Security Technical Advisory Group

Cloud Native Security Logo

About Us

The CNCF Security Technical Advisory Group facilitates collaboration to exchange and produce knowledge and resources for building security in the cloud native ecosystem.

Cloud Native involves building, deploying, and operating modern applications in cloud computing environments, typically using open source. This complex ecosystem presents a technology risk landscape that demands rethinking application and information security through the lens of developer experience.

We aim to significantly reduce the probability and impact of attacks, breaches, and compromises. By empowering developers and operators to understand and manage the security posture of their systems, we strive to fulfill the promise of enhanced productivity and operational efficiency.

Key Focus Areas

  • System Security Architectures: Frameworks to protect resources and data.
  • Common Lexicon, Templates & Libraries: Tools for developers to create secure apps.
  • Heuristics and Models: Approaches for reasoning about system security.

Publications

Below is a list of publications by TAG Security. For a comprehensive collection of our works in various formats, please visit the publications directory.

PublicationDate
Formal Verification for Policy ConfigurationsAugust, 2019
Catalog of Supply Chain CompromisesNovember 2019 - Present
Software Supply Chain Best PracticesMay, 2021
Evaluating your Supply Chain SecurityMay, 2021
Cloud Native Security LexiconAugust, 2021
Cloud Native Security WhitepaperMay, 2022
Cloud Native Security Controls CatalogMay, 2022
Handling Build-time Dependency VulnerabilitiesJune, 2022
Secure Software Factory: A Reference Architecture to Securing the Software Supply ChainMay, 2022
Secure DefaultsFebruary, 2022
Open and Secure - A Manual for Practicing Threat Modeling to Assess and Fortify Open Source SecurityNovember, 2023

Governance

Refer to the Security TAG charter for our governance process.

Communications

Join our open discussions and share news:

Meeting Information

  • Americas: Weekly on Wednesdays at 10 am (UTC-7). Zoom link , Meeting ID: 998 0947 4566.
  • EMEA: Bi-weekly on Wednesdays at 1 pm UTC+0 (adjusts for daylight saving). Zoom link , Meeting ID: 999 1752 3142.

Check your local timezone here . Meetings are listed on the CNCF calendar and the TAG Security Calendar .

To add a topic to the agenda, review our process .

Gatherings

New members

New to the group? Check out our New Members page.

Explore groups affiliated with or relevant to Security TAG here

Members

Security TAG Chairs

NameOrganizationTermHandle
Pushkar JoglekarIndependentJune, 2023 - June, 2025@PushkarJ
Marina MooreIndependentOctober, 2023 - October, 2025@mnm678
Eddie KnightSonatypeMay, 2024 - May, 2026@eddie-knight

Tech Leads

NameOrganizationHandle
Justin CapposNew York University@JustinCappos
Ash NarkarStyra@ashutosh-narkar
Andrés VegaM42@anvega
Ragashree ShekarIndependent@ragashreeshekar
Michael LiebermanKusari@mlieberman85
John KjellTestifySec@jkjell

Security TAG Chair Emeriti

NameOrganizationTermHandle
Dan ShawPayPalJune, 2019 - September, 2020@dshaw
Sarah AllenJune, 2019 - June, 2021@ultrasaurus
Jeyappragash JJTetrate.ioJune, 2019 - June, 2021@pragashj
Emily FoxAppleSeptember, 2020 - February, 2022@TheFoxAtWork
Brandon LumGoogleJune, 2021 - June, 2023@lumjjb
Aradhana ChetalTIAAJune, 2021 - September, 2023@achetal01
Andrew MartinControlPlaneMarch, 2022 - March, 2024@sublimino

Working Groups

The TAG’s working groups focus on specific areas and organize most community activities, including weekly meetings. These groups facilitate discussions, engagement, and publications with key stakeholders, operating differently based on their needs. Each group, led by a responsible leader, reaches consensus on issues and manages logistics. All materials, such as reports, white papers, documents, and reference architectures, are in the repository’s /community directory.

ProjectLeads
ResearchAndrés Vega
Automated GovernanceAndrés Vega, Brandt Keller
Catalog of Supply Chain CompromisesSantiago Arias Torres
ComplianceAnca Sailer, Robert Ficcaglia
ControlsJon Zeolla
Security ReviewsJustin Cappos, Eddie Knight
Software Supply ChainMarina Moore, Michael Liebermann, John Kjell

Additional information

CNCF Security TAG reviews

For CNCF project proposal process create a new security review issue with a self-assessment .