►
From YouTube: Panel Discussion: Modern App Security Requires Containers – Moderated by Sean Michael Kerner
Description
Want to view more sessions and keep the conversations going? Join us for KubeCon + CloudNativeCon North America in Seattle, December 11 - 13, 2018 (http://bit.ly/KCCNCNA18) or in Shanghai, November 14-15 (http://bit.ly/kccncchina18).
Panel Discussion: Modern App Security Requires Containers – Moderated by Sean Michael Kerner, eWeek (Intermediate Skill Level)
Using containers, enterprises now have strong, secure-by-default primitives available for deploying apps to their infrastructure. Containers are enabling organizations to adopt better engineering practices like immutable infrastructure -- increasing deployment agility and reducing mean time to patch. Companies are thinking strategically about to securely manage their software supply chains. Moderated by eWeek's Senior Editor, Sean Michael Kerner, collaborators in the container ecosystem will share how containers are revolutionizing the way apps are secured and how we can expect container security to evolve in the future. The panel will also touch on open source projects Notary, TUF, SPIFFE, and OPA.
About Sean
Sean Michael Kerner is a senior editor and his coverage of the technology industry appears in Enterprise Networking Planet, eWeek and ServerWatch to name a few. Kerner is also an IT consultant, technology enthusiast and tinkerer, and has been known to spend his spare time immersed in the study of the Klingon language and satellite pictures of Area 51. He has pulled Token Ring, configured NetWare and has been known to compile his own Linux kernel. He consults to industry and media organizations on technology issues. Follow him on Twitter @TechJournalist.
About Maya
Maya Kaczorowski is a Product Manager at Google, working in container security, and was previously the Product Manager for Google Cloud KMS.
About Justin
Justin Cappos is a professor in the Computer Science and Engineering department at New York University. His research includes the TUF project (which is hosted by the Linux Foundation / CNCF), which provides a compromise-resilient mechanism for the secure distribution of software. His research advances are adopted into production use by Docker, git, Python, VMware, Cloudflare, Digital Ocean, most Linux distributions, and many automobiles. Due to the practical impact of his work, Cappos was named to Popular Science's Brilliant 10 list in 2013 recognizing him as one of 10 brilliant scientists under 40.
About Torin
Torin Sandall is the technical lead of the open source Open Policy Agent project. Torin has spent his 10 years as a software engineer working on large-scale distributed systems projects. Torin has recently given talks on policy-related topics in Kubernetes at KubeCon, ContainerDaysPDX, Kubernetes meetups, and more. Prior to working on the Open Policy Agent project, Torin was a Senior Software Engineer at Cyan (acquired by Ciena) where he designed and developed core components of their SDN/NFV platform. Some examples of previous talks: How Netflix Is Solving Authorization At Scale (CloudNativeCon US 17): https://youtu.be/R6tUNpRpdnY?t=1041 Enforcing Bespoke Policies in Kubernetes with Admission Controllers (CloudNativeCon US 17): https://www.youtube.com/watch?v=llDI8VvkUj8 CNCF project proposal for OPA: https://github.com/cncf/toc/pull/71
About David
Lay security developer that has learned a lot of mistakes the hard way. David started off building authentication systems, moved on to encrypted cloud storage for a few years, and is now working on the Security Team at Docker, presently focused on securing software distribution
About Andrew
Andrew is the co-founder of Scytale, who are helping bring SPIFFE into the world. Find out more at https://github.com/spiffe/spiffe Andrew is an engineer, and entrepreneur with a passion for building tools that help bring simplicity to software development. Prior to co-founding Scytale, Andrew was a product manager on Google’s Cloud Platform, launching many of the automation primitives on Google Compute Engine (including Auto-scaling, Managed Instance Groups, and Deployment Manager), helping improve developer workflow with the Spinnaker and Container Builder projects, and helping improve accessibility to developers and operations teams. As an Australian in the San Francisco Bay Area, Andrew spends most of his spare time trying to sell his Midwestern wife on the virtues of Vegemite.
Join us for KubeCon + CloudNativeCon in Barcelona May 20 - 23, Shanghai June 24 - 26, and San Diego November 18 - 21! Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy and all of the other CNCF-hosted projects.
A
B
C
A
God,
I
okay,
coop
con
yeah.
You
see
this
is
what
I'm
already
thinking
ahead
to
cou
con,
but
what
anyways
just
a
public
service
announcement
for
those
of
you
that
haven't
looked
at
your
Google
News
yet
or
open.
Your
Twitter
accounts
reset
your
password,
since
this
is
a
security
session,
because
this
is
nothing
to
do
with
this
panel
directly.
But
your
passwords
were
stored
in
the
clear
and
somebody
might
have
done.
A
Were
not
encrypted
so
yeah
without
bcrypt,
etc,
etcetera,
but
you
can
read
about
it
online,
so
reset
it
or,
more
importantly,
if
you
have
not
implemented
login,
authentication
or
two-factor
authentication,
whether
it's
Twitter
or
anything
else,
I
think,
that's
probably
most
important
thing.
You
can
do
to
improve
security
for
anything.
We're
not
gonna
talk
about
two-factor
authentication
in
this
panel.
So
don't
worry
about
that,
though
I'm
a
big
fan
of
it.
There's
lots
of
security
or
has
been
many
security
talks
at
this
particular
conference.
A
All
of
our
panelists
here
today
have
had
at
least
one
or
more
talks.
Probably
a
few
of
you
in
the
audience
have
been
to
one
or
more
talks.
So
there's
a
lot
of
things,
there's
a
lot
of
things
that
are
right
with
the
kubernetes
and
cloud
native
ecosystem,
there's
a
lot
of
things
that
are
wrong
and
this
pen
we're
going
to
talk
about
what's
right,
what's
wrong,
what's
missing,
what's
next
and
more
importantly,
whatever
questions
you
have,
because
this
is
what
it's
all
about
is
talking
in
collaboration,
etc.
A
E
I'm
Justin
capo,
so
I'm,
a
professor
at
NYU
and
I've,
been
working
along
with
my
team
on
the
update
project
for
actually
about
nine
years
now
we
were
have
been
excited
to
work
with
docker,
community
and
others
on
that
project.
We
also
do
a
lot
with
more
recently
with
software
supply
chain
security,
so
you
might
have
seen
one
of
my
developers
Lucas
who's
here
in
the
audience,
give
a
talk
on
graffia
scene
in
toto
to
learn
more
about
our
in
toto
system.
So
thank
you
and.
C
F
David
Lawrence
I'm,
the
head
of
security
at
docker
I've,
been
there
about
three
years
and
originally
joined
to
build
all
of
our
signing
infrastructure,
which
became
notary,
which
is
a
member
of
the
CNC
F.
It's
based
on
the
work
that
Justin
and
his
research
team
did
in
the
update
framework
and
more
recently
took
over
the
security
team
at
docker
and
kind
of
playing
with
all
of
the
things.
It's
a
lot
of
fun
and.
D
A
Is
great
and
by
the
way
everything
we're
saying
in
this
panel
is
not
a
secret
because
it's
being
recorded,
so
if
there's
something
that
you
want
to
keep
secret,
don't
say
it.
That's
the
best
way
to
keep
your
secret
is
not
to
say
something.
So
that's
just
the
standard
kind
of
good
security,
so
each
the
update
framework,
Notary,
spiffy
and
OPA
are
all
in
various
stages
of
being
CN
CF
projects,
incubated
or
sandbox,
depending
on
how
the
terminology
rolls
out.
A
A
A
Security
Response
Group,
we'll
talk
about
that
at
some
other
point,
but
there's
no
six
security,
necessarily
or
an
integrated
reference
architecture,
because
every
project
within
the
CN
CF
has
its
own
governance
model
and
there
is
no
reference
architecture
which
may
or
may
not
be
a
positive
thing
so
across
the
the
projects.
Has
the
branding
conversations
at
this
point
for
an
integration
or
perhaps
a
reference
architecture.
E
E
So
I
I
will
say
that
the
people
across
the
CN
CF
and
across
the
projects
have
been
communicating
quite
a
bit
and
have
been
talking
quite
a
bit,
so
obviously,
David
and
I
have
have
been
talking
and
working
together
quite
a
long
time.
But
more
recently,
you
know:
I
have
been
working
a
lot
with
members
of
this
50
community
to
do
a
security
audit
and
have
even
though
OPA
is
something
recently
learned
about.
We've
also
had
a
lot
of
discussions
about
perhaps
further
collaborations
and
trying
to
build.
E
B
I
guess
another
thing:
that's
popped
up
the
beginning
of
this
year
was
the
policy
working
group
within
kubernetes.
It's
that's
looking
at
how
you
can
bring
together
a
lot
of
the
different
policies.
Security,
resource
management,
related
related
features
in
kubernetes
to
help
people
secure
and
manage
their
clusters,
because
right
now,
a
lot
of
that
information
is
just
written
down
somewhere
and
no
one
knows
how
to
tie
it
together.
F
Yeah
I
think
the
hoping
a
lot
of
conversations,
but
you
know
the
question
we
get
a
lot
I
would
say
is
like.
Are
there
too
many
security
companies
in
the
space
and
it's
almost
similar
open-source
projects
where,
like
there's
so
many
going
on?
There
are
a
lot
of
conversations
right
every
week,
there's
a
different
project
popping
up.
F
D
I'll
just
add
so:
for
committees
there
is
sick
off
I,
don't
know
if
you're
talking
about
general
for
saying
yeah
but
sing-off
is
really
sick
security.
There
was
a
discussion
like
December
2016.
If
you
look
at
the
mailing
list
about
renaming
it
or
calling
a
new
six
security
than
they
did
so
historical
recency
was
security.
Questions
takeoff
is
the
place
to
go,
hang
out
the
they
do
talk
about
like
integrations
with,
with
other
with
other
CN
CF
projects
and
and
other.
D
Projects
things
like
its
do
and
how
that
would
work
together.
The
the
thing
I
would
kind
of
pushback
on
is
I,
don't
know
that
there
should
be
a
reference
implementation,
so
maybe,
if
you're
trying
to
solve
a
particular
problem,
should
be
like
a
recommendation
on
how
to
do
it
or
how
to
use
various
insight
projects
together
and
obviously
they
should
work
well
together.
But
everybody's
environment
is
so
different
at
the
end
of
the
day.
Right,
if
you
don't
need
to
solve
this
particular
piece,
then
we
shouldn't
say
that
you
need
it.
A
Just
my
perspectives,
there
always
seems
to
be
people
that,
like
to
do
roll
your
own
and
when
they
roll
their
own
there,
they
always
miss
something.
But
for
somebody
that
was
just
to
go
back
half
a
step
if
somebody's
running
kubernetes
out-of-the-box
plain-vanilla
upstream,
without
the
benefit
of
tough
notary,
OPA
or
spiffy.
D
Something
even
more
basic
like
how
did
you
configure
kubernetes,
there's,
there's
a
lot
of
work
that
still
needs
to
be
done
from
like
basic
security
management
as
a
user?
It's
not
very
usable
right
now,
if
you're,
not
one
of
the
people
sitting
in
this
room,
who
wants
to
spend
the
time
learning
how
community
security
works,
we
can't
expect
users
to
just
go,
deploy
it
and
it
for
it
to
be
secured.
I'd.
C
Second,
what
my
I
said:
you
know
that
putting
putting
better
locks
on
the
door
doesn't
help
you.
If
you
leave
the
door
open
every
night,
there's
a
whole
set
of
basic
concerns
around
kubernetes
hygiene
that
you,
you
probably
want
to
solve
frankly,
first
before
thinking
about
some
of
these
higher-level
projects
that
add
a
lot
of
value,
but
not
on
an
unsecure
framework.
F
I'll
give
a
counter
point:
I.
Think
kubernetes
could
do
a
lot
more
to
be
secure
by
default.
I!
Think
right
today,
when
you
go
and
deploy
kubernetes,
you
have
like
a
push
button,
insecure
and
program.
I.
Think
everybody
heard
about
it.
By
now.
There
was
like
a
big
Tesla
hack
a
few
weeks
ago,
where
somebody
just
deployed
default:
kubernetes,
tcp,
port,
open
to
the
Internet
somebody
scraped
there
AWS
credentials
and
now
they're
crypto
mining
and
the
Tesla's
AWS
account.
There
should
be
at
least
like
a
step.
F
The
user
has
to
take
to
configure
it
to
be
insecure
right,
just
don't
open
a
TCP,
socket
open
a
UNIX
socket
and
then
give
user
a
simple
way
to
open
a
TCP
socket,
and
hopefully
that's
enough
of
an
extra
bar.
It
isn't,
but
it's
at
least
like
one
tiny
additional
step
that
they
have
to
take
where
they
might
think.
Like.
Oh,
hey,
I'm,
I'm,
opening
a
socket
to
the
wider
Internet.
Maybe
I
should
do
something
with
that,
and.
A
I
agree
in
terms
of
the
Tesla
thing
for
since
this
is
being
recorded
for
those
of
you
who
want
to
find
other
instances
and
if
you
happen
to
be
Showdown
users
just
type
in
kubernetes
you'll
find
some
store,
queries
that
I
put
in
there
couple
weeks
ago
and
you'll
find
a
few
others.
We
can't
mention
names
because
that
would
be
contrary
to
jurisdictional
laws,
I
believe,
but
do
a
showdown
query
and
you'll
find
things,
and
you
don't
want
to
find
yourself
in
there
larger
people
to
me.
A
Well,
we
still
me
the
first
thing
you
should
trying
to
hack
yourself
and
if
you
show
up
and
show,
then
that's
not
a
good
thing.
We
talked
a
little
bit
now
or
Dave
you
mentioned
secure
by
default.
The
corollary
to
secure
by
default
is
defense-in-depth.
So
just
as
a
philosophical
argument,
should
a
cloud
native
environment
be
secure
by
default,
defense-in-depth
or
see
all
of
the
above
or
D
is
none
of
that
role
possible,
and
it's
just
hype
that
those
of
us
in
the
media
write
about
I.
D
B
They
distribute
policy
enforcement
out
to
the
edge
because
they
have
all
these
different
resource
types
and
identity
providers,
like
you
know,
contractors
and
batch
jobs
and
full-time
employees,
and
all
these
things
are
coming
from
different
systems,
and
you
never
really
know
what
your
service
is
getting
accessed
by,
so
the
only
place
to
enforce
that
is
right
at
the
edge,
and
so
that's
why
projects
like
sto
are
so
powerful
because
you
can
transparently
enforce
policy
and
cross
across
all
these
different
workloads
and
so
on.
Yeah.
E
I
think
absolutely
defense-in-depth
is
a
key
thing
that
should
be
there.
Secure
by
default
is
important
too,
and
I
think
that
there
is
a
you
know,
a
strong
realization
and
a
movement
towards
us
in
companies
that
are,
you
know,
security,
aware
I
mean
actually
one
of
the
exciting
technologies
that
I
learned
about
coming
here
was
the
G
Pfizer
work,
that's
being
done
out
of
Google,
and
even
more
so
than
just
you
know,
the
exact
work
and
exactly
where
it
is
today.
E
Hearing
the
discussion
about
things
about
how
they
have
to
have
levels
of
indirection,
between
sensitive
data
and
user
of
a
user
facing
code,
and
not
have
you
know,
common
vulnerabilities
and
issues
like
that
that
could
lead
to
a
compromise
of
that
data.
Those
are
the
types
of
things
those
sorts
of
philosophies
about.
F
There's
there's
more
code
being
deployed
at
higher
velocity,
so
we're
going
to
make
more
mistakes
and
more
of
that
code
is
being
deployed
by
computers
and
computers
are
really
good
at
repeating
our
mistakes
over
and
over
again,
so
secure
by
default
is
absolutely
critical.
I
think
defense-in-depth
is
getting
really
interesting,
because
containers
have
reduced
the
scope
of
what
we're
trying
to
control
and
that
actually
allows
us
to
apply
much
more
tailored
sort
of
defense-in-depth
policy
controls
and
restrictions.
So
I
out
defense-in-depth
thing
is
getting
better
as
well
great.
A
C
To
sort
of
reinforce
the
two
points,
which
is
that
defense-in-depth
and
secure
by
default,
are
actually
pretty
complementary
to
each
other.
I
think
you
know.
If
you
have
a
robust
foundation,
then
it
becomes
a
lot
easier
to
start
reasoning
about
things
like
zero
trust
and
in
fact
you
have
to
in
order
to
be
able
to
do
that
so
I
I
completely.
Second,
the
point
that
the
two
are
complementary
and
if
you
get
better
or
one
you
can
get
better
at
the
other,
which.
A
Makes
a
lot
of
sense?
You
just
always
hear
people
talk
about
exactly
perimeter
security,
and
that
would
be
it,
but
since
at
least
four
or
five
years
ago,
when
RSA
had
their
RSA
ID
breach
they've
been
they
can't
say
that
anymore.
So,
everybody's
half
my
stories
are
always
about
three
hunting
trying
to
find
people
after
they're
already
n,
since
we're
in
the
cloud
native
bubble.
I
know
we're
talking
all
about
cloud
native
technology.
Certainly
that's
exciting,
but
it's
only
been
around
three
years.
A
Some
of
the
projects
up
here
have
been
around
even
less
time
than
that.
Necessarily
where
do
you
see
the
intersection
between
some
of
the
new
controls
that
we're
talking
about
whether
it's
update
framework
OPA
spiffy,
the
things
that
Google
is
doing
notary
and
existing
compensating
controls
that
are
in
a
in
a
network
whether
its
existing
IPS
technologies,
firewall
perimeter,
stuff
other
things
that
might
sit
on
a
host
operating
system
or
as
part
of
a
network
infrastructure?.
F
And
ultimately,
somebody
gets
into
your
network
because
of
a
vulnerability
in
some
piece
of
software
you're
running.
Apparently,
a
lot
of
compromises
come
from
inside
your
network,
but
even
if
we
just
focus
on
compromises
that
are
coming
in
from
the
outside
world,
you
still
need
things
like
intrusion
detection.
D
I'll
second,
that
I
think
there's
a
you
know,
idea
that
you
containers
are
actually
very
different
from
iums
and
you
know
here's
some
reasons
why?
But
there's
a
bunch
of
reasons
why
they're
the
same
and
you're
gonna?
If
you
have
an
IDs
and
your
on-prem
environment
or
in
your
VM,
you
need
one
for
your
container.
No
fire
wall
before
you
still
need
a
firewall
like
that.
Doesn't
go
away.
I!
Think
some
of
the
things
that
do
change
are
around
this
software
supply
chain
piece.
D
The
sense
that
before
you
had
a
box
that
you
bought
from
some
vendor
and
that
was
audited
and
was
certified
and
you
know
had
you
know-
was
updated
every
three
years
and
some
guy
showed
up
with
some
firmware
and
did
some
things
and
now
it's
like.
Oh
there's,
a
new
dependency
and
I
just
pulled
it
from
some
github
repo
and
I
pushed
into
production,
and
it
happened
in
seconds
and,
like
you,
don't
really
know
how
all
that
plays
together.
So
I
think
we're
gonna
have
to
spend
a
lot
more
time
as
an
industry.
C
As
well
as
software
supply
chain
in
another
use
case
that
when
we
talked,
we
talked
to
a
lot
of
people
about
zero
trust
and
it's
actually
as
often
as
not
it's
it's
operations,
teams
that
we
speak
to
rather
than
security
teams
and
the
motivation
for
it.
You
know
as
well
as
it
providing
defense-in-depth,
is
to
provide
better
fidelity.
You
know,
VPNs
and
V,
pcs
can
be
and
firewalls
you
know
can
be
expensive
and
it
usually
fairly
coarse
grained.
C
So
people
want
higher
fidelity
when
they,
when
they're
applying
policy
and
the,
and
so
what
you
end
up
resolving
to
is
is
realizing
that
you
need.
You
know
some
degree
of
application,
centric
identity
to
be
able
to
to
do
what
you
need
to
do.
It's
not
necessarily
because
you
don't
you
suddenly,
don't
trust
your
firewall
anymore.
It's
because
you
need
more
fidelity
in
your
policies,
so
the
two
of
complimentary
to
a
certain
extent.
C
B
Also
think
that,
like
for
the
open
policy,
agent
and
I,
think
also
tough,
notary
and
spiffy,
like
the
projects,
are
fairly
generic
and
pluggable
and
so
I
think,
as
they
mature,
we'll,
probably
see
them
applied
to
like
legacy
systems
as
well,
and
and
because
that's
sort
of
what
they're
designed
to
do
is
well
like
it's.
It's
not
fundamentally
different.
So
yeah.
A
A
This
is
going
to
be
more
layers
of
abstraction
in
the
Congo
line
of
security
controls
that
I
already
have,
and
then
they'll
always
ask
me
well,
Sean,
what's
the
source
of
truth
and
the
single
pane
of
glass
view,
so
when
you're
talking,
whether
it's
identity
or
updates
or
even
just
policy,
where
would
the
source
of
truth
be?
Or
is
it
really
just
a
question
of
context?
If
I'm
inside
the
container
world,
then
it
should
be
container
nadir
of
a
cloud
native
rather
versus
some
kind
of
macro
enterprise
infrastructure
view
of
policy,
identity,
security,
I'll.
C
Speak
from
the
spiffy
standpoint,
which
is
that
you
know
that
it
is
context
sensitive,
but
it's
it's
entirely
reasonable
to
think
about
a
project
like
spiffy
as
something
that
lets
you
bridge
say:
Active
Directory
or
you
know
an
open,
ID
provider
to
you,
know
dynamically
schedules
and
elastically
scaled.
You
know
more
more,
more
ephemeral
infrastructure.
F
F
F
You
know,
Apache
nginx,
my
sequel
Redis,
like
applications
that
everybody
is
using
in
their
vanilla
form,
and
yet
we
don't
have
standardized
policies
for
these
things,
and
then
you
take
it
a
step
further
and
it's
like
okay,
what
if
it's
just
a
PHP
app
running
on
Apache?
Well,
99%
of
those
require
the
same
set
of
permissions,
so
I
would
love
there
to
be
some
kind
of
collaborative
effort
and
I
do
not
know
how
to
make
this
happen.
So
if
you
think
you
do,
please
come
and
talk
to
me
afterwards
to
like
pull
together.
F
D
Know
if
this
happened,
you
just
ask
people
for
help
the
there
is
it's
true.
What
you're
saying
is
completely
correct:
I'm,
really
frustrated
that
there
isn't
a
universal
policy
language
that
applies
to
everything
that
I
could
possibly
want
it
to
do
like
it
really
blows
my
mind
that
we
are
where
we
are
today
and
that
doesn't
exist.
You.
D
So
I've
heard
I've
also
heard
of
Sentinel
from
Hacha
Corp,
which
only
works
with
their
enterprise
solutions
and
I'm,
hoping
that
one
of
those
or
anything
else
you
come
up
with
or
anything
else
that
you
can
think
of
is
gonna
solve
that.
Well,
like
I
love
it
to
get
to
a
point
where
we've
kind
of
agreed
as
a
community
that
this
is
what
we're
gonna
do
and
then
please
help
help
build
whatever
that's
gonna
be
and
all
those
reference,
those
reference
policies,
because
we
we
do
need
that
yeah.
A
Just
argue
devil's
advocate
what
I
hear
from
security
vendors,
whether
it's
container
native
cloud
native
or
otherwise.
Is
you
use
machine
learning,
so
you
you
know
you
sprinkle
that
pixie
dust
out
there
and
then
you
do
your
baseline.
So
you
understand
what
the
baseline
is
over
a
certain
period
of
time
for
both
the
entity
and
then
the
user,
and
then,
if
there's
deviation
after
that,
then
okay,
that
must
be
something
wrong.
Is
that
far
too
simplistic
an
approach,
I
think.
E
You
do
run
into
a
bit
of
risk
here
with
a
with
a
situation
like
that
there,
where
you
kind
of
end
up
going
down
to
the
lowest
common
denominator,
that
you
know
a
lot
of
people
end
up
having.
If
you
have
a
CI
CD
system,
then-
and
you
have
everything
set
up,
so
you
can
effectively
test
it
as
though
you're
in
your
production
environment
and
you
have
the
ability
to
tweak
the
knobs
and
I'd
love
to
see
tooling.
That
would
automatically
try
to
to
tweak
and
configure.
E
D
Netflix
talks
about
one
of
the
tools
that
they
have,
that
does
this.
That
kind
of
like
starts
from
everything
being
open
and
just
like,
what's
closed
a
little
bit,
see
if
anything
breaks,
let's
close
a
bit
more
and
see
if
anything
breaks
and
keeps
going
that
way,
I
think
that's
really
cool
I
know
Google
thinks
about
something
similar
with
look.
D
We
have
this
concept
of
right-sizing
instances
on
GCE
or,
if
you're
running
with
a
VM,
that's
bigger
than
we
think
you
need,
will
tell
you
and
you
can
think
about
that
for
security
too
or
like
how
do
we
tighten
all
those
things?
So
hey
that
looks
like
it's
more
than
what
you
really
need.
You
know
try.
E
Something
smaller
and
we've
been
doing
something
similar,
even
with
like
Linux
kit
and
other
kind
of
like
container
runtimes
and
OS
runtime.
So
try
to
see
can
we
can
we
do
something
clever
on
paths
that
we
don't
think
are
going
to
be
needed
very
often
by
applications,
because
when
people
exploit
zero-days,
they
happen
to
to
touch
random
odd
parts
of
the
kernel.
More
often
than
not.
A
A
A
E
I
I'll
take
a
stab
at
this
first
and
then
other
people,
please
jump
in
and
disagree.
I
think
this
is
a
great
one
for
us
to
fight
about,
but
I
think
that
the
reason
why
I,
yes
and
thank
you-
cyber
criminals
are
often
going
after
targets
that
are
fairly
weak,
that
they
can
monetize
things
out
of
and
while
there
have
been
obviously
a
lot
of
database
and
other
types
of
breaches
like
this
and
things
like
ransomware
seem
to
be
relatively
effective.
E
People
are
going
after
things
like
Internet
of
Things
style
devices,
moriah,
botnet
and
and
doing
other
things
like
that.
So
all
these
industries
are
trying
to
get
their
act
together.
I
mean
we've
been
working
with
and
actually
the
most
of
the
tough
implementations.
Tough
implementations
are
a
variant
called
up
team,
that's
used
in
the
automotive
space,
and
so
the
automakers
have
started
to
get
their
act
together
and
we're
trying
to
work
with
other
communities
like
medical
device
manufacturers,
and
you
know
the
electrical
grid
and
others,
and
so
whoever
ends
up
liking
behind.
Is
you.
F
It's
not
specifically
in
sort
of
the
the
cloud
environment
but
they're,
already
containers
running
a
lot
of
places.
You
might
not
expect
it
so.
Okay,
we
are
where
security
people
like
yes,
we're
going
to
tell
you.
We
need
to
get
our
act
together,
but
there
are
a
lot
of
people
out
there.
You
know
to
be
kind
to
the
operations
community,
who
work
very
hard
and
are
on-call.
F
There
are
a
lot
of
people
out
there
doing
a
really
good
job
and
there
are
a
lot
of
container
systems
out
there,
both
in
the
cloud
and
running
on
edge
devices
and
IOT
devices
that
aren't
getting
compromised
daily,
like
they've
they've,
taken
good
security
measures,
so
there's
a
lot
more,
we
can
do
and
I
think
a
lot
of
what
we
want
to
do
is
to
make
it
easier.
You
know,
we've
talked
about
having
more
secure
defaults
and
the
simpler.
F
D
The
reality
is,
people
are
already
using
it
in
critical
systems.
People
want
security,
they're
asking
for
features
and,
and
the
community
is
building
and
rallying
behind
it,
and
the
growth
of
the
community
versus
the
growth
of
the
security
folks
in
the
community
has
been
we've
seen
a
huge,
huge
uptake.
D
So
someone
we're
gonna,
see
a
lot
more
security
features.
Three
different
people
said
on
stage
at
the
during
their
keynotes.
This
is
a
year
of
security
for
for
this
community,
which
is
great,
I,
don't
think
we're
where
we
were.
We
aren't
yet,
but
people
are
starting
to
think
about,
is
building
communities
to
be
so
resilient
and
it's
not
just
security
but
reliability,
performance,
exit,
etc.
That
imagine
that
in
five
years
from
now,
you're
gonna
have
a
critical
hospital
system,
a
critical
telco
system,
some
sort
of
critical
pressure
running
on
kubernetes,
like
people
like.
D
B
Yeah
I
mean
I
think
that
it's
actually
like
less
it's
less
of
a
technology
problem
and
more
of
like
a
cultural
thing
in
a
lot
of
places.
So
you
know
there
are
a
lot
of
companies
that
are
very
security
focused
and
they
leverage
very
sophisticated
fine-grained
security
features
in
like
cloud
native
technology
that
exists
today
and
so
like.
But
then
of
course,
they're
always
gonna,
be
companies
that
fall
back
to
tribal
knowledge
and
spreadsheets
and
wiki's
to
keep
track
of
things
and
enforce
the
and
that's
gonna,
give
them
no
guarantee.
C
You've
got
to
put
it
in
context
as
well.
Right
I
mean
that
with
we're
so
much
better
off
now
you
could
argue,
then
we
were
three
or
four
years
ago.
You
know
we
have
a
standard
way
of
packaging
now,
for
the
most
part,
we
have
a
standard
way
of
deploying
we
start
to
have
standard
ways
of
signing
and
standard
ways
between
identity,
as
you
well
we're
now
in
a
position
where
we
can
actually
talk
about
software
supply
chain
that
would
work
for
n
customers
and
not
work
for
one.
C
We
started
to
talk
about
libraries
and
design
patterns
and
and
schemas
that
we
can.
We
can
reason
about
we
weren't,
even
in
position
to
start
having
those
conversations
a
few
years
ago.
So
you
know
it's
we're,
maybe
you're
understanding
our
own
flaws
a
bit
better
but
and
there's
maybe
more
at
stake
than
there
was
a
decade
ago
or
two
decades
ago.
C
A
A
D
D
I
can
take
ten
devs
that
I
had
working
on
something
super
custom
in
my
environment
and
then
I
can
put
that
into
a
pool
of
thousands
of
devs
and
get
back
way
more
than
10
people
put
in
and
we're
gonna
say
that
with
all
these
projects
here,
right
like
if
I
can
get
a
few
people
who
work
on
a
security
feature
to
benefit
a
lot
of
people
like
we've
done
with
like
open,
SSL
and
open
VPN
and
a
ton
of
other
projects
out
there
in
security.
That's
great
I
think.
C
As
well,
you
know
the
CNC
F
itself,
one
of
the
big
things
they
did
earlier
this
year
was
start
to
was
to
refine
and
perhaps
more
strictly
enforce
their,
what
they
call
their
graduation
criteria.
And
so
you
now
have
something
of
a
funnel
where
at
the
one
end
of
the
funnel
wall,
before
you
get
into
that
funnel,
it
looks
a
bit
more
like
a
bazaar
than
a
Cathedral.
There's
a
lot
of
projects
and
a
lot
going
on.
But
you
know
that
the
CNC
F
has
done
a
lot
of
good
work.
C
I
think
to
start
to
create
a
framework
that
your
operations,
teams
and
security
teams
and
organizations
in
general
can
use
to
reason
about.
You
know
the
degree
of
maturity
and
the
great
degree
of
operational
readiness,
the
amount
of
based
on
the
amount
of
real
world
use,
and
you
know
resiliency
and
degree
of
security
faults
that
exist.
C
A
Good,
actually,
the
first
person
I've
heard
all
week
to
mention
the
cathedral
in
those
Bazaar
that
wasn't
on
the
bingo
chart.
Was
it
in
the
old
days
that
open
source
conferences
you'd
always
have
that
you
know
cathedral
and
the
bazaar
all
bugs
are
shallow
with
many
eyes
all
those
kinds
of
standards
think
so
Congrats
you
first
of
the
week
so.
F
F
So
you
know
as
a
as
a
foundation
and
as
a
community,
and
there
is
support
there
and
there
is
an
active
effort
to
ensure
the
security
of
projects
that
have
at
least
graduated
to
some
level
of
maturity,
and
that
will
that
will
help
with
some
of
the
sort
of
you
know,
security
issues
that
might
otherwise
arise.
The.
D
Other
thing
I'd
like
to
do
and
I
don't
know
how
to
do
this,
so
maybe
some
of
you
do
I'd
love
to
see
more
security
projects
in
the
CN
CF
right.
It's
it's
not
necessarily
specifically
at
home
for
security
projects,
but
it's
a
good
home
for
security
projects
right.
We
have
spiffy
and
OPA,
and
we
have
notary
and
tough,
but
like
there's
lots
of
projects
out
there
that
don't
have
a
particular
foundation
or
that
they're
associated
with
in
security
and
would
hugely
benefit
our
space
right.
D
A
H
A
H
D
F
Speak
to
the
other
sort
of
part
of
that
question
which
was
about
you
know
getting
more
sort
of
I
guess:
contributors
and
involvement
in
security
projects,
I
think
Justin
I
did
a
deep
dive
for
the
notary
and
tough
projects
this
morning
and
at
the
end
the
very
first
question
was
like
I'm,
not
a
crypto
expert.
How
do
I
get
involved
with
these
projects
so
I
think
a
lot
of
times.
Security
projects
can
be
intimidating,
but
ultimately,
like
a
lot
of
what
we're
working
on,
isn't.
Crypto
people
shouldn't
associate
security
equals
crypto.
F
So
I
think
there
is
some
outreach
to
be
done
that,
like
you
know,
let
people
know
that
hey
the
security
community,
isn't
that
big
and
scary,
which
maybe
it
can
seem
at
times
and
actually
think
kubernetes
and
darker
and
all
of
the
open-source
that
sprung
up
around
containers
is
actually
making
a
lot
of
security.
More
welcoming
I
think
is
actually
becoming
less
intimidating.
That's
my
impression.
Yeah.
B
So,
even
if
you
can't
contribute
like
a
new
security
project
to
the
CNC
F,
there
are
a
bunch
of
working
groups
and
SIG's
like
sig
off
which
deals
with
kubernetes
there's
the
policy
working
group
in
kubernetes.
There's
the
safe
working
group,
that's
popping
up
in
CNC
F
and
all
of
these
things
are
dealing
with
security,
but
I
might
probably
miss
them.
But
all
of
these
things
are
dealing
with
with
securities,
so
you
can
come
and
contribute
to
that
community.
In
that
discussion
and.
D
C
Your
use
cases
you
know
of
all
of
the
working
most
of
the
working
groups
that
I've
I've
been
in
or
set
it's
been
a
fly
on
the
wall
for
the
the
word
that
keeps
coming
up
again
and
again
is
not
crypto
or
elliptic
curves.
It's
it's
usability.
It's.
How
can
I
reason
about
this?
How
can
I
explain
it?
How
can
I
rationalize
about
how
I
what
happens
when
I
make
a
change?
C
It's
it's
its
usability
first
and
foremost,
and
that
you're
improving
that
it
seems
to
be
got
while
I'm,
throwing
around
buzzwords
seems
to
be
the
the
well
write,
the
other
that
the
highest
the
highest
return
on
investment
that
we
can
make
as
a
community
and
that
doesn't
need
perhaps
the
traditional
set
of
security
skills.
It's.
A
A
good
place
then,
because
I
couldn't
agree
more.
If
security
isn't
usable
and
nobody
uses
it,
you
have
a
door
that
has
a
door
lock,
but
you
don't
lock
the
door
because
you
don't
know
how
to
lock
it.
You
got
nothing,
that's
five
o'clock,
so
that's
the
end
of
our
panel.
So
if
you
could
all
join
me
in
thanking
our
panelists
and
thank
you
for
coming
to
coupon.