The Cloud Native Computing Foundation and OSTIF Impact Report

OSTIF has been working with the Cloud Native Computing Foundation (CNCF) on a number of security projects over the last year. This has been a large collaborative effort to help CNCF projects improve their security posture by conducting code audits, building security tools, directing supply chain reviews, building fixes, and assisting projects with unique challenges.

This report showcases the impact of our work on seven different projects (Argo, Backstage, Containerd, CRI-O, Envoy, Flux, KubeEdge). We also have eight projects with the CNCF in progress or scheduled for the remainder of 2022 that are not included in the scope of this report. Additionally, the project with Envoy is ongoing and is expected to continue to garner significant additional security progress.

Material Progress

This partnership arose from the need for the CNCF to find a security partner that can readily work with open source projects to support their development in an impactful way. OSTIF’s tireless work in this area, building partnerships with security firms that understand open source, combined with our processes that deliver strong results while maintaining full transparency, made for a perfect match. In this report we show that we meet every challenge and bring real, tangible improvements to the open source ecosystem.

The full CNCF/OSTIF impact report can be found on the Cloud Native Computing Foundation blog here: https://www.cncf.io/blog/2022/08/08/improving-cncf-security-posture-with-independent-security-audits/