From YouTube: CNCF SIG Security 2020-02-19
C: Yeah, yeah, we might kind of take today a little bit of time if we want to just shift to a working session.
B: Alright, looks like we have quite a few people on the call, so let's kick off with check-ins, and thanks bozo and Nashville for volunteering to scribe today's meeting. So just a quick update before I get started. I know, and it should be. This was supposed to be the SPIFFE/SPIRE assessment meeting. Unfortunately, there was a lot to me, an emergency. The folks didn't make it, so we're gonna push that back, probably to next week tentatively, but we will figure out the date and then post in the group. All right, so let's do check-ins. Kapil.
E: We can find some time to do that, but my major update this week is there's stuff starting to happen quite a bit with the Notary v2 effort, and so I've started to really dive in. We just had the official PEP, which is like the standards process for the Python community, on TUF accepted, and so we've really shifted over and started to work with the Notary folks and people who are in this group that, you know, have spent time thinking about security issues and operational issues with the cloud.
E: You might also want to pay attention to some of those meetings and things, because they're struggling with... there are some people there that are struggling, I think, or could benefit from, like, more effort paid to the threat modeling, and so might like... There's a few of us that are stepping in and starting to try to help them to add that into the process now.
G: That correct, or I don't know, Justin, I'm not sure, with 2000 furniture they probably.
C: So, because I... so those of you who don't know, Joe Beda has been endless rice for our TOC liaisons for the past half year or so that we've been an official SIG, and Joe's time on the board passed, on the TOC has passed, and we have a new round of TOC people, and Liz remains on the TOC. They had like a kind of every-other-year thing, so Liz will be continuing and Justin rounds out our TOC liaison team, and then I linked in the notes the... we have nominated tech leads.
C: We had a little freeze while the TOC was having its elections, but I'm excited that Emily Fox and Brandon Lum and Justin Cappos have all agreed to be nominated and continue their leadership roles in this SIG in a very official manner, pending the actual vote. So far, the people who have voted have approved. You know, we're optimistic, we'll see. Feel free to +1 non-binding on the thread, or, you know, chime in if there's dissent.
C: Definitely our spirit, as we have attempted to encode in the governance, is that people step up and start doing things that need doing that either overlap their skills or are in an area where they would like to develop skills and knowledge. So, welcome anybody. We have a lot of roles to fill that are very, very important, and I look forward to seeing our new adventure: exactly what a tech lead of security is.
I: Hey guys, nothing for me. I was trying to look up the reference. NIST had an invited presentation from a project that's starting up to do image sharing for electron microscopy, building some big data APIs, and it introduces some interesting security problems around containerized objects like that. So I don't have the slide deck yet, but I'll share it with this group, because it's a great family of use cases and it's intended to be public.
I: It was an invited presentation from the NIST leader there, but I think the project probably will unfold separately, because the lead folks are mainly in biomedicine. Okay, sort of interesting to note that I think a lot of the stuff that goes on is deep in the disciplines, right. It's not in the horizontal working area that this group has to wrestle in, so I thought...
E: Yeah, so what we have in terms of the queue is we have the SPIFFE/SPIRE one in progress. We have Falco, Dragonfly, and Cloud Custodian that are all basically fairly early on in the process, in some cases where we're waiting on things to kind of internally settle out and get it together. It looks like we're waiting for chairs to sign off on Falco, which is something that's easy to do, like...
E: We do want them to feel like they have a complete document they're ready for us to look at for that, because there are templates and things. It's intended that whoever the lead security reviewer is, who we don't have at this stage, is gonna do a lot of, you know, it's gonna look at this in detail with them, and we don't sort of want this to be like an initial, unthought rough draft that's partially finished. We want this to be like a document they think is good and rightly.
E: Can you give me some more guidance, like it... but we did these other things, but what we don't like, the idea is that the team would go and actually produce a real, viable first draft of the document they think is good, and then the lead security reviewer goes over it, not that they sort of jot down some notes on a napkin and then hand it over to the lead security reviewer to help them figure... Okay.
F: I think so. We... I mean, mostly we've been cutting content versus having more content. To be honest, I think we're at a phase where it would be nice to actually talk to someone, interviewing to get a sense of things, because, I mean, we haven't added a lot of content. We've slowly been like, oh, we don't need the STRIDE scale on this classification of threat models, and like, so now we're just trying to trim it down, but I mean we're at a point where, yes, it would be great to have talked to somebody.
E: Right, and hopefully then we can get that moving a little further along and get, you know, get the process really sort of to the next step, which is to have a document that you wouldn't feel comfortable... that we'll all be able to read and make good sense of, which, you know, sometimes just having somebody outside the community read it, who doesn't understand a lot of the context, is fantastically helpful.
C: So what's it... so in terms of the lead security reviewer, I looked up, and we had said that we wanted to have, aside from the very early bootstrapping process, we wanted to have somebody who'd reviewed a project be the lead, and we have a short list of potential leads here. And so, since Cameron has agreed to help and shadow someone, I'll volunteer to be lead in terms of helping to orchestrate the process with a helper, because I'm like a little crazy busy, and what I'd love to do is say:
C: Okay, we won't formally kick off the process till next week. Give me a chance to meet with Cameron and kind of figure out how to streamline it a bit, and then I'd like to test to see if we can do this. We have like a three-week goal of, like, can we execute this in three weeks? And so I want to not start until we feel like, okay, well, we've got a plan, and then ask everybody.
C: So is the next three weeks clear for people to... I did, because I think that the more that we can get these to be a chunk of focused work after the initial self-assessment and getting the team together, I think that'll help us. Just kind of... it'll be good for the projects, it'll be good for us, and I like having that goal, but we have...
J: Just a question about the review process: like, once a lead reviewer is, you know, engaged and we're moving forward, how does that actually work in practice? You review the self-assessment. Do you have a meeting? Do you just check in online, like, yes, we approve? Like, how does that actually work out? Well...
E: What that is basically happening is the lead reviewer is doing like an initial kind of pass to see if they think the rest of us four reviewers are going to be able to read this and understand what's going on, so that you're not kind of flooded with, like, weird clarifying questions from everywhere. And the point is that when the rest of us, like, try to do it, then we hopefully will be able to understand everything we need to know about the system, and we'll be able to ask for technical questions.
E: But this is a chance to sort of, you know, make... you have to define, like, you know, what is a widget? You know, if you talk about widgets throughout your document, like, what the heck is a widget, who uses it, and how is it defined? And, you know, when you say the word crypto, what do you actually mean by crypto? Is this a... yes? Are you, you know, like, what?
C: The Google Doc was more than sufficient and people were responsive and we went back and forth, but part of that was Santiago was, like, in our weekly meetings a lot, and like the OPA people had been very involved in SIG Security, so it could be that, you know, with a new group it would be like, oh, this is like really confusing, let's just get on a Hangout and talk about it, because I don't know what you're talking about, right. I mean, I actually know Cloud Custodian, or know of it.
C: I should say, before this, so I think I have a grasp of what it's supposed to do, but that's where I think we do the... other than the official, this sort of presentation, everything's pretty, like, live meetings are ad hoc, and so far, I mean, I think that, Robert, you did a meeting, a kickoff meeting, with Falco, yeah.
C: Yeah, and I also found that in the final assessment there were some things that we liked... I ended up having a meeting with Santiago to be like, well, I kind of think you should be doing this, but what do you mean by that? And to sort of finalize our recommendations in a way that we, I think, aspire to: have those be things that the project embraces and thinks are great things.
J: Right, so, okay, that gives me a good idea. For the self-assessment, we kind of got to the point where we're going back and forth on a few things, and so it would just be helpful to have some initial feedback on direction, especially when it comes to, like, the threat modeling and stuff like that. So anyway, we'll be looking for guidance there.
C: Maybe we just look at it. One person volunteers to look at it and says, oh look, they fixed some things, right, I don't see any red flags with changes that have happened, but... and, you know, like, maybe we would have a deeper look, like more like the first assessment, if there's been more changes. And we don't have a process for, like, oh, somebody, major policeman changes their security profile in between updates, but I think right now, where the majority of CNCF projects don't have an assessment, you know, that's not our biggest concern.
I: I hear you, and so this may be, you know, a future topic, and I don't want to derail the agenda, but, you know, in our organization this is kind of tied to the agile process, and it's an important problem, because some of the security gaps end up in technical debt that are supposed to get resolved later on. Features could be rolled back for initial production use and then introduced later, but they don't come back for review.
I: Also, you know, some of the solutions that are being put in place to address these security elements that were addressed have to themselves go through a review process, so there's a fork and then a return to, you know, a future junction point for that. So it's a non-trivial problem, and it's one in which maybe the product owners need to be, you know, the key advocates for that, as opposed to the security TOC itself. Just a thought. It's like, you know, it'd be interesting to poll, maybe not today.
P: I actually think it is somewhat pregnant. One of the reasons I didn't jump in and say I'll volunteer for the Cloud Custodian lead is because I'm already lead on Falco. Implicitly, I sort of assumed that the lead would have to take on the burden, at least, you know, initially, of that kind of annual review process. Now...
P: Anymore, it's not an official part of the process, but I think I had opened up a GitHub issue on how this annual might work, and I think I put a flowchart in there at some point, but just implicitly, for me, I was assuming, as the lead for Falco, that everyone's gonna come back to me a year later and say, where are we with that annual process? So I didn't want to jump on too many lead roles, for that very reason, I think.
E: You can always say no to something like that, right. I think, I mean, there's something nice about having at least some of the team from the prior assessment participate, but there's also something nice about having other people come in and take a fresh look. So we haven't really discussed this, but I definitely would not... I would not be in favor of a process where the entire team was expected to do it in their same roles, and I wouldn't be in favor of a process where the entire team must be switched out.
P: Why I kind of thought the tether might be the lead, so the whole team doesn't need to come back a year later, but maybe the lead would be the point of contact that says, you know... It doesn't necessarily have to be me as the lead, but I'll be the one that kind of does the reach-out a year later to try to, you...
I: I know, I wasn't really so fretting. I was... I mean, the who problem is important, but the when problem seems more problematic to me, like a year, right. Let me introduce a use case. You know, so now somebody comes to us for a review. We do these reviews, right, and we say, oh, you don't have any audits for this transaction. So, okay, we'll do that, but we need to get the product out without one. Okay, go ahead. So they put the audit thing in, there's no Apogee interface. Oh, we forgot to do that.
I: So the whole team doesn't need to come back; who it is, no, isn't so important as, you know, catching this technical debt thing and making sure that the review for this, you know, critical function from a security point of view that was omitted in, you know, a previous release gets put in. And so I think an annual review is like an artificial... maybe it's better than nothing, but it's an artificial one that really should be more tied to what happens on the product feature set than anything else. I...
P: I agree, it's totally artificial. It's arbitrary, in that I had put in the flowchart I envisioned, you know, some other triggers, you know, CVE discovered, and maybe that should retrigger the thing. I think there's some debate, but I think, practically speaking, just getting the time from the project to do it on an annual basis might be onerous. So I was, you know, certainly...
C: Well, I think that we've made an effort to make it as, like, lightweight on the projects as possible, while adding a benefit that is hopefully of more value than the effort put in, and I think that we generally... the CNCF, like, it's the project's self-responsibility here; we can't dictate anything to the project. That's not our role as the special interest group on security.
C: We can, you know, make recommendations to the TOC, and the TOC could potentially, you know, exert pressure on projects to do something or not to do something, or, you know, has the right to kick them out of the CNCF or whatnot, but mostly I think that, you know, I sort of, like, in my roles as engineering manager and doing security stuff in companies, it sort of echoes...
C: What we're seeing here, which is that the project itself has to actually care about security and take responsibility, and I think that in, like, a commercial effort or government, or, like, when there's an organization that isn't quite so grassroots as the CNCF, having some kind of a technical project manager make sure things happen, 'cause things, security things, fall through the cracks all the time.
I: I mean, I'm in a regulated industry, so this is a giant deal, but, and, you know, so for an open source community it's different, you know, should be different, probably, but it's really important, and, you know, the role of, like... what's the role of a project manager in an open source project? Is there even... is there even an awareness of that? You know, I...
P: I guess, Mark, I would ask kind of the question back to you as a highly regulated entity using open source: have you ever seen pushback, like, we're not gonna use this product or open-source tool, or we're gonna discontinue using this open-source tool, because they haven't refreshed their audit or assessment in the last 12 months? You...
I: I know, you know, we talked about this in this group a couple years ago, maybe. You know, so that's where Black Duck and these commercial providers try to give us impartial assessments of the status of these open-source projects, and so there's that, and then we look at the CVE count, and then we have, you know, individual practitioners have opinions about it, like people who worked at Capital One in the past. I heard, I hear we got Capital One people on this call, so, yeah.
I: Capital One people in our company, so they have views about some of the open source projects, which they bring to the table, and then there's the whole problem of how to bring automated testing into our pipelines. So open source projects with no automated test scripts means more work for us to put that in the pipeline, so that enters into it. So it's pretty messy.
I: You know, I'm not trying to impose that messiness into the process here, but there are some important facets of it that are worth introducing, and some critical omissions they might be made for good reasons. These nice trade-offs are realistic and important. I need to get logged in, you know, 'cause we trigger future reviews. I...
O: I think there is a pressure from two sides, so most of those open source projects are out... there are vendors or big businesses behind them, right, who are driving development or adopting, and then, you know, the internal classic requirements and security apply and kind of leak into the upstream of them. I am, I'm on the mailing list or security issue reporting for open source project.
D: It's not necessarily something that's different between an open-source project versus a highly regulated industry. I think that's a mindset that typically within the organization needs to change, and I have conversations with organizations like this all the time, especially around containers and container or application delivery, to the point where they need to understand that this needs to be part of the pipeline for their DevSecOps pipeline.
D: There are lots of ways to do things, I think. There's good, better, and best, and figuring out what those are in terms of what we're talking about here today with some of our assessments. Maybe there are some better ways to do certain things. Maybe there are certain policies to apply that make sense for everybody, so...
B: It seems like this discussion kind of... it's a bit deeper than I think I went to the going, so in the interests of... so that we have enough time for the other things that we wanted to cover, Mark, would you mind creating an issue? And then, if we have enough discussions on the issue, then we can first get you another call where we will dedicate half the meeting to talking about just this.
C: I'll just wrap this up by... I'm gonna move Cloud Custodian into the backlog, because we've assembled the team and we just haven't quite kicked off, and thank you, Robert, for helping to move that along. And then Falco, maybe, Robert, you could say, are they still working on their self-assessment? Is this...
C: So the security assessments are not directly correlated to the CNCF stages. Okay, so we do... we now established that anyone who has not already had an audit, which our people are eligible for during graduation, during incubation, and I think is typically pre-graduation... But before you have an audit, you should have an assessment, because that helps the process, but other than that, there isn't... it's not a gate. Although...
C: We talked about that; it would be good if people did a self-assessment before, you know, because I think that has good inputs, but we're... I know we've been asked by... well, Joe suggested that maybe we should look at our self-assessments and see if we could factor some of the material to be some of the other material that's generated. So there's all, like, a little process alignment happening right now, but, yeah, it's not like that one.
M: So, fabulous news: if nobody was paying attention in the Slack channel, we have a schedule for Cloud Native Security Day. So thank you to everybody and anybody that you know that's submitted for it. We had a lot of really good submissions and we had a lot of really good discussion on everything. So the schedule is live, it is posted, it is linked in the Slack channel. Feel free to retweet any of the number of tweets going on around it. So we've got a wide variety of speakers.
M: We're hopeful that this year we'll have a significant amount of diversity in the talks as well as in the presenters. So if you're interested, you can go and check out the schedule right now. We are beginning to look at day-of logistics and planning and day-of staff, so the ticket number 305.
M: We do have a couple of people already signed up for day-of staff, but if you are planning on already being at Security Day and you're interested in helping out, or you're there, please go ahead and comment in the issue. That way we can make sure that we've got the right amount of work distribution for everybody and nobody is slammed.
M: So Sysdig and wrap and Rackspace are confirmed, and we're hopeful that we're gonna get more now that the schedule has been posted and announced. So, if you know of anybody that is interested, the sponsorship prospectus is out on the Cloud Native Security Day website. I think that's all I have for Security Day updates.
Q: Yep, Amy, anything else? No, that was great, pretty much everything that we have right now, which is there is a schedule, buy your tickets.
M: So this is a little bit about the conversation that was going on earlier on the call. I opened a ticket a while ago, issue number 326, to talk about potential process improvements to how we're doing security assessments in SIG Security. We have some really good information to help us help new reviewers and new lead reviewers get started on what the process looks like, but when I was going through and working with Brandon and working with Justin, I didn't feel like...
M: There was enough information where I felt empowered to do what it was that I needed to do, and I had a lot of questions. So this ticket is specifically to address the naive or clarifying questions phase that was brought up by Chris at one of the previous meetings, as well as some other things that I've noticed doing the SPIFFE/SPIRE assessment, some things that I've heard in phone call conversations, some things that have been in the Slack channels.
M: So if you have any commentary on how we can improve the security assessment process, clarify some of the instructions, go ahead and throw a comment in that ticket. I'll probably be going through it later next week to refine some of those things and break up the work a little bit more, because the list of things, for me at least, is getting very long. So if anybody has any recommendations, or if they had questions, we could potentially capture responses, doing an FAQ on a security assessment, things like that. I...