Hi TOC and SIG Security folks 

On Friday I got a nice preview from Shubhra Kar and his team at the LF about some tools they are building to provide insights and stats for LF (and therefore CNCF) projects. One that's of particular interest is an integration of scanning security issues.

We require graduated projects to have security reviews, and SIG Security are offering additional assessments, but we don't really have any standards around whether project artifacts shipping with vulnerabilities. Should we have something in place for requiring projects to have a process to fix vulnerability issues (at least the serious ones)? 

This tooling is off to a great start. The current numbers for a lot of our projects look really quite bad, but this may be to do with scanning all the repos related to a project's org. I'd imagine there are also some false positives from things like dependencies only used in test that don't affect the security of the executables that end users run - we may want to look at just reporting vulnerabilities from a project's deployable artifacts. 

As well as vulnerability scanning this is showing license dependencies, which could be very useful.

For discussion, how we want to use this kind of info, and whether we want to formalize requirements on projects (e.g. at graduation or incubation levels).  

Copying Shubra in case he would like to comment further. .

Enjoy KubeCon!

Liz

Thanks to everyone who worked so hard on this. Congratulations on shipping it, it will be very

helpful. 

Justin

On Wed, Nov 18, 2020 at 5:38 PM Chris Aniszczyk <caniszczyk@...> wrote:

The CNCF Security SIG did an excellent job putting together a white paper around cloud native security: https://github.com/cncf/sig-security/blob/master/security-whitepaper/cloud-native-security-whitepaper.md

It's great! Please check it out and feel free to provide their community feedback on it!

--

Chris Aniszczyk (@cra)

The CNCF Security SIG did an excellent job putting together a white paper around cloud native security: https://github.com/cncf/sig-security/blob/master/security-whitepaper/cloud-native-security-whitepaper.md

It's great! Please check it out and feel free to provide their community feedback on it!

--

Chris Aniszczyk (@cra)

Thanks Chris. 

We could also require it for TOC members & SIG chairs too 

On Wed, Nov 18, 2020 at 2:40 PM Chris Aniszczyk <caniszczyk@...> wrote:

Thanks!

Liz I have added this as a requirement per the project proposal process: https://github.com/cncf/toc/pull/570

We can discuss at the next TOC meeting to vote/finalize the changes, but I think the best place to put the requirement is at the project proposal phase where we can easily check against the initial list of maintainers. In the future, we can try to do something fancy like an automated audit report based on what's in maintainers.cncf.io and if they have taken the course.

On Wed, Nov 18, 2020 at 8:30 AM Bartłomiej Płotka <bwplotka@...> wrote:

Hi,

Just completed it (takes ~20 min) and definitely can recommend it to all who maintain projects on open source! 🤗 

It's actionable and insightful, +1 to make it mandatory.

BTW, direct training link: https://training.linuxfoundation.org/training/inclusive-open-source-community-orientation-lfc102/ (it's free)

Kind Regards,

Bartek Płotka (@bwplotka)

On Wed, 18 Nov 2020 at 10:07, Liz Rice <liz@...> wrote:

I’d like to see all project maintainers taking this at all maturity levels

Probably getting carried away here, but it would be nice if we could automate this, a bit like CLA bots: automatically flagging up anyone who’s listed in a Maintainers file if they haven’t taken the course

On Fri, 13 Nov 2020 at 15:31, Chris Aniszczyk <caniszczyk@...> wrote:

As a follow up from previous discussions on D&I training, we at The Linux Foundation in partnership with NCWIT are launching a new course on building inclusive open source communities that CNCF helped fund: https://training.linuxfoundation.org/announcements/linux-foundation-and-ncwit-release-free-training-course-on-diversity-in-open-source/

We should consider making this as a graduation requirement or even as part of project acceptance, food for thought as we ramp up for kubecon + cloudnativecon next week!

--

Chris Aniszczyk (@cra)

--

Chris Aniszczyk (@cra)

Liz,

  Love this.  As part of the assessments SIG-Security performs, we've begun highlighting the importance of secure development practices.  The last few assessments we've begun pushing more for this, as well as responsible disclosure instructions and general security mindedness for project sustainment.   This fits in alignment with those efforts.  We currently have the assessment process undergoing some updates (held currently for kubecon) and this make it a great time to potentially include this.  I personally would like to see license dependencies and dependency trees to help push forward in the area of SBOM.

  I think we should be clear however in what our thresholds and terms are in this area, offhand i can think of the following potentials:

* Listing of vulns in deliverable artifacts

* Listing licensing dependencies

* SBOM

* vulnerability threshold and prioritizing resolution in prior to artifact delivery

* vulnerability threshold and prioritizing resolution post artifact delivery

Definitely worth a conversation and follow-ups.  Do you have anything in mind that are must haves off the above or anything I missed or misunderstood?

~Emily Fox

@TheMoxieFox

On Wed, Nov 18, 2020 at 11:41 AM Liz Rice <liz@...> wrote:

Hi TOC and SIG Security folks 

On Friday I got a nice preview from Shubhra Kar and his team at the LF about some tools they are building to provide insights and stats for LF (and therefore CNCF) projects. One that's of particular interest is an integration of scanning security issues.

We require graduated projects to have security reviews, and SIG Security are offering additional assessments, but we don't really have any standards around whether project artifacts shipping with vulnerabilities. Should we have something in place for requiring projects to have a process to fix vulnerability issues (at least the serious ones)? 

This tooling is off to a great start. The current numbers for a lot of our projects look really quite bad, but this may be to do with scanning all the repos related to a project's org. I'd imagine there are also some false positives from things like dependencies only used in test that don't affect the security of the executables that end users run - we may want to look at just reporting vulnerabilities from a project's deployable artifacts. 

As well as vulnerability scanning this is showing license dependencies, which could be very useful.

For discussion, how we want to use this kind of info, and whether we want to formalize requirements on projects (e.g. at graduation or incubation levels).  

Copying Shubra in case he would like to comment further. .

Enjoy KubeCon!

Liz

Hi TOC and SIG Security folks 

On Friday I got a nice preview from Shubhra Kar and his team at the LF about some tools they are building to provide insights and stats for LF (and therefore CNCF) projects. One that's of particular interest is an integration of scanning security issues.

We require graduated projects to have security reviews, and SIG Security are offering additional assessments, but we don't really have any standards around whether project artifacts shipping with vulnerabilities. Should we have something in place for requiring projects to have a process to fix vulnerability issues (at least the serious ones)? 

This tooling is off to a great start. The current numbers for a lot of our projects look really quite bad, but this may be to do with scanning all the repos related to a project's org. I'd imagine there are also some false positives from things like dependencies only used in test that don't affect the security of the executables that end users run - we may want to look at just reporting vulnerabilities from a project's deployable artifacts. 

As well as vulnerability scanning this is showing license dependencies, which could be very useful.

For discussion, how we want to use this kind of info, and whether we want to formalize requirements on projects (e.g. at graduation or incubation levels).  

Copying Shubra in case he would like to comment further. .

Enjoy KubeCon!

Liz

Thanks!

Liz I have added this as a requirement per the project proposal process: https://github.com/cncf/toc/pull/570

We can discuss at the next TOC meeting to vote/finalize the changes, but I think the best place to put the requirement is at the project proposal phase where we can easily check against the initial list of maintainers. In the future, we can try to do something fancy like an automated audit report based on what's in maintainers.cncf.io and if they have taken the course.

On Wed, Nov 18, 2020 at 8:30 AM Bartłomiej Płotka <bwplotka@...> wrote:

Hi,

Just completed it (takes ~20 min) and definitely can recommend it to all who maintain projects on open source! 🤗 

It's actionable and insightful, +1 to make it mandatory.

BTW, direct training link: https://training.linuxfoundation.org/training/inclusive-open-source-community-orientation-lfc102/ (it's free)

Kind Regards,

Bartek Płotka (@bwplotka)

On Wed, 18 Nov 2020 at 10:07, Liz Rice <liz@...> wrote:

I’d like to see all project maintainers taking this at all maturity levels

Probably getting carried away here, but it would be nice if we could automate this, a bit like CLA bots: automatically flagging up anyone who’s listed in a Maintainers file if they haven’t taken the course

On Fri, 13 Nov 2020 at 15:31, Chris Aniszczyk <caniszczyk@...> wrote:

As a follow up from previous discussions on D&I training, we at The Linux Foundation in partnership with NCWIT are launching a new course on building inclusive open source communities that CNCF helped fund: https://training.linuxfoundation.org/announcements/linux-foundation-and-ncwit-release-free-training-course-on-diversity-in-open-source/

We should consider making this as a graduation requirement or even as part of project acceptance, food for thought as we ramp up for kubecon + cloudnativecon next week!

--

Chris Aniszczyk (@cra)

--

Chris Aniszczyk (@cra)

Hi,

Just completed it (takes ~20 min) and definitely can recommend it to all who maintain projects on open source! 🤗 

It's actionable and insightful, +1 to make it mandatory.

BTW, direct training link: https://training.linuxfoundation.org/training/inclusive-open-source-community-orientation-lfc102/ (it's free)

Kind Regards,

Bartek Płotka (@bwplotka)

On Wed, 18 Nov 2020 at 10:07, Liz Rice <liz@...> wrote:

I’d like to see all project maintainers taking this at all maturity levels

Probably getting carried away here, but it would be nice if we could automate this, a bit like CLA bots: automatically flagging up anyone who’s listed in a Maintainers file if they haven’t taken the course

On Fri, 13 Nov 2020 at 15:31, Chris Aniszczyk <caniszczyk@...> wrote:

As a follow up from previous discussions on D&I training, we at The Linux Foundation in partnership with NCWIT are launching a new course on building inclusive open source communities that CNCF helped fund: https://training.linuxfoundation.org/announcements/linux-foundation-and-ncwit-release-free-training-course-on-diversity-in-open-source/

We should consider making this as a graduation requirement or even as part of project acceptance, food for thought as we ramp up for kubecon + cloudnativecon next week!

--

Chris Aniszczyk (@cra)

I’d like to see all project maintainers taking this at all maturity levels

Probably getting carried away here, but it would be nice if we could automate this, a bit like CLA bots: automatically flagging up anyone who’s listed in a Maintainers file if they haven’t taken the course

On Fri, 13 Nov 2020 at 15:31, Chris Aniszczyk <caniszczyk@...> wrote:

As a follow up from previous discussions on D&I training, we at The Linux Foundation in partnership with NCWIT are launching a new course on building inclusive open source communities that CNCF helped fund: https://training.linuxfoundation.org/announcements/linux-foundation-and-ncwit-release-free-training-course-on-diversity-in-open-source/

We should consider making this as a graduation requirement or even as part of project acceptance, food for thought as we ramp up for kubecon + cloudnativecon next week!

--

Chris Aniszczyk (@cra)

Cloud Native Buildpacks has applied to move from sandbox to incubation. (https://github.com/cncf/toc/pull/338)

Justin Cormack is the TOC sponsor for this project, he has performed Due Diligence (https://docs.google.com/document/d/1tb3mK5cJmaQLO8xR__9NaH2GMrdn3WPjAZFBJYsXrxY/edit) and called for public comment. (https://lists.cncf.io/g/cncf-toc/message/5317)

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

--

Amye Scavarda Perrin | Program Manager | amye@...

+1 NB

On Tue, Nov 3, 2020 at 6:02 PM Alena Prokharchyk via lists.cncf.io <aprokharchyk=apple.com@...> wrote:

+1 binding.

-alena.

On Oct 7, 2020, at 2:18 PM, Amye Scavarda Perrin <ascavarda@...> wrote:

Cloud Native Buildpacks has applied to move from sandbox to incubation. (https://github.com/cncf/toc/pull/338)

Justin Cormack is the TOC sponsor for this project, he has performed Due Diligence (https://docs.google.com/document/d/1tb3mK5cJmaQLO8xR__9NaH2GMrdn3WPjAZFBJYsXrxY/edit) and called for public comment. (https://lists.cncf.io/g/cncf-toc/message/5317)

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

--

Amye Scavarda Perrin | Program Manager | amye@...

--

Gadi Naor ◆ CTO & Security Plumber

US.   2443 Fillmore St, San Francisco, CA, 94115 IL.    5 Miconis St, Tel Aviv, 6777214

M. +972-52-6618811

Web.      www.alcide.io GitHub. github.com/alcideio

Complete Kubernetes & Service Mesh Security. 

Bridging Security & DevOps.

+1 

Regards

Sandeep Lahane

Founder & CEO | Deepfence Inc

On Tue, Nov 3, 2020 at 10:33 PM Gadi Naor via lists.cncf.io <gadi=alcide.io@...> wrote:

+1 NB

On Tue, Nov 3, 2020 at 6:02 PM Alena Prokharchyk via lists.cncf.io <aprokharchyk=apple.com@...> wrote:

+1 binding.

-alena.

On Oct 7, 2020, at 2:18 PM, Amye Scavarda Perrin <ascavarda@...> wrote:

Cloud Native Buildpacks has applied to move from sandbox to incubation. (https://github.com/cncf/toc/pull/338)

Justin Cormack is the TOC sponsor for this project, he has performed Due Diligence (https://docs.google.com/document/d/1tb3mK5cJmaQLO8xR__9NaH2GMrdn3WPjAZFBJYsXrxY/edit) and called for public comment. (https://lists.cncf.io/g/cncf-toc/message/5317)

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

--

Amye Scavarda Perrin | Program Manager | amye@...

--

Gadi Naor ◆ CTO & Security Plumber

US.   2443 Fillmore St, San Francisco, CA, 94115 IL.    5 Miconis St, Tel Aviv, 6777214

M. +972-52-6618811

Web.      www.alcide.io GitHub. github.com/alcideio

Complete Kubernetes & Service Mesh Security. 

Bridging Security & DevOps.

As a follow up from previous discussions on D&I training, we at The Linux Foundation in partnership with NCWIT are launching a new course on building inclusive open source communities that CNCF helped fund: https://training.linuxfoundation.org/announcements/linux-foundation-and-ncwit-release-free-training-course-on-diversity-in-open-source/

We should consider making this as a graduation requirement or even as part of project acceptance, food for thought as we ramp up for kubecon + cloudnativecon next week!

--

Chris Aniszczyk (@cra)

+1 (binding)

Justin

On Fri, Nov 13, 2020 at 5:51 PM Amye Scavarda Perrin <ascavarda@...> wrote:

The etcd project has applied for graduation:  https://github.com/cncf/toc/pull/541

The due diligence document can be found here: https://docs.google.com/document/d/10IRk__v_nehw-0BpqUnNSY4A8RNP2ztdqKLX2mh0PlU/edit?usp=sharing

Xiang Li is the TOC sponsor.

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

Thank you!
- amye 

--

Amye Scavarda Perrin | Program Manager | amye@...

The etcd project has applied for graduation:  https://github.com/cncf/toc/pull/541

The due diligence document can be found here: https://docs.google.com/document/d/10IRk__v_nehw-0BpqUnNSY4A8RNP2ztdqKLX2mh0PlU/edit?usp=sharing

Xiang Li is the TOC sponsor.

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

Thank you!
- amye 

--

Amye Scavarda Perrin | Program Manager | amye@...