From YouTube: CNCF SIG-Security Meeting - 2019-06-05
A
C
A
A
A
Wonderful, so Sarah Allen had an appointment and she'll be joining us momentarily. When coach, Harris, I think I've been out, you know, for the last couple of sessions, and unfortunately I wasn't able to make it to Barcelona to our sessions, where I imagined we met many of you, so I'm sorry I missed that. I've been tied up with some work stuff at PayPal, and I'm actually in Amsterdam right now for, you know, kind of the antithesis of a developer event, at an event called Money 2020, which is like all bankers and financial services.
A
Folks, you know, looking at how we bring a developer event to the North America edition that's coming up in October. So, you know, we've been hard at work at, you know, landing the SIG, and, you know, over the past week we were formally confirmed: the CNCF TOC ratified our transition from the SAFE working group. We've been operating as an independent working group with the intent to establish a formal working group inside of the CNCF for nearly a year and a half, and we were just ratified as SIG Security.
A
So if you hear us talking about SAFE or the SAFE working group, they're one and the same, but when we formalized in machine CNCF, the TOC decided to shift from the working group moniker to SIGs, and now we decided that the, you know, Secure Access For Everyone acronym was a little bit too confusing and went with the, you know, simple, more recognizable single English word, with Security.
A
C
D
A
F
F
G
The a Justin. Thank you, I'm Justin Cappos, professor at NYU, and some of my quick updates this week are that Uptane, which is a TUF variant for automotive, is nearing its standardization by IEEE-ISTO, and we're actually thinking about migrating it in the future over to somewhere in the Linux Foundation. So I actually have a call later today to talk about that.
G
We've, on the in-toto side, responded to the in-toto feedback and process, so I think we're just waiting on Sarah Allen or others from that group to just actually put the documents in the repository, and then we're done. From the OPA security assessment side, the OPA folks have been provided their feedback, and my understanding is that they just need to respond to it, and then we add it in the repo and they're done as well.
H
You Craig. Hi, my name is Craig Ingram. I'm a software engineer at Heroku, just part of Salesforce. My background, kind of similar to Peter, my background's in security, pentesting and things like that, and I'm doing software engineering stuff. I'm also part of the Kubernetes security audit working group, and so interested in overlap there with the SIG, and if I can provide any updates and things like that, and participating more here as well. Britt welcome.
I
J
K
A
L
B
My name is: what's been cur. I work for Figo, which is a financial services platform engineer, and because I've been working for a public CA many, many moons ago, I'm charged with security. I was not quickly enough leaving the room, so I volunteered for doing a security use case of Figo, and I'm at the moment putting together all the information that I'm allowed to share, that I want to share, that I think are of interest to the group, and so I'm listening in to see what people are interested in. Great.
M
N
O
P
Q
A
R
A
S
I'm also on the open source team here at Sysdig, one of the leads for the Falco project, and then just incident kind of getting ready for our security assessment and the security audit we have kicking off in a couple weeks. We've kind of just been spending some time around rethinking about how we re-architecture, re-architect Falco, to try an app than simple performance improvements. We have a Summer of Code in terms of work that's focused on performance improvements that the CNCF sponsored, so a lot of work going into that over the summer.
A
T
U
Tibi. Hi, I'm, it's V, Koren, Aqua, and I actually participated a little bit a couple of months ago with the SAFE group, and now I have a little bit more time to invest with the SIG group. We find ourselves needing to do a lot more security assessments for Kubernetes. So, just here to understand, you know, what hooks we can use in order to make sure that we give the right information for enterprise users. Great.
V
Just wanted to leave it open for a while for people to comment, chime in, and just trying to create some structure so that people who can't make the meetings know that they can chime in and, you know, participate asynchronously. And then met this morning with Santiago, and I think we have the last bit of the security assessment for in-toto, where we brainstormed.
W
V
Of people have differing opinions, nobody agrees with anything, so the idea is to just do something, write something down, do that five times, and then step back and be like. So it's funny that we just need to do a final others like to open issues in the open comments in the write-up that Santiago is gonna take care of. One of them is the.
X
X
A
X
P
A
Y
Everybody, Mark Underwood. I'm with Synchrony and the security innovation team, actually a little team here. I'm also involved in the IEEE DevOps security standard, which is in our third year, so we're probably gonna have a draft out this year. For those, some new people on this call, I'm mentioning this. And we're wrapping up the NIST big data security release version three, which happens later, probably August or September timeframe. Great to see all these people here.
A
D
V
Z
K
Z
Yeah, it's been, we've been working on it for a while. There's a lot of interesting contributions and participation that has happened previously, so people who are joining now, it will be good for you to go take a look at all the use cases from Cloud Foundry, all the thinking above wood security from folks at Google. There's a bunch of content there that I'd encourage you to go take a look. Probably brief history is this started out as like an effort.
Z
I was involved in SPIFFE way before, and then looking at SPIFFE, which was a cross-cutting concern across all the infrastructure, then there is like a bunch of security concerns across all infrastructure. Therefore, so there wasn't a common place where we could actually talk about, address all these issues, and that was a primary motive with which we started this group, and it was surprising to see like the amount of people that were thinking about it the same way. So I can't claim the credit to be the first one to think so.
Z
W
AA
Z
A
T
A
V
So we have a lot of stadium, saying there's a lot of resources assembled. They're not surfaced super well in the repo, like it's kind of a working for the work in progress is mixed up with the history in ways that are not very transparent to newcomers, so it is to make a site with those static site.
V
Generators of like Hugo, and we have an issue that has, or at Dan and I a while ago, of curated the presentations that seem like really useful to reflect back, and so I would love to have company of people who would be, like, you know, I think picking a template takes more time than making the site sometimes. So, if there are people, like, you don't have to like know Hugo or whatever, it's mostly like Markdown and YAML.
A
You know, over the last three or four months, you know, we've definitely, you know, had a huge, you know, ramp up and interest in participation. You know, we've evolved from, you know, Sarah, JJ and I, you know, being the co-chairs and, you know, primary conspirators to, you know, really having, you know, a series of, you know, very active teams and ongoing, you know, functions that, you know, from the security assessments and beyond.
A
So, you know, this will be one of those areas that we can make things more accessible. You know, we're developers and technologists, so, you know, interacting and participating through GitHub is, you know, kind of normal and our lingua franca. You know, no problem there, but, you know, as you emanate out from, you know, the work that we're doing in open source, you know, the folks aren't necessarily as fluent with GitHub. So this is a great way to make the work that we're doing here accessible and approachable to everyone.
A
Is, I guess, you know, before we move on from that, you know, does anyone want to pile on, or is that a particularly interesting thing? It will probably take that action item as a breakout activity and not necessarily, you know, drive that will pool you'll, bring updates into an awareness and ratify things through the SIG meetings. But, you know, that will be a breakout activity that we now go iterate on, work through together.
A
A
A
V
If somebody missed details in there, but Brendan reached out a while ago and volunteered to help triage our issues, because we had a lot of things that were closed, and so we actually made a little triage team. Howard, who focuses on policy, and this time so doesn't work for him, volunteered to triage the policy things and also write up issues for some of the things that the policy subgroup is working on, and Justin Cappos volunteered to triage the security system things. So, basically, we have a little triage team.
V
We have a Slack channel, which is a couple piece of people join. You happening link join in, but the idea is basically to expand our bandwidth and make sure that our issues are like easy to consume and useful and category, and, you know, like, we're keeping up with the Suzy Azzam and responding to things that really. So Brendan, I would love to invite you to tell us about what you discover that going through every repo and the proposed categorization. Yeah.
O
I think so, yeah. So I went to all the issues. It was a pretty long day. I think you managed to bring it down from four pages to two pages, as all of them kind of like events and stuff like that, but overall I think most of the things fit into kind of three different labels, so most of them were around assessment stuff, so assessment process and other process, and then another.
O
Unfortunately, a lot of the other issues kind of didn't fall into any of the categories, so I have this. This is linked in well. I created a new issue, of course, to document these actions. So we have this: if you go to issue 194, basically there's a list of issues which don't seem to fall into any category, but it seems like there are common themes that come up, which I think some of them.
O
O
So I think that this exists in certain form, so they exist in the white papers they're being written, as well as, you know, issues here and there in the security assessments, where we really create, we have some recommendations of these technology, but it's kind of also this should be which is not easily accessible, so I'm not sure what exactly we can do here. It seems like there are many use cases and many pockets of this kind of information, so I don't know whether there's really a way that we can kind of synthesize that. Yeah.
A
On that one, yeah, I think the, you know, that need is one of the core mandates and one of the objectives that we have as a SIG, and, you know, the state of the industry and, you know, our sort of coalesced experience around that is still evolving. So, you know, we keep that as, you know, one of our pole stars. However, you know, we're not the end-all and be-all source of truth. So, you know, Mark Underwood, and, you know, the work that he's been doing with NIST.
A
W
V
Obvious to equally or either new to cloud or new to security, right, in their bowl, and so we're kind of starting with the non-controversial, or things that we have made non-controversial through interest. It search knowledge sharing over the last year now, and then, as we get into things that maybe are being discovered, right, that we are. What we talked about in the past is that we would be open to saying there are multiple ways that people are doing it these days; we're not seeking to really say we're.
V
Gonna pick the one top whatever in, you know, but we want to be able to educate people about, oh, but lots of people try this, it wasn't a good idea, like, might be a good thing to point out. But what we're not seeking to, if there is contention, we're not going to focus on that initially. Rather, you know, we should, we kind of, whenever there's a difference between what kind of support information, to try to refine what that is, and so we want to have that via kind of an ongoing process.
V
So I think this is a good pocket to have, like, I'm really glad you identified this, Brendan, and we may, like, as we get into the roadmap discussion, and maybe we kind of have that, like, pocket of security assessment improvements, where we've decided, well, we're gonna do five its security assessments before we really dig into improving the process. So we just have this bucket for all these ideas, and great, we can just keep collecting the ideas, and then we have a point in time in the future when we reflect. Oh right.
O
A
Yeah, and, you know, main reason I'm here, and yeah, I know Sarah and JJ when this group was formed, the need to ensure that, you know, as, you know, cloud native was evolving, that, you know, security was a first-class consideration and that we weren't leaving it, you know, as an afterthought, or, you know, almost just as bad, you know, learning from the experience with, oh, now I'm blanking on the platform.
A
You know, one of the limitations, I think and know, some of the experience that folks had with OpenStack was that security was left as a vendor consideration, which meant that interop and compatibility around security was, you know, basically limited, and, you know, a little bit broken on the edges. So, you know, as we, you know, built this iteration of how we all come together and build things.
A
You know, we really wanted to advocate for, you know, security, and making sure that, you know, the primitives that we're putting in place that all of the infrastructure of the internet is built on has, you know, security out of the gate, and that we're, you know, doing that hard work of coming together and building consensus around the right approaches to maintaining interop. And it's not just being, you know, oh, you know, your security vendors in the, you know, provide the bolt-on for security.
A
O
Yes, I think the only last thing is the not cluster other issues that I found was really around discussions of different topics, whether this is getting feedback on certain technologies, you know, discussions that people and have fun topics, identity and so on, and I think one of the issues I see here is that I think a lot of these issues don't get seen by the larger majority of the group unless you're watching the GitHub repository, so I'm.
O
Also with the, we could kind of create, I don't know what will be the best medium, but something like maybe a mailing list or something where people can put, you know, attracting mailing, that's that we can in the create where people think talk about topics. I don't know what that me make these topics more, no more visible. This is such a small principle. Yeah.
A
O
V
I, you know, like, we don't have on the triage. You have a so we see everything that comes in. I find it nice, but maybe not in the main channel, right, because so we could put that in the triage channel and invite anybody to join in and just have a smaller group that's actually assigning the labels. So that may be nice.
Y
V
Of get a handle on, like, what the heck are we doing and their people, but then more discussion. You know, they're like, hey, look at this. I do want to be a little cautious that we don't splinter our attention, because many of us are interested in many of the things, right, and most people can't spend enough time every week to watch every issue, and there's value in having it read, so.
O
O
Anything is, I think a lot of people are not seeing, so I'm not saying that all issues be wrong, but I feel like if the intention is that I want to have a discussion in wrong to create the community, not so much just from the SIG perspective, then maybe that, I'm not sure that we want to create a different everything for that.
V
A
Some of those topics, you know, do date back a little bit, and, you know, we may want to sort of, you know, go/no-go on, you know, do we keep it open, and kind of go through a deeper triage to some of those things and just identify, like, maybe the discussion topic didn't get engagement because there isn't, you know, consensus or ready answers to that in the industry yet, or at least we're not aware of that.
O
S
Yeah, Michael, so one thing that we wanted to try and do is kind of unite the security community. I feel like it's kind of bifurcated among, at least from like a software perspective, it's bifurcated across a couple different proprietary vendors and then some open-source vendors or open core vendors, but the last KubeCon, what happened was all these security vendors went and did their own thing, and so there was no kind of community event where the community could actually come together and have conversations about security and it not be focused on.
S
You know, one particular vendor's opinion of security. The storage group, and I don't know if this was run through SIG Storage, but this carrot there was a cloud native storage day, which was, you know, vendor agnostic, and everyone could come together and talk about, you know, solving persistent volume problems in Kubernetes and in cloud native platforms, and now seem to be fairly successful.
S
So we wanted to try and emulate something where we would have a SIG Security day the day before KubeCon. KubeCon does all these things of like add-on events that people can add to their registration, and they can either be free of charge, or they can be something that, you know, a nominal fee like a hundred dollars or something like that, just to kind of recover some of the costs, and Michael.
AB
S
But, you know, for instance, in Barcelona there was a Twistlock of that, there was an Aqua. Then we were doing our own thing that we kind of focus more on my cognitive transformation and like the organizational changes you need to have, so we weren't necessarily security focused. Wow, but I just feel like if we had, I feel like the end user community is really desiring some real practical guidance around security, and it doesn't help the end user community to have this kind of these bifurcated communities.
S
Where, you know, vendors are pushing their opinion versus us coming together and giving practical advice, and yes, you might need to use, choose vendors as part of that, but that's at your discretion. You still need to follow this practical advice, and so I think the SIG Security day could help kind of lay that groundwork, right.
A
V
V
We are talking about that. We want, you know, we want to make sure that we have delivered the stuff that we're queuing up and that we have stuff to talk about fix that stuff. We've done the perfect wave, we're on our way with the security assessment to forget the, you know, surface to stuff that we're doing that people can see.
V
Then, you know, it starts to happen, like I want to have the roadmap, so we go, hey, CNCs work, we're going along this path, and this is what we will have done, and I think that everybody's warmed to the idea. This is like a completely different thing, but along the lines of communicating that, like, CNCF cares about security, and it's specific, I talked to about this idea. So officially there are these co-located events.
V
Dudu Sysdig volunteered, we sort of like are able to pilot having a SIG day without necessarily worrying about it being for every SIG does that. But this is the week that they, like the platinum and gold sponsors, are signing up for this off, and so I wanted to make sure that SIG months could you and like to have and then and see if we have couple volunteers to be and then and then.
V
S
We would help with kind of the coordination with the Linux Foundation people. What we would need the SIG Security people to do is focus on building the agenda, getting people to submit to the CFP, opening that CFP, all of those sorts of things, and we wouldn't. We would be totally, like, from assisting, like my role in SIG Security, I would be willing to help out with that. But just so you know, Sysdig would be kind of removed from that. We would help with budget and anything around those lines that we would need to.
S
AB
V
G
Love to get some kind of general, like, overview/threat model/goals and stuff like this for different projects in the security space, sort of. When you look at the assessment process, there's supposed to be a longer document that gives somebody all the context they need to evaluate, is this the right sort of thing for me to use. Having a whole bunch of, you know, 20-minute versions of that for all the security-relevant, security-first CNCF projects, as well as a few of the vendor projects.
A
A
C
Will be better if we can create your use cases where we can embed a security on top of that, instead of trying to the big 12 tools or security tools that help us to and reach the execution, the crack will be better if we can just take a couple of end-to-end use cases that the industry is implementing on the, yeah, on the industry, in order to see how can we, the pker and put on top of that, our has not met up to maintain security on that particularly spaces.
AA
S
P
P
P
We have a wide range of folks kind of coming into it, and I feel like the actual practitioners that do Kubernetes and cloud native stuff are developers, and, you know, they don't know about a lot of the things in the security world. So you almost have to go from, you know, people are taking their, you know, for maybe not the first step, but their second step, all the way to, you know, how we're actually like doing things in, you know, in the working group. I like a lot another.
V
N
T
G
B
I quickly chime in from a user's perspective, they saw because at KubeCon, not the court, not only the kokum contributors are oversubscribed, users trying to find out what's new in the space are oversubscribed as well. I haven't had a chance to see the talks, even a fraction of what I wanted to see, and what I missed the most at the scale that KubeCon has reached is this listening in on people talking in the hallways about topics that I'm interested in, so I'd be very grateful for security day, security piece of hallway.
W
B
Mentioned with threat modeling, and I have know if many hats on, and I platform team that actually runs to cluster, and I'm the one that has, in addition, the security hat. So what I desperately need is a feel for where the threats are and what people have looked at, what general approaches I can take in addition to what we've been doing, and just listening to people discussing perceived threats, things in pure research, even if they don't apply to specific pieces of the puzzle.
E
Of the things they did last year was they hallway track set up that you could sponsor a hallway track, meaning you had a topic that you wanted to talk to other people about, and anybody can like sign up and come and just listen or contribute, or if you had a question that you wanted to ask. Some of them had Docker Captains that were like hosting them and running it. Some of it was just here's a whole bunch of information. Other cases it was like question and answer.
E
That's how I talked to Michael from Netflix about their bug bounty that they were trying to get set off, to see who would be interested in donating to that and see if there was any community interest. That started from a hallway track. So that's something that would be beneficial, maybe you're recommending to CNCF in the future.
E
A
Would, since I wasn't there, would that be something that, in addition to, you know, the conference sessions, we kind of have an area where, you know, we would continue meeting if you're interested in our space, you know, continue without that meant, or would that only be in, so the pre-event day they.
E
Had it throughout DockerCon. When I was there, it was any day that there was a conference going on, the hallway track for a certain couple of hours, and you sign up for a particular time slot. Now they only had so many areas for you to sit, so often it got booked up, but some areas were fairly large, some of them were a little bit smaller, more intimate, but it certainly allowed me going there talking to industry, finding out what their security concerns are.
A
V
S
E
Definitely the Aqua Security KubeSec day that they had before the conference was good, and a lot of the talks and the Container Security Summit in February was also good. There were a lot of people that showed up for that ones. I would argue that there's enough interest in the community to definitely put together a security cloud native day, too.