Re: Post on Supply Chain Security

Dan Lorenc

Definitely! +Jacque


On Tue, Jan 7, 2020, 2:04 PM Tracy Miranda <tmiranda@...> wrote:
Great read, and lots of insightful links. 

If you're up for it I'd suggest republishing this on cd.foundation too. 

Tracy

On Tue, Jan 7, 2020 at 2:55 PM Kay Williams via Lists.Cd.Foundation <kayw=microsoft.com@...> wrote:

Great article, Dan. Thanks for writing, and for sharing.

From: sig-security@... <sig-security@...> On Behalf Of Dan Lorenc via Lists.Cd.Foundation
Sent: Tuesday, January 7, 2020 11:32 AM
To: sig-security@...
Subject: [sig-security] Post on Supply Chain Security

Sorry for the spam since I wrote this, but over the holidays I wrote up a blog post outlining some of the security problems I see facing OSS, and how I hope the CDF and this SIG can help address them.

Dan Lorenc


Re: Post on Supply Chain Security

Tracy Miranda <tmiranda@...>

Great read, and lots of insightful links. 

If you're up for it I'd suggest republishing this on cd.foundation too. 

Tracy



Re: Post on Supply Chain Security

Kay Williams

Great article, Dan. Thanks for writing, and for sharing.


Post on Supply Chain Security

Dan Lorenc

Sorry for the spam since I wrote this, but over the holidays I wrote up a blog post outlining some of the security problems I see facing OSS, and how I hope the CDF and this SIG can help address them.


Dan Lorenc


Re: [sig-security-supply-chain] Slides from CD Summit - Software Supply Chain Security

Dan Lopez <dlopez@...>

Hi SIG Security Team,


Best
--
Dan Lopez
The Linux Foundation
+1 415.735.5881


On Mon, Nov 18, 2019 at 3:49 PM Kay Williams via Lists.Cd.Foundation <kayw=microsoft.com@...> wrote:

Hi everyone – slides from the Software Supply Chain Security presentation at CD Summit are available here. You will find both PDF and PPTX versions. Feel free to share, copy and make private modifications to the slides. Please don’t modify the originals. Also, please share suggestions for future improvements. We can all benefit in future presentations.

Thanks!

Kay


Slides from CD Summit - Software Supply Chain Security

Kay Williams

Hi everyone – slides from the Software Supply Chain Security presentation at CD Summit are available here. You will find both PDF and PPTX versions. Feel free to share, copy and make private modifications to the slides. Please don’t modify the originals. Also, please share suggestions for future improvements. We can all benefit in future presentations.

Thanks!

Kay


CDF SIG-Security activities next week at CD Summit / KubeCon

Kay Williams

Hi everyone,

The SIG-Security group is excited to be participating in CD Summit / KubeCon next week in San Diego!

Here are a few activities for your awareness:

  • Monday - 11/18, 1:45 to 2:15 PM – Santiago Torres Arias and I will be talking about Software Supply Chain Security (overview here)
  • Thursday - 11/21, 9:00 AM to 12:00 PM – SIG-Security discussion of Software Supply Chain Security (agenda here)

All are welcome. Please join. :-) Let me know if you have questions.

Kay

SIG-Security Chair


Security SIG: meeting schedule through 2019

Kay Williams

Hey everyone,

I wanted to let you know about a change in our meeting schedule for the rest of the year.

Typically we meet every other Tuesday at 8 AM Pacific, just ahead of the bi-weekly TOC meeting. A few factors are making us rethink this schedule for November and December:

  1. Many of our sig-security members are also actively involved in the Software Bill of Materials (SBOM) Working Group – a partnership with the Consortium for Information and Software Quality (CISQ). This group is hard at work delivering a draft industry standard specification in November with a round of updates in December.
  2. With the holidays, many people will be away from work in late November and again in late December.

Given these items, we have decided to keep focus and momentum by merging efforts between the security-sig and the SBOM working group through the end of the year. During that time our plan is as follows:

  • Briefly suspend bi-weekly security-sig meetings from 11/5 through 12/31.
  • Report on security-sig related topics, including the SBOM effort, in bi-weekly TOC meetings.
  • Reconvene security-sig meetings again beginning January 14th.

This is an exciting time - we are seeing individuals and organizations across the industry engage to create standards for Software Supply Chain Security. We look forward to launching a first draft standard this year, and additional collaboration in 2020!

Sincerely,

Kay, Brian and Fred

SIG Security co-chairs


10/21 CDF Security SIG Agenda

Kay Williams

Hi all,

Here is our agenda for tomorrow’s CDF Security SIG Meeting, copied below for convenience.

Agenda and Notes:

Thanks,

Kay


Notes from 10/8 Security SIG meeting

Kay Williams

Hi everyone, for those who were unable to attend this morning’s meeting, notes are available in our agenda document (here). I have copied them below for convenience.

Our next meeting will be on Tuesday 10/22 at 8 AM Pacific.

Agenda and Notes:

  • Welcome and Overview
  • Upcoming Events
    • CD Summit San Diego 11/18
      • Software Supply Chain Security
      • Security SIG Lightning Talk
  • Security Working Groups
    • Software Supply Chain Security
      • Overview of joint SBOM effort with CISQ, OMG
      • Presentation here
    • Other working group ideas and interests?
      • Telemetry - best practices around collecting, implementation, code
        • Concerns about PII data being collected in telemetry
        • GDPR compliance for telemetry and data collection
        • Guidance for shared projects on regulatory compliance
        • Dan Lopez to discuss at TOC
      • Credential leak management
        • Common process / APIs for communicating leaked credentials
        • Guidance on scanning for leaked credentials, e.g. passwords, SSH keys, etc.


Help! Call for sponsors: Mind Share Event at KubeCon 2019

Jacque Salinas

Help!!!

We still need 4 member or end-user companies who would like to support the Mind Share Cocktail hour from 6:30 to 8:00 on November 18th (Monday night of KubeCon). This event will be held as part of the CDF North American Summit and will kick off KubeCon for attendees who are interested in building out a CD process.

The cost is $1500 to support the event.

The event will serve as an ice breaker and will encourage attendees to network around the topic of the Continuous Delivery Landscape. Sponsors of the event will participate by facilitating discussion on various CD Landscape focus areas, logos will be displayed on material and a table for literature will be provided.

Please let me know if you would like to be part of this evening event. It will be an excellent way to meet attendees who are looking for direction on CD topics.

Kind Regards,

Tracy Ragan
CEO and Co-Founder / DeployHub / tel: +1.505.424.6440 / mob: +1.505.780.0558


REMINDER! CD Summit @ NA Kubecon 2019! Call for demos/sponsors

Jacque Salinas

Hello SIG Security Members,

The North American CD Summit co-located at KubeCon is just around the corner. We hope you all can make it. Be sure to sign up. You can find the registration under co-located events on your KubeCon registration page. Here are some ways to participate:

Sign up to do a demo in your booth

· We will be coordinating and advertising member demos at their booths. We want to highlight the CDF members who are on the expo floor at KubeCon. We will not have a CDF booth, so this is a great alternative. Look for a sign-up email shortly or register here! Please register no later than Oct. 18th @ 12PM.

Sponsor the MindShare Cocktail Hour

· Consider hosting the CDF MindShare Cocktail hour to be held on November 18th directly after the end of the CDF Summit. This is a chance to participate as a CDF Summit sponsor at a lower cost. We have 6 sponsorships on a first-come, first-served basis. The cost will be $1500 per sponsor. Description below. Please reach out to Tracy Ragan to secure your sponsorship by Oct. 21st @ 12PM.

· MindShare Cocktail Hour:

o   The goal of this CDF Summit evening event is to bring together attendees and CDF members in an informal setting to encourage networking and to stimulate technical discussions around various topics of continuous delivery. Each category in the CDF Landscape will have a table and a moderator. Sponsoring members will have the opportunity to assign 2 table moderators - topics to be chosen randomly at the event. This way everyone learns and no one vendor controls a table in their expertise. Your company logo will be displayed on each table. There will also be a literature table to distribute material about your solution and stickers.

Thank you!

--
Jacqueline Salinas
Continuous Delivery Foundation
Director of Ecosystem & Community
408 218 0667


Re: Announcing the CDF Security SIG

Kay Williams

Correction. SIG-Security meetings will be held at 8 AM Pacific. Our first meeting will be next Tuesday 10/8. Join us!

From: Kay Williams
Sent: Friday, October 4, 2019 10:26 AM
To: cdf-toc@... <cdf-toc@...>; sig-security@... <sig-security@...>
Subject: Announcing the CDF Security SIG

Hey everyone, I am excited to announce the formation of the Security SIG - the CD Foundation’s first Special Interest Group (SIG)! The Security SIG began as a lightning talk at the first CD Summit in Barcelona this past May, and progressed to a formal proposal in August. In September it was adopted by the Technical Operating Committee (TOC).

The charter for the Security SIG is to provide a neutral home for discussion around designs, specifications, code and processes to enable security across the software supply chain. Topics of interest include the following:

  • Observability - enabling actions performed while writing code, compiling, testing, and distributing software to be manifest and verifiable.
  • Policy - enabling consumers of software to specify and implement policy over consumed software.
  • Inventory - enabling administrators to inventory and audit software used within their organizations.
  • Runtime Security - enabling detection and prevention of software tampering at runtime.
  • Vulnerability Communication - providing mechanisms for breaches in the integrity of software to be communicated and remediated.
  • Vulnerability Recovery - providing mechanisms for consumers to recover from compromised or untrusted software.

Membership in the Security SIG is open to the public. Here are some details:

Communication

Meetings

All are welcome to join the mailing list and attend meetings. We look forward to building a more secure future together!

Sincerely,

Kay




Announcing the CDF Security SIG

Kay Williams

Hey everyone, I am excited to announce the formation of the Security SIG - the CD Foundation’s first Special Interest Group (SIG)! The Security SIG began as a lightning talk at the first CD Summit in Barcelona this past May, and progressed to a formal proposal in August. In September it was adopted by the Technical Operating Committee (TOC).

The charter for the Security SIG is to provide a neutral home for discussion around designs, specifications, code and processes to enable security across the software supply chain. Topics of interest include the following:

  • Observability - enabling actions performed while writing code, compiling, testing, and distributing software to be manifest and verifiable.
  • Policy - enabling consumers of software to specify and implement policy over consumed software.
  • Inventory - enabling administrators to inventory and audit software used within their organizations.
  • Runtime Security - enabling detection and prevention of software tampering at runtime.
  • Vulnerability Communication - providing mechanisms for breaches in the integrity of software to be communicated and remediated.
  • Vulnerability Recovery - providing mechanisms for consumers to recover from compromised or untrusted software.

Membership in the Security SIG is open to the public. Here are some details:

Communication

Meetings

All are welcome to join the mailing list and attend meetings. We look forward to building a more secure future together!

Sincerely,

Kay