Hi everyone. My name is Marina Moore. I'm a PhD candidate at NYU and a tech lead for the CNCF TAG Security. I'm Michael Lieberman. I'm CTO and co-founder of Kusari, a software supply chain security company, and I'm also a CNCF TAG Security lead. So let's start off with a quick introduction to what TAG Security is and what we do. So this is by the numbers. We're very popular on GitHub as well, and we're really just a group of folks interested in security in the cloud native space. Everything from professionals to students to hobbyists: anyone with a little bit of time to spare who's interested in solving the problem of cloud native security. Our role is to strengthen the ecosystem, advise projects, identify gaps in the current cloud native security ecosystem and figure out how we can fill those, either through chatting with other people or doing stuff within the group itself. We also look to engage with more communities, both with the CNCF projects and with external groups, to see everything that's happening in the security space and the cloud native space and where there's synergy between these different groups. Our charter is listed here. It's really about the protection of cloud native systems, helping developers of the different CNCF projects meet security requirements and working with them to figure out what's missing for them as far as tooling, as far as advice, how we can get everyone on the same page about what it means to be secure in the cloud native space, as well as providing audits for different projects. We have some more detail about some of our ongoing efforts. Here's our team. We have some lovely co-chairs at the top here, as well as a large number of tech leads, including the two of us. What do we actually do, beyond all the ideas and words? So this is a few of our recently finished efforts.
We have our flagship white paper, which is the Cloud Native Security white paper. Recently-ish, sometime last year, we released version two of this white paper, and an audio version of that white paper was also released very recently. We have translations of it in a variety of different languages and are always open to more language translations of that paper and the different versions of it going forward. We also have a white paper about software supply chain security. That's another big white paper that helps people find the CNCF projects and other things going on in the space, and gives an introduction to what that space is, what the things are that you should know, what properties you should actually look for in a tool. There are a lot of folks who are talking about this issue, but what do these different technologies actually solve, and how do we put them together to really solve this whole software supply chain problem? And finally there's the Cloud Native Security Controls Catalog, which looks a little bit more at some government standards and regulations around security and how these map to both the guidelines that we've given and the guidelines that other people have given in some particular applications. So how do you actually apply these things in practice? In addition, we have a lot of ongoing work. This probably doesn't even cover all of it. One of the big things that TAG Security does is security assessments for the various CNCF projects. These used to be a requirement for graduation, and they're still used by a lot of projects during the graduation process to attest to the security and really get another outside set of eyes to work with these projects, to figure out what their threat model is, what they are trying to do in terms of security, and get some security folks to take a look at the project. So this links on the slide to some ongoing security assessments for a bunch of projects.
They're in various different states, from very early to pretty late in the process. We have cloud native security controls mappings. So these are two different projects that work on the space of mapping the controls. One of them is mapping tools to different controls and requirements, and the other is mapping the cloud native white paper to these particular control requirements. We also have the zero trust white paper, another white paper that the group is working on, to look at this idea of zero trust and how it applies to the space of cloud native. Another big one going on right now is a security assessment book that really looks at this process that TAG Security has been doing for security assessments and lays it out a little bit more formally, in a way that other people can also use. So folks outside of the cloud native space have looked at how we can do community-driven security assessments like TAG Security is doing, and so this book is an attempt to share our knowledge with the broader security community. There's a lot of ongoing work there, and I think they're looking for feedback on that. So if you want to chat about that, find Justin, who's up here in the front, and he'd love your feedback on that project. Another internally ongoing project is a catalog of supply chain compromises. TAG Security maintains a list of, not every, but I think a representative sample of supply chain compromises that relate to the cloud native space, which we are continually updating as more things happen to this community. Yeah, do you have a quick question? Oh yeah, so what is a supply chain compromise? That's a great question. Sorry, that was the question, for the recording. But a supply chain compromise is any kind of security incident that has to do with something between when the software was written and when it was actually deployed.
So it's not like a bug in the code; it's something like the build process, the distribution process. There are a bunch of categories of it listed in this catalog of compromises. The next one is a lightweight threat modeling group, which is complementary to this idea of security assessments, but figuring out a way for projects to do threat modeling in a more approachable way. So that's some ongoing work. I think that we have two big groups in TAG Security, two meeting times I guess. One of them, the more European-friendly group, I think has been focusing a lot on this lightweight threat modeling group. I think that might be of particular interest to this group. Of course we always do accuracy and goodness work as well, so everyone's welcome. And finally, of course, there's always more changing, so we have a version three of the Cloud Native Security white paper, where we're collecting more ideas about things that have changed, errata, as well as new things to discuss in the next version of that. I'll pass it on. Sure, and so now we're going to talk a little bit about the impacts of this work, what's happening and what the outcomes of this work are. So there are a couple of different larger bodies of work that we're working on. We have a Security Pals program, which is intended to help take projects through some of that initial security work. So for projects where not every developer is a security expert, how can we help out to make sure that folks are not making bad decisions early on, so that we can help steer them in the right direction?
And then along with that there's the self-assessment work that, as Marina had mentioned, is trying to help out with projects, especially CNCF projects and CNCF-related projects, to guide them through: here are the things you should be looking at when assessing the security of your project. And then there's also work to help review, taking the security experts within the CNCF, like at TAG Security, and linking them up with some of the projects that maybe need a bit more of a rigorous review, especially projects that are very security focused or are in that critical path, where a security compromise might be a very, very big issue. In addition, TAG Security is collaborating with a ton of groups throughout the CNCF as well as in the broader open-source community. So there is collaboration with the Kubernetes SIG Security. I know at least a few years ago TAG Security also was known as SIG Security, but in order to disambiguate, we are now called TAG Security, or Technical Advisory Group Security, whereas Kubernetes has a SIG Security, which is a special interest group for Kubernetes. There still is a lot of overlap, but obviously Kubernetes is such a large project that they need to have their own group dedicated to security as well. But there's a lot of collaboration we do to make sure that if there are interesting learnings coming out of Kubernetes we can pull that into the broader cloud native space, and then if there are things that we're detecting in the broader cloud native space that might impact something specific to Kubernetes we can bring that along as well.
There's also the Kubernetes Policy Working Group. As you can imagine, a lot of elements in policy are often security focused; not all of it, but a lot of it is. So there are cloud native security controls, there are all these best practices that we have, and how can we start to codify that as policy as well, and how can we get involved there? We have some work that we've been doing with the Cloud Security Alliance; that's where Erano works, who is one of the co-chairs. We also do a lot of work with some other Linux Foundation groups, like OpenSSF, which is the Open Source Security Foundation. For example, I'm also part of the SLSA steering committee. For folks who aren't aware, SLSA is just the security levels for supply chain artifacts, and that's a build framework for guaranteeing, or helping provide metadata around, supply chain integrity, or the integrity of the build process right now. And then there's also a supply chain working group within the OpenSSF, and there's a lot of collaboration; there are a lot of members who participate in TAG Security that also participate in OpenSSF. OpenSSF is dedicated more towards the broader community, not just cloud native; we're talking about legacy software and legacy operating systems and those sorts of things, and there's lots of shared learning, and so there's a lot of collaboration on that front as well. In fact, one of the things that came out of the CNCF, which is the Secure Software Factory reference architecture, was used as the basis for what is called FRSCA, which is a build tool that is an implementation of it, and that itself lives under the OpenSSF. And there are also lots of presentations that we've had within TAG Security coming from other open source projects, often CNCF projects, and these have included things like
Kubescape; OpenFGA, which is a fine-grained authorization tool; Kubewarden, which is another sort of access, or sorry, what's it called again, policy engine; and many more that have happened in the TAG Security meetings. So just going over a little bit again about the security reviews, just as a reminder: Security Pals is a way for us to help projects dip their toes into cloud native security; it's a way for us to work with projects that are still going through the beginning stages. Self-assessment is a way for the sandbox and incubating projects to start off, and the joint review is a way for TAG Security to work with projects through their security review process. Cool. And so where can you jump in? Well, we have weekly meetings, and actually we recently changed the meetings. They used to be 1 p.m. Eastern time, which I know is late for Europe, but now, every other week, it is a more European-friendly time frame. And since it sometimes changes, I should say, it's probably best to just go to the CNCF calendar, but every other week is a European-friendly time, and it's open to pretty much all members who agree to abide by the code of conduct. We're always looking for folks, not just security experts: folks who are just interested in security, folks who are end users of security and want to better understand how they can integrate. We're looking for all sorts of folks. More recently we also introduced the TAG Security blog, where we plan to have a lot more on the day-to-day of what's coming out of TAG Security. So big efforts are still going to be posted on the broader CNCF blog and the CNCF announcements, but smaller things, around progress that we're making on smaller projects or stuff that's not yet released, or even
just interesting things we've discovered in the cloud native security space, will be published on that blog. There's also, ongoing right now, the first ever Security Village, which we're actually hosting, and I know it's been a little hard for folks to find this year, and we're hoping that as we move forward it'll be a little bit easier. But we do have a Security Village talk track that's been going on, and this is a part of it. We also have an unconference, which is more of an impromptu style of talk for folks who really want to get into the nitty gritty, and maybe it's not suitable for your average audience who's just looking for a 101 on getting started with policy. It's like, hey, let's dive deep into an interesting challenge I found in security. Cool, that's what the unconference is for, and that's continuing on through tomorrow. You can still feel free to submit topics to it, and you can just give a talk if you're ready, and it's okay if it's half baked; that's the unconference style. We also have a hallway track where, if you just want to tap one of us on the shoulder, like myself or Marina, and you want to chat about something about security, you have questions you want to understand, like hey, I keep hearing about software supply chain, where do I get started, or I'm using Kubernetes, where do I get started; well okay, cool, you ask the question, ask away, come tap us on the shoulder. In addition to that there is the CTF that's been going on today, which is also part of this whole thing, and that's been going on all day, and that's a good way to take a look at what you can do to a poorly configured Kubernetes cluster, what you can get away with in there. And tomorrow is the last
day of the village, and if you're interested, feel free to stop by. We're more than interested in chatting about whatever: policy engines, lots of different CNCF-related security projects like TUF and in-toto. And if you want to know, hey, how do I get started with admission controllers, or how do I get started with one of these other things, or how does this project interact with this other project, we can definitely help you out there. And beyond that, if you want to just get more involved, we have a Slack channel, tag-security, underneath the CNCF Slack. There is the TAG Security repo; there's a bunch of issues in there. Feel free to also peruse the repo; there's a lot of stuff about the supply chain compromises and all that good stuff. We have a Twitter you can follow for updates, like updates to the projects that we're working on, as well as things like that. Sure. Actually, one second, let's get you a mic. Oh well, I know, it's for the streamers. All right.

My question is simple. There's no QR code, so do we have access to this slide deck? Because I'm trying to see if I can access it through the app and I can't, so I'm just wondering, will we have access to the deck so that we can access the links that you included on the slides?

If it's not already on there, we'll make sure it gets there in the next couple of hours.

Okay, and then my second question is going to be: how do you guys normally work? I know you have meetings, but what do you all do in those? Can you talk about what you actually... sure, if we want to get involved, what are you guys working on, what do you need help with?

Sure, sure, sure. So let me go through first what we normally do in the meetings, and then we can go into what we do out of band. So within the
meetings, it's mostly... it depends. So there are presentation-focused meetings where we might be getting a presentation from a security-focused product, and by product I mean project within the CNCF. So this might be, as an example, Kyverno, which is an admission controller, a policy admission controller; they might give a demo within TAG Security, and it's open to anybody who's just interested. And so TAG Security, the leads and the chairs, help facilitate that, and then there are folks who are just end users, who are just there to check it out and ask some questions. There might also be security-focused folks who maybe want to ask more security-specific questions of the project, like what is your threat model, and how are you dealing with this, do you support this encryption or whatever. Those are the sorts of things that come out of those sorts of meetings. In addition to that, we also have a lot of those sorts of projects, like the white papers, and the meetings often provide a mechanism for updates to each of those projects. So usually we have a round robin of, hey, what are the updates for each of these projects, in certain cases where those projects don't have their own individual separate meetings. A lot of those projects that we had listed, like the zero trust one and the supply chain stuff, have separate working groups as well that tie back into TAG Security, and those subgroups will provide updates during those meetings. In certain cases there might be areas where there's collaboration or whatever, and then we might turn a meeting into more of a working meeting, where folks can talk and collaborate and express criticism or critique or provide additional input into something that is currently being worked on. Those are the primary ones, and then we also regularly turn some of those meetings into more of a, like, you
know, let's go back through the issues and see, are there any issues that we should be looking at, are there any new interesting projects that people want to create out of TAG Security. So often we see stuff coming from the community saying, oh, I looked through everything in CNCF and I'm not seeing something that addresses this from a security perspective. Oh cool, well, if it's a white paper or something like that, maybe TAG Security will get started on that; if it's something that's tied to another group, maybe let's start collaborating with that group, like App Delivery or something like that. And that's really how it goes. In addition to that we have those other subgroups, like the supply chain working group and the zero trust working group, where there's a bit more focus on those specific facets of supply chain or, sorry, cloud native security, and that's where we go through those. And then out of band a lot of folks work on those sorts of projects. So if it's a white paper, we might have a Google Doc, and throughout the week between the meetings folks are working on that Google Doc, and then they provide updates in those meetings. And then there's all sorts of other work that's also happening out of band, like the Security Pals stuff, like somebody who's just dedicated to perhaps a project, walking them through that whole process, as well as the security assessment stuff and the joint review stuff. That's where a couple of the more hands-on-keyboard, threat modeling sort of folks will come in and help some of the projects out, and that's kind of its own thing; they have their own schedule, but then the updates for those things will all bubble back up into the main meeting. Yeah, you're welcome. Yeah, and sorry about the... yeah, well, we'll definitely upload the slides right after this. And yeah, we have a lot of
things: we have a Twitter, we have a roadmap of some of the bigger things that we're working on, there is a mailing list, mostly for bigger updates and those sorts of things, and there is a TAG Security calendar on the CNCF calendar, which has information about the Zoom meetings themselves and how to join them. And then all of the meetings get recorded, and they all get uploaded to YouTube a bit afterward, so if folks are not sure whether you want to join, feel free to look at the YouTube and just see what the meeting looks like. And yeah, thanks. Questions?

What did you call your talk? Entering the abyss? Like, is there a deep dark hole that security involves that makes you very sad?

I think that's just a clickbait title. Yeah, and also it's not necessarily that security is an abyss; it's perhaps the journey to security, like how do I get to that? And in addition to that, I think for a lot of folks who aren't in security, we often get a bad rap of, oh, you're the folks I've got to deal with in order to... and hopefully through stuff like this sort of process we're hoping to demystify it and make it more friendly.