Cloud Native Top 10
With increased adoption of cloud native technologies, it is important to minimise risks. Certain types of configuration risks (or the lack thereof) are more common than others. There is a need for a standard awareness document which can be referenced by cloud native professionals and which represents a broad consensus about the most critical security risks. So far, the OWASP Top 10 has been widely used for awareness about web application risks. CNCF will be the right place to host a top 10 of risks for cloud native technologies such as Istio mesh, which has gained more adoption in the industry.
TO DO:
- [x] Project Lead: @jcchavezs and @jmbmxer
- [x] STAG representative: @pratiklotia (Requires TL/Co-chair sponsor)
- [ ] Project members: TBD
- [ ] Initial meeting to define scope
- [ ] SIG chairs for signoff
- [ ] Logistics:
  - [ ] Come up with meeting date/time cadence
  - [ ] Calendar invite
  - [x] Zoom link + Meeting minutes link
  - [x] Slack channel: #tag-security-top-ten
- [ ] Decide where and how to publish and adopt this guidance
- [x] Draft document
- [ ] Call for comments from the community
- [ ] PR to publish
- [ ] CNCF Blog post
Draft scope:
This paper is intended to provide the community with a list of the top 10 Istio mesh configuration risks, with a detailed example of what each risk looks like and how to come up with a secure configuration. It aims to provide an awareness document for organisations to identify the top risks that they should focus on.
This is an awesome idea! Happy to help.
There may be some overlap with existing OWASP Top Ten projects such as the OWASP Cloud Native Application Top Ten (seems to be in draft form still) and the Kubernetes Top Ten (a bit more mature).
I propose that we fold in a rendition of the Kubernetes Top Ten into this proposal as a broader "Cloud Native Top Ten Security Risks" project. I am willing to port over and expand upon a reference for Kubernetes as well. Some of this was initially sparked by a post on LinkedIn suggesting that the CNCF could be a good place for these types of materials.
That's a good idea. Over the course, we have had a few challenges with service configurations and inconsistencies in documentation and/or our use-cases. Would be happy to help.
Awesome @matthewflannery and @rashmin-maker, I suggest you come by the #tag-security-top-ten slack channel in cloud-native.slack.com to bootstrap the structure.
Doodle is out to set the bi-weekly meeting time: https://doodle.com/meeting/participate/id/b27x88Nd
Hey folks, has a regular cadence for the meeting been selected? I'd like to participate and get involved.
Great initiative!!! Please see how we can refer or reconcile with https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md when working on this
@jcchavezs I left a message in #tag-security-top-ten inquiring about the status of this project. Whenever you have time, it'd be great if you could also update here on where things are and whether you need help from other contributors to complete this.
Really great idea. I am happy to help out here.
This issue has been automatically marked as inactive because it has not had recent activity.
@jcchavezs @jmbmxer is this still active? What help do you need from the TAG Security leads to make this a success?
Hi @PushkarJ, I am sorry I did not come back to you. Yeah, indeed this is still an ongoing effort, mainly on my side, but I have been juggling many balls for a while; now there is some stability, so I can come back to it. This is indeed something that is evolving over time (I have been updating the talks I give about the topic over time), and what TAG Security could help with here is promoting the request for collaborators. In the next two weeks I will revamp the document and call for contributors.
Thanks for your reply! @jcchavezs sounds like a really hectic last few weeks for you! Glad you are back at it now :)
Please feel free to share the document when it is ready here, on slack and in our regular weekly meetings 🙌🏼