Description
Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Security TAG Closing - Dan Papandrea, Sysdig + STAG Leadership Team
We'll be wrapping up Cloud Native Security Con with a presentation from the Security TAG featuring highlights of their existing work, future work, and how to get involved.
A: […] tirelessly for the past six months to pull this capture the flag and talk track lineup together as we had. But besides that, there is a bunch of things we do, let's say not as much as a community but more as a society of security-conscious individuals. Brandon, if you share with the audience, what are some of the other things we do? What do we do? Why are we doing this? For…
B: Yeah, so TAG Security, part of the CNCF, you know, we have, I mean, charters to kind of improve cloud native security, create common tooling, making sure that we come together as a community. We work together, we define goals and kind of move towards those as a community, and make sure that we collaborate on efforts. So, besides the usual things, you know, we have our weekly meetings.
B: You know, we have folks coming in from different areas with different expertise, whether you're someone that is very technical, whether you're someone that loves design, loves writing. You know, there's a place for everyone. We do white papers, we do catalogs, and I think we'll go through some of them soon. Right, so, and…
A: It's said, like, talking and not doing is the same as doing nothing, or learning and not doing, it's not something you retain with you. So most of our work streams and initiatives are centered around artifacts that we can externalize and share with the community, that can capture the tension around security as representatively as possible. The Cloud Native Security White Paper, an initiative led by Brandon, is a great example of that.
B: Yeah, a lot of what we do, even the white paper, these are things that are, like, we like to call them living documents, right? Everything that we turn out as a group is kind of always evolving. You know, technology is moving really quickly, so everything in this paper is up in GitHub. You can create a PR. You can find something cool, maybe something new in supply chain. You know, you want to add it.
A: And if you're here, you clearly have an interest in security. That said, security can be intimidating, particularly when we're talking about formal verification, a very advanced subject, the last talk we had. But we want to make it relatable. We want to lower the barrier of entry. We want to make it accessible so that you can wrap your head around the different projects and have a good new-user experience, and that you can shorten the path of, well…
C: You know what's going on in the cloud native world, but also from a security perspective, so we welcome you. And, you know, we do, like Andres said, there's a lot of things like white papers, and there's also kind of, you know, vulnerability assessments and all those things you can volunteer to do. So please get involved.
B: Yeah, and on top of what Pop just said, you know, we have our mailing list. Slack is still, like, our main communications. The leadership team, you know, all the TLs, all the co-chairs, are very friendly, just feel free to Slack us. There's nothing that, you know, that's not… there's no such thing as a stupid anything, that's too small, right? Every contribution really adds up, and one of the things, for example, is we just went by the supply chain catalog.
A: To paraphrase the great Ian Coldwater, often it's more about showing up. Sometimes we don't know where to get started, how to contribute. But people you see as leaders in the community are people who attend the meetings, have a particular interest or passion to tackle something, and they go for that, and then they might move to something else. I was really bummed about Tiffany Jordan and John Shell, who had a session on the schedule, Accidental Security Leaders, on their journey of how they found themselves driving strategy and secure software supply chain as a matter of just being part, listening to the conversations, helping other folks navigate that. So yeah, just flip super quick through other things we do.
C: There's a lot of stuff there, and again, people are doing a lot of amazing things. And by the way, just one quick shout out to Andrew Martin, who braved coming across the Atlantic to come visit his friends and take care of the CTF. I mean, you have been the engine behind this whole thing, you and your group, so do you want to speak a little? English, you know, the English. Are you… the UK. Excellent, for everyone.
D: Yes, precisely. I enjoyed the Croatian sun for a couple of weeks. Yeah, I mean, again, just to amplify some of the things you guys said, joining the meetings and, like, seeing these people who've, like, published papers and done security research can be really intimidating, but it is just about showing up, contributing and actually listening to what people… listening to how people think is so instructive to understand where they sort of derived their security perspective from. A lot of the threat modelling things that the group generates are just preeminent, really, really, again, very insightful. Yeah, and I have to thank my team at ControlPlane for all the hard work they've done on the CTF. We've had, I think, up to like 10 people rotating in and out. We ended up with about 60 players of the game. If anybody would like a special edition, I believe from the artistic hand of Emily herself, yeah, special edition stickers to certify playing the CTF.
D: I've got a bunch, so please do, please do come and tap me up. And yeah, a few people asked if they can kind of play the scenarios another time. We will do another kind of community-flavored version of this, because I think some of them were a little bit, maybe a little bit crazy difficult. Our red team, I left them alone for a week and, yeah, they tried to build, like, engagement-realistic scenarios. So I will do something again, just tap us up somehow on Twitter or whatever, and I guess we'll put an invite out in sig-security as well, because there's another three challenges of kind of increasing difficulty.
A: There's a question I'd like to ask you. So people typically leave Security Con or the CTF super excited, they geeked out. They come back to work and they struggle to relate this to other people and convince them of how to bring this. Like, what advice do we have for folks? What to reference? What can they reuse, what can they bring home and to the workplace with them?
D: I think it's going into print today, so it'll be on O'Reilly in the next sort of three weeks. It's there on early access too. I think using real-world examples to demonstrate. Actually, one of the things I've had to do in my career as a consultant, a lot of times, was to actually demonstrate CVEs, to have a VM on the right kernel version to say: oh, look, you can, like, the runc breakout, for example. Containers are not impenetrable, it's the same for hypervisors, like everything has been attacked, but you just need to get, often, people with no kind of hands-on experience into the headspace where they can see there are viable chains of attacks, or computers are broken, shut down the internet.
C: So we're gonna hand it over to Brandon to talk about security assessments. We're almost done. We're almost done.
B: All right, so one of the activities our group does, and this just started way early on, I think this was more than two years we've been doing this, is security assessments. The idea behind security assessments is we want to help, you know, evaluate the security posture of the different CNCF projects. We want to be able to provide a kind of perspective of how they fit into the cloud native security ecosystem and kind of the security concerns coming from an adoption standpoint. You know, if I'm interested in something like OPA, I'm interested in using something like Custodian.
B: Yeah, so we have a ton of interesting reviews coming up. It's a very fun process. It's like two, three weeks intensive, go through the project back and forth with the project maintainers. If it's a project that you've been wanting to find out about but, you know, haven't had the time, it's a good, like, two weeks: get in there, go really deep, and then write a bunch of things about it. So we are always looking for more reviewers. Feel free to just mention on Slack, say that I want to review something, I'm interested. You know, you don't have to be really deep technically; it really is about, you know, assessing the security posture overall of the project.
A: Another way that audits are extremely helpful is it's really easy to check out code from GitHub and do a proof of concept with it, but it's a really hard job to convince your security peers of what are the failure modes of this technology when put in place into our infrastructure. What are the security attributes? What are the compensating controls? So we try to front-load that for the community, so we really scrutinize all the security aspects. We produce documentation. We produce a threat model. We help certify the projects towards the Core Infrastructure Best Practices badge, to attest that they follow secure software development best practices, and we provide a lot of consideration around sharp edges. So if you're looking to adopt any of these really, like, bleeding-edge, sharp security tools, we want to make that, well, easy for you, and make sure that it doesn't stall within an internal audit or review, because, well, as a community, others have gone through this process and we're all crowdsourcing that knowledge. There's opportunity for career development. We help out the CNCF in developing certifications. Most recently we did the CKS with them. I see some faces in the audience who've taken the test. Another great opportunity to showcase your expertise and help other folks, like, up-level their skill set.
C: Look, I mean, there is a survey that was done. There's a skills gap, I mean, the Linux Foundation did it, out there. It's like 97% of employers say they can't find folks with open source experience. If you don't have these certifications, you are less marketable than you would be otherwise. So please explore these as options. We get… I get nothing for saying anything about that, but at the end of the day, CKS, CKA, CKAD, all those things are good things for your careers.
A: We like to keep our finger on the pulse and restate our assumptions. What's the actual state of things? Are these technologies actually getting the traction that we presume they are, because we're so close to the problem? So we survey the ecosystem often. Here are a couple of links to the surveys that are put out there.
B: Yeah, one of them was actually released today. It talks about some of the concerns today around, you know, not only just supply chain. You talk about vulnerability management, secrets management; it also talks a little bit about edge security and what's important. So this is hot off the press today, yeah.
A: Yeah, so awareness through effort, that's all that we're really after, for we understand the pressure, the risk that it… That was our very last slide. I appreciate it, so it was timely.
C: Of love. So I want to kind of end this kind of like we started. Security is not a single vendor. It's not a single project. It takes a community to look at these, look at security as a whole, and be able to address these things. We want to see more of your involvement. How can we help? How can we do this all together? Thank you so much for being part of our first Cloud Native Security Day. Con, excuse me, Cloud Native Security Con. Is that what we're calling it? Okay.