Welcome. This is the TAG Security highlights, so hopefully you're in the right room. I'm Marina. I'm one of the co-chairs of TAG Security, and I'm here today with Mike.

Hi, I'm Mike Lieberman. I'm a tech lead on TAG Security as well as a governing board member of the OpenSSF, a TAC member of the OpenSSF, and CTO of Kusari.

Yeah, and unfortunately our third speaker couldn't make it here today, but we're giving her credit for helping out anyway. Let's go ahead and get started. This is the plan for the day. We're going to talk a little bit about who we are, what we do in TAG Security, what's been going on recently in TAG Security, and how all of you can get involved and be part of the group as well.

This is just a very quick overview of what we do at TAG Security. We have a GitHub repository where a lot of our work is hosted and which links out to the various sub-projects and all the things going on. It's a somewhat popular GitHub repo. It's available there for folks who are curious to learn more about anything we talk about today; that's a good place to start. We're a group of lots of different types of people. We have enthusiasts, professionals, students. I'm a student, a PhD student here. Mike is a professional, I guess, and anyone is welcome. We're really a group for everyone who cares about security in the cloud native community, so that includes all of you, right? Our goal is to strengthen the security of the ecosystem, find gaps, and provide education, things like white papers and other ways to educate the community about security, as well as foster the maturity of projects in their security posture and engage with all of the different projects in the cloud native space, especially the CNCF projects, but really anyone in the cloud native space looking to improve their security. Our charter is listed here as well.

We focus on protection of cloud native systems while providing needed access. That second clause is also important, right? We want to make sure that we're improving the security while also ensuring that usability and all of that is still possible. We focus on common understanding and common tooling to help developers meet security requirements. So one of the things we do is take these big efforts, buzzwords, and new standards and try to translate them into something that provides actionable steps for projects to actually improve their security posture, and also provide common tooling for audit and reasoning about security properties. So what does that mean in practice? Oh, first of all, this is who we are. This is the leadership team of TAG Security. You'll see both of us there as well as lots of other wonderful people who help get all of this work done, so shout out to all of these folks.

Now we're going to talk a bit about what this actually looks like in practice, some of the efforts we've been working on recently, and then go into some of the ongoing efforts where you all can get involved, and just more about what we do. The first thing I wanted to highlight that happened recently was a relaunch of the Security Pals effort with NYU. One of the big goals of TAG Security is to provide security feedback to CNCF projects, and we do this in a few different ways. There's a security assessment process that has evolved over the years, but it really provides an opportunity for security practitioners in TAG Security to do audits of projects. The first step in this assessment process is a self-assessment, where projects go in and look at their own project, assess the security, and provide us with the context we need to then do the rest of the assessment process.

This relaunch of the Security Pals process really allowed us to speed up this self-assessment process for a lot of projects, because it is a lot of work for projects to do the self-assessment, and so it's often a blocker to getting the security assessment done. So we partnered with NYU and Justin Cappos, who was on that previous slide (oh, he's over there too), and worked with a bunch of students, I think some of them are even here, to review a bunch of CNCF projects and help them make this self-assessment. It was an incredibly successful effort, with 28 CNCF projects reviewed and 26 of these merged into the TAG Security repo, ready for projects to take that next step: do a review of this assessment as an easier self-assessment before going through the whole process.

Another thing I wanted to highlight that the TAG has been doing recently is some of the work in the supply chain security space. We recently wrote a blog post about policy as code in the software supply chain, which is linked in these slides, which will be available soon if they're not yet. It provides a high-level overview of using policy as code to secure your software supply chain. The goal is to provide a high-level overview that's really easily accessible, to help people who are just hearing about some of these things for the first time figure out where to get started. The other big thing I wanted to highlight is the kickoff of the Software Supply Chain Best Practices v2 effort. We'll talk a bit more about our white paper efforts in a minute, but we have a Software Supply Chain Security Best Practices white paper published by the TAG a couple of years ago, and of course a lot has changed in the supply chain space in the past couple of years. We want to update this document and also really expand its readability and usability to a wide range of audiences.
This is an effort that's just getting started, so it's a great time to come in if you have feedback about v1 or new ideas for ways to improve it and want to get involved in the writing process. I'll hand over to Mike to talk about some ongoing efforts in the TAG.

Sure. We have an automated governance reference architecture that's currently being built out. There are a lot of overloaded terms in security, and when it comes to policy, policy right now is often clear, distinct rules, and governance is often how you manage policy across multiple domains. There is a reference architecture being built up there, and there's a working group that meets, I believe, every other week currently that is focused on that. Most recently we also have a new compliance working group. Once again, security and compliance often go hand in hand, not always in the greatest ways, but we now have a working group that's very much focused on compliance. It's looking at bringing in a lot of the different tools, but also frameworks and standards like OSCAL, which is an open source controls assessment language, among other things, to pull in some of that work, and then also to help coordinate and collaborate with the broader security community, so that we can start to maybe solve things with one tool as opposed to two. We also have, and this is a very long ongoing project, a catalog of supply chain compromises. This is essentially a whole list of descriptions of supply chain attacks that have happened. Most of them are cloud native, not all of them, but most of them. So it's a catalog of different attacks: when they happened, what the type of attack was, and that sort of thing. It has proven to be very useful and has been used by researchers in some of their research as well.

We also have a whole lot of security assessments going on, and in particular there are the KubeEdge and Kubeflow security assessments currently underway. Those are actually happening in the TAG Security Europe, Middle East and Africa meetings, which happen during those friendlier time zones, and they're obviously looking for more contributions; we'd love to get more support there. Then on an ongoing basis we also have contributions from folks to help translate the white papers into all sorts of languages. The most common one is the TAG Security Cloud Native Security white paper, and I've lost count of how many languages.

Yeah, we've released, I think, more than five different languages, maybe 10, but we'd welcome more, so if you speak a language that's not on there, let us know.

All right, so where to jump in? What are we looking for right now? We have weekly meetings for the TAG and the working groups in the TAG. There are weekly meetings that happen in a North America time zone, 1700 UTC, and we also have meetings that happen every other week at 1300 UTC. Just be aware that those times are subject to change, so please look at the TAG Security calendar for the most up-to-date information. Once again, we have lots of different working groups, from the supply chain security working group to the compliance working group. Some of the working groups get spun down, at least temporarily, like the controls working group, once a bunch of work is done, if folks decide, hey, we don't want to work on it anymore, or we don't think there's something new to work on yet; we spin down some of those groups. So we have stuff there, and then also tomorrow and Friday we have the Security Hub. Do you want to talk about that?
Sure, yeah. This has been an effort for the past couple of KubeCons to bring more security to the main KubeCon event. We used to have a co-located event on day zero of KubeCon, and now we've transitioned it to happen at the same time, to better interact with not just security people but anyone interested in doing security at their organization. This year the Security Hub will be on just Thursday and Friday of the conference. There'll be a space somewhere on this floor (oh yeah, there's the room number), and there'll be two different types of events, well, I guess three. We have the unconference sessions, where you can submit an idea online; we'll review those and create a schedule of unconference sessions. These are more informal talks: you don't need slides and everything like that, maybe just an idea you want to talk about with the group. Then there are birds of a feather sessions, which are even more informal, casual chats. If you have a security topic you want to meet up with folks to talk about, this is a great opportunity; we'll have a board available at the Security Hub to put your topic down for that as well, and we're trying to get those announced on the schedule as much as possible. And of course there's also a CTF, capture the flag, event that we've been doing at the Security Hub, which has been very successful in the past, so hopefully it'll be very fun again this year. If you're interested in that, I believe there's an information session about it if you're new to CTFs and want to learn about it, or you can just head to the Security Hub and get going if you've done it before. That's the information about where it is. Please join us there on Thursday and Friday. It's all day, so the unconference sessions will generally be the first half of the day, birds of a feather generally the second half of the day, and the CTF the whole time. I think it does close at some point, but I don't remember the exact time.

Yeah, it should all be on Sched under Security Hub.

Yeah, they should be labeled Security Hub on the schedule, so hopefully that's all there. Usually in the past we've gotten a lot of questions about TAG Security, so we keep this presentation relatively short, so that folks who are interested and want to understand more about the specifics of any of the projects are more than welcome to ask questions. If folks want to know more about the unconference, feel free to ask questions, but we keep these short because usually we get a ton of questions at the end.

Yeah, and if anyone wants to get involved and isn't sure where to start, this is a great place to ask and say, this is what I'm bringing, and how can we fit that in. We really have space for all kinds of different skill sets in the TAG.

Yeah, and everyone's welcome. I apologize in advance, I will most likely be calling on some of the regular TAG Security members to talk about their own experiences as well. But I'm going to open it up to the floor. Do folks have questions about TAG Security, what we're working on, how to get involved, or anything about the unconference that's going to be happening over the next few days?

Yeah, so the question is about how to get involved and what kind of skills you have to bring. It really depends on how you want to get involved; I think there's space for a lot of different things. If you're interested in getting involved from a technical security perspective, the security assessments are a good place to start, both to learn more about that process and about technical security, and also if you have that expertise already. It's kind of both sides there. I think there's also some amount of, as with every open source project, GitHub organization and project management type work that is always welcome, like issue organization, that kind of thing. That's always good, as well as writing: we work on a lot of white papers and other outputs for the group, so both technical input to those documents and editorial input are always welcome as well. Anything else you can think of?

Yeah, so what I'll say is, about three years ago I started getting involved in TAG Security, and before that I didn't really have a traditional security background at all. I was in a DevOps or DevSecOps sort of role, but the community was super welcoming, and there's a ton of content and linked content from the various white papers that helped get me up to speed. So we're looking for all sorts, and also folks who are just interested. Another thing to highlight here is that we also often have demos of various security projects underneath the CNCF and related open source security projects that regularly give presentations. So if you just want to learn, you're more than welcome to sit in on the meeting as well.

Would one of you be willing to open the service desk ticket so we could make Ricky Raccoon an official friend?

I could open that ticket, yeah.

Fantastic, because yeah, we're still not a friend.

And how long has Ricky Raccoon been around?

I don't know the exact number of years. This is our TAG Security logo; this is very small for all of you out there, so you probably can't see it. Do we have it on here? I know we have it in... anyway, if you go to our GitHub repo you can see it. Here, we'll go to it now. There it is, that's much bigger. We have our TAG Security raccoon logo.

Yeah, so we've got to get that in front, so if anyone here is an author on that, let us know.

Hi, and thank you for the talk. What are the differences, or how does TAG Security pair with the work of the OpenSSF?

Fantastic question. Sure. As a TAG Security lead and a governing board member of the OpenSSF and TAC member of the OpenSSF: the CNCF is heavily focused on cloud native, so stuff in Kubernetes, stuff in public cloud, private cloud, all that sort of stuff. So, let me just start by saying, if you're thinking about where to go purely for cloud native security, you'd probably go to the CNCF. If you're thinking about open source security more broadly, and that includes some elements of cloud native, but more broadly open source security, which can also include open source legacy libraries that run on whatever, you would go to the OpenSSF. But there is a strong partnership between the two groups, because usually the CNCF is coming out with all the latest and greatest technologies that are then driving the change, and that includes driving security change, and so a lot of the stuff there is ending up in the OpenSSF and vice versa. Just as an example, there's a CNCF project called TUF, The Update Framework, which now has a new tool, a new framework or service, called gittuf, which is essentially applying that set of rules to Git. Because that applies more broadly, purely to Git, it felt like it should belong under the OpenSSF. Then there's also another project called SBOMit, which combines SBOM and in-toto. in-toto is another CNCF project, so how can you apply the similar sorts of practices that in-toto does to generating and verifying SBOMs? So there is a lot there. I will say that there are still a lot more areas for us to collaborate, and we're always very interested in that cross-pollination and cross-collaboration.

There was another hand over there earlier; I don't know if you still have a question.

Yeah, we answered it already, sorry, I was shy. Do you have any white papers you can highlight especially, or white papers you're currently working on?

Yeah, so I'm not going to try to use GitHub while I talk, but I can pull them up while I talk. I think the one I would say to start with is just our Cloud Native Security white paper, which is an overview of cloud native security. There are two versions of it, a v1 and a v2; obviously look at the v2, and we're probably doing another update of that in a year or so, depending on interest and so on. That's probably a good place to start just because it's the most general. But if you have a particular area of sub-interest, I think we have a couple of others to look at. There's the Supply Chain Security Best Practices white paper, which I touched on a little bit earlier, which we're doing a v2 effort of now, but it's also another good one to look at. And finally, I think we have a recently released... is it released? Which one? The, what is it, oh, fuzzing, yeah, yes, sorry. And I think there's also the controls... does the controls group have a white paper?

I don't think it has a white paper, but we also have a controls catalog that's focused on cloud native. So for folks who are coming from those industries where you need to have a spreadsheet of controls, hey, we have that, and we've mapped that back to stuff like NIST controls, so you can understand, if this NIST 800-53 control says something, here's a cloud native way to implement that.

I think the zero knowledge, sorry, the word was escaping me, but they also recently had a white paper about that, so that's another interesting one to look at. And then there's also the Secure Software Factory reference architecture as well, which is focused on building out a secure build platform using cloud native technologies in order to help secure the supply chain.

Okay, so I guess the TAG is community driven mostly, but is there any big organization providing, for example, more engineers than the rest? I'm thinking about Google, for example, Red Hat, Microsoft. Are any of these organizations heavily involved?

I would say mostly no, actually. I think that it's very community driven. We do have participation from lots of both big and small companies, and not even companies, lots of different participation. I think what we've mostly focused on in TAG Security is providing that guidance and that overview rather than actually writing code and maintaining code in this space. I think we've found this to be a more sustainable model for making sure that stuff stays up to date, because if we release a library as a security group, we obviously want to make sure that it's always up to date and always maintained. So by focusing on guidance and then allowing other folks to focus on the implementation, that's worked so far. Not that we're opposed to doing that work, it's just...

Yeah, and also in general we've shied away from writing too much code because we also don't want to compete with CNCF's own members who might be building their own tools in the space as well. So we've focused, as Marina mentioned, more on white papers and building out best practices, and we'll highlight some key examples. And I think also on that front, we've found, for better or worse, a lot of great folks from a lot of great organizations, both small and large, so I would say it's all over the place. We have attendance from startups, some of whom are world-leading experts, and then we also do have contributions from folks like IBM, Google, Microsoft as well. Any other questions? If there's nothing else, we can end a little early. Okay, thanks.