The CNCF Security Technical Advisory Group facilitates collaboration to exchange and produce knowledge and resources for building security in the cloud native ecosystem.
Cloud Native involves building, deploying, and operating modern applications in cloud computing environments, typically using open source. This complex ecosystem presents a technology risk landscape that demands rethinking application and information security through the lens of developer experience.
We aim to significantly reduce the probability and impact of attacks, breaches, and compromises. By empowering developers and operators to understand and manage the security posture of their systems, we strive to fulfill the promise of enhanced productivity and operational efficiency.
- System Security Architectures: Frameworks to protect resources and data.
- Common Lexicon, Templates & Libraries: Tools for developers to create secure apps.
- Heuristics and Models: Approaches for reasoning about system security.
Below is a list of publications by TAG Security. For a comprehensive collection of our works in various formats, please visit the publications directory.
| Publication | Date |
|---|---|
| Formal Verification for Policy Configurations | August, 2019 |
| Catalog of Supply Chain Compromises | November 2019 - Present |
| Software Supply Chain Best Practices | May, 2021 |
| Evaluating your Supply Chain Security | May, 2021 |
| Cloud Native Security Lexicon | August, 2021 |
| Cloud Native Security Whitepaper | May, 2022 |
| Cloud Native Security Controls Catalog | May, 2022 |
| Handling Build-time Dependency Vulnerabilities | June, 2022 |
| Secure Software Factory: A Reference Architecture to Securing the Software Supply Chain | May, 2022 |
| Secure Defaults | February, 2022 |
| Open and Secure - A Manual for Practicing Threat Modeling to Assess and Fortify Open Source Security | November, 2023 |
Refer to the Security TAG charter for our governance process.
Join our open discussions and share news:
- Email list
- CNCF Slack #tag-security channel (Refer to the contributing guidelines for posting and participation details.)
- Americas: Weekly on Wednesdays at 10 am (UTC-7). Zoom link, Meeting ID: 998 0947 4566.
- EMEA: Bi-weekly on Wednesdays at 1 pm UTC+0 (adjusts for daylight saving). Zoom link, Meeting ID: 999 1752 3142.
Check your local timezone here. Meetings are listed on the CNCF calendar and the TAG Security Calendar.
To add a topic to the agenda, review our process.
If you are new to the group, we encourage you to check out our contributing guidelines.
Explore groups affiliated with or relevant to Security TAG here
| Name | Organization | Term | Handle |
|---|---|---|---|
| Pushkar Joglekar | Independent | June, 2023 - June, 2025 | @PushkarJ |
| Marina Moore | Independent | October, 2023 - October, 2025 | @mnm678 |
| Eddie Knight | Sonatype | May, 2024 - May, 2026 | @eddie-knight |
| Name | Organization | Handle |
|---|---|---|
| Justin Cappos | New York University | @JustinCappos |
| Ash Narkar | Styra | @ashutosh-narkar |
| Andrés Vega | M42 | @anvega |
| Ragashree Shekar | Independent | @ragashreeshekar |
| Michael Lieberman | Kusari | @mlieberman85 |
| John Kjell | TestifySec | @jkjell |
| Name | Organization | Term | Handle |
|---|---|---|---|
| Dan Shaw | PayPal | June, 2019 - September, 2020 | @dshaw |
| Sarah Allen | June, 2019 - June, 2021 | @ultrasaurus | |
| Jeyappragash JJ | Tetrate.io | June, 2019 - June, 2021 | @pragashj |
| Emily Fox | Apple | September, 2020 - February, 2022 | @TheFoxAtWork |
| Brandon Lum | June, 2021 - June, 2023 | @lumjjb | |
| Aradhana Chetal | TIAA | June, 2021 - September, 2023 | @achetal01 |
| Andrew Martin | ControlPlane | March, 2022 - March, 2024 | @sublimino |
The TAG's working groups focus on specific areas and organize most community activities, including weekly meetings. These groups facilitate discussions, engagement, and publications with key stakeholders, operating differently based on their needs. Each group, led by a responsible leader, reaches consensus on issues and manages logistics. All materials, such as reports, white papers, documents, and reference architectures, are in the repository's /community directory.
| Project | Leads |
|---|---|
| Research | Andrés Vega |
| Automated Governance | Andrés Vega, Brandt Keller |
| Catalog of Supply Chain Compromises | Santiago Arias Torres |
| Compliance | Anca Sailer, Robert Ficcaglia |
| Controls | Jon Zeolla |
| Security Reviews | Justin Cappos, Eddie Knight |
| Software Supply Chain | Marina Moore, Michael Liebermann, John Kjell |
For CNCF project proposal process create a new security review issue with a self-assessment .