From YouTube: CNCF SIG Security Meeting 2020-12-16
Speaker A: Oh, that's a Marine Corps hat. That was my cover from when I was in the Marines.

Speaker B: It's on top of the beer containment unit; that seems appropriate.

Speaker C: A quick reminder for everybody joining us: the agenda is linked in the chat, please be sure to add yourself in the attendance. If you have any updates, please put them in parentheses after your name; otherwise just put "no update". If you're a new member, go ahead and put "new" and we'd like to have you introduce yourself.

Speaker C: We don't want you to do a transcript; that will kill your fingers. We also have a transcript service of the recording, so we definitely don't need folks to type it out. So really, it's high-level notes of what was discussed and the kind of decisions that are going on.

Speaker C: All right, we are gonna go ahead and get started, so a quick reminder to everyone: this meeting is being recorded and posted to YouTube shortly thereafter. Your participation in these meetings is an agreement to abide by the SIG Security code of conduct, which can be located in our repository. All right.

Speaker C: Pushkar, you've got an update for issue 480. I'll let you go first.

Speaker F: What I was wondering is, if any of the folks who have read it or who have shared it with their colleagues wanted to create a process, working with everyone, that would allow us to have a good set of retrospectives for every version that we will publish. I've created an issue on GitHub for it, just pasting the link. The only ask from every one of you is, if you have any feedback in terms of how we could build a process?

Speaker F: Please add a comment to the GitHub issue. And the second one is, potentially, I'm thinking, Emily, open for feedback: similar to the white paper meetings, we could have a couple of meetings, at least in the new year after the holidays, just before this SIG Security meeting, and kind of discuss with the folks who are interested in working together on this.

Speaker F: So if you want to work with me on this, DM me your email address so I can send the Zoom, and then after that we can set up something once everyone is back from holidays.

Speaker D: Question, if I may. So can you please clarify what the objective is? I'm not sure I've got the complete essence of it. So is it just working on updates, or what? What exactly is the objective here?

Speaker F: Yeah, it's kind of similar to how, in agile, after a sprint we do a retrospective of what worked well, what could be better, and then, based on the feedback that we receive from everyone who were contributors as well as consumers of the white paper, we will get some ideas for what the next version should look like. Do we need to change a few things, like do we need to reduce the content, or was there something that was missing, or something that people thought would be useful to add more details about? Those kinds of ideas we can put together as the first retrospective of version one, and then, while we are doing this, we build a process for how to do the same kind of retrospective for future versions.

Speaker D: So I think there are two aspects to this, if I understand it right. One is, for a lot of us who contributed to this, how could we make that process better, and second is from a content perspective. I think we should keep those two distinct as we proceed through this, I feel.

Speaker F: Yeah, I think that's a fair point; we can do that. What I want to see is to give a voice, more importantly, to the silent voice, in a way, who are not really in the group today that we discuss every day or every week with, but mostly are end-user consumers who read the paper but have some thoughts, and we haven't had a chance to listen to them. So from CNCF's help, maybe with the marketing team.

Speaker D: So I think all of us need to ensure that this is amplified even more, which is where I opened another ticket, where we should do a webinar to really get the message out before we are able to bring in that feedback, so that gives a little bit more time for people to actually consume all the content there, and so that we can feed it into the process that you're suggesting.

Speaker C: I know, right. All right, so it looks like we have a new member, and I apologize if I do not pronounce your name correctly. Facal.

Speaker H: I am basically a software engineer and I also have a PhD degree in automation systems from Cura in Italy. Currently I am in Toronto, Canada, and I work for a cyber security vendor in the United States, and basically I deal with machine identity management. I'm a lead cloud security analyst there.

Speaker H: Basically, my main role these days is that I go to different customer sites and I analyze their environments, their infrastructures, and then I make recommendations to them regarding how they can manage their machine identities.

Speaker H: My introduction to this forum was that I read the security paper that came out, the white paper that you guys wrote, and, well, I basically read the paper and I deal with the customers as well, so I have some background in that information as well. I actually joined this group because I wanted to see a couple of things added more to that security paper regarding machine identities as well, and also how people are doing their CI/CD pipelines right now at different customer sites.

Speaker C: We have an announcement, so for those of you that are new, or some of you that have been around for a while: typically, our SIG has technical leads that kind of drive a lot of the direction with the co-chairs and help initiate some of the activities and make sure the SIG is moving in the right direction.

Speaker I: Don't they have to be voted on by the CNCF TOC first? So we're just going to open the voting, but we agreed to do that today. Yeah, yes.

Speaker C: OK, let's talk about SolarWinds. Mark, do you want to kind of start that?

Speaker G: But I think it's a great use case for the problem of securing the supply chain, and you know The Update Framework is something that a number of us have poked at, either using it or talking to the developers and participants in that project. You know, it's a CNCF project. It's, you could argue, a central piece of securing software in the foundation, to be able to secure the supply chain.

Speaker G: The other thing is that, from my point of view, we tend to attract, and this is self-congratulatory, but we attract a pretty high level of competence in this group and in others, and what that means, from an attack surface point of view, to use the minor terminology, is that smart people can put smart bugs into software that end up being compromises of not just the tool, in the case of SolarWinds here, but the whole institution in which we're trying to stay engaged, so building frameworks to build secure software.

Speaker G: It calls the whole thing into question. So the mechanics of how this happens get diluted as it bleeds out into the public space and becomes both a slam against the cloud platform in general, against self-regulated institutions like this one, and I think about crowdsourced software, kind of writ large, in that space.

Speaker G: So I have some views about this, but I really just wanted to open the floor to what our thoughts about this might be. You know, what are we doing? Is the best we can do, you know, is this the case of lightweight adoption by commercial entities of things we're already doing well? Is it weak socialization of best practices that we think people have already adopted, or is this really just the reality we haven't come to terms with, that undermining the tools is really the most sophisticated and best attack surface, and we should have been ready for this?

Speaker J: It's lovely, I think, to imagine that we should have been ready. First, I think we all knew about it coming. I think we're all humans, we're all lazy, right. I found an example somewhere recently where someone didn't want to wait for a pull request to be merged into a project, so they forked it, they did a build, and then they included that binary in their Docker image, right, and "we're going to get rid of it in two weeks, because it's just a temporary thing," and that was four months ago.

Speaker J: So it's going to be ongoing. I think it comes down to: how can we make the security as easy as possible for folks to use, so that they don't realize when we ask them to adopt it?

Speaker G: I mean, one of the, I don't know, weaknesses that I see here is a kind of an instinctive preference for vulnerability scanning as the security framework. You know, this should have been a lesson when the ASUS update thing happened.

Speaker G: I think that was early in 2019; there are probably some others before that, but it's very hard to get away from that, especially if you have siloed teams in your enterprise who do nothing but that, and that is, you know, that's a busy-making enterprise, trying to keep up with that, and it's not just a case of patching everything, right. It's a risk-rated gradation of things. That's a non-trivial effort.

Speaker G: We have to acknowledge that that's the reality of it, but I do think there's a tendency to say, well, I pass the scans, it must be okay. And then there's the other thing that we deal with in finance, which is how do you vet your third-party software in general, your third-party contractors, partners, even some of your customers?

Speaker K: …the way that I want them to, right, and when all I get out of that process is a signed image where their PKI probably was exposed on an FTP server for two years, right. So I think being able to bubble up that metadata that went into the build process in a standardized way is going to be the way forward, and that's where I think this community can help out: what does that standard look like, and how do we distribute that among the enterprises? How do we contribute to that? Is it?

Speaker L: They're just the tip of an iceberg, right, so we're trying to do, like... I think it happens every year, more or less loudly in the press, depending on how many and how big the companies are that have been involved in the incident.

Speaker L: But this is just like prevention of this, and securing the software supply chain against such compromises is just a prevention tactic, but we should think about defense in depth: presume that this has happened already or is happening in your system. How would you be able to detect and find it, right? I think so.

Speaker M: I think part of the challenge has been that historically we've relied on self-attestation for these kinds of things to suggest that the supply chain is secure, so we've seen some movement, for example with CMMC, to go in and try to bring some auditability into this and some third-party ways of attesting.

Speaker M: I think if there is a way to automate some of that, it can probably reduce some of the cost and the load, but that would imply an integration of the supply chain, and some of the work that I'm doing with some other standards groups is trying to tackle this kind of problem. So I'm sure folks in this group are aware of some of those activities, but we have to pick and choose.

Speaker M: I think where we think we can play a role in this... we can't boil the ocean on this. It's a big problem. If we can automate key parts of this, I think it would be at least a step forward. Thanks.

Speaker L: And there have been enough problems, I think, recently in CI/CD, and a few guys subscribed to any channels where you get, like, vulnerabilities. I think lots of them come in different CI/CD systems and plugins. So a good point that I've seen, I don't remember if it's been on Twitter or through internal discussions related to this, but there is a feeling that we do a pretty good job, or like decent, on the product security side.

Speaker L: So it's pretty hard to get access or compromise a system through this, but CI/CD has historically been something that's sitting somewhere in bootstrap in all our systems, but we paid less attention to the security of those systems as well, and then that became an easy target nowadays for bad guys that are trying to get into our systems, so maybe spending more attention and cycles on securing CI/CD systems, as well as internal, is also good.

Speaker M: Just pulling on that, if we can make the economics of this work... again, the issue here should be that it can't be prohibitively expensive for the supply chain members to participate in this; it's got to be really low-key. Somehow there's got to be a way to automate. This is kind of what I'm coming to, I think.

Speaker B: Can I ask a question as a group? I'm sure everybody probably knows FAIR and does some amount of, or attempts to, quantify risk, right, for prioritization, budget allocation, all that kind of stuff. But some of the interesting thing here for me is when your crown jewels are not necessarily financial, right, like if you are the cornerstone of civic responsibility, then how do you quantify that in a FAIR-like system, right? How does that work if everything is meant to boil down to dollars?

Speaker B: I've had the same thing where I worked at a non-profit where we did a significant amount of human rights and activist work, and the push and pull there on what you could and couldn't do, and who you could and couldn't protect, and which you couldn't guarantee, was pretty exhausting, but a lot of our models on where and when to spend money come down to: we can do it so well, and after that there's insurance, but not everything is recoverable, right. If it's not financial, it's not recoverable.

Speaker J: So I hear what you're saying there, but I think we need to bring this back a little bit and think about what we can do to actually either make recommendations to other CNCF projects. My guess around this is: is there a standard we can either use or create, or modify something existing, that is easy to implement, has that sort of cheap cost, and is automatable for those who want to do that? Does that sound approximate, or am I off in left field?

Speaker B: No, I hear you. I think the CNCF's already engaged in risk management, but I don't know if they want to inform anyone else; that's for sure. But really I was just shooting the breeze, right, like what the ultimate impact or loss will be is, oh, hugely, totally great. It's an interesting postulate. You know, yeah.

Speaker G: There's an instinct for CNCF to cannibalize its own projects. That's a good thing! If the projects are good, use the authentication tool that's in there, use the audit tool, use the red team tool that's already in the landscape, right. That's sort of an implied...

Speaker G: You know, if you're CNCF, that's an implied coming-to-the-party thing, but what that says, I think, about security is that the probability then of infecting across the landscape with reused compromised components is greater in the CNCF than in many other organizations, where some of it is outsourced, some of it is built in-house using internal DevOps practices. But here we have this sort of open-source-über-alles kind of instinct. Am I wrong about that?

Speaker I: There's still a lot of diversity in open source. I don't think there's... I think there's a lot of different choices made by different CNCF projects, and I don't think it's as uniform as that. I think there are more good open source choices you can make, potentially, than closed source ones. In many cases, I mean, there are probably more choices with closed source, but not all of them are necessarily good, and you at least get the opportunity to make a better-informed decision.

Speaker C: …security assessments that we're currently doing, to either increase visibility and awareness of how these things can happen, or to help teams think more about how to prepare to potentially address this or mitigate it, either by providing end users with a behavior signature of their projects, so like when it's deployed, this is what it should be doing and looking like, and having that separate from the actual build and release. Or is there something that we're already doing, and we just haven't reached enough saturation within the landscape?

Speaker M: …end up taking has to be automatable, so if, for example, we're going to check in on secrets management specifically, what are we going to check in? And I think it's going to help us to drill down on what the key things are, and we can build this over time, but just get the ball rolling and, iteratively, if we can tighten this a little bit, I think that would be kind of the approach to take.

Speaker F: …here was, if comparing, like, CNCF projects versus individual projects managed by one person, generally the overall sense is I'll have more confidence in CNCF project security because of the process involved, from sandbox to graduation, security assessments done by the group here.

Speaker F: But it's sometimes not a zero to 100 percent, I mean a zero or one boolean decision, so maybe in the assessments, I don't know if it's already done, we should mention a few things that we haven't assessed for. So we generally share that this is in scope, I would imagine, but sometimes maybe it is worth saying that supply chain security was not in scope of this assessment, so that people are not blindly trusting that the assessment was complete, versus knowing that, okay, this was not in scope.

Speaker C: So we have a couple of those things documented that are needed to be done in the updates. So for anyone that's not familiar, I'm going to do another plug here for Brandon: the security assessment process that's performed by the SIG is currently undergoing some changes based off of feedback from the last five assessments that we did, as well as some community involvement and some of the other things that we've noticed over time while working through these assessments.

Speaker C: So there is at least one PR out that has a recommendation for new documentation that better aligns with the current TOC phases for CNCF, either sandbox, incubation and graduation, as well as there's an updates one coming out. There's benefits associated, so explaining to project teams what they are gonna get out of it when they're coming to us and we're asking them for all of this information, and what their end users get out of it.

Speaker C: So there are plenty of issues on making these updates; check them out in the repo. There's actually a security assessment label, I believe, that you can click on. So if you have ideas, definitely add them to those issues. I think some of what we had talked about in that working group is a lot of these things.

Speaker C: This is where they should be paying more attention, because, realistically, if they're not a security project, they're probably not thinking about it in the forefront of their mind, and we've, to date, really done closer looks at the security projects, like with the SPIFFE/SPIRE assessment, and in-toto is looking at them from a supply chain angle. But not all projects are security-minded; they're not security-focused, and we'd like to be able to help them out in that area, so that the entire landscape becomes more secure.

Speaker L: No, it's not the only software supplier. This is where it started, right. But my whole point is you cannot solve this problem with one thing, and back to Emily's point: we have multiple projects in CNCF, right, but some of them might not be there, but if you think about this problem holistically, like who here has everything, all the tools, to be able to protect and detect this?

Speaker L: I can openly say that we don't, and this is why we're looking into this problem, like what are the tools here. That's...

Speaker E: That's why I prefaced it with that. I'm sorry to interrupt like that. That's why I prefaced the whole... That's part of it, like the financial part of the software supply chain; there's obviously runtime capabilities, there's things you need to do at a node level. I mean, I think we're all in agreement it's not just one thing, but it's basically, like I said, some type of standard, which I think, Emily, you also kind of alluded to as well.

Speaker E: It's some type of base standard where we can say, here you are, these are kind of what you should be doing for each of the projects. We do that somewhat with the assessments; there should be almost a playbook as well, post, that says: okay, going forward, because people are like, okay, I just escaped this assessment, cool, I'm signed off. Then what happens a year later? Something like this happens and they're like, well, you know, I don't have this list of things that I need to do in my world, right. So that's...

Speaker L: No, no, no worries, just to finish my thought. I think that's a good idea, to use this example, like, hey, this is what happened, this is what we know, and this is what you probably should be doing, and these are the tools that would be able to, not completely solve this problem, but have a certain mitigation to prevent this, or if not...

Speaker L: If you cannot prevent this, how you probably can detect this, and that's what also helped, like polishing the landscape and finding out what gaps we have and what tools we need and which projects that might not be in there that we need to engage with. And I think now...

Speaker O: To a certain extent, the Core Infrastructure best practices badge does measure for a number of these things, and it's something we look for in the assessments; we require projects to attain the best practices badge, if not the silver. It's also something that the TOC looks for for the promotion of any project, from intake or promotion from one state to the other. Assessments by nature, there's a lot of variables, not many things are constant, but one thing we've come to is, like, hey, how are you managing secrets?

Speaker O: How are you managing rotation of keys? I know Justin was very diligent in asking, well, you're using TUF, great. We cannot just check a box and give you passing colors for this thing. How is TUF actually being used, like what version of TUF?

Speaker O: How does this interact with all those different things? And that does demand a lot of, well, taking a closer look at these things, but for starters, if we extend either the CII best practices or we do a security best practices badge, we could measure for at least common-denominator things that should be in there, and just forming a thought around that. I want to put that there, like thinking.

Speaker D: Yeah, I like that a lot, and the CII badge kind of... if we were to... how amenable would it be for us to come up... Of course, this is, and this goes to Alex's point, which is all fully automated, but how costly, both from resources and all those kinds of things, would it be for us to come up with: here are the 10 security checks, and then we give that badge?

Speaker N: I think so, because it is not a one-time thing. Again, you have to do yearly reviews or periodic reviews of those products and recertify them as well, because new threats will come and new vulnerabilities. Who's going to keep up with all the updates to them? That becomes quite challenging.

Speaker E: It's almost like a certification, and again it might be more work for us, but I'm just thinking in general, like there's an assessment that you do to get a project over the hill, right, and then, you know, when you sit for a CKA, CKS, or any of these things, another two years or three years you have to re-sit. I almost feel like that needs to happen, but then also we need, again, I mentioned this playbook.

Speaker E: It's not like something you drop off and say, go. It's like, look, there's a link to the best practices that security has that you need to put in place, from your supply chain, from your runtime, from your whatever it might be, that they can refer to. And again, it doesn't absolve security from all this, but at the very least it gives these best practices. I believe that's more helpful than what's in place now.

Speaker C: So is that something there's an appetite for, to expand from the white paper on? So the white paper was intentionally intended to be like the "my first cloud native security architecture" kit. How do we take that concept and break it down even further, to more concrete actions that we want to see projects and entire architectures take when they're looking across the ecosystem at what's going to be their orchestrator, what's going to be responsible for their service mesh, how are they managing identity?

Speaker N: I think that's a great starting point. I think we can expand from the paper, but there'll be lots of offshoots, right, where we write individual detailed documents providing guidance just for supply chain, open source software, etc., etc. But we should map that out first, as to what that offshoot will look like, and then from there we can start developing those best practices.

Speaker G: The other thing I want to inject in the conversation, and I don't have an answer, this is going to betray my Department of Defense history: a tool like SolarWinds is a force multiplier. If you look at the CNCF landscape, these are not all equal threats, right. Certain tools that are highly scalable or are interpenetrated in the network have differential kinds of risks and threats. So I know we try to... I've seen some of this in the assessments, we ask the sponsors to talk about worst-case scenarios and the impact of that, but maybe we could do something more formal around that.

Speaker C: I think we probably could. One of the original intentions behind the white paper was not to get into a lot of detail, but to be able to create additional documentation or content around the white paper for specific areas. Like, the reason why we didn't fully expand on supply chain security is because it's such a large area, with such a huge impact and potential repercussions, that it really needed its own audience, its own kind of...

Speaker O: Now, if we look at SolarWinds, it's unfortunate, and the response at this point may be, like, hey, let's shut down every single instance of SolarWinds. An attacker can actually have anticipated that, and they're going to conduct an advanced persistent threat. Monitoring has been shut off organization-wide now, so they may be employing a bunch of other things, like attacking weaker points that are things that don't meet this gold standard or don't do this thing.

Speaker O: So while we could look for things that, well, in the development and maintenance of this project, maintainers are doing the right thing, like this is how they're signing releases, this is how many keys are out there who can sign a release. All of those checks are good, but that's the theory; in practice, there's a lot of deviations that may exist. So do we contemplate those things in scope?

Speaker O: We don't, and to say, hey, we're making this attestation of, like, things have been done right in the delivery, but once things are running in prod, there are all these deviations that may have occurred. Are there discrepancies between intent and implementation?

Speaker M: So I kind of get the sense that the conversation is steering towards establishing a set of controls, and I would caution us in going down that path. We don't want to slow things down. We want to be enablers of the innovation that's already taking place, right, and there are different projects that have different groups, different sizes, different levels of maturity.

Speaker M: Could we, for example, provide code that has already been through this process and say, look, here's something you can reuse as an example, right? These are ways to help accelerate, rather than forcing this down and saying you can't move forward unless control, control, control. It just hasn't worked in the industry. It's just security getting in the way, essentially. Anyway, others are welcome to chime in. Thanks.

Speaker G: I think that's why Emily calls it education. We're in another meeting talking about CNCF as a third party, and this was a professor at Indiana University, and he said, you know, CNCF has been successful when you compare it to the grid community, which, if you rewind the clock five or ten years, was trying to do a similar kind of thing with the grid, and it failed because there were too many controls placed on the projects, and sort of the loose-reins model of CNCF is so far part of the secret sauce here. So maybe Altez is getting at, you know, the need to, I guess, keep that secret sauce working and yet provide projects with things that are enablers to do this. I don't have all the answers either, but sometimes you've got to make this conversation happen when it's front of mind, and this is one of those moments.

Speaker E: There's a situation too, one of the things is, if they're starting out and they have that white paper as an example and they're embedding their security in there from the start, I think that's also useful, right. So I think again the SIG Security's role in that is basically making sure that, from the start, if there's a new project coming in, they already think about these things, because what are they doing right now? They're like, I need to get my code out there so people can buy my product or use my thing. You know what I mean? So at the end of the day, those are the things that are going to be the priorities for them, and if we can kind of say, look, it's not going to impact you, just think of these things: you know, circulate your keys, make sure that your AWS instances or whatever are really locked down.

Speaker O: I just want to share my screen as we talk through this, because the CII best practices does make all these recommendations, and it's not putting a barrier or hindering people, discouraging people from developing and open-sourcing software. It's like, hey, keep doing what you're doing, come in here, say whether you met or didn't meet something, like, what's your progression towards that, as opposed to, like, a lot of people see the assessment as the checkbox thing, like, oh, this got us on to incubation, but a few exceptions.

Speaker O: Some projects may do it because, well, it's going to get asked again in order to graduate; some others may just do it because they care about it and they want to improve these things, but yeah, secure release, what artifacts are performed. If you could go to gold, the requirements are more stringent.

Speaker E: This is the first time I'm even aware of this, right. You know what I mean, like as a project, that's, you know, anyway, part of a project, right. So I think the awareness here, again, I'm sorry for cutting you off there, but I think an awareness of this would be amazing, because I had no idea this was even available.

Speaker O: It is, yeah. It is actually not automated; there's no conformance test for this. Essentially, a project person comes in and works through this list and they self-certify: hey, do we meet, do we not meet this, and provide some evidence for it, but it's like checks for those things and it outputs the score, but no one is actually coming in, like no human or machine corroborating that that can be true.

Speaker O: So I want to answer no. In my personal experience, I filled out the one for SPIFFE/SPIRE when we were working to move from... when we made a proposal, hey, we're ready for incubation. One thing we do is we actually put this on the... we have the little badge on the project README.

Speaker O: Let me get the Zoom thing out of the way, and yeah, I have gone back and, like, we have one standing item on one of the categories that we're working towards, but it has also given the project a guideline of, hey, it actually helped us clean up and organize a lot as we were working through these things: what could we improve, and where should we be doing better, and if not, well, what?

Speaker C: So I want to circle back, because we've talked about a lot of stuff and we've got 12 more minutes left. I know you guys all want to be here all day, but so I've heard that potentially creating libraries, or even role sets or policies, for teams to either enable some sort of automated detection that they're doing better, that they're being more secure in their practices, or that they're meeting CII badging criteria.

Speaker C: I've heard the retrospective on the white paper, and just in this conversation alone it sounds like there's a lot more work that could potentially be done there, as well as more updates to the security assessments that we're currently doing, the PRs that are already out there for it and the open issues. Those are the three primary things that I'm hearing for how we can help educate the community better, to do better and just kind of strive for more secure projects.

Speaker J: There's two things there: there's the areas we need to educate in. I think the other part that was sort of interesting, that will come from that retrospective, is: how do we go about doing that education?

Speaker D: Should we open a PR to just start collating all these great ideas, right, which is, from a CII best practices, like a security best practices, and maybe pull in a lot of the security assessment framework to actually make it, and maybe Brandon is already on top of that, to actually have it rendered somewhere where we can actually look and feel, and that's a great first step, and then we start to see how we can potentially automate it and have projects...

Speaker C: Yeah, I would agree. I think I would like to see a lot of folks sign up for that retro with the white paper to kind of help drive more of this educational conversation.

Speaker C: I would also like to see folks take a look at the current security assessment improvement issues, as well as the PRs that are associated with them. I think we only have like 11 PRs in the repo right now, so there's not that many to go through, just to evaluate with the current recommendations from the working group: are they still sound, and how do we improve them? And then, for the other bits that we don't actually have projects in flight for, maybe create an issue to evaluate the fallout of the SolarWinds event?

Speaker G: You could do this with red team, virtual red teaming, also, but to identify these force multiplier scenarios, like compromising VMware, you know, the thing that fires up instances of containers. These are places where, if you do an inject, you can scale the risk rapidly, and people may not think of those unless they're forced into sort of iterating through the scenarios. I don't know where that fits into your taxonomy, but that should be on the list, I think.

Speaker C: Agreed. So who's gonna make the issue to capture all the little tiny tidbits for projects we don't currently have in flight?

Speaker D: Yep, I'll... but maybe I'll... let's, yeah, I'll reach out. Thank you.

Speaker C: All right, are there any other topics that somebody wanted to talk about with the last six minutes that I might have missed inadvertently?

Speaker F: One of the topics from last time, I wanted to just give an update there. Brandon and I were discussing how the CNCF landscape and the cloud native security landscape are not really related to each other, even though they sound very similar, so I've been thinking about: would it be a good idea to potentially rename the cloud native security landscape to something else?