Security Slam 2023 Participation

[eddie-knight]

Hello capsule community!

In preparation for this year's Cloud Native Security Slam, we've completed a survey of CNCF end users across multiple industries, including Construction, Cybersecurity, Aerospace & Defense, Game Development & Consumer Services, Consulting, and Nuclear.

Through this survey, end users have identified their interest in seeing security improvements to the projects they use. We've asked them to share which Security Slam goals are most interesting to them— and we've compiled the results in a hope that this will help your prioritization during the upcoming event.

While some users have not authorized us to share their name, we've still included their responses in our calculation for you. We CAN tell you that the capsule responses included Epic Games.

After calculating the responses according to the interest-weight, we've found these to be the most interesting things that capsule end users would like to see, from the five possible Security Slam badges.

1. The Mechanizer
2. The Defender
3. The Cleaner

More information will be announced in the event kickoff webinar on October 10th, including how to register for cash & swag prizes, details about how success is measured, and resources to help achieve each of the badge goals.

If you can't make it to the webinar, a recording will be made available within 24hrs. It will be sent out to the community newsletter with any essential details you may have missed.

Join the community & sign up for the webinar here: https://community.cncf.io/cloud-native-security-slam/

---

A quick look at the 2023 Event Badges

The Chronicler

Ensure that security documentation has properly formatted data relating to software supply chain security decisions, including instructions for end users seeking to validate provenance artifacts.

The Inspector

Ensure that a security self-assessment has been completed according to TAG-Security documented standards.

The Cleaner

Bring all CLOMonitor non-security scores to 100% for the project, indirectly increasing overall supply chain security (Best Practices, Documentation, License, Legal).

The Defender

Ensure each project repo is accounted for within CLOMonitor; Ensure proper check set is assigned to each project repo; Bring security score to 100% for the project (This statistically decreases the future likelihood of vulnerabilities).

The Mechanizer

Ensure that every release has an automated mechanism to supply SBOM and provenance artifacts.

[prometherion]

Thanks @eddie-knight for letting us know, I signed up for the event and look forward to it.

[oliverbaehler]

Me too :)

[maxgio92]

+1 as contributor

[oliverbaehler]

HI @eddie-knight, in regards to the security slam we are also updating our documentation. If we wanted a domain like capsule.io, do we have to pay for the domain by ourselves?

[eddie-knight]

I don't believe so... but I've reached out to see if we can get someone from the CNCF projects team to answer this

[nate-double-u]

Hi, CNCF Projects can request domains through the CNCF Service Desk.

(Edit to more directly answer the question: the CNCF provides domains and the Projects don't need to worry about paying for them).

[oliverbaehler]

Thanks @nate-double-u ! :)

[oliverbaehler]

Hi @eddie-knight, we are getting to. a 100%.

I have added the following for the insights:
https://github.com/projectcapsule/capsule/blob/main/SECURITY-INSIGHTS.yml#L41

But we need references to a dependency policy. It's not really clear to me what we are looking for there...
Also the spec (https://github.com/ossf/security-insights-spec/blob/v1.0.0/specification.md) does not really help me further.

What's a env-dependencies-policy? Does that address other projects which are needed or used to run capsule (eg. cert-manager)? Is it supposed to markdown or some generated format? I am a bite lost here :D

[luigigubello]

Hi @oliverbaehler 👋

Thanks for your answers - they are good feedback for the security insights project :) I try to answer:

env-dependencies-policy should be a policy - or a guideline - that explains how project developers and maintainers manage the dependencies they use, both dev dependencies and project dependencies. Probably dependencies-management is a more appropriate nomenclature. Example: https://cloud.google.com/software-supply-chain-security/docs/dependencies?hl=en
The document should help to know if the project has tools and procedures to mitigate local environmental risks (e.g. typosquatting, etc).

[eddie-knight]

Thanks @luigigubello!

[oliverbaehler]

@eddie-knight We are happy to share, that capsule reached 100 overall score in CLOMonitor:
https://clomonitor.io/projects/cncf/capsule

I am not sure if we have to perform further steps or if we are eligible for any of the badges :).

Anyway, thanks for the opportunity to increase the security of our projects. We have refactored most of the Action Workflows. I have regained trust in our testing and delivery approaches, due to the refactoring. We also replicated these changes to our slim-code repository :).

So Thanks, we are done for now! :D

[eddie-knight]

Awesome!!

[oliverbaehler]

HI @eddie-knight, regarding this:

We CAN tell you that the capsule responses included Epic Games

Since we have delivered, Epic Games could add themselves as adopters:

https://github.com/projectcapsule/capsule/blob/main/ADOPTERS.md

This would help the project gaining traction. Especially, with such a big player. WDYT?

[eddie-knight]

I've forwarded the request to my contact at Epic. Fingers crossed!