[Proposal] Implementation Initiatives WG #1226

Closed · 2 of 18 tasks
eddie-knight opened this issue Jan 30, 2024 · 5 comments
Labels: proposal (common precursor to project, for discussion & scoping), triage-required (Requires triage)

Comments

eddie-knight commented Jan 30, 2024

Description

Problem

Currently there is little in the way of cross-initiative coordination & visibility for efforts such as Security Pals and Security Slam. This results in a loss of potential for several reasons. There is an inability to fully utilize interested parties and influencers from across the CNCF community, a low level of sharing lessons learned, and a lack of integration with other parts of CNCF.

Proposed Solution

Create the Implementation Initiatives Working Group, designed to support and coordinate any tangible efforts that interface directly with CNCF projects.

  • A minimum of two WG leads should be put in place to ensure ongoing success of the working group and alignment with TAG Security goals and recommendations.
    • [This is not to require multiple leads for every initiative]
  • The WG should maintain a list of qualifications and standards for implementation initiatives.
  • The WG should serve TAG Security by approving qualified initiatives, ensuring they follow the standards set forth by the community, and providing coordination across all efforts.
  • A weekly meeting should be created for the working group to share updates and make progress on each initiative, or for projects to come discuss their own initiatives.

Impact

Potential positive impacts:

  • By creating a structure to support and coordinate implementation initiatives, TAG Security will be able to exponentially increase the effectiveness of efforts by ensuring that common pitfalls are avoided and best practices can be developed over time.
  • By opening planning efforts to the TAG Security community, more individuals and institutions will have the ability to contribute to initiatives.
  • By formalizing structure, implementation initiatives can better coordinate with other CNCF groups such as events, end users, social media, ambassadors, and more.
  • By scheduling a recurring call, we will create a space for projects to seek input on their own efforts to implement TAG Security recommendations.

Potential negative impacts:

  • By opening implementation planning efforts to the TAG Security community, there is increased potential for bureaucratic overhead and dilution of focus.

Scope

In Scope:

  • Facilitation of efforts related to improving security hygiene or security documentation for CNCF projects.
  • Documentation of initiative qualifications, standards, pitfalls, and best practices.

Out of Scope:

  • Requests for TAG Security to make implementations to projects on their behalf.

Proposal Progress

Intent to lead:

  • I volunteer to be a project lead on this proposal if the community is interested in pursuing this work. This statement of intent does not preclude others from co-leading or becoming lead in my stead.

Proposal to Project:

  • Raised in a Security TAG meeting to determine interest - 1/31/2024
  • Collaborators comment on issue to determine interest and nominate project lead
  • Scope determined via meeting mm dd and/or shared document add link with call for participation in #tag-security slack channel thread add link and mailing list email add link
  • Scope presented to Security TAG leadership and Sponsor is assigned

TO DO

  • Security TAG Leadership Representative:
  • Project leader(s):
  • Issue is assigned to project leaders and Security TAG Leadership Representative
  • Project Members:
  • Fill in additional TODO items here so the project team and community can see progress!
  • Scope
  • Deliverable(s)
  • Project Schedule
  • Slack Channel (as needed)
  • Meeting Time & Day:
  • Meeting Notes (link)
  • Meeting Details (zoom or hangouts link)
  • Retrospective

eddie-knight commented Jan 31, 2024

Presented this on today's call, and heard concerns from @JustinCappos related to bureaucracy. Proposal support was expressed by @ragashreeshekar and @mlieberman85 for different reasons.

After chatting offline with @PushkarJ, I threw together this list of different initiatives that could benefit from increased visibility, coordination, and maintenance of best practices documentation:

@ArangoGutierrez commented:

/cc

@ragashreeshekar (Collaborator) commented:

Thanks for bringing this up @eddie-knight. This is a good idea, and I think it can help in following ways:

  • Self-managing sub-group leading the assessments, pals etc. wings of the STAG, expediting the contributions by reducing overhead of identifying, engaging and retaining contributors.
  • Point of contacts for collaborations outside of the STAG, particularly the projects, encouraging further collaborations.
  • Establish a community who could help each other through voluntary advisory capacity in implementing TAG security work/securing their cloud.

If the STAG community has enough interest and we choose to proceed with this working group, I'm happy to help/be the STAG rep.

@eddie-knight (Author) commented:

Interest has been communicated by @k8tgreenley from an events collaboration perspective, and @mlieberman85 regarding ad hoc project engagement for the implementation of security recommendations.

mnm678 commented Apr 16, 2024

Thanks for this proposal, and for bringing up these issues. I think we can address this with a combination of improving existing process, and short-term WGs.

Some ideas for process improvements:

  • Lessons learned: There is a process for a retrospective for TAG projects, which has not consistently been used. We can do better at following up with projects after completion, with a presentation in the general meeting and documentation of lessons learned.
  • Check-ins on current initiatives: It would be great if a lot of this discussion could go through the existing meeting so that all attendees can benefit and learn about initiatives. If it turns out there's too much to discuss in the general meeting, then we can circle back to creating a separate space for this.
  • Planning transparency: The co-chairs (me) could do a better job ensuring that the GitHub issues for projects stay up-to-date so that the community can find everything that's happening.

We could then have a light-weight, short-term WG for each initiative, which can check in at the general meeting for increased visibility.

eddie-knight closed this as not planned on Apr 24, 2024.