CNCF and Google Open Source Security Team GSoC Collaboration - Enhancing Security Across CNCF Ecosystem

[nate-double-u]

Description

This project is a collaborative effort between the CNCF and Google's Open Source Security Team to improve security practices across various CNCF projects. The focus is identifying and addressing security vulnerabilities, integrating security tools like OSS-Fuzz, and enhancing build and release security processes. The goal is to get all CNCF projects to use scorecards (focusing on graduated/incubating projects first) and to remediate some of the findings.

Expected Outcomes

• All graduated and incubating CNCF projects using OpenSSF Scorecards to assess and enhance their security postures. Stretch goal: all (including sandbox) CNCF projects using OpenSFF Scorecards.
  • Remediation of identified vulnerabilities based on scorecard findings
  • Where CNCF projects are already using OpenSSF Scorecard, improved scores (remediating various risk assessments
• Integration or enhancement of fuzzing with OSS-Fuzz for CNCF projects
• Improved build/release security by automating builds and releases, added build provenance, signing, and improved reproducibility

Recommended Skills

• Security analysis
• CI/CD practices
• programming (preferably Go)
• knowledge of CNCF projects

Expected project size

large (~350 hour projects)

Mentors

• Nate Waddington (@nate-double-u, natew@cncf.io)
• Dustin Ingram (dustiningram@google.com)

[harshal-rembhotkar]

Hello @matzew @aslom @lkingland mentors i am Harshal Rembhotkar , 4th semester Engineering(Automobile) student, i excited to join your organization ,my tech stacks are Java , html, css ,version control system, springboot framework ,mysql DB and technologies that i learned are like docker ,kubernetes and i also i have little idea about other Devops tools. i am selected CNCF organization for GSOC '24.
Thanks !!

[AmanSarraf]

hi @nate-double-u , I am intersted in working on this issue, I am new to fuzzing and related concepts and started doing some research around the same, I have some questions,
Are there any guides or documents I should read?
Can you recommend any resources to help me understand the project better?

[AmanSarraf]

@nate-double-u I just went over some basic of fuzz and oss fuzz working, do we need to write fuzz functions ourself for all the cncf projects and there entry points or is there any other way, let me know I am looking to try this on a project.

[rootxrishabh]

Hey @nate-double-u, I have submitted a proposal (file name ROOTXRISHABH-CNCF GOOST.pdf).

My understanding of the project is as follows -

I see a lot of discussion around the scope of the project. This is my view on the scoped items.
OSSF scorecard -

1. The scorecard can be created by the mentee for incubating and graduated projects.
2. A lot of projects have OSSF scorecards but they don't have good scores. What we can do is to create a central issue addressing issues and remediation at a single source of truth and make that issue an action item in community meetings, tackling sub-items one by one.
3. The mentee can also help with improving scores of certain sub-items taking help from the community as well. Also, guiding anyone interested in contributing.

OSS-Fuzz -

1. Handling fuzz testing for each project would be out of the scope for the mentee.
2. Fuzz testing itself is a mentorship project in many organizations. Examples - LitmusChaos
3. I think what the mentee should do is open issues about fuzzing to make the projects aware about the process and tools required and help them out in creating the process.
4. For example, Input would be handled by oss-fuzz. Generating the input set would be handled by the project members.
5. Output behaviour testing could be done for example by pprof.
6. Identify the components that would be fuzzed and document the process afterwards.

Security, signing, provenance -

1. This step is mostly works with github workflows and software artifacts.
2. Notary and cosign facilitate the singing of images as well as images with artifacts.
3. Automating build would be handled by github workflows.
4. Security of dependencies would be facilitated by integrating Snyk or kubescape in the workflow.
5. Overall, the steps above would involve creating issues and igniting discussions on the slack channels.

I am very eager to know your opinion on the above to proceed with the proposal.
Thanks : )

[di]

Answering some questions here:

Are there any guides or documents I should read?

The following might be helpful:

• https://www.infoq.com/presentations/ossf-scorecard/
• https://www.youtube.com/watch?v=emLqpvPdsGs
• https://github.blog/2022-01-19-reducing-security-risk-oss-actions-opensff-scorecards-v4/

Can you recommend any resources to help me understand the project better?

I recommend reviewing the documentation at https://securityscorecards.dev/ and https://github.com/ossf/scorecard/blob/main/docs/checks.md

I am very eager to know your opinion on the above to proceed with the proposal.

I think this is an excellent interpretation of the intended scope & scale of the project, nice job!

[rootxrishabh]

@di I am glad you liked it!

Also, please find my proposal, provide any feedback that you might have? We still have some time left on the deadline, I can still make any changes that might be needed.

If the proposal is not accessible. I can DM it to you and Nate.

Thank you for the resources : )

[Stan370]

Hi @di @nate-double-u , I am very interested at this project and just submitted my proposal. As someone deeply immersed in the world of cloud-native computing and security, I bring to the table significant experience in both Go programming and microservice. I look forward to hearing your thoughts and feedback.

[kaaass]

Hello @nate-double-u @di. I am a master's student in computer science, majoring in cybersecurity. I am very interested in this project! I think this project aligns closely with my research focus. I believe my experience in cloud-native security and fuzzing will be helpful for this project. Also, I am eager to apply the state-of-the-art tools developed in previous academic projects I paticipated to this project to help enhance security across the CNCF ecosystem. I have detailed these experiences and my plan in the proposal I submitted. Looking forward to hearing your feedback.

[satyampsoni]

Hi @di Thanks for sharing the links! They are helpful

[nate-double-u]

Hi, everyone. Thank you all for your interest in this project. I want to introduce @harshitasao. She was accepted to GSoC 2024 and will work with us on this collaboration. We'll use this issue as the primary public communication spot for our progress on this project.

[mumong]

Hello @nate-double-u @di. i'm new graduated student now working in a non-profit organization. my title is Wireless cloud platform R&D engineer. i use kubernetes, ansible, golang such tools to solve my work problems. and recently i am researching about security cloud plantform, like using virtural container, such as kata container, gvisor. and using harbor to analysize image SBOM and some other tools to making Vulnerability Scan.

This is first time i'm trying to join the project and, i might have a lot of things to learn. my free time will be at weekends.

[nate-double-u]

Hi @mumong, thanks so much for your interest in the project. This is specifically a Google Summer of Code project, but you bring up a good question, and that is how do we want to continue this work after the term ends in a couple weeks.

Most of our project discussion is happening over on the #cncf-gosst-gsoc-2024-collab slack channel. (*Note to folks looking to apply to GSoC, this is not the channel to discuss that process -- it's a channel to specifically discuss the improvements this project is trying to make).