Note: TAG-Security was rebranded from SAFE working group. The below roadmap includes SAFE WG and TAG-Security in its timeline.
| | #2 Discover | #3 Describe | #4 Identify |
|---|---|---|---|
| Artifacts | Personas, Use Cases, Categories | Standards, Common Definitions, Block Architecture | Catalog Projects, Fill in Boxes, Identify Gaps |
| Topics | Presentations (TAG members & guests) | Standards in Practice, Real World Systems Architecture | Platforms & Products, Tools & Libraries |
- Charter the SAFE Working Group. Draft vision, process and initial members (done, see below)
- Discover (completed)
  - Explore the problem space of the working group
  - Investigate what is happening in the community today with respect to security for cloud native applications and infrastructure
  - Presentations from members & guests
  - Describe personas & use cases
  - Draft a picture or set of categories that will serve as a starting point for an evaluation framework
  - Solicit real world use cases and practices (and compensating controls) for projects
- Describe (in progress)
  - Define the terminology used in the output documents, and in the community
  - Describe the current state (map) of cloud native security, which might include:
    - existing standards
    - existing open source, and proprietary, solutions
    - common patterns in use today for systems that work for cloud native apps, for example:
      - an end-to-end view of secure access, and
      - common layering or a block architecture
- Identify existing security components in CNCF and projects in the CNCF landscape and catalog
- Identify gaps and make recommendations to the community and TOC
- Continually monitor the viability of the existing projects and update the landscape document
- Document and disseminate best practices (provide training?)
TAG-Security strives to perform annual planning and quarterly reviews of our roadmap plans. The Roadmap planning project board for each annum is a live board and is continually updated. Boards may have cards added which indicate early concepts or needs for discovery, prior to becoming proposals or projects.
| Year | Board Link |
|---|---|
| 2021-2022 | RoadMap Planning Board |
TAG-Security maintains a few activities as regular business. The boards tracking these items are linked below.
| Effort | Board Link | Description |
|---|---|---|
| CNCF project security reviews | Security Review Queue | This board is used to manage upcoming and current security reviews and security review related activities. |
| TAG-Security Projects | Project Tracking Board | This board is used to manage upcoming proposals (backlog) and ongoing projects. |
| Issue Triage | Triage Board | This board is used to assist the Triage team in managing the queue of issues. |
| Milestone | Date | Action |
|---|---|---|
| First Community Translation | 27 Feb 2021 | Chinese translation of Whitepaper |
| Security Assessments => Reviews | 23 Feb 2021 | Retrospective resulted in process updates |
| APAC meetings start | 1 Feb 2021 | Regular meeting time added to README |
| Expanded to 5 Tech Leads | 13 Jan 2021 | TOC Approves @ashutosh-narkar, @achetal01, @anvega |
| Cloud Native Security Whitepaper v1 | 18 Nov 2020 | Markdown source and images in repo |
| First five security assessments | 21 Oct 2020 | In-toto, OPA, SPIFFE/SPIRE, Harbor, Keycloak |
| First chair rotation | 15 Sep 2020 | TOC approves @TheFoxAtWork with new chair proposal process |
| DoD Kubernetes/Container Security controls proposed | 26 Jun 2020 | LF collaboration with US DoD merged to DoD repo |
| First Tech Leads | 25 Feb 2020 | TOC approves @lumjjb @TheFoxAtWork @JustinCappos |
| Security Assessment intake process | 7 Jan 2020 | Intake process and prioritization |
| First Cloud Native Security Day | 19 Nov 2019 | Event organized by @mfdii and @TheFoxAtWork |
| Software supply chain catalog | 14 Nov 2019 | Catalog |
| Updated personas & use cases | 23 Sept 2019 | Added platform implementer |
| Policy formal verification overview | 10 Sept 2019 | Documentation |
| First Security Assessment | May 2019 | In-toto |
| Updated Charter and Governance ratified by CNCF TOC | 7 May 2019 | New repo |
| First cut security audit guidelines | 2 May 2019 | Guidelines |
| Moved SAFE WG to CNCF | 15 Apr 2019 | Repo rename |
| CNCF WG proposal | 21 Aug 2018 | CNCF TAG-Security charter and roles |
| Policy WG merged | 10 Aug 2018 | Merging policy WG |
| First KubeCon Presentations | 2-4 May 2018 | Intro and deep dive |
| Personas & use cases | 20 Apr 2018 | Shared doc into repo markdown |
| Initial Commit for SAFE repo | 13 Mar 2018 | First commit |
| Informal discussions at Kubecon Austin | Dec 2017 | Meeting with CNCF community and gathering feedback |