From YouTube: CNCF SIG Security 2020-04-29
A: ...from SIG Security to take a look at that and approve it all. The reviewers need to also approve it as well, and that's really the last step in basically completing the Harbor assessment. So I'm gonna put the PR, I'm putting it in chat here. If you can add it to the agenda, that'd be great, but essentially it includes three things. The PR includes a couple of images. It includes the assessment in markdown, which has been reviewed, and you know, 400 plus comments, if not more, were addressed and updated as part of this. So now it's, you know, the final thing, and then the last thing is the actual README, which is the assessment from the team of reviewers, like Andres, Justin, Chase, and a robbery marking as well. So this is really the last step, so we're asking, you know, Dan, you specifically, to take a look at that: you'll need to read there for the page document.
A: It's only a one-page document. Do you think you might be able to read it today?

B: I'm gonna try, okay.

A: Thank you.
Yeah, just basically I'm also being asked by the TOC in terms of when we'll be able to line this up, and I'm hoping to get it, and Amy's on the call too, so I think the next step for Harbor is basically to put it up for a public vote, so, you know, trying to line up everything. Thank you, appreciate it. Thank you. All Amy's been plugging. He brought me to.
D: Michael mentions that one question: yes, as part of the Harbor graduation, Michael has been requested by the TOC to produce a one- or two-liner from the SIG on the SIG's position, that obviously factoring in the assessment, but not sure whether I should be doing that since I led the assessment. Michael has asked me to fill out this document that has a template that the TOC created, or that should be a chair on behalf of the SIG.
D: The question is: who should the person be, and if I should represent the SIG in making, like, okay? Your concerns? Are there no concerns and we're fine, whether I know? Typically, the SIG does not get involved in saying yes, you should graduate or not, but it sounds like they are expressly asking for that. Yeah.
A: And you could actually reference the assessment and say: hey, we saw Harbor, there's a few areas within Harbor that can improve, here they are, we don't see any major concerns or we see major concerns, up to you, whatever you want to say, mimicking what the assessment writes, right, and then say, you know, given the assessment and the time we spent in Harbor, we see X, Y, Z, either support for graduation or not.
F: First project that's trying to graduate that has been pushed through this process. Hmm, I started this graduation bit after Harbor was not asked to go through this process. Harbor has been, the first version has been asked to go through for SIGs, and every SIG put us through the wringer. Nobody matches you guys, but I loved it. One complaint was you guys?
A: So maybe be aware that whatever recommendation you make is not going to be taken lightly by the TOC, but also make a recommendation that you feel comfortable with, right, given the knowledge you have on Harbor and the things that we did during the review. But Dan, are you gonna provide a recommendation? Do you wanna delegate that to Andres, the leader and the guy that worked with Harbor so far?
F: Is Vinay here? I just thought about something. Maybe, you know, maybe it's a precedent we could set, from an eating-our-own-dog-food best practices perspective. What are your thoughts on, you know, leveraging what we have done, like, you know, from the vulnerability perspective and all that? I had this thought while going through the assessment, but you know, you said that the artifacts are like some container images, etcetera, right, you know, have they gone through some kind of vulnerability scanning, and do we know what the posture is?
A: There's a couple of different things; I'll try to outline them all one by one. So Harbor went through a complete vulnerability testing by VMware in August of 2019. After that, in October of 2019, CNCF paid Cure53 and they spent two weeks on Harbor in vulnerability and penetration testing, and in both cases we found a couple of issues, I think. In the second case, it was three critical vulnerabilities. Sorry, one critical, three high. We fixed them right away.
A: Then we had one of our customers, a Singapore government agency, that chartered their own third-party security testing company, and they did an in-depth security vulnerability testing on Harbor. No issues were found. There were no critical issues, and there's one issue that they want us to fix, is a feature request that will enhance security, but not a gap, not a vulnerability per se. It's a feature request. And then we've talked to CNCF, Chris, potentially down the line.
A: Maybe a month or two from now we can use the SIG Security assessment that we created, the 30-page document that has a lot of insight, a lot of details, and give it to a pen tester and tell them: given this heavy knowledge on Harbor, can you identify any ways you can break Harbor? You know, the blast radius and all that stuff. Now, I don't want to make our graduation be tied to that.
A: You already did three pen tests on Harbor and they were very extensive, but you know, we want to do one more because now we have a document that helps kind of give someone, basically, a hacking blueprint. If you wanted to hack Harbor, here's all the things that you protect and here's everything that you should really worry about, and the way I phrased it to Chris is, you know, we have this document.
A: Can we identify angles to attack Harbor using this assessment, right? So we're not giving the keys to the kingdom, but giving the blueprint of the kingdom. Can you figure out how to open some doors? I really, really don't want to say in the assessment go ahead and do this before you graduate. That would really us, right. That's something that we want to do because we think it's the right thing over time, but you already have three pen tests.
H: If I can just make a historical comment separate from any concerns specifically about Harbor. When this whole SIG Security assessment process was beginning, there was some pretty extensive discussion, and you can probably find it if you scroll down in the notes, about what the purpose of the SIG's security assessment was, and at that time, as I recall, the drift of the conversation was that we're not here to say this product is secure, because first off, that's not our jobs, and second off...
H: That seems that will allow it to continue to adapt into the future, whether it seems to have been designed and implemented with thought given to security concerns and so on. And so, if that is really the charter of this assessment process, then whether or not you go and do another pen test based on the process isn't really part of the scope. But the fact that you want to is certainly a good sign. Anybody else who was there at that time want to comment on that, or alternately, Dan?
B: We... that's where we are collectively aligned. So, you know, part of our posture is, you know, making sure, and you know, to tell at this point, you know, making sure that, you know, we're supporting the community and, you know, projects like Harbor, you know, basically have a partner in the CNCF to, you know, navigate the complex security landscape and deliver the best possible cloud native experience.
B: Didn't, so Mark Underwood also has a check-in, and honestly I was trying to. We had a 20-minute, you know, get Michael out the door, who is double booked, so we also do need to kind of bootstrap and get scribes, you know, embedded in the process, so, you know, we should. You should call out that as well.
J: I'll keep it short. The Phase two, the big data working group, of which the security subgroup is the relevant piece here, is trying to formulate its next iteration, which is a three-year project, and the piece of this that I'm trying to help them formulate is supporting analytics as a service for computer security. Now what that is, is gathering telemetry from products like, say, Prometheus, as a good use case, that is coming through in aggregate, i.e. transformed by some algorithm. We used to call it ETL, but you know, let's call it...
J: Fancy. Might have gone through some machine learning, and you know, maybe you're getting log results as opposed to individual data points, but we're trying to abstract this into a different kind of interface. So we're looking for some use cases, and then to partner with an open source tool that would let us build a working platform that people could use for testing the reference architecture for that project. So I'll just leave it at this.
G: Okay, thank you, Mark. Okay, move ahead. The agenda, I don't see any update, so if anyone was missed and had an update or didn't get a chance to put your name here in the attendance itself, make sure to double back at the end of the meeting. I don't see any presentations or PRs slated, so I suspect this will be a bit shorter than usual. So I'd like to just throw one out there.
G: Off-the-cuff sort of thing, and it was one that Justin Cappos brought up, and it was 376, with respect to just a security posture and Zoom. So I'm not gonna go into the broader topic of one versus another, how we do our whole workflow for uploading videos to YouTube, but I was wondering if it'd be appropriate to put up maybe some instructions on how to spin up a VM or container for both Windows, I'm sorry, Windows host OSes and Linux host...
G: OSes, so if people feel that that's appropriate: here's the way you can containerize it and/or throw it in a VM and just get it going really quickly. I tried out that Microsoft Internet Explorer test virtual machine image, but I don't know if licensing for it is such that we can officially recommend "download this 90-day free VM and use it for all of our official correspondence." I suspect that's going against the spirit of why it's being released.
G: Okay, yeah, that's the ticket, so I don't think that what I'm proposing addresses what Justin brought up. It's in the same spirit, though: here's how you throw it into a VM, and I'm wondering if sending that out, if other people want to use it, is appropriate, or does that inadvertently make a statement, if at all politicized, like, is that something we'd want to steer away from, by making a statement saying, you know, we only trust this if it's in that VM. Oh, I...
H: The news has been all filled with other similar tools having similar problems, which kind of makes it look more like it's just whoever people are focusing on finding issues in at the time, and that this sort of software, which is complicated by its very nature and rushed to market by the forces that make it happen, will all be kind of bad, and that therefore singling out Zoom specifically may not actually be as good of an idea as it may have seemed twenty days ago. True.
G: I don't intend to say pick on Zoom, or blaming anyone else, but since it's the de facto, the world is using it, I figured maybe if I put a certain spin on it, saying hey, here's how you can deploy quickly in a VM or a container, for whatever reasons there may be, like, rather than qualifying it, just present it as: here, so you can get it going pretty quickly if you want to containerize it, cuz...
G: ...cuz you want to, say, be paranoid like me and run everything in an isolated sandbox or something. I guess I'll take the qualification out and not try and specify why I'm doing it, to say here it is. I figured that would be appropriate without making it look like SIG Security is taking a particular stance on it. This.
E: Yeah, I like this, like, I mean, there are people that run Chrome or Firefox in a VM, right, so I don't think it's out of the ordinary for someone in the security kind of space to create the script, I guess, so I don't, like, as long as it's not, we don't say that it's not secure, therefore you should do this. Just like it's bad, yet.
G: Okay, I feel that aligns with what I'm going to add. Don't say why, but just say: here's a nice little thing for convenience, and then I'm sure anyone that has any pre-existing stance or a pinata can do what they want. Now we don't look like we're being mean to them and not to every other provider.
I: And of course you can use the browser version or whatever, but long story short, a couple years ago we prodded them with a pretty sharp stick, and we're small potatoes, but you know, have some notoriety, and nobody wants to see their name in lights next to ours in a bad way, and we worked with them to fix those things, and then about a year later we did another audit and it was the exact same, right. So they fix the point-in-time stuff, but it's their release process.
I: It's pretty obvious from a long-term mitigation with them and partnership in other places. I can't share all that, but let me just say it's a mess, and I don't know what prevents us from using another tool. And I don't... it's fine, I have dispensation to use it for this either way, but if we were gonna move away from it, that seems like sort of what the task is, is getting that, and I guess.
I: We should just say no and that's okay, but I worry about incomplete guidance, right, like, here's how you run something in a VM or whatever, no rationale as to why. In general, bad information is almost always worse, or, in general, incomplete information is almost always worse than no information when it comes to security, because people start making assumptions. So anyway, that's the thing I was going to say, like.
G: I don't want to mangle Justin or Dan's words, but at least know that some of the reasons were that we already have the whole SIG work and workflow in place. So the meetings are scheduled, they're automatically recorded and then uploaded to YouTube, and then I think the bigger thing is that the CNCF essentially chooses the tool that propagates down to all of the other SIGs and working groups, and I think one of the points Justin brought up is, since we're SIG Security...
B: You know, the issue that Justin created already sort of establishes enough of the context of, like, hey, security is worried about this thing. You know, Matthew, what you're proposing, to lay out how you're potentially addressing, you know, not just a broader suggestion to move away from the tool, but how to bring, you know, the tool, you know, basically, you know, protect ourselves a bit, you know, with some unknowns.
B: You know, that, you know, provide some context, but, you know, will actually give us, get us to the next resolution point in terms of finding that resolution point. Cool. My goodness, like, you know, we're kind of in one of those scenarios where, you know, the current solution is, you know, suboptimal, but there's no breakout...
B: You know, a better solution that is going to, you know, come in and do it that we need. So, you know, we're still iterating towards what could be a recommendation to the CNCF on a path forward, so, you know, documenting how we're protecting ourselves, you know, dealing with, you know, the situation at present, and, you know, doing what we can to move things forward.
B: You know, I pushed back on switching over to Hangouts, because I've had some issues where, if the person who created the calendar event, it's so tied to Google Calendar, if the person that created the calendar event isn't on the call, that means that you've got to scramble and set up an entirely new meeting. So, no, Hangouts is a great sort of sensible default when it's a small contingent of folks and, you know, very consistent participation.
G: I have one thing to add on a related tool: the feature is quite a ways out, so I don't anticipate seeing it until at least a couple years from now, but I think Signal is considering doing peer-to-peer distributed encrypted conversations and whatnot, so it'll be pretty interesting to see which way that goes. If they could decouple it a little bit from having to have a phone or an account with it, then it might modernize secure communication, some of pure guardian or PGP years back just set up, like, yeah.
B: You know, so we have our forum, but, you know, as a SIG, it's a sons group in the CNCF. One of our duties is also to kind of be transparent and share the work that we do, and, you know, the way we've got, you know, everything lined up is we get recordings and that gets published out to YouTube. So, you know, peer to peer: the challenge with peer to peer is it ends up making that distribution and transparency opportunity a bit more challenging.
B: You know, I run a meetup here in San Francisco, and we, you know, were sheltering in place and, you know, couldn't, you know, run our normal meetup, and we did it, you know, virtually, and, you know, we had the jane kia system set up with OBS, and we ended up having the new, it's lit out, you know, who's running the Zoom client for everybody and who's doing the OBS, you know, stream out to YouTube.
G: Yeah, sorry, Dan, for about the past 15 seconds it does not appear that you're muted, but we don't hear any audio from you. Maybe it's the mic or something.
I: Only real concern I have here is if we were really to discover something that was a zero-day, right, and it's for some product that's out there in the wild in a bunch of places, this is not a medium that I would feel comfortable disclosing it in. So my thought is, instead of documenting how to make this a little safer, let's just document what happens when we... because all this should be considered public area, obviously, whatever it may be, let's just document what we do in the case of non-public.
G: Auto-related, I would have had this question for a while and I've been keep forgetting to ask it. As a tame example, my five-year-old decided to make a little cameo not too long ago on the video stream. Who do we reach out to if we wanted to, say, cut or edit the YouTube videos that get auto-uploaded to the CNCF's page? Just if we need, you know, we realize, oh, this probably should...
K: No, even Falco also wants to capture a standardized format of a policy violation. There's been a proposal to make a CRD for that, and then we just briefly kind of touched base with the Gatekeeper folks, who had a version of this conversation, and discussed kind of the pros and cons of CRD versus native support, and essentially we're going to follow up. If anyone is at the SIG Auth meeting next at 11:00, they're gonna talk about dynamic audit, so I think that will overlap as well. So we're at some point.