►
From YouTube: Creating Cloud Native Security - Emily Fox, Apple; Brandon Lum, IBM; Andres Vega, VMware
Description
Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Creating Cloud Native Security - Emily Fox, Apple; Brandon Lum, IBM; Andres Vega, VMware
Cloud native security is not new, but is under constant iteration and creation. As cloud native innovation occurs, the Security TAG is lock-step in considering, analyzing, and guiding the community on the most appropriate security mechanisms, architectures, design patterns, and tooling. This presentation covers an introduction to the Security TAG, their charter and scope, and then deep dives on several efforts the TAG has undertaken (completed and in progress) with their community impact such as the Supply Chain Security Paper, CNCF Project Security Reviews, Security Pals, and so much more. This session is for anyone interested in cloud native, cloud native security, or wishes to understand how a community of passionate volunteers can change an entire technology ecosystem.
B
C
Yeah,
we
got
somewhat
of
a
contentious
title,
creating
cloud
native
security.
What
do
we
mean
by
that?
Isn't
cloud
native
by
definition,
intrinsically
secure
or
meant
to
be
we're
going
to
talk
through
the
slides
and
during
the
presentation?
What
do
we
actually
mean
for
creating
cloud
native
security?
How
to
do
open
source
security
in
public
working
in
public,
advancing
the
space
safeguarding
the
systems
upon
which
we
run
critical
applications
and
mitigating
the
structural
risk
as
a
whole?
C
B
Yeah,
so
today
we're
gonna
quickly
go
through.
You
know
who
we
are,
how
we're
doing
the
things
that
you
know
understand
how
we're
gonna
secure
our
company's
security,
build
the
whole
thing
and
also
like
how
we're
doing
it,
which
is
very
important
in
which,
like
we're,
collaborating
with
many
different
groups,
both
security
and
as
almost
as
importantly,
the
non-security
groups,
so
we're
going
to
start
off
a
little
bit
about
talking
about
us.
B
B
So
our
main,
our
main
scope
of
our
main
charter,
is
really
create
cognitive
security,
with
essentially
the
goal
of
balancing
the
whole
protection
versus
usability
right.
The
hr
question
with
security,
we
concentrate
a
lot
on
common
tooling.
I
think
this
is
a
very
essential
part
of
we
are
given
this
gift
of
having
a
green
field
with
cloud
native,
and
we
want
to
make
sure
that
we
build
everything
together
as
a
community,
we
have
common
tooling,
we
have
common
auditability
methods
and
so
on.
C
C
The
space
and
the
problem
domain
is
quite
broad.
There
is
a
number
of
sharp
tools
out
there
and
we
work
with
with
all
these
different
projects.
We
prioritize
work
based
on
incoming
requests
from
the
tlc
and
the
community,
so
we
jump
onto
different
projects.
We
do
look
out
for
common,
tooling
and
part
of
it
is
well
the
the
problem
is
challenging,
because
a
lot
of
the
getting
started
on
the
technologies
is
a
high
barrier
of
entry.
These
are
very
complex,
expert
level
systems
and
there's
not
a
lot
of
documentation.
C
B
Yep
and
in
order
to
fill
in
all
these
banks,
we
essentially
as
a
community,
are
not
just
security
professionals.
We
work
with
developers,
devops,
ops,
folks,
the
managers,
engineering
managers
and
also
folks
that
you
know
are
coming
in
new
to
security
because
we
are
building
all
this
for
them
and
not
for
us.
B
So
we
are
largely
community
based.
We
believe
that
this
has
been
a
successful
model.
So
far,
all
issues
all
the
prs.
All
the
efforts
mostly
have
been
driven
by
the
members
and
participants
of
the
community
and
right
now
we
are
almost,
I
think,
or
at
least
over
100
members,
and
we
come
from
60
different
companies.
C
If
I
could
get
a
show
of
hands,
members
of
the
tech
who
are
here
in
the
room
with
us
awesome
pretty
good
turnout.
Some
of
you
are
security
engineers.
Some
of
you
are
practitioners.
I
see
some
product
managers
in
the
room.
I
see
some
tech
riders
so
we're
a
diverse
group
of
folks
there's
work
for
everyone
and
there's
just
many
ways
to
get
involved
and
we're
going
to
talk
through
those
but
yeah
part
of
that
is
democratizing
security.
C
C
We
have
a
number
of
other
security
resources,
cloud
native,
eight
eight
guiding
principles
for
building
security
from
the
ground
up
that
is
currently
open
for
review.
We're
going
to
make
some
of
this
links
available
for
posterity.
We
want
to
get
as
many
eyes
as
we
want
on
it.
A
lot
of
it
is
departing
from
security
by
obscurity.
C
B
Awesome
so
one
of
the
things
that
was
initially
our
focus
area
within
this
was
back,
I
think,
a
year
and
a
half
to
almost
two
years
now
it
was
a
cloud
native
security,
white
paper
and
essentially
the
whole
idea
of
this
was
that
we
got
a
lot
of
people
coming
to
us
that
were
like.
I
don't
really
understand
what
cloud
native
security
is.
How
is
it
different
from
regular
security,
traditional
security
folks
that
are
moving
from
on-prem
vms
to
containers
are
like.
What's
different
of
this,
what
is
devops?
B
B
You
know
different
enough
for
us
to
write
a
white
paper,
a
white
paper
just
about
it
talking
about
the
essential
tenants
and
the
methodology
of
cloud
native
and
how
security
has
to
evolve
so
adapt
to
them.
So
we
go
all
the
way
from
like
develop,
distribute
to
all
the
way
to
run
time.
Going
from
how
do
I
develop
my
application?
B
B
How
do
we
establish
trust
between
the
different
items,
and
we
talked
a
little
bit
about
compliance
in
terms
of
how
it
also
affects
the
different
regulations?
Regulatory
industries
like
finance,
financial
and
federal
one.
One
cool
thing
is
that
this
white
paper
has
been
very
useful.
We
will
talk
a
bit
about
later.
We've
got
some
really
good
feedback
that
drives
some
of
the
work
that
we're
doing.
B
C
Part
of
the
intent
here
is,
I
personally
come
to
kubecon
and
I
get
super
excited
for
a
lot
of
what
I
see
and
I
tend
to
grasp.
It
typically
really
quick,
but
I
get
back
to
work
the
following
week
and
I
struggle
to
be
able
to
explain
it
to
anyone
else
in
my
team,
particularly
so,
if
there
are
other
security
folks
and
like
let's
not
even
talk
about
risk
people.
B
Yep
and
so
another
thing
that
we've
done
here-
and
this
was
a
full
lot
from
the
white
paper-
is
something
we
call
the
cloud
native
security
map
and
the
idea
behind
the
cloud
native
security
map
is
to
create
a
way,
or
you
know,
an
interactive
way
for
folks
that
are
coming
in
to
have
a
bit
more
practical
guidance
on
things
in
the
white
paper
right
in
the
white
people.
We
talk
about
general
concepts
or
you
need
to
sign
your
things.
You
need
to
verify
them.
B
You
need
to
check
the
provenance
of
your
containers
and
configure
your
runtime,
but
you
know
it
doesn't
talk
about
specific
technologies.
How
do
I
actually
go
about
doing
this?
So
the
cloud
native
security
map
is
an
interactive
page
and
it's
actually
hosted
this
website.
It's
live.
Unfortunately,
it
doesn't
work
on
mobile.
So
don't
try
that,
but
the
idea
is,
you
can
navigate
into
the
white
paper
and
look
at
okay,
I'm
interested
as
you
know,
you
have
to
start
security
somewhere
right,
so
evaluating
within
your
organization
may
be
understaffed
with
container
image
provenance
right.
B
So
I
go
into
development,
I'll,
go
into
container
image,
signing
and
provenance,
and
then
it
will
tell
me
basically,
you
know
here
are
the
tools
that
I
can
use
to
go
ahead
with
that,
so
it
will
talk
about
in
total
talk
about
things
like
6r.
I
think,
basically,
all
the
bunch
of
different
tools
and
some
general
guiding
principles
around
that
another
version,
two
that
we
have
on
this
security
map
is
to
come
up
with
something
called
guided
tours.
This
is
still
a
work
in
progress.
B
It's
about
to
start
the
idea
behind
this
is
we
want
to
define
really
what
are
certain
tangible
stories
that
people
can
take
and
start
adopting.
So
let's
say
my
my
boss
goes
to
me
and
says:
we
need
to
do
supply
chain
supply
chain
security
right,
so
we
will
have
a
guided
tour.
That
says.
Okay,
here
is
how
you
go
about
doing
supply
chain.
C
It
maps
a
little
bit
to
a
crawl,
walk,
run,
almost
there's
a
process
of
discovery,
there's
a
process
of
developing
a
better
understanding
from
there
going
to
a
place
where
you
can
do
architectural
reviews
and
design
reviews
of
these
technologies
to
where
you
can
make
it
part
of
of
your
infrastructure
topologies,
so
we're
trying
to
incorporate
that
progression
of
adoption
of
a
technology.
So
it's
not
just
you
go
from
zero
to
like
full-blown
web
scale
prod,
but
it's
gradual.
It's
a
little
bit
of
a
couch
to
5k
program
for
security.
B
This
catalog
contains
all
well
most
of
the
supply
chain
security
breaches
over
the
past
few
years
and
is
a
good
resource
to
kind
of
learn
about
the
different
types
of
supply
chain
security
in
the
real
world
in
the
world
and
also
as
a
way
to
kind
of
convince
stakeholders
and
higher
level
executives.
That
supply
chain
is
indeed,
you
know
something.
That's
going
to
put
you
in
the
wall
street
wall
street
journal.
B
One
thing
I'd
like
to
mention
about
this
piece
of
work,
which
I
think
this
was
really
cool,
because
this
stemmed
from
a
single
contributor
that
was
like
I
want
to
do
this.
It
was
a
maintainer
of
in
total
santiago
and
basically
he
said
I
want
to
do
this.
He
proposed
it
to
the
tech
we
said
cool.
This
is
the
line
with
what
we
want
to
do
as
a
community.
B
C
C
C
I
saw
you
raising
your
arm,
so
we
we
produced
and
published
the
best
practices
white
paper.
This
was
led
by
jonathan
meadows,
head
of
cyber
at
city
collaboration
with
myself.
We
had
about
15
to
20
other
people
who
contributed
and
collaborated
to
this
effort.
There's
a
recording
from
kubecon
europe,
where
we
talk
about
go
through
through
the
different
aspects
of
the
white
paper.
C
We
have
progressed
from
there.
Well
now
that
we
have
described
a
software
factory
end-to-end
that
incorporates
security
from
the
ground
up.
How
do
we
translate
that
into
an
architecture
that
pieces
all
the
different
components
that
you
can
use
as
a
reference?
This
is
being
developed
with.
I
see
a
number
of
folks
in
the
room,
marina
moore,
called
kennedy,
driving
a
lot
of
the
work
of
well.
C
If
you're
reasoning
about
reproducible
builds
what's
the
relationship
of
that
to
like
cryptographic,
identity,
and
these
are
things
that
we
typically
don't
see
the
relevance
from
one
to
the
other.
But
as
look
as
you
look
into
the
bigger
picture,
you
need
the
different
moving
parts.
As
someone
said
yesterday,
you
could
have
all
the
parts
that
make
up
a
piano,
but
if
they're
not
assembled
together
right,
you
can't
actually
play
it.
C
C
We
are
going
to
be
opening
it
up
for
public
comment
in
the
coming
weeks
and
from
there,
then
we
intend
to
start
writing
some
code,
so
people
could
check,
check
it
out
and
run
a
a
sample
of
that
software
factory
and
start
building
around
it
and
on
top
of
it
brandon.
If
you
want
to
add
something
to
that.
B
Yeah,
I
think
this
is
this
is
something
that
really
we
wanna,
as
a
community
show
people
that
this
is
something
that
it's
attainable.
It's
something
that
you
know
if
you
put
a
bit
of
effortless-
and
I
think
you
know
michael
showed
this-
a
few
others
are
showing
this
there's
a
lot
of
projects
out
there
that
can
help
you
attain.
You
know
reasonable
levels
of
supply
chain
security.
There
are
gaps
that
need
to
be
filled,
but
we
think
that
you
know
by
showing
this
to
others.
C
We're
trying
not
to
be
overly
prescriptive
and
say
well
at
the
current
time.
These
are
the
most
mature
or
fit
feature
complete
technologies
in
our
ecosystem
that
you
can
piece
together
to
accomplish
this,
but
we're
also
trying
to
provide
alternatives
and
say
well.
You
could
very
well
do
this
with
tecton
chains
or
you
could
do
it
with
jenkins
x
as
an
example.
B
Cool,
so
we
talked
a
little
bit
about
you
know
what
are
some
artifacts
that
we
produce
as
a
group,
and
I
want
to
spend
a
bit
of
time.
You
know
before
we
talk
about
how
to
contribute
about
some
of
the
things
we
do.
You
know
not
necessarily
things
that
end
up
in
papers,
but
things
we
do
to
help
strengthen
the
security
of
the
ecosystem
and
how
we
work
together
with
other
groups,
so
big
part
of
cloud
native
security
and
creating
it
is
education
and
partnership.
B
This
actually
comes
in
the
form
of
engagement
of
different
projection
communities.
So
an
example
of
that
strengthening
the
ecosystem
in
cncf.
We
have
something
that
we
introduced
earlier
called
security
pals
right.
The
idea
is
that
someone,
especially
with
new
projects,
are
cutting
coming
into
cncf.
As
you
know,
sandboxing
or
incubating,
we
will
have
someone
there
to
guide
them
to
talk
about.
Okay,
voila
here
are
the.
What
are
the
security
considerations
you
should
integrate
from
the
start.
B
Right
security
is
something
that
you
should
keep
in
mind
from
the
start
and
not
you
know
an
afterthought.
So
that
is
something
that
we're
piloting.
It's
going
great.
We
almost
have
our
first
projects
done
with
that.
We
also
have
a
something
that
else
that
we
do
is
security
assessment
and
joint
reviews
on
this,
essentially,
is
you
know,
looking
at
the
other
cncf
projects
and
assessing
the
security
posture
of
it?
B
I
won't
go
too
much
detail,
because
andrews
will
cover
that
in
the
next
slide
and
of
course,
you
know
we
work
with
a
lot
of
the
related
group.
Open
ssf
obviously
sells
us
for
supply
chain
stuff.
We
work
with
the
kubernetes
six
security
group.
We
have
there's
a
lot
of
overlap
with
the
members,
and
this
is
great
because
you
know
we
call
each
other
out
and
also
we
we
want
to
make
sure
that
we
set
realistic
goals
and
make
sure
everyone's
on
the
same
page
other
than
that
for
our
members.
We
usually
have
presentations.
B
This
go
from
presentations
of
projects
in
cncf
around
security.
Recently
we
had
like
qri
defense,
kaiva,
know
your
new
projects
coming
to
the
cncf
so
that
folks
can
get
updated
with
it,
and
also
we
have
certain
talks
around
like
trent
model.
You
know
behavioral
security,
how
you
manage
security
in
organization
and
things
like
that.
C
Yes,
I'll
tell
you
about
security
assessments,
but
I'll
start
off
to
tell
you
my
ex
an
anecdote
really
of
how
I
got
involved
in
security
assessments.
I
was
working
in
the
spiffy
inspire
projects
shout
out
to
the
team.
I
see
them
here
in
the
front
seat
and
the
project.
The
project
was
at
sandbox
stage
and
we
were
pursuing
trying
to
get
to
incubation
and
performing
that
due
diligence
and
security.
C
Audit
security
reviews
were
one
of
the
requirements
we
would
have
to
meet
in
order
to
make
that
progression
and
the
project
had
actually
been
scrutinized
and
reviewed
and
thread
modeled,
and
I
quite
didn't
understand.
Why
would
we
have
to
like
do
this
over
again
and
put
it
in
a
particular
template
format
and
it
seemed
a
lot
like
an
inconvenience?
Well
we're
we're
security
experts.
We
know
what
we're
doing
our
technology
is
battle
tested.
It
runs
in
production.
C
I
don't
think
we're.
Gonna
do
extract
much
value
of
it
and
it's
more
something
we
just
need
to
get
done.
Now.
We
got
engaged
through
first
off
being
able
to
in
order
to
kick
off
an
assessment.
You
have
to
produce
a
self-assessment,
and
you
need
to
explain
to
the
technical
advisor
group,
the
design
of
your
project,
the
threat
model
of
your
project,
the
different
security
attributes
of
it
and
from
there
on
folks,
the
reviewers
start
poking
holes,
and
this
engagement
typically
lasts
between
a
month
or
two
months.
C
We
were
also
left
with
a
great
artifact
that
helped
us
gain
a
broader
reach,
because
one
of
the
typical
bottlenecks,
when
we're
helping
organizations
trying
to
adopt
spire
was
a
platform
engineer,
would
get
it.
Some
security
engineer
engineer
would
get
it,
but
when
they
had
to
deal
with
infosec
as
part
of
those
of
a
review
in
order
to
get
to
production,
they
always
had
to
call
evan,
gilman
or
andrew
harding
or
myself
to
thread
model.
C
That
would
help
us
to
speed
through
this
review
and
would
actually
shorten
the
time
to
get
to
production,
because,
yes,
we
can
come
up
with
an
idea.
We
can
check
out
the
code,
we
can
deploy
it
to
some
cloud
environment,
but
in
order
to
get
to
production,
the
biggest
gate
remains
to
be
going
through
a
security
review
going
through
a
third
party
audit,
and
now
we
have
something
that
drastically
accelerated
actually
getting
there
and
having
those
folks
satisfied
with
defensible
arguments.
C
So
it
codifies
a
lot
of
that
since
that
I've
participated
in
leading,
I
felt
I
had
to
pay
it
back,
and
this
is
how
I
got
involved
with
tax
security
as
we
extracted
so
much
from
this.
I
want
to
help
other
projects
in
this.
In
this
journey
I
led
the
security
assessment
for
harbor.
It
is
published
also
the
assessment
for
build
packs,
brandon
you've
done
a
few
others
you're.
Actually
the
reviewer.
B
Yeah
so
yeah
so
security
assessments
and
reviews,
you
know
something
that
we've
done
way
back
a
lot
of
the
projects
that
come
to
us
say
that
they
did
like
it.
It
gives
them
like
interested
like
a
document
to
point
to,
and
also
it
provides
kind
of
like
a
boost
of
confidence
with
the
toc
as
well.
In
terms
of
doing
due
diligence.
B
C
Best
practices,
so
part
of
the
assessment
is
actually
filling
out
the
rubric
for
the
core
infrastructure,
best
practices
batch,
and
it
was
a
huge
boost
for
all
those
different
projects
that
have
gone
through
the
process
because
well
we
understand
how
we
stack
rank
against
it.
We
actually
do
quite
a
bit
of
it
or
we
don't
do
this
much,
but
here
are
all
the
other
directions
that
we
could
do
that
are
going
to
give
our
end
users.
C
B
I
think
that
the
last
thing
I
may
add
is
like
for
projects
that
may
want
to
get
a
official
security
audit
like
a
qr-53
trail
bits
type
audit
is
helpful,
so
to
go
to
us,
we
can
do
assessment
and
then
we
can
also
make
a
recommendation
to
the
cncftoc
that
this
is
a
security
critical
project.
We
think
that
it
should
be
audited
and
we
should
buy
audit
for
it.
Yeah.
C
And
our
experience,
working
with
q53
q53
always
gives
praise
because
it
actually
helps
them
come
up
to
speed
much
faster,
so
you're
going
to
be
able
to
take
more
advantage.
Better
use
of
the
professional
third
party
audit
that
the
cncf
pays
for
once.
You've
done,
the
prep
work
produce
the
information.
B
Cool,
so
I
think
the
last
thing
that
we
wanted
to
talk
about
today,
just
in
terms
of
what
we
do
is
micro
surveys
or
surveys
in
general.
This
is
something
we
do
to
kind
of
keep
a
pulse
on.
You
know
what's
happening
outside
the
end
users,
you
know
outside
the
security
bubble.
What
do
people
think
about
the
from
the
outside?
B
What
are
some
things
you
can
work
on
as
well
as
to
you
know,
go
back
to
the
tlc
and
say
that
okay,
here
is
kind
of
a
consequence
of
what's
happening
and
how
we're
trying
to
address
it.
So
we
did
this.
We
did
the
cognitive
security
white
paper
survey
to
kind
of
get
people's
feedback
on.
You
know,
after
understanding
cloud
native.
What
do
you
think
stacking?
What
do
you
think
we
can
work
on?
You
know.
B
The
results
of
the
survey
said
that
secure
defaults
was
number
one,
and
then
we
had
the
cloud
native
eight,
which
was
talking
about
circular
defaults.
That
pushkar
was
working
on,
which
is
up
for
public
comment
by
the
way.
So
please
take
a
look
at
it.
All
the
feedback
is
valuable
and
then
based
on
that
just
recently
a
couple
months
ago,
we
we
started
on
the
cloud
native
micro
survey
and
this
survey
was
talking
about
what
are
the
challenges
of
organizations
today?
What
are
they
worried
about
and
we
we
see
a
lot
of
interesting
data.
B
We
saw
that
you
know.
Obviously,
supply
chain
is
a
big
issue,
but
actually
not
far
too
behind
of
supply
chain.
You
know
vulnerability.
Management
was
like
10
behind
supply
chain.
Secret
management
was
another
one.
We
talked
about
where
organizations
saw
that
there
was
a
gap
in
open
source,
so
this
was
around
like
secret
management.
B
C
It
is
a
collaborative
effort.
Security
is,
is
a
huge
responsibility,
but
look
to
your
right
look
to
your
left
this.
This
is
a
good
chunk
of
the
people
in
the
world
who
are
entrusted
with
it
on
mitigating,
like
the
pervasive
attacks,
we
we
keep
on,
seeing
that
it's
mind-boggling
that
these
things
continue
to
occur
when
technology
is
available.
C
We
just
haven't
productionized
it
well
enough,
so
we
have
a
mailing
list.
Click
on
it
sign
up
stay
in
the
loop
of
our
different
communications,
come
to
our
github
repository.
We
do
our
best
to
triage
issues
of
what
slow
hanging
fruit.
What's
the
best
good
first
issue,
what
areas
are
we
looking
for?
Help
we
meet
weekly
every
wednesday
over
soon
cameron
cedar
is
regular
regularly
on
the
calls
you
can
ask
him
and
see
how
we
work
there
come
join
us.
We
have
calls
for
the
different
working
groups.
C
The
supply
chain
call
happens
every
thursday
come
to
our
slack
channel.
If
you,
if
you
don't
want
to
get
super
like
jump
in
into
the
deep,
a
good
glimpse,
is
our
roadmap.
We
have
a
project
board
on
github.
That
will
give
you
a
good
sense.
What
initiatives
are
at
play?
What
things
are
in
our
radar
that
that
we're
planning
for
what
things
are
we
being
asked
for,
but
we're
we
haven't
actually
quite
gotten
into
so
there's
plenty
of
ways
to
get
involved.
C
D
B
D
From
the
seg
security-
and
you
know
my
clients
that
I
was
working
with
at
the
time
when
the
solar
ones
happened
were
really
affected
by
it
right
it's
a
serious
issue,
and
so
I
the
first
thing
I
did
was
you
know
we
didn't,
have
the
expertise
you
know
to
deal
with
that.
That's
a
really
big
problem,
so
I
went
to
six
security
and
started
working
with
them,
and
it
really,
you
know,
andres,
you
know
brought
me
in.
D
He
actually
co-authored
a
article
that
we
post
in
our
company
blog
and
he
was
working
for
vmware
at
the
time.
So
not
only
you
know
did
I
feel
that
personal
hug
right.
He
also
helped.
You
know
my
company
deliver
value
to
our
customer,
which
she
didn't
need
to
do
right.
It's
a
community
effort,
but
what
sig
security
can
do
or
take
the
security
tag
can
do
for
you
is
both.
You
know
elevate,
not
only
you
on
a
personal
level
right
by
including
you,
but
also
on
a
business
aspect
right.
D
You
have
some
of
the
greatest
security
experts
in
the
world
ready
to
answer
like
any
questions
that
you
want
and
that's
a
really
powerful
tool
to
use
to
help.
You
know
your
customers
and
your
initiatives
that
you
have
within
your
organization
to
ensure
that
you're,
more
secure
and
the
best
part
about
it
is-
is
that
when
you
do
get
involved,
when
you
come
to
places
like
kubecon
right,
you
know,
there's
not
hasn't
been
one
dull
moment
here.
You
know
I've
been
invited
to
dinners
every
single
night.
I've
been
here.
D
B
Yeah
and
just
like
a
reminder
again
like
you
know,
we
drive
everything
to
github
very
commonly
focused
again.
You
know
open
to
whether
you're
someone
that's
new
to
security
or
someone
that
wants
to
that's
keen
to
learn.
Our
community
is
very
friendly.
You
know
we
we
need
folks,
like
all
types
of
folks,
to
kind
of
give
the
different
perspectives
and
and
ideas
and
yeah.
We
as
the
leadership
team,
the
the
co-chairs
and
the
tls,
are
always
open
to
your
dm.
So
like
message
us
all,
just
ping
us
on
the
slack
channel.
E
C
Doing
pet
pen
tests
absolutely
you
want
to
stress
test
systems
right,
you
want
to
measure
them
for
their
resiliency
and
and
how
fragile
they
are
and
understand
which
different
ways
can
they
break
a
lot
of
what
we
do
with
the
security
audits
is
produce
the
information
that
will
inform
pen
testers.
So
we
talked
about
the
third
party
security
audit
that
cncf
gives
as
a
service
to
to
the
projects.
I
don't
know
if
it's
something
that
they're
going
to
be
doing
with
the
new
credits
program,
but
a
few
different
of
the
projects
have
been
involved.
C
F
F
It
was
like
halfway
kind
of
I
guess
it
was
halfway
between
white
blocks
and
black
box,
but
it's
one
of
the
benefits
of
being
incubation
and
above
project
in
cncf.
Is
that
you're
able
to
do
this
audit
and
the
cncf
will
cover
cost
our
experience
going
through
that
process
was
actually
very
good
and
those
folks
knew
exactly
what
they
were
doing.
They
uncovered
a
few
pretty
nasty
things
that
we
were
able
to
respond
to
quickly.
F
Luckily,
but
we
learned
a
lot
in
that
process
and
it
was
hugely
hugely
valuable,
probably
one
of
the
most
valuable
security
review
processes
we've
gone
through,
and
so
you
know,
I
cannot
recommend
it
highly
enough.
I'm
not
sure
if
that's
exactly
what
what
you're
referring
to
it
with
the
pen
testing.
C
Yeah,
there's
there's
actually
thank
you
evan
for
that.
That's
very
insightful.
There's
there's
one
distinction
in
there
of
the
usefulness
of
of
a
pen
test
of
a
run-time
system,
and
when
we
talk
about
the
ephemerality
of
things
and
like
systems
that
should
be
immutable
like
that
there
shouldn't
be
any
runtime
drift
like
arguably
well
test,
would
would
be
like
poking
a
little
bit
into
those
wounds
if
those
things
are
not
there,
but
it
can
surface
additional
information.
The
audit
is
a
little
bit
more
like
not
in
production
to
say,
but
yeah.