From YouTube: CNCF SIG-Security Meeting - 2019-07-03
B: People adding themselves, we have 16 participants and almost 16 there, and lines I... Thank you. Know that we have scribes, we won't have chickens, so this is where, if anybody from you, we just go around and we check in: we say who we are, what we do, what's happening with security in our week, or, you know, you can feel free to share something personal if you like, and, you know, just anything that the group would... It doesn't have to be things, security hits done; it could be some article.

B: You read about security, a conference when you went to, we welcome a cross-fertilization, because we can't all do all the things. So I'm Sarah Allen, I'm one of the co-chairs of SIG Security, and most of what I've been doing in the last week is covered in the agenda. I've been doing a lot of meetings in repo lately, so we'll cut, we'll get to that when we get to it. Jonathan.

I: Craig, I am Craig, I work at Heroku. I'm also part of the Kubernetes security audit working group. So this week we are actually pretty close to, I think next week, having that audit and all the, the white paper, the threat model and the security assessment released, except for a couple of issues that are gonna be under embargo with the product security, the PSC for Kubernetes, for a little bit of time and get those issues fixed. It's exciting news for their project, right.

B: And that would, I didn't think that, that might be something that we, you're interested in coming back and presenting it. Maybe we could have a little brainstorm about presentations we might like from different people in the group who are involved in different activities; when we know when it wraps up and you feel ready to, that might be neat, yeah. It's great. Mark Underwood.

J: This is Mark Underwood, I apologize for the background noise, we're trying to wrap up standards and ontologies in one meeting: it's not gonna happen. And no news from me, I'm at Synchrony working in cybersecurity, where we're still trying to build knowledge graphs around cybersecurity. So people interested in that, you know, ping me; otherwise, no progress! All right! Thanks, Mark.

A: I'm Norton, I work on Falco, wiggler Nardo. My update is basically the same, it's no, not dope, but you also want to add that on the Falco side we have been doing all the improvements in how the project, in the stability of the project basically, and we think that that will, does improve the overall security of the project itself. It's just little things that make the project more maintainable and easier to spot.

M: Hi, I'm Brendan from IBM Research, so I guess what happened recently was we, like, in China? There was some interest in the group. I think I got some feedback on, you know, some folks were interested in the idea of if we were able to give certain recommendations on security configurations and good Kubernetes clusters and things like that. I think that we managed to meet up a fairly small group, I think. I imagine few people in person that I met, super kitesurf from Falco.

P: Emily Fox from the National Security Agency in the United States. I just got off the call about doing more program planning for the security day that is coming up, and we'll talk more about that during the agenda. Erin.

K: Hey, this is Peter here, I'm a per engineer with a background in security working at Teradata, and I've been working to solve for software supply chain in our, you know, environment, so integrating Open Policy Agent and a few of, and evaluating a few other CNCF projects to help us achieve secure software supply chain, right.

R: I'm Christian, I work on the Google Cloud security team. We have been thinking a lot about how to express policy composition, so policies on policies, how some people call it meta policy. This is in the context of how we can enable what we call the platform, I think, right. We decided that might be another persona, so I'm still interested in having that discussion at some point. Oh.

B: Yeah, if you add it, I'll find it, I'm already... know: Thank you, Carlos.

B: Right, excellent, so I'm going to skip down to, I'm gonna put this actually below Emily. If you're, are you online? Can you add the issue link to it before we get there on the agenda? I wanted to just do a couple of highlights on PRs and issues that need input, so we've been doing some wrangling of trying to get so that we don't have as much in progress, and so one of the things that we co-chairs talked about is, and we've talked about informally in the groups, but we're formalizing it, which is.

B: We did these draft landscape categories earlier this calendar year, an effort that was started in 2018, and there's been a bunch of feedback that I'm actually working on making sure it's all written up as issues, but we've realized that having more contextual material when we're finalizing these categories is important, so we have, a while back, we started the white paper, we put it on pause. JJ is going to spearhead picking it up again, but we decided that we would.

B: We would formally pause this and put a stake in the sand that we would revisit it after we have a draft of the white paper, so I want to let people know that we added another item to our checklist of how we're going to get to a landscape, and then we're kind of queuing that up for a little later in our road, in our to-be-figured-out roadmap, and the process that we're following, that we're still in the midst of, is: we are actually echoing our process in GitHub.

B: So what we're, for those of you who are new? We are, we have a proposal process, if you're looking at governance, anybody in the group can propose something that the group would work on. If you actually want to do work on it, then you can make it a proposal. If you just have an idea but you're not sure you want to work on it, then it's a suggestion.

B: Wrangling, and Howard is working on doing that on the policy side in a different time zone, and then Justin Cappos is wrangling all the security audits, and so we're trying to get everything tracked in GitHub. So then we will have a number of issues that are projects and we will queue them up in a, this: if we don't change anything, this is what we're actually doing, and then we can have a discussion about whether that's the right priority.

N: Yeah, so we've got a final call-out for being able to say if there's any feedback that you would like to be able to put in for the logo, please do so. We're about to go back to our designer at CNCF and probably come back with roughly four options to be able to say: here's where you can move from there. So if you can get that done, I know we've got this July 4th holiday coming up.

B: And what I'd like to ask people to do, so we captured notes from the lot, we went around the last time and sort of people had ideas about saying, you know, imagery they thought of. This was actually done, this ideation was done before that, so our designer got all excited and, based on some ideation that was at KubeCon, came up with these things and their own, out of their own hacking head, and so different people have pulled out different things and made a comment on them.

B: If you agree with it, use your emojis, you can kind of emoji like different ones, and then I did, for an example, here. My weight, my voice carries, doesn't carry any more weight than anybody else's. Saying why you like it really helps the designer, and so I just pulled out two that captured what I, I like what one of the group members said about having something iconic in a logo.

B: So that's an example of something that would be helpful, like if you see one of the things in this set that hasn't been commented on that you really like, pull it out, add it to the comments, say what you like about it, what you think it evokes, and if you don't like something you can just leave it aside.

B: Unless you want to vigorously say: let's not do something for reasons, that other people have said that they would like to do for other reasons, and you can see a discussion about visual representation that maybe we shouldn't use. So please, chime in on the issue if you have thoughts, and particularly, you know, welcome any reasons you have those thoughts, but any feedback is definitely valued. And then also wanted to.

B: This is a relatively minor thing, but it's very hard to write up what we do, right, and Emily gave some great feedback on, like, there's been a discussion of: we have a bunch of new roles, relatively new in the last few months, that are written up now, and there was this phrase that was difficult to capture, which is, what I'm trying to say is: if you take on a role in the group, it's your job to figure out what the right thing to do is and how to conform to, be like, having.

B: We have a lot of ideas that are somewhat written down, that we'd like to be, to respect each other and be friendly, and we value each other's opinions and all sorts of good collaboration things that we try to do, and we try to be inclusive, so that just because one person is working on something doesn't mean that they're dictating that to the rest of the group. And so we have like a bunch of words that are trying to express the good collaborative communal feel we have, but it isn't really well captured.

B: So if you have, you know, this just needs a little help to try to write this down in some way. So if you've been in the group for a while or you've been in groups like this, if you kind of know what I'm talking about and you have some idea of how to capture that in words, and you're willing to wade through our governance docs, which everybody should read by the way, lots of people work hard on them, then that really could do with some input.

P: Yes, I can start talking now that I'm unmuted. So we had a call earlier today to talk through some of the planning in the 209 issue that got started, so Michael updated the ticket content with the proposed format and layout. So we had some good discussion, essentially boiled down to: we're really happy with the proposed format. But now the question is whether or not we go for something that's considered a more formal day at the conference or if it's more informal, so next week what we're gonna end up doing is having somebody present about unconference.

P: So we can learn a little bit more about that style. There seems to be a lot of various ways that you can do an open kind of space feel at a conference. We're not necessarily looking to do a mix of both because we feel logistically that would be a little bit difficult to manage. But if it's formal, we're running short on time for some of those things; if it's informal, we have plenty of time. However, it's a little bit more legwork to source presentations.

P: So if you have any feelings on anything about it, feel free to read through the comment. It's posted in the notes for the agenda of what our last meeting was, and if you have a feel one way or the other, or more formal or informal, certainly post that, we'll take it into consideration as we work through and trying to figure out what's going to work best for what we're trying to accomplish. So as a reminder, the whole point of security day is to bring like minds together, passionate people about security in a cloud native environment.

P: So they can discuss and work together on either identifying solutions, sharing lessons learned, and I think those seated with that, we're not looking through generated standards or a body associated with the common security day, but more make available any presentations that are put together or any notes that are taken if we do lightning talks or the open spaces environment. So feel free to provide comments in the tickets, we'll certainly add them, certainly review them, and when we meet next week again, it's to learn more about unconference.

B: Channel, yes, so this is, we decided that it would be for any live event. So right now we're focused on this security day, but then this is an ongoing channel for things like this, so feel free to join that channel if you're interested, and then JJ is going to take over as the SIG chair sponsoring this initiative, and because it will happen mostly, organizing will happen outside of the working group meetings.

H: So basically, we just had a conversation, the security assessment process: why we're doing it, what it's used for, what both the end users and the community are expected to get out of it, and what, get out of it. Most of the feedback there was that related, actually, security assessments was fairly minor, a few clarifying questions about things, but we had a much more spirited, and in which I think we're about, in a little bit here.

H: Couple, I, actually a couple things. So the in-toto assessment, which is a software supply chain security project, is going to be presented next Tuesday at the TOC meeting. So this is gonna be the TOC's first chance to really look at a completed assessment and give us feedback. So it is actually a good opportunity for people to see what the TOC thinks about this and would be a good meeting for people in general here in SIG Security to make.

H: Because of this, if assessments, and the other thing is, is that I'm gonna be pushing people a little bit to actually formally completely complete the OPA assessment. So Ash, I'll be prodding you a bit and also be prodding people from our side to finish up the very small number of very, very minor things, so we can actually get a PR in.

B: Did you want to do the, do you feel like we've addressed, we kind of had a shorter than planned presentation and Q&A session? Do you feel like that's been addressed to a sink, or do you think that we should allocate some time for part two of that presentation, because that was right before KubeCon and then it got interrupted by KubeCon EU and vacations and things.

B: Maybe we can just, I wanted to put it out there. I don't think we have to decide right now, but like, I wanted to let Ash know, and, you know, the folks on the call who are reviewing that, that if it would be helpful to take it to a close, to have a discussion, we can set aside time for that, yeah.

B: The, the SIG, the TOC can add its option, delegate to the SIG. So that's one of the things that we're trying to figure out with SIG Security. If it's a security project and due diligence needs to be done, then we would participate in that. Historically, it's been done by a TOC contributor, like the TOC says: hey, there's, anybody can volunteer as a contributor. That means that you're saying hey.

B: One of the things that came up in the TOC meeting was actually having kind of like a workflow diagram would really help everybody, instead of it being as ad hoc as it is, like, you know, the TOC doesn't always speak with a single voice. You never know where, like, you know, we've gotten different requests from different TOC members, and when there's contention it hasn't always been clear who sets the priorities. Now, as of a few months ago, we have TOC liaisons for each SIG.

B: However, they may also ask SIG Security about it if it's an open question in some way, and so that's where we're kind of, security cuts across a bunch of different, you know, other projects as well that might have security implications but aren't for security, and so some of that is kind of, we're in that realm, and a lot of it, because the TOC doesn't always have bandwidth to figure this stuff out in the timeframe that we need to know it, we've taken the approach of, like, hey, what do we think is important?

B: How are we going to approach this? So we have, to the extent that we have bandwidth, if the TOC doesn't ask for help but we're like, hey, we kind of want to weigh in on this project, this particular project transitioning from one thing to another, we can prioritize participating in that, and anybody can come to the TOC meetings and chime in, or chime in on the issues.

B: So one of the things that came up that I just, I definitely, like, I want to discuss amongst ourselves, and we'll get to see input in as well, is that Joe Beda, who's actually one of our TOC liaisons, brought up this: how do we prioritize the assessments? Where, you know, are they always the CNCF projects? We had talked about that we would prioritize the CNCF projects.

B: We might not even have bandwidth to do all the CNCF projects, and we would also prioritize the ones that are specifically delivering security, except that we will also want to do, in this first five, do something that is not itself for security, so we kind of get a sense of what that kind of security assessment is like. And so Justin Cappos, if you want to just chime in a little bit about how we came up with this list, I like this list, and your.

H: Sure, so some of this was provided to us because we were provided with the set of projects that the TOC thought were security projects, and we took a few of those and omitted them from that, from your list, or priority, for instance SPIRE, which is mentioned down at the bottom of the screen there, and so because I had just sort of done, of, actually a more rigorous audit process or assessment process than what we're doing in our assessments, it seemed less important for us to do that right away.

H: The same was sort of true of, yeah, perfect. So looking at that list, on that list the things that we clearly wanted to audit were Falco and OPA, because those were on a list of things proposed by the TOC. In-toto had also been mentioned, because in-toto, which is a software supply chain project, was brought up by the TOC that they would like to have it go through this process.

H: So we, the in-toto project, which I'm involved with, went through; I did not participate in the assessment from an assessor standpoint, but we did the OPA assessment in the meantime. In terms of prior, the other things on the list there, those are projects that were largely people mentioned to us, as either the developers saying hey, we would like to be a part of this, or we think this would be, you get to have this assessment, or someone else said hey.

P: We have a ticket open to discuss, like, the frequency at which these audits are supposed to be performed and at what stages and membership with the CNCF the projects are supposed to be reviewed. I feel like almost HIV that we've started to have that conversation at some point now. I don't remember the ticket, so.

B: Yes, so there's a ticket, so we, it has been decided, I think we should write it all up and review it, but it was prior, it was proposed to us by the, the TOC that we, whatever, what, that the assessment should be valid for a year and we should review them annually, and so there's, I wrote up an issue that that should be, that should be written down. What the annual review is, is TBD.

P: And I know that we had, I know, well, I remember commenting on a particular ticket where we had discussed that, so I'm happy that CNCF has come forward and said like, we'll do it annually, but we get to define the scope of what that annual review is supposed to be. But I know that we've talked about it in at least one of the tickets and, for the life of me, I cannot find it right now, but we had, we tried to figure it out, like what should the model look like?

P: Should it be before they graduate completely? Should it be just at each, in order for them to, like, move from the sandbox, incubation, whichever phase that they're currently in or trying to get into, that's when an initial review is done? Should it be like a lightweight for anybody that's being proposed into CNCF? How, how, what, at what time, frequencies or what life cycle stages should SIG Security get involved, and whether or not there is a requirement for somebody to graduate, like, convert any, since graduated, they have a full audit.

B: I've got it up on the screen here, not okay, it's just this. The thing, this is just that there is an annual review process; documenting that, and Roberts volunteered to get it into our docs. I think that I want to pause on the, we should write up separately, and, you know, maybe we can have a chat on Slack to find whether, whether there actually is an issue. That is the other thing, which is the graduation processes, they, like the incubation, sandbox and so forth.

B: The more substantive thing that I wanted to have discussed is, so whatever we decided to do, for quite a while there will be a large backlog of projects, right. CNCF has dozens of projects. There are many, many things that need to be, that would benefit from a security assessment. How do, if we were thinking about, like, going out and outreaching to projects and saying: oh, don't you want to do a security assessment?

B: I'm not going to go through this in detail, but just point out that it's here, have that kind of elaborated that we believe that, one, the assessments themselves will reduce risks, and that the data that's provided and the exercise will itself accelerate adoption of cloud native technologies, which is the mission of the CNCF. So in that light, how should we think about using our time and queuing up these assessments? People have thoughts?

B: Does anybody else have any thoughts about, like, I, like I'm really curious, I've thought about, like, there's some projects that aren't CNCF projects that are very widely used, right, and then there are ones that are CNCF projects that are less widely used, right, and, you know, and how should we think about, like, what level of use presents more risk? People have, I.

P: Given that SIG Security is from the CNCF, yes, I would tend to focus scope on CNCF-specific projects, and that if there is an effort outside of CNCF that is widely used, that perhaps it should be looked at, bringing, brought into the fold for inclusion within the CNCF and review by security. I worry that the landscape is so large that just saying, because there's a large project out there that everybody is already using, can you guys take a look, when we've already committed to a bunch of other things, like, stretch?

P: Current resource is too thin, so kind of rescoping it to focus more on CNCF and then maybe evaluating at a later date. If there is something that's no kidding part of the ecosystem and so widely used and adopted, like almost to the scale of how Kubernetes is, maybe those ones should be the exception to that rule, and they have to have, I don't know, some quorum of agreement for review.

J: No, I suggest, you know, and yeah, point taken. I am, I'm thinking about this. It's the degree of dependency, and this kind of begs the question, Justin's supply chain project. You know, what counts is the highly dependent ones, but the ones that are widely employed in the DevOps space but that are not CNCF but are part of the tools pipeline should be at least addressed, even if we, you know, address the fact that we really don't take a deep dive into them, but.

R: We should also not forget that we rely on participation of the project, right, so if there is a project that is not part of CNCF and, you know, could be hostile to the CNCF for whatever reason, they are probably less likely to participate in something like that. We do rely on having some goodwill from the project, yeah.

M: I mean, I feel a lot of the securities of, came before the subject came before cloud native, like the key measurements that you can, stuff like that, I think it's important to consider within the landscape, but I don't, I'm not sure whether really having a security assessment of it is really necessary, since I think a lot of these projects are usually very well established or have been there and they're kind of being looked at by other users of security.

B: Yeah, that's a good point. I think that the person who first brought up widely used was, they, it's not clear how we would define that, and so if it's so widely used that everybody understands its security profile, that there's something, there's somewhere. You know, I think that there's widely used as a proxy for a need, so I think that's good, yeah.

B: A really good point, and I think for the people who are new, we have two things that are filters for what we work on, and one of them is it actually has to be cloud native, so Linux is often used in the cloud, but it isn't really particularly, like, it's also used outside of the cloud. We talked about, like, spam filters for email, right, like it's, we don't, like, it pre, it doesn't require the cloud, it.

B: If there is a group already doing a thing, then we try to reach out and invite that person to tell us about it or learn about it, and I think CII Best Practices is a good example of that, that we've kind of, like, folded into our process a little bit, and then we, and we've brought in experts from NIST and from Kubernetes groups, and so I think so far we've done a pretty good job about that. So Emily, a really good point that we want to continue to do that.

R: One of the things that might be interesting is what priority should the recertification get, right? So if we still have a backlog of projects that we have never looked at, is it really useful to look at a project again to make sure that they didn't fall out of, you know, whatever compliance standards we have, I.

C: Just maybe one final one on that one, some members may have already done security assessments or, like, security assessments of some of the products anyway, and I think, you know, if people are willing to share that sort of information, at least as an initial stage, that might be a useful contribution back to the group, not to sway the prioritization specifically, I kind of agree with Justin on that one. But look, if you already implemented half of it, I will bring it to the table and assistant Lee, actually.

B: That's a really good point, 'cause we do that with the audits where, you know, like, me, we had this vision that, like, the assessment would inform an audit. But if audits have already happened, we read them, the assessment, and just pulling together that, and I think you're, you're absolutely right that there's a lot of the member companies.

P: That'd be beneficial to include, not necessarily in the projects area, but in a separate area of, areas that SIG Security hasn't personally looked at, but here's what we already know about them. So if we're trying to encourage people to come to us to understand what it is that we've done, security status, a particular project or effort, looks like, they also have that as a resource to dive into, I.

J: What witness does in this space to deal with this problem is to have conformance levels and expect that you're not gonna audit everybody, and some people that you don't reach, that are not purely cloud native, can self-certify, or at least, you know, disclose what level of conformance that they have to this, and if you go in that direction, it's the declarations and process around the audit that's more important than the audit itself in the long run, but you have to establish the value by doing good audits. So it's not either/or.

B: Fabulous. Oh, and then I also wanted to call on Justin Cormack, because you've been involved in, you were involved in this as a TOC contributor with Justin Cappos before we became a SIG, and if you had any thoughts to whether they've been, you know, you've been involved in discussions about how those activities got prioritized in the past, or thoughts.

T: Yeah, I don't think, I, I don't have any inside information. I wasn't directly involved in discussions with the TOC, so I did get the impression from the meeting yesterday that some people had strong opinions about prioritization and we're starting the discussion over there. That seems, there, quite a long time, so we should just listen to them. Yes, I think.

B: I think one of the things that I'm trying to increase is transparency, because there was some question about why we did in-toto first, before there, a CNCF project, but in fact we did in-toto because we were asked to by the prior TOC. So we need to do a better job of communicating, hey, TOC, you asked for these things and we are doing them, yeah. You too, TOC members.

T: And I think they, they seem to recognize they need a more structured onboarding process for new projects, because it is very ad hoc, so maybe they will formally ask us to do assessments for some more projects that are coming in, which would, which would definitely make sense, well, I think, but obviously there are, I mean, looking at the current backlog, there are a huge number of projects potentially coming in as sandbox.

B: And part of it was, I think, before there was such a backlog, when, in the era of, like, Q4 last year, they asked us to look at in-toto as a way to pre-filter in-toto before they gave a presentation, and that they said, well, what, anybody says they want to give a presentation to the TOC, why don't you do a security assessment if they're a security-related project, right, which is why we queued up Keycloak? So it's a process, and I think that what I was referring to is actually, I.

B: Think there needs to be an onboarding of TOC members that maybe we should think about when there's a new TOC elected next year, that we invite them to tell them what SIG Security does, or we have, like, us, you know, maybe we could have a, all new TOC members, this is what all the SIGs do, so that there's a little more continuity for the TOC, because we treat them as if they're one body, but there are actually different people every year. Well.

B: And so, on the prioritization thing: it's not ready for a discussion, but I just wanted to let you know this process that I referred to before of, like, making things labeled as projects, so the triage team and the chairs are working to catalogue the things that we're actually working on, and I'm experimenting with this board so that we can see: oh look, here are some things in progress. We don't have, have.

B: So we can get everybody's feedback on how we're prioritizing things, because we want to have all the various proposals and different things we, and we might even get to the point where we have requests for proposals, because we have things that are on our written roadmap that we haven't gotten to. So just so newcomers know, we have a road map here, which is very broad, right, and we're kind of in the process of doing this kind of: how do we describe what is cloud native security, and there's a lot of enthusiasm for, wait?

B: And so, and then we started to catalogue the things that we've done, and so we envision that this will evolve into things that are a set of proposals, projects, requests for proposals, so that people, there's more transparency about what these words mean and how do I scrub in and help and participate, so more on that later. I just, you know, if people want to add notes to issues, that the sort of triage work of, like, what is this thing? Can we just take care of it with a PR, or do we actually have it?

B: Do we have a discussion? Is it something that we need multiple people for, or we can just take care of with some async discussion? All that we're trying out, like, sort of clear the decks, so to whatever extent people have time and inclination to dive in to help us resolve some of the smaller detailed things, that would help a lot, and then we'll raise it in a future meeting, and I think that ends our meeting for today.