Cloud Native Security Whitepaper v2 #747
Comments
PushkarJ
added
proposal
|
Seems like a lot of great metadata and organization tie in. What's the thinking on revising the content itself? (not suggesting just asking) Interested in helping potentially :) |
|
thanks for detailed info, Pushkar. I'm interested in contributing. |
|
Tagging myself as i'm interested in participating in this! |
Hey Chase, great to see you are interested to continue the work from v1. My thinking for revising the existing content itself is to update the content for brevity, remove mention of things that are deprecated in favor of new state of the art. Additionally, would love to cross link sections in #737 to each section in the whitepaper so folks can jump to implementation details or recommendation from a requirement as part of an engaging learning experience :) |
|
This sounds good @PushkarJ, I'm interested to join. |
|
Sounds good. Interested to join. |
|
Sounds good. Interested in contributing. |
|
revisit STAG leadership rep in January |
|
This issue has been automatically marked as inactive because it has not had recent activity. |
stale
bot
added
inactive
|
Our friendly bot, reminded me that it is time to start working on version 2!! I will bring this up in our weekly call tomorrow (11/03) and we can get started on this :) Excited 🎉 |
|
Perfect, please remind me to bring up some of the discussions we had with NIST around ideas to augment the whitepaper ! |
|
I am interested in helping on this @PushkarJ |
|
For the NIST SSDF mapping work, I would like to contribute as well. |
|
@PushkarJ I'm interested in helping with v2 |
PushkarJ
changed the title
|
I am interested in helping with this! |
|
@PushkarJ I am late to the party. Interested in helping out if you haven't maxed out on volunteers. |
|
No hard limit on contributors. So everyone is welcome!! |
|
Interested to help! |
|
Hi @PushkarJ, I'm interested in helping out with this. Just one suggestion: Can we use LaTeX for the paper instead of google docs? IMO it will produce a much better-looking and version-controlled whitepaper. WDYT? |
|
Hi All, Just added new dedicated issues that represent the deliverables for v2. Please check the description of this parent issue for more context. The issues with "Need Owner" prefix are the ones up for grabs. If you want to work on them, please add a comment on that particular issue so one of the Tech Leads / Chairs can assign it to you! There can be more than one assignee to the same issue as long as you all can collaborate and divide the work between yourselves :) As a reminder, we will reconvene meeting in Jan but don't let that stop you from making progress on them in an async manner. Also, its okay to make updates on a google doc or hackmd or wherever for your first draft. We will pull them all together into one place when we meet together!! Good luck and leave a comment if you have any questions. |
|
Interested in helping out as well! Best, |
|
Thank you @sayantani11 , @savitharaghunathan , @devadvocado , @faisalrazzak , @captainarcher , @mateuszpruchniak for raising your hand up to take ownership of the deliverable issues. Let's meet up in the upcoming week Jan 12, Wed, 9-9:45 AM PT to get together and discuss your progress and plans for completing these deliverables. Bring your questions and let's have some fun at work :) . If you want to add the meeting to your calendars, please click on this link. The meeting minutes and zoom details can be found here. NOTE: For others who are interested to contribute you are welcome to join as we always have more to do and help each other out! Leave a comment here or find me on CNCF slack (channel: #tag-security-whitepaper) if you have trouble joining the meeting! |
|
Thank you all for meeting today ❤️!! Please hop on over to slack and check out the next steps |
|
I made a comment on SSF RFC doc regarding the potential benefits of generating some kind of delta report in addition to SBOM itself in order to ease the effort to identify issues as they happen and components that cause them. The reason for this is that if one has a delta report, it would limit the no of components to work with as oppose to SBOMs with potentially thousands of components while working with issues. @lumjjb pointed this issue as a place to highlight the topic of delta report and I also found the cloud-native-security-whitepaper-v2 |
|
@fdegir go ahead and make your updates. Correct page number though would be 34-35 under supply chain security |
|
Thanks @PushkarJ. Added a new paragraph on page 35. |
|
Whitepaper v2 is now open for Public comment. RFC stage ends April 27 2022. You can find the paper for review here: https://docs.google.com/document/d/1fftLBt3XjDzyYQisEKH3TZXL1QnT_cHIbBnFtW98UOs/edit |
|
Left comments, rewrote parts of it, and hopefully improved it after an extensive review. Sorry, I was not aware this was being revised, I should have tried to join some calls but not enough time. |
|
@jkowall thank you so much for your generous updates and exhaustive read!! The paper is in better shape because of it :) |
|
@PushkarJ my pleasure, feel free to move me to author or reviewer. I am happy to take another look anytime or add sections as needed. |
|
@jkowall already added you as reviewer :) We are bit late in terms of timeline to add new content/section though but please open an issue (suggestion) with what you have in mind, so we don't lose track of it and can figure out which artifact (perhaps v3 of this paper) we could incorporate it in. |
|
Hi @PushkarJ, Thanks for the great work, just wanted to highlight an error inside the PDF https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf In the PDF figure 4 is a duplication of distribute whereas figure 4 should be Deploy figure 4 Thanks, Phillip |
|
@p0bailey sorry for the delayed response. You are absolutely right. The markdown seems to not have this discrepancy (anymore). So we will fix this in the next update to the PDF |
|
Closing this issue now with creation of #975 . Thank you all for the wonderful collaboration, contributions and camaraderie. Great opportunity to lead creation and publication of the next version for existing and new contributors. More details in the linked issue and I will be happy to chat more if anyone has more questions :) |
|
@PushkarJ thanks for the heads up. Looking forward to downloading the updated PDF. Great work! Phillip |
and others
Working draft (RFC ends April 27): https://docs.google.com/document/d/1fftLBt3XjDzyYQisEKH3TZXL1QnT_cHIbBnFtW98UOs/edit
Description
Original security whitepaper (#138) was published in Nov 2020, about 9 months ago. It is now time to update the paper and publish v2 by Kubecon EU 2022 (by which time paper will be 18 months old) to ensure the content stays relevant and useful.
Impact
Since publication of v1, Security TAG has made a lot of progress through ongoing work on several supplementary docs, websites, audio version, maps and other papers. In general, the security understanding of cloud native environments has also evolved with growing focus on ransomware and supply chain security. We have also received feedback on the paper's content and its distribution through cloud native security survey and retrospective.
Additionally, there have been several small updates in the repo, made to the original content that have improved the readability and quality of the paper. Bringing this all together merits publishing the second version, in accordance, with original goal of keeping the content always up to date.
Scope
Several tasks are in progress and there are some that would need further work
Tasks
Meta Deliverables:
Meta tasks:
Project Schedule
The text was updated successfully, but these errors were encountered: