I am relentlessly hawking the book that I wrote last year, doing a book signing at the booth later, if hacking Kubernetes is of interest to you, and I'm here with my co-presenters and tech leads from TAG Security to walk you through what we do and give you a chance to ask us how we feel about the work that we do. First of all, an introduction. Everything is run through GitHub. We are developer focused. We have a developer mindset. We pay a lot of attention to attempting to divorce the traditional perception of security whereby releases are blocked. Last-minute understanding of technical concepts and problems. Instead, we look to embed at the beginning of the lifecycle of a project as it enters the CNCF. As I say, focus on this developer-driven mindset. Everything is done in public. Everything is in the open. Individual issues are raised in a developer workflow style on GitHub. We work in a pull request mentality as well. You can go and see exactly what we are doing by virtue of browsing. We hold meetings every other week on the US-centric time zone, and, alternately, the cadence is the same for an EMEA-friendly time zone. Depending on which side of the pond you are on, or, indeed, which time zone is more convenient for people slightly further out, we hope that there is a time zone that makes contribution possible. We just run meetings on Zoom. Everything is very open, and everything is then transcribed into a working document where you can catch up or see what the history of the group has been. We are a voluntarily led organisation. Everything is open and participant-driven.
As you can see, this means that security enthusiasts are the DNA of the group. We have everybody from professionals through to academics and researchers. It is a very open and collaborative space. Again, we look to be as inviting and balanced as we can possibly be. What do we do then? The role of TAG Security is to assist projects as they look to graduate up through the CNCF's different levels. What that means is for an individual project that is submitted to the CNCF and looks to take advantage of that reciprocal limelight that admission to the CNCF gives, the marketing budgets, the level of technical quality and community participation and governance that is required, we fulfil the security aspect of that spectrum. A project comes to TAG Security and presents and says this is what we do end-to-end and gives the participants an opportunity to interrogate the maintainers. Why did you make this decision? How does this fit with another project? Where is your threat model for these things? We then go back to the project. There is also a self-assessment role that a project can take and then we feed back into the technical oversight committee and give guidance on how to harden that project, ultimately trying to raise that bar of security in the most consensus and collaborative-driven way that we know how. First of all, strengthening the ecosystem, identifying gaps in the individual projects, and we say this again from a position of compassion. Security is difficult and no one individual has a real full transcendent view of all the potential problems. By projects submitting to the organisation, they have the opportunity to gain various different perspectives from a security application or from a low level design, everything in between, and again we hope that this open collaboration style builds up the quality of the project in the most friendly and compassionate way possible. We also have a mandate for education.
Part of this is we've just spent two days running CloudNative SecurityCon. It was a zero day event that has spawned into a minus one day event. I'm always hesitant to say zero day event in the security context. But we're very proud to say that that will also birth its own independent conference that we'll talk about later. We will continue to intertwine TAG Security with the main KubeCon event going forward, so there is always a home for this level of communication. But yes, we'll talk a little bit more about that as we progress. Fostering maturity again is this goal of ensuring that projects are able to ascend through the CNCF's graduation process with the level of technical rigor that we would expect. Engaging more communities, again reaching out and ensuring that we perform a social community and security function, and finally nurturing growth and participation. And this really is one of the key aspects of the group. Security is difficult. There is often no one true way. Everything is a compromise. And decisions are made that may affect security that have a rationalisation that objectively at first glance may not look fundamentally correct. Making sure that we do this again in the open in a way that everybody has a voice is of foundational importance to the group. And again, it looks to try and dispel some of this older, more calcified view of the security industry where participation is latter stage, deployments are blocked, and there are various holds on the things that actually deliver business value, which is fundamentally shipping features. With that, we move on slightly. We have a charter that is public. This is how we engage with the technical oversight committee. Ultimately, the point of the group is to try and raise that bar of security in, again, a compassionate and collaborative manner. Helping developers to meet security requirements. Most developers do not enjoy shipping security patches because ultimately their bug is not features in many cases.
Helping to make those design decisions easier to make earlier in the life cycle of a project is again foundational to what we really care about. Finally, audit and reasoning about system properties. A lot of tooling does not publish a threat model or an attack tree or a security property matrix. One of the things that the group, one of the excellent pieces of work that the group has undertaken was a threat model for SPIFFE/SPIRE. This publishes a detailed view on the compromise resistance of the system. So SPIFFE/SPIRE is a workload identity and dynamic attestation service. By understanding the model of compromise and how those security properties degrade with certain levels of adversarial access, it means people building on top of that system can make, again, make those design decisions about how they integrate and implement those tools far earlier, and it's that level of democratisation of security information that we are especially interested in. One of the real personal benefits for me of working in the group is the opportunity to collaborate with people who excel in their own specialisations and their own parts of the field. Really, it's an opportunity to learn and grow in public, and as much participation or observation as the individual feels is appropriate is entirely welcome. We're just looking to raise the bar for everybody at the same time, and part of that is outcome driven learning experiences. We have run a capture the flag event at CloudNative SecurityCon and historically for the last four KubeCons as well. These will continue going forward. We're running them at the security con that we'll talk about as well. Again, it's just an opportunity to spread as much information and open the floor as widely as possible by demonstrating the adversarial and attacker mindset to apply the minimum viable controls. We're not looking to constrict maintainers.
We're not looking to apply an overly prescriptive set of security requirements, just the minimum controls to satisfy requirements, ensure agility of the system and make sure that we have a quantifiable baseline, and we do that by demonstrating what can go wrong. Very proud to work with these individuals. As I say, everything here is collaborative, community and voluntarily based. We have representation from across organisations, continents. Very lucky to be working with such a delightful group of people and I will hand over to Marina for more. Thank you. I'll talk a bit now about some of the work we do, some of the ongoing and recently completed work that we've done with the TAG. First of all, I'm going to announce some of the things that the group recently completed or recently finished, including a version two of the CloudNative Security White Paper. This is a white paper that provides guidance to anyone in the CloudNative community about security and in all different types. It has a lot of detail and the 2.0 really makes sure to modernise and include new technologies, new advice. There's also a supply chain security white paper that focuses specifically on supply chain security problems. As we were writing the original security white paper, we realised that this was its own topic that needed a separate discussion, and so that white paper is also available now. In addition, there's a CloudNative Security Controls catalogue which takes some of the same recommendations from the security white paper, but really breaks them down into individual pieces that you have to get done with advice about different tools and other pieces to achieve them, and also mappings to various regulations and requirements like the SSDF and other groups, so you can see how all this different advice that you're getting from all these different places really fits together in a practical way.
Finally, we recently released an audio version of the V1 of the CloudNative Security White Paper for folks who prefer to consume content in audio format. There's a couple of versions of that available. Also, we have some in progress and ongoing work highlighted here. We have a lightweight threat modelling project, and all of these projects here that I'll talk about have links to GitHub. So, as Andy mentioned, all of our work goes through GitHub, so a way to get involved with anything that I'm talking about is just to go to the issues linked on this slide, which will be shared, or talk to the folks tagged in those issues about how to get involved. So, lightweight threat modelling is a project that is designed to help improve the security assessment project for the CNCF. More versions of that CloudNative Security White Paper are also ongoing. The world of security continues to evolve, and so this white paper continues to evolve as well to reflect all the changes that are happening. So, we're working on both the written 3.0 version of this white paper. This working group is just forming, so probably sometime in the next year you'll see more about that. And then we're also working on the audio version of the V2 white paper, because of course the white paper was updated, so now we update the audio version. Next, we have the CloudNative Security Controls mapping. So, this relates to that CloudNative Security Controls catalogue. This is mapping different tools in the ecosystem to those controls so that you can tell immediately, you know, if you look at the whole CNCF landscape, there's a lot of tools available. A lot of security tools even available on that landscape. So, these mappings can help you figure out which of these tools are actually designed to solve each of the different problems that we talk about in security.
Also, the security assessments, one of the key pieces of the TAG is helping all CNCF projects go through security assessments, which are required as part of the process of becoming a CNCF incubating project. So, this is a list of some of the ongoing ones currently. Next, we have the Zero Trust White Paper, another one of these white paper efforts that really focuses on an emerging area in security to get some guidance specific to Zero Trust. And finally, there's a catalogue of supply chain compromises, which is available on GitHub. This is just an ongoing list that keeps track of software supply chain compromises related to CloudNative technologies. And so, we try to keep up with different types of attacks. Not every attack that happens, but all the different types of attacks that happen that we can tell. You know, what are the emerging threats in this space and how can we address those things? So, yeah, next I will hand it off to Raga to talk a bit about creating the CloudNative security community. Thank you, Marina. So, how does all this actually impact? How are we actually making an impact, a meaningful impact, with the community? So, security cannot exist within itself. Security cannot be in a bubble. We need to be able to educate people on all the opportunities that are available, all the support that is available for consumption, as well as inform you about all the products and things that are available for your consumption as well. Alongside, we need to partner with other organisations who are in the similar space, who are complementing our space, and be able to give a holistic view of what are all the things that could go wrong and what are all the things that you could actually make use of to make a project better. So, we have a continuous effort to make awareness possible in our community, and this can be within the CNCF community with, for example, the Kubernetes security team.
We are in constant touch with the team and we also collaborate with them for a better understanding of the community and hardening of the projects itself. And this is also a level up. We also collaborate with the Linux Foundation and its projects and opportunities. OpenSSF is one such collaboration, and we also go beyond the Linux Foundation, for example, the CSA and things like that. So, we are in constant collaboration with other communities who are working in a similar space to provide you the holistic view of all the things that you need to be aware of to make a holistic decision for your project. And we also provide a platform for the projects to come talk to us. We are here for you and we are here to listen and provide feedback for your projects and really uncover all the decisions that you've made. So, Andy mentioned the SPIFFE/SPIRE threat modelling, where we really ask the tough questions on why certain decisions were made, what are the implications of such decisions, and how they are actually doing well and where they could potentially improve. So, these are some of the platforms that we provide, and this is also another opportunity for the community to learn about all the different things that are available for them to go back and make use of those projects. So, it works either way and it's beneficial either way. So, these are some of the efforts that we are taking for raising awareness in the community itself and in focus about the security reviews itself. So, TAG Security will be your pulse for any of the security requirements in your project. We act as a friendly face and we are here to help for anything that you need with respect to security, and we are here to help you either educate or provide a platform for reaching out to multiple folks.
So, that is a main part of our security pulse program, and another is the security assessment, where any project that is looking to come incubate with the CNCF, we work with you for the self-assessment and we help you create a SECURITY.md file, which provides a checklist of all the basic things and basic hardening stuff that needs to be done so you qualify to enter the CNCF community. And once you do that and you are looking to graduate, we also have a joint review program so you can really get deep into it and mature in the overall security posture of the project. So, there are a lot of such reviews that are ongoing, and like the team mentioned, GitHub is our single point of trust and we have all the links that are given here, and if you are interested in any of the projects, come talk to us and get involved. With that, where can you help us today? At the moment, just take a couple of minutes and scan the QR code, and if you can help us with the supply chain security questions that you have or challenges that you are facing, or if you have any feedback for the team, this would be a really good place to make a meaningful difference and a meaningful impact. So take a couple of seconds, scan the QR and please fill out this survey. This will be massively helpful for us. And if you want to join us, we really are a very good team and we are very approachable and helpful, and we help with mentorship for any of the folks who are willing to join us. If you are really interested, check out our roadmap. Like I keep saying, GitHub is our single source of trust and you can find all the previous work and the future work that we are working towards in GitHub. Especially, I've pasted one of the links for our roadmap, so check it out, and whatever issues you are interested in, just put an interested comment there and we will reach out to you. We will provide you with the needed support to get started, and especially if you are a beginner in the space, look for something like good first issue
or help needed, which really makes it easier for all the newcomers to join the community. And we are very active on Slack and we have a couple of communities in the CNCF working group, so join us, and we actively talk on all the new issues, latest and greatest things, and the new stuff that we are working on is always posted there. And some of those working groups and the activities that we are either taking on or publishing are also posted on Twitter, so if you are a Twitter person there is a handle as well that you can follow. And we collaborate on a weekly basis in EMEA as well as US time zones, as Andy mentioned, so you can join either of the time zones or both of them; you are most welcome. So please join us and we collaborate on a weekly basis, whichever is suitable for you. And if for any reason you are like me and miss out on some meetings, no worries, all our meetings are always recorded and it's available as a live stream as well as for later usage, so make sure to check us out. And now the most interesting part: so now we are going from a co-located event to a solo event. So please check us out. We were selling out each time, and we thought why not make this the best use and spin up a new conference out of it. So it's happening on February 1st and 2nd 2023 in Seattle, Washington, so the CFPs are open now. Come join us, spread your knowledge and help the community. With that said, thank you so much from Arakun for taking the time to attend this talk, and here is a QR for sharing the feedback with us. So if you like this talk, please feel free to share the feedback and that will be useful for us. Thank you. Thank you for a great talk. If you have any questions, please wave at me. In terms of security best practices and stuff, are you synchronising with what the OpenSSF projects are starting to move forward with, and thinking of things like security scorecards and the stuff that's happening in Alffronome, is that working now? There's a lot of different
working groups working on different aspects of security. We definitely are working with the OpenSSF, and I think we're trying to coordinate to make sure that there's no duplication of effort. Our focus is really on the cloud native security space. I think the OpenSSF is more generally open source security, and of course there's overlap, but we definitely all talk to each other. There's various members of the TAG who are also members of OpenSSF and vice versa, so definitely ongoing communication. In addition to what Marina said, there's also the question of where some of these projects sit. For example, the CI scorecard, maybe it's kind of the CD Foundation angle, but there are more orchestrators; maybe it could be in the cloud native space, but actually it's general cloud tooling, so that sits with the OpenSSF. It's the same for the FRSCA project, the Factory for Repeatable Software Composition Artefact (I'm going to go with nodding heads, thank you), which was birthed and had its genesis in TAG Security but then actually moved across into the other foundation. So we're very close. If the supply chain security white paper bears testament to this in any way, the list of recommendations includes, for example, things like running the scorecard, cosign and Sigstore of course, which also sit in that project under that foundation rather. So yes, we collaborate as closely as practical. We both have, for example, a supply chain security working group that intersects quite heavily, and our TOC sponsor is Emily Fox, who again bridges the two and has a keen eye on what's happening in both communities. Any more questions? Perfect. The book signing, I think, is, thank you very much, at the Control Plane booth somewhere over there. Perfect. So for the people watching the recording or virtually, the question was when is the book signing for Andrew's book, and you can actually download the first half of the PDF for free at controlplane.io. My work here is done. Any more questions? Is the PDF signed? Yes, you can sign it
yourself, but it's not digitally signed. Yes, last call for questions. Okay, in that case, thank you very much. Hope you enjoy the rest of the session. Thank you.