Sneak Peek into the Security Assessment with the community
Ragashree M C, CISSP
Graduate Student, Carnegie Mellon University
Technical Lead, CNCF TAG Security

What a wonderful world.
- We are more connected now than ever
- Innovation everywhere!

What a wonderful world.
- Huge number of connected devices and services
- Larger attack surface than ever
- How secure really is it?

Agenda
- What is a security assessment?
- How is it different from audits?
- How to perform a security review?
- What are the resources available?
- Announcement!
- How to get a TAG Security security assessment?
- What's next?

Security Assessments
- Dive into systemic/design issues
- Subjective
- Longer validity

Security Assessments vs Security Audits
  Assessment               | Audit
  Longer validity          | Single point in time
  Systemic/design issues   | Process/implementation issues
  Subjective               | Objective

Source: AliExpress, Marvel Chinese Brand Name Creation | Labbrand. Disclaimer: all characters represented in this artwork belong to the respective owners.

Actors: the good, the neutral, the bad

System goals: Confidentiality, Integrity, Availability, Non-repudiation, Secrecy, Privacy

Attacker goals: Disclosure, Alteration, Destruction

Security assessment goals: Identify, Categorize, Respond

Identification
- Goal: identify the threats and the possible attack scenarios
- Requirement: service architecture
- Methodology and frameworks: STRIDE, attack graphs
- Special mention: lightweight threat modelling framework, GitHub - https:/
- Cloud Native SecurityCon NA 23 - Security Threat Modeling Live from Scratch Session - Andrew Martin, Control Plane

STRIDE Framework: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege

Categorization
- Goal: identify the impact
- Requirement: identified risks
- Methodology: quantitative, qualitative
- Frameworks: DREAD, LINDDUN, etc.

DREAD Framework: Damage caused, Reproducibility, Exploitability, Affected users, Discoverability

Response
- Goal: reduce the impact!
- Options: Prevention, Recovery, Detection with traceability (Detection, Traceability)
Resources from TAG Security

Guidelines
- Cloud native security whitepapers* (*translations: Chinese, Portuguese, Italian (on the way); audio recordings)
- Supply chain security whitepapers
- Cloud native security controls mappings

Tools
- Cloud native use-cases and personas
- Cloud Native 8
- Cloud native security map
- Cloud native controls
- Cloud native security lexicon

Assessments & Reviews
- Self-assessments
- Joint reviews
- Security assessment book

Special mention: all the resources are available on the TAG Security GitHub - tag-security/PUBLICATIONS.md at main, cncf/tag-security
Presentation: Cloud Native SecurityCon NA 23 - TAG Security Cloud Native Security Whitepapers Overview - Shlomo Zalman Heigh, CyberArk

TAG Security Assessments Process
Roles: Project Lead, Lead Security Reviewer, Owner(s)

Phase 1: Self Assessment
- Step 1: Self assessment - complete the self assessment as per cncf/tag-security; create a PR and add the self-assessment to the TAG Security repo
- Step 2: Present the project and self assessment - create a presentation issue in GitHub (New Issue, cncf/tag-security); present the project and self assessment to the TAG Security community
- Step 3: Conclude self assessment - incorporate TAG Security feedback into the self assessment

Phase 2: Joint Assessment
- Step 4: Initiate joint review - create a tracking issue (New Issue, cncf/tag-security)
- Step 5: Conflict of interest statement and review - the TAG Security review team provides the statement of conflict of interest
- Step 6: Questions and clarifications - the lead security reviewer or their designee performs an initial, clarifying review
- Step 7: Hands-on review (optional) - security reviewers may perform a hands-on review
- Step 8: Presentation and final summary - create a presentation issue (New Issue, cncf/tag-security); present the project and self assessment to the CNCF TAG Security community
Special mention: Justin Cappos, Matthew Giassa

Introducing the Security Assessments book!
- Draft: Security Assessment Book Draft - Google Docs
- GitHub issue: "Suggestion: Should we write a Linux Foundation guide/course on how to do a security assessment?" Issue #999, cncf/tag-security
- Primary author: Justin Cappos

So what's next?
Have feedback? Want to get involved? Want to get a security assessment? Slack us!
- CNCF Workspace: #tag-security (general discussions), #security-assessments-book (security assessment book discussions)
- GitHub: tag-security (for requesting security assessments)