# OpenSSF Stream

1. KubeArmor Introduction
2. What comes after the core functionality is built?
   - Core functionality: the ability to prevent attacks inline (enforcement, not just detection)
3. Three high-level scopes
   1. Usability and DevSecOps Experience
   2. Performance
   3. Security
4. Usability and DevSecOps Experience
   1. Leveraging the Kubernetes Resource Model
      - https://github.com/kubernetes/design-proposals-archive/blob/main/architecture/resource-management.md
   2. Onboarding journey
      - Operator-based installation that auto-detects the environment to streamline installation
   3. Opinionated, sane defaults, while letting advanced users tweak whatever they want
   4. Shift left
      - Provide CI/CD packages that help build least-permissive policies for each individual application
   5. Policy recommendation
      - Most users cannot shift left completely, so a standardised policy set helps them achieve continuous compliance
      - https://github.com/kubearmor/policy-templates/
5. Performance
   1. Security is generally seen as a cost centre by organisations
      - Some organisations do understand its criticality and see it as a profit centre, provided it prevents lawsuits or helps win deals through compliance
   2. We cannot add too much overhead or impact developer velocity
   3. Repeated benchmarks and performance optimisations
   4. New enhancements may be disabled by default for performance reasons
      - Explain that the capability is supported but not enabled by default
   5. Open, reproducible benchmarks
      - https://github.com/kubearmor/KubeArmor/wiki/KubeArmor-Performance-Benchmarking-Data
6. Security of the Security Tool
   1. Threat modelling all actors, actions and behaviours in the tooling ecosystem
      - https://github.com/accuknox/k8sthreatmodeling/blob/main/models/kubearmor/README.md
   2. OpenSSF Best Practices
   3. OpenSSF Scorecard
   4. CNCF TAG Security whitepapers
      - https://tag-security.cncf.io/
   5. Lifecycle
      - https://tag-security.cncf.io/community/resources/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf
      1. Develop
         - Vulnerability checks: gosec, Snyk, FOSSA
         - Secure defaults
         - Fuzz testing
      2. Distribute
         - Image hardening
         - Signed artifacts
      3. Deployment and Access
         - Roles and access
         - Dropping privileges after startup
         - Secure defaults: transitioning to shipping with secure defaults while keeping the experience seamless
      4. Runtime
         - Protecting vulnerable points
         - mTLS
         - AppArmor, seccomp
         - Using KubeArmor to protect KubeArmor
   6. KubeArmor meta issue
      - https://github.com/kubearmor/KubeArmor/issues/1186
7. OpenSSF and TAG Security Baseline
   - https://github.com/ossf/security-baseline/blob/main/baseline.yaml
   - TAG Security is helping implement probes to automate this baseline
   - CNCF initiative to integrate it into the LF Insights dashboard
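The shift-left and policy-recommendation items under Usability talk about least-permissive, per-application policies expressed through the Kubernetes resource model. As a concrete illustration, here is a worked KubeArmorPolicy of that kind. It is an added example written for this page, not a policy taken from the KubeArmor project or from the policy-templates repository; the workload name, namespace, labels, binary path and config directory are hypothetical and would come from observing the application in CI.

```yaml
# Added example (hypothetical workload): an allow-list policy for one
# application, the shape of artefact a CI/CD step would generate and
# `kubectl apply` alongside the deployment.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: billing-api-least-privilege   # hypothetical name
  namespace: billing                  # hypothetical namespace
spec:
  severity: 7
  tags: ["least-privilege", "shift-left"]
  message: "billing-api: execution or file access outside its allow-list"
  selector:
    matchLabels:
      app: billing-api                # hypothetical label on the pods
  process:
    matchPaths:
      # Only the application binary itself may execute in this workload.
      - path: /usr/local/bin/billing-api   # hypothetical path
  file:
    matchPaths:
      # CA bundle is needed for outbound TLS, read-only.
      - path: /etc/ssl/certs/ca-certificates.crt
        readOnly: true
    matchDirectories:
      # Application config is mounted here; read-only, including subdirs.
      - dir: /app/config/                # hypothetical mount point
        recursive: true
        readOnly: true
  network:
    matchProtocols:
      - protocol: tcp
  action: Allow
```

Because the rules use `action: Allow`, they define what the workload is permitted to do; what happens to process executions, file accesses and protocols not on the list (audit-only or block) is governed by KubeArmor's default posture setting for the namespace or cluster, not by this file. That is the "secure defaults" transition referenced under Deployment and Access: the same policy is merely logged under an audit posture and enforced under a block posture, so a team can roll it out in audit mode first, review the alerts (for example with `karmor logs`), and switch the posture once the allow-list is known to be complete.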