From YouTube: CNCF SIG Security 2021-01-27
B
Hey, I requested midnight to see if we can run. I have, like, this bad throat and cough thing, so I'll listen.

D
Yeah, I'll take two minutes to set up the document and stuff, I guess.

D
Well, welcome, everyone. Once again, we typically start by giving everyone about a couple of minutes. Maybe we'll start at 10:02 and take it from there. Please feel free to add your name to the attendance list for today.

D
All right, everyone, let's get started. Maybe just to recap: I'll go through the list and then I'll do a quick recap. Does anybody have anything that they would like to update the team, the group, on? Anything that you'd like to discuss at this time?

B
I actually have one. Oh yeah, go ahead. I totally forgot about it. So, big news, everybody: we now have an APAC region security meeting set up and scheduled. The PR was merged into the repo, so if you're interested, go check out the meeting information. This is a huge thing for us, because now it means that we can increase the amount of SIG contributors and take on the activities that we've been talking about for a long time with more and more involvement. So this is a really great thing for us.

D
That's awesome, that's awesome, and thanks, Emily. As I go down the list, Magno, I see you have something that you'd like to talk about. Please go ahead.

F
Yes, so I've contacted Jen Burns from MITRE and she agreed to speak with us at our meeting on February 10th. So I submitted a ticket for that. So if everybody is okay, she would come and speak with us and show what the goals are for the ATT&CK for Containers and how we can help by providing any feedback or any information. That would be helpful for the ATT&CK matrix and everything related, also whether they're planning on doing a separate one for Kubernetes or just the same one, and everything else. And that's it. Another thing that I have is that I've created a ticket also to start a translation of the Cloud Native Security White Paper for Portuguese, and I have a group of people interested, so we're probably gonna start that off this week or the next one, and it should be done.

D
Awesome, that's fantastic, thanks! Thanks, Magno. Yeah, it'll be interesting to hear from Jen on how we can, you know, map the MITRE ATT&CK framework to Kubernetes and containers in general. That's awesome.

D
So I don't see any other updates today, and maybe I can just take this opportunity to put a couple of folks on the spot. I know the last couple of weeks we had some great presentations on, you know, supply chain security, and this is the supply chain working group, I mean, Jonathan. Would you like to maybe just recap on where we landed? If there's no other, maybe spend five minutes on this, because I know there's a lot of stuff that we talked about.

G
Sure, happy to. So we formed the working group a couple of weeks ago. We initially provided a presentation looking at software factories and some of the thoughts a group of us had put together around software factories: myself, Andrew Martin and Sabri Blackman from ControlPlane, and Justin Cormack from Docker.

G
It's really just some of the thoughts that we put together on software factories and how we could perhaps create one, and some of the challenges we were thinking through around how we could improve the provenance of the code that we were creating and sending through that pipeline, using potentially SPIFFE and in-toto, which we're still working on. But the wider scope of that was really sort of a call to arms to ask people to join and perhaps form, which we've now done, a working group to look at supply chain security, with the aim of putting together a white paper, an architecture and potentially a reference implementation.

G
We also have a Slack channel and we have a shared document that we're starting to add to, or we will be; we're doing it independently and pasting it in. And the idea is to initially put together a white paper of best practices and identify gaps, or perceived gaps, in the supply chain, and then look at how we could provide an architecture to provide that capability.

G
The end goal. There are a number of different end goals, but it would be really beneficial, we believe, to provide an architecture that people could look at and potentially start to adopt in the open source forum, so that, you know, they can adopt that architecture and have a build platform that would then be somewhat secure and have the ability to deploy secured artifacts that are signed, with SBOM material, perhaps as a way of improving the security throughout.

G
So really that's kind of the goal. I'll certainly post a link to the white paper into the working group. I think it was issue 510, where you can take a look and see the conversation as it stands. We have quite a number of people offering to assist and go through that, which is fantastic, and the way I think we'll start to look at it is having people adopt or suggest topics for that white paper, and we'll progress that way.

G
We do have working group meetings on Fridays at 4:30 GMT at the moment. That was just how, given the look hows of the people involved; we'd certainly change that if additional people are looking to join. And I think the next session we're possibly gonna dig into that in-toto and the signing piece, figure out how we could work with those keys, as well as the white paper itself.

G
One thing I did miss out there was: there was a really, really good presentation last week by the recall team that had a heavy supply chain element. I'd recommend people take a look at that. And also, obviously, a lot of the work that we're looking at is based on DevSecOps principles from the Department of Defense, which is a document that you can read on the internet.

D
That's awesome, thanks a lot, Jonathan. So a lot of stuff there, everyone, and this, I think, will be a fantastic opportunity to contribute towards the architecture and the white paper there. I think we have all the links up on the chat, and maybe I'll take some time to transfer a lot of those links to our meeting notes as well.

G
Yeah, we're certainly welcome for anyone to assist and help with. There's a lot of work to do there and it's a key area that a lot of people are really interested in contributing to, so certainly open to all.

B
Right then, Ava makes a good point about the Linux Foundation having a couple of other projects and efforts that are working on supply chain security, so maybe reach out to those different groups and find out where they're at in those discussions and see if there's some cross-foundation collaboration that can happen.

G
So please, if you could reach out to me and I'll reach out to you to connect that, because that's definitely something that we would like to do. We have made initial conversations with the OpenSSF, and I think there's additional work happening in the SBOM community. There's a number of different SBOM communities that we're trying to tie into this as well. Great point, Emily, though, because there is a huge amount of work in individual pockets.

E
Given that this is a CNCF working group, I would assume that the focus is going to be on the CNCF projects and workflows, whereas I know both OpenSSF and CD Foundation are looking at the broader, like, open source as a whole. So there's probably some good tie-ins there, but the scoping of this is very different.

G
We're actually keeping it fairly generic, but also very cognizant of making sure we connect to those exact groups. So I didn't mention them, but we are trying to reach out to those groups. I'm certainly working with a couple of members of OpenSSF, and we do, and expand that, we're not duplicating any of that work, but just pointing to it, happily.

D
Great, thanks, Jonathan, and thank you all for the comments. Let me see.

D
Well, I don't see any other topics that we want to have covered here. So do we know what we have set up for next week?

B
So, Vinay, we actually have two things on the agenda. We have issue 422, oh.

D
Okay, so do we want to talk about that? Who wants to talk about issues?

B
So I think I'm kind of on the hook for both of those. Okay, so I'm dropping 422 in the chat, because that's the first one. So for those of you that are new or have been super busy doing a lot of other things, I've been going through the repo and trying to clean up some of the outstanding issues that we've had for a long period of time, seeing if we actually missed stuff. Issue 422 is one of the issues that we missed.

B
So this is a suggestion from the community about including hardening binaries through our recommendations to projects that are coming through our security assessment process, or incorporating this concept into other documentation or conversations that we have in the cloud native community. And that's kind of the extent of my knowledge in this particular area.

B
The issue has a ton of information on it with a lot of excellent resources, and I wanted to bring it up because, one, I'm not an expert in this area, but two, I wanted to get the community's feedback on whether or not they see this as a potentially worthwhile effort, something that we can easily incorporate into our existing processes, or whether or not this is a much larger ask by the community to kind of push this, and if it's a worthwhile effort to push into the community.

B
And we've talked in the past, or at least we've had other discussions, about potential efforts about setting up automated hardening for cloud native projects in their development. That way they have, like, a standard framework to be leveraging to ensure that the base distribution of all cloud native projects is secure. So I'm not quite sure how this fits in with that, but I do know that we've talked about that in the past.

D
Maybe I'd like to sound out a few thoughts, Emily. I mean, we can definitely have these guidance kind of documents made available to all the project teams and make them aware of, let's say, hardening flags, as we perform assessments. So that's one way, and the second way is, how do you say, test and enforce it?

D
Is, you know, I don't know when, maybe the first meeting of this year, we talked about this, the automation that you talked about, right, when we, the automated security scans, if you will. Generally speaking, if we're able to do that, then this would be a great dimension to that effort as well. So I think there is some correlation there.

D
Yeah, I agree, and I'm sorry, just to clarify, I'm only talking about from a guidance perspective, right? So, sorry, and this network, yeah, the owners of the projects, we're just saying, hey, this is something that we are familiar with, we provide guidance on, and we run your project through our flags, if you will, and this is what we found missing, and, you know, not to break anything from their pipeline perspective.

D
All right, Emily, would you like to talk about the second issue, the SIG App Delivery operator white paper, please?

B
Yes, okay, so SIG App Delivery. So CNCF has a ton of SIGs. Some of our members are members of other things, and this SIG App Delivery reached out to me; they're looking for a security perspective on their operator white paper that they're writing.

B
This is a new effort for them. They have a current draft going on and they actually have a specific issue, the first issue associated with where they're looking for help, which is, I'm pulling it up right now, about building trust, security constraints, implementation, metrics and user observation.

B
So what they're really looking for is to have a SIG representative or a few SIG representatives jump in and help in this particular area of their white paper. They're not looking right now to rehash the entire draft that they have; that'll probably be a later review phase. For those of you that remember the Cloud Native Security White Paper, we wrote all the content and then we opened it up for reviews. This is more about contributing specific security-focused content to an operator white paper.

B
So this is a good opportunity to get to know other members of different SIGs, as well as get some cross-SIG exposure from a security perspective. I was hoping that I could get a few volunteers to jump on this effort. It doesn't appear to be a huge ask, not anywhere near as monstrous as writing the white paper for us was, but I would certainly expect it to be a couple of hours over the course of two weeks, potentially maybe a little bit more.

H
This is something I'd be happy to jump in with. We've done a bit of threat modeling around operators and mutable states and stuff. Is there any indication of time scales?

B
Not that I know of. So the ticket actually has the POCs for it, so I would recommend reaching out to them and jumping in the SIG App Delivery channel. So, Cameron and Andrew, if you guys could comment on the ticket that you're interested, and then jump over into the SIG App Delivery channel and let them know that you guys are gonna get on that and help them out, that would be great, and we would love to hear at another meeting about how it's going.

D
Awesome, thanks, thanks, Emily. And I guess, for the folks who volunteered, please, you know, chime in on that ticket and make sure that you have all the necessary resources and get connected. Did I miss anything? And sorry, I'm going to look to you, Emily: did we cover all the agenda items?

B
Next week, though, we've got the security scanning presentation from supracar, which was a request from Liz Rice and the talk to have that presentation to us, which, if anybody saw that thread on the mailing list, it was a fascinating thread. Lots of great dialogue. So hopefully we can get a lot of attention to that presentation, because it sounds like it's going to be amazing.

D
Awesome. Well, I'm going to open it up once again: any folks, any comments, any updates, anything interesting you'd like to share that we might have all missed?

D
Thank you very much, and looking forward to the presentation next week. Don't miss it. Have a great week, everyone. Cheers, thank you.