Cloud Native Security Controls Mapping to NIST (Phase II for #635)
This project is Phase II for Issue #635 Cloud Native Security controls. This will be completed in collaboration with CCM from CSA.
Scope -
- Mapping to existing frameworks and regulations (CSA, NIST, FedRamp, SOX, GDPR, etc.)
- Conversion to machine readable format (OSCAL, JSON, etc.)
- Inclusion of tests to validate/verify (both process and technical tests as appropriate)
- Application to security reviews to improve consistency of CNCF Security TAG reviews
This controls catalogue should also address requirements for Auditors for Cloud Native Platforms
Impact: Describe the customer impact of the problem. Who will this help? How will it help them?
Scope: How much effort will this take? It is ok to provide a range of options or "not yet determined" for initial proposals. Feel free to include proposed tasks below or link a Google doc.
TO DO
- [ ] Security TAG Leadership Representative: @achetal01
- [ ] Project leader(s): @JonZeolla
- [x] Project Members: @pratiklotia @faisalrazzak @anners
- [ ] Fill in additional TODO items here so the project team and community can see progress!
- [ ] Scope
- [ ] Deliverable(s)
- [ ] Project Schedule
- [ ] Slack Channel (as needed): #tag-security-controls
- [ ] Meeting Time & Day: Every other Tuesday at 2pm ET, starting 2022-05-31
- [ ] Meeting Hangouts Link: https://meet.google.com/gra-vpip-uvu
- [ ] Meeting Notes (https://docs.google.com/document/d/1ARLHrZ4SKIEwnSKgDaa39vS19dVIH45RjfERBaJ1vlg/edit?usp=sharing)
- [ ] Meeting Details: https://meet.google.com/gra-vpip-uvu?pli=1
- [ ] Retrospective
@achetal01 should we include SSDF mapping to TAG Security papers, in scope for this proposal too?
Hopefully I am not too late to the party. I would like to contribute to this work.
yes Pushkar we should add SSDF mappings to the Scope. Thanks
Ann yes please comment on the issue as well so you can be added to the working group.
Thanks Aradhna
@achetal01 is this not the correct issue to comment on? If not, can you let me know the correct id and I will comment. TIA
@PushkarJ @achetal01 I agree; we have been using SSDF behind the scenes in the first phase (#635) and it has been great to help crosswalk frameworks, and provide illustrative examples.
Hi @anners this is the right issue to comment on for phase 2. We are wrapping up phase 1 in #635 in the next few weeks and should be moving over to this issue soon thereafter
@achetal01 @PushkarJ Happy to contribute w.r.t NIST SP 800-218 in Phase II of this mapping. Please include me.
+1, continuing from phase 1
If you're interested in participating, please vote for what meeting time works best for you!
https://doodle.com/meeting/participate/id/b82gO95e/vote
Voting will be open until May 11th
@achetal01 can you please update the initial comment in this issue with the following:
- Project Members: @pratiklotia @faisalrazzak @anners
- Slack Channel: #tag-security-controls
- Meeting Time & Day: Every other Tuesday at 2pm ET, starting 2022-05-31
- Meeting Notes
- Meeting Hangouts Link
Okay I will update the issue
Thanks
Hi, stoked to be here but it looks like I am late to the party on 2022-05-31. Will there be another?
Hi @Keeifer we meet every other week, meaning we have a meeting this Tuesday but I won't be there for this one. We also work asynchronously in #tag-security-controls in the CNCF slack.
Leaving a comment to annotate my interest in supporting this activity. Some background in OSCAL leaves me interested in seeing how I can assist.
@brandtkeller sounds great! Feel free to jump into the slack channel, and if you'd like the meeting invite you can direct message me your email address. We have a status meeting on 6/28 but mostly work asynchronously
Should I be attending the policy-wg or the tag-security-controls meeting to contribute to this?
Hi @anners we chat in the #tag-security-controls channel in the CNCF slack and we have a biweekly meeting, next meeting is 7/26. Right now we aren't affiliated with the policy-wg but open to collaboration
We are going to start working on this and managing our backlog in a repository - https://github.com/cloud-native-security-controls/controls-catalog
I'm working on a related effort to map the supply chain security white paper to tooling: https://docs.google.com/spreadsheets/d/1LfAgoYesySfg7bkiUgihNWGDpyKsMNt6xTBi303IAcg/edit#gid=0, related to #960
Howdy, I read up on #635 to get current after a long hiatus and wanted to know how I and/or other members of the oscal.club community can pitch in to help with OSCAL bootstrapping (if that is in fact part of this issue and not scoped elsewhere). Otherwise, should I direct my interest and attention somewhere else, such as cloud-native-security-controls/controls-catalog?
Love to see what you all have been up to, whether or not I am involved, keep up the good work!
@xee5ch we're tracking our granular tasks on https://github.com/cloud-native-security-controls/controls-catalog and have a biweekly 45m meeting - next meeting 2pm Eastern on 8/9 (meeting notes and details links in the first post are still valid). We also chat in the CNCF slack in #tag-security-controls. Now would be a great time to get involved! I'm on vacation this week but looking forward to chatting more
Sounds good, I will try to follow up before that next meeting and/or try to attend. :-)
@achetal01 / @lumjjb this is actively being worked on, should we update the labels from proposal to project?
Yes that makes sense Jon Let’s change this to in work
Sgtm.
Process wise, we should also do a presentation to the group on the proposed work and get feedback from the broader group.
We already have a task to create a roadmap. Once we have that it would be a good point to present
https://github.com/cloud-native-security-controls/controls-catalog/issues/16
sounds good, let's get that done, present and we can toggle to a project.
We have a draft roadmap being worked out in #tag-security-controls and https://github.com/cloud-native-security-controls/controls-catalog/issues/16