Merge branch 'main' into JustinCappos-CII-OpenSSF

Signed-off-by: Andres Vega <[email protected]>

.github/settings.yml

@@ -61,11 +61,15 @@ collaborators:
 
   - username: ragashreeshekar
     permission: push
-
-    # Triage Team
-    # manage issues (edit labels, occasionally edit)
-    # needs "push" permission, even though triage team should not merge PRs
 
+  # Contributing Reviewers
+  # Submit Reviews to PRs based on this grouping: https://github.com/cncf/tag-security/blob/main/.github/auto_request_review.yml
+  - username: lirantal
+    permission: read
+
+    # Leading the policy project #987
+  - username: jkjell
+    permission: push
 
     # Security Assessment Facilitator
     # merge PRs in /assesssments according to guidelines
@@ -78,6 +82,7 @@ collaborators:
     # JustinCappos, ultrasaurus, lumjjb
   - username: JustinCormack
     permission: push
+
 
     # Meeting Facilitators
     # ultrasaurus, dshaw, pragashj, lumjjb, justincormack, izgeri, JustinCappos, magnologan, TheFoxAtWork, anvega, achetal01, ashutosh-narkar,

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "website/themes/docsy/assets/vendor/bootstrap"]
+	path = website/themes/docsy/assets/vendor/bootstrap
+	url = https://github.com/twbs/bootstrap.git
+[submodule "website/themes/docsy/assets/vendor/Font-Awesome"]
+	path = website/themes/docsy/assets/vendor/Font-Awesome
+	url = https://github.com/FortAwesome/Font-Awesome.git

PUBLICATIONS.md

@@ -0,0 +1,105 @@
+# TAG Security Publications
+
+This document lists all the publications and resources that TAG Security has
+produced.
+
+## Cloud Native Security Whitepaper
+
+The Cloud Native Security Whitepaper (CNSWP) is a TAG Security effort to ensure
+the cloud native community has access to information about building,
+distributing, deploying, and running secure cloud native capabilities.
+
+- [Markdown](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md)
+  (v2)
+- [PDF](https://www.cncf.io/wp-content/uploads/2022/06/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf)
+  (v2)
+- [Audio](https://soundcloud.com/user-769472014/sets/cncf-tag-security-cloud-native-security-whitepaper-version-v1)
+  (v1)
+
+Translations
+
+- [Portuguese](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v1/cloud-native-security-whitepaper-brazilian-portugese.md)
+  (v1)
+- [Chinese](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v1/cloud-native-security-whitepaper-simplified-chinese.md)
+  (v1)
+
+## Supply Chain Security
+
+### Software Supply Chain Best Practices
+
+The Software Supply Chain Security Paper is a TAG Security effort to ensure the
+cloud native community has access to information about building, distributing,
+deploying, and running secure software supply chains.
+
+- [Markdown](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md)
+- [PDF](https://github.com/cncf/tag-security/raw/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
+
+### Evaluating your supply chain security
+
+A framework for supply chain evaluation
+
+- [Markdown](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/secure-supply-chain-assessment.md)
+
+### Secure Software Factory
+
+A reference architecture for securing the software supply chain
+
+- [Markdown](https://github.com/cncf/tag-security/blob/main/supply-chain-security/secure-software-factory/secure-software-factory.md)
+- [PDF](https://github.com/cncf/tag-security/raw/main/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf)
+
+### Catalog of Supply Chain Compromises
+
+A catalog of supply chain compromises and links to relevant articles discussing
+them
+
+- [Markdown](https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises)
+
+## Cloud Native Security Lexicon
+
+Standardization of terminologies specific to Cloud Native Security
+
+- [Markdown](https://github.com/cncf/tag-security/blob/main/security-lexicon/cloud-native-security-lexicon.md)
+
+## Use Cases & Personas
+
+List of use cases to enable secure access, policy control and safety for users
+of cloud native technology
+
+- [Markdown](https://github.com/cncf/tag-security/blob/main/usecase-personas/README.md)
+
+## Policy
+
+### Formal Verification for Policy Configurations
+
+- [Markdown](https://github.com/cncf/tag-security/blob/main/policy/overview-policy-formal-verification.md)
+
+### Handling build-time dependency vulnerabilities
+
+- [Markdown](https://github.com/cncf/tag-security/blob/main/policy/overview-policy-build-time-dependency-vulns.md)
+
+## Secure Defaults: Cloud Native 8
+
+- [Markdown](https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md)
+
+## Cloud Native Security Controls Catalog
+
+Mapping of Cloud Native Security Whitepaper and Software Supply Chain Best
+Practices Paper to NIST SP800-53r5
+
+- [Markdown](https://github.com/cncf/tag-security/blob/main/cloud-native-controls/phase-one-announcement.md)
+- [Spreadsheet](https://docs.google.com/spreadsheets/d/1GUohOTlLw9FKUQ3O23X7ypvJLXN-B3veJGe6YE6JYfU/edit?usp=sharing)
+
+## Security Assessments
+
+TAG Security has conducted security assessments of several CNCF projects. These
+assessments are available to the public.
+
+- [Buildpacks](https://github.com/cncf/tag-security/tree/main/assessments/projects/buildpacks)
+- [Cloud
+  Custodian](https://github.com/cncf/tag-security/tree/main/assessments/projects/custodian)
+- [Harbor](https://github.com/cncf/tag-security/tree/main/assessments/projects/harbor)
+- [In-toto](https://github.com/cncf/tag-security/tree/main/assessments/projects/in-toto)
+- [Keycloak](https://github.com/cncf/tag-security/tree/main/assessments/projects/keycloak)
+- [Kyverno](https://github.com/cncf/tag-security/tree/main/assessments/projects/kyverno)
+- [OPA](https://github.com/cncf/tag-security/tree/main/assessments/projects/opa)
+- [Spiffe-Spire](https://github.com/cncf/tag-security/tree/main/assessments/projects/spiffe-spire)

README.md

@@ -45,6 +45,11 @@ experience of cloud native operators, administrators and developers, including:
 3. Common libraries and protocols that enable people to reason about the
    security of the system, such as auditing and explainability features.
 
+## Publications
+
+TAG Security has published several resources for the community, which can be
+found in the [publications](PUBLICATIONS.md) document.
+
 ## Governance
 
 [STAG charter](governance/charter.md) outlines the scope of our group

assessments/README.md

@@ -1,10 +1,10 @@
-# Security reviews
+# TAG-Security Security Assessment (TSSA) Process 
 
 ## Goals
 
-The [security review process](guide) (formerly security assessment process)
-is designed to accelerate the adoption of cloud native technologies, based on
-the below goals and assumptions.
+The [TAG-Security Security Assessment Process](guide) (formerly the security 
+review process) is designed to accelerate the adoption of cloud native 
+technologies, based on the below goals and assumptions.
 
 ### 1) Reduce risk across the ecosystem
 
@@ -13,35 +13,37 @@ breaches of privacy. This process supports that goal in two ways:
 
    * A clear and consistent process for communication increases detection &
      reduces time to resolve known or suspected vulnerability issues
-   * A collaborative review process increases domain expertise within each
+   * A collaborative assessment process increases domain expertise within each
      participating project.
 
 ### 2) Accelerate adoption of cloud native technologies
 
-Security reviews are a necessary, time intensive process. Each company,
-organization and project must perform its own reviews to ensure that it meets
+Security assessments are a necessary, time intensive process. Each company,
+organization, and project must perform its own assessments to ensure that
+it meets
 its unique commitments to its own users and stakeholders. In open source, simply
 finding security-related information can be overwhelmingly difficult and a time
-consuming part of the security review. The CNCF security review, hereafter
-"security review," process is intended to enable improved discovery of
+consuming part of the security assessment. The CNCF TAG-Security Security
+Assessment Process, hereafter "TSSA" Process is intended to enable improved 
+discovery of
 security information & assist in streamlining internal and external security
-reviews in multiple ways:
+assessments in multiple ways:
 
-   * Consistent documentation reduces review time.
+   * Consistent documentation reduces assessment time.
    * Established baseline of security-relevant information reduced Q&A.
    * Clear rubric for security profile enables organizations to align their risk
      profile with the project’s risk profile and effectively allocate resources
-     (for review and needed project contribution).
+     (for assessment and needed project contribution).
    * Structured metadata allows for navigation, grouping and cross-linking.
 
 We expect that this process will raise awareness of how specific open source
 projects affect the security of a cloud native system; however, separate
 activities may be needed to achieve that purpose using materials generated by
-the reviews, known as artifacts or the security review package.
+the TSSA, known as artifacts or the TSSA package.
 
 ## Outcome
 
-Each project's security review package shall include a description of:
+Each project's TSSA package shall include a description of:
 1. the project's design goals with respect to security
 2. any aspects of design and configuration that could introduce risk
 3. known limitations, such as expectations or assumptions that aspects of
@@ -50,34 +52,35 @@ Each project's security review package shall include a description of:
 4. next steps toward increasing security of the project itself and/or increasing
    the applications of the project toward a more secure cloud native ecosystem
 
-Due to the nature and time frame for the analysis, *this review is not meant to
+Due to the nature and time frame for the analysis, *the TSSA package is not 
+meant to
 subsume the need for a professional security audit of the code*.  Audits of
 implementation-specific vulnerabilities, improper deployment configurations, etc.
-are not in scope of a security review.  A security review is intended to
+are not in scope of a TSSA.  A TSSA is intended to
 uncover design flaws, enhance the security mindset of the project, and to obtain
 a clear, comprehensive articulation of the project's design goals and
 aspirations while documenting the intended security properties enforced,
 fulfilled, or executed by said project.
 
-### Benefits of a security review
+### Benefits of a TSSA
 
-Having your project undergo the security review process is a key step toward
+Having your project undergo the TSSA Process is a key step toward
 eliminating security risks.  It allows one to build security as an integral part
 of a system and to maintain that security over time.
 
-Security reviews have many benefits, creating:
+A TSSA has many benefits, creating:
 * a measurable security baseline from that point onward,
 * exposure and analysis of security issues, including the risk they introduce,
 * validation of security awareness and culture among the developers for building secured projects, and
 * a documented procedure, for future compliance, audit, or internal assessment
 
-### Components of the security review package
+### Components of the TSSA package
 
-A complete security review package primarily consists of the following
+A complete TSSA package primarily consists of the following
 items:
 * [Self-assessment](guide/self-assessment.md).  A written assessment by the project
 of the project's current security statue.
-* [Joint-review](guide/joint-review.md). A joint review by both the [security
+* [Joint-assessment](guide/joint-assessment.md). A hands-on assessment by both the [security
 reviewers](guide/security-reviewer.md) and the project team that includes parts
 of the self-assessment and expands to include a more comprehensive consideration
 of the project's security health.  This artifact, coupled with self-assessment
@@ -86,41 +89,41 @@ provide invaluable information for security auditors as well as end-users.
   team,
 * Review the [joint README template](guide/joint-readme-template.md).
 This template is used to create a readme at the end of the joint
-review by the security reviewers to provide a high level summary
-of the joint review and is considered when reviewing for due
+assessment by the security reviewers to provide a high level summary
+of the joint assessment.  It is considered when performing due
 diligence.
 
-### Use of a completed package
+### Use of a completed TSSA package
 
-Finalized security review packages may be used by the community to assist in
+A finalized TSSA package may be used by the community to assist in
 the contextual review of a project but are not an endorsement of the
 security of the project, not a security audit of the project, and do not relieve
 an individual or organization from performing their own due diligence and
 complying with laws, regulations, and policies.
 
 Draft assessments contain *unconfirmed* content and are not endorsed as factual
 until committed to this repository, which requires detailed peer review.  Draft
-reviews may also contain *speculative* content as the project lead or security
-reviewer is performing a review.  Draft reviews are *only* for the purpose
+documents may also contain *speculative* content as the project lead or security
+reviewer is performing an assessment.  Draft assessments are *only* for the purpose
 of preparing final artifact and are **not** to be used in any other capacity by
 the community.
 
-Final slides resulting from the presentation and the project's joint review
-will be stored in the individual project's review folder with supporting
-documentation and artifacts from the review.  These folders can be found under
+Final slides resulting from the presentation and the project's joint assessment
+will be stored in the individual project's folder with supporting
+documentation and artifacts from the TSSA.  These folders can be found under
  [assessments/projects](projects/) and clicking on the project name.
 
 ## Process
 
-Creating the security review package is a collaborative process for the
+Creating the TSSA package is a collaborative process for the
 benefit of the project and the community, where the primary content is generated
 by the [project lead](guide/project-lead.md) and revised based on feedback from [security reviewers](guide/security-reviewer.md)
 and other members of the TAG.
 
-* If you are interested in a security review for your project and you are
+* If you are interested in a TSSA for your project and you are
   willing to volunteer as [project lead](guide/project-lead.md) or you are a
-  TAG-Security member and want to recommend a project to review, please [file an
-  issue](https://github.com/cncf/tag-security/issues/new?template=joint-review.md)
+  TAG-Security member and want to recommend a project to assess, please [file an
+  issue](https://github.com/cncf/tag-security/issues/new?template=joint-assessment.md)
 
-See [security review guide](guide) for more details.  To understand how we
-prioritize reviews, see [intake process](./intake-process.md).
+See the [TSSA guide](guide) for more details.  To understand how we
+prioritize TSSAs, see [intake process](./intake-process.md).