Date   

Re: [cncf-sig-security] Vulnerability scanning for CNCF projects

Eli Nesterov <eli.nesterov@...>
 

Liz, this is great! Having vulnerability scanning is a good thing, but looking into the results might be too many false positives (as you pointed out) and noise. In my experience, reviewing such a massive amount of data for project owners might take way too much time.
I actually like the idea of the security scorecard https://github.com/ossf/scorecard which covers lots of security best practices and provides lots of actionable feedback along with advice on how to improve using different tools. 

--eli

On Wed, Nov 18, 2020 at 8:41 AM Liz Rice <liz@...> wrote:
Hi TOC and SIG Security folks 

On Friday I got a nice preview from Shubhra Kar and his team at the LF about some tools they are building to provide insights and stats for LF (and therefore CNCF) projects. One that's of particular interest is an integration of scanning security issues.

We require graduated projects to have security reviews, and SIG Security are offering additional assessments, but we don't really have any standards around whether project artifacts shipping with vulnerabilities. Should we have something in place for requiring projects to have a process to fix vulnerability issues (at least the serious ones)? 

This tooling is off to a great start. The current numbers for a lot of our projects look really quite bad, but this may be to do with scanning all the repos related to a project's org. I'd imagine there are also some false positives from things like dependencies only used in test that don't affect the security of the executables that end users run - we may want to look at just reporting vulnerabilities from a project's deployable artifacts. 

As well as vulnerability scanning this is showing license dependencies, which could be very useful.

For discussion, how we want to use this kind of info, and whether we want to formalize requirements on projects (e.g. at graduation or incubation levels).  

Copying Shubra in case he would like to comment further. .

Enjoy KubeCon!
Liz


Re: FYI: Cloud Native Security Whitepaper 2020

Matt Jarvis
 

This is awesome ! Well done folks ...


On Wed, 18 Nov 2020 at 17:41, Justin Cormack via lists.cncf.io <justin.cormack=docker.com@...> wrote:
Thanks to everyone who worked so hard on this. Congratulations on shipping it, it will be very
helpful. 

Justin


On Wed, Nov 18, 2020 at 5:38 PM Chris Aniszczyk <caniszczyk@...> wrote:
The CNCF Security SIG did an excellent job putting together a white paper around cloud native security: https://github.com/cncf/sig-security/blob/master/security-whitepaper/cloud-native-security-whitepaper.md

It's great! Please check it out and feel free to provide their community feedback on it!

--
Chris Aniszczyk (@cra)


[RESULT] Buildpacks moves to incubation

Amye Scavarda Perrin
 


Re: FYI: Cloud Native Security Whitepaper 2020

Justin Cormack
 

Thanks to everyone who worked so hard on this. Congratulations on shipping it, it will be very
helpful. 

Justin


On Wed, Nov 18, 2020 at 5:38 PM Chris Aniszczyk <caniszczyk@...> wrote:
The CNCF Security SIG did an excellent job putting together a white paper around cloud native security: https://github.com/cncf/sig-security/blob/master/security-whitepaper/cloud-native-security-whitepaper.md

It's great! Please check it out and feel free to provide their community feedback on it!

--
Chris Aniszczyk (@cra)


FYI: Cloud Native Security Whitepaper 2020

Chris Aniszczyk
 

The CNCF Security SIG did an excellent job putting together a white paper around cloud native security: https://github.com/cncf/sig-security/blob/master/security-whitepaper/cloud-native-security-whitepaper.md

It's great! Please check it out and feel free to provide their community feedback on it!

--
Chris Aniszczyk (@cra)


Re: FYI: New Training Course on Diversity in Open Source

Chris Aniszczyk
 

Let's put it as a discussion item for the next meeting and consider rolling it out in 2021


On Wed, Nov 18, 2020 at 9:47 AM Liz Rice <liz@...> wrote:
Thanks Chris. 

We could also require it for TOC members & SIG chairs too 


On Wed, Nov 18, 2020 at 2:40 PM Chris Aniszczyk <caniszczyk@...> wrote:
Thanks!

Liz I have added this as a requirement per the project proposal process: https://github.com/cncf/toc/pull/570

We can discuss at the next TOC meeting to vote/finalize the changes, but I think the best place to put the requirement is at the project proposal phase where we can easily check against the initial list of maintainers. In the future, we can try to do something fancy like an automated audit report based on what's in maintainers.cncf.io and if they have taken the course.

On Wed, Nov 18, 2020 at 8:30 AM Bartłomiej Płotka <bwplotka@...> wrote:
Hi,

Just completed it (takes ~20 min) and definitely can recommend it to all who maintain projects on open source! 🤗 

It's actionable and insightful, +1 to make it mandatory.

BTW, direct training link: https://training.linuxfoundation.org/training/inclusive-open-source-community-orientation-lfc102/ (it's free)

Kind Regards,
Bartek Płotka (@bwplotka)

On Wed, 18 Nov 2020 at 10:07, Liz Rice <liz@...> wrote:
I’d like to see all project maintainers taking this at all maturity levels

Probably getting carried away here, but it would be nice if we could automate this, a bit like CLA bots: automatically flagging up anyone who’s listed in a Maintainers file if they haven’t taken the course


On Fri, 13 Nov 2020 at 15:31, Chris Aniszczyk <caniszczyk@...> wrote:
As a follow up from previous discussions on D&I training, we at The Linux Foundation in partnership with NCWIT are launching a new course on building inclusive open source communities that CNCF helped fund: https://training.linuxfoundation.org/announcements/linux-foundation-and-ncwit-release-free-training-course-on-diversity-in-open-source/

We should consider making this as a graduation requirement or even as part of project acceptance, food for thought as we ramp up for kubecon + cloudnativecon next week!


--
Chris Aniszczyk (@cra)



--
Chris Aniszczyk (@cra)


--
Chris Aniszczyk (@cra)


Re: [cncf-sig-security] Vulnerability scanning for CNCF projects

Chris Aniszczyk
 

" Should we have something in place for requiring projects to have a process to fix vulnerability issues (at least the serious ones)?"

We have a graduation requirement around CII badging which requires a security disclosure process so it's there but not codified formally, we could do that, I think the important thing is that projects also publish advisories in a standard way (like via the github security API)

We should treat the LF tool suite as another option for projects to take advantage of, already many projects are using Snyk, FOSSA, Whitesource etc that is listed here: https://github.com/cncf/servicedesk#tools

You can kind of get an SBOM (depending you define sbom ;p) for some of our projects already: https://app.fossa.com/attribution/c189c5b9-fe2c-45f2-ba40-c34c36bab868

I think offering projects more choice is always better as the landscape changes often in tooling.

On Wed, Nov 18, 2020 at 10:54 AM Emily Fox <themoxiefoxatwork@...> wrote:
Liz,
  Love this.  As part of the assessments SIG-Security performs, we've begun highlighting the importance of secure development practices.  The last few assessments we've begun pushing more for this, as well as responsible disclosure instructions and general security mindedness for project sustainment.   This fits in alignment with those efforts.  We currently have the assessment process undergoing some updates (held currently for kubecon) and this make it a great time to potentially include this.  I personally would like to see license dependencies and dependency trees to help push forward in the area of SBOM.
  I think we should be clear however in what our thresholds and terms are in this area, offhand i can think of the following potentials:
* Listing of vulns in deliverable artifacts
* Listing licensing dependencies
* SBOM
* vulnerability threshold and prioritizing resolution in prior to artifact delivery
* vulnerability threshold and prioritizing resolution post artifact delivery

Definitely worth a conversation and follow-ups.  Do you have anything in mind that are must haves off the above or anything I missed or misunderstood?

~Emily Fox


On Wed, Nov 18, 2020 at 11:41 AM Liz Rice <liz@...> wrote:
Hi TOC and SIG Security folks 

On Friday I got a nice preview from Shubhra Kar and his team at the LF about some tools they are building to provide insights and stats for LF (and therefore CNCF) projects. One that's of particular interest is an integration of scanning security issues.

We require graduated projects to have security reviews, and SIG Security are offering additional assessments, but we don't really have any standards around whether project artifacts shipping with vulnerabilities. Should we have something in place for requiring projects to have a process to fix vulnerability issues (at least the serious ones)? 

This tooling is off to a great start. The current numbers for a lot of our projects look really quite bad, but this may be to do with scanning all the repos related to a project's org. I'd imagine there are also some false positives from things like dependencies only used in test that don't affect the security of the executables that end users run - we may want to look at just reporting vulnerabilities from a project's deployable artifacts. 

As well as vulnerability scanning this is showing license dependencies, which could be very useful.

For discussion, how we want to use this kind of info, and whether we want to formalize requirements on projects (e.g. at graduation or incubation levels).  

Copying Shubra in case he would like to comment further. .

Enjoy KubeCon!
Liz



--
Chris Aniszczyk (@cra)


Re: [cncf-sig-security] Vulnerability scanning for CNCF projects

Emily Fox
 

Liz,
  Love this.  As part of the assessments SIG-Security performs, we've begun highlighting the importance of secure development practices.  The last few assessments we've begun pushing more for this, as well as responsible disclosure instructions and general security mindedness for project sustainment.   This fits in alignment with those efforts.  We currently have the assessment process undergoing some updates (held currently for kubecon) and this make it a great time to potentially include this.  I personally would like to see license dependencies and dependency trees to help push forward in the area of SBOM.
  I think we should be clear however in what our thresholds and terms are in this area, offhand i can think of the following potentials:
* Listing of vulns in deliverable artifacts
* Listing licensing dependencies
* SBOM
* vulnerability threshold and prioritizing resolution in prior to artifact delivery
* vulnerability threshold and prioritizing resolution post artifact delivery

Definitely worth a conversation and follow-ups.  Do you have anything in mind that are must haves off the above or anything I missed or misunderstood?

~Emily Fox


On Wed, Nov 18, 2020 at 11:41 AM Liz Rice <liz@...> wrote:
Hi TOC and SIG Security folks 

On Friday I got a nice preview from Shubhra Kar and his team at the LF about some tools they are building to provide insights and stats for LF (and therefore CNCF) projects. One that's of particular interest is an integration of scanning security issues.

We require graduated projects to have security reviews, and SIG Security are offering additional assessments, but we don't really have any standards around whether project artifacts shipping with vulnerabilities. Should we have something in place for requiring projects to have a process to fix vulnerability issues (at least the serious ones)? 

This tooling is off to a great start. The current numbers for a lot of our projects look really quite bad, but this may be to do with scanning all the repos related to a project's org. I'd imagine there are also some false positives from things like dependencies only used in test that don't affect the security of the executables that end users run - we may want to look at just reporting vulnerabilities from a project's deployable artifacts. 

As well as vulnerability scanning this is showing license dependencies, which could be very useful.

For discussion, how we want to use this kind of info, and whether we want to formalize requirements on projects (e.g. at graduation or incubation levels).  

Copying Shubra in case he would like to comment further. .

Enjoy KubeCon!
Liz


Vulnerability scanning for CNCF projects

Liz Rice
 

Hi TOC and SIG Security folks 

On Friday I got a nice preview from Shubhra Kar and his team at the LF about some tools they are building to provide insights and stats for LF (and therefore CNCF) projects. One that's of particular interest is an integration of scanning security issues.

We require graduated projects to have security reviews, and SIG Security are offering additional assessments, but we don't really have any standards around whether project artifacts shipping with vulnerabilities. Should we have something in place for requiring projects to have a process to fix vulnerability issues (at least the serious ones)? 

This tooling is off to a great start. The current numbers for a lot of our projects look really quite bad, but this may be to do with scanning all the repos related to a project's org. I'd imagine there are also some false positives from things like dependencies only used in test that don't affect the security of the executables that end users run - we may want to look at just reporting vulnerabilities from a project's deployable artifacts. 

As well as vulnerability scanning this is showing license dependencies, which could be very useful.

For discussion, how we want to use this kind of info, and whether we want to formalize requirements on projects (e.g. at graduation or incubation levels).  

Copying Shubra in case he would like to comment further. .

Enjoy KubeCon!
Liz


Re: FYI: New Training Course on Diversity in Open Source

Liz Rice
 

Thanks Chris. 

We could also require it for TOC members & SIG chairs too 


On Wed, Nov 18, 2020 at 2:40 PM Chris Aniszczyk <caniszczyk@...> wrote:
Thanks!

Liz I have added this as a requirement per the project proposal process: https://github.com/cncf/toc/pull/570

We can discuss at the next TOC meeting to vote/finalize the changes, but I think the best place to put the requirement is at the project proposal phase where we can easily check against the initial list of maintainers. In the future, we can try to do something fancy like an automated audit report based on what's in maintainers.cncf.io and if they have taken the course.

On Wed, Nov 18, 2020 at 8:30 AM Bartłomiej Płotka <bwplotka@...> wrote:
Hi,

Just completed it (takes ~20 min) and definitely can recommend it to all who maintain projects on open source! 🤗 

It's actionable and insightful, +1 to make it mandatory.

BTW, direct training link: https://training.linuxfoundation.org/training/inclusive-open-source-community-orientation-lfc102/ (it's free)

Kind Regards,
Bartek Płotka (@bwplotka)

On Wed, 18 Nov 2020 at 10:07, Liz Rice <liz@...> wrote:
I’d like to see all project maintainers taking this at all maturity levels

Probably getting carried away here, but it would be nice if we could automate this, a bit like CLA bots: automatically flagging up anyone who’s listed in a Maintainers file if they haven’t taken the course


On Fri, 13 Nov 2020 at 15:31, Chris Aniszczyk <caniszczyk@...> wrote:
As a follow up from previous discussions on D&I training, we at The Linux Foundation in partnership with NCWIT are launching a new course on building inclusive open source communities that CNCF helped fund: https://training.linuxfoundation.org/announcements/linux-foundation-and-ncwit-release-free-training-course-on-diversity-in-open-source/

We should consider making this as a graduation requirement or even as part of project acceptance, food for thought as we ramp up for kubecon + cloudnativecon next week!


--
Chris Aniszczyk (@cra)



--
Chris Aniszczyk (@cra)


Re: FYI: New Training Course on Diversity in Open Source

Chris Aniszczyk
 

Thanks!

Liz I have added this as a requirement per the project proposal process: https://github.com/cncf/toc/pull/570

We can discuss at the next TOC meeting to vote/finalize the changes, but I think the best place to put the requirement is at the project proposal phase where we can easily check against the initial list of maintainers. In the future, we can try to do something fancy like an automated audit report based on what's in maintainers.cncf.io and if they have taken the course.

On Wed, Nov 18, 2020 at 8:30 AM Bartłomiej Płotka <bwplotka@...> wrote:
Hi,

Just completed it (takes ~20 min) and definitely can recommend it to all who maintain projects on open source! 🤗 

It's actionable and insightful, +1 to make it mandatory.

BTW, direct training link: https://training.linuxfoundation.org/training/inclusive-open-source-community-orientation-lfc102/ (it's free)

Kind Regards,
Bartek Płotka (@bwplotka)

On Wed, 18 Nov 2020 at 10:07, Liz Rice <liz@...> wrote:
I’d like to see all project maintainers taking this at all maturity levels

Probably getting carried away here, but it would be nice if we could automate this, a bit like CLA bots: automatically flagging up anyone who’s listed in a Maintainers file if they haven’t taken the course


On Fri, 13 Nov 2020 at 15:31, Chris Aniszczyk <caniszczyk@...> wrote:
As a follow up from previous discussions on D&I training, we at The Linux Foundation in partnership with NCWIT are launching a new course on building inclusive open source communities that CNCF helped fund: https://training.linuxfoundation.org/announcements/linux-foundation-and-ncwit-release-free-training-course-on-diversity-in-open-source/

We should consider making this as a graduation requirement or even as part of project acceptance, food for thought as we ramp up for kubecon + cloudnativecon next week!


--
Chris Aniszczyk (@cra)



--
Chris Aniszczyk (@cra)


Re: FYI: New Training Course on Diversity in Open Source

Bartłomiej Płotka
 

Hi,

Just completed it (takes ~20 min) and definitely can recommend it to all who maintain projects on open source! 🤗 

It's actionable and insightful, +1 to make it mandatory.

BTW, direct training link: https://training.linuxfoundation.org/training/inclusive-open-source-community-orientation-lfc102/ (it's free)

Kind Regards,
Bartek Płotka (@bwplotka)

On Wed, 18 Nov 2020 at 10:07, Liz Rice <liz@...> wrote:
I’d like to see all project maintainers taking this at all maturity levels

Probably getting carried away here, but it would be nice if we could automate this, a bit like CLA bots: automatically flagging up anyone who’s listed in a Maintainers file if they haven’t taken the course


On Fri, 13 Nov 2020 at 15:31, Chris Aniszczyk <caniszczyk@...> wrote:
As a follow up from previous discussions on D&I training, we at The Linux Foundation in partnership with NCWIT are launching a new course on building inclusive open source communities that CNCF helped fund: https://training.linuxfoundation.org/announcements/linux-foundation-and-ncwit-release-free-training-course-on-diversity-in-open-source/

We should consider making this as a graduation requirement or even as part of project acceptance, food for thought as we ramp up for kubecon + cloudnativecon next week!


--
Chris Aniszczyk (@cra)


Re: [VOTE] Buildpacks to move to incubation

Archy k
 

+1 NB

On Wed, Oct 7, 2020 at 5:21 PM Amye Scavarda Perrin <ascavarda@...> wrote:
Cloud Native Buildpacks has applied to move from sandbox to incubation. (https://github.com/cncf/toc/pull/338)

Justin Cormack is the TOC sponsor for this project, he has performed Due Diligence (https://docs.google.com/document/d/1tb3mK5cJmaQLO8xR__9NaH2GMrdn3WPjAZFBJYsXrxY/edit) and called for public comment. (https://lists.cncf.io/g/cncf-toc/message/5317)

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

--
Amye Scavarda Perrin | Program Manager | amye@...


Re: [VOTE] Buildpacks to move to incubation

Romaric Philogène
 

+1

On Tue, Nov 3, 2020 at 6:03 PM Gadi Naor via lists.cncf.io <gadi=alcide.io@...> wrote:
+1 NB

On Tue, Nov 3, 2020 at 6:02 PM Alena Prokharchyk via lists.cncf.io <aprokharchyk=apple.com@...> wrote:
+1 binding.

-alena.

On Oct 7, 2020, at 2:18 PM, Amye Scavarda Perrin <ascavarda@...> wrote:

Cloud Native Buildpacks has applied to move from sandbox to incubation. (https://github.com/cncf/toc/pull/338)

Justin Cormack is the TOC sponsor for this project, he has performed Due Diligence (https://docs.google.com/document/d/1tb3mK5cJmaQLO8xR__9NaH2GMrdn3WPjAZFBJYsXrxY/edit) and called for public comment. (https://lists.cncf.io/g/cncf-toc/message/5317)

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

--
Amye Scavarda Perrin | Program Manager | amye@...

--
Gadi NaorCTO & Security Plumber
 

US.   2443 Fillmore St, San Francisco, CA, 94115
IL.    5 Miconis St, Tel Aviv, 6777214   
M. +972-52-6618811
Web.      www.alcide.io
GitHub. github.com/alcideio

Follow us on LinkedInFollow us on Twitter 

Complete Kubernetes & Service Mesh Security. 
Bridging Security & DevOps.




--
Romaric Philogène
CEO & Co-founder | Qovery

Backed by Techstars

Phone : +33 601 226 575
Email : romaric@...
Address : 128 rue la Boétie, 75008 Paris - France


Re: [VOTE] Buildpacks to move to incubation

Liz Rice
 

+1 binding


On Tue, 3 Nov 2020 at 17:08, sandeep lahane <sandeep@...> wrote:
+1 

Regards
Sandeep Lahane
Founder & CEO | Deepfence Inc




On Tue, Nov 3, 2020 at 10:33 PM Gadi Naor via lists.cncf.io <gadi=alcide.io@...> wrote:
+1 NB

On Tue, Nov 3, 2020 at 6:02 PM Alena Prokharchyk via lists.cncf.io <aprokharchyk=apple.com@...> wrote:
+1 binding.

-alena.

On Oct 7, 2020, at 2:18 PM, Amye Scavarda Perrin <ascavarda@...> wrote:

Cloud Native Buildpacks has applied to move from sandbox to incubation. (https://github.com/cncf/toc/pull/338)

Justin Cormack is the TOC sponsor for this project, he has performed Due Diligence (https://docs.google.com/document/d/1tb3mK5cJmaQLO8xR__9NaH2GMrdn3WPjAZFBJYsXrxY/edit) and called for public comment. (https://lists.cncf.io/g/cncf-toc/message/5317)

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

--
Amye Scavarda Perrin | Program Manager | amye@...

--
Gadi NaorCTO & Security Plumber
 

IL.    5 Miconis St, Tel Aviv, 6777214   
M. +972-52-6618811
Web.      www.alcide.io
GitHub. github.com/alcideio

Follow us on LinkedInFollow us on Twitter 

Complete Kubernetes & Service Mesh Security. 
Bridging Security & DevOps.



Re: FYI: New Training Course on Diversity in Open Source

Liz Rice
 

I’d like to see all project maintainers taking this at all maturity levels

Probably getting carried away here, but it would be nice if we could automate this, a bit like CLA bots: automatically flagging up anyone who’s listed in a Maintainers file if they haven’t taken the course


On Fri, 13 Nov 2020 at 15:31, Chris Aniszczyk <caniszczyk@...> wrote:
As a follow up from previous discussions on D&I training, we at The Linux Foundation in partnership with NCWIT are launching a new course on building inclusive open source communities that CNCF helped fund: https://training.linuxfoundation.org/announcements/linux-foundation-and-ncwit-release-free-training-course-on-diversity-in-open-source/

We should consider making this as a graduation requirement or even as part of project acceptance, food for thought as we ramp up for kubecon + cloudnativecon next week!


--
Chris Aniszczyk (@cra)


Re: [VOTE] etcd for graduation

Robert Wilkins III
 

+1 NB


Re: [VOTE] etcd for graduation

Liz Rice
 

+1 binding 



On Mon, Nov 16, 2020 at 4:36 PM Justin Cormack via lists.cncf.io <justin.cormack=docker.com@...> wrote:
+1 (binding)

Justin


On Fri, Nov 13, 2020 at 5:51 PM Amye Scavarda Perrin <ascavarda@...> wrote:
The etcd project has applied for graduation:  https://github.com/cncf/toc/pull/541

The due diligence document can be found here: https://docs.google.com/document/d/10IRk__v_nehw-0BpqUnNSY4A8RNP2ztdqKLX2mh0PlU/edit?usp=sharing

Xiang Li is the TOC sponsor.

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

Thank you!
- amye 

--
Amye Scavarda Perrin | Program Manager | amye@...


Re: [VOTE] etcd for graduation

Justin Cormack
 

+1 (binding)

Justin


On Fri, Nov 13, 2020 at 5:51 PM Amye Scavarda Perrin <ascavarda@...> wrote:
The etcd project has applied for graduation:  https://github.com/cncf/toc/pull/541

The due diligence document can be found here: https://docs.google.com/document/d/10IRk__v_nehw-0BpqUnNSY4A8RNP2ztdqKLX2mh0PlU/edit?usp=sharing

Xiang Li is the TOC sponsor.

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

Thank you!
- amye 

--
Amye Scavarda Perrin | Program Manager | amye@...


Re: [VOTE] etcd for graduation

Tzury Bar Yochay
 

+1


On Fri, Nov 13, 2020 at 7:51 PM Amye Scavarda Perrin <ascavarda@...> wrote:
The etcd project has applied for graduation:  https://github.com/cncf/toc/pull/541

The due diligence document can be found here: https://docs.google.com/document/d/10IRk__v_nehw-0BpqUnNSY4A8RNP2ztdqKLX2mh0PlU/edit?usp=sharing

Xiang Li is the TOC sponsor.

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

Thank you!
- amye 

--
Amye Scavarda Perrin | Program Manager | amye@...



--
Tzury Bar Yochay
Founder and CTO

1681 - 1700 of 7189