community/archive/wg-security-audit

Security Audit Working Group

Perform a security audit on k8s with a vendor and produce as artifacts a threat model and whitepaper outlining everything found during the audit.

Stakeholder SIGs

• SIG Auth

Meetings

• Regular WG Meeting: Mondays at 12:00 PT (Pacific Time) (weekly). Convert to your timezone.

Organizers

• Aaron Small (@aasmall), Invitae
• Craig Ingram (@cji), Stripe
• Jay Beale (@jaybeale), InGuardians
• Joel Smith (@joelsmith), Red Hat

Contact

• Slack: #wg-security-audit
• Mailing list
• Open Community Issues/PRs

Published Documents

Trail of Bits and Atredis Partners, in collaboration with the Security Audit Working Group, have released the following documents which detail their assessment of Kubernetes security posture and their findings.

Findings

• Kubernetes Security Review
• Attacking and Defending Kubernetes Installations
• Whitepaper
• Threat Model

Ancillary Data

• Rapid Risk Assessments
• Dataflow

Mailing Lists

• Sensitive communications regarding the audit should be sent to the private variant of the mailing list.

Request For Proposals

The RFP was open between 2018/10/29 and 2018/11/30 and has been published here.

Vendor Selection

The RFP is now closed. The working group selected Trail of Atredis, a collaboration between Trail of Bits and Atredis Partners to perform the audit.

You can read more about the vendor selection here.