From YouTube: CNCF SIG Security 2020-05-13
B: Okay, so today's gonna be a working session and next week is gonna be a presentation. We are having the folks from Parsec do a presentation. They are submitting their project for sandbox, and the project revolves around kind of an abstraction there for hardware security devices, HSM, TPM, stuff like that, so that will be next week. So next week it's going to be a presentation.
B: But is there any chance that... I know we haven't done the update with the policy group in a while as well? I said, like: do you think, is there, like, we could do, like, a couple, maybe 10, 15 minutes, kind of just talk a little bit about, at one of the next working sessions, to just talk a bit about what's new over there and then at least keep up to date on that.
D: You can, you also add a link to anything from your meeting, or you mentioned some reference material or something like that. There's a... I left a spot in my scribe notes for a link in case people want to go and follow up, and I'm... Sorry, I didn't catch her name either. I'm called in, so I can't see who's talking. Can you say your name? Oh. This is Robert Elliot. Okay, okay, great, yeah! If you can just add a... have a link below for people that want to look at it, that might be helpful.
B: This is something that, just as I started working on, and so we made some progress on that. For those that were not around the first time we talked about this, the main kind of motivation for this was that we found that our current landscape wasn't really that useful in terms of consumption. It was just kind of like a list of categories and there's projects. It didn't really give a lot of information on how to use it. So, and if you haven't taken a look at the... this is the current landscape, right.
B: We have created the categories, and we said: okay, here are some of the different technologies within the categories and so on. But a lot of the time, like, some of these things, like, we had a huge discussion on this, which is, I didn't... the access control isn't really a specific technology on its own; it is integrated into multiple technologies. You know, how does it... is it a category on its own in the landscape, or should it be part of basically a broad category that spans across every, every technology?
B: So, a while back, Justin and I saw that... working on this, so Justin Cappos and I put together this kind of first cut on how we wanted to see the security landscape, and the thought was that we will break it down into how to use cloud native security based on the processes. So one of the first things that we tackled was application security. So how do you create and deploy an application in cloud native security? The idea of that is there will be a process, so we wrote down...
B: Basically, here are the steps in which a developer would deploy an application. So you write the code, you commit it to GitHub and so on, and the idea is that every step of the way you would run into several threats, and we want to map these threats onto the possible preventions and mitigations, and that way a developer can come in, take a look at how their process maps onto the landscape that we provided, and then look at the specific technologies that they can use, on the micro level.
B: The idea is that we will be able to provide the details of the threats, the technologies, referencing the technologies and projects in CNCF that help to mitigate these threats, and on the macro level, we want to be able to provide kind of a process which can be followed, which people can use to maybe bring to their managers or executives to say that, okay, here is kind of like a model that we can follow.
B: The idea here is that we want to be able to create kind of, like, an overview of here are the various kind of processes that we have in regards to cloud native, and then here, if you're interested in, in this case, building in cloud native app security, we can look at this process, and the idea is this will be kind of an exploratory interface.
B: So this is where we are at currently in the process. We've done the mock-up and I think the next step here is to kind of create an example for this and create some kind of interactive web page so that we can try this out, and then, on top of that, start building the content on four different types of processes.
B: So the next step, I think, for us here is to actually create a website or mock-up HTML. To do this, I'm gonna try and take a stab at this myself, but I am NOT a web person. So if there's anyone that would like to work on this as well, do leave a comment here, any expertise in this, or whether you're just interested in creating more content and giving feedback on this. Anything would be great.
D: I think everybody, from what I recall here, all of the reviewers have already gone and put their conflict statements in, so that part's been done, and now I'm... I think we're just waiting on the chairs to sign off on reviewer conflicts for the top part to be done. So we'll, you know, I'll go ahead and start this process a little bit, like, I'll make the Slack channel and stuff like that, and Ash, you should probably start taking a look at the document to do the... I.
D: You have access to add everyone's... I don't know if you have edit access to change the issue thing at the top. I think you probably do, but if so, can you add in... so I just added you in as a project security lead? Can you add everybody else in who should be contacted? Or I guess I can just invite you to the Slack channel and then you can, like, add whoever. But okay, sorry, yeah, go ahead.
B: We do review the aspects of having a process, and right now our benchmark is the CII badging system. I don't think we go into specific details like whether something necessarily is said to be done but isn't there. I think we generally take the... we trust that the projects... so, thus, I think? If not, though, would the scope just be too big?
E: In fact, I don't have any official statistics about it, but as many as, I would say, as many as a quarter of the issues that arise in a major security shop like ours at a Fortune 500 company might be associated with version-to-version conflicts or apparent conflicts between tools, which interrupts the telemetry stream. So, you know, cloud native, you know, as a forward-leaning organization, it's something to think about.
F: I would add that, so I never look at the versioning conflicts that could occur or the interactions, for, you know, when I looked at OPA, Falco, but... but Brennan, just a comment on what you said. I did trace back what was on the CII badging documentation and, you know, Ash can attest to this, I did actually go through and at least spot check that if they said they had a notification process, that there was some evidence that that process had actually been demonstrated in their trans...
E: You know, automated notifications to the developer, but other people think that's not sufficient for complex environments where you're running multiple tools, because, you know, the CI/CD pipeline is necessarily a pristine one with a lot of segregated namespaces and test data and so on, and that's not the environment it gets deployed into. So I don't know that there's a consensus around doing that, so I think we're consigned to sort of a checkbox kind of approach. But, you know, getting... often, as you tell the developers they need to do this...
E: It kind of changes their behavior because they think, oh gee, I gotta stand up a dev environment now that provides telemetry to do automated testing feedback, and that changes the way they code, in an ideal circumstance. So yeah, I don't think there's a standard around this yet that anybody has been satisfied with.
F: One more data point: having had this conversation yesterday with a fairly large organization, you know, they're trying to figure this out as well, so at that scale, you know, large cloud provider level discussions around how you trace CI/CD executions, specifically for dev and QA environments, pre-production, to your policy framework, your risk assessment framework.
E: Also there's the sort of high-profile or high-privileged access problem of, you know, what level of security, you know, in an RBAC kind of framework, do you need to have to run the test in, and is that compatible with the one that you find yourself running in production, and if not, how does that look then?
E: There's the data problem of getting representative data to exercise the thing that's similar to the one you run with dynamic testing. Why, people would say, why doesn't CNCF do dynamic tests with commercial tools to kick the tires on the products? And I don't... I don't know if you do that or not, but that's hard to do too, even if you have pretty...
C: You know, what... case: why don't we, as we... one of the, I don't know, considerations, if you will, should have been like lead, repost, cannon of all the images, etc., and then the response I got was we don't want to be too prescriptive. From that standpoint, I'm not saying that that's right or wrong, but the response that was given was we don't want to be too prescriptive. We don't want that to be a gate, as well as the fact that in the case of Harbor we had actually... they had actually done...
C: Security testing and testing two, three times from different organizations at different points in the whole process. So I... and personally I'm all for being a little bit more prescriptive, to say: hey, as SIG Security, you know, can we have the opportunity, and should we start instilling these kinds of capabilities? And I think, Mark, to your point...
C: I think some tools exist, it's very low-hanging, and we have the opportunity today to define that and bring it in as we perform these security assessments. But at the same time I think that, I'm just going to paraphrase and I'm probably going to butcher it, but I think we just want to perform the assessment. But I forget the right term, his verbiage, but it's there in the documentation. But I think we don't want to be gaters. I think that's the overarching position, I believe.
D: I would like to chime in here. It is that I think that there's a real, like, danger or risk if we start to go too far afield there.
D: So Harbor has been through something like three different real security audits, including one by Cure53, which, you know, was very detailed, and so I feel like, you know, starting to do things that... that have us run tools on code bases starts to make us look like a really bad audit, and I think we're better off looking like a really good assessment than a really bad... than having done a good assessment and a really bad audit.
D: So if we were going to build that capacity, I think we would need to get Trail of Bits or Cure53 or some other group like that to partner with us, and then for us to do some kind of, like, combined assessment/audit. But I definitely don't feel like, you know, just to use an example here, like, I kind of just tapped Ash on the shoulder and said, hey, please lead this assessment, and I...
D: You know, I have some degree of comfort from that because of the great job he did on the other side of this, on the recipient side, from the OPA thing. The other reviewers on the assessment, I don't really know, I don't know that I've interacted with in any great detail before. And so for us, like, you know, for me to just say, oh yeah, now you guys go, like, do what's basically, you know, a lightweight audit is, I think, scary. It's already mildly scary.
C: I agree. I think the key words from what you mentioned, for me, was an audit versus an assessment. An audit is far more... you know, the greater in depth, and provides obviously far more introspection, as opposed to an assessment, and given that these are assessments, I think what we are performing right now is...
B: It does seem like this version testing stuff is also kind of questionable, whether it's on the project, you know, the project's responsibility, or whatever you're integrating, because usually the projects can be used in more than one way, and I don't know whether it's really the onus of the project itself to maintain integration compatibility, yeah.
F: I'd say, you know, I look at the assessments as prospective, whereas audits are retrospective. So I would say if, in the assessment process, we thought, you know, there was a consensus around that there's interactions, version control and all that was a key element of the risk model for that particular project... I'm not... I don't have a hypothetical where that may be true or false, but if, for whatever reason, the consensus was that that should be done...
E: And these are all good points, you know. Some of this I think is nudging, not auditing, and I think there's a useful distinction to be made here between software engineering practices and the extent to which they become ubiquitous in our organization. And, you know, I'm, you know, for a fairly narrow world of dealing with DevOps adoption and standardization, and that, you know, maybe doesn't reflect the whole world very well. But the Jenkins and Jenkins-like model for code development is so ubiquitous. Ubiquitous outside of security.
E: You know, there's the easy example to use is, if you, you know, like, take encryption, you know, yeah, because we're... I'm dealing in PCI settings. You know, we want to make sure that the encryption still works at the other end. So, you know, you can check it at a point in time, you can, but you can also have it check to see whether the encryption occurred using an automated task. That's got a lot of value beyond...
E: It seems kind of silly, but on the other hand, if you look at a mature product like Prometheus, which is embedded in a lot of other products, and there's a lot of dependency on the robustness of certain features of that tool, you know, I would feel safer if I had a pipeline that was doing builds, that was doing assurance testing on security features of Prometheus. At the same time...
B: This sounds like it could kind of... I think the suggestions are good, and it seems like for specific cases like you talked about, like for crypto, there are certifications that can be done, right, and I think that's generally how design falls, is that there's a specification and then you can get certified by somebody. I...
F: Yeah, well, then, just extend your, your hypothetical, Brennan, I mean, and this may be germane to the Parsec discussion, because in, in a hardware environment, especially certification for payment and whatnot, that is exactly what happens. You have to recertify if the firmware changes or evolves, and so, you know, that might be a special case where, you know...
F: Controls is far more relevant to the risk model. It's not... it doesn't really fit your Jenkins software CI/CD case, Mark, but that may be a case where the assessment says, you know, you really ought to be doing things every version rev, to retest or recertify or whatnot. But again, I would say that the assessment should make that recommendation based on a particular risk, not necessarily perform that certification.
E: I, I just wanted to say that the public comment period for the SPIFFE/SPIRE incubation is now open. So please comment on the... unless there's actually, accidentally, two threads; either of them will do. But really, thanks for everyone who worked on the assessment and the other due diligence work, and this group's first... biggest buyers was really helpful, and Sarah, and, and so that was really, really good work and they're very helpful. They say thanks very much, so...
D: I noticed on the threads before, maybe I misinterpreted this, but there were a lot of people that were just sort of saying +1 to a lot of the threads without really adding any, any value, and I think someone at some point was like, stop just saying plus one, right? Is it valuable for us to weigh in and say, yeah, you know, we've really done a thorough look at this and it's a really strong security project?
I: Yeah, I think it... I think yes. I think a comment that isn't just plus one, that is actually substantive in real sentences, is very... I'd say the public comment periods recently had been on the edge of... have been totally cut. The one for... no one said anything at all, which was kind of weird. So I think that, yeah, supportive comments that actually have substance...
I: Or obviously unsupportive comments, if people, like, actually have... have an issue that's not being addressed at this point. But, but yeah, I think it's... it's good to comment.
B: They completed the assessment process. The only step that we don't have the check mark on is the optional presentation to the TOC, which I don't think... we've got a request for that, and also because I think, since you've done that presentation before, I don't think that has been... their request coming in yet. I...