# TAG Security and Compliance

TAG Security and Compliance addresses security and compliance concerns in cloud native systems through best practices, assessments, tooling, policy-as-code, threat modeling, and secure software supply chain practices.

## Mission Statement

Security Hygiene, Policy-as-Code, Compliance, Auditing, Threat Modeling, Secure Software Supply Chain

## Leadership

### Chairs

| Name | GitHub | Organization | Term |
| --- | --- | --- | --- |
| Evan Anderson | @evankanderson | Custcodian | 2025-07-01 to 2026-06-30 |
| John Kjell | @jkjell | Control-Plane.io | 2025-07-02 to 2027-06-30 |
| Marina Moore | @mnm678 | Edera | 2025-07-01 to 2027-06-30 |
### Tech Leads

| Name | GitHub | Organization | Term |
| --- | --- | --- | --- |
| Brandt Keller | @brandtkeller | Defense Unicorns | 2025-07-02 to 2026-06-30 |
| Eddie Knight | @eddie-knight | Sonatype | 2025-07-01 to 2026-06-30 |
| Jennifer Power | @jpower432 | Red Hat | 2025-07-02 to 2026-06-30 |
| Justin Cappos | @JustinCappos | New York University | 2025-07-02 to 2027-06-30 |
| Michael Lieberman | @mlieberman85 | Kusari | 2025-07-02 to 2026-06-30 |
| Yoshiyuki Tabata | @y-tabata | Hitachi | 2025-07-02 to 2026-06-30 |
### TOC Liaisons
- Faseela K (@kfaseela)
- Jeremy Rickard (@jeremyrickard)
## Meetings
TAG Security and Compliance Meetings
- Calendar: View and join meetings
- Recordings: YouTube Channel
All meetings are open to the public. No registration required - simply join the meeting from the calendar link.
## Communication Channels

### Slack
Join the CNCF Slack workspace and connect with the TAG:
- Channel: #tag-security-and-compliance
- CNCF Slack Invite: slack.cncf.io
### Mailing List
- Subscribe: cncf-tag-security-and-compliance
- Use for announcements, discussions, and coordination
## Focus Areas
TAG Security and Compliance works on several key security domains:
### Security Hygiene
Best practices for maintaining secure cloud native systems:
- Security Posture: Assessing and improving security baseline
- Vulnerability Management: Identifying and remediating vulnerabilities
- Patch Management: Keeping systems updated and secure
- Configuration Security: Hardening configurations across the stack
- Access Control: Identity, authentication, and authorization
### Policy-as-Code
Defining and enforcing policies programmatically:
- Policy Languages: OPA/Rego, Kyverno, and other policy frameworks
- Admission Control: Enforcing policies at deployment time
- Runtime Policies: Enforcing policies during execution
- Policy Libraries: Reusable policy templates and best practices
- Policy Testing: Validating policies before deployment
### Compliance
Meeting regulatory and industry requirements:
- Compliance Frameworks: NIST, PCI-DSS, HIPAA, SOC2, etc.
- Compliance Automation: Automated compliance checking and reporting
- Audit Trails: Maintaining comprehensive audit logs
- Compliance as Code: Managing compliance requirements programmatically
- Continuous Compliance: Ongoing compliance monitoring
### Auditing
Monitoring and recording security-relevant activities:
- Audit Logging: Comprehensive logging of security events
- Log Analysis: Detecting anomalies and security incidents
- Forensics: Investigating security incidents
- Compliance Audits: Supporting external audit requirements
- Audit Tools: Tooling for audit collection and analysis
### Threat Modeling
Identifying and mitigating security threats:
- Attack Surface Analysis: Understanding potential attack vectors
- Threat Intelligence: Staying informed about emerging threats
- Risk Assessment: Evaluating and prioritizing security risks
- Mitigation Strategies: Implementing controls to reduce risks
- Security Architecture: Designing secure systems from the ground up
### Secure Software Supply Chain
Protecting the software supply chain:
- SBOM: Software Bill of Materials generation and management
- Artifact Signing: Cryptographic signing of software artifacts
- Provenance: Tracking the origin and build process of software
- Dependency Security: Managing third-party dependencies securely
- Build Security: Securing the software build pipeline
## Subprojects

### Security Assessments
The Security Assessments subproject conducts comprehensive security reviews of CNCF projects.
- Project Reviews: In-depth security assessments
- Self-Assessments: Helping projects assess their own security
- Threat Modeling: Identifying project-specific threats
- Recommendations: Actionable security improvements
Learn more about Security Assessments
## Initiatives
View current and past initiatives:
## Publications
TAG Security and Compliance produces various publications to help the community:
- White Papers: In-depth security guidance
- Security Lexicon: Common security terminology
- Best Practices: Security best practices for cloud native
- Catalog: Comprehensive security resources
## Getting Involved
We welcome contributions from anyone interested in cloud native security:
### Attend Meetings
Join our regular meetings to hear about ongoing work and participate in discussions. Check the meeting calendar for details.
### Contribute to Initiatives
Browse active initiatives and volunteer to help with specific deliverables.
### Security Assessments
Help conduct security assessments of CNCF projects:
- Join assessment teams
- Review security documentation
- Contribute threat models
- Provide security expertise
### Share Your Experience
- Present security use cases or lessons learned at TAG meetings
- Write blog posts about security practices and implementations
- Contribute to white papers and best practices documents
### Join the Conversation
- Participate in Slack discussions
- Engage on the mailing list
- Comment on GitHub issues in the TOC repository
## Resources

### Related TAGs
- TAG Infrastructure - Infrastructure security
- TAG Operational Resilience - Security operations
- TAG Developer Experience - Secure development practices
### Related Technical Community Groups
- Software Supply Chain Security TCG - Focused supply chain security discussions