►
From YouTube: CNCF SIG Security 2020-07-29
Description
CNCF SIG Security 2020-07-29
A
A
B
D
E
E
E
D
G
F
D
Yeah
sure
so
emily
and
others
laid
out
a
plan
for
what
the
white
paper
kind
of
the
topics
and
outlined
for
the
white
paper
and
took
a
lot
of
feedback
over
the
last
two
weeks
or
so
in
writing.
Then
we
just
had
a
synchronous.
You
know
zoom
discussion
about
them
an
hour
ago
clarified
a
couple
things
and
at
the
end
decided
that
people
who
are
interested
will
put
their
names
on
various
topics.
F
Right
so
you
know
call
to
action
there.
If
you
have
cycles
and
if
you're
interested
in
contributing
your
subject
matter
expertise,
you
know
now's
the
time
I
will
work
to
corral
someone
to
sort
of
do
more
of
a
readout
in
the
coming
week.
Yeah.
So
everyone
can,
you
know,
see
where
they
can.
You
know
sign
up,
there's
a
slack
channel.
D
I
C
What
what
are
you
looking
for
with
respect
to
this,
because
from
sort
of
my
standpoint,
you've
already
gone
through
the
the
process,
like
the
difficult
process
of
the
actual
security
assessment
and
in
my
view,
unless
major
things
have
changed
with
opa
or
you
know,
if
you
want
to
give
us
just
an
update,
this
is
what's
happened.
Then
we
basically
the
people
who
did
the
assessment
are
likely
to
look
at
it
and
say
yep.
C
I
So
I
believe
we
put
that
as
well
in
the
due
diligence
talk,
so
it's
nothing
like
major
or
like
affecting
oppa
completely
from
last
time,
but
we've
just
added
some
new
documentation
and
some
some,
you
know
some
new
things
to
cover
what
was
brought
up
last
time.
So,
okay,
and
so
we
just
need,
like
a
like.
You
know,
a
small
feedback
around
that
document.
So
if.
C
To
provide
that
and
in
general
I'd
like
this
process
to
be
very
low,
friction
for
the
projects.
So
what
what
you've
done
sounds
great,
I'm
happy
to
look
at
it.
I
think
the
rest
of
the
original
reviewers.
We
can
take
a
quick
look
at
it
and
likely
you
know
we
can
produce
something
that
very
quickly.
That
just
says
you
know
yeah
oppa's.
A
D
A
C
C
I
think
doing
you
know
this
is
something
it
has
to
be
discussed
as
a
group,
but
in
general
my
my
view
is:
is
that
the
most
valuable
assessment
we're
going
to
do
for
any
project
is
probably
the
first
one
agree
yep?
I
think
that
that,
like
you
know,
if
we
got
stuck
in
a
position
where
we
just
didn't,
have
the
bandwidth
to
like
look
at
new
projects,
because
we
were
spending
all
of
our
time,
doing
kind
of
like
lengthy
reassessments,
for
projects
going
up
for
the
next
level
or
lengthy
annual
re-reviews.
C
Unless
you
go
through
something
like
like,
for
instance,
a
notary
v2,
some
of
the
things
that
are
being
proposed
there
are
basically
it's
almost.
At
least
you
know.
Some
of
the
draft
stuff
that's
being
proposed
now
is
basically
complete
rewrite
of
the
system,
and
at
that
point
I
think
you
know
it
is
def.
It
would
definitely
be
worth
having
a
complete
reassessment,
because
the
security
properties
and
risks,
and
things
like
that,
at
least
for
some
some
of
the
proposed
things-
are
completely
different.
A
Well,
I
think
that's
the
opportunity
here.
Of
course,
you
know
oppa
was
very
helpful
in
the
formative
stages
of
what
the
security
assessment
would
look
like
in
the
beginning,
here's
a
great
opportunity
to
kind
of
define
the
guard
rails
on
what
the
refresh
looks
like
and
maybe
I'm
I'm
happy
to
to
kind
of
put
together.
Like
here's,
a
10
point,
quick.
Yes,
no
question
you
know,
have
you
undergone
a
major
rewrite?
Yes,
no
right
and
then
you
know
spin
off
from
there
based
on
those
answers,
so
keep
it
simple.
I
Yeah
that
that
sounds
great,
so
what
I
can
do
is
I'll
share
the
document
in
the
oppa
security
channel
we
created
last
time
and
then
y'all
can
take
a
look
at
that
and
if
you
have
like
those
ten
point,
questions
talk
about
anything
else
that
I
can
do
to
help
this
process
as
soon
as
possible.
So
yeah.
Let's
do
it
just.
A
A
quick
follow-up-
and
I
don't
want
to
get
in
the
weeds
on
on
this
call,
but
it
is
somewhat
germane
to
cncf
projects
that
kind
of
fork
off
into
other
cncf
fish
projects.
So
I
know
like
oppa
and
gatekeeper
are
now.
I
guess
somewhat
two
separate
projects
or
would
that
be
considered
the
same
scope
and
how
would
we
kind
of
handle
that
at
the
cncf.
C
E
I
I
I
C
I
I
largely
think
what
you
should
do
is
is
to
post
the
new
document
on
and
mention
on
both
side
security
and
the
old
channel
and
like
ping,
you
know
you
can
also
ping
us
individually,
but
somehow
bring
it
to
everyone's
attention
who
participated
in
the
original
review.
If
you
have
feedback
within
a
week
based
on
this,
please
please
give
it
otherwise.
E
D
D
E
We
should
get
around
to
doing
this,
so
it's,
I
guess,
a
touch
ad
hoc
in
terms
of
taking
it
from
the
backlog
and
putting
it
into
the
meeting
and
then
as
for
creating
the
content,
to
begin
with,
whoever
wants
to
propose
something
you
just
go:
create
the
ticket,
whether
it's
a
member
of
security
or
just
an
external
third
party
that
wants
to
reach
out
to
and
engage
with
security.
They
just
create
a
github
account.
They'll
face
the
ticket
plus
their
contact
info,
that's
the
gist
of
it.
E
D
E
They
could
do
it
on
this
on
the
fly
or
on
the
spot
if
they
wanted
to,
and
we
had
time,
I
guess
the
preferred
ways
that
someone
chooses
a
specific
date
during
which
they
would
present
those.
I
think
we
probably
need
to
purge
those
ones
that
are
in
the
the
meeting
notes
document
referring
to
you
there.
I
leave
them
there.
At
least
we
tend
to
leave
them
there
for
a
couple
weeks
in
case.
Maybe
we
didn't
get
around
to
it
and
we
didn't
want
to
delete
someone
else's
work.
D
Okay
and
another
another
question
right:
that's
what
we're
finding
sorry.
So
it
looks
like
the
things
that
are
generally
proposed.
Are
you
know
things
around
assessing
various
things
to
be,
you
know
included,
and
you
know
and
endorsed
in
various
ways
by
cncf
and
other
things
we're
just
the
group
somebody
wants
to
get
the
impression
of
this
group.
Is
that
accurate
that
you
know?
D
E
I'd
say
at
least
personally
that's
a
fair
appraisal.
There's
also
like
some.
I
guess
you
could
say
housekeeping
topics
that
come
up
like
we
need
to
update
some
documentation
or
add
some
rules
or
add
some,
maybe
build
bots
or
something
to
some
of
our
build
jobs
or
linting.
The
documentation
stuff
like
that,
okay,.
D
E
No
problem,
please
feel
free
to
put
the
issue
in
the
tracker
there
and
if
you
feel
that
it's
to
cut
the
necessary
tension
and
hasn't
ended
up
on
a
schedule
by
all
means,
please
feel
free
to
go
ahead
and
put
it
as
a
proposed
thing
right
there
in
the
meeting
notes
and
it'll.
Definitely
if
it
hasn't
been
noticed
in
the
tickets,
although
the
members
of
the
team
are
quite
diligent,
so
it's
not
often
something
slips
through
the
cracks.
F
When
just
a
you
know,
just
some
framing
there,
you
know
worth
considering
that
we're
you
know
about
to
kick
off
this
three-month
process,
and
you
know,
therefore
you
know
it'll
suck
a
lot
of
folks
time.
So
if
the
thing
that
needs
to
be
done
involves
a
lot
of
contribution
from
a
lot
of
folks,
you
know
you're
going
to
get
pushback
from
folks.
Like
me,
you
know
on
timing,
you
know,
as
we
try
to
keep
complete,
that
workflow.
G
Hey
so
this
is
underwent
here
so
kind
of
a
related
to
this
topic.
I
think,
but
not
a
suggestion
for
a
change
in
practice
right
now,
but
we
do
assessments.
This
is
part
of
my
day.
Job
duties
and
the
question
of
deciding
when
an
application,
that's
already
been
screened,
needs
to
get
re-screened
is
not
necessarily
based
on
the
amount
of
code.
That's
changed.
G
I
don't
think
there
is
a
simple
rule
of
thumb
for
that
and
in
fact,
part
of
what
we
try
to
do
in
the
engagement
with
the
projects
that
come
through
for
assessments
in
our
enterprise,
not
in
cncf,
is
to
try
to
educate
them
about
what
those
things
might
be
that
need
to
have
them
come
back
for
a
visit,
either
in
person
or
in
some
kind
of
written
update
to
the
previous
plan.
So
I
think
it's
a
worthwhile
thing
to
think
about
trying
to
identify
what
those
things
are.
G
So
when
the
teams
come
through
for
the
initial
big
reviews
of
the
sort
that
justin
outlined,
that
they
have
a
sense
for
what
things
would
merit,
you
know
either
personal
visit,
or
at
least
a
sort
of
debrief
back
to
the
security
team.
That
did
the
review.
I
mean
I'll
just
throw
out
a
couple.
Things
like
we
see
changes
to
encryption
or
decision
to
use,
tokenization
or
adding
pii
to
an
application
that
didn't
have
pii
before
or
we
change
us
partners
for
who's
doing
our
api
security.
G
Some
major
changes
with
the
security,
tooling
partners,
and
so
the
the
vendor
apis
are
having
to
be
revisited
for
some
security
issues
which,
at
the
time
these
folks
came
through
for
initial
review,
wasn't
really
much
concern
to
us.
We
were
happy
to
see
it,
but
we
didn't
really
look
at
it
in
detail.
G
So
that's
not
an
exhaustive
list.
That's
just
you
know,
sort
of
the
typical
stuff
that
comes
up,
but
there's
also
other
dependencies
with
other
cloud
projects.
The
one
that
comes
to
mind
for
me
would
be
prometheus
or
the
authentication
tools.
But
again,
I
think
if
you
could,
we
could
offer
guidance
and
for
the
teams
to
come
through
that.
That
would
be
a
value.
Add
because
I
think
just
saying
come
back
when
it's
been
changed
is
not
going
to
help
them.
C
I
think
that's
sensible,
there's
a
couple
of
things.
I
think
we
have
to
be
a
little
like
we'll
have
to
kind
of
customize
to
this
environment
because
in
general,
if
something
like
the
encryption
changes,
but
it's
just
an
algorithm
swap
out
then
most
of
the
time
from
our
standpoint,
it
just
won't
matter.
I
mean
unless
someone
is
swapping
out,
you
know
something
for
md5
or
something
like
that
or
whatever,
which
you
wouldn't
expect
have
happened.
C
I
think
a
lot
of
the
points
you
make
are
really
good
ones,
and
I
think
if
you
can
share,
like
you
know,
basically
what
you
just
said,
along
with
any
other
points
that
you
commonly
have
that
you
give
as
guidance.
That
might
be
a
good
draft
like
sort
of
thing
for
us
to
look
at.
I
think
the
other
decision
we'd
have
to
make
based
on
that
is.
Is
that
something
that
we
look?
C
We
want
to
look
at
for
a
project
immediately
when
that
changes
or
do
we
want
to
in
the
annual
review,
go
through
all
of
the
items
like
that
that
have
changed
for
a
project,
and
I
don't
know
the
answer
to
that.
But
anyway
yeah,
so
I
I
think,
that's
that's
all,
I'm
very
I'm
very
encouraging
of
your
suggestion
mark
and
would
love
to
have
you
maybe
write
up
a
list
of
those
things
that
we
could
we
could
iterate
on.
G
I
am
indeed
thank
you,
my
my
boss
said:
what's
the
most
commonly
thing
said
on
zoom,
it's
your
mute.
I
was
going
to
say
I'm
mindful
of
your
suggestion
that
we
keep
a
light
touch
and
that
the
folks
who
went
through
extensive
reviews
should
be.
You
know
a
prize
that
that's
it's
not
going
to
be
an
extensive
review
and
also,
I
think
you
know
the
use
cases,
I'm
able
to
think
up
ad
hoc
here,
maybe
not
the
best
one.
J
Hey
one
maybe
unrelated
question:
there
have
been
a
couple
of
presentations
on
ci
cd
pipelines
both
on
the
dod
sec,
ops
group
and
others.
I
was
just
curious:
is
there
a
unified
working
group?
That's
and
what's
the
intended
artifact
for
that?
Is
that,
like
a
subgroup
of
the
sig
or
I'm
just
trying
to
understand
what
the
outcomes
are
and
how
to
participate.
B
So
this
is
vinay.
Maybe
I
can
talk
about
it.
I
gave
the
last
presentation
on
the
ci
cd
security.
So
what
came
out
of
that
is
that
there's
some
artifacts
that
we
could
potentially
use
that
can
be
contributed
into
the
the
the
security
cloud
native
security
landscape
or
I'm
sorry.
I
forget
the
exact
name.
Give
me
one.
Second,
it's
called
the
cloud
native
security
white
paper,
so
so
a
lot
of
those
the
information
there
will
be
fed
into
that.
B
Potentially
we
can
leverage
some
of
the
visuals
and
illustrations
and
then
they
would
be
the
idea
there
is
to
actually
highlight
a
lot
of
these
topics
as
well
as
then
as
necessary,
have
deeper
die
concepts
that
are
distilled
in
separate
white
papers.
So
that's
one
and
then
brandon
and
justin
have
already
had
a
landscape
effort
underway
for
quite
a
while
and
then
potentially
we'll
see
how
we
can
contribute
and
leverage
to
that
effort
as
well.
B
So
from
the
cloud
native
security
white
paper
perspective,
we
just
had
one
meeting
this
morning.
There
is
a
there
is
a
slack
channel
that
has
been
established
for
it,
emily
or
dan,
and
somebody
maybe
someone
can
invite
you
to
it.
If
you
could
just
ping
them,
and
so
I
think
it's
just
been
ad
hoc
for
now,
but
there
is
a
slack
channel,
which
I
would
imagine,
is
the
authoritative
way
to
communicate
across
the
stakeholders
cool.
Thank
you
sure.
E
K
Hi
guys
matt
here
I
work
at
synopsys
and
I'm
trying
to
get
up
to
speed
on
cloud
native
security,
so
yeah
like
if
anybody
has
things
would
be
good
for
somebody
pretty
new
to
the
space
to
work
on
I'd.
You
know
like
in
an
open
source
way.
I'd
definitely
be
happy
to
to.
You
know,
look
at
some
of
those
things
and
you
know
kind
of
ramp
up
and
hopefully
help
you
out
too.
E
Sure
thing
one
of
the
recurring
themes-
and
I
myself
asked
that
question
joining
the
group.
There's
the
backlog
on
github
there's
just
joining
the
meetings
a
few
times
to
start
to
get
a
feel
for.
What's
the
current
topic
like
if
there's
a
new
security
review
that
pops
up
and
people
are
welcome
to
join
in
on
it
take
part
in
it
that
sort
of
thing
the
recurring
theme
I
often
hear
being
uttered
is:
we've
chopped.
F
K
I
don't
really,
I
don't
really
know
much
about
security.
I'm
more!
You
know
I
like
I've,
done
a
lot
of
application,
development
and
stuff
like
that,
but
not
really
any
security.
So
for
me
like
getting
a
good
handle
on
security,
that's
happening
in
the
kubernetes
space.
You
know
like
keeping
clusters
secure
images
and
that
kind
of
stuff
is
super
useful.
For,
for
what
we're
doing
so,
yeah
I
mean
I'd.
Love
to
you
know
contribute
in
any
way
that's
helpful
if
that's
like
writing
code
or
triaging
issues
or
reproducing
bugs
or
whatever
you
know
like
yeah.
F
So
in
this
forum,
you're
not
going
to
find
you
know
any
opportunities
to
code
directly,
you're
gonna
have
to
go
from.
You
know
kind
of
this
higher
order
level
here
in
the
sig
down
into
individual
projects.
You
have
you
know
a
number
of
the
the
members
of
oppa
present
today.
It's
a
great
you
know,
sort
of
place
to
start
getting
oriented.
So
if
you're
looking
for
you
know
path
contribution,
you
know
this
is
going
to
be.
F
F
You
know
over
the
next
three
months
and
then
you
know,
in
terms
of
you
know,
sort
of
deeper
dives
into
project.
You
know
participating
in
a
security
assessment.
Would
you
know
really
give
you
the
perspective
of
you
know
what
seasoned
professionals
that
work
in
the
space
are
looking
for,
and
you
know
the
types
of
concerns
that
arise
as
we're,
assessing
the
components
that
make
up
a
cloud
native
system.
K
E
As
a
book
I'll
add
a
link
here,
this
is
just
my
tooth.
This
isn't
officially
endorsed
by
cf
or
anything
like
that,
but
it's
an
interesting
document
by
essentially
on
your
security
and
it's
interesting
reading
that
you
mentioned
you're
interested
in
container
security.
I
found
what
was
interesting
was
after
reading
this
finding
guns
that
cited
and
referenced
it
and
found
essentially
just
a
boatload
of
use
information
that
I've
been
using
to
write
my
own
security
policies
within
my
own
company.