From YouTube: CNCF SIG Security 2021-04-07
C: It's probably my camera being like different. I think my camera's been turned, usually, like that way.

C: I've been for the last four months... I guess, okay, yeah, so I'll need like five minutes for an update on that. On that item.
B: Okay, are you... is this something that, you know, I know like Finney originally created the issue? Are you working...

C: No, I just picked it up. I'm working on it because I see like lots of intersection, and I've been like talking about that Scorecard from OSSF for a...

C: It seems to be like this is what we need to start with, the easiest one.
B: Yeah, that's... We will have some discussion around that after we cover, but I mean we have one main topic today. So I'm not worried about, yeah.

C: Yeah, so it's not like... If you have time, I can give an update and ask a few questions, sir, because I need to figure out where to find the data. Some data.

C: That, yep, we can do it this way.
B: Hi everyone, I'm gonna paste the link to the meeting notes in the chat. Please go in and put your name.

B: Okay, so I'm gonna paste the link to the meeting notes again, here we go, and let's get started. So I see we have a new scribe bot. Tim is testing a new scribe bot for us, so let's see how that works. So before we start, again just a quick reminder: this is under, adhering to, the code of conduct of CNCF, so the general rules and guidelines apply, and of course, again, this meeting is recorded and will be published to YouTube later.

B: So today we have one main agenda item. We'll be going through some of the work that we've done for the Cloud Native Security Map, which is a branch of the Cloud Native Security White Paper.

B: But before that, let's go to... let's kind of do a check-in. Let's see here.
H: Thanks, Brandon. Several months back, I had heard you guys were, you know, having someone take notes and then upload it, and there was a GitHub issue related: how can you simplify that? So I went back into my basement and started to evaluate how can we, you know, enable that. So I'm now testing something that I wanted to then show back and then get feedback on, and so essentially what it would do is it would do a transcription.

H: So I wanted to kind of like test that out and then see what the value, you know, was. Is it useful to save you guys time, and what the use cases were, and stuff like that.

H: Okay, thanks, Brandon. Yeah, so, you know, I'm just testing it out. I vetted it out on some of my own meetings, but I figured you guys have been the first one that kind of raised your hand. That said, this is something that would be helpful because it did a couple of things, in my understanding, right: a) it may lessen the load on a potential scribe; b)...

H: We may try to help automate the pushing of it from one place to YouTube, or we already have the recording and then you can just link to it automatically. I need to flesh out your workflows for that, and then I at some point would like to learn a little bit more. What, like, what's the... why you record them? What's the biggest pain around them? What's the biggest benefit you want to get out of it for your community, stuff like that, so I can get beyond "oh, it's just a transcript."
B: Yeah, I think it's gonna... the main two things is one, like getting someone to kind of take some... scribe, describing some notes during the meeting. We used to have an issue with getting consistent scribes. Another one is actually being able to search through and...

H: Yeah, so actually that is interesting. We did test the ability to do speaker identification, and it does it well. Rather than relying on AI, it actually just looks at who's physically speaking and then pulls that track and then adds the title. So I think it's been pretty good about the overlapping and then speaker assignment, because it's not trying to use an AI tool. We looked at a bunch of ways to do it with AI. It's just that's a very hard problem to solve.

H: Yes, yes, that's another one that I'm looking at to see. How do we do the note-taking? The solution on that is tough, but we're thinking maybe if it's people highlight stuff, that might be a way to get something with a little bit higher fidelity. And if you look into the... who's, I think it's in the chat, maybe it's only the admin can see it, but I think when we add them in it goes to the moderator, then you can see so in real time.
B: All right, let's see, new updates. Update, so I think before we jump to our main agenda item, I think Eli wanted to give an update on issue 496. Take it away. Sure.

C: It's pretty comprehensive compared to what we can build from scratch, so rather than building something it's better to reuse it. They tried to run it basically through some number of open source repositories, not CNCF related, just to run them, and there is some public data, but it hasn't been updated for a while. So my initial thought was just to kind of use it and create a pipeline, but to feed a pipeline with the data.

C: Any good source of this, like does anybody know where to get it? I thought maybe to use, I don't know, cloud native security landscape, but I don't know if it has like directly in strappos.

B: Yeah, I have... have you seen the knots foundation security dashboard yet?
C: So if you want to do this, which we want to include, and what would be the source of this data, right? Because if you look into the CNCF landscape, there is like hundreds of projects, and if each of them have like a few repositories, it's like a few hundred. So I thought there might be data already somewhere that's pre-populated, and the same like when you guys working on a security-related landscape.

C: It also links to projects, but if we can use it as a starting point for getting links to repositories that matter, then we can include it, and I can just basically feed all this data and kind of experiment with the dashboards with this data. But it's kind of pretty interesting information in there, in terms of, like, I don't know, 99 percent of them not signing at all, like nothing, and don't care.

C: ...much. So probably we can look into this data in future and see what we can improve, and working with CNCF on that.
A: Okay, yeah, that's interesting. So I think, like the scope of everything an assessment entails, it could help alleviate part of it, but it's not going to be the entire assessment, right? Because the focus of the audits and assessments we perform are less... well, we do do a number of checks if, yes, the project follows secure development practices, but it's more about, hey, these are the set of considerations.

C: It doesn't do anything related to audit for sure; it does specific checks. I can send a link to the chat so you guys can click on it, but it's basically simple things that you can derive and understand from any GitHub repository. Like, it has nothing to do with audit. It's just like maybe one part of it: do you follow the best security practices for open source?

C: That's recommended, right? So it does one of the things, but it gives a pretty good overview in terms of how their projects have been run, in terms of following these best practices.

C: So it's like it does not require doing manual things. So I remember we had a discussion here one day about a check for security policy, so like one of the checks implemented by the tool is checking for security policy.
C: Yeah, so it's... It's pretty easy to extend in terms of like what this tool needs to check. Like, we can easily add whatever checks we need on top of it, but at this point I feel what they have is enough for, like, an initial run and understanding where we are in implementing all this automation, and kind of have this comprehensive view. The only question would be like where to get data for this. Is it like manual still, work needs to be done, or something that already exists?

C: So if you ever come across like a list of repositories for specific projects, please go to that ticket and put it there, and I'll take care of it.

A: Totally, yeah, sounds like it can be useful. It'd be a matter of, well, what's the... how do we amass the activation energy required for either us to introduce it as a soft requirement in assessments, for the TOC to ask during sandbox intake or incubation due diligence, or something that, yeah, becomes a mandate at a higher level?

C: Yeah, maybe, since foster like need to collect like from the projects... not just like projects; projects usually contain a bunch of repositories. So maybe CNCF need to collect also like what repositories really matter from this project or not, but like there could be like 10 or 20 or 30 under one project, but only like five percent of them really matter.
A: So it looks like a new project is onboarded every day, because people understand what they get out of Sigstore and the transparency ledger out of Rekor, more than, well, we're bringing in more overhead around checks and policies. But it's not really alleviating any of our pain points. It's more for others.

B: Awesome. Cameron, did you want to add something? I thought I saw you wanting to say something just now. No, no! Okay, all right! Thanks, Eli. If you could kind of maybe put down your asks in the issue so that, you know, those that are not part of this meeting can already do that, and maybe, you know, probably after we get some feedback, we can also address it. You know, we can bring this to the TLC, see whether they can help with this. Cool.

B: So let me get back to the meeting notes. So we have no other updates today, so we're gonna go straight ahead to our main agenda item, and thanks, Alex, for helping scribe. All right. So today we wanted to give a sneak preview into the work that we've been doing with the Cloud Native Security Map, so to provide a little bit of background for those who are not familiar with this project: this is based on the great work done with the Cloud Native Security White Paper.
B: When we were doing the white paper, we intentionally left it on a very high level. We didn't want to include any projects; we didn't want to have anything implementation-specific. And so one of the things that we want to do with that is to provide a document that has also a bit more of a practitioner's perspective to it, and so this was initially called the landscape, right, the landscape.

B: We had a bunch of projects, a bunch of categories, but we figured out that, you know, having a bunch of categories and having a bunch of projects isn't really that helpful. It's very difficult for someone to go in and figure out what other projects they need to do something.

B: So we started off the Cloud Native Security Map, and so there we go. So this is what we have now. So we started this a while ago; a little bit was like content creation, but the idea is, you know, we have to create a website or a resource that people could navigate easily.

B: So the idea is this: you have the Cloud Native Security Map, and the idea is you could go into like different sections of it to check out, you know, what's relevant to you, or you can just go through the document. So the idea is, for example, if you go to Distribute and say for artifacts and images and signing, trust and integrity, right. So what we have here is kind of like the general concept.
B: This is from the white paper, but on top of that, what's being added to this website is, one, other sub-projects. So the idea is you could link to different projects which may be relevant. Let's say as a practitioner you say, on the image side, signing, trust and integrity. Okay, then now I can take a look at these projects which are relevant to me, and on top of that we also have these examples to kind of illustrate.

B: You know, what are the type of controls you wanna... you wanna do, you know, what may be a way that you will implement that, right? So, for example, sign the image manifest with Docker Content Trust; you want to attach metadata for the image, so attach an SBOM to it, and they can make policy decisions on it.

B: So the idea is kind of like more implementation: examples of implementation, steps to implement the security control.

B: We intentionally say upfront that it's not a checklist, because obviously different organizations have different requirements, everything's a little bit different, but this is kind of a general guide into what, a lot of something said, you could do. So the initial scope of this really was to go one step further, to say that, okay, now I'm looking at signing, trust and integrity in the Distribute stage, right? Technically...
B: Whenever I perform a task like signing, I also need to perform a verification at the runtime, right? So there is also a section, for example, I think it's here, where it's something like that: image trust and content protection, right. The idea is that we would have some additional links over here. This is still something that's not part of the initial prototype, but there would have been links here to say like, okay, if you're implementing signing, trust and integrity...

B: What are some of the other areas that you may want to consider next, or you may want to think about when you're implementing this? All right, so yeah. The initial goal was to have kind of like a visual map of it, right. So this is the initial prototype where it's kind of here, the sidebar; it's more of a traditional document.

B: So what we are doing now is we are taking all the content that the community has worked on and we are putting it in at this website, and I'm gonna paste it in here so that everyone can take a look as well. But the idea is, you know, we would populate all these things. Not all the content is final. We are still reviewing it and making sure that, you know, the projects we put in there are kind of projects with a certain quality, right.
B: A weekend project, for example, that isn't being maintained at all. So that's what this document is really about. We are still developing this. We still need a bit more content.

B: So if you hit this Contribute button here, you'll see we have a list of contributors here, and there are some things that we still need help on. We are still building up the site. So if you're interested in, like, development, you can put your comment, put a comment on this issue.

B: As you can see, you know, things like highlight the links so that this can still do better, the website. Other than that, we still have some gaps in content that we want help to fill, so we're looking for projects, examples and links, because, you know, the general concepts are all being taken from the white paper.

B: So the way you can do that is (and Martin has set this up really nicely for us) is that you can just... all the different topics that you see here actually map onto a Markdown file in GitHub, right. So let's say if you hit like Code Review here, all right, so this is part of the website that's being deployed, and then you have...

B: This is the code review page. So if I modify something and add projects here, it would show up on the website itself. So, for example, if I go back here, hit Contribute, let's say I want to add something to... I want to modify the code review page.
B: ...automatically. Okay, so this is the quick update for the security map. Any comment, question? We're looking for a lot of feedback on what are some things that we can do better, what are some things that people want to see on the website as well.

I: Hey, Brandon, a quick question, and this may have been answered already. I only just managed to join this meeting from another meeting. In the project section, are we only listing out the open source projects, not the commercial ones that we put in the original doc?

B: Yeah, so right now you don't see it here, but there's actually an invisible comment, the commercial projects. We are still evaluating what we want to do with the commercial projects. I think that is... it's a little bit of a sensitive topic.
I: Yeah, I know, I appreciate that. I mean, I guess from the Snyk perspective, it's kind of a difficult one. I mean, like, if we look at that section we're looking at now, right, the Snyk CLI is open source, but clearly it's got a service on the back end, right? Yeah. So you...

B: ...know, I think that there will be room probably to have some projects be commercial in specific cases. I think I was having a conversation with Matt Flan, and then he said something like, you know, for availability, for DDoS protection, for example, you're not gonna find a solution which is a commercial...

B: Yeah, so I think we are still in those discussions. It's not off the table. I think if we think that there is value in it, then we should put it there. I think also, you know, a lot of these concepts, also, some of them translate to, you know, cloud features, right. So if this is something that's already ended up at the cloud, the best action forward for a developer would be probably to use the cloud service instead of trying to grow their own service anyway.

B: So yeah, Matt, that is still kind of a topic of discussion right now. Okay, yeah, so we will see where we are on that. But right now we are... we're gonna put everything over first and then we're gonna figure it out, and then we have to probably talk to the TOC about this as well.
A: Brandon, sounds like the discussion to be had is whether the map is exclusively open source or not, because if it's cloud native, it should be a matter of answering: is this solution cloud native or not, and point it out? We can draw a distinction, put a caveat of, hey, these are commercial solutions that might have some open source or are built around open source, and we can, yes, put like open source solutions first, or like add an appendix that, well, helps people; it sheds light of, hey...

B: Yeah, I think we will have like a huge disclaimer somewhere, right. We're not necessarily saying that these are like the go-to commercial projects, and also like the process by which these commercial projects should show up here is basically whoever wants to come in and add their project, right. I think we need to have some ground rules around it. As long as we have that, we should be giving enough information for people to make an informed...

A: Yeah, one added thought there is: if someone has a problem and they're looking for a solution, they might ask themselves, well, it doesn't matter to me that it's open source or not. Sure, preferably it should be. But if I'm trying to solve for something and I'm not aware that... well, it'd be hard, I would have to have lived under a rock not to know that Snyk is out there and it's great.
B: Right, yeah, I think this is like a problem that also like the foundation realizes, right, and that's just the reason they did the LFX Security thing, which is like people don't necessarily have a... like smaller organizations don't necessarily have a way to figure out why and how they should handle the risks of open source projects, right. Yeah, so I mean...

G: If that is clearly defined, Brandon, I'm sorry to interrupt you, but if it's like, basically, there are the projects out there from an open source perspective that may handle the situation, but then also here's commercial ones that may handle, you know, those as well. I think it's almost like an à la carte menu. You look at it and you choose the one that's going to be the best solution for you, and here's the ones that are kind of on this list.

G: ...know that that's taking that fight even deeper, but I hear you. But at the end of the day, like, if we have a distinction, is all I'm saying, open source projects versus commercial, they have the decision to go either where they need to. At the end of the day, everybody's happy, I think, but if we don't, if we disclaim or don't have that, it's... I think it's not serving the community.
A: Well, here's the other thing: when we talk about community, it's largely people who do open source, and they're often just heads down maintaining their project, and they might have not used Snyk because they think, well, we don't have the budget for this; sure, it's a great enterprise product, but we can't afford it ourselves. But it turns out that Snyk is great for open source projects, and a lot of people don't know that, hey, if you're...

G: If it's a scenario beyond the people in the community, but if it's something where somebody is looking at the security map as an entryway in, you know, where, you know, look, a lot of people know what cloud native is, right, but there's folks that obviously are trying to get immersed in this. How would... what, this is the entryway in? Are we saying, you know, we have... are we saying we're only going to limit it to one or the other? That's the thing that I'm kind of like, that's, well...
I: ...here about, you know, that there's probably, you know, certain aspects of security tooling where there may be a benefit to you paying for something, right. Where there's a deeper... there's a, you know, because it costs... you know, it costs a vendor money to actually build up databases and stuff.

I: You know, there's probably a class of things, like scanning Kubernetes YAML, right, for common mistakes, where in some ways the value that you're going to get from a commercial offering in that space is going to be very similar to the value you're going to get from open source offerings in the space, right, because everybody's going to come up with basically the same stuff. But then there are other areas of security where you might benefit from someone having a deeper...

B: Yeah, it does sound like, kind of, I think we have to figure out what is the goal of how we're gonna list the projects, and really how far we can take it, between like how usable it is to, you know, trying to avoid, like, the kingmaker situation right now.
D: ...as they can be, and so we need to have like clear written criteria, so there's no questions or favoritism or anything like that, and everyone's clear. It's like, yes, you're in these categories for these things, and here's how you get there. So, because otherwise, I could see this being like, you know, every single vendor who does cloud native is going to want to be in every single category, and that's just going to reduce the value, because everyone's like, well, everyone's everywhere.

E: That... Rory makes a good point, like having clearly defined criteria for both the open source as well as the commercial projects, make it as transparent as possible, so there's no questions about it. I think that's something they're going to work on, and actually going to be working on that, like having proper gating criteria for both the commercial and the open source. So, if... yeah.
F: So an important thing as well is, I think we also need to define the different types of users that we need to target. Like, as a developer, I can... this definitely helps, but if I'm the architect of a system, or I'm infosec trying to come up with a compliance strategy around how to, oh, how to enable developers to do their work, or if I'm on the operations side, and various roles there as well, like these security checks may turn into checkbox...

F: Do you have something there? And there may be a whole set of things that they may want to focus on, where the fact that you're using Dependabot or something else, like, they don't really care which one you use as long as you use an approved one, and they have other things that they want to focus their time on. So I think we should come up with some users that we want to target as part of the security map.

B: I want to cover some of the comments in the chat. I think there's some good questions there as well. Alex was actually asking about what does the CNCF do for the other landscape in terms of projects? And I think that's actually a good question. Do we have anyone... they...
H: Yeah, this is actually useful. It's good timing, because I'm trying to figure out what the roadmap is for things that we provide to open source through LFX, and I think in some ways there we can abstract away sort of the decisions, or, like, you know, for example, someone mentioned, or we use Snyk and we're looking at other commercial, but then we've already done the pre-vetting and people won't have the question:

H: Oh, will this be expensive? Because it'll be done through LFX. So what would be helpful for me, as I build the roadmap, is to understand, well, what are the problems you want to solve, and then we'll go off and figure out, with your guidance, like, check out these vendors, and then we're going through with the vendors and asking, okay, we want this available for open source. We wanted to, you know, go through our control panel, the LFX Project Control Center.

H: And then what we can do is we can then abstract away some of that and put it into LFX, and then people won't have to go through. They can still use their own choice, but we'll have vetted it out. It'll be easier to instrument based on your projects. The costs will be covered if you're a member of the...
H: If it's part of the Linux Foundation, I mean, all those things we can kind of take the lift off of the project TSCs, but I don't know the scope of the kinds of problems, how far people want to go. Like, for example, I saw here listed was SAST, but did people want to consider DAST? But then now you've got to develop the... be able to run the runtime automatically as part of your CI/CD, and, you know, we're not able to generalize that completely, and not everything has a runtime, and so I sort of paused.

H: Do I really want to go down that path? Like, I think I can share my roadmap. Like, we can start with, like, what are the set of problems you want to solve. Like, I started to look at what was the low-hanging fruit; it's like dependency scanning, checking for the vulnerability database of things that are known, secret scanning, like kind of basic stuff, and I'm trying to get a feel how far this roadmap goes that we want to try to do.
B: I think an interesting place to go to as well is, you know, the infrastructure side, you know, being able to run, for example, like CIS benchmarks or like some kind of compliance scans against infrastructure.

B: Yeah, I mean, that's going to be a whole different thing, and then, you know, it's going to open up a lot of costs, which I don't know whether it's going to be sustainable to manage as well.
H: You know, vuln database, they build their own patterns and we use that. So I think that's kind of where I would like to hear (and I can share, like, these are the problems that I'm thinking of solving), but then we can go off and take your suggestions on, you know, do we want to... you have a way so that OSS-Fuzz is really easy; you just put in your repo, set it up, and then...

H: ...run like that, then we can go into your recommendations on whether it's open source or commercial, but I'm at a phase where I literally was working yesterday on the roadmap of problems we wanted to solve, and I'd love your input: how wide or how deep do we need to go? Is it more shallow, and what's the most common? Tim.
A: You raised a great point. I think framing it at what are the set of problems is the most useful in making it scenario-driven. Like, as technologists we're often subject to, like, marketing myopia, and we forget that people don't want the quarter-inch drill; they don't care about the features on the drill, they care about a quarter-inch hole, right.

H: Exactly, and that's what I'd love to hear: where, how far is the interest? Like, you can go to the whole supply chain, up to, you know, do people care about the binaries coming from packages? Do they want to have a hash assurance, you know, signature, all the way up to, you know, the commits? Like, there's so many different ways you could go. I'd love to kind of like put that in, and I can either next time share...
B: Yeah, I think that's great. Tim, do... maybe do you want to present a little bit of what you have in one of the sessions? Yeah, sure.

H: I'll try to do it either... maybe next week. I mean, I'm literally in the middle of like putting it... it'll be very, like, half-baked, because I'm trying to keep the funnel open, but maybe this would be a good time for me to actually get it out of my head in front of experienced practitioners. That would be awesome.
B: Yeah, you know, the scribe AI thinks it's a good action item, you know, to highlight, so I think it made the cut.

B: How... do you want to do a shout-out on Cloud Native Security Day, Andres? How's that going? I'll be... Is registration still open?

A: Most of the recordings are due this week, so I know folks are working on that. I'm working along with the tai on doing the opening and closing on behalf of the program committee, but yeah, pretty much smooth sailing. Awesome. Yeah, KubeCon talks were also due Monday at midnight. So I hope, for those presenting, you got your talks in.