
Cloud Native Top 10 #1051

Open
5 of 15 tasks
jcchavezs opened this issue Mar 15, 2023 · 14 comments
Labels
project work of the group

Comments

@jcchavezs
Contributor

jcchavezs commented Mar 15, 2023

With increased adoption of cloud native technologies, it is important to minimise risks. Certain types of configuration risks (or the lack thereof) are more common than others. There is a need to have a standard awareness document which can be referenced by cloud native professionals and which represents a broad consensus about the most critical security risks. So far, the OWASP Top 10 has been widely used for awareness about web application risks. CNCF will be the right place to host a top 10 of risks for cloud native technologies such as Istio mesh, which has gained more adoption in the industry.

TO DO:

Draft scope:

This paper is intended to provide the community with a list of the top 10 Istio mesh configuration risks, with a detailed example of what each risk looks like and how to come up with a secure configuration. It aims to provide an awareness document for organisations to identify the top risks that they should focus on.

@jcchavezs jcchavezs added proposal common precursor to project, for discussion & scoping triage-required Requires triage labels Mar 15, 2023
@matthewflannery
Contributor

This is an awesome idea! Happy to help.

@szh
Contributor

szh commented Mar 15, 2023

There may be some overlap with existing OWASP Top Ten projects such as the OWASP Cloud Native Application Top Ten (seems to be in draft form still) and the Kubernetes Top Ten (a bit more mature).

@jmbmxer

jmbmxer commented Mar 21, 2023

I propose that we fold a rendition of the Kubernetes Top Ten into this proposal as a broader "Cloud Native Top Ten Security Risks" project. I am willing to port over and expand upon a reference for Kubernetes as well. Some of this was initially sparked by a post on LinkedIn suggesting that the CNCF could be a good place for these types of materials.

@rashmin-maker

That's a good idea. Over time, we have had a few challenges with service configurations and inconsistencies in documentation and/or our use cases. Would be happy to help.

@jcchavezs
Contributor Author

jcchavezs commented Mar 24, 2023

Awesome @matthewflannery and @rashmin-maker, I suggest you come by the #tag-security-top-ten Slack channel in cloud-native.slack.com to bootstrap the structure.

@jcchavezs jcchavezs changed the title Istio/Service mesh Top 10 Cloud Native Top 10 Mar 31, 2023
@jcchavezs
Contributor Author

A Doodle is out to set the bi-weekly meetings: https://doodle.com/meeting/participate/id/b27x88Nd

@ossfellow

Hey folks, has a regular cadence for the meeting been selected? I'd like to participate and get involved.

@PushkarJ
Collaborator

Great initiative!!! Please see how we can refer to or reconcile with https://github.com/cncf/tag-security/blob/main/security-whitepaper/secure-defaults-cloud-native-8.md when working on this.

@anvega
Collaborator

anvega commented Jun 21, 2023

@jcchavezs I left a message in #tag-security-top-ten inquiring about the status of this project. Whenever you have time, it'd be great if you could also update here on where things are and whether you need help from other contributors to complete this.

@kevsecops

Really great idea. I am happy to help out here.

@stale

stale bot commented Sep 17, 2023

This issue has been automatically marked as inactive because it has not had recent activity.

@stale stale bot added the inactive No activity on issue/PR label Sep 17, 2023
@PushkarJ PushkarJ added this to New Proposals in Roadmap 2024 Jan 19, 2024
@PushkarJ PushkarJ added project work of the group and removed proposal common precursor to project, for discussion & scoping inactive No activity on issue/PR triage-required Requires triage labels Jan 29, 2024
@PushkarJ PushkarJ moved this from New Proposals to Evaluated Proposals in Roadmap 2024 Jan 29, 2024
@PushkarJ
Collaborator

@jcchavezs @jmbmxer is this still active? What help do you need from the TAG Security leads to make this a success?

@jcchavezs
Contributor Author

Hi @PushkarJ, I am sorry I did not come back to you. Yeah, indeed this is still an ongoing effort, mainly on my side, but I have been juggling many balls for a while; now there is some stability so I can come back to it. This is indeed something that is evolving over time (I have been updating the talks I give about the topic over time), and what TAG Security could help with here is promoting the request for collaborators. In the next two weeks I will revamp the document and call for contributors.

@PushkarJ
Collaborator

PushkarJ commented May 2, 2024

Thanks for your reply! @jcchavezs sounds like a really hectic last few weeks for you! Glad you are back at it now :)

Please feel free to share the document when it is ready here, on slack and in our regular weekly meetings 🙌🏼
