From YouTube: Closing: "And, That's a wrap!" - Marina Moore + Ragashree M C, Andrew Martin, James Cleverley-Prance
Description
Closing: "And, That's a wrap!" - Marina Moore + Ragashree M C, Event Program Chairs & Andrew Martin + James Cleverley-Prance, CTF
A
So that's a wrap. I hope you enjoyed the event, no matter how chilly it got at times or how pitchy it got at times. So thank you so much for attending. I know some of you flew abroad, and some of you walked a lot, and some of us talked a lot and annoyed you. So thank you so much for staying, and I don't know how to use this, but I hope I'm using it right. Yeah. So thank you so much for attending the con, and it would not have happened without you.
A
We did this for you, and if you enjoyed it and share with us the opinion and all the yays or nahs, that'll be great. So thank you so much, and I'd like to now go ahead and thank the sponsors. We have our Diamond sponsors: Red Hat, Sysdig, Uptycs and VMware Tanzu. We have a Platinum sponsor, Apiiro, and we have our Gold sponsors as well. So thank you so much.
A
We would not have been able to do it without you, and we also have our wonderful program committee, who were here to curate all the wonderful talks that you listened to and provide you with the right agenda, right content. So we were right on top of it for the last few months. So thank you so much to everybody, and there are a lot of members that are not mentioned here, be it the CTF team or the events team, or anybody who really advised us and got us moving. Thank you.
B
Thank you very much. So the last couple of days we've been running a CTF event here. Yesterday we ran a couple of introduction workshops, and today we had an all-day event. Just a couple of numbers on screen: we had 50 clusters, 80 flags, 11 hints, 560 total points possible and 74 flag submissions puppies. Thank you.
B
So we can see it was a pretty tightly fought event, which is really good to see. We actually had a lot of collaboration this year, which is great, lots of people working in teams, and the top four users were.
B
So thanks everyone who played. We welcome any feedback and, if you're interested in the solutions, please come and talk to us. Thanks.
C
Let's talk briefly, if you haven't heard it before, about TAG Security: who we are, what we do and why we care so much about trying to raise the bar for cloud native security. We have a repository. Everything we do is GitHub driven. We are modern, developer flow focused. We come from a practitioner background instead of an abstract, ethereal security, deployment-stopping background, and really we're looking to work with projects to enhance their security and dispel some of the latter old security practices which involve, perhaps, floods, fear of deployment.
C
Instead, we prefer to deploy regularly and enshrine modern development practices. So what does that mean? It means we are a voluntary and community-based organization. Of course the Linux Foundation runs KubeCon. We are under the CNCF, the Cloud Native Computing Foundation, but we operate with our own editorial independence, I suppose, from one perspective, which means that we're a collection of, a raggedy collection of voluntary individuals. As you can see, enthusiasts is probably the strongest defining commonality.
C
Many of us are lucky enough to do security for a living. We also welcome people from an educative or academic background, as well as researchers, hobbyists. There is no minimum bar to entry. We're thankful for anybody who chooses to spend their time with us. Goals, really: this concept of strengthening the ecosystem. TAG Security's mandate is under the Technical Oversight Committee of the CNCF, to ensure the products and projects that are looking for that stamp of approval,
C
looking for access to the marketing budget, looking for the reflected associative glory that comes with being in the same foundation as Kubernetes, one of the fastest growing projects in the history of open source, plus the cavalcade of other projects we have with us, are appropriately hardened; that we don't miss the foot guns; that we don't ship things that do not have that minimum standard of technical security quality. We identify gaps. This is part of our threat modeling process that we will talk about. Education is really important. Thank you for arranging and running the CTF today,
C
James. Part of the point of running those sort of things is enshrining the adversarial mindset in defense of security. It's only really possible, from a Sun Tzu perspective, to know your enemy and defend against them with a full understanding of the suite of capabilities an attacker or adversary may have. I hope that we're the kindest, approachable security group in the history of security; you be the judge. We do meet regularly and have very open discourse. There is no nerd sniping going on here. Fostering maturity.
C
This is part of our mandate to help grow the projects in the CNCF. Engaging more communities: we do this intrinsically by virtue of those organizations coming to us as part of that TOC mandate and stepping up through the levels, advancing hopefully to graduate. We're there as part of that path, and we look to collaborate and work in tandem with the projects themselves.
C
Finally, nurturing growth and participation. It is a highfalutin goal. We really want as much contribution. We are the product of, or we are the sum of our parts, really. We are the product of the contributions that people make to us, and we're nothing without the community that builds and supports us. So thank you to everybody who has contributed, and please do throw your hat in the ring.
C
If you would like to understand different security mindsets and different ways of approaching problems, there really is no finer community, in my humble opinion. Our charter: protection of cloud native systems. This is our goal. The advent of all this new technology brings a rush of developers, as we saw at the advent of the cloud native renaissance.
C
The people who are delivering code were writing Golang. Golang is relatively exclusive in terms of language penetration. In 2013 there were not many security engineers writing that language, and so we see incredible utility afforded to developers and operators with some attenuation of security focus because, again, of the complexity of penetration of dealing with a language with concurrency primitives, I suppose. What about Rust, we ask ourselves. The Rust Foundation is interested. We're yet to see a lot of Rust
C
turning up in the CNCF. Perhaps you can correct me, but yes, as it advances, we will also be looking for Rust security practitioners, because that is certainly somewhere that we do not currently have strong representation. It is exactly the same problem. The long tail of the short entrance to.
C
The humble brag from Mr Cappos is that we have two implementations of The Update Framework, one of the first security projects to come through TAG Security with published security properties and a known attack and defense surface. But yes, please, anybody interested in helping the ecosystem: we are raising the bar of security, universally.
C
We have next: helping developers meet security requirements. These are the abstract, sometimes, security requirements that developers find hard to reconcile with genuine implementations. This is where we can provide value. We've been through this process multiple times, and we look to minimize the friction involved with implementing, again, these abstract security properties. And common tooling.
C
You can try and implement other things, but when there is a gap in the market, where there is innovation, when there is the bleeding edge, instead of allowing adopters to be cut on that bleeding edge, we provide them with, for example, in this case, a matrix of compromise, an attack matrix. What happens when an attacker has this level of access to your system? These are the security properties that still remain. These are those that you should mitigate with other controls.
C
I advise you, if you're interested, to look through that work as an entry point to understanding the capabilities of some of the people that I'm lucky enough to work with. With that, thanks to my co-chair Brandon Lum, who is here today; Aradhna, who also spends a huge amount of time working in the team. We're lucky to have an active and vocal tech lead community. We welcome Mr Justin Cappos back after hiatus; very pleased to have you with us again.
C
We have Andres here. Pushkar's in the room, I hope, somewhere, or at least was and is around, and we have, of course, then Michael Lieberman, who is also our interface into the OpenSSF and into the SLSA steering committee. And then I'm lucky to be joined on stage by Marina and Raga, who have joined us recently. We also have Matthew, who perhaps isn't here but is working actively on a complex threat model dealing with Argo CD. This is how modern GitOps-based deployments occur.
C
We also have, as we'll see coming up, work with Flux and GitOps in general, cert-manager. Again, huge thanks to the team, and I will pass over to Marina.
D
All right, thank you. So I'll talk a little bit next about a couple of the projects that the TAG is currently involved in. So here's a quick highlight of some new projects, some things that just finished. So there's the cloud native security white paper. We have a version two of that white paper that was recently released, as well as an audio version of the white paper that's available online for folks who prefer to consume it in the audio format. Another white paper that was recently released was the supply chain security white paper.
D
So that's also available. These slides will be available when they have links to all of these projects; they're also available on GitHub. And the other breaking project is this cloud native security controls catalog, which is a catalog on GitHub, where you can access all of the controls and go through those. Some other upcoming projects: these are some in-progress projects. This is a great place to get involved if any of these have your interests, and have open issues on GitHub to track all of the different progress.
D
And then we have the cloud native security controls mappings. There's a couple different versions of that, mapping the cloud native security controls to existing standardization efforts. And we have some security assessments, so lots of ongoing ones here. I think a couple just completed, some linked there that are ongoing or upcoming. And the zero trust white paper is also an in-progress project, another white paper, explaining, focused this time on the zero trust architecture for cloud native, and the V2 of the audio for this cloud native security white paper.
D
So that's kind of what we have ongoing, and again, links to GitHub if anything catches your attention, with lots more detail about all these projects. So I encourage everybody to get involved and join us in whichever version of this, whichever project seems the most interesting to you. And I'm going to pass it on to Raga to talk a bit about where you can jump in, and some kind of quick calls to action for getting involved today.
C
A
Okay, so now that we've established we are the kindest, humblest and the most welcoming community here, and there is a ton of work for everybody. And a recent study, astonishingly, says that there is only one security engineer for every 100 developers, which is a really, really, really less amount of numbers. So we need you. We need you to come join us, collaborate. We're really friendly.
A
We, we are not at all scary, and we're not scary as our vulnerabilities are. So come, join us, and how you could help immediately is by joining and sharing the survey, responding to the survey, and share whatever you know, how supply chain is affecting you. So this really helps us in driving our roadmap as well as derive some key insights on where we can improve. So take a time, take a moment, scan this QR code. Please respond to the survey, and we really will be benefited out of it.
A
I'll pause a moment, so you actually take your phones out and scan this, please. Yeah. All right, and we are active on a number of communities. If Slack is not your cup of tea, then go ahead, check out our GitHub. We have GitHub as our single source of truth. We maintain everything via GitHub. There are a ton of issues. Last I checked it was more than 130, so feel free to check out all our issues. Wherever you want to get involved, just drop a message or drop a comment there and we'll get back to you.
A
We are really active on Twitter as well, as well as our mail lists are active as well. So whichever platform you favor, you can go ahead and get involved. And we meet weekly on Wednesdays in two different time zones, in APAC as well as U.S. time zone, so feel free to join us. Whichever time zone you are, we have a room for you, and if you are sometimes like me, miss on Zoom meets,
A
there is always a YouTube for all our recordings, so feel free to go back, check it out, and whatever you're interested in, come join us. And, more importantly, we are going from colo to solo. So we need your support. Check it out, and the CFPs are open, so submit, and we look forward to seeing you here again in four months. Miss us maybe, but we'll be back in four months. Thank you so much. Thank you from our raccoon.