TAG Security and Compliance
TAG Security and Compliance addresses security and compliance concerns in cloud native systems through best practices, assessments, tooling, policy-as-code, threat modeling, and secure software supply chain practices.
Mission Statement
Security Hygiene, Policy-as-Code, Compliance, Auditing, Threat Modeling, Secure Software Supply Chain
Leadership
Chairs
| Name | GitHub | Organization | Term |
|---|---|---|---|
| Evan Anderson | @evankanderson | Custcodian | 2025-07-01 to 2026-06-30 |
| John Kjell | @jkjell | Control-Plane.io | 2025-07-02 to 2027-06-30 |
| Marina Moore | @mnm678 | Edera | 2025-07-01 to 2027-06-30 |
Tech Leads
| Name | GitHub | Organization | Term |
|---|---|---|---|
| Brandt Keller | @brandtkeller | Defense Unicorns | 2025-07-02 to 2026-06-30 |
| Eddie Knight | @eddie-knight | Sonatype | 2025-07-01 to 2026-06-30 |
| Jennifer Power | @jpower432 | Red Hat | 2025-07-02 to 2026-06-30 |
| Justin Cappos | @JustinCappos | New York University | 2025-07-02 to 2027-06-30 |
| Michael Lieberman | @mlieberman85 | Kusari | 2025-07-02 to 2026-06-30 |
| Yoshiyuki Tabata | @y-tabata | Hitachi | 2025-07-02 to 2026-06-30 |
TOC Liaisons
- Faseela K (@kfaseela)
- Jeremy Rickard (@jeremyrickard)
Meetings
TAG Security and Compliance Meetings
- Calendar: View and join meetings
- Recordings: YouTube Channel
All meetings are open to the public. No registration required - simply join the meeting from the calendar link.
Communication Channels
Slack
Join the CNCF Slack workspace and connect with the TAG:
- Channel: #tag-security-and-compliance
- CNCF Slack Invite: slack.cncf.io
Mailing List
- Subscribe: cncf-tag-security-and-compliance
- Use for announcements, discussions, and coordination
Focus Areas
TAG Security and Compliance works on several key security domains:
Security Hygiene
Best practices for maintaining secure cloud native systems:
- Security Posture: Assessing and improving security baseline
- Vulnerability Management: Identifying and remediating vulnerabilities
- Patch Management: Keeping systems updated and secure
- Configuration Security: Hardening configurations across the stack
- Access Control: Identity, authentication, and authorization
Policy-as-Code
Defining and enforcing policies programmatically:
- Policy Languages: OPA/Rego, Kyverno, and other policy frameworks
- Admission Control: Enforcing policies at deployment time
- Runtime Policies: Enforcing policies during execution
- Policy Libraries: Reusable policy templates and best practices
- Policy Testing: Validating policies before deployment
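As an added illustration of the admission-control and policy-testing points above (example code, not TAG or CNCF code, and not a published policy library), the block below encodes a small pod-hardening baseline as plain Python rules, evaluates two constructed Pod manifests against it, and runs the rule set against fixtures with known expected outcomes before it would ever be wired into a cluster. The rule set itself, the image registry name and the digest values are assumptions chosen for the example; a production deployment would express the same rules in OPA/Rego or Kyverno and enforce them through an admission webhook.

```python
"""Admission-style policy checks over Kubernetes Pod manifests.

Added illustration for the Policy-as-Code focus area; not TAG or CNCF code.
The manifests below are constructed fixtures and the rule set is an assumed
example baseline, not a published CNCF policy library.
"""
import re
from typing import Callable, Dict, List

Manifest = Dict
Rule = Callable[[Manifest], List[str]]

# Images must be pinned to an immutable digest, e.g. repo/app@sha256:<64 hex>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def _containers(pod: Manifest) -> List[Dict]:
    """Init containers count too; they run with the same node privileges."""
    spec = pod.get("spec", {})
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def rule_no_privileged(pod: Manifest) -> List[str]:
    """Deny containers that request privileged mode."""
    return [
        f"container {c.get('name')!r} is privileged"
        for c in _containers(pod)
        if c.get("securityContext", {}).get("privileged") is True
    ]


def rule_digest_pinned(pod: Manifest) -> List[str]:
    """Require every image reference to carry a sha256 digest, not a mutable tag."""
    return [
        f"container {c.get('name')!r} image {c.get('image')!r} is not digest-pinned"
        for c in _containers(pod)
        if not DIGEST_RE.search(c.get("image", ""))
    ]


def rule_no_host_namespaces(pod: Manifest) -> List[str]:
    """Deny sharing the node's PID, IPC or network namespaces."""
    spec = pod.get("spec", {})
    return [f"spec.{k} is true" for k in ("hostPID", "hostIPC", "hostNetwork") if spec.get(k) is True]


def rule_run_as_non_root(pod: Manifest) -> List[str]:
    """Require runAsNonRoot at pod level or on every container."""
    pod_level = pod.get("spec", {}).get("securityContext", {}).get("runAsNonRoot") is True
    return [
        f"container {c.get('name')!r} does not set runAsNonRoot"
        for c in _containers(pod)
        if not pod_level and c.get("securityContext", {}).get("runAsNonRoot") is not True
    ]


RULES: List[Rule] = [rule_no_privileged, rule_digest_pinned, rule_no_host_namespaces, rule_run_as_non_root]


def evaluate(pod: Manifest, rules=RULES) -> List[str]:
    """Run every rule; an empty list means the pod is admitted."""
    violations: List[str] = []
    for rule in rules:
        violations.extend(rule(pod))
    return violations


# Constructed fixtures (assumed registry name and digest) for testing the rules
# before they are enforced in a cluster.
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web",
            "image": "registry.example/web@sha256:" + "a" * 64,
            "securityContext": {"privileged": False},
        }],
    },
}

BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "shell",
            "image": "registry.example/tools:latest",
            "securityContext": {"privileged": True},
        }],
    },
}


def policy_test_suite() -> bool:
    """Policy testing: the rule set must admit GOOD_POD and raise four findings on BAD_POD."""
    expectations = ((GOOD_POD, 0), (BAD_POD, 4))
    return all(len(evaluate(pod)) == n for pod, n in expectations)


if __name__ == "__main__":
    for name, pod in (("web", GOOD_POD), ("debug", BAD_POD)):
        result = evaluate(pod)
        print(name, "ADMIT" if not result else "DENY", result)
    print("policy tests pass:", policy_test_suite())
```

Each rule returns a list of findings rather than a boolean so that a denied request reports every violation at once, which is what an admission webhook response should carry back to the user; the fixture suite is the "validate before deployment" step, and a rule change that admits BAD_POD or denies GOOD_POD fails it.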
Compliance
Meeting regulatory and industry requirements:
- Compliance Frameworks: NIST, PCI DSS, HIPAA, SOC 2, etc.
- Compliance Automation: Automated compliance checking and reporting
- Audit Trails: Maintaining comprehensive audit logs
- Compliance as Code: Managing compliance requirements programmatically
- Continuous Compliance: Ongoing compliance monitoring
Auditing
Monitoring and recording security-relevant activities:
- Audit Logging: Comprehensive logging of security events
- Log Analysis: Detecting anomalies and security incidents
- Forensics: Investigating security incidents
- Compliance Audits: Supporting external audit requirements
- Audit Tools: Tooling for audit collection and analysis
Threat Modeling
Identifying and mitigating security threats:
- Attack Surface Analysis: Understanding potential attack vectors
- Threat Intelligence: Staying informed about emerging threats
- Risk Assessment: Evaluating and prioritizing security risks
- Mitigation Strategies: Implementing controls to reduce risks
- Security Architecture: Designing secure systems from the ground up
Secure Software Supply Chain
Protecting the software supply chain:
- SBOM: Software Bill of Materials generation and management
- Artifact Signing: Cryptographic signing of software artifacts
- Provenance: Tracking the origin and build process of software
- Dependency Security: Managing third-party dependencies securely
- Build Security: Securing the software build pipeline
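As an added illustration of how the SBOM, provenance and artifact-integrity points above fit together at verification time (example code, not TAG or CNCF code), the block below hashes a constructed release artifact and checks it against a minimal CycloneDX-style component entry and a minimal in-toto Statement carrying a SLSA provenance predicate, then confirms the recorded builder identity is on an allow-list. The artifact bytes, file name, builder URL and trusted-builder set are assumptions for the example, and signature verification of the provenance envelope (for instance with Sigstore) is assumed to have succeeded beforehand; without that step the statement's contents cannot be trusted, and these digest comparisons only establish that the artifact in hand is the one the SBOM and provenance describe.

```python
"""Integrity checks that tie a build artifact to its SBOM and provenance.

Added illustration for the Secure Software Supply Chain focus area; not TAG
or CNCF code. The artifact, SBOM and provenance statement are constructed
fixtures. Signature verification of the provenance envelope (e.g. with
Sigstore/cosign) is assumed to have already succeeded and is out of scope;
these checks only compare digests and the builder identity.
"""
import hashlib
import json
from typing import Dict, List

# Constructed artifact; in practice this is the container image or release tarball.
ARTIFACT = b"binary payload of release 1.2.3\n"
ARTIFACT_NAME = "app-1.2.3.tar.gz"
SLSA_V1 = "https://slsa.dev/provenance/v1"
# Assumed allow-list of builder identities (hypothetical workflow URL).
TRUSTED_BUILDERS = {"https://github.com/example-org/build-workflow/.github/workflows/release.yml"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_fixtures(artifact: bytes = ARTIFACT) -> Dict[str, dict]:
    """Build a minimal CycloneDX-style component and an in-toto Statement for the artifact."""
    digest = sha256_hex(artifact)
    sbom = {
        "bomFormat": "CycloneDX",
        "components": [{"name": ARTIFACT_NAME, "hashes": [{"alg": "SHA-256", "content": digest}]}],
    }
    provenance = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": ARTIFACT_NAME, "digest": {"sha256": digest}}],
        "predicateType": SLSA_V1,
        "predicate": {"runDetails": {"builder": {"id": next(iter(TRUSTED_BUILDERS))}}},
    }
    return {"sbom": sbom, "provenance": provenance}


def verify_artifact(artifact: bytes, sbom: dict, provenance: dict, trusted=TRUSTED_BUILDERS) -> List[str]:
    """Return a list of failures; an empty list means artifact, SBOM and provenance agree."""
    failures: List[str] = []
    actual = sha256_hex(artifact)

    # SBOM: the component for this artifact must record the digest we computed.
    recorded = [
        h.get("content", "").lower()
        for c in sbom.get("components", []) if c.get("name") == ARTIFACT_NAME
        for h in c.get("hashes", []) if h.get("alg") == "SHA-256"
    ]
    if actual not in recorded:
        failures.append("sbom: no SHA-256 entry matches the artifact")

    # Provenance: the artifact must be a subject of the statement, with the expected predicate.
    subjects = [s for s in provenance.get("subject", [])
                if s.get("digest", {}).get("sha256", "").lower() == actual]
    if not subjects:
        failures.append("provenance: artifact digest is not a statement subject")
    if provenance.get("predicateType") != SLSA_V1:
        failures.append("provenance: unexpected predicateType")

    # Builder identity: only builds from an allow-listed builder are accepted.
    builder = provenance.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted:
        failures.append(f"provenance: builder {builder!r} is not trusted")
    return failures


if __name__ == "__main__":
    fx = make_fixtures()
    print(json.dumps(fx["provenance"], indent=2))
    print("clean artifact:", verify_artifact(ARTIFACT, fx["sbom"], fx["provenance"]))
    print("tampered artifact:", verify_artifact(ARTIFACT + b"x", fx["sbom"], fx["provenance"]))
```

A tampered artifact fails both the SBOM and the provenance-subject checks at once, because both documents pin the same digest; a provenance statement from an unknown builder fails even when the digest matches, which is the point of checking builder identity rather than digest alone.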
Subprojects
Security Assessments
The Security Assessments subproject conducts comprehensive security reviews of CNCF projects.
- Project Reviews: In-depth security assessments
- Self-Assessments: Helping projects assess their own security
- Threat Modeling: Identifying project-specific threats
- Recommendations: Actionable security improvements
Learn more about Security Assessments
Initiatives
View current and past initiatives.
Publications
TAG Security and Compliance produces various publications to help the community:
- White Papers: In-depth security guidance
- Security Lexicon: Common security terminology
- Best Practices: Security best practices for cloud native
- Catalog: Comprehensive security resources
Getting Involved
We welcome contributions from anyone interested in cloud native security:
Attend Meetings
Join our regular meetings to hear about ongoing work and participate in discussions. Check the meeting calendar for details.
Contribute to Initiatives
Browse active initiatives and volunteer to help with specific deliverables.
Security Assessments
Help conduct security assessments of CNCF projects:
- Join assessment teams
- Review security documentation
- Contribute threat models
- Provide security expertise
Share Your Experience
- Present security use cases or lessons learned at TAG meetings
- Write blog posts about security practices and implementations
- Contribute to white papers and best practices documents
Join the Conversation
- Participate in Slack discussions
- Engage on the mailing list
- Comment on GitHub issues in the TOC repository
Resources
Related TAGs
- TAG Infrastructure - Infrastructure security
- TAG Operational Resilience - Security operations
- TAG Developer Experience - Secure development practices
Related Technical Community Groups
- Software Supply Chain Security TCG - Focused supply chain security discussions