Cloud Native Security Controls Catalog (Phase I) #635
👍 This seems like some of the most practical output the group could create. I am interested in being part of this effort. Small thought that maybe mapping to CSA CCM 4.0 is an option, as it's meant to map to existing frameworks already.
I'm not quite clear where this bullet fits in here. Want to make a clarification on this: is this a catalog of resources that will assist in the mapping, or is the scope to do the actual mapping itself? My concern is that a lot of the mapping is already done by companies and vendors, and really it is a full-time job for multiple teams, so I just want to make sure we appropriately scope this.
That's a great idea, and presents a situation where organizations can attest to adhering to the best-practices guidance, tied to specific control identifiers. I would be interested in helping with this activity, and I think it would make both the CNSWP & SSCSP more actionable and tangible to those within the security community, by tying them to frameworks they are both familiar with and regularly utilize. It would likely amplify the use/reference of CNSWP and SSCSP within the industry.
Several existing commercial and non-commercial mappings to CSF/NIST/GDPR/SOX, etc. exist. Many of the controls in those frameworks are high level and lack granularity for cloud native practices and models. This is not an attempt to remap them, but to establish a specific, granular catalog of cloud native security controls that relate to those existing mappings. Example: NIST 800-53 SA-10 Developer configuration management is too broad and too general. Controls in the CNSWP related to this (and other controls) of actionable granularity are "Test suites follow the test pyramid" and "Test suites are updated against new and emerging threats and developed into security regression tests".
As a potential opportunity, some items recommended in either CNSWP or SSCSP could be integrated into the existing security review process to provide more structure to the manner by which reviews are performed (specific things to look for).
Love this!
I'm curious for thoughts on how #496 ties in here. The traffic on #496 seems to imply that there are tools to do the security scanning for CNCF projects, but coupling that here with mappings to various control sets like NIST would be sooo huge. I'd be very happy to help contribute to the automated mappings/outputs.
#496 definitely ties in here. This is on the agenda for discussion Wednesday, May 26th. If you can make it, great! I have an initial control catalog here: https://github.com/TheFoxAtWork/tag-security/tree/cns-control-catalog/cns-implementations
I would like to contribute to this effort.
I would like to contribute as well. Thanks.
Please include me on these conversations. Thank you.
@alexbarbato please be sure to join the slack workspace so we can collab on this: https://cloud-native.slack.com/archives/CDJ7MLT8S
Coordination convo tomorrow for anyone interested 😄 Details here: https://docs.google.com/document/d/10eY_ICglcI5HxYFwUNpEW9Zk_HLoVbYex7OCNraAKe0/edit?usp=sharing
I would like to contribute to this. Please count me in.
Thanks.
Best Regards,
Hari.
On 30. May 2021, at 20:28, Alex Barbato ***@***.***> wrote:
Coordination convo tomorrow for anyone interested 😄
Details here: https://docs.google.com/document/d/10eY_ICglcI5HxYFwUNpEW9Zk_HLoVbYex7OCNraAKe0/edit?usp=sharing
I would like to contribute to this effort as well. I also agree with Emily that we need to provide granular guidance on controls; specific details are important. A high-level, generic set of controls leaves it open to interpretation by individuals. Thank you
Just an FYI that today is a holiday in the US and UK (Memorial Day and Spring Bank Holiday respectively), so a lot of people interested may not be able to participate.
No worries. There will be more opportunities for people to participate in the future!
Had a great meeting tonight with @chughes29, @pratiklotia, @fkautz, and myself where we spoke about scope and way forward. Meeting notes and almost all async collaboration exist in this google doc until something is PR'able - https://docs.google.com/document/d/10eY_ICglcI5HxYFwUNpEW9Zk_HLoVbYex7OCNraAKe0/edit#
NOTE: Most of the wording below is heavily stolen from @TheFoxAtWork's initial pass - https://github.com/TheFoxAtWork/tag-security/tree/cns-control-catalog/cns-implementations
Scope
The biggest thing to note about our scope here is that we would like to de-prioritize everything but making the initial controls list for now. All of the other proposed in-scope items seem massively valuable, but we want to try to tackle the smallest slice possible.
Deliverables
Short term: (1 week)
Long term:
Meetings / Going forward
Mondays at 8PM EST for a month (Zoom in google doc)
Ideally we will be through the heavy lifting of getting the catalog together in June and start to potentially look at all the other proposed scope items! Please don't hesitate to reach out with any comments, questions, concerns, or words of advice.
This is an awesome effort team! Nice work pulling this in @alexbarbato!
I've added a new "Controls Catalog" -> "Schema" section with an attempt to make a schema by which we can make the initial controls catalog and evolve it. It is heavily inspired by @TheFoxAtWork's initial pass and I've tried to be quite opinionated so as to give people something to react to! Please leave feedback in the form of comments or suggestions in the Google Doc. In the case that I've botched the sharing, please just @ me and I'll try to fix it! Thanks so much for everyone's feedback here :D
Had another meeting tonight, thanks to those that attended! Updates -
I would like to contribute to this.
I am interested and can help with use cases for support of audit, assurance (because it's also "continuous") and metadata flow. Also a potential parallel thread with OSCAL.
Folks - due to time constraints and commitments, Chris and Alex will be taking a back seat and Jon has volunteered to step in as project lead to continue this. Thanks everyone!
Hello! I'm Greg Blana, and I would like to participate and contribute in this activity.
Hi @gcblana, welcome! Please jump into the #tag-security-controls channel on the CNCF slack (you can invite yourself here if needed); I am planning to send out a poll soon to revitalize this project. @TheFoxAtWork can you please add @ak-secops, @knowlengr, and @gcblana to the project members? Thanks!
@TheFoxAtWork can you update the meeting link above to be https://meet.google.com/qyi-vmey-fvi and the meeting time to Tuesdays, 6p ET/3p PT? Thanks! CC: @chasemp, @achetal01, @pratiklotia, @fkautz, @Harrysk, @alexbarbato, @chughes29, @ak-secops, @knowlengr, and @gcblana
@achetal01 you've been doing more on this. Do you want to take on STAG rep for this or remain as contributor? Either is fine, just wanted to check in with you.
Emily, sure, happy to run with it.
@TheFoxAtWork can you please update the Meeting Hangouts Link to https://meet.google.com/gqv-hfuw-von and the meeting time to Wednesdays at 6pm Eastern please? Thanks!
@achetal01 / @TheFoxAtWork can you please update the Meeting Hangouts Link to https://meet.google.com/gqv-hfuw-von and the meeting time to Wednesdays at 6pm Eastern please? Thanks!
From discussion with CSA 12/10/2021 - we'd like to share the existing controls we've been working on with CSA to potentially assist in CCM v.x but also provide implementation-specific information unique to the cloud native space. Further - this working group should document the decisions and intent behind how we are reasoning about the controls and implementation, to better assist users of the controls as to why we have done things, but also to assist potential collaborative groups with reviewing our content.
Jon and Security Controls WG Members, hello. I will schedule a joint meeting with the CSA CCM team for the Security Controls WG to have an initial discussion in January. We can have an exchange of ideas and then define goals for this joint effort as well as logistics etc. Hopefully we will have the MOU in place by then. Thank You.
We had a discussion around this project in the Chairs meeting today. We discussed that the goal is to complete these current mappings to the Cloud Native Security Whitepaper and close this project and issue. For Phase 2, I'm creating a new issue; we will get started on mapping the controls after this issue is closed. Thank you
The new issue for Phase II is #845
@TheFoxAtWork We moved to biweekly Wednesday meetings; the next meeting is Feb 16. Can you please update the original post, including the below new Google Meet link? Thanks!
Project update: We have an initial listing of controls here from v1 of the Software Supply Chain Security Paper and v1 of the Cloud Native Security Whitepaper, including a partial NIST SP800-53r5 mapping, and implementation details. We are working through the final implementation details/context to add to the spreadsheet and the 800-53 mapping. When that is complete, Phase 1/this issue should be ready for TAG-Security review.
@achetal01 @lumjjb @TheFoxAtWork this is nearly ready for review from the rest of Security TAG (expected this week). I won't be able to attend the Security TAG meeting tomorrow, so I was wondering if there's a process to make that review request? I am going to post in #tag-security-controls to see if any of the other team members will be at the meeting tomorrow and can provide a verbal update there as well.
Description: Creation of a granular cloud native security controls catalog that includes items from the CNSWP & SSCSP. First effort for the Audit/GRC/reasoning card on the Roadmap & planning for 2021-2022
Impact: This catalog may be leveraged by end users and the community to improve the auditability of cloud native architectures against regulatory compliance and industry best practices. The controls should be specific and actionable to engineers, not high level.
Scope: Current scope is defined based on the Monday May 31st meeting:
Future Scope - The following items would potentially be in scope of this large project and may likely need to be broken into separate areas:
TO DO
STAG leader sponsor - @achetal01
Project Lead(s) - @JonZeolla
Project Members: @chasemp, @achetal01, @pratiklotia, @fkautz, @Harrysk, @alexbarbato & @chughes29
Scope
Deliverable - Initial Catalog
Schedule
Channel: #tag-security-controls
Meeting time - bi-weekly Wednesdays (2/16/22), 6p ET/3p PT
Ongoing notes
Meeting Hangouts Link