Security Slam 2023
Published: March 6th, 2024
A month-long challenge empowering CNCF community in software security
The Cloud Native Computing Foundation (CNCF) once again marked a significant milestone in its commitment to software supply chain security with the successful conclusion of Security Slam 2023.
Beginning on October 10th and culminating in an awards ceremony at KubeCon+CloudNativeCon NA, this challenge presented a unique opportunity for creators and users of CNCF projects to enhance their security hygiene through a series of five challenges to earn “badges” and associated prizes.
Partnership behind the event
The Security Slam is a collaborative effort from CNCF and Sonatype. The key sponsor, Google’s Open Source Security Team (GOSST) also allocated engineers to help participants troubleshoot Scorecard integrations and supplied funding for the event’s prizes.
The complex nature of open source security demands a multifaceted approach. Google is proud to support events like the Security Slam, which tackle both immediate security vulnerabilities in critical projects and promote a culture of security awareness throughout the open source ecosystem.
Bob Callaway
Just like the previous event in 2022, this partnership underscores the event’s primary objective: Build a resilient and secure software ecosystem. By fostering this collaboration, the CNCF continues to play a pivotal role in advancing cloud-native technologies and open source practices.
The 2022 Security Slam was a complicated whirlwind, but it was also statistically significant when we looked back on the security statistics a year later. I anticipate the impact of the 2023 Slam will go well beyond improved stats, as we’ve already seen a marked change in community attitudes related to security hygiene.
Eddie Knight
Sonatype
Measuring success
The event’s structure was meticulously designed to provide both guidance and incentives. Participants had access to a resource library, including three official Linux Foundation Training Courses tailored for the event (LFEL1005, LFEL1006 and LFEL1007).
The success of the Security Slam 2023 event was quantified through five distinct badges, each representing a specific security milestone achieved by participants:
- The Chronicler: This badge focused on ensuring that security documentation contained well-formatted data pertinent to software supply chain security decisions. It also included guidance for end users on how to validate provenance artifacts.
- The Inspector: Participants achieving this badge ensured that a security self-assessment was completed in accordance with TAG-Security’s documented standards.
- The Cleaner: This badge was awarded for bringing all CLOMonitor non-security scores to 100% for a project. This effort indirectly increased overall supply chain security by addressing Best Practices, Documentation, License, and Legal aspects.
- The Defender: To earn this badge, participants had to ensure each project repository was properly accounted for within CLOMonitor. This included assigning the correct check set to each repository and bringing the security score to 100%, thereby statistically reducing the likelihood of future vulnerabilities.
- The Mechanizer: This badge required ensuring that every release of a project had an automated mechanism to supply SBOM (Software Bill of Materials) and provenance artifacts.
These badges represent the various areas of focus in the event, highlighting the diverse range of skills and contributions made by the participants toward enhancing the security of Kubernetes projects.
Celebrating achievements
The climax of the Security Slam was the award ceremony, where Artifact Hub, Jaeger, K8GB, Capsule, and OpenFGA received recognition for their efforts. While many projects participated to varying degrees, five projects received awards at KubeCon + CloudNativeCon North America.
Lessons learned
While the event was a success, there were several lessons learned that we believe will help similar events in the future.
- Many project maintainers expressed keen interest in end user feedback, especially regarding user’s perception of project security. Several projects asked to be put in touch with end users to solicit feedback directly.
- Creating five badges was helpful for some projects, as it presented options of what to pursue. Other projects, however, cited the volume of potential work as intimidating.
- A limited number of organizers were involved in awareness efforts, leading to many projects learning about the process at the last minute— or too late.
Based on these lessons, and those learned during the experimental Lightning Round, this event will look very different in 2024. Several factors are currently being considered, such as a proposal to create an oversight body within CNCF’s Security Technical Advisory Group. This would allow the Slam and related security implementation events to be better harmonized within CNCF.
Other changes that are being considered are modifications to the event length, collaboration with CNCF Ambassadors and Kubernetes Community Days, and improved end-user feedback methods.
Security Slam 2023 set a new benchmark for collaborative learning and skill enhancement in the realm of cloud-native security. It stands as a testament to the CNCF community’s unwavering commitment to fostering a secure, efficient, and innovative software supply chain.