►
From YouTube: CNCF SIG Security 2021-01-27
Description
CNCF SIG Security 2021-01-27
A
B
A
A
B
D
D
E
E
D
B
I
actually
have
one:
oh
yeah
go
ahead.
I
totally
forgot
about
it.
So
big
news,
everybody.
We
now
have
an
apac
region
security
meeting,
set
up
and
scheduled
the
pr
was
merged
into
the
repo.
So,
if
you're
interested
go
check
out
the
meeting
information,
this
is
a
huge
thing
for
us,
because
now
it
means
that
we
can
increase
the
amount
of
sig
contributors
and
take
on
the
activities
that
we've
been
talking
about
for
a
long
time
with
more
and
more
involvement.
So
this
is
a
really
great
thing
for
us.
F
Please
go
ahead.
Yes,
so
I've
contacted
jen
burns
from
mitre
and
she
agreed
to
speak
with
us
on
our
meeting
on
february
10th.
So
I
submitted
a
ticket
for
that.
So
if
everybody
is
okay,
she
would
come
and
and
speak
with
us
show
what
are
the
goals
for
the
attack
for
containers
and
how
we
can
help
providing
any
feedback
or
any
information.
D
D
So
I
don't
see
any
other
updates
today
and
maybe
maybe
I
can
just
take
this
opportunity
to
put
a
couple
of
folks
on
the
spot.
I
know
last
couple
of
weeks
we
had
some
great
presentations
on.
You
know:
supply
chain
security,
and
you
know
the
this
is
the
supply
chain
working
group
I
mean
jonathan.
Would
you
like
to
maybe
just
recap
on
where
we
landed?
If
there's
no
other,
maybe
spend
five
minutes
on
this
and
then
because
I
know
there's
a
lot
of
stuff
that
we
talked
about.
G
Sure
happy
too,
so
we
formed
the
working
group
a
couple
of
weeks
ago.
We
we
initially
provided
a
presentation
looking
at
software
factories
and
some
of
the
thoughts
a
group
of
us
had
put
together
around
software
factories,
myself
andrew
martin
and
sabri
blackman
from
control,
plane
and
justin
cormack
from
from
docker.
G
G
The
end
goal.
There
are
a
number
of
different
end
goals,
but
it
would
be
it'd
be
really
beneficial.
We
believe
that
to
provide
a
architecture
that
people
could
look
at
and
potentially
start
to
adopt
in
the
open
source
forum,
so
that
you
know
they
can
adopt
that
that
architecture
and
have
a
build
platform
that
would
then
be
somewhat
secure
and
have
the
ability
to
deploy
secured
artifacts
that
are
signed
with
s-bomb
material,
perhaps
as
a
way
of
improving
the
security
throughout.
G
So
really
that
that's
kind
of
the
goal,
I'll,
certainly
post
a
link
to
the
to
the
white
paper
into
the
to
the
working
group.
I
think
it
was
issue
510,
where
you
can
take
a
look
and
see
the
the
conversation
as
it
stands.
We
have
quite
a
number
of
people
offering
to
assist
and
go
through
that
which
is
fantastic
and
the
way
I
think,
we'll
start
to
look
at
it
is
having
people
adopt
or
suggest
topics
for
that
white
paper
and
will
progress
that
way.
G
We
do
have
a
working
group
meetings
on
fridays
at
4,
30
gmt
at
the
moment.
That
was
just
how,
given
the
the
the
look
hows
of
the
people
involved,
we
certainly
change
that
if
additional
people
are
looking
to
join-
and
I
think
the
next
session,
we
would
we're
possibly
gonna
dig
into
that
in
toto
and
the
signing
piece
figure
out
how
we
could
work
with
those
keys,
as
well
as
the
white
paper
itself.
G
One
thing
I
did
miss
out
there
was.
There
was
a
really
really
good
presentation.
Last
week
by
the
the
recall
team
that
had
a
heavy
supply
chain
element,
I'd
recommend
people
take
a
look
at
that
and
also
obviously,
a
lot
of
the
work
that
we're
looking
at
is
based
on
devsecops
principles
from
the
the
department
of
defense,
which
is
a
document
that
you
can
read
on
the.
D
Internet,
that's
awesome
thanks
a
lot
jonathan,
so
a
lot
of
stuff
there.
Everyone-
and
this
I
think,
they'll
be
fantastic
opportunity
to
contribute
towards
the
architecture
and
the
white
paper
there.
I
think
we
have
all
the
links
up
on
the
chat
and
maybe
I'll
take
some
time
to
maybe
transfer
a
lot
of
those
links
to
our
meeting
notes
as
well.
B
Right
then,
ava
makes
a
good
point
about
the
linux
foundation
having
a
couple
of
other
projects
and
efforts
that
are
working
on
supply
chain
security,
so
maybe
reach
out
to
those
different
groups
and
find
out
where
they're
at
in
those
discussions
and
see
if
there's
some
cross-foundation
collaboration.
That
can
happen.
G
E
G
So
please,
if
you
could
reach
out
to
to
me
and
I'll
reach
out
to
you,
to
connect
that,
because
that's
definitely
something
that
we
would
like
to
do.
We
we
have
made
initial
conversations
with
the
open,
ssf
and
I
think,
there's
there's
additional
work
happening
in
the
s-bomb
community.
There's
a
number
of
different
s-bomb
communities
that
we're
trying
to
tie
into
this
as
well
great
point
emily,
though
it's
because
there
is
a
huge
amount
of
work
in
individual
pockets.
E
Given
the
that
this
is
a
cncf
working
group,
I
would
assume
that
the
focus
is
going
to
be
on
the
cncf
projects
and
workflows,
whereas
I
know
both
open,
ssf
and
cd
foundation
are
looking
at
the
broader,
like
open
source
as
a
whole.
So
there's
probably
some
good
tie-ins
there,
but
the
scoping
of
this
is
very
different.
G
We're
actually
keeping
it
fairly
generic,
but
but
also
very
cognizant
of
making
sure
we
connect
to
those
exact
groups.
So
I
I
I
didn't
mention
them,
but
we
are
trying
to
reach
out
to
those
groups.
I'm
certainly
working
with
a
couple
members
of
open
ssf
and
we
do
and
expand
that
we're
not
duplicating
any
of
that
work,
but
just
pointing
to
it.
I'm
happily.
D
D
B
So
I
think
I'm
kind
of
on
the
hook
for
both
of
those
okay,
so
I'm
dropping
422
in
the
chat,
because
that's
the
first
one
so
for
those
of
you
that
are
new
or
have
been
super
busy
doing
a
lot
of
other
things.
I've
been
going
through
the
repo
and
trying
to
clean
up
some
of
the
outstanding
issues
that
we've
had
for
a
long
period
of
time.
Seeing
if
we
actually
miss
stuff
issue,
422
is
one
of
the
issues
that
we
missed.
B
The
issue
has
a
ton
of
information
on
it
with
a
lot
of
excellent
resources,
and
I
wanted
to
bring
it
up
because
one
I'm
not
an
expert
in
this
area,
but
to
I
wanted
to
get
the
community's
feedback
on
whether
or
not
they
see
this
as
a
potential
worthwhile
effort,
something
that
we
can
easily
incorporate
into
our
existing
processes
or
whether
or
not.
This
is
a
much
larger
ask
by
the
community
to
kind
of
push
this.
And
if
it's
a
worthwhile
effort
to
push
into
the
community.
B
And
we
we've
talked
in
the
past,
or
at
least
we've
had
other
discussions
for
potential
efforts
about
setting
up
automated
hardening
for
cloud
native
product
projects
in
their
development.
That
way
they
they
have
like
a
standard
framework
to
be
leveraging
to
ensure
that,
like
the
base,
distribution
of
all
cloud
native
projects
is
secure.
So
I'm
not
quite
sure
how
this
fits
in
with
that.
But
I
do
know
that
we've
talked
about
that
in
the
past.
D
Maybe
I'd
like
to
have
a
sound
out
a
few
thoughts.
Emily
is
I
mean
if
we
can
definitely
have
these
guidance
kind
of
documents
and
made
available
to
all
the
project
teams
and
and
make
them
aware
of,
let's
say
hardening
flag,
that
we
will
as
we
perform
assessments.
So
that's
one
way
and
the
second
way
to
only
how
do
you
say
test
and
enforce
it?
D
Is
you
know
I
don't
know
when
maybe
the
first
meeting
of
this
year,
we
talked
about
this,
the
automation
that
you
talked
about
right
when
we,
the
automated
and
security
scans.
If
you
will,
generally
speaking,
if
we're
able
to
do
that,
then
that
would
be.
This
would
be
a
great
dimension
to
that
effort
as
well.
So
I
think
there
is
some
correlation
there.
C
D
Yeah,
I
agree,
and
I'm
sorry
just
to
clarify
I'm
only
talking
about
from
a
guidance
perspective
right
so
sorry
and
this
network
yeah
the
the
the
owners
of
the
projects,
we're
just
saying
hey.
This
is
something
that
we
are
familiar
with.
We
provide
guidance
on
and
we
run
your
project
through
our
flags.
If
you
will-
and
this
is
what
we
found
missing
and
you
know
not
to
break
anything
from
their
pipeline
perspective,.
D
B
B
This
is
a
new
effort
for
them.
They
have
a
current
draft
going
on
and
they
actually
have.
A
specific
issue
is
the
first
issue
associated
with
where
they're
looking
for
help,
which
is
I'm
pulling
it
up
right
now
about
building
trust
security,
constraints,
implementation,
metrics
and
user
observation.
B
So
what
they're
really
looking
for
is
to
have
a
sig
representative
or
a
few
sig
representatives
jump
in
and
help
in
this
particular
area
of
their
white
paper.
They're,
not
looking
right
now
to
rehash
the
entire
draft
that
they
have
that'll,
be
probably
later
review
phase
for
those
of
you
that
remember
the
cloud
native
security
white
paper,
we
wrote
all
the
content
and
then
we
opened
it
up
for
reviews.
This
is
more
about
contributing
specific
security,
focused
content
to
an
operator
white
paper.
B
So
this
is
a
good
opportunity
to
get
to
know
other
members
of
different
sinks,
as
well
as
get
some
crosstic
exposure
from
a
security
perspective.
I
was
hoping
that
I
could
get
a
few
volunteers
to
jump
on
this
effort.
It
doesn't
appear
to
be
a
huge
ask
not
anywhere
near
as
monstrous
as
writing.
The
white
paper
for
us
was,
but
I
would
certainly
expect
it
to
be
a
couple
of
hours
over
the
course
of
two
weeks,
potentially
maybe
a
little
bit
more.
H
B
Not
that
I
know
of
so
the
ticket
actually
has
the
pocs
for
it,
so
I
would
recommend
reaching
out
to
them
and
jumping
in
the
sig
app
delivery
channel,
so
cameron
and
andrew,
if
you
guys,
could
comment
on
the
ticket
that
you're
interested
and
then
jump
over
into
the
sig
app
delivery
channel
and
let
them
know
that
you
guys
are
gonna,
get
on
that
and
help
them
out.
That
would
be
great
and
we
would
love
to
hear
at
another
meeting
about
how
it's
going.
D
D
B
Next
week,
though,
we've
got
the
security
scanning
presentation
from
supracar,
which
was
a
request
from
liz
rice
and
the
talk
to
have
that
presentation
to
us
which,
if
anybody
saw
that
thread
on
the
mailing
list,
it
was
a
fascinating
thread.
Lots
of
great
dialogue.
So
hopefully
we
can
get
a
lot
of
attention
to
that
presentation
because
it
sounds
like
it's
going
to
be
amazing.