►
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2021 Virtual from May 4–7, 2021. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Event Wrap Up - Andrew Martin, Emily Fox, Brandon Lum, Jeyappragash Jeyakeerthi
A
Hello,
everyone,
I
hope
you
guys
had
an
excellent
cloud
native
security
day.
I
know
I
did.
Unfortunately,
I
didn't
get
a
chance
to
participate
in
the
ctf,
because
I
was
so
busy
reading
through
all
the
chats
and
listening
to
all
the
amazing
talks
from
our
fabulous
speakers
and
helping
out
to
everybody
that
reached
out
for
assistance
either
through
the
slack
channels
or
through
direct
messages.
A
So
we're
gonna
talk
a
little
bit
more
about
security
and
how
you
can
get
involved
with
this
awesome
group
of
people
as
well,
as
do
a
full
day,
event:
recap
and
open
everything
up
for
q,
a
in
case
you're
curious
about
anything
else
going
on
with
sig
security
or
if
you've
got
questions
about
anything
associated
with
cloud
native
security.
We've
got
some
great
stuff
coming
up
for
you,
so
brandon.
B
Thank
you
emily
awesome,
so
I'm
just
going
to
go
through
a
couple
of
slides,
so
I'm
going
to
tell
you
a
little
bit
more
about
security
on
top
of
what
emily
has
already
shared
this
morning
and
then
we're
going
to
go
into
the
discussions
so
awesome.
What
do
we
have
for
sec
security,
so
emily
covered
in
the
morning
a
little
bit
about
presentations
and
discussions?
B
B
So
another
big
thing
that
we
have
is
the
supply
chain
catalog.
This
was
something
that
was
created
a
while
back
by
by
santiago
and
a
couple
others,
and
there
was
a
lot
of
interest
in
the
supply
chain
problems
in
security.
Today
we
even
had
a
breakout
hallway
track
session
on
that,
and
I
think
there
were
a
lot
of
interesting
things
that
were
put
in
there.
I
think
there
was
even
a
paper.
B
It
was
called
the
backstabbers
knives
collection
or
something
also
paper
is
definitely
something
to
read
it's
a
cool
title,
so
this
catalog
is
commonly
maintained.
So
I
think,
based
on
the
the
number
of
resources
that
were
posted
in
the
channel,
if
you
see
that
there's
something
they're
missing,
that's
missing
for
the
catalog
or
we
can
make
improvements
to
it.
B
B
B
There's
a
lot
of
interaction
to
the
tlc
and
helping
them
provide
recommendations
on
what
is
a
project's
security
posture
as
well
as
as
a
secure
if
it's
security
project,
for
example,
how
does
it
really
fit
into
the
cncf
ecosystem
and
the
the
output
of
this
project
is
a
security
document
which
you
know
we
for
these
projects
that
we've
already
done.
It
is
a
document
where,
if
you're
interested
in
the
project-
or
you
have
been
looking
at
one
of
these
projects,
for
example,
oprah
and
you're-
not
sure
like-
where
do
you?
B
B
Security
assessments
are
also
a
good
way
to
engage
in
the
community.
Usually,
assessments
are
scoped
about
two
about
four
weeks
total,
where
two
weeks
of
it
is
the
main
review
and
assessment
and
the
rest
is
kind
of
putting
together
everything
at
the
end
and
then
looking
up
a
summary
of
what
the
recommendations
are.
B
So
it's
very
nicely
scoped.
Usually
we
have
405
reviews
assessment,
and
so
this
is
open
to
to
everyone.
If
you're
someone
that
is
new
to
this
or
would
like
to
learn,
we
have
opportunities
to
kind
of
shadow,
to
kind
of
join
the
channel
to
see
what's
happening
with
the
security
assessments
and
if
you're
someone
that's
experienced
with
this
definitely
come.
Take
a
look
and
it'll
be
great
to
have
more
people
on
board.
B
B
B
B
B
So
if
you
actually
go
to
a
the
github
repo
and
you
go
into
issues
if
you've
seen
anything
in
the
previous
slides
that
you're
interested
in,
for
example,
you
wanna
present
something
about
your
project
to
the
group
or
talk
about.
You
know
the
security
practices
within
your
organization.
You
can,
you
can
create
an
issue
for
presentation
and
then
you
know
we'll
start
out
the
logistics
to
do
that.
B
So
with
that,
I'm
gonna
wrap
up
this.
This
part
of
the
closing,
like
I
mentioned
multiple
times
before
everything
is
on
the
github.
So
if,
if,
if
you
remember
one
thing
just
go
to
the
github
cncf
security,
our
meeting
times
are
on
wednesday
and
we
have
a
sac
link
over
here
of
which
is
part
of
the
cncf
site
and
don't
forget
to
sign
up
for
our
mailing
list.
A
B
C
B
B
B
A
You
have
to
work
on
them
a
little
bit.
You
have
to
build
that
defense
and
depth
mentality
across
your
organization.
This
is
not
just
going
to
be
runtime
security.
That's
a
concern!
It's
going
to
be
all
along
your
supply
chain,
it's
going
to
be
through
your
build!
It's
going
to
be
through
your
pipeline.
All
of
that
jj.
What
about.
C
C
C
C
B
Yeah-
and
I
think
I
think
also
jj
talked
about
you-
know
the
modern,
modern
cloud
deployments
and
also
emily
talked
about
you
know
just
having
to
juggle
different
aspects
of
security,
but
then
you
know
even
like
in
the
the
chat
governance.
Lightning
talk
where
we
talked
about.
You
know
it's
not
even
just
different
components
of
your
security
ecosystem,
but
when
you
have
multiple
parties
involved,
like
your
cloud
provider,
you
know
how
do
you
make
sure
that
you
have
proper
governance
of
that?
B
C
Yeah
policy
distribution
at
scale
computed
with
performance
is
it's
going
to
be
a
challenge
and
the
more
the
computes
are
not
under
your
control,
the
more
faster
you
want
to
like
evaluate
the
security
policies,
and
it
needs
to
happen
closer
to
the
edge.
So
it's
going
to
be
a
that
is
something
that
actually
was.
It's
still
fascinating
and
I
think
it
should.
C
A
So
we
actually
got
our
first
question.
One
of
our
sig
security
members
decided
to
ask
it
so
bushkara
wants
to
know
what
are
our
recommendations
for
security
related
talks
to
attend
for
the
rest
of
kubecon,
and
I
can
only
assume
that
he's
asking
that,
because
he's
so
in
love
with
all
the
security
talks
that
we
had
today
at
cloud
native
security
day,
and
he
can't
quite
get
enough
of
it,
as
we've
seen
in
some
of
the
other
slack
channels
talking
about
security
day,
so
brandon.
B
C
B
Yeah,
I'm
just
looking
through
it
quickly.
I
think
there
are
a
few
few
things
that
could
be
interesting,
anything
which
is
kind
of
like
bypassing
security
mechanisms.
I
think
you
know
the
one
that
that
the
google
team
did
a
couple
coupons
back
on,
like
jumping
between
notes
that
one
was
cool,
so
there's
a
there's
another
one
called
bypass
falco,
so
I
think
this
could
be
cool.
You
know
it's
going
to
touch
on
a
lot
of
the
the
the
stuff
that
we
just
talked
about.
B
A
C
A
There's
just
so
many
and
that's
what
one
of
the
nice
things
is
that
we're
starting
to
see
more
security,
focused
talks
with
or
even
just
regular
technical
talks
with,
the
security
bend
to
them,
which
is
fabulous
and
that's
something
that
we
want
to
see
from
the
community
but
yeah.
I
actually
have
my
schedule
viewable.
So
if
you
are
friends
with
me
in
sketch,
you
can
check
out
and
see
which
sessions
I'm
going
to
if
you're
interested.
B
A
Yeah
we
got
another
question
for
compliance
automation.
Do
we
have
any
recommendations
for
a
specific
session?
I
I
would
like
to
point
out
that
we
had
some
excellent
compliance
check
coverage
today
with
oppa.
I
think
there
was
at
least
three
talks
discussed
today
that
mentioned
opa
or
talked
about
policy
enforcement
and
automation
of
policy
roles.
C
C
Anything
that's
been
defined
yesterday
doesn't
actually
apply
today
and
it's
it's.
It's
good
to
have
a
scriptable
compliance
story
to
go
with,
but
what
you
want
to
know
is
like
what
how
do
you
verify
validate
and
then
how
do
you
basically
assert
what
you
have
sets
what's
happening
in
the
system
when
the
infrastructure
itself
is
changing
when
computes
are
not
the
thing
that
you
actually
own
this,
it's
a
to
a
large
extent.
C
B
Yeah,
I
think
there
are
like
two
two
or
more
over
talks
in
the
security
track,
but
but
while
we're
on
this,
I
think
a
couple
other
sessions
that
our
topics
you
know
outside
kubecon,
you
know
oscar,
is
one
of
them
and
also
just
my
personal
way,
to
kind
of
like
look
into
the
compliance.
One
of
the
things
that
I
like
doing
is
a
lot
of
these.
B
A
Yeah,
you
actually
brought
up
a
good
point,
and
this
is
something
that
we
back.
We've
talked
about
quite
a
bit
in
the
sig
is
that
security
and
compliance
are
often
lumped
together
and
they
don't
always
mean
the
same
thing.
You
can
be
more
secure
in
some
cases
through
implementing
compliance
controls,
but
you're
not
always
going
to
be
compliant
when
you're
just
implementing
security
out
of
the
gate.
C
B
A
Definitely
for
sure
what
else
did
you
guys
like
the
most
about
security
day
overall,
mostly
because
I've
been
so
close
to
the
cloud
native
security
white
paper
and
getting
that
wrapped
up?
It
was
really
nice
to
see
that
almost
every
single
one
of
the
talks
were
entirely
about
cloud
native
security
end
to
end,
or
at
least
how
you
manage,
or
deal
with
a
particular
problem
area
in
cloud
native
security.
A
It's
I
talked
specifically
about
dynamic
image
security
scanning
and
how
that
fits
into
your
life
cycle,
which
we
talk
about
in
the
paper
as
well,
alfie
and
nick
talking
about
the
importance
of
your
data
source
and
the
benefits
of
understanding.
What
the
data
gives
you
for
cloud
native
security
kelly
talked
about
security,
theater,
which
I
think
a
lot
of
us
are
very
familiar
with,
and
the
list
just
goes
on
and
on.
A
B
B
Oh
I'm
just
going
to
put
some
scanning
stuff,
and
then
I
have
the
ci
and
have
my
cluster
and
our
bank,
and
I
find
right
we're
going
to
be
seeing
a
lot
of
more
advanced
problems
right.
That's
why
we
have
cartographer.
You
know
we're
looking
at
service
mesh.
We
look
at
you
know
how
do
I
having
service
mesh
site
cars
and
and
authorization
kafka
right?
B
How
do
I
bring
it
all
together
in
a
place
that
makes
sense
we're
not
just
talking
about
simple
basic
controls,
but
you
know
how
do
we
tie
the
entire
security
picture
together?
So
I
think
that
that's
what
I
I
got
excited
about,
especially
about
the
hardware
stuff,
but
I
you
know
I'm
curious
to
hear
from
everyone
as
well.
You
know
what
kind
of
future
topics
that
we
can
really
go
into.
What's
interesting,
what
are
the
new
requirements
that
we're,
seeing
as
we
are
getting
more
and
more
workloads
moving
to
accommodative.
C
Yeah,
I
mean
one
of
the
talk
related
to
that
that
reminded
me
of
is
the
defenders
thinking
list
attackers
think
and
grab
that
one
was
a
yeah
yeah.
There
are
like
multiple
people
that
talked
about
that
as
well
before
this
isn't
the
first
time,
but
it's
just
fascinating
for,
as
as
the
services
get
more
distributed,
as
the
services
are
running
everywhere,
the
difference
mechanism
of
early
days
of
like
just
making
it
perimeter-based
security
doesn't
actually
really
work.
C
Applications
either
compliance
verifications
or
even
application
of
authorization
policies
that
thinks
about
it
in
a
graph
based
way.
It's
probably
a
directionally
right
thing
to
do
might
be
too
early.
To
be
honest,
I
think
it's
still
still
a
lot
to
be
decided
in
terms
of
performance
when
you're
evaluating
in
that
zone,
but
directionally.
I
think
that's
probably
a
good
good
way
to
think
through
security.
A
Yeah,
I
think
one
of
the
interesting
things
that
we
got
a
lot
of
is
you're
just
because
you're
doing
containers
doesn't
necessarily
mean
you're
secure,
and
we
saw
that
through
this
etf
and
it's
unfortunate
that
andrew
handed
trump
offline.
But
if
you
were
online
before
he
did
a
wrap-up
of
the
ctf
and
he
went
through
all
of
the
all
the
challenges
and
the
flags-
and
this
was
our
first
time
doing
this
etf
as
part
of
cloud
native
security
day.
A
B
A
That's
right,
but
exactly
right,
but
yeah.
The
container
security
is
super
important,
but
container
security.
Isn't
the
only
thing
that's
going
on
in
the
cloud
native
space
we
had
a
presentation
at
one
of
the
cigs
recently
about
serverless
security
from
the
cloud
native
security
alliance
and
as
of
late
I
mean
I've
been
getting
a
lot
of
newsletters
from
various
sources
about
things
that
are
going
on
in
the
security
landscape
and
serverless
security
has
pretty
much
come
up
in
the
last
10
emails
about
it
that
I've
gotten.
So
I'm
I'm
curious.
B
C
B
C
A
A
All
right:
well,
I
will
go
ahead
and
wrap
things
up.
I
want
to
thank
everybody
for
joining
us
for
cloud
native
security
day,
north
america
2020.
Thank
you
brandon.
Thank
you,
jj.
Thank
you
all
of
the
cncf
staff
that
helped
make
this
possible,
as
well
as
the
cloud
native
security
day
program
committee.
Without
all
of
you
here
attending
the
event
and
volunteering
and
helping
out,
we
could
not
make
this
possible.
So
thank
you
all
so
much.
I
hope
you
had
a
wonderful
day.