services, the technological shift demands application and information security be rethought through the lens of developer experience as close to applying software engineering to design for security considerations in the effort to safeguard an integrated cloud native ecosystem as a whole. +We aim to significantly reduce the probability and impact of attacks, breaches, and compromises. 
By empowering developers and operators to understand and manage the security posture of their systems, we strive to fulfill the promise of enhanced productivity and operational efficiency. -## Vision +## Key Focus Areas -We believe in a future where the probability and impact of attacks, breaches, and compromises are significantly reduced. Where the most common risks of today are not just mitigated but made implausible. We believe developers and operators can be empowered to understand better and be reassured by the posture of the systems they build and run through the informed use of cloud technologies with clear -understanding of responsibility and risks and the unlocked ability to validate that their architectural intent meets compliance and regulatory objectives. - - -There is a growing ecosystem of tools that promises to unlock developer productivity and operational efficiency. We strive to fulfill the human side of the sociotechnical equation to acceleration and attain that promise including: - -1. Consumable system security architectures that account for the ever - growing heterogeneity of systems and provides a framework to protect - resources and data while servicing their users. -2. Common lexicon and open source libraries that make it easy for developers - to create and deploy apps that meet system security requirements. -3. Common libraries and protocols that enable people to reason about the - security of the system, such as auditing and explainability features. +- **System Security Architectures**: Frameworks to protect resources and data. +- **Common Lexicon & Libraries**: Tools for developers to create secure apps. +- **Auditing & Explainability**: Protocols for reasoning about system security. ## Publications -TAG Security has published several resources for the community, which can be -found under [publications](publications/README.md). +This document lists some of the key publications and resources that TAG Security has produced. 
For a complete list of assets in multiple formats, please refer to the [publications](publications/README.md) in the publications subdirectory. + +| Publication | Date | +|-------------|------| +| [In-toto Security Assessment](https://github.com/cncf/tag-security/tree/main/assessments/projects/in-toto) | May, 2019 | +| [Formal Verification for Policy Configurations](https://github.com/cncf/tag-security/blob/main/policy/overview-policy-formal-verification.md) | August, 2019 | +| [OPA Security Assessment](https://github.com/cncf/tag-security/tree/main/assessments/projects/opa) | September, 2019 | +| [Catalog of Supply Chain Compromises](https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises) | November 2019 - Present | +| [Spiffe-Spire Security Assessment](https://github.com/cncf/tag-security/tree/main/assessments/projects/spiffe-spire) | February, 2020 | +| [Harbor Security Assessment](https://github.com/cncf/tag-security/tree/main/assessments/projects/harbor) | April, 2020 | +| [Keycloak Security Assessment](https://github.com/cncf/tag-security/tree/main/assessments/projects/keycloak) | October, 2020 | +| [Software Supply Chain Best Practices](https://github.com/cncf/tag-security/raw/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) | May, 2021 | +| [Evaluating your supply chain security](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/secure-supply-chain-assessment.md) | May, 2021 | +| [Cloud Native Security Lexicon](https://github.com/cncf/tag-security/blob/main/security-lexicon/cloud-native-security-lexicon.md) | August, 2021 | +| [Buildpacks Security Assessment](https://github.com/cncf/tag-security/tree/main/assessments/projects/buildpacks) | September, 2021 | +| [Cloud Native Security Whitepaper](https://www.cncf.io/wp-content/uploads/2022/06/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf) | May, 2022 | +| [Cloud Native Security Controls 
Catalog](https://github.com/cncf/tag-security/blob/main/cloud-native-controls/phase-one-announcement.md) | May, 2022 | +| [Handling build-time dependency vulnerabilities](https://github.com/cncf/tag-security/blob/main/policy/overview-policy-build-time-dependency-vulns.md) | June, 2022 | +| [Secure Software Factory: A Reference Architecture to Securing the Software Supply Chain](https://github.com/cncf/tag-security/raw/main/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf) | May, 2022 | +| [Secure Defaults](https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md) | February, 2022 | +| [Cloud Custodian Security Assessment](https://github.com/cncf/tag-security/tree/main/assessments/projects/custodian) | February, 2022 | +| [Open and Secure - A Manual for Practicing Threat Modeling to Assess and Fortify Open Source Security](https://github.com/cncf/tag-security/blob/main/assessments/Open_and_Secure.pdf) | November, 2023 | ## Governance -[Security TAG charter](governance/charter.md) outlines the scope of our group -activities, as part of our [governance process](governance/README.md) which details how we -work. +Refer to the [Security TAG charter](governance/README.md) for our governance process. ## Communications -Anyone is welcome to join our open discussions of Security TAG projects and share news -related to the group's mission and charter. 
Much of the work of the group -happens outside of Security TAG meetings and we encourage project teams to share -progress updates or post questions in these channels: - -Group communication: - +Join our open discussions and share news: - [Email list](https://lists.cncf.io/g/cncf-tag-security) - [CNCF Slack](https://slack.cncf.io/) #tag-security channel -Leadership: - -- To reach the leadership team (chairs & tech leads), email - [cncf-tag-security-leads@lists.cncf.io](mailto:cncf-tag-security-leads@lists.cncf.io) -- To reach the chairs, email [cncf-tag-security-chairs@lists.cncf.io](mailto:cncf-tag-security-chairs@lists.cncf.io) - -### Slack governance - -Refer to the [slack governance document](slack.md) for details on slack channels -and posting to the channels. - -## Meeting times +## Meeting Information -For our members in North and South America, we host weekly sessions each Wednesday at 10 am (UTC-7). To participate, simply use the following Zoom link: . The meeting ID is 998 0947 4566. +- **Americas**: Weekly on Wednesdays at 10 am (UTC-7). [Zoom link](https://zoom.us/j/99809474566), Meeting ID: 998 0947 4566. +- **EMEA**: Bi-weekly on Wednesdays at 1 pm UTC+0 (adjusts for daylight saving). [Zoom link](https://zoom.us/j/99917523142), Meeting ID: 999 1752 3142. -Meanwhile, participants from Europe, the Middle East, and Africa (EMEA) can join bi-weekly meetings on Wednesdays at 1 pm UTC+0, which adjusts to UTC+1 when daylight saving time is in effect. Join us through this Zoom link: , with the meeting ID: 999 1752 3142. +Check your local timezone [here](https://time.is/). Meetings are listed on the [CNCF calendar](https://www.cncf.io/calendar/) and the [TAG Security Calendar](https://calendar.google.com/calendar/u/0?cid=MGI4dTVlbDh0YTRzOTN0MmNtNzJ0dXZoaGtAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ). -To find the corresponding time in your local area, please see your timezone [here](https://time.is/). 
- -This dual schedule ensures that no matter where you are, you'll have a place in our conversations. - -We invite you to mark your calendars and join the dialogue. For your convenience, all meetings are listed on the main [CNCF calendar](https://www.cncf.io/calendar/) as well as the [TAG Security Calendar](https://calendar.google.com/calendar/u/0?cid=MGI4dTVlbDh0YTRzOTN0MmNtNzJ0dXZoaGtAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ). These calendars are updated regularly to ensure that you stay informed of all upcoming meetings and events. - -Got something to bring up or share? Review how to get a topic or presentation added to the Agenda on our [process](governance/process.md#getting-on-the-agenda) page. +To add a topic to the agenda, review our [process](governance/process.md#getting-on-the-agenda). ## Gatherings -Please let us know if you are going and if you are interested in attending (or -helping to organize!) a gathering. Create -a [github issue](https://github.com/cncf/tag-security/issues/new) for an event -and add to list below: +Interested in attending or organizing an event? Create a [GitHub issue](https://github.com/cncf/tag-security/issues/new): - [Cloud Native SecurityCon 24](https://events.linuxfoundation.org/cloudnativesecuritycon-north-america/) June 26-27, 2024 in Seattle, Washington - -[Past events](past-events.md) +- [Past events](past-events.md) ## New members -If you are new to the group, we encourage you to check out -our [New Members Page](NEW-MEMBERS.md) +New to the group? Check out our [New Members Page](NEW-MEMBERS.md) page. ## Related groups -There are several groups that are affiliated to or do work and cover topics -relevant to the work of Security TAG. 
These can be -seen [here](governance/related-groups/README.md) - -## History - -- TAG-Security - renamed Security TAG ([TOC Issue 549](https://github.com/cncf/toc/issues/549)) -- SAFE WG - renamed to CNCF Security TAG -- [(Proposed) CNCF Policy Working Group](/policy-wg-merging.md) - Merged into - SAFE WG +Explore groups affiliated with or relevant to Security TAG [here](governance/related-groups/README.md) ## Members @@ -152,7 +118,7 @@ seen [here](governance/related-groups/README.md) | Aradhana Chetal | TIAA | June, 2021 - September, 2023 | @achetal01 | | Andrew Martin | ControlPlane | March, 2022 - March, 2024 | @sublimino| -### Working groups +### Working Groups The TAG's working groups focus on specific areas and organize most community activities, including weekly meetings. These groups facilitate discussions, engagement, and publications with key stakeholders, operating differently based on their needs. @@ -160,7 +126,7 @@ Each group, led by a responsible leader, reaches consensus on issues and manages | Project | Leads | |---------------------------------|---------------------------------------------| -| [Applied Research](/community/research/README.md) | Andrés Vega | +| [Research](/community/research/README.md) | Andrés Vega | | [Automated Governance](/community/automated-governance/README.md) | Andrés Vega, Brandt Keller | | [Catalog of Supply Chain Compromises](/community/catalog/README.md) | Santiago Arias Torres | | [Compliance](/community/compliance/README.md) | Anca Sailer, Robert Ficcaglia | 
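Review bot: In the Governance section of this hunk, `[Security TAG charter](governance/README.md)` labels a link "charter" while pointing at the governance README, and the separate link to `governance/charter.md` is dropped; either point this link at `governance/charter.md` or keep both links as the replaced lines had them. Also in this hunk: the Publications table is not in the ascending date order the commit message claims (the two February 2022 rows, Secure Defaults and Cloud Custodian, and the May 2022 Secure Software Factory row come after the June 2022 row), the date formats differ (`May, 2019` vs `November 2019 - Present`), and "Spiffe-Spire" should read SPIFFE/SPIRE as those projects spell their names. The Americas meeting is given as a fixed `10 am (UTC-7)` while the EMEA line notes a daylight-saving shift; if this is a Pacific-time meeting the offset is UTC-8 outside daylight saving, so name the zone or note the shift. The hunk also deletes the leadership contact addresses (`cncf-tag-security-leads@lists.cncf.io`, `cncf-tag-security-chairs@lists.cncf.io`), the Slack governance link to `slack.md`, the History entries (the TOC Issue 549 rename and the `/policy-wg-merging.md` link) and the "New Members" quick link while the section itself remains; if these removals are intended, say so in the commit message (which names a "Mission" section, whereas the hunk removes "Vision"), otherwise move the contacts and history into the governance docs rather than dropping them.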
@@ -172,15 +138,9 @@ Each group, led by a responsible leader, reaches consensus on issues and manages ### CNCF Security TAG reviews -As part of -the [CNCF project proposal process](https://github.com/cncf/toc/blob/main/process) -projects should create a +For [CNCF project proposal process](https://github.com/cncf/toc/blob/main/process) +create a new [security review issue](https://github.com/cncf/tag-security/issues/new?assignees=&labels=assessment&template=security-assessment.md&title=%5BAssessment%5D+Project+Name) with a [self-assessment](https://github.com/cncf/tag-security/blob/main/assessments/guide/self-assessment.md) . - -### Past events and meetings - -For more details on past events and meetings, please see -our [past events page](past-events.md) From 1f3f6414d5a74a560998361accba10cc9d4efdf9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Vega?= Date: Tue, 11 Jun 2024 11:59:10 -0700 Subject: [PATCH 02/27] fix blanks around list MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 77772e0bc..7e87d09ff 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,7 @@ Refer to the [Security TAG charter](governance/README.md) for our governance pro ## Communications Join our open discussions and share news: + - [Email list](https://lists.cncf.io/g/cncf-tag-security) - [CNCF Slack](https://slack.cncf.io/) #tag-security channel From dc87733293ce58a020026b4f85790a148fd48924 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Vega?= Date: Tue, 11 Jun 2024 12:05:53 -0700 Subject: [PATCH 03/27] Revise publications section for clarity MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
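Review bot: In the `CNCF Security TAG reviews` hunk, `For [CNCF project proposal process](...) create a new [security review issue](...)` is not a sentence; suggest `As part of the [CNCF project proposal process](...), create a new [security review issue](...) with a [self-assessment](...).` While on these lines, drop the stray space before the period after the `[self-assessment](...)` link. Removing the `Past events and meetings` subsection is fine since the Gatherings list now links `past-events.md`.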
diff --git a/README.md b/README.md index 7e87d09ff..93f1eeaea 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ We aim to significantly reduce the probability and impact of attacks, breaches, ## Publications -This document lists some of the key publications and resources that TAG Security has produced. For a complete list of assets in multiple formats, please refer to the [publications](publications/README.md) in the publications subdirectory. +This document lists some of the key publications and resources that TAG Security has produced. For a complete list of assets in multiple formats, please refer to the [publications](publications/README.md) directory. | Publication | Date | |-------------|------| From 70b5c0507ac7f64ae9af921109f4a6435e9feda7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Vega?= Date: Tue, 11 Jun 2024 12:06:42 -0700 Subject: [PATCH 04/27] Remove repetition in new members section MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 93f1eeaea..b7c51136a 100644 --- a/README.md +++ b/README.md @@ -78,7 +78,7 @@ Interested in attending or organizing an event? Create a [GitHub issue](https:// ## New members -New to the group? Check out our [New Members Page](NEW-MEMBERS.md) page. +New to the group? Check out our [New Members](NEW-MEMBERS.md) page. ## Related groups From 649e140b649755e967090b36207e1cd589f5484b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Vega?= Date: Tue, 11 Jun 2024 12:56:52 -0700 Subject: [PATCH 05/27] Fix trailing space MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b7c51136a..478390d23 100644 --- a/README.md 
+++ b/README.md @@ -25,7 +25,7 @@ We aim to significantly reduce the probability and impact of attacks, breaches, ## Publications -This document lists some of the key publications and resources that TAG Security has produced. For a complete list of assets in multiple formats, please refer to the [publications](publications/README.md) directory. +This document lists some of the key publications and resources that TAG Security has produced. For a complete list of assets in multiple formats, please refer to the [publications](publications/README.md) directory. | Publication | Date | |-------------|------| From e5c7937be39d1b362530dc1a5ca10c57d65d98ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Vega?= Date: Tue, 11 Jun 2024 13:26:43 -0700 Subject: [PATCH 06/27] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Removed issue to organize gatherings Reworded key focus areas Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega --- README.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 478390d23..cbf0b7b0d 100644 --- a/README.md +++ b/README.md @@ -20,8 +20,8 @@ We aim to significantly reduce the probability and impact of attacks, breaches, ## Key Focus Areas - **System Security Architectures**: Frameworks to protect resources and data. -- **Common Lexicon & Libraries**: Tools for developers to create secure apps. -- **Auditing & Explainability**: Protocols for reasoning about system security. +- **Common Lexicon, Templates & Libraries**: Tools for developers to create secure apps. +- **Heuristics and Models**: Approaches for reasoning about system security. ## Publications 
@@ -70,9 +70,6 @@ To add a topic to the agenda, review our [process](governance/process.md#getting ## Gatherings -Interested in attending or organizing an event? Create a [GitHub issue](https://github.com/cncf/tag-security/issues/new): - - - [Cloud Native SecurityCon 24](https://events.linuxfoundation.org/cloudnativesecuritycon-north-america/) June 26-27, 2024 in Seattle, Washington - [Past events](past-events.md) From 605e2abece06c026c24e67779d62bb562d9792d3 Mon Sep 17 00:00:00 2001 From: Marina Moore Date: Fri, 14 Jun 2024 10:09:11 -0700 Subject: [PATCH 07/27] Reduce duplication and clarify role of chairs. This commit removes some duplicate text between the description of chairs and TLs, as well as clarifying the governance responsibility of chairs. Signed-off-by: Marina Moore --- governance/roles.md | 25 ++++++++----------------- 1 file changed, 8 insertions(+), 17 deletions(-) diff --git a/governance/roles.md b/governance/roles.md index 48d8b6216..9ec901bd5 100644 --- a/governance/roles.md +++ b/governance/roles.md @@ -76,6 +76,8 @@ navigate a complex security landscape. If the TAG has less than two Technical Leads, any Chair may act as Technical Lead. * Primary role of Chairs is to run operations and the governance of the group. + This includes coordination with the TOC and providing approval for governance + changes. * The Chairs are responsible for ensuring that group meetings are planned and facilitated effectively, while also engaging group members in leadership roles. Effective facilitation includes (but is not limited to) the following 
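Review bot: In the `governance/roles.md` hunk at `@@ -76,6 +76,8 @@`, `providing approval for governance changes` is undefined: say what counts as a governance change (for example, edits under `governance/`) and where the approval is recorded, since this same patch makes technical leads the repository maintainers who review pull requests; as written it is unclear whether a governance PR needs a chair's approval in addition to a technical lead's review.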
@@ -87,21 +89,8 @@ Leads, any Chair may act as Technical Lead. * Asking for new proposals to be made to address an identified need. * Partnering with Technical Leads to establish a roadmap and manage ongoing projects. - * Serving as Security TAG leadership representative to ensure the project and - project lead(s) is successful - * check in with the project lead regularly to discuss progress, blockers, - and updates - * provide mentorship to project lead(s) - * ensure the schedule set by the project lead(s) is adhered to - * verify the scope and proposed deliverables of the project are in alignment - with the [Charter](charter.md) prior to recommendation of becoming a - project - * provide the TOC and others on the leadership team with updates - * keep the issue up to date for the project lead(s) if they don't have write - access to do so - * enforce and encourage company diversity on a given project where possible - * provide guardrails and guidance to the project and project lead(s) as - appropriate + * Chairs may additionally perform any actions of technical leads as needed, + especially serving as the Security TAG leadership representative to a project. ## Role of technical leads @@ -111,6 +100,8 @@ process](process.md)). The general list of activities for TL are: +* Acting as maintainers of the TAG Security GitHub repository. This includes + reviewing pull requests and publications. * Establish new sub-projects * Decommission existing sub-projects * Resolve cross-sub-project technical issues and decisions 
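Review bot: The list of representative duties removed in the `@@ -87,21 +89,8 @@` hunk (regular check-ins with the project lead, mentorship, schedule adherence, charter-alignment check before recommending a project, updates to the TOC, keeping the issue current, company diversity, guardrails) does not reappear in the technical-leads hunk, which only adds repository maintainership; the new line says chairs `may additionally perform any actions of technical leads`, but nothing shown assigns these duties to technical leads either. Either move the list to the technical-leads section or a `Leadership representative` subsection so the expectations survive, or state in the commit message that they are being dropped rather than de-duplicated.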
@@ -335,7 +326,7 @@ channel](https://cloud-native.slack.com/archives/CDJ7MLT8S)), and issue a call/request for reviewers (i.e. a single security assessment lead, and at least two additional security reviewers), and ensuring all reviewers [read the conflict of interest disclosure](../assessments/guide/security-reviewer.md) and -sign-off on it in the GitHub ticket itself. +sign-off on it in the GitHub ticket itself. From this point forward, the security assessment lead is the primary individual responsible for driving progress in the assessment process with support from @@ -477,4 +468,4 @@ The rotation process should start at least 2 weeks before a rotation is due. be raised and discussed between STAG co-chairs. 1. Validation that proper transition has happened will be done by STAG representative. 1. If there are multiple leads on a project, STAG leadership will work with - current leads to decide how many leads should be rotated. \ No newline at end of file + current leads to decide how many leads should be rotated. From f840d2983864f3f05111ca40d757390c64e91c01 Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Tue, 18 Jun 2024 17:52:05 -0500 Subject: [PATCH 08/27] migrated contributing docs, updated links 
Signed-off-by: Eddie Knight --- .github/ISSUE_TEMPLATE/presentation.md | 2 +- CONTRIBUTING.md | 207 +++++++++++++++++++++++ CONTRIBUTING/README.md | 57 ------- CONTRIBUTING/first-time-contributions.md | 60 ------- CONTRIBUTING/pull-request-review.md | 88 ---------- CONTRIBUTING/writing-style.md | 42 ----- NEW-MEMBERS.md | 31 ---- README.md | 10 +- governance/presentations.md | 23 --- governance/process.md | 9 +- project-resources/README.md | 10 +- slack.md | 30 ---- 12 files changed, 223 insertions(+), 346 deletions(-) create mode 100644 CONTRIBUTING.md delete mode 100644 CONTRIBUTING/README.md delete mode 100644 CONTRIBUTING/first-time-contributions.md delete mode 100644 CONTRIBUTING/pull-request-review.md delete mode 100644 CONTRIBUTING/writing-style.md delete mode 100644 NEW-MEMBERS.md delete mode 100644 governance/presentations.md delete mode 100644 slack.md diff --git a/.github/ISSUE_TEMPLATE/presentation.md b/.github/ISSUE_TEMPLATE/presentation.md index 640792a0a..82695288e 100644 --- a/.github/ISSUE_TEMPLATE/presentation.md +++ b/.github/ISSUE_TEMPLATE/presentation.md @@ -19,4 +19,4 @@ Availability: What is the availability times of the speakers to present the topi TO DO - [ ] TAG Representative - [ ] Schedule date -- [ ] By opening this issue, I, (Insert Github Handle/Name) acknowledge that the presentation topic and speaker will follow the [presentation guidelines](https://github.com/cncf/tag-security/blob/main/governance/presentations.md) +- [ ] By opening this issue, I, (Insert Github Handle/Name) acknowledge that the presentation topic and speaker will follow the [presentation guidelines](../CONTRIBUTING.md#present-to-the-tag) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 000000000..b53735923 --- /dev/null +++ b/CONTRIBUTING.md 
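Review bot: `../CONTRIBUTING.md#present-to-the-tag` resolves relative to `.github/ISSUE_TEMPLATE/`, which is `.github/CONTRIBUTING.md`, not the root-level file this patch creates; it would need `../../CONTRIBUTING.md`. Because the template body is pasted into the new issue and followed from the issue page rather than the file tree, a relative path is unreliable there anyway; keep an absolute URL as the replaced line had, pointing at the new location (`https://github.com/cncf/tag-security/blob/main/CONTRIBUTING.md#present-to-the-tag`).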
@@ -0,0 +1,207 @@ +# Contributing + + +We welcome new contributors to this community. If you are contributing to the +CNCF and/or TAG-Security for the first time, it's okay if you feel overwhelmed. +We, as a community, are here to help you with any problems you face. Open +source is about collaboration and supporting each other. + +## Get Involved + +To become familiar with the team and understand how you will contribute, start +by reading our [TAG Security charter]. + +New members are advised to: + +- Join the [CNCF Slack], and introduce yourself on the the [#tag-security] + channel. +- Review the following documents: + - [README.md] + - [CODE-OF-CONDUCT.md] +- Get involved by: + - Joining the meetings and expressing your area of interest or if you want to + work on any specific issue. + - Expressing your thoughts or asking questions on an issue you find + interesting. + - Choosing an issue where [help is needed] and commenting on it to express + interest. + +## Contribute to this Repo + +As a new contributor, you might find it difficult to know where to start. Don't +worry! We've got you covered. + +To get more people involved, we have issues marked as [good-first-issues]. +These issues have a smaller scope and are great to start with. If the details +on how to resolve an issue are missing or incomplete, please tag the person who +created the issue. + +### Before Your First PR + +Before you make your first PR, please review the following resources: + +- [How to submit contributions] +- [Collaborating with pull requests] + +Our PRs follow a particular writing style. Check out the [style guide]. + +## Give Pull Request (PR) Reviews + +Except for urgent or very small grammar or spelling fixes, we leave pull +requests open for at least 24 hours for review/comment. + +A favorable review is determined by the PR's compliance with the contributing +guide, writing style, and alignment with the TAG goals, objectives, and scope. 
+PRs should be discussed with TAG members via Slack or issues before submission. + +Reviewer suggestions that are not required (but may increase the quality of the +contribution) should be highlighted by the reviewer as a "nit." These are +different from items that are preferred by the repo's style which should be +consistently applied. + +### Preferred Language + +Preferred language changes are minor but important suggestions and changes +encouraged for consistency in the repo, not to be confused with nits. + +Example of preferred language change: + +```markdown +They use cloud-native technologies with a clear understanding of risks and +the ability to validate that their security policy decisions are reflected in +deployed software. +``` + +Example Reviewer Comment: + +> Per TOC definition, "cloud native" is not hyphenated. + +### Nits + +Reviewers are encouraged to limit the amount of nitpicking done on a +contribution. If there is a significant number of small errors, create a +summary comment discussing the trend that should be addressed instead. + +Example of a nit change: + +```markdown +They use cloud technologies with a clear understanding of risks and the ability +to validate that their security policy decisions are reflected in deployed +software. +``` + +Example Reviewer Comment: + +> "Ability" is a human-oriented term; "capability" is more technical and may + be more appropriate. + +### Merging Pull Requests + +PRs may be merged after at least one qualified review has occurred, depending +on the type of changes reflected in the PR. The merging party needs to verify a +review has occurred, the PR aligns with this guide, and is in scope of the TAG. + +## Communicate with the TAG + +Join the mailing list and other [communication channels]. We encourage +participation in any way possible, supporting asynchronous communication and +contributions to our documentation. 
+ +### Reporting Security Issues + +This group engages in [security reviews] of projects to improve their security +posture. Discussions about potential issues must adhere to the project's +security reporting process and remain close-held to ensure responsible +disclosure. + +### Identifying and Creating Slack Channels + +TAG-Security channels are identified with the "tag-security-" prefix. Only +chairs or tech leads should create tag-security-related channels. Channels +should include a header for their purpose. Refer to the [CNCF Slack guidelines] +for more information. + +### Code of Conduct + +All contributors are expected to abide by the [code of conduct]. + +### Posting Outside Content + +TAG-Security channels are for cloud native security discussions. Outside +content should be relevant to the cloud native community and not +self-promoting. + +## Present to the TAG + +Part of the STAG activities include having guest presentations by members of the community. +We welcome any topic related to our mission and charter. Typical topics include projects, +real-world use-cases, challenges or success stories. However, presentations must follow the +following guidelines. + +### Guidelines + +- Presentations are encouraged to expose the TAG to cloud native open source projects, cloud native security concepts, and other cloud native or security groups. +- Presentations should fit with [our charter](https://github.com/cncf/tag-security/blob/main/governance/charter.md) +- Presentations should not be scheduled on the Agenda until the issue is filled in and the TAG representative has performed due diligence on the issue +- Presentations should abide by the CNCF code of conduct + +Examples of topics that are within scope: + +- Open source project presentations +- Security use-cases and case studies +- Open source community efforts - whitepapers, communities, standards, etc. 
+ +Examples of topics that do NOT meet the guidelines: + +- Vendor pitches and marketing heavy presentations +- Topics unrelated to security +- Topics that are help desk questions, that have a definitive, known searchable answer + +## Writing Style + +Consistency creates clarity in communication. If you find yourself correcting +for consistency, propose additional style guidelines via PR to this document. + +Here are some additional sources for good content guidelines: + +- [OpenOpps Contribution Guide] +- [18F Content Guide] + +### Common Terms + +- When referring to users and use cases, ensure consistency with [use cases]. +- See the [CNCF Style Guide] for common terms. Note that "open source" and + "cloud native" are not hyphenated and all lower case, except at the beginning + of a sentence. + +### Additional Formatting + +- Headlines, page titles, subheads, and similar content should follow sentence + case and should not include a trailing colon. +- Paragraphs should not start with leading indents. +- Wrap lines at 80 characters, except where it would break a link. +- Place markdown links together at the bottom of the file. + +### File & Directory Naming Conventions + +- Every directory should have a README.md with useful introductory text. +- All other file and directory names should be all lower case with dashes to + separate words. 
+ +[good-first-issues]: https://github.com/cncf/tag-security/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22 +[How to submit contributions]: https://opensource.guide/how-to-contribute/#how-to-submit-a-contribution +[Collaborating with pull requests]: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests +[style guide]: #writing-style +[TAG Security charter]: governance/charter.md +[CNCF Slack]: https://slack.cncf.io/ +[#tag-security]: https://cloud-native.slack.com/messages/CDJ7MLT8S +[README.md]: README.md +[CODE-OF-CONDUCT.md]: CODE-OF-CONDUCT.md +[help is needed]: https://github.com/cncf/tag-security/labels/help%20wanted +[communication channels]: README.md#Communications +[security reviews]: ../assessments/README.md +[CNCF Slack guidelines]: https://github.com/cncf/foundation/blob/main/slack-guidelines.md +[code of conduct]: https://github.com/cncf/tag-security/blob/main/CODE-OF-CONDUCT.md +[CNCF Style Guide]: https://github.com/cncf/foundation/blob/main/style-guide.md +[OpenOpps Contribution Guide]: https://github.com/openopps/openopps-platform/blob/main/CONTRIBUTING.md +[18F Content Guide]: https://content-guide.18f.gov/ diff --git a/CONTRIBUTING/README.md b/CONTRIBUTING/README.md deleted file mode 100644 index 9eca63b13..000000000 --- a/CONTRIBUTING/README.md +++ /dev/null 
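Review bot: Two link definitions at the bottom of the new CONTRIBUTING.md assume the file still lives in a subdirectory: `[security reviews]: ../assessments/README.md` climbs out of the repository root for a top-level file (it should be `./assessments/README.md`), and `[communication channels]: README.md#Communications` uses a capitalised fragment while every other anchor in the file (`#writing-style`, `#meeting-times`, `#members`) is lowercase; generated heading ids are lowercase, so use `#communications`. The §Identifying and Creating Slack Channels text also drops the one exception the deleted slack.md made for the `sec-assessment-xxxx` channels of approved security assessments, so the rule "only chairs or tech leads should create tag-security-related channels" now reads as covering assessment channels as well; either restate the exception or say explicitly that assessment channels follow the same rule.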
@@ -1,57 +0,0 @@ -# Contributing - -We aspire to create a welcoming environment for collaboration on this project -and ask that all contributors do the same. For more details, see our [code of -conduct](/CODE-OF-CONDUCT.md). - -This document covers contributions to this git repository. Please review -[governance](/governance) for our mission, charter, and other operations. - -## Open source - -While this repository does not contain open source code, we manage content -contributions following open source practice, as detailed below. - -All contributions to this project will be released under open source license as -described in [LICENSE.md](/LICENSE.md). By submitting a pull request (PR), -you are agreeing to release the PR contents under this license. - -## Communication - -Anyone interested in contributing should join the mailing list and other -[communication channels](/README.md#Communications) - -We strongly encourage and support all our members to participate in anyway -they can. Not everyone can participate in the regularly scheduled live meetings, -so we strive to make our processes friendly for people to be active contributors -through asynchronous communication and contributions to our documentation -in this repository. - -## Github pull requests and issues - -If you are new to the group, [reviewing pull requests](pull-request-review.md) -and commenting on issues is a great way to get involved! - -When creating or reviewing pull requests, please refer to the -[writing style guide](writing-style.md) to help maintain consistency across -all of our documents. - -## Reporting Security Issues - -This group engages in [security reviews](../assessments/README.md) of projects to -assist in improving their overall security posture. As part of those reviews, -members may find or discuss potential issues. 
These findings and discussions -(verbal, slack, or draft doc) are not regarded as a verified vulnerability and -must adhere to the project's security reporting process. It is critical that -contributions from security reviews remain close held to ensure adherence to a -given project's responsible security disclosures process should an potential -issue be discovered. - -Presentations on security issues prior or during active engagement with projects -is not permitted as these may be under embargo. If you are interested in -presenting on a potential security issues we request you contact the project and -get concurrence _prior_ to submitting a presentation issue to our repo. If you -are interested in presenting on security issues discovered as a result of a -security review, please refer to [use of a completed -package](../assessments/README.md#use-of-a-completed-package) for how that -content may be used. diff --git a/CONTRIBUTING/first-time-contributions.md b/CONTRIBUTING/first-time-contributions.md deleted file mode 100644 index 5b5419e10..000000000 --- a/CONTRIBUTING/first-time-contributions.md +++ /dev/null 
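Review bot: The deleted "Reporting Security Issues" text carried rules that the condensed section in the new CONTRIBUTING.md does not: that findings raised during a review (verbal, Slack, draft doc) are not a verified vulnerability, that presenting on issues before or during an active engagement is not permitted because they may be under embargo, that the project's concurrence is required before a presentation issue is filed, and the pointer to "use of a completed package" for reusing review output. The new §Present to the TAG guidelines contain no embargo rule either, so a contributor could now file a presentation issue on an unfixed finding without the document telling them not to. Suggest keeping at least: "Presentations on findings from an active or embargoed security review are not permitted; obtain the project's concurrence before filing a presentation issue."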
@@ -1,60 +0,0 @@ -# First time contributors - -We happily welcome our new contributors to this -community. If you are contributing to the CNCF -and/or TAG-Security for the first time it is -okay if you feel overwhelmed. We, as a -community, are always there to help you -with any problems you are facing. -Open source is about collaboration and -we are always there to support -each other. - -## Getting involved and contributing - -As a new contributor, you might find -difficulties in understanding where to start. -Don't worry! We got you. - -In the interest of getting more new people -involved, we have issues marked as -[good-first-issues](https://github.com/cncf/tag-security/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22). -These are issues that have a smaller scope, -and are great to start with. - -The good-first-issues should also provide -you details on how to get things resolved or -how to proceed. If you find it is missing or -incomplete please tag the person who created -the issue and let them know. - -## Before your first PR - -Before you make you first PR, we would like -you to go through the below resources -for your understanding: - -- [How to submit contributions](https://opensource.guide/how-to-contribute/#how-to-submit-a-contribution) -- [Collaborating with pull requests](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests) - -Our PR also follows a particular writing -style. Checkout the [style guide](https://github.com/cncf/tag-security/blob/main/CONTRIBUTING/writing-style.md). - -## Other ways of communication - -If have additional questions or -doubts about a certain issue. -Please reach out and we will -be happy to discuss. - -You can reach us via our [Mailing List](mailto:cncf-tag-security-leads@lists.cncf.io). - -You can also reach out on our slack [#tag-security-governance](https://cloud-native.slack.com/archives/C0230RW8V2T). 
- -### You can reach out to our members - -Our members list can be found -[here](https://github.com/cncf/tag-security#members). It contains only chairs -and technical leads. To see a list of all contributors, see the -[Insights](https://github.com/cncf/tag-security/graphs/contributors) tab -on GitHub. diff --git a/CONTRIBUTING/pull-request-review.md b/CONTRIBUTING/pull-request-review.md deleted file mode 100644 index 167d84987..000000000 --- a/CONTRIBUTING/pull-request-review.md +++ /dev/null 
@@ -1,88 +0,0 @@ -# Pull Request (PR) reviews - -Except for urgent or very small grammar or spelling fixes, such as simple -changes discussed below, we leave pull requests open for at least 24 hours, so -that others have the chance to review/comment. - -## Favorable review - -A favorable review is determined by the contents of the PR complying with the -contributing guide, the writing style, and agreement the contents align with the -TAG's goals, objectives, and scope. It is anticipated that PRs submitted, with -the exception of spelling and grammar changes, have been discussed with members -of the TAG via slack or issues. - -### Nits - -Nits are minor suggestions and changes that are strongly encouraged to be -identified and resolved to provide consistency in the repo. Preferential -language or language that is a matter of preferred usage are not considered -nits. - -#### Example of preferential language - -> They use cloud technologies with clear understanding of risks and the ability -> to validate that their security policy decisions are reflected in deployed -> software. - -"Ability" is a human oriented term, "capability" is more technical and may be -more appropriate. - -Suggestion: -> They use cloud technologies with clear understanding of risks and the -> capability to validate their security policy decisions are reflected in -> deployed software. - -#### Example of a nit - -> They use cloud-native technologies with clear understanding of risks and the -> ability to validate that their security policy decisions are reflected in -> deployed software. - -Per TOC definition of cloud native, it is not hyphenated. - -correction: -> They use cloud native technologies... - -### Simple changes - -Simple changes are defined as: - -* spelling, typo, grammar -* clarifications, minor updates - -A person without access, other than the PR author, can and _is_ encouraged to -review a PR and comment/+1 that they have done a review and found it favorable. 
-A person with access, including the PR author, may then perform the merge. - -A person with access, other than the PR author, can both review **and** merge a -PR if found favorable after review. - -[Code owners](/CODEOWNERS) need to be at least one concurring reviewer or the -merging party. - -### Significant changes - -Significant changes are defined as: - -* major changes to the repo -* extensive changes to repo contents -* other items as determined by the Technical Leads and Co-Chairs (to be updated - here as they occur) - -A person without access, other than the PR author can and _is_ encouraged to -review a PR and comment/+1 that they have done a review and found it favorable. -A second person with access, other than the PR Author, must also review the PR -and provide concurrence prior to merging. - -Two persons with access, other than the PR author, must review the PR and -provide concurrence, the last of which should perform the merge. - -Code owners (TLs /Co-Chairs/ Chair Emeriti) need to be at least one concurring -reviewer or the merging party. - -### Merging pull requests - -PRs may be merged after at least one review as occurred, dependent on the type -of changes reflected in the PR. The merging party needs to verify a review has -occurred, the PR is in alignment with this guide, and is in scope of the TAG. diff --git a/CONTRIBUTING/writing-style.md b/CONTRIBUTING/writing-style.md deleted file mode 100644 index 90bb2ea75..000000000 --- a/CONTRIBUTING/writing-style.md +++ /dev/null 
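Review bot: Deleting pull-request-review.md removes the only written merge policy (24-hour minimum open time, a second approver with write access for significant changes, a CODEOWNER as reviewer or merger) and nothing else in this series re-states it; the roles.md bullet added later, "Chairs are responsible for approving Pull Requests ... for top-level content of the repository", covers only part of it. Since this repository publishes security guidance, either carry the rules into the new CONTRIBUTING.md or state that branch protection and CODEOWNERS enforce them, so contributors can still see what review a change needs before it lands.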
@@ -1,42 +0,0 @@ -# Writing style - -Consistency creates clarity in communication. - -If you find yourself correcting for consistency, please propose additional style -guidelines via pull request to this document. Feel free to add references to -good sources for content guidelines at the bottom of this guide. - - -## Common terms - -* When referring to users and use cases, ensure consistency with - [use cases](/usecase-personas/) -* See [CNCF Style Guide][cncf-style] for common terms. Note that the following - terms are not hyphenated and all lower case, except for capitalizing the - first letter when at the beginning of a sentence: - * open source - * cloud native - -## Additional formatting - -* Headlines, page titles, subheads and similar content should follow sentence - case, and should not include a trailing colon. -* Paragraphs do not start with leading indent. -* Wrap lines at 80 characters, except where it would break a link. No need to - reformat the whole paragraph to make it perfect -- fewer diffs are easier - for reviewers. - -## File & directory naming conventions - -* Every directory should have a README.md with useful introductory text. -* All other file and directory names should be all lower case with dashes to - separate words. - -## Sources - - -* [OpenOpps Contribution Guide][openopps-style] -* [18F Content Guide](https://content-guide.18f.gov/) - -[cncf-style]: https://github.com/cncf/foundation/blob/master/style-guide.md -[openopps-style]: https://github.com/openopps/openopps-platform/blob/master/CONTRIBUTING.md diff --git a/NEW-MEMBERS.md b/NEW-MEMBERS.md deleted file mode 100644 index 3b19bc35f..000000000 --- a/NEW-MEMBERS.md +++ /dev/null 
@@ -1,31 +0,0 @@ -# New members - -The purpose of this plan is to ensure that you become familiar with the team and -know how you will contribute. The first step is to get yourself familiar with -our mission at [Security TAG charter](governance/charter.md). - -New members are advised to: - -* Join the [CNCF Slack team](https://slack.cncf.io/), particularly - [#tag-security](https://cloud-native.slack.com/messages/CDJ7MLT8S) channel and - introduce yourself. -* Initially go through the following documents in the repository: - * [README.md](README.md) - * [CODE-OF-CONDUCT.md][coc] - * [first-time-contributions] - * [Use cases and personas][use-cases] -* Regularly join one of the [Zoom meetings][meeting-times] at least for the first - couple of months to get yourself up to speed. -* Here are multiple ways to get involved: - * Join the meeting as advised above and express your area of interests or if - you want to work on any specific issue. - * Express your thoughts or ask questions on an issue you find interesting. - * Choose an issue where [help is - needed](https://github.com/cncf/tag-security/labels/help%20wanted) and - comment on it expressing interest. - -[meeting-times]: README.md#meeting-times -[coc]: CODE-OF-CONDUCT.md -[first-time-contributions]: CONTRIBUTING/first-time-contributions.md - -[use-cases]: usecase-personas diff --git a/README.md b/README.md index 4c394a253..2cb8da421 100644 --- a/README.md +++ b/README.md @@ -70,7 +70,7 @@ Leadership: ### Slack governance -Refer to the [slack governance document](slack.md) for details on slack channels +Refer to the [Contributor Documentation] for details on slack channels and posting to the channels. ## Meeting times @@ -101,8 +101,8 @@ and add to list below: ## New members -If you are new to the group, we encourage you to check out -our [New Members Page](NEW-MEMBERS.md) +If you are new to the group, we encourage you to check out our +[Contributor Documentation]. ## Related groups 
@@ -177,10 +177,12 @@ the [CNCF project proposal process](https://github.com/cncf/toc/blob/main/proces projects should create a new [security review issue](https://github.com/cncf/tag-security/issues/new?assignees=&labels=assessment&template=security-assessment.md&title=%5BAssessment%5D+Project+Name) with a -[self-assessment](https://github.com/cncf/tag-security/blob/main/assessments/guide/self-assessment.md) +[self-assessment](./assessments/guide/self-assessment.md) . ### Past events and meetings For more details on past events and meetings, please see our [past events page](past-events.md) + +[Contributor Documentation]: ./CONTRIBUTING.md \ No newline at end of file diff --git a/governance/presentations.md b/governance/presentations.md deleted file mode 100644 index 467b5559c..000000000 --- a/governance/presentations.md +++ /dev/null 
@@ -1,23 +0,0 @@ -# Security TAG presentations - -Part of the STAG activities include having guest presentations by members of the community. -We welcome any topic related to our mission and charter. Typical topics include projects, -real-world use-cases, challenges or success stories. However, presentations must follow the -following guidelines. - -## Guidelines - -- Presentations are encouraged to expose the TAG to cloud native open source projects, cloud native security concepts, and other cloud native or security groups. -- Presentations should fit with [our charter](https://github.com/cncf/tag-security/blob/main/governance/charter.md) -- Presentations should not be scheduled on the Agenda until the issue is filled in and the TAG representative has performed due diligence on the issue -- Presentations should abide by the CNCF code of conduct - -Examples of topics that are within scope: -- Open source project presentations -- Security use-cases and case studies -- Open source community efforts - whitepapers, communities, standards, etc. - -Examples of topics that do NOT meet the guidelines: -- Vendor pitches and marketing heavy presentations -- Topics unrelated to security -- Topics that are help desk questions, that have a definitive, known searchable answer diff --git a/governance/process.md b/governance/process.md index f682de73a..ffa327291 100644 --- a/governance/process.md +++ b/governance/process.md @@ -57,9 +57,6 @@ informative note. ### Raising an Issue Anyone is welcome to raise an issue either as a suggestion or as a proposal. -These will follow the process described in [proposals and suggestions](#proposals-and-suggestions). - -## Suggestions, proposals, & presentations Before creating an issue, review the existing issues to determine if something already exists that covers or is closely related to what you want to discuss or 
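Review bot: The process.md hunk removes the `## Suggestions, proposals, & presentations` heading together with the sentence that pointed at `#proposals-and-suggestions`, which leaves "Raising an Issue" and the paragraph that follows ("Before creating an issue, review the existing issues ...") under one heading and orphans any inbound link to the removed heading's anchor. Grep the repository and the website for the old anchor before merging, and consider keeping a heading so the presentation guidance that follows remains reachable from the table of contents.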
@@ -72,7 +69,7 @@ We love to have presentations about various efforts our members and the greater community are working on. They allow us to gain insights into new challenges, upcoming trends, and often inspire our group to take on new projects. It is important that any content presented to the group must adhere to our -[guidelines](presentations.md). +[guidelines](../CONTRIBUTING.md#present-to-the-tag). Presentations require a [presentation issue](https://github.com/cncf/tag-security/issues/new?assignees=&labels=usecase-presentation%2C+triage-required&template=presentation.md&title=%5BPresentation%5D+Presentation+Title) @@ -83,7 +80,7 @@ Once a presentation issue is submitted a Security TAG representative will be assigned to or review the issue to triage the request. Once triaged, the Security TAG representative will perform due diligence on the issue to ensure it adhere's to our requirements for presentation content. If the [requirements are -met](presentations.md), the Security TAG representative will then add the +met](../CONTRIBUTING.md#present-to-the-tag), the Security TAG representative will then add the topic, link the issue, and provide the point of contact and themselves on the Agenda. @@ -148,7 +145,7 @@ line with the [mission and charter](charter.md). interested in working on the project is able to attend, then add the issue to the meeting agenda: include a link and the name of the person who will present the proposal in the "Planned Meeting" area of the - [meeting notes][https://github.com/cncf/tag-security#meeting-times]. + [meeting notes](https://github.com/cncf/tag-security#meeting-times). Then at the meeting: * The presenter should screen share the github issue (or ask the meeting diff --git a/project-resources/README.md b/project-resources/README.md index 5900986d9..181fd7ac3 100644 --- a/project-resources/README.md +++ b/project-resources/README.md 
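Review bot: The @@ -83 hunk rewrites the sentence that still contains "ensure it adhere's to our requirements"; while the line is being touched, fix the typo to "adheres". The `[meeting notes][https://...]` to `[meeting notes](https://...)` change in the @@ -148 hunk is correct: the square-bracket form was a reference-style link with no matching definition, so it rendered as literal text.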
@@ -3,7 +3,7 @@ This directory is intended to provide CNCF and other open source projects with resources and templates to assist in kick-starting their security practices. The templates, guides, and other documents herein assist projects in completion -of the [self-assessment](assessments/guide/self-assessment.md) as well as a few +of the [self-assessment](../assessments/guide/self-assessment.md) as well as a few items in the [CII badging](https://bestpractices.coreinfrastructure.org/en) process. @@ -77,15 +77,17 @@ and discussions as guidance when determining the content of their updates. It is highly recommended that you seek peer review for your updates beyond that of the Technical Leads and Chairs. More information on contributions to this -repo may be found in the [contributing file](../CONTRIBUTING/README.md). +repo may be found in the [contributing file](../CONTRIBUTING.md). #### New templates & updating contribute.cncf.io The templates within this folder are linked for availability on the contribute.cncf.io site. Should new templates be added to this folder or additional security insights and instructions for maintainers be added, the -contribute.cncf.io site should be updated. There are two core areas that updates -need to occur: +contribute.cncf.io site should be updated. + +There are two core areas that updates that need to occur: + * maintainers > github > templates for new templates * maintainers > community > project-health for general security guidance on keeping the project secure diff --git a/slack.md b/slack.md deleted file mode 100644 index cdd7b73e6..000000000 --- a/slack.md +++ /dev/null 
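Review bot: The new sentence "There are two core areas that updates that need to occur:" has a doubled "that"; the original wording was cleaner, and "Updates need to occur in two core areas:" is cleaner still. The `../assessments/guide/self-assessment.md` and `../CONTRIBUTING.md` path corrections are right for a file that lives in project-resources/.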
@@ -1,30 +0,0 @@ -# TAG-Security channels housekeeping - -## Identifying and creating channels -Just for approved projects, "sec-assessment-xxxx" exception TAG-Security channels -are identified with the “tag-security-” prefix. Except during conferences, the -CNCF permits slack members to create channels; however, tag-security-related -channels should only be created by chairs or tech leads, and are typically -prefixed by tag-security- following hyphenation of the topic/subject. This -helps the community find topics of relevance as well as discover areas to -collaborate. - -It is requested that channels include a header for what it is used for. - -Additional information may be found in the [CNCF slack guidelines](https://github.com/cncf/foundation/blob/master/slack-guidelines.md). - -## Code of conduct - -Members of TAG-Security channels are expected to abide by the [code of conduct](https://github.com/cncf/tag-security/blob/master/CODE-OF-CONDUCT.md). - -## Posting outside content - -The TAG-Security channels are mechanisms for cloud native security discussions. -It is expected that outside, non-tag created content will be posted; however, -these should include topics of relevance and interest to the cloud native -community space, rather than marketing or promotion of a vendor-specific -product. - -For example, maintainers and contributors of projects are encouraged to post -relevant topics, podcasts, and blogs in the channels provided the content is not -self-endorsing for the sake of driving attention to the project. From 7165c4bad0efb40207557b637d0bcc9db166d097 Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Tue, 18 Jun 2024 17:56:08 -0500 Subject: [PATCH 09/27] Linting Signed-off-by: Eddie Knight --- CONTRIBUTING.md | 3 --- README.md | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b53735923..c54332fcf 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -1,5 +1,4 @@ # Contributing - We welcome new contributors to this community. If you are contributing to the CNCF and/or TAG-Security for the first time, it's okay if you feel overwhelmed. @@ -164,7 +163,6 @@ for consistency, propose additional style guidelines via PR to this document. Here are some additional sources for good content guidelines: -- [OpenOpps Contribution Guide] - [18F Content Guide] ### Common Terms @@ -203,5 +201,4 @@ Here are some additional sources for good content guidelines: [CNCF Slack guidelines]: https://github.com/cncf/foundation/blob/main/slack-guidelines.md [code of conduct]: https://github.com/cncf/tag-security/blob/main/CODE-OF-CONDUCT.md [CNCF Style Guide]: https://github.com/cncf/foundation/blob/main/style-guide.md -[OpenOpps Contribution Guide]: https://github.com/openopps/openopps-platform/blob/main/CONTRIBUTING.md [18F Content Guide]: https://content-guide.18f.gov/ diff --git a/README.md b/README.md index 2cb8da421..56c1480ce 100644 --- a/README.md +++ b/README.md @@ -185,4 +185,4 @@ with a For more details on past events and meetings, please see our [past events page](past-events.md) -[Contributor Documentation]: ./CONTRIBUTING.md \ No newline at end of file +[Contributor Documentation]: ./CONTRIBUTING.md From f9b588213bc93c2e4f82fa8f4c81b539dfdd0a41 Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Tue, 18 Jun 2024 17:57:30 -0500 Subject: [PATCH 10/27] linting Signed-off-by: Eddie Knight --- CONTRIBUTING.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c54332fcf..c78ae3ed7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -197,8 +197,8 @@ Here are some additional sources for good content guidelines: [CODE-OF-CONDUCT.md]: CODE-OF-CONDUCT.md [help is needed]: https://github.com/cncf/tag-security/labels/help%20wanted [communication channels]: README.md#Communications -[security reviews]: ../assessments/README.md +[security reviews]: ./assessments/README.md [CNCF Slack guidelines]: https://github.com/cncf/foundation/blob/main/slack-guidelines.md -[code of conduct]: https://github.com/cncf/tag-security/blob/main/CODE-OF-CONDUCT.md +[code of conduct]: ./CODE-OF-CONDUCT.md [CNCF Style Guide]: https://github.com/cncf/foundation/blob/main/style-guide.md [18F Content Guide]: https://content-guide.18f.gov/ From c0c05231e332fc14cf51b6b18a8d5038bc67e20f Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Wed, 19 Jun 2024 00:04:17 -0500 Subject: [PATCH 11/27] Added handling for top-level README edge case Signed-off-by: Eddie Knight --- website/layouts/_default/_markup/render-link.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/layouts/_default/_markup/render-link.html b/website/layouts/_default/_markup/render-link.html index c9ac9c099..4d47dc441 100644 --- a/website/layouts/_default/_markup/render-link.html +++ b/website/layouts/_default/_markup/render-link.html @@ -5,7 +5,7 @@ {{ $path := replace $url.Path "README" "" }} {{ $path = replace $path ".md" "" }} {{ $url = urls.Parse $path }} - {{ if $url.Path }} + {{ if or ($url.Path) (eq .Destination "README.md") }} {{ $fragment := "" }} {{ with $url.Fragment }} {{ $fragment = printf "#%s" . }} From be8f1f078b26ae772ca28a1ac7c577714b727714 Mon Sep 17 00:00:00 2001 From: Marina Moore Date: Wed, 19 Jun 2024 09:15:15 -0700 Subject: [PATCH 12/27] Additional changes to chair role based on pr feedback Signed-off-by: Marina Moore --- governance/roles.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/governance/roles.md b/governance/roles.md index 9ec901bd5..00ebb1330 100644 
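Review bot: In render-link.html, the new condition `eq .Destination "README.md"` only matches a bare destination. A link such as `README.md#Communications`, which this series defines in CONTRIBUTING.md's link table, strips to an empty `$url.Path`, and its `.Destination` still carries the fragment, so it falls through the `if` unchanged and the fragment handling below is skipped; `./README.md` and `/README.md` miss for the same reason. Compare the parsed `$url.Path` (before the `README` and `.md` replacements) against `README.md` instead of the raw destination, which ignores the fragment, and add the `README.md#...` case to whatever link check the website build runs.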
--- a/governance/roles.md +++ b/governance/roles.md @@ -72,12 +72,11 @@ consider their actions to support the group. While CNCF TOC allows for Chairs to serve in purely administrative roles, The Security TAG was formed with deeply technical Chairs based on early need to -navigate a complex security landscape. If the TAG has less than two Technical -Leads, any Chair may act as Technical Lead. +navigate a complex security landscape. -* Primary role of Chairs is to run operations and the governance of the group. - This includes coordination with the TOC and providing approval for governance - changes. +* The primary role of Chairs is to ensure effective operations and governance + of the group. This includes coordination with the TOC and providing approval + for governance changes. * The Chairs are responsible for ensuring that group meetings are planned and facilitated effectively, while also engaging group members in leadership roles. Effective facilitation includes (but is not limited to) the following @@ -89,6 +88,8 @@ Leads, any Chair may act as Technical Lead. * Asking for new proposals to be made to address an identified need. * Partnering with Technical Leads to establish a roadmap and manage ongoing projects. + * Chairs are responsible for approving Pull Requests, specifically for + top-level content of the repository * Chairs may additionally perform any actions of technical leads as needed, especially serving as the Security TAG leadership representative to a project. From aba96d58d9026d4669acc3e890295adc1d7de114 Mon Sep 17 00:00:00 2001 From: Marina Moore Date: Wed, 19 Jun 2024 09:19:21 -0700 Subject: [PATCH 13/27] Move description of facilitation to the facilitation section Signed-off-by: Marina Moore --- governance/roles.md | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/governance/roles.md b/governance/roles.md index 00ebb1330..238fa0f9b 100644 --- a/governance/roles.md +++ b/governance/roles.md 
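Review bot: The new bullet "Chairs are responsible for approving Pull Requests, specifically for top-level content of the repository" is indented two spaces, which makes it a sub-item of the facilitation-activities list rather than a Chair responsibility in its own right, and it is the only bullet without a terminating period; dedent it to the outer list and end it with a period. The follow-up hunk in PATCH 13 moves the facilitation sub-list away but leaves this bullet at the same indent, so it ends up nested under the meeting-planning bullet instead. Also define "top-level content" (files at the repository root, or anything outside a working group's directory) so CODEOWNERS can be kept in line with it. Dropping "If the TAG has less than two Technical Leads, any Chair may act as Technical Lead" is fine only because the retained bullet "Chairs may additionally perform any actions of technical leads as needed" still covers that case; worth saying so in the commit message.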
@@ -78,16 +78,8 @@ navigate a complex security landscape. of the group. This includes coordination with the TOC and providing approval for governance changes. * The Chairs are responsible for ensuring that group meetings are planned - and facilitated effectively, while also engaging group members in leadership - roles. Effective facilitation includes (but is not limited to) the following - activities: - * Setting the agenda for meetings. - * Extending discussion via asynchronous communication to be inclusive of - members who cannot attend a specific meeting time. - * Scheduling discussion of proposals that have been submitted. - * Asking for new proposals to be made to address an identified need. - * Partnering with Technical Leads to establish a roadmap and manage ongoing - projects. + and have facilitators assigned, while also engaging group members in leadership + roles. * Chairs are responsible for approving Pull Requests, specifically for top-level content of the repository * Chairs may additionally perform any actions of technical leads as needed, @@ -374,6 +366,16 @@ goals, the meeting facilitator has the following responsibilities: * Runs meeting check-in, including partner groups. * Leads the meeting through the agenda. +Effective facilitation includes (but is not limited to) the following +activities: +* Setting the agenda for meetings. +* Extending discussion via asynchronous communication to be inclusive of + members who cannot attend a specific meeting time. +* Scheduling discussion of proposals that have been submitted. +* Asking for new proposals to be made to address an identified need. +* Partnering with Technical Leads to establish a roadmap and manage ongoing + projects. + Prerequisites: * Active member. From 27ba5ce097c67ac1ad73cca245c6d5031473b0b9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Andr=C3=A9s=20Vega?= Date: Wed, 19 Jun 2024 19:29:02 -0700 Subject: [PATCH 14/27] Update README.md to unlist assessments from publications MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Removes assessments from list Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega Signed-off-by: Andrés Vega --- README.md | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index cbf0b7b0d..ae6fd4bd7 100644 --- a/README.md +++ b/README.md 
@@ -25,27 +25,20 @@ We aim to significantly reduce the probability and impact of attacks, breaches, ## Publications -This document lists some of the key publications and resources that TAG Security has produced. For a complete list of assets in multiple formats, please refer to the [publications](publications/README.md) directory. +Below is a list of publications by TAG Security. For a comprehensive collection of our works in various formats, please visit the [publications](publications/README.md) directory. | Publication | Date | |-------------|------| -| [In-toto Security Assessment](https://github.com/cncf/tag-security/tree/main/assessments/projects/in-toto) | May, 2019 | | [Formal Verification for Policy Configurations](https://github.com/cncf/tag-security/blob/main/policy/overview-policy-formal-verification.md) | August, 2019 | -| [OPA Security Assessment](https://github.com/cncf/tag-security/tree/main/assessments/projects/opa) | September, 2019 | | [Catalog of Supply Chain Compromises](https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises) | November 2019 - Present | -| [Spiffe-Spire Security Assessment](https://github.com/cncf/tag-security/tree/main/assessments/projects/spiffe-spire) | February, 2020 | -| [Harbor Security Assessment](https://github.com/cncf/tag-security/tree/main/assessments/projects/harbor) | April, 2020 | -| [Keycloak Security Assessment](https://github.com/cncf/tag-security/tree/main/assessments/projects/keycloak) | October, 2020 | | [Software Supply Chain Best Practices](https://github.com/cncf/tag-security/raw/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) | May, 2021 | -| [Evaluating your supply chain security](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/secure-supply-chain-assessment.md) | May, 2021 | +| [Evaluating your Supply Chain 
Security](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/secure-supply-chain-assessment.md) | May, 2021 | | [Cloud Native Security Lexicon](https://github.com/cncf/tag-security/blob/main/security-lexicon/cloud-native-security-lexicon.md) | August, 2021 | -| [Buildpacks Security Assessment](https://github.com/cncf/tag-security/tree/main/assessments/projects/buildpacks) | September, 2021 | | [Cloud Native Security Whitepaper](https://www.cncf.io/wp-content/uploads/2022/06/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf) | May, 2022 | | [Cloud Native Security Controls Catalog](https://github.com/cncf/tag-security/blob/main/cloud-native-controls/phase-one-announcement.md) | May, 2022 | -| [Handling build-time dependency vulnerabilities](https://github.com/cncf/tag-security/blob/main/policy/overview-policy-build-time-dependency-vulns.md) | June, 2022 | +| [Handling Build-time Dependency Vulnerabilities](https://github.com/cncf/tag-security/blob/main/policy/overview-policy-build-time-dependency-vulns.md) | June, 2022 | | [Secure Software Factory: A Reference Architecture to Securing the Software Supply Chain](https://github.com/cncf/tag-security/raw/main/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf) | May, 2022 | | [Secure Defaults](https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md) | February, 2022 | -| [Cloud Custodian Security Assessment](https://github.com/cncf/tag-security/tree/main/assessments/projects/custodian) | February, 2022 | | [Open and Secure - A Manual for Practicing Threat Modeling to Assess and Fortify Open Source Security](https://github.com/cncf/tag-security/blob/main/assessments/Open_and_Secure.pdf) | November, 2023 | ## Governance From 0b109a83957404e8af4d54c0849a9a53bd67686e Mon Sep 17 00:00:00 2001 
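Review bot: With the assessment rows removed, the README no longer links to the assessments directory at all, even though the last row, "Open and Secure", is itself an assessments/ artefact; add a one-line pointer to the assessments directory under the table so completed security reviews stay discoverable from the landing page. While editing the table, restore the ascending date order that the PATCH 01 message promises: Secure Defaults (February 2022) and Secure Software Factory (May 2022) are listed after the June 2022 entry, and "November 2019 - Present" lacks the comma the other dates use.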
From: Riaan Kleinhans <61125752+riaankleinhans@users.noreply.github.com> Date: Thu, 20 Jun 2024 13:00:53 -0400 Subject: [PATCH 15/27] change meeting doc link (#1288) --- governance/process.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/governance/process.md b/governance/process.md index ffa327291..6de6a8b84 100644 --- a/governance/process.md +++ b/governance/process.md @@ -13,7 +13,7 @@ that may involve one or more projects and activities. In order to better plan and facilitate meetings, Security TAG has **three** ways in which a topic may be added to the [Agenda for planned -meetings](https://docs.google.com/document/d/170y5biX9k95hYRwprITprG6Mc9xD5glVn-4mB2Jmi2g/edit#heading=h.q3539ohya47f). +meetings](https://docs.google.com/document/d/1XDmNG1P1YRnidQJEuZFKufaXaIenNHiY-TdYMlt0Un4/edit). In order to best manage the group's time, consider your topic and the audience, and select accordingly. If you are unsure, reach out in the From f5c26686a1acc8c1c2c8809f752e605e10c2fdac Mon Sep 17 00:00:00 2001 From: Marco De Benedictis Date: Tue, 18 Jun 2024 11:08:00 +0200 Subject: [PATCH 16/27] docs: add events to community folder - renames files to follow same naming convention (hyphens) Signed-off-by: Marco De Benedictis --- community/events/README.md | 12 ++++++++++++ .../events/cloud-native-security.md | 2 +- past-events.md => community/events/past-events.md | 2 +- safe_kubecon.md => community/events/safe-kubecon.md | 0 4 files changed, 14 insertions(+), 2 deletions(-) create mode 100644 community/events/README.md rename cloud_native_security.md => community/events/cloud-native-security.md (99%) rename past-events.md => community/events/past-events.md (99%) rename safe_kubecon.md => community/events/safe-kubecon.md (100%) diff --git a/community/events/README.md b/community/events/README.md new file mode 100644 index 000000000..957adec1d --- /dev/null +++ b/community/events/README.md 
@@ -0,0 +1,12 @@ +# Events + +## Upcoming Gatherings + +[CloudNativeSecurityCon](https://events.linuxfoundation.org/cloudnativesecuritycon-north-america/): +June 26 – 27, 2024 — Seattle, Washington + +## Recurring General Meetings + +[Weekly US Meeting](https://zoom.us/j/99809474566): each Wednesday at 10 am (UTC-7) + +[Bi-Weekly EMEA Meeting](https://zoom.us/j/99917523142): on Wednesdays at 1 pm (UTC+0, UTC+1 when daylight saving time is in effect) diff --git a/cloud_native_security.md b/community/events/cloud-native-security.md similarity index 99% rename from cloud_native_security.md rename to community/events/cloud-native-security.md index c7f01a7d8..1dae9e28e 100644 --- a/cloud_native_security.md +++ b/community/events/cloud-native-security.md @@ -23,7 +23,7 @@ project, architecture, and enhance team awareness on security. - Copenhagen, Denmark - May 2-4, 2018 -- [notes](safe_kubecon.md) +- [notes](safe-kubecon.md) [KubeCon + CloudNativeCon, Shanghai](https://events19.linuxfoundation.cn/events/kubecon-cloudnativecon-china-2018/) diff --git a/past-events.md b/community/events/past-events.md similarity index 99% rename from past-events.md rename to community/events/past-events.md index 1b97756bd..44e2aa593 100644 --- a/past-events.md +++ b/community/events/past-events.md @@ -5,7 +5,7 @@ -A list of past KubeCon/Cloud Native SecurityCon events an be found [here](cloud_native_security.md) +A list of past KubeCon/Cloud Native SecurityCon events can be found [here](cloud-native-security.md) ## DockerCon, San Francisco, CA, Apr 30 - May 2, 2019 diff --git a/safe_kubecon.md b/community/events/safe-kubecon.md similarity index 100% rename from safe_kubecon.md rename to community/events/safe-kubecon.md From a7522e9155899015c301ee0d3107f7b214c381ed Mon Sep 17 00:00:00 2001 From: Marco De Benedictis Date: Tue, 18 Jun 2024 11:09:07 +0200 Subject: [PATCH 17/27] feat: add community folder to website directory via makefile 
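Review bot: in the new community/events/README.md hunk the two meeting lines describe time zones inconsistently: the EMEA line spells out the daylight-saving shift ("UTC+0, UTC+1 when daylight saving time is in effect") while the US line gives a fixed "10 am (UTC-7)", which is wrong for part of the year if the meeting actually follows a local US time zone. State the US meeting the same way, or give both meetings as a named zone, so readers outside either region can convert reliably.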
Signed-off-by: Marco De Benedictis --- website/Makefile | 1 + website/content/events/_index.md | 10 ---------- 2 files changed, 1 insertion(+), 10 deletions(-) delete mode 100644 website/content/events/_index.md diff --git a/website/Makefile b/website/Makefile index 0fca670c5..239abb6e6 100644 --- a/website/Makefile +++ b/website/Makefile @@ -6,6 +6,7 @@ deps: --include='assessments' --include='assessments/**' \ --include='governance' --include='governance/**' \ --include='publications' --include='publications/**' \ + --include='community' --include='community/**' \ --include='*.md' --exclude='*' # Move over content such as graphics and logos diff --git a/website/content/events/_index.md b/website/content/events/_index.md deleted file mode 100644 index 75359dc12..000000000 --- a/website/content/events/_index.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -title: Events -menu: - main: - weight: 20 -description: Upcoming Events ---- - -[CloudNativeSecurityCon](https://events.linuxfoundation.org/cloudnativesecuritycon-north-america/): -June 26 – 27, 2024 — Seattle, Washington From 4eb9a704b239ab1f761aeacaf1fe4138a7a50aa4 Mon Sep 17 00:00:00 2001 From: Marco De Benedictis Date: Wed, 19 Jun 2024 11:01:30 +0200 Subject: [PATCH 18/27] docs: add community README Signed-off-by: Marco De Benedictis --- community/README.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 community/README.md diff --git a/community/README.md b/community/README.md new file mode 100644 index 000000000..30f6c609a --- /dev/null +++ b/community/README.md @@ -0,0 +1,3 @@ +# TAG-Security Community Activities + +The Security TAG has several working groups that organize community activities around specific topics, including recurring meetings. From b7abb2e1b11e8a8251c8f05e90ea1e7b85e26d75 Mon Sep 17 00:00:00 2001 From: Marco De Benedictis Date: Wed, 19 Jun 2024 11:02:01 +0200 Subject: [PATCH 19/27] chore: remove community default layout 
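Review bot: the deleted website/content/events/_index.md carried Hugo front matter ("title: Events", "menu: main: weight: 20", "description: Upcoming Events") that registered the Events page in the site's main menu; the rsync include added to website/Makefile copies community/events/README.md as-is with no front matter, so the menu entry and description are lost unless the synced file or a layout supplies them. Either keep a minimal _index.md with the menu block or add an equivalent front-matter step for the community directory.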
Signed-off-by: Marco De Benedictis --- .../themes/docsy/layouts/community/list.html | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 website/themes/docsy/layouts/community/list.html diff --git a/website/themes/docsy/layouts/community/list.html b/website/themes/docsy/layouts/community/list.html deleted file mode 100644 index d66a50ed6..000000000 --- a/website/themes/docsy/layouts/community/list.html +++ /dev/null @@ -1,19 +0,0 @@ -{{ define "main" }} - - -
-
- -

Join the {{ .Site.Title }} community

- -

{{ .Site.Title }} is an open source project that anyone in the community can use, improve, and enjoy. We'd love you to join us! Here's a few ways to find out what's happening and get involved. - -

-
-{{ partial "community_links.html" . }} - -
-{{ .Content }} -
- -{{ end }} From e72b133583a695261600174d12c7d27838973a37 Mon Sep 17 00:00:00 2001 From: Marco De Benedictis Date: Wed, 19 Jun 2024 11:22:58 +0200 Subject: [PATCH 20/27] fix(safe-kubecon.md): linting, spelling Signed-off-by: Marco De Benedictis --- community/events/safe-kubecon.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/community/events/safe-kubecon.md b/community/events/safe-kubecon.md index 8d09ae997..37a433a7f 100644 --- a/community/events/safe-kubecon.md +++ b/community/events/safe-kubecon.md 
@@ -1,15 +1,14 @@ -### SAFE Recap @ [Kubecon Europe 2018](https://events.linuxfoundation.org/events/kubecon-cloudnativecon-europe-2018/) +# SAFE Recap @ [Kubecon Europe 2018](https://events.linuxfoundation.org/events/kubecon-cloudnativecon-europe-2018/) -SAFE had two sessions for introducing SAFE and getting feedback from the community. +SAFE had two sessions for introducing SAFE and getting feedback from the community. * [SAFE WG Intro](https://kccnceu18.sched.com/event/ENw3/safe-wg-intro-jeyappragash-j-j-padmeio-ray-colline-google-any-skill-level) * [SAFE WG Deep Dive](https://kccnceu18.sched.com/event/ENw5/safe-wg-deep-dive-ray-colline-google-intermediate-skill-level) We had a small but relevant group and hallway conversations were equally engaging and informative. -Excited to have [Liz Rice](https://github.com/lizrice) and [Justin Cormack](https://github.com/justincormack) join us. +Excited to have [Liz Rice](https://github.com/lizrice) and [Justin Cormack](https://github.com/justincormack) join us. -Across the board, everyone I had conversation with, there was a natural acknowledgement that security is an end-end problem and understanding secure access and providing a safe end-end system for enduser is critical. Highlighted at the [keynote by Alexis](https://twitter.com/MayaKaczorowski/status/991601395450171392?s=15). +Across the board, everyone I had conversation with, there was a natural acknowledgement that security is an end-end problem and understanding secure access and providing a safe end-end system for end-user is critical. Highlighted at the [keynote by Alexis](https://twitter.com/MayaKaczorowski/status/991601395450171392?s=15). We are just getting started on this, incredibly excited to be part of this team and the effort! - From 98feb2d5589ee31b7b51b34aa25c23e64e6883c6 Mon Sep 17 00:00:00 2001 From: Marco De Benedictis Date: Wed, 19 Jun 2024 15:44:17 +0200 Subject: [PATCH 21/27] ci: update link test retries on 429 
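Review bot: since this hunk already rewrites the "Across the board" sentence for spelling, the same line still reads "everyone I had conversation with" and uses "end-end" twice; "everyone I had conversations with" and "end-to-end" would complete the spelling pass in the same commit.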
Signed-off-by: Marco De Benedictis --- ci/link-config.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/link-config.json b/ci/link-config.json index 1ad3a9dbe..0e43c9de4 100644 --- a/ci/link-config.json +++ b/ci/link-config.json @@ -1,13 +1,13 @@ { "aliveStatusCodes": [200,206,402], - "fallbackRetryDelay": "5s", + "fallbackRetryDelay": "10s", "replacementPatterns": [ { "pattern": "^/", "replacement": "{{BASEURL}}/" } ], - "retryCount": 3, + "retryCount": 5, "retryOn429": true, "timeout": "20s", "httpHeaders": [ From e921144973ce03149698ec907202bf4e563ac9fc Mon Sep 17 00:00:00 2001 From: abhisek Date: Wed, 12 Jun 2024 23:21:03 +0530 Subject: [PATCH 22/27] docs: Update SSC compromise catalog fix: Linter errors docs: Add reference to apt vulnerability description Signed-off-by: abhisek --- supply-chain-security/compromises/2010/apache.md | 4 ++++ supply-chain-security/compromises/2010/fsf-website.md | 2 ++ supply-chain-security/compromises/2010/proftpd.md | 8 +++++--- supply-chain-security/compromises/2011/kernelorg.md | 2 +- supply-chain-security/compromises/2013/apt.md | 5 +++++ supply-chain-security/compromises/README.md | 10 +++++----- 6 files changed, 22 insertions(+), 9 deletions(-) diff --git a/supply-chain-security/compromises/2010/apache.md b/supply-chain-security/compromises/2010/apache.md index 479dbb732..6b213f4f5 100644 --- a/supply-chain-security/compromises/2010/apache.md +++ b/supply-chain-security/compromises/2010/apache.md @@ -15,3 +15,7 @@ databases are considered leaked. ## Type of compromise Attack Chaining - multiple compromises. + +## Reference + +- diff --git a/supply-chain-security/compromises/2010/fsf-website.md b/supply-chain-security/compromises/2010/fsf-website.md index cc0a0c7ff..094b4efc2 100644 --- a/supply-chain-security/compromises/2010/fsf-website.md +++ b/supply-chain-security/compromises/2010/fsf-website.md 
@@ -1,5 +1,7 @@ # Free Software Foundation Website Hack +**Note:** Review if this incident can be categorized as supply chain incident as per [compromise definitions](../compromise-definitions.md) + The source repository for the FSF's website was hacked via a SQL injection. ## Impact diff --git a/supply-chain-security/compromises/2010/proftpd.md b/supply-chain-security/compromises/2010/proftpd.md index 2ec62d90f..c1f07d05b 100644 --- a/supply-chain-security/compromises/2010/proftpd.md +++ b/supply-chain-security/compromises/2010/proftpd.md @@ -1,4 +1,6 @@ -# ProFTPD hack + + +# ProFTPD Hack and Backdoor A source code repository server of an open-source project (ProFTPD) was hacked by unknown attackers who planted a backdoor in the source code. @@ -15,5 +17,5 @@ and it's unlikely a key compromise was involved. ## References -- https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/ -- https://www.theregister.com/2010/12/02/proftpd_backdoored/ +- +- diff --git a/supply-chain-security/compromises/2011/kernelorg.md b/supply-chain-security/compromises/2011/kernelorg.md index a6cdc2a44..cdaf86511 100644 --- a/supply-chain-security/compromises/2011/kernelorg.md +++ b/supply-chain-security/compromises/2011/kernelorg.md @@ -1,5 +1,5 @@ -# kernel.org infrastructure compromise +# kernel.org Infrastructure Compromise While the kernel.org compromise didn't likely involve source code (and would have had limited impact), from gkh's mail: "the compromise of kernel.org and diff --git a/supply-chain-security/compromises/2013/apt.md b/supply-chain-security/compromises/2013/apt.md index 2f8fb1e92..93d51f1df 100644 --- a/supply-chain-security/compromises/2013/apt.md +++ b/supply-chain-security/compromises/2013/apt.md @@ -12,3 +12,8 @@ authenticity wasn't being used for source packages. ## Type of compromise Negligence - Insufficient client-side package authenticity verification + +## References + +* +* 
diff --git a/supply-chain-security/compromises/README.md b/supply-chain-security/compromises/README.md index e413e0403..41abf6e4f 100644 --- a/supply-chain-security/compromises/README.md +++ b/supply-chain-security/compromises/README.md @@ -30,7 +30,7 @@ of compromise needs added, please include that as well. | Name | Year | Type of compromise | Link | | ----------------- | ------------------ | ------------------ | ----------- | -| [Malware Disguised as Installer used to target Korean Public Institution] | 2024 | Trust and Signing | [1](https://asec.ahnlab.com/en/63396/) | +| [Malware Disguised as Installer used to target Korean Public Institution](2024/targeted-signed-endoor.md) | 2024 | Trust and Signing | [1](https://asec.ahnlab.com/en/63396/) | | [3proxy signing incident](2024/laixi-3proxy.md) | 2024 | Trust and Signing | [1](https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/) | | [xz backdoor incident](2024/xz.md) | 2024 | Malicious Maintainer | [1](https://cloudsecurityalliance.org/blog/2024/04/25/navigating-the-xz-utils-vulnerability-cve-2024-3094-a-comprehensive-guide) | | [GitGot: using GitHub repositories as exfiltration store](2024/gitgot.md) | 2024 | Trust and Signing | [1](https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data) | @@ -100,12 +100,12 @@ of compromise needs added, please include that as well. | [Code Spaces](2014/code-spaces.md) | 2014 | Source Code | [1](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/) | | [Monju Incident](2014/monju.md) | 2014 | Publishing infrastructure| [1](https://www.contextis.com/en/blog/context-threat-intelligence-the-monju-incident) | | [APT lack of validation for source packages](2013/apt.md) | 2013 | Negligence | [1](https://lwn.net/Articles/602461/) | -| [GitHub rails/rails Vulnerability](2012/ruby-on-rails-github.md) | 2012 | Source Code
Dev Tooling | [1](https://homakov.blogspot.com/2012/03/how-to.html), [2](https://github.blog/2012-03-05-responsible-disclosure-policy/) | -| [kernel.org compromise](2011/kernelorg.md) | 2011 | Publishing infrastructure | [1](https://lwn.net/Articles/461237/), [2](https://lwn.net/Articles/461552/) | +| [GitHub Ruby on Rails Repository Hack](2012/ruby-on-rails-github.md) | 2012 | Source Code
Dev Tooling | [1](https://homakov.blogspot.com/2012/03/how-to.html), [2](https://github.blog/2012-03-05-responsible-disclosure-policy/) | +| [kernel.org Infrastructure Compromise](2011/kernelorg.md) | 2011 | Publishing infrastructure | [1](https://lwn.net/Articles/461237/), [2](https://lwn.net/Articles/461552/) | | [FSF Website Hack](2010/fsf-website.md) | 2010 | Source Code | [1](https://www.computerworld.com/article/2752415/free-software-foundation-s-software-repository-hacked.html) | -| [apache.org incident](2010/apache.md) | 2010 | Attack Chaining | [1](https://blogs.apache.org/infra/entry/apache_org_04_09_2010) | +| [apache.org Internal Tools Compromise](2010/apache.md) | 2010 | Attack Chaining | [1](https://www.invicti.com/blog/web-security/apacheorg-and-jira-incident/) | | [Operation Aurora](2010/aurora.md) | 2010 | Watering-hole attack | [1](https://www.wired.com/2010/03/source-code-hacks/) | -| [ProFTPD](2010/proftpd.md) | 2010 | Publishing Infrastructure | [1](https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/) | +| [ProFTPD Hack and Backdoor](2010/proftpd.md) | 2010 | Publishing Infrastructure | [1](https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/) | | [WordPress backdoor](2007/wordpress.md) | 2007 | Source Code
Publishing Infrastructure
| [1](https://lwn.net/Articles/224997/) | | [SquirrelMail backdoor](2007/squirrelmail.md) | 2007 | Source Code
Publishing Infrastructure | [1](https://lwn.net/Articles/262688/) | | [Linux Kernel CVS Repository Hack](2003/kernel-repository.md) | 2003 | Source Code
Dev Tooling | [1](https://lwn.net/Articles/57135/) | From 7a1993ff94efc7de91ce4a35a7843c5d42f01776 Mon Sep 17 00:00:00 2001 From: abhisek Date: Fri, 21 Jun 2024 15:01:51 +0530 Subject: [PATCH 23/27] docs: Update category for FSF websie hack incident Signed-off-by: abhisek --- supply-chain-security/compromises/2010/fsf-website.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/supply-chain-security/compromises/2010/fsf-website.md b/supply-chain-security/compromises/2010/fsf-website.md index 094b4efc2..87a4ec45b 100644 --- a/supply-chain-security/compromises/2010/fsf-website.md +++ b/supply-chain-security/compromises/2010/fsf-website.md @@ -1,7 +1,5 @@ # Free Software Foundation Website Hack -**Note:** Review if this incident can be categorized as supply chain incident as per [compromise definitions](../compromise-definitions.md) - The source repository for the FSF's website was hacked via a SQL injection. ## Impact @@ -11,7 +9,7 @@ exfiltrate user names and encrypted passwords from the affected server. ## Type of Compromise -Source Code +Attack Chaining ## References From ce3123d53e9fc966feaf1f6c37c3dcc35701aa34 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Fri, 21 Jun 2024 19:17:39 +0000 Subject: [PATCH 24/27] feat(website): Implement consistent page title capitalization Signed-off-by: Brandt Keller --- ci/spelling-config.json | 5 ++--- governance/chair-proposal-process.md | 2 +- governance/chair-transition.md | 4 ++-- governance/github.md | 2 +- governance/process.md | 2 +- .../related-groups/adding-or-updating-groups.md | 2 +- governance/tech-lead-transition.md | 4 ++-- website/Makefile | 3 ++- website/README.md | 15 +++++++++------ website/package-lock.json | 15 ++++++++------- 10 files changed, 29 insertions(+), 25 deletions(-) diff --git a/ci/spelling-config.json b/ci/spelling-config.json index 766761cfa..b8243b39a 100644 --- a/ci/spelling-config.json +++ b/ci/spelling-config.json 
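Review bot: the reference entries added in the apache.md, proftpd.md and apt.md hunks render as empty bullets here ("+-" and "+*" with nothing after them), and the proftpd.md hunk removes the two plain-URL bullets that previously carried the zdnet and theregister links. If the new entries are angle-bracket autolinks, confirm they survive the site build and the link checker; if they are genuinely empty, the original URLs must be restored. apache.md also introduces a singular "## Reference" heading where the other incident files use "## References".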
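Review bot: in the compromises/README.md hunk the apache.org row swaps its primary source (the blogs.apache.org infrastructure post) for a third-party write-up at invicti.com; keep the project's own incident report as reference [1] and add the secondary source as [2] rather than replacing it. The first row's new link target "2024/targeted-signed-endoor.md" should also be checked against the actual filename in the repository before merge.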
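Review bot: the fsf-website.md hunk changes the incident's "Type of Compromise" from "Source Code" to "Attack Chaining", but the matching row in supply-chain-security/compromises/README.md (shown in the previous patch as "| [FSF Website Hack](2010/fsf-website.md) | 2010 | Source Code |") is not updated, so the index and the incident file now disagree; update the README row in the same commit. The review note removed here was only introduced in the previous commit of this series, so the two commits could be squashed.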
@@ -23,8 +23,8 @@ "CMMC", "CNCF", "CNSMAP", - "CNSWP's", "CNSWP", + "CNSWP's", "codecov", "CODEOWNERS", "Configu", @@ -97,6 +97,7 @@ "OWASP", "Oxley", "Packagist", + "pagefind", "pcre", "PEAR", "pearweb", @@ -125,7 +126,6 @@ "sscsp", "SSCSP", "SSDF", - "SSDF", "stdlib", "superseded", "supplychain", @@ -140,7 +140,6 @@ "triaging", "trojanized", "TTPS", - "TTPS", "Twintag", "unencrypted", "unpatched", diff --git a/governance/chair-proposal-process.md b/governance/chair-proposal-process.md index bcc846013..0d7590abb 100644 --- a/governance/chair-proposal-process.md +++ b/governance/chair-proposal-process.md @@ -1,4 +1,4 @@ -# Security TAG Chair proposal process +# Security TAG Chair Proposal Process 1) Security TAG Co-chairs operate as a team. The Co-Chair team seeks to maintain full coverage of the leadership capabilities across the key qualities of industry experience, hands-on cloud-native and security experience, as well as administrative experience needed to run a Security TAG. 2) If a clear successor for the exiting Co-Chair exists based on the merit of their contributions ("chop wood, carry water") and relevant experience that will benefit the TAG, based on the TAG's collective experience over time, the exiting Co-chair may nominate a successor. diff --git a/governance/chair-transition.md b/governance/chair-transition.md index 74a02c0fe..c51d9903c 100644 --- a/governance/chair-transition.md +++ b/governance/chair-transition.md @@ -1,4 +1,4 @@ -# Chair transition checklist +# Chair Transition Checklist This checklist should be copied into a new issue for when a new chair(s) is needed. 
@@ -42,7 +42,7 @@ process](chair-proposal-process.md) with specific items that must be completed. * [ ] Update codeowners, github settings, README (TOC Liaisons and chairs have admin access, tech leads have push access). * [ ] Link to official vote email list message in PR descriptions - * [ ] [TOC Repo update](https://github.com/cncf/toc/blob/main/tags/security.md) + * [ ] [TOC Repo update](https://github.com/cncf/toc/blob/main/tags/tag-charters/security.md) * [ ] [Service Desk Access](https://cncfservicedesk.atlassian.net/servicedesk/customer/portal/1) * [ ] Update email lists * [ ] update email list membership diff --git a/governance/github.md b/governance/github.md index 6b30e5eb1..c5771571e 100644 --- a/governance/github.md +++ b/governance/github.md @@ -1,4 +1,4 @@ -# Github access permissions and administration +# Github Access Permissions and Administration Facilitation roles are identified in [github settings](/.github/settings.yml) which we use for Github admin permissions and managing issues. Write permissions diff --git a/governance/process.md b/governance/process.md index 6de6a8b84..f09da5595 100644 --- a/governance/process.md +++ b/governance/process.md @@ -1,4 +1,4 @@ -# Agenda, proposals, projects, and teams +# Agenda, Proposals, Projects, and Teams In addition to the activities driven by the [CNCF Technical Oversight Committee][TOC], the work of the group often originates from group members with diff --git a/governance/related-groups/adding-or-updating-groups.md b/governance/related-groups/adding-or-updating-groups.md index de310238b..f852afb0a 100644 --- a/governance/related-groups/adding-or-updating-groups.md +++ b/governance/related-groups/adding-or-updating-groups.md @@ -1,4 +1,4 @@ -# Editing the related groups list +# Editing the Related Groups List ## Updating an existing group diff --git a/governance/tech-lead-transition.md b/governance/tech-lead-transition.md index 087825f19..b85db59ca 100644 --- a/governance/tech-lead-transition.md 
+++ b/governance/tech-lead-transition.md @@ -1,4 +1,4 @@ -# Tech Lead transition checklist +# Tech Lead Transition Checklist This checklist should be copied into a new issue for when a new tech lead(s) is needed. @@ -17,7 +17,7 @@ For nomination process please refer to [tech-lead-proposal-process](./tech-lead- have admin access, tech leads have push access). * [ ] Link to official vote email list message in PR descriptions * [ ] Add STAG milestone to track STAG rep for TL - * [ ] [TOC Repo update](https://github.com/cncf/toc/blob/main/tags/security.md) + * [ ] [TOC Repo update](https://github.com/cncf/toc/blob/main/tags/tag-charters/security.md) * [ ] Verify new TLs have zoom credentials * [ ] Introduce new TL selection, in the next steering committee meeting slide * [ ] YouTube Channel diff --git a/website/Makefile b/website/Makefile index 239abb6e6..b5c13d03d 100644 --- a/website/Makefile +++ b/website/Makefile @@ -19,7 +19,8 @@ deps: if [ "$$file" = "/_index.md" -o "$$base_name" = "README" ]; then \ continue; \ fi; \ - text_to_prepend="---\ntitle: \"$$base_name\"\n---\n"; \ + title_case=$$(echo "$$base_name" | sed -e 's/-/ /g' -e 's/\b\(.\)/\u\1/g' | sed 's/cncf/CNCF/Ig'); \ + text_to_prepend="---\ntitle: \"$$title_case\"\n---\n"; \ sed -i "1s/^/$$text_to_prepend/" "$$file"; \ done diff --git a/website/README.md b/website/README.md index 5db9cbe1c..68d555f50 100644 --- a/website/README.md +++ b/website/README.md @@ -4,7 +4,7 @@ This directory contains a [Hugo](https://gohugo.io) web site published via [Netl When the `main` branch of this repo is updated a fresh build and deploy of the website is executed. Recent Netlify builds and deployments are listed at . -Add content by adding Markdown files to directories in [./content](./content). +Add content by adding Markdown files to directories identified in the [Makefile](./Makefile) include list. Update layouts for each content type in [./layouts](./layouts/). 
@@ -12,14 +12,17 @@ Configuration is set in [config.toml](./config.toml). ## Setting up a local dev instance -To set up a local dev environment make sure you have [Hugo Extended](https://gohugo.io/installation/linux/#editions) and [npm](https://www.npmjs.com/) installed, then run the following: +To set up a local dev environment make sure you have [Hugo Extended](https://gohugo.io/installation/linux/#editions), [npm](https://www.npmjs.com/), and [rsync](https://github.com/RsyncProject/rsync) installed, then run the following: -``` +```bash git clone git@github.com:cncf/tag-security.git -cd tag-security -git submodule update --init --recursive -cd website +cd tag-security/website/ +make deps npm install ``` Then run the site using `npm run serve`. To have the site run locally with a functioning local search, run `npm run serve:with-pagefind`. + +### Cleanup + +To cleanup website build files prior to commit - run `make clean`. \ No newline at end of file diff --git a/website/package-lock.json b/website/package-lock.json index 69364308c..4fcf435a6 100644 --- a/website/package-lock.json +++ b/website/package-lock.json @@ -4,6 +4,7 @@ "requires": true, "packages": { "": { + "name": "website", "dependencies": { "autoprefixer": "^10.4.0", "hugo-extended": "^0.115.2", @@ -267,11 +268,11 @@ } }, "node_modules/braces": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz", - "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz", + "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==", "dependencies": { - "fill-range": "^7.0.1" + "fill-range": "^7.1.1" }, "engines": { "node": ">=8" 
@@ -766,9 +767,9 @@ } }, "node_modules/fill-range": { - "version": "7.0.1", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz", - "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==", + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", + "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==", "dependencies": { "to-regex-range": "^5.0.1" }, From 3ddd19de4f4dd834bb97e57eb3831471b5e55e0d Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Fri, 21 Jun 2024 19:21:28 +0000 Subject: [PATCH 25/27] feat(website): fix linting issues Signed-off-by: Brandt Keller --- website/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/README.md b/website/README.md index 68d555f50..4a6e13c4e 100644 --- a/website/README.md +++ b/website/README.md @@ -25,4 +25,4 @@ Then run the site using `npm run serve`. To have the site run locally with a fun ### Cleanup -To cleanup website build files prior to commit - run `make clean`. \ No newline at end of file +To cleanup website build files prior to commit - run `make clean`. From 50d5f61d7f9dfb88dd3639a1579304f504eaedd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Vega?= Date: Fri, 21 Jun 2024 12:51:14 -0700 Subject: [PATCH 26/27] Move assessments to community/assessments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
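Review bot: the title_case pipeline added to website/Makefile depends on GNU sed extensions: "\b" and "\u\1" in the first sed and the "I" flag in "s/cncf/CNCF/Ig" are not supported by BSD/macOS sed, and the website/README.md hunk in the same patch now tells contributors to run "make deps" locally, so macOS users will get unchanged or mangled titles. Either list GNU sed among the prerequisites next to rsync, or compute the title portably (awk or a small shell loop). The computed title is also interpolated unescaped into the sed -i "1s/^/..." expression, so a filename containing "&" or a backslash would corrupt the generated front matter.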
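Review bot: the website/package-lock.json hunk bumps the transitive packages braces (3.0.2 to 3.0.3) and fill-range (7.0.1 to 7.1.1) and adds a "name": "website" field, none of which relates to the title-capitalization subject of this commit; the braces bump is the release that addressed a published advisory for that package and deserves its own commit, or at least a line in the commit message, so the dependency history stays auditable.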
Signed-off-by: Andrés Vega --- .../assessments}/Open_and_Secure.pdf | Bin .../assessments}/README.md | 61 +++++++++--------- .../assessments}/guide/README.md | 0 .../assessments}/guide/joint-assessment.md | 30 +++++---- .../guide/joint-readme-template.md | 18 +++--- .../assessments}/guide/project-lead.md | 4 +- .../assessments}/guide/review-survey.md | 0 .../assessments}/guide/security-reviewer.md | 19 +++--- .../assessments}/guide/self-assessment.md | 59 +++++++++-------- .../assessments}/intake-process.md | 12 ++-- .../assessments}/projects/README.md | 0 .../projects/antrea/self-assessment.md | 0 .../projects/buildpacks/README.md | 0 .../projects/buildpacks/self-assessment.md | 0 .../cert-manager/adalogics_diagram.png | Bin .../projects/cert-manager/self-assessment.md | 0 .../projects/cloudevents/images/apex-logo.png | Bin .../cloudevents/images/async-api-logo.png | Bin .../images/cloudevents-actions.png | Bin .../cloudevents/images/cloudevents-logo.png | Bin .../cloudevents/images/opentelemetry-logo.svg | 0 .../cloudevents/images/soap-evenlope.png | Bin .../cloudevents/images/soap-webservice.png | Bin .../projects/cloudevents/self-assessment.md | 0 .../projects/cni/docs/CNI-config.png | Bin .../projects/cni/docs/CNI-role.png | Bin .../cni/docs/lightweight-threat-assessment.md | 0 .../projects/cni/self-assessment.md | 0 .../projects/contour/self-assessment.md | 0 .../projects/coredns/self-assessment.md | 0 .../projects/cortex/self-assessment.md | 0 .../projects/cortex/threat-model.md | 0 .../projects/cubefs/self-assessment.md | 0 .../projects/custodian/c7n_attacks.drawio | 0 .../projects/custodian/c7n_attacks.png | Bin .../custodian/c7n_threat_assessment.png | Bin .../projects/custodian/joint-review.md | 0 .../projects/emissary-ingress/image-3.png | Bin .../emissary-ingress/self-assessment.md | 0 .../assets/component-overview.png | Bin .../external-secrets/assets/overview.png | Bin .../docs/stride-threat-model.md | 0 .../external-secrets/self-assessment.md | 0 
.../projects/flatcar/joint-assessment.md | 0 .../projects/flatcar/self-assessment.md | 0 .../projects/fluentd/fluent-bit/README.md | 0 .../fluentd/fluentd/self-assessment.md | 0 .../projects/fluentd/plugins/README.md | 0 .../assessments}/projects/harbor/README.md | 0 .../harbor/docs/Harbor-architecture.png | Bin .../projects/harbor/docs/Harbor-history.png | Bin .../harbor/docs/blast-radius-and-recovery.png | Bin .../projects/harbor/self-assessment.md | 0 .../assessments}/projects/in-toto/README.md | 0 .../projects/in-toto/debian-rebuilder.png | Bin .../assessments}/projects/in-toto/kubesec.png | Bin .../projects/in-toto/self-assessment.md | 0 .../projects/jaeger/self-assessment.md | 0 .../karmada/docs/Karmada-architecture.png | Bin .../karmada/docs/Karmada-components.png | Bin .../projects/karmada/self-assessment.md | 0 .../projects/karmada/threatmodeling.md | 0 .../assessments}/projects/keycloak/README.md | 0 .../projects/keycloak/docs/image1.png | Bin .../projects/keycloak/docs/image10.png | Bin .../projects/keycloak/docs/image11.png | Bin .../projects/keycloak/docs/image2.png | Bin .../projects/keycloak/docs/image3.png | Bin .../projects/keycloak/docs/image4.png | Bin .../projects/keycloak/docs/image5.png | Bin .../projects/keycloak/docs/image6.png | Bin .../projects/keycloak/docs/image7.png | Bin .../projects/keycloak/docs/image8.png | Bin .../projects/keycloak/docs/image9.png | Bin .../projects/keycloak/self-assessment.md | 0 .../projects/knative/knative_dia.png | Bin .../projects/knative/recommendations.md | 0 .../projects/knative/self-assessment.md | 0 .../assessments}/projects/kyverno/README.md | 0 .../kyverno/images/kyverno-architecture.png | Bin .../images/kyverno-physical-architecture.png | Bin .../projects/kyverno/self-assessment.md | 0 .../projects/linkerd/self-assessment.md | 0 .../projects/longhorn/self-assessment.md | 0 .../projects/longhorn/threat-model.md | 0 .../projects/nats/doc/threat-modeling.md | 0 .../nats/images/NATS_Figure_1_Image.jpg | 
Bin .../projects/nats/self-assessment.md | 0 .../assessments}/projects/opa/README.md | 0 .../projects/opa/docs/document_model.png | Bin .../projects/opa/docs/request_response.png | Bin .../projects/opa/self-assessment.md | 0 .../open-telemetry/self-assessment.md | 0 .../projects/openfga/OpenFGA Playground.png | Bin .../projects/openfga/self-assessment.md | 0 .../projects/openkruise/self-assessment.md | 0 .../projects/openkruise/threat-model.md | 0 .../openmetrics/STRIDE Threat Modeling.pdf | Bin .../projects/openmetrics/self-assessment.md | 0 .../operator-framework/self-assessment.md | 0 .../assessments}/projects/pixie/README.md | 0 .../projects/pixie/self-assessment.md | 0 .../rook/Rook High-Level Architecture.png | Bin .../projects/rook/self-assessment.md | 0 .../projects/spiffe-spire/README.md | 0 .../projects/spiffe-spire/docs/image0.png | Bin .../projects/spiffe-spire/docs/image1.png | Bin .../projects/spiffe-spire/docs/image2.png | Bin .../projects/spiffe-spire/docs/image3.png | Bin .../projects/spiffe-spire/docs/image4.png | Bin .../projects/spiffe-spire/docs/image5.png | Bin .../projects/spiffe-spire/docs/image6.png | Bin .../projects/spiffe-spire/docs/image7.png | Bin .../projects/spiffe-spire/self-assessment.md | 0 ...thanos-high-level-arch-diagram-receive.png | Bin ...thanos-high-level-arch-diagram-sidecar.png | Bin .../thanos/res/workflow1.excalidraw.png | Bin .../thanos/res/workflow2.excalidraw.png | Bin .../projects/thanos/self-assessment.md | 0 .../projects/tikv/self-assessment.md | 0 .../tikv/src/imgs/distributed_transaction.png | Bin .../projects/tikv/src/imgs/layer.png | Bin .../projects/tikv/src/imgs/raft_consensus.png | Bin .../projects/tikv/src/imgs/sharding.png | Bin .../projects/tikv/src/imgs/tikv_wholepic.png | Bin .../projects/tikv/tikv-threat-model.md | 0 .../assessments}/projects/volcano/arch.png | Bin .../projects/volcano/recommendations.md | 0 .../projects/volcano/self-assessment.md | 0 .../projects/volcano/threat-analysis.md | 0 130 
files changed, 110 insertions(+), 93 deletions(-) rename {assessments => community/assessments}/Open_and_Secure.pdf (100%) rename {assessments => community/assessments}/README.md (81%) rename {assessments => community/assessments}/guide/README.md (100%) rename {assessments => community/assessments}/guide/joint-assessment.md (65%) rename {assessments => community/assessments}/guide/joint-readme-template.md (71%) rename {assessments => community/assessments}/guide/project-lead.md (96%) rename {assessments => community/assessments}/guide/review-survey.md (100%) rename {assessments => community/assessments}/guide/security-reviewer.md (97%) rename {assessments => community/assessments}/guide/self-assessment.md (92%) rename {assessments => community/assessments}/intake-process.md (96%) rename {assessments => community/assessments}/projects/README.md (100%) rename {assessments => community/assessments}/projects/antrea/self-assessment.md (100%) rename {assessments => community/assessments}/projects/buildpacks/README.md (100%) rename {assessments => community/assessments}/projects/buildpacks/self-assessment.md (100%) rename {assessments => community/assessments}/projects/cert-manager/adalogics_diagram.png (100%) rename {assessments => community/assessments}/projects/cert-manager/self-assessment.md (100%) rename {assessments => community/assessments}/projects/cloudevents/images/apex-logo.png (100%) rename {assessments => community/assessments}/projects/cloudevents/images/async-api-logo.png (100%) rename {assessments => community/assessments}/projects/cloudevents/images/cloudevents-actions.png (100%) rename {assessments => community/assessments}/projects/cloudevents/images/cloudevents-logo.png (100%) rename {assessments => community/assessments}/projects/cloudevents/images/opentelemetry-logo.svg (100%) rename {assessments => community/assessments}/projects/cloudevents/images/soap-evenlope.png (100%) rename {assessments => 
community/assessments}/projects/cloudevents/images/soap-webservice.png (100%) rename {assessments => community/assessments}/projects/cloudevents/self-assessment.md (100%) rename {assessments => community/assessments}/projects/cni/docs/CNI-config.png (100%) rename {assessments => community/assessments}/projects/cni/docs/CNI-role.png (100%) rename {assessments => community/assessments}/projects/cni/docs/lightweight-threat-assessment.md (100%) rename {assessments => community/assessments}/projects/cni/self-assessment.md (100%) rename {assessments => community/assessments}/projects/contour/self-assessment.md (100%) rename {assessments => community/assessments}/projects/coredns/self-assessment.md (100%) rename {assessments => community/assessments}/projects/cortex/self-assessment.md (100%) rename {assessments => community/assessments}/projects/cortex/threat-model.md (100%) rename {assessments => community/assessments}/projects/cubefs/self-assessment.md (100%) rename {assessments => community/assessments}/projects/custodian/c7n_attacks.drawio (100%) rename {assessments => community/assessments}/projects/custodian/c7n_attacks.png (100%) rename {assessments => community/assessments}/projects/custodian/c7n_threat_assessment.png (100%) rename {assessments => community/assessments}/projects/custodian/joint-review.md (100%) rename {assessments => community/assessments}/projects/emissary-ingress/image-3.png (100%) rename {assessments => community/assessments}/projects/emissary-ingress/self-assessment.md (100%) rename {assessments => community/assessments}/projects/external-secrets/assets/component-overview.png (100%) rename {assessments => community/assessments}/projects/external-secrets/assets/overview.png (100%) rename {assessments => community/assessments}/projects/external-secrets/docs/stride-threat-model.md (100%) rename {assessments => community/assessments}/projects/external-secrets/self-assessment.md (100%) rename {assessments => 
community/assessments}/projects/flatcar/joint-assessment.md (100%) rename {assessments => community/assessments}/projects/flatcar/self-assessment.md (100%) rename {assessments => community/assessments}/projects/fluentd/fluent-bit/README.md (100%) rename {assessments => community/assessments}/projects/fluentd/fluentd/self-assessment.md (100%) rename {assessments => community/assessments}/projects/fluentd/plugins/README.md (100%) rename {assessments => community/assessments}/projects/harbor/README.md (100%) rename {assessments => community/assessments}/projects/harbor/docs/Harbor-architecture.png (100%) rename {assessments => community/assessments}/projects/harbor/docs/Harbor-history.png (100%) rename {assessments => community/assessments}/projects/harbor/docs/blast-radius-and-recovery.png (100%) rename {assessments => community/assessments}/projects/harbor/self-assessment.md (100%) rename {assessments => community/assessments}/projects/in-toto/README.md (100%) rename {assessments => community/assessments}/projects/in-toto/debian-rebuilder.png (100%) rename {assessments => community/assessments}/projects/in-toto/kubesec.png (100%) rename {assessments => community/assessments}/projects/in-toto/self-assessment.md (100%) rename {assessments => community/assessments}/projects/jaeger/self-assessment.md (100%) rename {assessments => community/assessments}/projects/karmada/docs/Karmada-architecture.png (100%) rename {assessments => community/assessments}/projects/karmada/docs/Karmada-components.png (100%) rename {assessments => community/assessments}/projects/karmada/self-assessment.md (100%) rename {assessments => community/assessments}/projects/karmada/threatmodeling.md (100%) rename {assessments => community/assessments}/projects/keycloak/README.md (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image1.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image10.png (100%) rename {assessments => 
community/assessments}/projects/keycloak/docs/image11.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image2.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image3.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image4.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image5.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image6.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image7.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image8.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image9.png (100%) rename {assessments => community/assessments}/projects/keycloak/self-assessment.md (100%) rename {assessments => community/assessments}/projects/knative/knative_dia.png (100%) rename {assessments => community/assessments}/projects/knative/recommendations.md (100%) rename {assessments => community/assessments}/projects/knative/self-assessment.md (100%) rename {assessments => community/assessments}/projects/kyverno/README.md (100%) rename {assessments => community/assessments}/projects/kyverno/images/kyverno-architecture.png (100%) rename {assessments => community/assessments}/projects/kyverno/images/kyverno-physical-architecture.png (100%) rename {assessments => community/assessments}/projects/kyverno/self-assessment.md (100%) rename {assessments => community/assessments}/projects/linkerd/self-assessment.md (100%) rename {assessments => community/assessments}/projects/longhorn/self-assessment.md (100%) rename {assessments => community/assessments}/projects/longhorn/threat-model.md (100%) rename {assessments => community/assessments}/projects/nats/doc/threat-modeling.md (100%) rename {assessments => community/assessments}/projects/nats/images/NATS_Figure_1_Image.jpg (100%) rename {assessments => 
community/assessments}/projects/nats/self-assessment.md (100%) rename {assessments => community/assessments}/projects/opa/README.md (100%) rename {assessments => community/assessments}/projects/opa/docs/document_model.png (100%) rename {assessments => community/assessments}/projects/opa/docs/request_response.png (100%) rename {assessments => community/assessments}/projects/opa/self-assessment.md (100%) rename {assessments => community/assessments}/projects/open-telemetry/self-assessment.md (100%) rename {assessments => community/assessments}/projects/openfga/OpenFGA Playground.png (100%) rename {assessments => community/assessments}/projects/openfga/self-assessment.md (100%) rename {assessments => community/assessments}/projects/openkruise/self-assessment.md (100%) rename {assessments => community/assessments}/projects/openkruise/threat-model.md (100%) rename {assessments => community/assessments}/projects/openmetrics/STRIDE Threat Modeling.pdf (100%) rename {assessments => community/assessments}/projects/openmetrics/self-assessment.md (100%) rename {assessments => community/assessments}/projects/operator-framework/self-assessment.md (100%) rename {assessments => community/assessments}/projects/pixie/README.md (100%) rename {assessments => community/assessments}/projects/pixie/self-assessment.md (100%) rename {assessments => community/assessments}/projects/rook/Rook High-Level Architecture.png (100%) rename {assessments => community/assessments}/projects/rook/self-assessment.md (100%) rename {assessments => community/assessments}/projects/spiffe-spire/README.md (100%) rename {assessments => community/assessments}/projects/spiffe-spire/docs/image0.png (100%) rename {assessments => community/assessments}/projects/spiffe-spire/docs/image1.png (100%) rename {assessments => community/assessments}/projects/spiffe-spire/docs/image2.png (100%) rename {assessments => community/assessments}/projects/spiffe-spire/docs/image3.png (100%) rename {assessments => 
community/assessments}/projects/spiffe-spire/docs/image4.png (100%) rename {assessments => community/assessments}/projects/spiffe-spire/docs/image5.png (100%) rename {assessments => community/assessments}/projects/spiffe-spire/docs/image6.png (100%) rename {assessments => community/assessments}/projects/spiffe-spire/docs/image7.png (100%) rename {assessments => community/assessments}/projects/spiffe-spire/self-assessment.md (100%) rename {assessments => community/assessments}/projects/thanos/res/thanos-high-level-arch-diagram-receive.png (100%) rename {assessments => community/assessments}/projects/thanos/res/thanos-high-level-arch-diagram-sidecar.png (100%) rename {assessments => community/assessments}/projects/thanos/res/workflow1.excalidraw.png (100%) rename {assessments => community/assessments}/projects/thanos/res/workflow2.excalidraw.png (100%) rename {assessments => community/assessments}/projects/thanos/self-assessment.md (100%) rename {assessments => community/assessments}/projects/tikv/self-assessment.md (100%) rename {assessments => community/assessments}/projects/tikv/src/imgs/distributed_transaction.png (100%) rename {assessments => community/assessments}/projects/tikv/src/imgs/layer.png (100%) rename {assessments => community/assessments}/projects/tikv/src/imgs/raft_consensus.png (100%) rename {assessments => community/assessments}/projects/tikv/src/imgs/sharding.png (100%) rename {assessments => community/assessments}/projects/tikv/src/imgs/tikv_wholepic.png (100%) rename {assessments => community/assessments}/projects/tikv/tikv-threat-model.md (100%) rename {assessments => community/assessments}/projects/volcano/arch.png (100%) rename {assessments => community/assessments}/projects/volcano/recommendations.md (100%) rename {assessments => community/assessments}/projects/volcano/self-assessment.md (100%) rename {assessments => community/assessments}/projects/volcano/threat-analysis.md (100%) 
diff --git a/assessments/Open_and_Secure.pdf b/community/assessments/Open_and_Secure.pdf similarity index 100% rename from assessments/Open_and_Secure.pdf rename to community/assessments/Open_and_Secure.pdf diff --git a/assessments/README.md b/community/assessments/README.md similarity index 81% rename from assessments/README.md rename to community/assessments/README.md index e47bba8ac..6c798bfd4 100644 --- a/assessments/README.md +++ b/community/assessments/README.md @@ -1,9 +1,9 @@ -# TAG-Security Security Assessment (TSSA) Process +# TAG-Security Security Assessment (TSSA) Process ## Goals -The [TAG-Security Security Assessment Process](guide) (formerly the security -review process) is designed to accelerate the adoption of cloud native +The [TAG-Security Security Assessment Process](guide) (formerly the security +review process) is designed to accelerate the adoption of cloud native technologies based on the below goals and assumptions: ### 1) Reduce risk across the ecosystem 
@@ -11,52 +11,54 @@ technologies based on the below goals and assumptions: The primary goal is to minimize the risk of malicious attacks and accidental privacy breaches. This process achieves this in two ways: - * Improve detection and resolution of vulnerabilities through a clear communication +* Improve detection and resolution of vulnerabilities through a clear communication process. - * Enhance domain expertise in participating projects via collaborative assessments. +* Enhance domain expertise in participating projects via collaborative assessments. ### 2) Accelerate adoption of cloud native technologies -Security assessments are essential but time-intensive processes that each company, -organization, and project must perform to meet their unique commitments to users and -stakeholders. In open source, finding security-related information can be overwhelmingly -difficult and time-consuming. The CNCF TAG-Security Security Assessment Process, hereafter -“TSSA” Process, aims to enhance the discovery of security information and streamline +Security assessments are essential but time-intensive processes that each company, +organization, and project must perform to meet their unique commitments to users and +stakeholders. In open source, finding security-related information can be overwhelmingly +difficult and time-consuming. The CNCF TAG-Security Security Assessment Process, hereafter +“TSSA” Process, aims to enhance the discovery of security information and streamline internal and external assessments in multiple ways: - * Consistent documentation to reduce assessment time. - * Baseline of security information to minimize Q&A. - * A clear security profile rubric for organizations to align their risk profiles with +* Consistent documentation to reduce assessment time. +* Baseline of security information to minimize Q&A. 
+* A clear security profile rubric for organizations to align their risk profiles with the project’s and allocate resources effectively (for assessment and needed project contribution). - * Structured metadata for navigation, grouping, and cross-linking. +* Structured metadata for navigation, grouping, and cross-linking. -This process is expected to raise awareness of how open source projects impact cloud native security; +This process is expected to raise awareness of how open source projects impact cloud native security; however, separate activities may be needed to achieve that purpose using materials generated by the TSSA, known as artifacts or the TSSA package. ## Outcome Each project's TSSA package shall include a description of the project's: + 1. Security design goals. 2. Potential risks in design and configuration implementations. 3. Known limitations including expectations that certain security aspects are managed by upstream or downstream dependencies or complementary software. -5. Next steps to enhance the project's security and/or its contributions to a more secure +4. Next steps to enhance the project's security and/or its contributions to a more secure cloud native ecosystem. -Due to the nature and time frame of the analysis, *the TSSA package is not -meant to subsume the need for a professional security audit of the code*. Implementation-specific -vulnerabilities or improper deployment configurations are not in the scope of a TSSA. -Instead, the TSSA aims to uncover design flaws, enhance the project's security mindset, +Due to the nature and time frame of the analysis, *the TSSA package is not +meant to subsume the need for a professional security audit of the code*. Implementation-specific +vulnerabilities or improper deployment configurations are not in the scope of a TSSA. +Instead, the TSSA aims to uncover design flaws, enhance the project's security mindset, and clearly document its design goals and intended security properties. 
### Benefits of a TSSA -Undergoing the TSSA Process is a key step toward eliminating security risks and integrating +Undergoing the TSSA Process is a key step toward eliminating security risks and integrating security as a fundamental aspect of your system over time. Key benefits of TSSA include: + * Establishing a measurable security baseline. * Identifying and analyzing security issues and their risks. * Integrating a culture of security awareness among developers. @@ -66,6 +68,7 @@ Key benefits of TSSA include: A complete TSSA package primarily consists of the following items: + * [Self-assessment](guide/self-assessment.md): A written assessment by the project of the project's current security status. * [Joint-assessment](guide/joint-assessment.md): A hands-on assessment by both the [security 
@@ -79,15 +82,15 @@ It is considered when performing due diligence. ### Use of a completed TSSA package -A finalized TSSA package may assist the community in contextual project reviews, but -it is not an endorsement or audit of the project’s security. It does not exempt individuals -or organizations from conducting their own due diligence and complying with laws, regulations, +A finalized TSSA package may assist the community in contextual project reviews, but +it is not an endorsement or audit of the project’s security. It does not exempt individuals +or organizations from conducting their own due diligence and complying with laws, regulations, and policies. -Draft assessments contain *unconfirmed* content and require peer review before being -committed to the repository. Draft documents may also contain *speculative* content as +Draft assessments contain *unconfirmed* content and require peer review before being +committed to the repository. Draft documents may also contain *speculative* content as the project lead or security reviewer is performing an assessment. -Draft assessments are *only* for the purpose of preparing final artifacts and are **not** +Draft assessments are *only* for the purpose of preparing final artifacts and are **not** to be used in any other capacity by the community. Final presentation slides and the project's joint assessment @@ -97,8 +100,8 @@ documentation and artifacts from the TSSA. These folders can be found under ## Process -Creating the TSSA package is a collaborative process that benefits both the project -and the community. The primary content is generated by the [project lead](guide/project-lead.md) +Creating the TSSA package is a collaborative process that benefits both the project +and the community. The primary content is generated by the [project lead](guide/project-lead.md) and revised based on feedback from [security reviewers](guide/security-reviewer.md) and other members of the TAG. 
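Review bot: the `-5.` to `+4.` renumbering of the Outcome list in the @@ -11,52 hunk of assessments/README.md is a real content fix that is easy to miss among the trailing-whitespace and bullet-marker normalisation in the same hunk; call it out in the commit message, or better, split the formatting churn from the directory move so `git log --follow` on community/assessments/README.md keeps a clean rename (the 81% similarity index shows how much of this file's change is not the move). The relative links `(guide)`, `guide/self-assessment.md` and `guide/project-lead.md` in the + lines still resolve because the whole tree moves together, but none of the hunks shown here update links elsewhere in the repository that point at the old `assessments/` path; check for those before merging.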
diff --git a/assessments/guide/README.md b/community/assessments/guide/README.md similarity index 100% rename from assessments/guide/README.md rename to community/assessments/guide/README.md diff --git a/assessments/guide/joint-assessment.md b/community/assessments/guide/joint-assessment.md similarity index 65% rename from assessments/guide/joint-assessment.md rename to community/assessments/guide/joint-assessment.md index 47f8a3e1f..82f6188f6 100644 --- a/assessments/guide/joint-assessment.md +++ b/community/assessments/guide/joint-assessment.md 
@@ -244,12 +244,12 @@ section). ### Identity Theft -|Victim Components | Server | Agent | Container on node | Container separate node | -|--|--|--|--|--| -| Victim Server | N/A | Score .11 : Mitigated, server has... | Score .11 : Mitigated, -node has... | Score .11 : Mitigated, node has... | -| Victim Agent | Score 57.5 None, significant issue... | Score. 11 : Mitigated, server -has... | Score .11 : Mitigated, node has... | Score .11 : Mitigated, node has... | +| Victim Components | Server | Agent | Container (same node) | Container (diff node) | +|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Victim Server | N/A: There is only one server | "Mitigated: The server has validation in place to prevent it from signing CSRs for SPIFFE IDs that are not registered to a particular agent. Furthermore, there is validation to prevent an operator from erroneously registering the server's SPIFFE ID. Agents always validate the server's SPIFFE ID when connecting to it. 
Score: 0.11" | "Mitigated: There is validation to prevent an operator from erroneously registering the server's SPIFFE ID. Score: 0.11" | "Mitigated: There is validation to prevent an operator from erroneously registering the server's SPIFFE ID. Score: 0.11" | +| Victim Agent | "NONE: The server has the signing keys and can issue new identities at will. Score: 57.5" | "Mitigated: The server has validation in place to prevent it from signing CSRs for SPIFFE IDs that are not registered to a particular agent. Furthermore, there is validation to prevent an operator from erroneously registering a SPIFFE ID representing an agent. Score: 0.115" | "ESCAPE: If a container escape and privilege escalation can be performed, it is possible to read the agent's key from memory. Score: 0.63" | "Mitigated: There is validation to prevent an operator from erroneously registering the agent's SPIFFE ID. Score: 0.115" | +| Victim Container (same node) | "NONE: The server has the signing keys and can issue new identities at will. Score: 5.5" | "NONE: Agent controls the keys and certificates for all containers authorized to run on it. Score: 5.5" | "ESCAPE: If a container escape and privilege escalation can be performed, it is possible to read neighboring container's keys from memory. Score: 0.231" | "ESCAPE: A container can be authorized to run on multiple nodes. If the container in question is authorized to run on the node with the evil container, then the evil container can obtain a certificate representing the victim container by reading keys from the memory of the local agent. Score: 0.525" | +| Victim Container (diff node) | "NONE: The server has the signing keys and can issue new identities at will. Score: 12.5" | "NONE: A container can be authorized to run on multiple nodes. If the container in question is authorized to run on the node with the evil agent, then the evil agent can obtain a certificate representing the container. 
Score: 12.5 NOTE: This condition only occurs under certain configurations" | "ESCAPE: A container can be authorized to run on multiple nodes. If the container in question is authorized to run on the node with the evil container, then the evil container can obtain a certificate representing the victim container by reading keys from the memory of the local agent. Score: 0.525" | "ESCAPE: A container can be authorized to run on multiple nodes. If the container in question is authorized to run on the node with the evil container, then the evil container can obtain a certificate representing the victim container by reading keys from the memory of the local agent. Score: 0.525" | ### Compromise @@ -289,14 +289,18 @@ formal assessment and are no guarantee of the actual security of the project. *If a hands-on assessment was performed, the below format should be used for reporting details* -| | | -| -- | -- | -| Date of assessment | mmddyyyy-mmddyyyy | -| Hands-on reviewers | name, github handle | +### Assessment Details + +| Field | Description | +|---------------------|---------------------------| +| Date of assessment | mmddyyyy-mmddyyyy | +| Hands-on reviewers | name, github handle | + +### Findings -| Finding Number | Finding name | Finding Notes | Reviewer | -| -- | -- | -- | -- | -| | | | +| Finding Number | Finding name | Finding Notes | Reviewer | +|----------------|--------------|---------------|--------------------| +| | | | | ### Hands-on assessment result diff --git a/assessments/guide/joint-readme-template.md b/community/assessments/guide/joint-readme-template.md similarity index 71% rename from assessments/guide/joint-readme-template.md rename to community/assessments/guide/joint-readme-template.md index 302356350..43abdafa2 100644 --- a/assessments/guide/joint-readme-template.md +++ b/community/assessments/guide/joint-readme-template.md 
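Review bot: in the Identity Theft table of guide/joint-assessment.md (@@ -244,12 +244,12 hunk above), every rewritten cell is wrapped in double quotes (`"Mitigated: ... Score: 0.11"`), which Markdown renders literally; this looks like residue from a spreadsheet export and the quotes should be dropped. The same hunk adds two rows (Victim Container (same node) and Victim Container (diff node)) and the ESCAPE category with scores (0.63, 0.231, 0.525, 5.5, 12.5) that do not appear in the - lines, so substantive threat-model content is landing in a directory-move commit; split it out or state it in the commit message. Also check the score discrepancy: the - lines give the Victim Agent "Mitigated" cells as .11 while the + lines give 0.115, and the Victim Server row keeps 0.11. The oversized `|----...` delimiter row in the + lines could be trimmed to a few dashes per column without changing rendering.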
@@ -13,11 +13,11 @@ Project team: _list name and github handle as appropriate_ ## Background -*Brief synopsys of the project, problem space, how the project solves the problem, can be pulled from the joint assessment.* +_Brief synopsys of the project, problem space, how the project solves the problem, can be pulled from the joint assessment._ ### Maturity -*Use cases, integrations, etc. bulleted, should be available in the joint assessment.* +_Use cases, integrations, etc. bulleted, should be available in the joint assessment._ ## Summary @@ -31,17 +31,17 @@ _refer to the existing readmes for other projects, such as [SPIFFE/SPIRE](https: ### CNCF recommendations -* -* +* +* ### Project recommendations -* -* +* +* ### Additional recommendations -* -* +* +* -Tracking issue: *link to issue for assessment* +Tracking issue: _link to issue for assessment_ diff --git a/assessments/guide/project-lead.md b/community/assessments/guide/project-lead.md similarity index 96% rename from assessments/guide/project-lead.md rename to community/assessments/guide/project-lead.md index 62c58a031..1868ef01d 100644 --- a/assessments/guide/project-lead.md +++ b/community/assessments/guide/project-lead.md @@ -8,8 +8,8 @@ interest in security. ## Time and effort -The level of effort for the team providing the information is expected to be -around **80 hours** of work. Note, projects that have already performed a +The level of effort for the team providing the information is expected to be +around **80 hours** of work. Note, projects that have already performed a security analysis internally are expected to have much lower requirements. ## Conflict of interest diff --git a/assessments/guide/review-survey.md b/community/assessments/guide/review-survey.md similarity index 100% rename from assessments/guide/review-survey.md rename to community/assessments/guide/review-survey.md 
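Review bot: the + line `_Brief synopsys of the project, ..._` in the @@ -13,11 hunk of guide/joint-readme-template.md carries the typo "synopsys" over unchanged; since the line is being rewritten anyway (italic markers switched from `*` to `_`), correct it to "synopsis" in the same change. The remaining hunks in this file and in guide/project-lead.md are whitespace-only and are fine as they are.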
diff --git a/assessments/guide/security-reviewer.md b/community/assessments/guide/security-reviewer.md similarity index 97% rename from assessments/guide/security-reviewer.md rename to community/assessments/guide/security-reviewer.md index c5142830e..0f4f14901 100644 --- a/assessments/guide/security-reviewer.md +++ b/community/assessments/guide/security-reviewer.md @@ -93,6 +93,7 @@ or other details in the ticketed request for a project's joint assessment may require additional time. However, analysis is expected to be concluded in a few weeks -- usually 3 weeks. Effort is expected to include and may not be limited to: + * reviewing existing security documentation * reviewing ticketed request for project assessment * analysis of security assertions and assumptions 
@@ -112,22 +113,24 @@ There is a possibility of a conflict of interest that can arise between a security reviewer and the project being assessed due to the closely-knit nature of the community. Having clear guidelines for conflict of interest situations are important to prevent: -- Individuals from intentionally or unintentionally promoting their own + +* Individuals from intentionally or unintentionally promoting their own company's project -- TAG-Security chairs and review leads intentionally or +* TAG-Security chairs and review leads intentionally or unintentionally limiting the participation of an individual unfairly by asserting conflict of interest -- Security reviews being stalled while groups belabor on who should be allowed +* Security reviews being stalled while groups belabor on who should be allowed to participate The conflicts of interest lie on a spectrum, and are classified into hard and soft conflicts: + * A hard conflict makes a reviewer ineligible to assess a project. * A soft conflict allows a reviewer to assess a project, but not as a [project lead](./project-lead.md). * It is not unusual for reviewers to have soft conflicts. The diversity of reviewers that are familiar with a project can provide a deeper insight -together with a fresh set of eyes and is beneficial to the success of a +together with a fresh set of eyes and is beneficial to the success of a TAG-Security Security Assessment. All reviewers must provide a conflict declaration on the tracking issue to @@ -135,7 +138,8 @@ indicate which hard or soft conflicts do, or do not exist when they volunteer to be a reviewer. This is done by placing a comment on the issue associated with the joint assessment using the table provided below. -#### Conflict of interest statement template: +### Conflict of interest statement template + | Hard Conflicts | Y/N | | :------------- | :-: | | Reviewer is a currently a maintainer of the project | | 
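Review bot: the heading change `-#### Conflict of interest statement template:` to `+### Conflict of interest statement template` in the @@ -112,22 hunk of guide/security-reviewer.md promotes the template one level; confirm that is intended relative to the parent section, since the surrounding sections in this file are not shown changing level. While this template is being reworked, fix the doubled article in the context line `| Reviewer is a currently a maintainer of the project | |` ("Reviewer is currently a maintainer"), and the agreement error in the context sentence "Having clear guidelines for conflict of interest situations are important" ("is important").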
@@ -143,7 +147,6 @@ with the joint assessment using the table provided below. | Reviewer is paid to work on the project | | | Reviewer has significant financial interest directly ties to the success of the project | | - | Soft Conflicts | Y/N | | :------------- | :-: | | Reviewer belongs to the same company/organization of the project, but does not work on the project | | @@ -155,13 +158,14 @@ with the joint assessment using the table provided below. Should a conflict arise during the time of the assessment, reviewers should notify the lead security reviewer when they become aware of the potential conflict, -so the new conflict may be consulted with the Security Assessment Facilitator +so the new conflict may be consulted with the Security Assessment Facilitator and/or chairs. ## Asserting team readiness to conduct a balanced assessment The lead security reviewer has the responsibility of ensuring a balanced assessment, and as part of that before kicking off the assessment must: + * Check that all reviewers have conflict-of-interest declarations, * Provide their own declaration of any potential conflict-of-interest (or lack thereof), @@ -188,4 +192,3 @@ participating in the assessment for which their hard conflict exists. Depending two chairs and the Security Assessment Facilitator may determine if the hard conflict may be waived. Should this occur, the decision's justification will be documented to ensure it clearly depicts the circumstances for granting the waiver. - diff --git a/assessments/guide/self-assessment.md b/community/assessments/guide/self-assessment.md similarity index 92% rename from assessments/guide/self-assessment.md rename to community/assessments/guide/self-assessment.md index 8a7bb5109..e82e940c1 100644 --- a/assessments/guide/self-assessment.md +++ b/community/assessments/guide/self-assessment.md 
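Review bot: removing the blank line between the Hard Conflicts table and the Soft Conflicts table (the single `-` line in the @@ -143,7 +147,6 hunk of guide/security-reviewer.md) merges the two into one table in GFM renderers: a table only ends at a blank line or another block, so `| Soft Conflicts | Y/N |` and its `| :------------- | :-: |` delimiter row become body rows of the Hard Conflicts table, with the dashes rendered literally. Restore the blank line, or put a heading between the two tables. While touching this table, the context line `| Reviewer has significant financial interest directly ties to the success of the project | |` should read "directly tied to the success".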
@@ -1,17 +1,18 @@ # Self-assessment + The Self-assessment is the initial document for projects to begin thinking about the security of the project, determining gaps in their security, and preparing any security documentation for their users. This document is ideal for projects currently in the CNCF **sandbox** as well as projects that are looking to receive a joint assessment and currently in CNCF **incubation**. -For a detailed guide with step-by-step discussion and examples, check out the free -Express Learning course provided by Linux Foundation Training & Certification: +For a detailed guide with step-by-step discussion and examples, check out the free +Express Learning course provided by Linux Foundation Training & Certification: [Security Assessments for Open Source Projects](https://training.linuxfoundation.org/express-learning/security-self-assessments-for-open-source-projects-lfel1005/). -# Self-assessment outline +## Self-assessment outline -## Table of contents +### Table of contents * [Metadata](#metadata) * [Security links](#security-links) @@ -28,7 +29,7 @@ Express Learning course provided by Linux Foundation Training & Certification: * [Security issue resolution](#security-issue-resolution) * [Appendix](#appendix) -## Metadata +### Metadata A table at the top for quick reference information, later used for indexing. 
@@ -40,28 +41,31 @@ A table at the top for quick reference information, later used for indexing. | Languages | Language(s) the project is written in. | | SBOM | Software bill of materials. Link to the libraries, packages, versions used by the project, may also include direct dependencies. | -### Security links +#### Security links + Provide the list of links to existing security documentation for the project. You may use the table below as an example: | Doc | url | | -- | -- | -| Security file | https://my.security.file | -| Default and optional configs | https://example.org/config | +| Security file | | +| Default and optional configs | | + -## Overview +### Overview One or two sentences describing the project -- something memorable and accurate that distinguishes your project to quickly orient readers who may be assessing multiple projects. -### Background +#### Background Provide information for reviewers who may not be familiar with your project's domain or problem area. -### Actors -These are the individual parts of your system that interact to provide the +#### Actors + +These are the individual parts of your system that interact to provide the desired functionality. Actors only need to be separate, if they are isolated in some way. For example, if a service has a database and a front-end API, but if a vulnerability in either one would compromise the other, then the distinction 
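Review bot: replacing the sample URLs with empty cells (`+| Security file | |` and `+| Default and optional configs | |`) conflicts with the sentence kept just above, `You may use the table below as an example`, which now points at a table whose `url` column is empty. If the goal is to stop shipping a made-up hostname, put an explicit placeholder such as `<link to SECURITY.md>` in the cells so projects filling in the template can see what is expected there. The added `+` blank line after the table also appears to sit next to the existing blank line before `### Overview`, which leaves two consecutive blank lines and will be flagged by markdownlint (MD012).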
@@ -70,30 +74,33 @@ between the database and front-end is not relevant. The means by which actors are isolated should also be described, as this is often what prevents an attacker from moving laterally after a compromise. -### Actions +#### Actions + These are the steps that a project performs in order to provide some service or functionality. These steps are performed by different actors in the system. Note, that an action need not be overly descriptive at the function call level. -It is sufficient to focus on the security checks performed, use of sensitive +It is sufficient to focus on the security checks performed, use of sensitive data, and interactions between actors to perform an action. -For example, the access server receives the client request, checks the format, -validates that the request corresponds to a file the client is authorized to -access, and then returns a token to the client. The client then transmits that +For example, the access server receives the client request, checks the format, +validates that the request corresponds to a file the client is authorized to +access, and then returns a token to the client. The client then transmits that token to the file server, which, after confirming its validity, returns the file. -### Goals +#### Goals + The intended goals of the projects including the security guarantees the project is meant to provide (e.g., Flibble only allows parties with an authorization key to change data it stores). -### Non-goals +#### Non-goals + Non-goals that a reasonable reader of the project’s literature could believe may be in scope (e.g., Flibble does not intend to stop a party with a key from storing an arbitrarily large amount of data, possibly incurring financial cost or overwhelming the servers) -## Self-assessment use +### Self-assessment use This self-assessment is created by the [project] team to perform an internal analysis of the project's security. It is not intended to provide a security audit of [project], or 
@@ -109,7 +116,7 @@ to assist in a joint-assessment, necessary for projects under incubation. Taken together, this document and the joint-assessment serve as a cornerstone for if and when [project] seeks graduation and is preparing for a security audit. -## Security functions and features +### Security functions and features * Critical. A listing critical security components of the project with a brief description of their importance. It is recommended these be used for threat modeling. @@ -121,12 +128,12 @@ for changes to the project. the project, such as deployment configurations, settings, etc. These should also be included in threat modeling. -## Project compliance +### Project compliance * Compliance. List any security standards or sub-sections the project is already documented as meeting (PCI-DSS, COBIT, ISO, GDPR, etc.). -## Secure development practices +### Secure development practices * Development Pipeline. A description of the testing and assessment processes that the software undergoes as it is developed and built. Be sure to include specific @@ -145,7 +152,7 @@ virtualization for 80% of cloud users. So, our small number of "users" actually represents very wide usage across the ecosystem since every virtual instance uses Flibber encryption by default.) -## Security issue resolution +### Security issue resolution * Responsible Disclosures Process. A outline of the project's responsible disclosures process should suspected security issues, incidents, or 
@@ -157,12 +164,12 @@ outline should discuss communication methods/strategies. confirmation, notification of vulnerability or security incident, and patching/update availability. -## Appendix +### Appendix * Known Issues Over Time. List or summarize statistics of past vulnerabilities with links. If none have been reported, provide data, if any, about your track record in catching issues in code review or automated testing. -* [CII Best Practices](https://www.coreinfrastructure.org/programs/best-practices-program/). +* [Open SSF Best Practices](https://www.bestpractices.dev/en). Best Practices. A brief discussion of where the project is at with respect to CII best practices and what it would need to achieve the badge. diff --git a/assessments/intake-process.md b/community/assessments/intake-process.md similarity index 96% rename from assessments/intake-process.md rename to community/assessments/intake-process.md index 81da8dee4..b486d9992 100644 --- a/assessments/intake-process.md +++ b/community/assessments/intake-process.md @@ -8,7 +8,7 @@ cloud native ecosystem and helping cloud native projects succeed. The following process describes how projects are prioritized for security assessments. -# Authority +## Authority Team members are welcome to submit PRs to streamline this process when priorities are clear based on the criteria below. As needed, specific leaders 
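Review bot: the new link text `[Open SSF Best Practices](https://www.bestpractices.dev/en)` spells the foundation's name in a form it does not use itself; it is written `OpenSSF`. More importantly, only the link line was changed: the bullet still continues `A brief discussion of where the project is at with respect to CII best practices and what it would need to achieve the badge`, so the template now names the retired CII program immediately after linking to the OpenSSF one. Update that sentence to refer to the OpenSSF Best Practices badge as well so the two halves of the bullet agree.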
@@ -26,14 +26,14 @@ coordinate the decision-making process. team, resolving questions/concerns about prioritization, and serving as an escalation point for projects or TAG members, if needed. -# Pre-conditions +## Pre-conditions * The project is either a CNCF project OR an assertion that the project is cloud native (any objection must be resolved before an assessment would be considered) * The project has identified a project lead and has a written self-assessment -# Intake priorities +## Intake priorities The following priorities are high-level guidance for how to coordinate the work of the group when there are multiple projects that are ready for an @@ -65,14 +65,14 @@ Security Assessment Facilitator may remove the project from the queue with notification to the co-chairs. The Security Assessment Facilitator will update the corresponding issue, prior to closing the project's request. -# Updates and renewal +## Updates and renewal The Security Assessment team will aim to review assessed projects annually, focusing primarily on any issues or concerns raised in previous assessments, addressing new functionality that affects risk profile of the project, and any issue that may have been flagged about the project. -# Managing the assessment queue +## Managing the assessment queue Note: this section describes the current process. Anyone is welcome to open a github issue or submit a pull request suggesting process improvements @@ -82,7 +82,7 @@ is clearly communicated to the group (typically by adding a note to the relevant github issue). Each assessment is represented as a github issue, where the description field -follows a [template](/.github/ISSUE_TEMPLATE/joint-assessment.md) +follows a [template](.github/ISSUE_TEMPLATE/joint-review.md) The queue is visible through [github project](https://github.com/cncf/tag-security/projects/2) 
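Review bot: the template link in `+follows a [template](.github/ISSUE_TEMPLATE/joint-review.md)` drops the leading slash that the removed line `-follows a [template](/.github/ISSUE_TEMPLATE/joint-assessment.md)` had, which turns a repository-root link into one relative to the file's own directory. Because this file is being moved to `community/assessments/intake-process.md` in the same diff, the link now resolves to `community/assessments/.github/ISSUE_TEMPLATE/joint-review.md`, where no issue template lives. Keep the root-anchored form `/.github/ISSUE_TEMPLATE/joint-review.md` (or `../../.github/ISSUE_TEMPLATE/joint-review.md`), and confirm that `joint-review.md` actually exists under `.github/ISSUE_TEMPLATE`, since a rename from `joint-assessment.md` does not appear in this diff.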
diff --git a/assessments/projects/README.md b/community/assessments/projects/README.md similarity index 100% rename from assessments/projects/README.md rename to community/assessments/projects/README.md diff --git a/assessments/projects/antrea/self-assessment.md b/community/assessments/projects/antrea/self-assessment.md similarity index 100% rename from assessments/projects/antrea/self-assessment.md rename to community/assessments/projects/antrea/self-assessment.md diff --git a/assessments/projects/buildpacks/README.md b/community/assessments/projects/buildpacks/README.md similarity index 100% rename from assessments/projects/buildpacks/README.md rename to community/assessments/projects/buildpacks/README.md diff --git a/assessments/projects/buildpacks/self-assessment.md b/community/assessments/projects/buildpacks/self-assessment.md similarity index 100% rename from assessments/projects/buildpacks/self-assessment.md rename to community/assessments/projects/buildpacks/self-assessment.md diff --git a/assessments/projects/cert-manager/adalogics_diagram.png b/community/assessments/projects/cert-manager/adalogics_diagram.png similarity index 100% rename from assessments/projects/cert-manager/adalogics_diagram.png rename to community/assessments/projects/cert-manager/adalogics_diagram.png diff --git a/assessments/projects/cert-manager/self-assessment.md b/community/assessments/projects/cert-manager/self-assessment.md similarity index 100% rename from assessments/projects/cert-manager/self-assessment.md rename to community/assessments/projects/cert-manager/self-assessment.md diff --git a/assessments/projects/cloudevents/images/apex-logo.png b/community/assessments/projects/cloudevents/images/apex-logo.png similarity index 100% rename from assessments/projects/cloudevents/images/apex-logo.png rename to community/assessments/projects/cloudevents/images/apex-logo.png 
diff --git a/assessments/projects/cloudevents/images/async-api-logo.png b/community/assessments/projects/cloudevents/images/async-api-logo.png similarity index 100% rename from assessments/projects/cloudevents/images/async-api-logo.png rename to community/assessments/projects/cloudevents/images/async-api-logo.png diff --git a/assessments/projects/cloudevents/images/cloudevents-actions.png b/community/assessments/projects/cloudevents/images/cloudevents-actions.png similarity index 100% rename from assessments/projects/cloudevents/images/cloudevents-actions.png rename to community/assessments/projects/cloudevents/images/cloudevents-actions.png diff --git a/assessments/projects/cloudevents/images/cloudevents-logo.png b/community/assessments/projects/cloudevents/images/cloudevents-logo.png similarity index 100% rename from assessments/projects/cloudevents/images/cloudevents-logo.png rename to community/assessments/projects/cloudevents/images/cloudevents-logo.png diff --git a/assessments/projects/cloudevents/images/opentelemetry-logo.svg b/community/assessments/projects/cloudevents/images/opentelemetry-logo.svg similarity index 100% rename from assessments/projects/cloudevents/images/opentelemetry-logo.svg rename to community/assessments/projects/cloudevents/images/opentelemetry-logo.svg diff --git a/assessments/projects/cloudevents/images/soap-evenlope.png b/community/assessments/projects/cloudevents/images/soap-evenlope.png similarity index 100% rename from assessments/projects/cloudevents/images/soap-evenlope.png rename to community/assessments/projects/cloudevents/images/soap-evenlope.png diff --git a/assessments/projects/cloudevents/images/soap-webservice.png b/community/assessments/projects/cloudevents/images/soap-webservice.png similarity index 100% rename from assessments/projects/cloudevents/images/soap-webservice.png rename to community/assessments/projects/cloudevents/images/soap-webservice.png 
diff --git a/assessments/projects/cloudevents/self-assessment.md b/community/assessments/projects/cloudevents/self-assessment.md similarity index 100% rename from assessments/projects/cloudevents/self-assessment.md rename to community/assessments/projects/cloudevents/self-assessment.md diff --git a/assessments/projects/cni/docs/CNI-config.png b/community/assessments/projects/cni/docs/CNI-config.png similarity index 100% rename from assessments/projects/cni/docs/CNI-config.png rename to community/assessments/projects/cni/docs/CNI-config.png diff --git a/assessments/projects/cni/docs/CNI-role.png b/community/assessments/projects/cni/docs/CNI-role.png similarity index 100% rename from assessments/projects/cni/docs/CNI-role.png rename to community/assessments/projects/cni/docs/CNI-role.png diff --git a/assessments/projects/cni/docs/lightweight-threat-assessment.md b/community/assessments/projects/cni/docs/lightweight-threat-assessment.md similarity index 100% rename from assessments/projects/cni/docs/lightweight-threat-assessment.md rename to community/assessments/projects/cni/docs/lightweight-threat-assessment.md diff --git a/assessments/projects/cni/self-assessment.md b/community/assessments/projects/cni/self-assessment.md similarity index 100% rename from assessments/projects/cni/self-assessment.md rename to community/assessments/projects/cni/self-assessment.md diff --git a/assessments/projects/contour/self-assessment.md b/community/assessments/projects/contour/self-assessment.md similarity index 100% rename from assessments/projects/contour/self-assessment.md rename to community/assessments/projects/contour/self-assessment.md diff --git a/assessments/projects/coredns/self-assessment.md b/community/assessments/projects/coredns/self-assessment.md similarity index 100% rename from assessments/projects/coredns/self-assessment.md rename to community/assessments/projects/coredns/self-assessment.md 
diff --git a/assessments/projects/cortex/self-assessment.md b/community/assessments/projects/cortex/self-assessment.md similarity index 100% rename from assessments/projects/cortex/self-assessment.md rename to community/assessments/projects/cortex/self-assessment.md diff --git a/assessments/projects/cortex/threat-model.md b/community/assessments/projects/cortex/threat-model.md similarity index 100% rename from assessments/projects/cortex/threat-model.md rename to community/assessments/projects/cortex/threat-model.md diff --git a/assessments/projects/cubefs/self-assessment.md b/community/assessments/projects/cubefs/self-assessment.md similarity index 100% rename from assessments/projects/cubefs/self-assessment.md rename to community/assessments/projects/cubefs/self-assessment.md diff --git a/assessments/projects/custodian/c7n_attacks.drawio b/community/assessments/projects/custodian/c7n_attacks.drawio similarity index 100% rename from assessments/projects/custodian/c7n_attacks.drawio rename to community/assessments/projects/custodian/c7n_attacks.drawio diff --git a/assessments/projects/custodian/c7n_attacks.png b/community/assessments/projects/custodian/c7n_attacks.png similarity index 100% rename from assessments/projects/custodian/c7n_attacks.png rename to community/assessments/projects/custodian/c7n_attacks.png diff --git a/assessments/projects/custodian/c7n_threat_assessment.png b/community/assessments/projects/custodian/c7n_threat_assessment.png similarity index 100% rename from assessments/projects/custodian/c7n_threat_assessment.png rename to community/assessments/projects/custodian/c7n_threat_assessment.png diff --git a/assessments/projects/custodian/joint-review.md b/community/assessments/projects/custodian/joint-review.md similarity index 100% rename from assessments/projects/custodian/joint-review.md rename to community/assessments/projects/custodian/joint-review.md 
diff --git a/assessments/projects/emissary-ingress/image-3.png b/community/assessments/projects/emissary-ingress/image-3.png similarity index 100% rename from assessments/projects/emissary-ingress/image-3.png rename to community/assessments/projects/emissary-ingress/image-3.png diff --git a/assessments/projects/emissary-ingress/self-assessment.md b/community/assessments/projects/emissary-ingress/self-assessment.md similarity index 100% rename from assessments/projects/emissary-ingress/self-assessment.md rename to community/assessments/projects/emissary-ingress/self-assessment.md diff --git a/assessments/projects/external-secrets/assets/component-overview.png b/community/assessments/projects/external-secrets/assets/component-overview.png similarity index 100% rename from assessments/projects/external-secrets/assets/component-overview.png rename to community/assessments/projects/external-secrets/assets/component-overview.png diff --git a/assessments/projects/external-secrets/assets/overview.png b/community/assessments/projects/external-secrets/assets/overview.png similarity index 100% rename from assessments/projects/external-secrets/assets/overview.png rename to community/assessments/projects/external-secrets/assets/overview.png diff --git a/assessments/projects/external-secrets/docs/stride-threat-model.md b/community/assessments/projects/external-secrets/docs/stride-threat-model.md similarity index 100% rename from assessments/projects/external-secrets/docs/stride-threat-model.md rename to community/assessments/projects/external-secrets/docs/stride-threat-model.md diff --git a/assessments/projects/external-secrets/self-assessment.md b/community/assessments/projects/external-secrets/self-assessment.md similarity index 100% rename from assessments/projects/external-secrets/self-assessment.md rename to community/assessments/projects/external-secrets/self-assessment.md 
diff --git a/assessments/projects/flatcar/joint-assessment.md b/community/assessments/projects/flatcar/joint-assessment.md similarity index 100% rename from assessments/projects/flatcar/joint-assessment.md rename to community/assessments/projects/flatcar/joint-assessment.md diff --git a/assessments/projects/flatcar/self-assessment.md b/community/assessments/projects/flatcar/self-assessment.md similarity index 100% rename from assessments/projects/flatcar/self-assessment.md rename to community/assessments/projects/flatcar/self-assessment.md diff --git a/assessments/projects/fluentd/fluent-bit/README.md b/community/assessments/projects/fluentd/fluent-bit/README.md similarity index 100% rename from assessments/projects/fluentd/fluent-bit/README.md rename to community/assessments/projects/fluentd/fluent-bit/README.md diff --git a/assessments/projects/fluentd/fluentd/self-assessment.md b/community/assessments/projects/fluentd/fluentd/self-assessment.md similarity index 100% rename from assessments/projects/fluentd/fluentd/self-assessment.md rename to community/assessments/projects/fluentd/fluentd/self-assessment.md diff --git a/assessments/projects/fluentd/plugins/README.md b/community/assessments/projects/fluentd/plugins/README.md similarity index 100% rename from assessments/projects/fluentd/plugins/README.md rename to community/assessments/projects/fluentd/plugins/README.md diff --git a/assessments/projects/harbor/README.md b/community/assessments/projects/harbor/README.md similarity index 100% rename from assessments/projects/harbor/README.md rename to community/assessments/projects/harbor/README.md diff --git a/assessments/projects/harbor/docs/Harbor-architecture.png b/community/assessments/projects/harbor/docs/Harbor-architecture.png similarity index 100% rename from assessments/projects/harbor/docs/Harbor-architecture.png rename to community/assessments/projects/harbor/docs/Harbor-architecture.png 
diff --git a/assessments/projects/harbor/docs/Harbor-history.png b/community/assessments/projects/harbor/docs/Harbor-history.png similarity index 100% rename from assessments/projects/harbor/docs/Harbor-history.png rename to community/assessments/projects/harbor/docs/Harbor-history.png diff --git a/assessments/projects/harbor/docs/blast-radius-and-recovery.png b/community/assessments/projects/harbor/docs/blast-radius-and-recovery.png similarity index 100% rename from assessments/projects/harbor/docs/blast-radius-and-recovery.png rename to community/assessments/projects/harbor/docs/blast-radius-and-recovery.png diff --git a/assessments/projects/harbor/self-assessment.md b/community/assessments/projects/harbor/self-assessment.md similarity index 100% rename from assessments/projects/harbor/self-assessment.md rename to community/assessments/projects/harbor/self-assessment.md diff --git a/assessments/projects/in-toto/README.md b/community/assessments/projects/in-toto/README.md similarity index 100% rename from assessments/projects/in-toto/README.md rename to community/assessments/projects/in-toto/README.md diff --git a/assessments/projects/in-toto/debian-rebuilder.png b/community/assessments/projects/in-toto/debian-rebuilder.png similarity index 100% rename from assessments/projects/in-toto/debian-rebuilder.png rename to community/assessments/projects/in-toto/debian-rebuilder.png diff --git a/assessments/projects/in-toto/kubesec.png b/community/assessments/projects/in-toto/kubesec.png similarity index 100% rename from assessments/projects/in-toto/kubesec.png rename to community/assessments/projects/in-toto/kubesec.png diff --git a/assessments/projects/in-toto/self-assessment.md b/community/assessments/projects/in-toto/self-assessment.md similarity index 100% rename from assessments/projects/in-toto/self-assessment.md rename to community/assessments/projects/in-toto/self-assessment.md 
diff --git a/assessments/projects/jaeger/self-assessment.md b/community/assessments/projects/jaeger/self-assessment.md similarity index 100% rename from assessments/projects/jaeger/self-assessment.md rename to community/assessments/projects/jaeger/self-assessment.md diff --git a/assessments/projects/karmada/docs/Karmada-architecture.png b/community/assessments/projects/karmada/docs/Karmada-architecture.png similarity index 100% rename from assessments/projects/karmada/docs/Karmada-architecture.png rename to community/assessments/projects/karmada/docs/Karmada-architecture.png diff --git a/assessments/projects/karmada/docs/Karmada-components.png b/community/assessments/projects/karmada/docs/Karmada-components.png similarity index 100% rename from assessments/projects/karmada/docs/Karmada-components.png rename to community/assessments/projects/karmada/docs/Karmada-components.png diff --git a/assessments/projects/karmada/self-assessment.md b/community/assessments/projects/karmada/self-assessment.md similarity index 100% rename from assessments/projects/karmada/self-assessment.md rename to community/assessments/projects/karmada/self-assessment.md diff --git a/assessments/projects/karmada/threatmodeling.md b/community/assessments/projects/karmada/threatmodeling.md similarity index 100% rename from assessments/projects/karmada/threatmodeling.md rename to community/assessments/projects/karmada/threatmodeling.md diff --git a/assessments/projects/keycloak/README.md b/community/assessments/projects/keycloak/README.md similarity index 100% rename from assessments/projects/keycloak/README.md rename to community/assessments/projects/keycloak/README.md diff --git a/assessments/projects/keycloak/docs/image1.png b/community/assessments/projects/keycloak/docs/image1.png similarity index 100% rename from assessments/projects/keycloak/docs/image1.png rename to community/assessments/projects/keycloak/docs/image1.png 
diff --git a/assessments/projects/keycloak/docs/image10.png b/community/assessments/projects/keycloak/docs/image10.png similarity index 100% rename from assessments/projects/keycloak/docs/image10.png rename to community/assessments/projects/keycloak/docs/image10.png diff --git a/assessments/projects/keycloak/docs/image11.png b/community/assessments/projects/keycloak/docs/image11.png similarity index 100% rename from assessments/projects/keycloak/docs/image11.png rename to community/assessments/projects/keycloak/docs/image11.png diff --git a/assessments/projects/keycloak/docs/image2.png b/community/assessments/projects/keycloak/docs/image2.png similarity index 100% rename from assessments/projects/keycloak/docs/image2.png rename to community/assessments/projects/keycloak/docs/image2.png diff --git a/assessments/projects/keycloak/docs/image3.png b/community/assessments/projects/keycloak/docs/image3.png similarity index 100% rename from assessments/projects/keycloak/docs/image3.png rename to community/assessments/projects/keycloak/docs/image3.png diff --git a/assessments/projects/keycloak/docs/image4.png b/community/assessments/projects/keycloak/docs/image4.png similarity index 100% rename from assessments/projects/keycloak/docs/image4.png rename to community/assessments/projects/keycloak/docs/image4.png diff --git a/assessments/projects/keycloak/docs/image5.png b/community/assessments/projects/keycloak/docs/image5.png similarity index 100% rename from assessments/projects/keycloak/docs/image5.png rename to community/assessments/projects/keycloak/docs/image5.png diff --git a/assessments/projects/keycloak/docs/image6.png b/community/assessments/projects/keycloak/docs/image6.png similarity index 100% rename from assessments/projects/keycloak/docs/image6.png rename to community/assessments/projects/keycloak/docs/image6.png 
diff --git a/assessments/projects/keycloak/docs/image7.png b/community/assessments/projects/keycloak/docs/image7.png similarity index 100% rename from assessments/projects/keycloak/docs/image7.png rename to community/assessments/projects/keycloak/docs/image7.png diff --git a/assessments/projects/keycloak/docs/image8.png b/community/assessments/projects/keycloak/docs/image8.png similarity index 100% rename from assessments/projects/keycloak/docs/image8.png rename to community/assessments/projects/keycloak/docs/image8.png diff --git a/assessments/projects/keycloak/docs/image9.png b/community/assessments/projects/keycloak/docs/image9.png similarity index 100% rename from assessments/projects/keycloak/docs/image9.png rename to community/assessments/projects/keycloak/docs/image9.png diff --git a/assessments/projects/keycloak/self-assessment.md b/community/assessments/projects/keycloak/self-assessment.md similarity index 100% rename from assessments/projects/keycloak/self-assessment.md rename to community/assessments/projects/keycloak/self-assessment.md diff --git a/assessments/projects/knative/knative_dia.png b/community/assessments/projects/knative/knative_dia.png similarity index 100% rename from assessments/projects/knative/knative_dia.png rename to community/assessments/projects/knative/knative_dia.png diff --git a/assessments/projects/knative/recommendations.md b/community/assessments/projects/knative/recommendations.md similarity index 100% rename from assessments/projects/knative/recommendations.md rename to community/assessments/projects/knative/recommendations.md diff --git a/assessments/projects/knative/self-assessment.md b/community/assessments/projects/knative/self-assessment.md similarity index 100% rename from assessments/projects/knative/self-assessment.md rename to community/assessments/projects/knative/self-assessment.md 
diff --git a/assessments/projects/kyverno/README.md b/community/assessments/projects/kyverno/README.md similarity index 100% rename from assessments/projects/kyverno/README.md rename to community/assessments/projects/kyverno/README.md diff --git a/assessments/projects/kyverno/images/kyverno-architecture.png b/community/assessments/projects/kyverno/images/kyverno-architecture.png similarity index 100% rename from assessments/projects/kyverno/images/kyverno-architecture.png rename to community/assessments/projects/kyverno/images/kyverno-architecture.png diff --git a/assessments/projects/kyverno/images/kyverno-physical-architecture.png b/community/assessments/projects/kyverno/images/kyverno-physical-architecture.png similarity index 100% rename from assessments/projects/kyverno/images/kyverno-physical-architecture.png rename to community/assessments/projects/kyverno/images/kyverno-physical-architecture.png diff --git a/assessments/projects/kyverno/self-assessment.md b/community/assessments/projects/kyverno/self-assessment.md similarity index 100% rename from assessments/projects/kyverno/self-assessment.md rename to community/assessments/projects/kyverno/self-assessment.md diff --git a/assessments/projects/linkerd/self-assessment.md b/community/assessments/projects/linkerd/self-assessment.md similarity index 100% rename from assessments/projects/linkerd/self-assessment.md rename to community/assessments/projects/linkerd/self-assessment.md diff --git a/assessments/projects/longhorn/self-assessment.md b/community/assessments/projects/longhorn/self-assessment.md similarity index 100% rename from assessments/projects/longhorn/self-assessment.md rename to community/assessments/projects/longhorn/self-assessment.md diff --git a/assessments/projects/longhorn/threat-model.md b/community/assessments/projects/longhorn/threat-model.md similarity index 100% rename from assessments/projects/longhorn/threat-model.md rename to community/assessments/projects/longhorn/threat-model.md 
diff --git a/assessments/projects/nats/doc/threat-modeling.md b/community/assessments/projects/nats/doc/threat-modeling.md similarity index 100% rename from assessments/projects/nats/doc/threat-modeling.md rename to community/assessments/projects/nats/doc/threat-modeling.md diff --git a/assessments/projects/nats/images/NATS_Figure_1_Image.jpg b/community/assessments/projects/nats/images/NATS_Figure_1_Image.jpg similarity index 100% rename from assessments/projects/nats/images/NATS_Figure_1_Image.jpg rename to community/assessments/projects/nats/images/NATS_Figure_1_Image.jpg diff --git a/assessments/projects/nats/self-assessment.md b/community/assessments/projects/nats/self-assessment.md similarity index 100% rename from assessments/projects/nats/self-assessment.md rename to community/assessments/projects/nats/self-assessment.md diff --git a/assessments/projects/opa/README.md b/community/assessments/projects/opa/README.md similarity index 100% rename from assessments/projects/opa/README.md rename to community/assessments/projects/opa/README.md diff --git a/assessments/projects/opa/docs/document_model.png b/community/assessments/projects/opa/docs/document_model.png similarity index 100% rename from assessments/projects/opa/docs/document_model.png rename to community/assessments/projects/opa/docs/document_model.png diff --git a/assessments/projects/opa/docs/request_response.png b/community/assessments/projects/opa/docs/request_response.png similarity index 100% rename from assessments/projects/opa/docs/request_response.png rename to community/assessments/projects/opa/docs/request_response.png diff --git a/assessments/projects/opa/self-assessment.md b/community/assessments/projects/opa/self-assessment.md similarity index 100% rename from assessments/projects/opa/self-assessment.md rename to community/assessments/projects/opa/self-assessment.md 
diff --git a/assessments/projects/open-telemetry/self-assessment.md b/community/assessments/projects/open-telemetry/self-assessment.md similarity index 100% rename from assessments/projects/open-telemetry/self-assessment.md rename to community/assessments/projects/open-telemetry/self-assessment.md diff --git a/assessments/projects/openfga/OpenFGA Playground.png b/community/assessments/projects/openfga/OpenFGA Playground.png similarity index 100% rename from assessments/projects/openfga/OpenFGA Playground.png rename to community/assessments/projects/openfga/OpenFGA Playground.png diff --git a/assessments/projects/openfga/self-assessment.md b/community/assessments/projects/openfga/self-assessment.md similarity index 100% rename from assessments/projects/openfga/self-assessment.md rename to community/assessments/projects/openfga/self-assessment.md diff --git a/assessments/projects/openkruise/self-assessment.md b/community/assessments/projects/openkruise/self-assessment.md similarity index 100% rename from assessments/projects/openkruise/self-assessment.md rename to community/assessments/projects/openkruise/self-assessment.md diff --git a/assessments/projects/openkruise/threat-model.md b/community/assessments/projects/openkruise/threat-model.md similarity index 100% rename from assessments/projects/openkruise/threat-model.md rename to community/assessments/projects/openkruise/threat-model.md diff --git a/assessments/projects/openmetrics/STRIDE Threat Modeling.pdf b/community/assessments/projects/openmetrics/STRIDE Threat Modeling.pdf similarity index 100% rename from assessments/projects/openmetrics/STRIDE Threat Modeling.pdf rename to community/assessments/projects/openmetrics/STRIDE Threat Modeling.pdf 
diff --git a/assessments/projects/openmetrics/self-assessment.md b/community/assessments/projects/openmetrics/self-assessment.md similarity index 100% rename from assessments/projects/openmetrics/self-assessment.md rename to community/assessments/projects/openmetrics/self-assessment.md diff --git a/assessments/projects/operator-framework/self-assessment.md b/community/assessments/projects/operator-framework/self-assessment.md similarity index 100% rename from assessments/projects/operator-framework/self-assessment.md rename to community/assessments/projects/operator-framework/self-assessment.md diff --git a/assessments/projects/pixie/README.md b/community/assessments/projects/pixie/README.md similarity index 100% rename from assessments/projects/pixie/README.md rename to community/assessments/projects/pixie/README.md diff --git a/assessments/projects/pixie/self-assessment.md b/community/assessments/projects/pixie/self-assessment.md similarity index 100% rename from assessments/projects/pixie/self-assessment.md rename to community/assessments/projects/pixie/self-assessment.md diff --git a/assessments/projects/rook/Rook High-Level Architecture.png b/community/assessments/projects/rook/Rook High-Level Architecture.png similarity index 100% rename from assessments/projects/rook/Rook High-Level Architecture.png rename to community/assessments/projects/rook/Rook High-Level Architecture.png diff --git a/assessments/projects/rook/self-assessment.md b/community/assessments/projects/rook/self-assessment.md similarity index 100% rename from assessments/projects/rook/self-assessment.md rename to community/assessments/projects/rook/self-assessment.md diff --git a/assessments/projects/spiffe-spire/README.md b/community/assessments/projects/spiffe-spire/README.md similarity index 100% rename from assessments/projects/spiffe-spire/README.md rename to community/assessments/projects/spiffe-spire/README.md 
diff --git a/assessments/projects/spiffe-spire/docs/image0.png b/community/assessments/projects/spiffe-spire/docs/image0.png similarity index 100% rename from assessments/projects/spiffe-spire/docs/image0.png rename to community/assessments/projects/spiffe-spire/docs/image0.png diff --git a/assessments/projects/spiffe-spire/docs/image1.png b/community/assessments/projects/spiffe-spire/docs/image1.png similarity index 100% rename from assessments/projects/spiffe-spire/docs/image1.png rename to community/assessments/projects/spiffe-spire/docs/image1.png diff --git a/assessments/projects/spiffe-spire/docs/image2.png b/community/assessments/projects/spiffe-spire/docs/image2.png similarity index 100% rename from assessments/projects/spiffe-spire/docs/image2.png rename to community/assessments/projects/spiffe-spire/docs/image2.png diff --git a/assessments/projects/spiffe-spire/docs/image3.png b/community/assessments/projects/spiffe-spire/docs/image3.png similarity index 100% rename from assessments/projects/spiffe-spire/docs/image3.png rename to community/assessments/projects/spiffe-spire/docs/image3.png diff --git a/assessments/projects/spiffe-spire/docs/image4.png b/community/assessments/projects/spiffe-spire/docs/image4.png similarity index 100% rename from assessments/projects/spiffe-spire/docs/image4.png rename to community/assessments/projects/spiffe-spire/docs/image4.png diff --git a/assessments/projects/spiffe-spire/docs/image5.png b/community/assessments/projects/spiffe-spire/docs/image5.png similarity index 100% rename from assessments/projects/spiffe-spire/docs/image5.png rename to community/assessments/projects/spiffe-spire/docs/image5.png diff --git a/assessments/projects/spiffe-spire/docs/image6.png b/community/assessments/projects/spiffe-spire/docs/image6.png similarity index 100% rename from assessments/projects/spiffe-spire/docs/image6.png rename to community/assessments/projects/spiffe-spire/docs/image6.png 
diff --git a/assessments/projects/spiffe-spire/docs/image7.png b/community/assessments/projects/spiffe-spire/docs/image7.png similarity index 100% rename from assessments/projects/spiffe-spire/docs/image7.png rename to community/assessments/projects/spiffe-spire/docs/image7.png diff --git a/assessments/projects/spiffe-spire/self-assessment.md b/community/assessments/projects/spiffe-spire/self-assessment.md similarity index 100% rename from assessments/projects/spiffe-spire/self-assessment.md rename to community/assessments/projects/spiffe-spire/self-assessment.md diff --git a/assessments/projects/thanos/res/thanos-high-level-arch-diagram-receive.png b/community/assessments/projects/thanos/res/thanos-high-level-arch-diagram-receive.png similarity index 100% rename from assessments/projects/thanos/res/thanos-high-level-arch-diagram-receive.png rename to community/assessments/projects/thanos/res/thanos-high-level-arch-diagram-receive.png diff --git a/assessments/projects/thanos/res/thanos-high-level-arch-diagram-sidecar.png b/community/assessments/projects/thanos/res/thanos-high-level-arch-diagram-sidecar.png similarity index 100% rename from assessments/projects/thanos/res/thanos-high-level-arch-diagram-sidecar.png rename to community/assessments/projects/thanos/res/thanos-high-level-arch-diagram-sidecar.png diff --git a/assessments/projects/thanos/res/workflow1.excalidraw.png b/community/assessments/projects/thanos/res/workflow1.excalidraw.png similarity index 100% rename from assessments/projects/thanos/res/workflow1.excalidraw.png rename to community/assessments/projects/thanos/res/workflow1.excalidraw.png diff --git a/assessments/projects/thanos/res/workflow2.excalidraw.png b/community/assessments/projects/thanos/res/workflow2.excalidraw.png similarity index 100% rename from assessments/projects/thanos/res/workflow2.excalidraw.png rename to community/assessments/projects/thanos/res/workflow2.excalidraw.png 
diff --git a/assessments/projects/thanos/self-assessment.md b/community/assessments/projects/thanos/self-assessment.md similarity index 100% rename from assessments/projects/thanos/self-assessment.md rename to community/assessments/projects/thanos/self-assessment.md diff --git a/assessments/projects/tikv/self-assessment.md b/community/assessments/projects/tikv/self-assessment.md similarity index 100% rename from assessments/projects/tikv/self-assessment.md rename to community/assessments/projects/tikv/self-assessment.md diff --git a/assessments/projects/tikv/src/imgs/distributed_transaction.png b/community/assessments/projects/tikv/src/imgs/distributed_transaction.png similarity index 100% rename from assessments/projects/tikv/src/imgs/distributed_transaction.png rename to community/assessments/projects/tikv/src/imgs/distributed_transaction.png diff --git a/assessments/projects/tikv/src/imgs/layer.png b/community/assessments/projects/tikv/src/imgs/layer.png similarity index 100% rename from assessments/projects/tikv/src/imgs/layer.png rename to community/assessments/projects/tikv/src/imgs/layer.png diff --git a/assessments/projects/tikv/src/imgs/raft_consensus.png b/community/assessments/projects/tikv/src/imgs/raft_consensus.png similarity index 100% rename from assessments/projects/tikv/src/imgs/raft_consensus.png rename to community/assessments/projects/tikv/src/imgs/raft_consensus.png diff --git a/assessments/projects/tikv/src/imgs/sharding.png b/community/assessments/projects/tikv/src/imgs/sharding.png similarity index 100% rename from assessments/projects/tikv/src/imgs/sharding.png rename to community/assessments/projects/tikv/src/imgs/sharding.png diff --git a/assessments/projects/tikv/src/imgs/tikv_wholepic.png b/community/assessments/projects/tikv/src/imgs/tikv_wholepic.png similarity index 100% rename from assessments/projects/tikv/src/imgs/tikv_wholepic.png rename to community/assessments/projects/tikv/src/imgs/tikv_wholepic.png 
diff --git a/assessments/projects/tikv/tikv-threat-model.md b/community/assessments/projects/tikv/tikv-threat-model.md similarity index 100% rename from assessments/projects/tikv/tikv-threat-model.md rename to community/assessments/projects/tikv/tikv-threat-model.md diff --git a/assessments/projects/volcano/arch.png b/community/assessments/projects/volcano/arch.png similarity index 100% rename from assessments/projects/volcano/arch.png rename to community/assessments/projects/volcano/arch.png diff --git a/assessments/projects/volcano/recommendations.md b/community/assessments/projects/volcano/recommendations.md similarity index 100% rename from assessments/projects/volcano/recommendations.md rename to community/assessments/projects/volcano/recommendations.md diff --git a/assessments/projects/volcano/self-assessment.md b/community/assessments/projects/volcano/self-assessment.md similarity index 100% rename from assessments/projects/volcano/self-assessment.md rename to community/assessments/projects/volcano/self-assessment.md diff --git a/assessments/projects/volcano/threat-analysis.md b/community/assessments/projects/volcano/threat-analysis.md similarity index 100% rename from assessments/projects/volcano/threat-analysis.md rename to community/assessments/projects/volcano/threat-analysis.md From 46fc12bf6bc42e6e6c8ec7c173d50c75b2066519 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Vega?= Date: Fri, 21 Jun 2024 13:15:49 -0700 Subject: [PATCH 27/27] Fix markdown issues and link to survey MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andrés Vega --- .github/ISSUE_TEMPLATE/joint-review.md | 10 +++++----- community/assessments/guide/README.md | 12 +++++------- community/assessments/guide/review-survey.md | 13 +++---------- 3 files changed, 13 insertions(+), 22 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/joint-review.md b/.github/ISSUE_TEMPLATE/joint-review.md index f96d62782..c5cfc9dec 100644 
--- a/.github/ISSUE_TEMPLATE/joint-review.md +++ b/.github/ISSUE_TEMPLATE/joint-review.md @@ -20,11 +20,11 @@ CNCF project stage and issue (NA if not applicable): Security Provider: yes/no (e.g. Is the primary function of the project to support the security of an integrating system?) - [ ] Identify team - - [ ] Project security lead - - [ ] Lead security reviewer - - [ ] 1 or more additional reviewer(s) - - [ ] Every reviewer has read [security reviewer guidelines](https://github.com/cncf/tag-security/blob/main/assessments/guide/security-reviewer.md) and stated declaration of conflict - - [ ] Sign off by facilitator on reviewer conflicts + - [ ] Project security lead + - [ ] Lead security reviewer + - [ ] 1 or more additional reviewer(s) + - [ ] Every reviewer has read [security reviewer guidelines](https://github.com/cncf/tag-security/blob/main/assessments/guide/security-reviewer.md) and stated declaration of conflict + - [ ] Sign off by facilitator on reviewer conflicts - [ ] Create slack channel (e.g. #sec-assess-projectname) - [ ] Project lead provides draft document - see [outline](https://github.com/cncf/tag-security/blob/main/assessments/guide/joint-review.md) - [ ] "Naive question phase" Lead Security Reviewer asks clarifying questions diff --git a/community/assessments/guide/README.md b/community/assessments/guide/README.md index 67c160064..0f7a0085b 100644 --- a/community/assessments/guide/README.md +++ b/community/assessments/guide/README.md @@ -5,7 +5,7 @@ different projects, this document outlines the procedure by which a project should be assessed during a TAG-Security Security Assessment (TSSA). * [Roles](#roles) -* [TSSA package steps](#TSSA-package-steps) +* [TSSA package steps](#tssa-package-steps) * [New projects](#new-projects) 1. [Self-assessment](#complete-a-self-assessment) 2. [Create issue](#create-a-presentation-issue) 
@@ -13,10 +13,8 @@ should be assessed during a TAG-Security Security Assessment (TSSA). 4. [Submit PR](#submit-a-pr-to-include-the-self-assessment-in-the-repo) * [Growing projects](#growing-projects) 1. [Create issue](#create-tracking-issue) - 2. [Draft joint - assessment](#project-leverages-self-assessment-to-draft-joint-assessment) - 3. [Reviewers - assigned](#project-provides-the-joint-assessment-and-reviewers-are-assigned) + 2. [Draft joint assessment](#project-provides-the-joint-assessment-and-reviewers-are-assigned) + 3. [Reviewers assigned](#project-provides) 4. [Conflict of interest](#conflict-of-interest-statement-and-review) 5. [Clarifying questions](#clarifying-questions-phase) 6. [Assessment](#security-assessment-with-optional-hands-on-assessment) @@ -176,7 +174,7 @@ assessment, the hands-on assessment is included in this step. * It is highly recommended that security reviewers familiarize themselves with the project's repo and docs if available * **Security reviewers and project lead/POCs** ensure all reviewer questions, - comments, and feedback are addressed and finalize the joint assessment + comments, and feedback are addressed and finalize the joint assessment * **Lead security reviewer or their designee,** with the assistance of the **security reviewers** create a [draft summary document](joint-readme-template.md) to capture existing comments, feedback, @@ -213,7 +211,7 @@ assessment and presentation slides. * PR approval of at least 1 **co-chair**, alongside other **reviewers'** approvals, is required before merging any artifacts. -#### [Post-assessment survey](assessment-survey.md) +#### [Post-assessment survey](review-survey.md) The should be completed by the **reviewers**, **project lead**, and other members of the TSSA. Once complete the survey may be shared directly to the diff --git a/community/assessments/guide/review-survey.md b/community/assessments/guide/review-survey.md index 406587698..c7dbbc401 100644 
--- a/community/assessments/guide/review-survey.md +++ b/community/assessments/guide/review-survey.md @@ -10,20 +10,16 @@ self-assessment or joint assessment and should be completed at the end. 1. *Did the project team find the TSSA Process valuable to the security stature of the project?* - 2. *Did the reviewers find the TSSA Process valuable for establishing and evaluating the current security health of the project?* - 3. *What was the most valuable artifact or portion of the process?* - ## Quality 1. *Is the quality of the TSSA package / artifacts on par with previous TSSA packages (formerly assessments)?* - 2. *For self-assessments, was the self-assessment content helpful for assisting in the security documentation of the project?* @@ -32,7 +28,6 @@ self-assessment or joint assessment and should be completed at the end. 1. *Were there parts of the TSSA Process that could be improved, such as timeliness, communication, etc.?* - 2. *Are portions of the artifacts produced from this assessment duplicate, or better left as references elsewhere?* @@ -42,12 +37,10 @@ assessment?* ## Other -1. *Would you recommend other projects receive a TSSA?* - +1. *Would you recommend other projects receive a TSSA?* -2. *What areas of the TSSA Process (templates, instructions, +2. *What areas of the TSSA Process (templates, instructions, etc.) can be improved to make the experience and resulting artifacts more useful or desirable?* - -3. *What additional feedback do you have?* +3. *What additional feedback do you have?*
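Review bot: the re-indented checklist items in `.github/ISSUE_TEMPLATE/joint-review.md` still link to `https://github.com/cncf/tag-security/blob/main/assessments/guide/security-reviewer.md` and `https://github.com/cncf/tag-security/blob/main/assessments/guide/joint-review.md`, but this series renames `assessments/` to `community/assessments/` (see the `rename from assessments/... rename to community/assessments/...` entries above, and the `community/assessments/guide/README.md` path in the diff stat). Once merged, both links in the issue template will point at paths that no longer exist; since this hunk already rewrites those lines, update them to `.../blob/main/community/assessments/guide/security-reviewer.md` and `.../blob/main/community/assessments/guide/joint-review.md` in the same change.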
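Review bot: the new anchors for items 2 and 3 under "Growing projects" in the `@@ -13,10 +13,8 @@` hunk of `community/assessments/guide/README.md` look wrong. Item 2, "Draft joint assessment", now points at `#project-provides-the-joint-assessment-and-reviewers-are-assigned`, which is the target item 3 used before this change, and item 3, "Reviewers assigned", points at `#project-provides`, a truncated slug that no heading in this diff produces. The diff stat lists only three files and no heading lines are touched, so the original targets should survive the join onto one line: `2. [Draft joint assessment](#project-leverages-self-assessment-to-draft-joint-assessment)` and `3. [Reviewers assigned](#project-provides-the-joint-assessment-and-reviewers-are-assigned)`. Please verify both against the actual section headings further down the README before merging.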
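Review bot: in the `@@ -213,7 +211,7 @@` hunk of `community/assessments/guide/README.md`, the link fix from `assessment-survey.md` to `review-survey.md` matches the file name in the diff stat, but the context line immediately below the heading, "The should be completed by the **reviewers**, **project lead**, and other members of the TSSA.", is missing its subject. Since the hunk already touches this paragraph, change it to "The survey should be completed by the **reviewers**, **project lead**, and other members of the TSSA." in the same commit rather than leaving the typo for a follow-up.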
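Review bot: the `@@ -10,20 +10,16 @@` hunk of `community/assessments/guide/review-survey.md` removes the blank lines between the numbered questions, which turns these Markdown lists from loose to tight rendering (the same is done in the `@@ -32` and `@@ -42` hunks, so the file stays consistent). The questions that wrap across lines, for example item 1 in the Feedback section, continue to attach to their item through lazy continuation, so the structure is preserved, but the rendered survey will now show the questions without paragraph spacing. If the spacing was intentional, indent the continuation lines by three spaces and keep one blank line between items instead; if the aim was only to silence a whitespace lint, this is fine as is.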