-
Notifications
You must be signed in to change notification settings - Fork 514
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
...of security pals retrospective Signed-off-by: John Kinsella <[email protected]>
- Loading branch information
Showing
2 changed files
with
77 additions
and
0 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
| --- | ||
| marp: true | ||
| title: TAG Security - Security Pals Retrospective | ||
| description: A retrospective of the Security Pals project | ||
| theme: gaia | ||
| transition: fade | ||
| paginate: true | ||
| _paginate: false | ||
| --- | ||
| # <!--fit--> TAG Security - Security Pals Retrospective | ||
| --- | ||
| <!-- backgroundImage: "linear-gradient(to bottom, #f7f8e3, #b2b2b2)" --> | ||
| # Pilot Concept | ||
|
|
||
| * For early-stage CNCF projects, can we provide a helping security hand? | ||
| * Details for the nerds: https://github.com/cncf/tag-security/issues/554 | ||
|
|
||
| --- | ||
|  | ||
|
|
||
| --- | ||
|
|
||
| # Projects | ||
|
|
||
| * Tinkerbell | ||
| * Kyverno | ||
| * Crossplane | ||
| * Artifact Hub | ||
| * Argo | ||
|
|
||
| --- | ||
|
|
||
| # Initial Reactions | ||
| * Generally positive | ||
| * "What do you want?" | ||
| * Questions about CNCF | ||
| * "Where do we start?" | ||
|
|
||
| --- | ||
| # Learnings | ||
|
|
||
| * A lot came down to communication | ||
| * How do we engage with the project? | ||
| * How much do we push or set timelines? | ||
| * What's the desired outcome of the engagement? | ||
|
|
||
| * Biggest single takeaway: Projects loved the template security docs | ||
|
|
||
| --- | ||
| # A "timebox" would probably help | ||
| * Week 1: Initial meet and greet, give overview of project, where the project can find the Self Assessment, answer any initial questions (give the team a few weeks to digest all of this) | ||
| * What might be useful here is to get a sense for where the project stands, regarding graduation. If they're new into the sandbox, and foresee many months of work to prepare for graduation to Sandbox, then security might not be top-of-mind. | ||
| * Week 4: Followup - see if any questions, what progress has been made, is there anything the security pal can help unblock, from a security POV (or make connections to other CNCF resources)? | ||
| * Week 6-8: Soft target for a draft of self-assessment | ||
| * Week 12-16: Submit self-assessment for review | ||
|
|
||
| --- | ||
| # Buy-in | ||
|
|
||
| * An important part here is to make sure both the project and the pal(s) understand the timeline/time committment | ||
| * If we can minimize the time committment, we'll get more pals. | ||
|
|
||
| --- | ||
|
|
||
| # Benefits to TAG members | ||
| * Chance to help the community | ||
| * CNCF, OSS, OSS consumers | ||
| * Exposure to other projects | ||
| * Both teams and technology | ||
|
|
||
| --- | ||
| # Next Steps | ||
| * There's definitely value here. We should make this a Thing. | ||
| * How do we select projects (some suggestions)? | ||
| * Security status | ||
| * TOC input | ||
| * Younger, less mature projects? |