Closed PushkarJ closed 1 year ago
@PushkarJ I am interested to lead v3. Do I need to have any experience or background for this role?
Hey @PushkarJ interested to work on the version 3 as well.
I'm planning to cover #906 but I can help with other activities too.
I'd be interested to help on the subject of Secrets Management.
Great to hear about all the interest from @sayantani11 @mythi @szh 🎉
@savitharaghunathan in terms of pre-requisites, being a part of the process of prior whitepaper version publication is definitely going to help. Apart from that you would need to make calls on what topics would be in scope and be able to review, edit and fact check content from other contributors. For that some experience in cloud native security space would be useful.
I think you possess all these skills so I am confident that you would do well as a lead for this version. I will be happy to help from CNCF TAG Security leadership as a liaison in any way possible. Optionally, you can co-lead this version with someone whom you trust with the main advantage being that you would be able to divide your workload between two people as you are juggling multiple things.
Be sure to check out this link in the description: https://github.com/cncf/tag-security/blob/main/governance/publishing-deliverables.md to get a better idea of what it would entail to lead this project.
Thanks, @PushkarJ. Sign me up to lead. I will look at the deliverables and if I need anything will reach out to you.
I'm interested to contribute :)
[Suggestion] for scope:
Add 'assurance level' and 'risk categories' to the best practices mentioned in the whitepaper. This will help achieve parity with the format in SSCP (Software Supply Chain Best Practices) and the CNS Controls document can also be updated based on these new details
Please include me in this initiative. Also, let's incorporate Serverless Sections and use the content created by Serverless Team.
Hi guys,
I'm more than happy to be included. I've been quiet lately due to having 3 kids, and this will be great as a way to start contributing again.
Hi all, thanks for expressing interest to be part of this v3 white paper initiative. We will be using slack channel for collaboration - https://cloud-native.slack.com/archives/C017K5AN70T. Please join if you are not a part of it already. I will set up a kick off meeting doodle poll for the timing and post it to the channel and here. I just got back from my vacation and catching up on the work. Please bear with me for a few days as I will be slow to respond. Thanks :)
Hi Folks, here's the link to doodle poll - https://doodle.com/meeting/participate/id/dwmWgYwa. It will close this Friday, Oct 14th, 2022 at 12 PM EST. Please add your availability at your earliest convenience :)
@PushkarJ @sayantani11 @mythi @matthewflannery @ragashreemc @szh and folks who expressed interest in contributing/participating, we will be meeting on Oct 18th 3-4 PM Eastern time. Can you all share your email privately with me via CNCF slack dm or here, I can send out the invite.
Not sure where to report a problem in the v2 White paper. The PDF document figure 4 (Page 18) is wrong, the diagram is duplicated with figure 3.
@baiyungao This should be fixed in the markdown version here: https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md and will be incorporated in the v3 automatically as a result. Thanks for bringing it up though.
(Edit: copy pasted the wrong URL earlier)
@savitharaghunathan something that came across in issue triage for me that is worth revisiting for scope in v3: https://github.com/cncf/tag-security/issues/565
@mythi pointed me in your direction. I am currently drafting a blog post about confidential computing for the CNCF blog. I will present it on Thursday in sig security docs. All the information is available in Slack. The draft is located in hackmd.io.
@mythi also mentioned that we might have some overlap in content and could help each other out? Let me know what you think 🙂
I would like to contribute to this.
I have opened the PR for the blog post in https://github.com/kubernetes/website/pull/38973. Let me know if you have some input for the blog post or would like to re-use some of the information gathered there!
Hello, I would like to get involved again. Happy to contribute more in workload identity, and software supply chain for sure.
Hello, I'd be happy to get involved again with v3 of the white paper
Hello Folks!
Please find the link to the draft of CNSWP v3. https://docs.google.com/document/d/1mO_MyNpqk8lHTvKlT-dSbgeMjHXKEmfE9H2QeZ0zFk0/
Hi folks, let's use this issue to collaborate - https://github.com/cncf/tag-security/issues/1044. It is easy for the whitepaper v3 leads to update the issue. Sorry for the inconvenience.
@PushkarJ Can we add a link to https://github.com/cncf/tag-security/issues/1044 and make this thread read-only, please?
Description
Original security whitepaper (#138) was published in Nov 2020, followed by version 2 (#747) in May 2022. Since then we have received a lot of community feedback for improvements and new topic addition. So this issue is an attempt to carve out everything in one place and let a contributor take up the Project Leader role for this next version.
Scope
Metadata
#tag-security-whitepaper
Project Schedule