[Presentation] Substation Overview (CNCF Sandbox) #1356

Closed
1 of 4 tasks
jshlbrd opened this issue Aug 29, 2024 · 6 comments
Labels: triage-required (Requires triage), usecase-presentation (Label for usecase related presentations)

Comments

jshlbrd commented Aug 29, 2024

Title: Substation Overview (CNCF Sandbox)

Speakers:

Description: This presentation is an overview of Substation (submitted to CNCF Sandbox) and will cover its use cases, how it works (cloud native fit), history, and future.

Time: How long will the presentation take? 30 minutes (up to 45 minutes with questions).

Availability: I'm available to present during any Wednesday meeting, and as soon as the next meeting (9/4/2024).

TO DO

jshlbrd added the triage-required (Requires triage) and usecase-presentation (Label for usecase related presentations) labels Aug 29, 2024

y-tabata (Contributor) commented Sep 4, 2024

@eddie-knight We need to schedule a date.

eddie-knight (Collaborator) commented Sep 7, 2024

Hi @jshlbrd!

Here are the next openings for each time zone's community call. Do you have a preference?

jshlbrd (Author) commented Sep 7, 2024

@eddie-knight AMER 9/18 at 10 AM works for me, thanks!

mrcdb (Member) commented Sep 9, 2024

@jshlbrd you have been booked for September 18th 1000 PDT

jshlbrd (Author) commented Sep 9, 2024

> @jshlbrd you have been booked for September 18th 1000 PDT

Great, thank you!

brandtkeller (Collaborator) commented Sep 19, 2024

TAG recommendation to TOC

Project Overview

Ecosystem Adoption

What ecosystem adoption has the project seen?

Repo stats:
317 stars
8 contributors
179 commits @ main
38 Releases

Adoption:
Brex in production
Other companies (Approx 3) using in production

Shared governance model and community awareness as a reason for pursuing donation.

Past TOC Reviews

Application to Sandbox

Security Reviews

TAG Security Assessments

Has the project completed a TAG Security Self-Assessment and/or Joint Assessment? If yes, please add a link and discuss how this has impacted their security posture.

No - Project is now aware that these exist.

Security Audit

Has the project completed an external security audit? If yes, how have they addressed the findings?

A separate Brex team has conducted a review - publishing these could provide good evidence for security confidence.

Team does have a process for disclosing vulnerabilities

Best Practices

Metrics

Which security best practices does the project follow (for example CNCF best practices badge, OpenSSF Best Practices, CLO monitor), and how does it rate by these metrics?

GitHub OSS best practices

No badges displayed but could be made available.

Static Analysis

Does the project perform static analysis?

Golang linting tools used for static analysis

Sub-project Considerations

If the project has sub-projects, how does their security posture compare to the base project?

No sub-projects

Plans for what could evolve as a result of donation could include separation of some efforts into sub-projects

TAG Recommendation to the TOC

Substation as a toolkit is well suited to provide end users with the required tools and framework to enrich security and audit logs in a variety of architectures and scenarios. Discussion today (9/18/24) highlighted historical context, areas of opportunity, and risks involved with regards to threat surface. The criteria noted above provide opportunities for the project to evolve their project security posture and provide more value to the ecosystem.

With that and the above information provided, we believe the project meets the security expectations for Sandbox.
