Thanks, everyone, for coming to this session. I know it's the very end of the conference, and everybody's tired, so I appreciate you sticking around long enough. The purpose of this talk is to get you introduced to the CNCF TAG Security and learn about some of the publications and initiatives it's involved in, and also how you can get involved as well. A lot of this work was already done for me during the keynote and during previous sessions as well. So, by show of hands, does everybody at this point understand what the CNCF TAG Security is, for the most part? OK, so I'll give a brief overview.

But first, a little bit about me. I'm Shlomo. I work as a senior software engineer at CyberArk. I work on Conjur, which is an open source secrets manager used for security and security identity in cloud environments. My role, aside from regular feature development on the product: I engage with the open source community and make lots of upstream contributions, specifically to a lot of projects in TAG Security, which is what brings me here. In my spare time, I like to spend time with my wife and four-year-old daughter. I tinker with 3D printing, fly RC planes, and do woodworking projects. And I'm always happy to connect with new people. You can find me on LinkedIn and GitHub; the links are on the slide. Or you can talk to me afterwards; I'm here until the end.

I've been involved with TAG Security for about a year now, I think. I got more involved after the last KubeCon in Detroit, where I got to meet a lot of the members in person, which really helped jumpstart that. And I really like that these conferences allow us to meet people in person and understand how we can get involved. It's very different meeting people on a GitHub issue as opposed to at a conference in person. So I really appreciate that.

I'm going to do something a little bit different. I'm going to shout out a certain CNCF initiative, which is not really part of TAG Security.
But I love it, and I just had to give it a mention. Is everybody aware of Phippy? Wow, people are really missing out. This is The Illustrated Children's Guide to Kubernetes. Have people heard about this? Wow, OK. A lot more people need to know about this. This is me reading my daughter her favorite bedtime story. And it is her favorite. So for those of you who don't know about this book, you can check it out at phippy.io; it's a CNCF page. They also sell these squishies and plushes of the characters, and there are a bunch of other books. And in fact, if you start educating them early, we'll see if this works, you can get this out of it: "What's your favorite container orchestration platform?" OK. Let's get on with it.

OK, so TAG stands for Technical Advisory Group. CNCF has a large number of technical advisory groups. Well, I don't know what the number is, but there are several. And this is obviously the one that deals with security. We are a developer-focused group. We want to enable developers as opposed to blocking them. We're volunteers from all backgrounds, all over the world, and we try to strengthen security in the cloud-native ecosystem through education; security reviews of CNCF projects, which was covered in a previous talk by Raga and by Andy Martin; publishing resources to help everyone involved in the cloud-native landscape, which is what this talk is going to focus on specifically; and also conferences like this one. This is a project of TAG Security, as were the previous Cloud Native SecurityCons and Security Days that were the predecessors to this conference, which you heard about this morning at the keynote.

We run everything via our GitHub repository, cncf/tag-security. We meet once a week on Zoom, on Wednesdays. One week we meet in a US time zone, and the alternate week we meet in an EMEA-friendly time zone. Meetings are recorded and live streamed, and we have notes, so you can follow along and know what's going on.
Everybody's welcome to come to meetings and get involved in the conversations. And we have different working groups for the different projects that we work on. Here is the leadership team. All these faces were on the keynote slide this morning, so I won't go over it too much; I'll gloss over this a bit.

Let's get into what we do, though. We have a lot of different initiatives, and in the past we've maybe had trouble communicating what all the things we've published are and how people can make use of them. So that's a portion of what this talk is intended to do: show what we have, how it can help you, and how you can contribute. We publish white papers, guidelines, best practices, and then tooling for things like assessments, so that projects can assess what they're doing, whether they're following the best practices, and whether they're doing things in the most secure way. We're not a governance body, and we do not do incident response. That's out of our scope.

A main focus here is our flagship white paper, which is the Cloud Native Security White Paper. Can I have a show of hands? How many people have heard of the Cloud Native Security White Paper? Some. We still have more work to do. OK, great. So this is a white paper that we have. It's written by a lot of authors; it's very much a community project. It's published as a PDF and in Markdown, and we also have an audio recording for people who want to listen to it on their way to work, or washing dishes, or whatever else. The white paper covers a ton of topics. It's contributed to and reviewed by a long list of contributors and community members. It includes the different lifecycle phases of the application: development, deployment, runtime, and on and on. And of course, as with anything in cloud native, things are always evolving. So we originally published version one, then we immediately started a retrospective and started working on version two, and now we have version two published.
And there's going to be a version three, and there are opportunities to get involved in that, which I'll cover in a little more detail soon. The target audience is project teams who do cloud native and want to make sure they're doing it securely.

So I'm just going to show a brief overview. I'm not going to go through the whole white paper, because it is long. But this is the table of contents, just so you can get an idea of what's in scope in the white paper. There are the different lifecycle phases, and it goes by each phase. Lots of information if you want to drill down into something specific. A lot of content. It's really great. And as I said, it's a PDF, but it's also available in Markdown. We have translations, some of which are completed and some of which are in progress, and we're always open to new ones.

I'm going to show a list of GitHub issues. As I mentioned, we run everything through a GitHub repository, and we have GitHub issues for version three already. So if anybody wants to get involved, you just post a comment there, and we'll tell you what you can help out with. We also have our Slack, which I'll show off soon, which is also where we talk about these things, along with our meetings. So again, I'll circle back to all that afterwards.

In addition to this main flagship white paper, we also have a few others. We have the Software Supply Chain Best Practices white paper, which is obviously specifically about supply chain security. We also have a few other things: we have a framework for evaluating your supply chain security. So if you follow the white paper and then you want to see somewhat of a checklist, "did we do this right?", you can go through it here, question by question, and see how you've done. Another publication we have, which, if you want to get involved with something, is pretty easy to get involved in, with a pretty low barrier to entry: we have a catalog of supply chain compromises. Supply chain compromises are happening all the time.
And we wanted there to be a central location for people to look through, research, and analyze real-world cases that have happened, real supply chain incidents, see if they can find things in common, and learn from them. So we created this list; it's published on our GitHub repository. It goes back to, I'm not sure what year it goes back to, it goes back pretty far, like 2003 or something, the first recorded supply chain security attack, and then all the way up till now. If you know of one that's not listed, please submit a PR. And if you're interested in supply chain security, which maybe you're all sick of by now after two days, but if by some miracle you're not sick of it yet, you can learn a lot from this list. It's a great way to get acquainted with real-world impacts.

There are a lot of other projects also, a lot of projects in flight, and we're always looking for people to get involved. Here's a list of some of the GitHub issues that we're currently working on. If there's something that speaks to you, go to that GitHub issue, post a comment, say that you want to contribute, and we can help get you on your way. I'll show this slide again at the end, or you can take a picture of it now.

Another thing: I've talked to a lot of people here at the conference, and something I've found interesting is that when people think about contributing to open source, they often think about writing code or things like that, and they think it's difficult because you need to understand what's going on in a project to be able to write code, or to really understand the depth of it. Something people don't realize is that you can contribute to open source by doing very simple things. I recently had a pull request from somebody who was literally fixing a grammar mistake or a spelling mistake in one of the white papers. That's valuable. That's extremely valuable, and that's something anybody can do, and we encourage you to.
Another thing we do is, as I mentioned, we have our weekly meetings. You can show up to the meetings; the information about that is also on our GitHub repository. Show up to the meetings and just be part of the conversation. We also need somebody to take notes at all the meetings that we have. It's very helpful to have notes afterwards to go through if you missed the meeting, or that kind of thing, to have a record of things, besides the video recording, in a shorter form. If you want to get involved, show up to the meeting and offer to scribe, meaning just take notes as we're going along. That's extremely helpful. Super useful.

One thing I wanted to give special mention to here: lightweight threat modeling was covered by Andy two sessions ago, and security assessments were covered by Raga one session ago. And the Cloud Native Security White Paper we just talked about; this is the issue for 3.0, and this is the audio, which I'll talk about more in a second. We also have a zero trust white paper, which is in progress. Some of you may have met Assad Faizi, who is not here right now, but he's somewhere around, and he's working on that. If you want to get in on that, it's almost finished.

In terms of the white paper, the story with the audio is that I personally, and a lot of people, don't necessarily have time to read, or don't prioritize their time in such a way that they end up reading very much. But maybe they have commutes, or they wash dishes, or whatever, and they want an audio version. So what we've done, and this is another way people can contribute without having to write a line of code, is we split up the white paper into sections. Different people can read different sections and record them, we put it on SoundCloud, and anybody can listen to it. Since the white paper's always a work in progress: we had version one, and the audio currently is up to version one.
Now we have white paper version two, in Markdown, with the PDF generated from the Markdown. The audio needs to be updated to version two. So that's something we're working on now, updating that. Eventually there's going to be version three, and we're going to need that too. So definitely something that, if you have a voice, you can get involved in.

How do all these projects actually improve security in the cloud-native world? Besides publications, we also do more in-person things. A big part of creating cloud-native security is education and partnership. So we engage with projects and communities, both security-related and non-security-related ones. One of the roles of TAG Security is when a project wants to move up in the CNCF landscape. We have a lot of sandbox projects. When they want to move up towards graduation, they have to go through a security review. TAG Security takes care of that. We provide ways of doing self-assessments, Security Pals, support for these projects in their journey towards having a good security posture.

Here are some presentations that we've done. This is another really cool thing. If you come to the meetings, another fantastic feature is that projects will run presentations for us. They'll come and show what they've done. Kubescape is a recently added CNCF sandbox project. We got a great preview of this. They came and did a presentation. We were able to ask questions, ask them why they did certain things, and give them feedback. They can then go take that feedback, work it into their product, and improve the security. Same thing with a couple of other presentations you can take a look at over here. We also collaborate with other groups, like the Kubernetes SIG Security, which should not be confused with TAG Security. SIGs are within Kubernetes specifically; TAGs are CNCF more broadly. There's a lot of overlap. There's a lot of cross-pollination of ideas.
And OpenSSF, which is here; we work with them on some things, particularly on supply chain stuff. And yeah, I sort of covered this. We assist projects graduating through the CNCF levels. They present at a meeting, we ask them questions, et cetera. It gives more perspectives on a project. Self-assessments and joint reviews I'm not going to cover too much, because that was covered previously.

And where can you jump in? Because this is open source. So first of all, a call to action. We have a supply chain security survey which we're conducting, to understand how people relate to the supply chain, to security in the supply chain, and how we can best help and what we can do to improve things. So please take this survey, if you haven't already; some of you may have already. This is very, very helpful to us, because we're trying to provide value to the community. So it would be very helpful for us to know where the gaps are, what people need, what people are already doing, what people are maybe not doing yet but should be doing, that kind of thing. Anybody take that survey? You can take a picture of the QR code; otherwise the slides will be on Sched.

And then just come join us. It's an open community. You can come to GitHub, cncf/tag-security. We have a tag-security channel in the CNCF Slack workspace. We're on Twitter. We have a mailing list, Zoom. You can watch our stuff on YouTube. And the meeting calendar is available on GitHub as well.

I'm going to show one new thing we just put out, which is a list of publications. I didn't go through every single one of these in the slides, but we have a list of things we have published, and there's quite a lot. There's something for everybody, probably. We have the Cloud Native Security White Paper, as we talked about. We talked about this and this. This is another reference architecture.
I believe I mentioned it at the keynote today, or one of the other sessions. We have the Cloud Native Security Lexicon, which is great for just getting standard terminology; use cases; policy stuff; secure defaults for cloud native. This is a fantastic resource on creating secure defaults. We have a security controls catalog, which maps the controls that we list in the Cloud Native Security White Paper to NIST. So if you want to work with NIST SP 800, you can reference the white paper that we put out and see where things align. And then we have a bunch of security assessments. Here are the ones we've done so far, and there'll be more, obviously.

Here is the list of projects again, which people can get involved in. And also, I'm here, Raga's here, a few others are here. You can definitely reach out to us in person if you want to get involved. That's what I did at Detroit, and that's how I got involved in the audio project. There are plenty of places for everybody from all backgrounds and all skill levels to get involved and help out with TAG Security. It's really a community effort to improve security in the cloud-native world. Again, this is my information if anybody wants to connect. And with that, thank you.