Closing + CTF Wrap Up - Brandon Lum, Google; Andy Martin, ControlPlane

B: Good afternoon. Hi, I'm Andy. We have one more co-chair who's not with us today, and we'll introduce her and the rest of the people who have facilitated and made today possible, as we wrap up the day, the CTF, and set you up for the rest of the week.

B: So yeah, I'm really proud to have recently been voted in as a co-chair of TAG Security, so I'm here resting on the laurels of other people this time round. There's a lot of hard work that goes into these events. We have Brandon, of course, Radnor as well.

B: We operate on a tech lead and sort of nominative basis. So right now we have the three reputable individuals Andres, Attusion, Pushkar, and this means that in this position these individuals take initiatives forwards. They propose things, they help to shepherd things through, and we'll look at some of the great work that people have been doing. And we have just nominated another round of excellent tech lead colleagues: we have Michael Lieberman, Marina Moore and Ragashra Shekhar.

A: All right, so, besides Security Con that we do, well, it used to be called Security Day. We started this about three, four years ago, and it started off as a single day, single track event, to now, where we've gone through, like, two days. We have a CTF going on alongside, so we've really evolved this and we're kind of growing this a little bit more, and we're kind of excited to see where this can go. But besides that, we also do both technical work.

A: In terms of, like, writing white papers, we do write down documents about best practices, as you've seen in yesterday's presentation on how to use these security supply chain best practices, integrating them into the supply chain pipelines in your organizations. So just to share a few. These are some of the new releases that we had.

A: The community has been working together. We have multiple working groups: we have a serverless working group, we have a supply chain working group, a controls working group, and so these are some of the new documents that are coming out this week for KubeCon EU. So we have the Secure Software Factory reference architecture paper. Originally we had the best practices paper. The reference architecture paper really tells you: how do you go about actually building a secure build?

A: If the EO is something that you're looking to target and meet the requirements of, we talk about ransomware, we talk about GitOps, you talk about EU regulations and all that. We have the TAG Security NIST controls mappings, which maps the original security white paper to NIST 800-53, and also for those that have not seen the first white paper and you want to get more, like, you like audiobooks.

B: And there are lots of things coming up. The Open Source Summit in North America, Austin, Texas next month will feature a new event: the Global Security Vulnerability Summit. This is an attempt to answer the perennial question: what do we do with the backlog of CVEs that we're collecting as an industry? There has to be a better way to do it than we do it now.

A: Yeah, we also have the cognitive service, serverless security white paper that we had a panel on earlier, and so this is currently in public RFC. So we are gathering all your input to tell us, like, what are you looking for in serverless security? Are we missing some things that should be talked about? We're also working, and a lot of the issues that you see here are new.

A: We are starting to work on them, so if you see anything that you're interested in, we're going to talk a little bit later on how you can get involved. One thing that the supply chain working group is working on is creating cloud native SBOM guidance, right. We talk about SBOMs, we talk about generating SBOMs, but why are you supposed to generate them, who's responsible for generating SBOMs? And so the effort is to kind of be able to provide guidance on, for cloud-native technologies, what should we do.

B: Then we have the NIST security controls mapping, again looking to help implementers and people working at the coalface to implement sometimes difficult compliance or auditory regulations. This will give us a view on how to move forward, take advice from colleagues and people who've implemented these kinds of things before. The supply chain best practices: again, a collection of volunteers and interesting minds put together this paper, which is technical detail on how best to secure our supply chains end-to-end, looking kind of farm-to-table, or end-user device to production, and looking to tie it together.

B: And so what we'll do, in an effort to make this obvious and repeatable, we'll take an example CNCF product (project, rather) and we will put it into the Secure Software Factory. We will apply the best practices to its configuration, to its CI/CD, to its contributor framework, and give what is essentially a cookie-cutter reference implementation of "this is what we think good looks like", and then again do this in a community aspect and allow it to then be critiqued. We can all feed back and then find a shared understanding, and hopefully move ourselves forward.

B: Then some really interesting things here. These are some of my particular favorites. The guidance on container breakout vulnerabilities. There have been a lot of kernel-related escapes recently. We look at things like Dirty Pipe: very quick, a zero day dropped without much of an embargo.

B: These things require very real and immediate remediation, and we're looking to put together a framework again to help understand these, to help move us forward quickly. And then finally, many projects come into TAG Security with a request for an appraisal and audit, a security review of some description.

B: Part of this, and something very dear to my heart, is a lightweight threat modeling exercise. This looks at the broad question, the catastrophization: what could possibly go wrong? What are we going to do about that thing that goes wrong? And then we iterate and loop around there so that we can apply security controls in an order of precedence based on impact, based on risk, based upon what we think.

B: With that, I'd like to invite our esteemed CTF runners, Lewis and James, to run us through how the CTF went today.

C: Thank you, Andy. Hey everyone. I hope, if you've got a cluster for the CTF, you enjoyed it. First of all, we had unprecedented demand. Yeah, we spun up over, well, 50 instances for users, so with 50, that meant that we spun up three clusters each. Now, those three clusters had different scenarios; each of those had five nodes, so we've just spun up over 800 VMs.

C: Some of them were working as we expected, some of them may, but yes. And so to that, I would like to say first of all thank you to James CP. If you've seen us sat outside, you might see, you're like, why are those guys so stressed? Well, yeah, it's, yeah, SRE on conference Wi-Fi trying to manage misconfigured clusters. It's been phenomenal. So our scenarios today, these were brand new scenarios exclusively for this event.

C: We're not going to give you all the answers right now. If you want answers, come and find us tomorrow, we're happy to talk to you about them. But our first cluster was inspired by the movie Back to the Future. If anyone's seen that, did anyone reference the age of the VMs that you're using to begin with? If not, come and find us tomorrow, we'll give you some more of them.

D: Lewis, so the Quiet Place scenario was based on the film A Quiet Place. As some of you may have found, we had a runtime detection agent trying to prevent users doing bits in the cluster. So the idea was it modeled a sort of more red team-styled scenario where you were the attacker trying to evade any protections that the blue team had put in place.

C: Scoreboard available; if not, you can have a look online. Yes, so tomorrow, well, the next three days, James and I, well, tomorrow morning, James and I, we're gonna have a lie-in. There's not been much sleep, it's been! Yes, it's been intense, but we're going to be at the booth. Now, we like to solve difficult problems. If this CTF has inspired you, if this has inspired you to get started with CTFs, with security, then please come and talk to us.

C: If you think we could have done hard, if we could have done better, if you've got an idea, come and talk to us. It's all about, we just, we like to solve hard problems, and so please come and discuss that with us. Did we have a scoreboard? No, we don't, but, oh, no worries. So we had to, you, well, I passed it to you just to announce the two winners.

D: All right, cheers. Yeah, a couple of honorable mentions at this stage for Smarticus and Skybound for being the two highest users on the scoreboard and getting a couple of flags that no one else did. What are you guys?

C: And to that, there were two flags that weren't associated with the CTF: no one got the OS flag. So the OS flag was for OSINT, which you simply had to ask Iva, James, Roy, "what's the flag?", and no one asked us for a flag. So no one got that one. So try harder on that next time. And the other one was the elite flag. Did anyone get the elite flag in here? Can anyone figure out what the leaf flag was? So we got someone? Did you figure out what it was for?

C: I can't hear you, but I think you just said to say thank you, and so anyone who came up to us to say thank you, we gave them the leap flag, and equally more people did. And to that is the basis of these events: everyone around here. So we've worked with Lindsay as well to do this, so everyone who's been here to make this event happen.

A: Awesome, so I hope everyone had fun. It was a great conference. If you want to get more involved with CNCF TAG Security, we have a session on Friday. You can drop by, but if you're not going to stay for the entire con, we have multiple ways you can get started. Everything that we do is pretty much on GitHub, so github.com/cncf/tag-security.

A: We have a mailing list; check out all the issues. We have weekly meetings on Wednesdays. We are also on the CNCF Slack and on Twitter as well, so give it a moment, did I, folks, take a picture of this, but all this is on the sites, uploaded as well. And before we go, a big thank you again to our program committee for Security Con. They've done a lot to make sure that we get all the exciting topics.