►
From YouTube: CNCF SIG Security 2020-08-26
Description
CNCF SIG Security 2020-08-26
B
D
Preference,
usually
when
we
have
our
first
meeting
after
a
security
day
event
where
we
get
a
bunch
of
new
members,
we
usually
do
introductions
before,
especially
if
we
we
have
a
really
light
agenda
like
today,
and
then
we
usually
talk
about
ways
that
new
members
can
become
more
involved,
and
I
think
one
other
time
that
we
did
it.
We
had
some
of
the
pre-existing
members
talk
about
like
why
they
joined
and
some
of
the
things
that
they
have
done
to
help
inspire
new
members
to
be
more
involved.
C
First
day
sure
yeah
I
will
just
today.
Yes,
unless
anyone
wants
to
grab
the
mic,
since
it
was
just
a
big
event,
whichever
works
best
for
the
team,
I
had
to
turn
my
video
off
for
just
a
little
bit
because
I'm
balancing
a
nine
month
old
in
my
left
arm
and
he
keeps
trying
to
kick
he's
managed
to
kick
my
usb
thing.
Unplugged
and
I
had
to
restart
my
vm.
So
that
was
a.
C
A
C
C
F
C
Beautiful,
thank
you
all
right.
So
today
what
we
will
just
start
things
is.
I
was
just
gonna
go
through
alphabetically
through
the
list
of
attendees
and
whether
someone
is
a
new
person
to
seek
security
and
would
just
like
to
introduce
themselves
or
mention
why
they
joined
or
what
interested
them
or.
C
C
F
C
A
A
So
signing
encryption
and
stuff
like
that,
we
are
also
working
around
trusted
platform
components,
so
things
like
attaching
hardware
all
the
way
up
to
the
software
stack
being
able
to
figure
out
what
what
machines
are
being
run
by
talking
to
the
tpm
and
things
like
that,
so
that
kind
of
stuff,
and
so
six
security
is,
is
kind
of
a
place
where
a
lot
of
these
discussions
also
happen.
There's
I
get
a
lot
of
the
discussions
that
happen
here.
I've
also
participated
in
security
assessments
and
things
like
that.
They
are
really
fun
experiences.
A
G
Yeah
sure
so
I'm
ash
narker.
I
am
one
of
the
maintainers
of
the
open
policy
agent
and
for
those
who
don't
know
it's
a
open
source
general
purpose
policy
engine.
So
if
you
all
want
to
contribute
to
policy,
if
you're
interested
in
policy
enforcement
reach
out
to
us
join
the
oprah
project
and
if
any
questions
feel
free
to
ask
your
or
on
the
slack
thanks.
H
Hi,
I'm
dan
shaw
chair
here
at
security,
been
involved
in
this
now,
for
you
know
coming
on
three
years,
and
you
know
the
this
sort
of
draws
upon
my
background
in
in
security,
and
it's
been
a
great
opportunity
to
sort
of
blend
kind
of
a
decade
of
experience
on
the
app
side
of
things,
and
you
know
help
ensure
that
we're
building
on
a
solid
foundation
of
security.
First.
B
J
C
C
K
Pradeek,
sorry,
hey
folks,
myself,
pratik
lauter.
I
work
for
charter
communications,
which
is
an
isp
in
the
united
states.
I've
been
working
on
some
container
security
stuff
at
the
company,
focusing
on
secrets,
management,
a
bit
of
service,
mesh
container
scanning
and
things
things
like
that.
I've
attended
a
few
of
the
working
group
so
far,
and
so
far
it's
been
doing
great
and
I'm
eager
to
get
more
involved
with
the
community.
E
Like
to
grab
the
mic
now,
sir,
hey
guys
sorry
about
that,
it
was
hourglass
time
for
me,
so
I'm
the
innovation
security
guy
at
synchrony,
but
I'm
really
representing
myself
in
this
group.
I
previously
have
collaborated
with
nist
on
some
of
their
work
and
also
the
devops
security
standard
with
ieee.
So
I
kind
of
bring
the
external
standards
conversation
into
these
meetings.
C
L
Hello,
I
am
from
rxm,
we
are
a
cloud
native
consulting
training
company,
I'm
also
an
active
participant
in
the
kubernetes
project,
being
part
of
the
118
release
team
and
the
current
119
release
team
as
well.
I
also
actually
participate
in
the
in
the
documentation
of
kubernetes
with
the
website
and
I'm
actually
here
to
learn
more
about
security
to
be
more
security-minded,
because
as
a
developer
in
the
past,
I
haven't
always
been
so.
M
Sure
hi
robert
kalia
I've
been
involved
with
six
security
for
gosh
about
it,
the
last
year
or
maybe
longer.
At
this
point,
I'm
co-chair
of
the
policy
working
group
where
we
look
at
specifically
kubernetes
related
policies
and,
more
broadly,
how
that
maps
to
different
compliance
frameworks
and
policy
validation
for
this
group,
specifically
leading
the
cloud
custodian
security
review
process.
So
I'm
I'll
get
on
my
soapbox
and
ask
for
volunteers.
M
If
you
want
to
try
the
process
here
at
six
security
to
review
one
of
the
cncf
projects,
we're
looking
for
all
the
help
we
can
get
and
you
can
join
the
the
slack
channel
for
sec
assessment
custodian.
I
think
I
I
put
that
incorrectly
in
the
notes
now
that
I
look
at
it
so
I'll
correct
that.
But
if
anybody
wants
to
to
chat
or
speak
up,
we're
happy
to
have
some
volunteer
help
on
that
effort.
C
L
N
N
So
I
am
also
involved
in
the
ieee
next
generation,
future
generation
networks
for
looking
at
10
years
from
now
and
in
between,
I
suppose,
and
I've,
been
working
very
closely
with
those
things
and
I'm
trying
to
make
sure
that
they
are
aligned.
Well,
I
suppose,
with
the
cncf
working
group,
so
in
case
anyone
is
interested
in
the
ingr.
N
You
can
look
that
up
in
the
air,
tripoli,
the
next
generation
networks-
and
you
will
see
some
of
the
drafts
that
we
are
proposing
and
we're
preparing
there
on
the
things-
and
it's
just
still
at
the
very
initial
stage,
but
we
do
have
some
working
graph
there
as
well
other
than
that
I
present
a
a
consulting
company
on
the
edge
computing.
Basically
so
we're
working
on
these
things
and
to
make
sure
the
cyber
security
is
also
aligned
to
the
edge
side
of.
C
O
O
Right,
which
is
you
know,
through
the
build,
deploy,
run
phases,
so
I
thought
it
was
very
appropriate
and
the
someone
one
of
the
contributions
I
made
to
the
community
here
is:
I
presented
a
security
reference
architecture
which
I'm
hoping
can
have
a
place
in
the
cloud
native
security
white
paper
as
well,
so
very
excited
to
be
part
of
this
great
group.
Thank
you.
C
P
C
Thank
you
visit,
thank
you
and
if
there's
anyone,
I've
missed
on
the
list
that
would
like
to
introduce
themselves,
I
think
we're
good,
but
if
I've
missed
you,
please
feel
free
to
chime
in
and
oh
may
as
well
introduce
myself.
My
name
is
matthew
jassa,
I'm
a
principal
engineer
and
technical
lead
for
essentially
cloud
development
at
my
employer,
keysight
formerlyxia
and
the
cncf
security
group
is
kind
enough
to.
Let
me
facilitate
meetings
now
and
again
and
besides
that,
my
major
interest
is
just
learning
the
security
landscape
for
kubernetes.
C
My
understanding
is,
is
there's
a
post
security
day
update
from
emily,
as
well
as
the
white
paper
schedule
bump,
and
I'm
just
going
to
quickly
check
and
see.
If
there
are
any
updates
we
have
here
see,
I
believe
all
these
were
covered
in
the
round
table
we
just
had
so
with
that
said,
I'd
like
to
pass
the
mic
to
emily.
B
Hey
everyone
I
want
to
let
you
guys
know
that
we
had
a
really
awesome
cloud
native
security
day
at
kubecon
this
year.
It
was
our
first
virtual
event
and
with
most
first-time
virtual
conferences,
we
did
run
into
some
technical
difficulties
with
the
platform,
but
I
think,
probably
after
the
first
few
talks,
everything
started
to
work
out.
Things
started
to
get
a
little
better.
B
I
will
be
running
a
virtual
retrospective
of
security
day
and
the
security
events
channel,
and
then
we
can
close
out
that
ticket
and
create
a
new
issue
for
security
day
2020
north
america
as
another
virtual
event.
So,
if
you
are
interested
in
potentially
presenting
get
ready,
we
will
hopefully
be
putting
that
call
out
once
we
coordinate
everything
with
cncf
again.
B
So
that's
the
update
for
security
day
and
then
next
update.
So
I
updated
the
cloud
native
security
white
paper
with
a
new
schedule.
All
of
our
dates
have
been
bumped
out
about
a
week
to
allow
the
writers
and
the
contributors
to
have
a
little
bit
more
time
to
put
in
some
content
with
kubecon
consuming
everybody's
time
last
week
wanted
to
make
sure
that
we
had
plenty
of
time
to
get
as
much
information
pulled
together
and
that's
about
all.
I.
C
C
Okay,
so
we
do
not
have
any
additional
pr's
or
presentations,
so
I
was
just
going
to
ping
a
couple
people
here
on
the
call
to
see
if
they
wanted
to
provide
additional
info
on
the
items
they
previously
covered.
So
I
have
what
mark
underwood
noted
here
on
this
ir
8006
cloud
computing
forensic
science
challenges
mark.
Did
you
want
to
go
into
any
additional
detail
there
or
all
good.
E
I
don't
want
to
give
these
two
products
from
nist
too
much
presentation,
but
they
reflect
sort
of
sub
disciplines
in
the
work
that
we
do
in
this
group
that
we
don't
always
give
a
lot
of
attention
to.
So
one
of
them
is
a
cloud
forensics.
So
there's
this
is
not
a
standards
document.
It's
kind
of
just
a
technical
report
on
that
subject
and
the
other
one
is
actually
a
tool.
E
It's
an
installable
executable
that
tries
to
treat
the
cyber
supply
chain
as
a
as
a
graph,
basically
with
multiple
nodes
in
it.
Where
each
node
is
you
know,
some
facet
of
the
supply
chain
could
be
another
open
source
project
could
be
a
person
could
be
a
subcontractor
and
so
on
dubious,
whether
that
tool
is
really
a
great
idea,
but
it
gets
you
thinking
about
alternative
ways
of
looking
at
this
nist
has
some
other
documents
around
cyber
supply
chain.
E
It's
it's
a
real
problem,
especially
for
bigger
organizations,
to
try
to
manage
down
if
you're
heavily
invested
in
tooling,
to
solve
security
issues.
You're,
confronted
with
a
problem
that
your
lesser
capable
organizations
offer
often
offer
a
greater
risk
to
you.
So
that's
it
just
a
couple
suggestions.
C
Thank
you
mark,
and
then
I
believe
we
have
one
last
thing
on
here
and
then
we'll
just
open
the
floor.
If
anyone
wants
to
grab
the
mic
so
robert
there
was
the
mention
of
needs
cloud
custodian,
security,
reviewers.
Is
there
anything
else?
We
would
like
to
add
to
that
or
it's
already
all
covered
in
the
previous
discussion.
M
I
know
I'm
happy
to
reiterate:
we'd
love
to
have
folks
participate
in
the
security
assessment
process.
So
if
you've
been
curious
about
it
or
you've
kind
of
watched
from
the
sidelines,
it's
a
it's.
A
very
low
risk
way
to
participate
kind
of
roll
up
sleeves
a
little
bit.
But
the
ask
is
very
low
and
of
course,
the
more
volunteers
we
can
get
the
more
we
can
distribute
the
load.
K
M
And
you
know
what
came
out
of
that
in
previous
assessment
rounds
with
folks
like
opa
and
key
cloak,
and
such
a
set
of
maybe
concrete
recommendations
around
either
documentation
or
implementing
different
cii
initiative
improvements.
You
know
getting
to
a
certain
badge
or
adding
some
additional
tooling
or-
and
I
think
in
a
couple
of
cases,
some
github
issues
to
the
project
around
a
particular
threat
that
was
identified.
K
C
Okay,
with
that
exchange,
we've
covered
all
the
items
we
have
on
the
agenda
so
far
for
today.
So
at
this
point,
I'd
just
like
to
open
the
floor.
If
anyone
would
like
to
bring
up
any
specific
pr's
that
require
attention
or
if
there's
anything
else
that
needs
to
be
raised,
here's
your
chance
so
yeah,
I
just
thought
sorry
go
ahead.
A
A
Also,
there
were
mentions
of
slack
as
well,
so
we
have
on
cncf
slack
and
the
channel
is
security
and
within
that
channel.
Actually,
if
you
go
into
go
into
one
of
the
the
pins
as
well,
there
are
a
couple
sub
stack
channels.
Six
security
events
stretch
all
those
things,
so
those
are
about
specific
things.
For
example,
sex
security
events
is
for
cognitive,
security
day
and
stuff,
like
that.
There
are
a
few
that
are
not
there
right
now.
A
O
O
L
O
E
Right
so
th
the
there
are
two
artifacts
released
this
last
week
by
nist.
There
are
other
ones
that
I
wasn't
calling
out
in
this
in
this
particular
meeting
that
are
worth
talking
about
in
this
context,
but
I'm
not
I
haven't
listed
them
all
there.
I'm
lazy,
I
guess,
but
of
the
two
that
they
offered
up
here.
One
of
them
is
actually
it's
an
installable
executable
and
it
tries
to
do
a
representation
of
supply
chain
and
what
I,
my
critique
of
that
simply
is.
E
E
On
a
you,
know,
internal
cloud
or
like
a
security
tools,
another
yet
another
example.
Now,
typically
those
are
cloud-based.
So
each
one
of
these
things,
if
you
represent
them
as
a
node,
they
have
a
complicated
type
of
dependencies
or
an
ai
world.
We
would
call
these
attributes
or
properties,
so
it's
an
unsophisticated
graph
representation,
but
because
there's
nothing
else
better.
Right
now,
and
because
nist
is
influential
in
this
space,
it's
a
good
place
to
start
to
get
people
thinking
about
it.
E
So
it
kind
of
depends
on
the
sophistication
of
the
organization,
whether
you
can
lead
people
along
useful,
a
fruitful
path
of
saying,
okay.
This
is
you
know
a
starting
point.
Now,
maybe
we
can
identify
our
risk
register
where
we
think
our
biggest
threats
are
our
most
unstable
elements
of
our
supply
chain.
That
could
be
people
you
just
on
boarded
in
a
regulated
business
like
the
one
where
I
work.
E
But
then
a
deeper
dive
looks
at
things
like
threat
models,
and
how
do
you
share
information
like
intelligence
that
you
might
have
you
know
in
a
fortune,
500
organization
or
in
a
large
government
organization
with
people
down
your
supply
chain?
You
know:
do
you
share
it
directly
and
just
say
we
heard
about
this
threat,
and
here
it
is,
you
know,
fyi.
E
You
might
actually
not
be
permitted
to
do
that
in
your
proprietary
agreements
with
your
contractors,
because
that
they're
selling
that
to
you,
you
can't
just
give
it
away
to
someone
else.
Also,
you
might
have
information
where
you
don't
want
to
tell
them
about
your
own
vulnerabilities
right,
because
you
have
information
sharing
restrictions,
so
there's
a
filter
going
on
that's
bi-directional,
and
so,
although
you
really
want
to
automate
alerting
up
and
down
the
supply
chain,
realistically,
that's
not
feasible
in
many
settings
you
need
to.
You
know
both
have
contractual
and
also
automated
intermediaries.
E
Think
of
these
as
agents
in
a
kind
of
ai
way.
These
agents
need
to
be
intermediaries
between
your
principles
of
sharing
with
the
supply
chain
and
vice
versa.
So
all
of
this
is
happening
in
a
mix
where
we're
all
trying
to
automate
things
in
order
to
be
more
efficient
and
deal
with
the
deluge
of
alerts,
and
traditionally
there
is
no
automated
up
and
down
chain
alerting
in
information
security.
This
is
kind
of
a
you
know.
E
You
get
on
the
phone
with
talk
to
some
and
talk
to
somebody
or
you
get
on
slack
and
you
tell
them
hey.
We
heard
about
this
bad
actor
and
they
might
be
going
after
you
too,
and
occasionally
you
might
have
sector
wide
sharing
like
a
utility
sector
or
finance,
you
know
and
they
have
their
own
interest
groups,
but
that's
not
real
time.
It
tends
to
be,
you
know,
periodic
meetings
and,
and
that
sort
of
thing,
so
that's
the
stuff
I
know
about.
I
know,
there's
stuff,
that's
dark
sharing
that
goes
on.
E
M
M
O
O
M
P
There
is
actually,
as
I
recall,
mitre
has
some
standards
around
threat,
intelligence,
information
and
threat
data.
I
mean
there's
the
cvs,
there's
the
scoring
mechanisms
like
cbs
s3,
cwes
stuff,
like
that,
where
you
have
calculators
but
you're
talking
about
the
actual
format
of
the
information
and
how
it's
transferred,
correct,
yep,.
E
It's
an
oasis
standard
for
cyber
ops,
interoperability
that
tries
to
do
that,
but
I
think
the
current
best
hope
for
that
is
the
the
miter
universal
ontology
project,
and
you
know
what
they
come
out
from
that.
So
that's
a
derivative
of
the
other
minor
projects
but
they're
trying
to
be
a
little
more
formal
about
it.
I
I
I
try
to
keep
track
of
the
stan
where
that
is,
but
it's
not
usable
and
none
of
the
vendors
are
doing
anything
with
it.
Beyond
trying
to
do
attack
miter
attack
mapping,
I
mean
there
is
sticks
right.
P
E
Though
yeah
and
you
know,
the
challenge
is
there's
so
many
challenges
with
this.
You
know:
do
you
trust
information
you
get
up
and
down
the
supply
chain,
and
you
know
there's
the
reputation
problem.
There's
the
standardization
problem
and
also
the
the
nature
of
the
threat,
depends
on
what
you
do
as
a
business
right.
E
So
the
supply
chain
threat
for
health
care
is
not
the
same
as
the
one
you
have
for
a
finance
business
and
even
in
finance,
it's
not
the
same
between
the
the
credit
markets,
like
credit
card
offerings
and
the
the
venture
capital.
Folks
right,
it's
you
know
there
they've
got
a
big
logging
standard
around
what
they're
trying
to
do.
There
that's
got
federal
funding,
but
that
turns
out
not
to
be
very
usable
for
somebody
that
that
sells
credit
cards.
So
there's
a
domain
dependent
part
of
this.
That's
that's
important
too.
N
N
C
E
I
C
Okay,
that
point,
I
think,
we've
covered
all
the
major
points
and
gave
everyone
a
good
chance
to.
I
think
I
see
one
or
two
more
people
that
weren't
on
the
call
initially
so
before
you
wrap
things
up.
If
there's
anyone
that's
joined
part
way
through.
If
you
would
like
to
introduce
yourself
whether
you're,
a
new
member
or
just
getting
to
know
six
security
or
an
existing
member
feel
free
to
grab
the
mic.
Now,
if
you'd
like
to.