From YouTube: CNCF SIG-Security Meeting - 2019-07-24
A: We can now have a set of colors and a logo, and that's nifty, so yeah, nothing much in security land for me other than, oh well, something that was pretty interesting: I went to DWeb Camp and learned about a bunch of peer-to-peer protocols and databases like Scuttlebutt and the InterPlanetary File System, and they're all self-sovereign identity in different ways, where they're using the blockchain to not have to have a single identity service. So that's pretty interesting.
E: I have been absent, and I apologize for that. I got caught on a trip and then vacation; vacation overlaps with Wednesdays two weeks in a row, and I'm back, and I will be back from here on out. Not too much to report. I saw the email thread around the SIG Security days, so I'll wait until we get to that to talk about that.
G: I'll talk about the new member thing. Last time I took a look at the new member issue and this sort of proposal around that and left some comments. I think that, ultimately, the idea of having something that is for new members will be really useful. I think I made two main points. I think it's worth having something that is targeting people who are, like, SIG-familiar and who've been along to strange things like this before, and I think it's probably worth having something for people who are like, "What even is this?"
G: "This is weird." I also think it's worth having examples in there, basically like stories of previous issues that have moved through the process, like how they got picked up, what the success was. Well, something that will make it easier to go, "Oh yeah, I understand how this works." Yeah, I left some comments; I'm happy to pull some things together. If people have specific stories, I'm happy to write something up, but I don't have the individual bits that people have done.
A: Yeah, that's... I'm gonna put... I'm gonna... If we have time before JJ arrives, if you need to brainstorm that a little bit, or maybe try to talk about it, because I think it would be neat to have, like, a little sharing from people who've been around for a while about, like, what did you do when you were new that was helpful to the group and helped you onboard? I think that's a really neat idea.
J: Colors chu aye, good morning. And you, Nathan, meetings, share with me some ideas about threat modeling, and he developed a well equated threat model for the Canaries, and I'm reviewing and adding some notes on that particular work that the gelatin is developing. Wynnum, I will also finish a couple of spells with... There are some security companies related with a tremendous project that we are maleeni internally. Reddington?
M: Sorry, I was just a little bit late. Don't have a whole lot, actually. Just on the IEEE 5G roadmap, I dug a little bit deeper on that, and seems like...
M: They are all playing a very key role, and they are obviously focusing on the security that will play a part in how security is going to be handled in the virtualized world. So that's what it seems like on the roadmap, a long roadmap for ten years, so there's a lot of people getting involved, many carriers. So there are many vendors in there, so to make sure of everybody, even the end users, so it might be worth following that one, which I am doing right now. Right.
N: So I've been in Tokyo talking at the Open Source Summit and at the Automotive Grade Linux event there, and also meeting with many of the automakers there. They're deploying something that's a variant on the TUF project, that's the CNCF project, and apparently my talk caused quite a stir, because there's two different articles, one in LWN, one in an automotive venue, that were written based on the talk I gave without anybody talking to me, like interviewing me separately or discussing afterwards.
A: And yeah, Robert, if you could share stuff on the Slack after the call, that'd be great, so that people can follow along who can't make it to both calls. Appreciate you chiming in there. Do we have Santiago here for the supply chain? We're going to chat about the supply chain proposal.
F: I figure it's always an area for improvement, because just because I work in the field and I can understand a lot of things that are going on doesn't necessarily work when we're trying to expand security awareness outside of our field. I work with a lot of developers, system administrators who are more or less completely clueless when it comes to security and how to apply it to native architectures. So even just documentation and guidance.
A: I think that's super helpful, and I think what I'm hearing is that there are people who are very used to that process of, you know, "Yeah, we expect you to just jump up and do stuff," and there are other people who haven't been in a group where that's the norm, and so there might be places, particularly the folks, I think Erin and Gareth, who are chiming in on the new member stuff, there may be places that we've omitted, we've... we haven't thought to write down, like, "Hey,
A: do this thing," that, you know, some of us are accustomed to, being in this open source world where you just, like, jump in and do stuff, which is, you know, to some degree, maybe in contrast with, you know, other groups that people are a part of, or other areas, right? Like, maybe not all groups are so much this way. I don't know.
G: KubeCons and interesting products, agree, things like that. And KubeCon keeps growing, but seventy percent of people in EU were brand new, they've never been before, and if you've been to, like, most of them, it's easy to go, like, "I see all the same people all the time." Actually there's way more people just joining the broader community all the time. Yeah, and...
A: I think that we aspire to support asynchronous communication, right? Like, you know, like Howard is super active, yet he's in China, so a lot of it, like he helped lead the policy breakout in the afternoon, in my afternoon, somebody else's middle of the night, and I think that we want that to thrive, that people can be part of this group and not be present at one meeting because they're in a different time zone and still participate in all the discussions, and, you know, likewise for KubeCon.
A: So I wanted to give a little space to talk about the supply chain proposal, and I'll actually just share my screen, because I think we've got two out of it. There were a few people who chimed in, but Santiago, do you want to just introduce the concept while I share my screen and bring up the issue, sir?
L: This meant that, for example, all of these software supply chain compromises are not somewhere to be, how to say, verified, or there's no history of, like, all of the compromises that happen every day that you can just go and look and find. There's also no information about how to, like, tighten your security release process in, like, the cloud native world, and/or references to, like, academic information that you can find, or like...
L: The whole idea came from... so I basically drafted this proposal, in which we basically start with aggregating all of these software supply chain compromises for people to query and explore, and hopefully in the future we can expand this to also include, like, resources on how to tighten your security release process, and then further into more abstract, like a knowledge base of software supply chain security information, yeah.
A: I think I also chimed in because I think that it just became one of the things that we did with the in-toto assessment: we kind of helped clarify the edges of, like, what in-toto does and doesn't do, and then it raised all of these interests. I remember, you know, like any interesting discussion now, it's like, "Oh well, this stuff is outside of the scope of in-toto, but Santiago, you actually know a lot about this." Sketching out...
A: ...the whole landscape seemed more of a SIG thing and too much to put on the in-toto project, and so it would be like, what, where are there either... maybe there are gaps, or maybe there's just other things that we want to help point people to do to close these gaps. But I also want to leave the floor for other people who chimed in on this issue and said that they wanted to help, to talk about what you envision helping this become.
A: Yeah, and Emily, I'm just bringing up here, since she's on the phone she can't see this, this comment that you made about typecasting attacks, right, that to maybe look at the path, like to draw from that list, so that there could be typecast with examples rather than a time-based list, which would imply that we're going to, like, somehow keep it up to date.
F: There's a lot of potential attack vectors within that space, but a lot of people don't even know about, or they don't even think about it. Why? She's... probably most people look at, especially if you're just working on something, call it, that blows up and go at a startup? It's having that listing, or at least a point of reference for people to go to about the kinds of ones that are out there, what they look like, the character traits that make them off, and what the corresponding impact of that looks...
F: ...like. I mean, just thinking about Docker last year and all the crypto mining container, africanus, there's no finding even libraries, and saying people understand the attacks are happening, but they don't know necessarily how they're going in or what to look for to prevent, and that's really what needs to happen. Not necessarily a full blown out listing of every single thing that exists, because I don't know that that's humanly possible, but we're lumping them together, identifying groups of like objects that they're staying now and what could potentially come out of that. I...
L: ...mean, I agree: I don't think we just need an exhaustive list, but I think, and I think here saying that basically basing off of these incidents drives some insight, so I think in a sense we do need, like, a knowledge base that we can build off, and that's why I would say it would be a good idea to at least have a list that you can just square it: okay, all of these things have happened, and then we can evolve from there and have other documents living in the same space.
A: I think the... I like the idea of having a list to refer to, like, "Here's a bunch of examples," and I think that there's a way to present the catalog so if it weren't exhaustive, it would be fine, right? It's not like it's a CVE database where we need to have a list of every single one that's ever happened, right, Santiago? Yeah.
R: If you're a bit... because coming from a start-up that never has enough resources to even do all the understood best practices, supply chain management for, or software supply chain management, definitely is a cultural thing, because I have to educate my developers, so it would be very helpful to identify, even in the roughest of categories, the low-hanging fruit. What is the... what are the first three to five things?
C: Yeah, absolutely. I think that things like patching Jenkins are very much on... it should be on the list, because these are things that people are compromised for at large, and no, Jenkins plugins, things like that. These are things that are actually, like, really common, and we can definitely find examples for them, and they're very relatable, and then not... notion that attacks it. Oh.
L: ...that's, like, prioritized for, like, different types of threat models, and then have, like, this type of taxonomy that also grows and is discussed about. I feel that if we try to go too broad and do everything at once, we'll eventually have a dead project with, like, half-baked ideas of very little value.
A: I think, Santiago, as the facilitator, I think you have an opportunity and an obligation to make the first iteration fit into the scope, right? So we had scoped this as a relatively small first bit, and so I think pulling together the people who, like, I know after we have this discussion and people give feedback from the wider group, you know, like making best use of the brain power that has volunteered, to how to get something within that.
M: So is our goal going to be, at some point, that we create a guideline that we can publicize and also sell to most of these popular tool providers that basically control all the development in the world, so that this can be embedded and become ultimately transparent to the developer, so that every developer doesn't have to start thinking from scratch as to how they go about protecting their whole CI/CD and the whole supply chain mechanism?
A: Well, I think it's our habit, when we recognize improvements that could be made in open source things, right, or into vendors where they have an open repository, that we generally, like, write up issues, and we did that, you know, in the course of the in-toto assessment, and I think it's really...
A: The first step is to identify all the possibilities, and then, you know, then we can move our way through making recommendations. I think this proposal is... making the recommendations to improve the situation of supply chain security is one step beyond the current proposal, but I think that if things came out of it like, "Oh, this is a common issue that if this part of our ecosystem did XYZ better," like writing up an issue with that recommendation, with that observation, is something that people should just do as a matter of course.
A: But like we, SIG Security, saying, "Here, we have a recommendation to the cloud native ecosystem about supply chain stuff," I think is, like, let's do the catalog first and whatever comes up from that, and then, you know, see if there's... see, you know, what the pacing is on the energy to take it to the next step. I...
M: ...agree in general. I'm just wondering, you know, because things are happening quite fast, right, and if other people are doing similar types of thoughts, and they are already embedding some mechanisms to protect their chain and the CI/CD pipeline, and we are also proposing something. And then, you know, I'd like to see that all these efforts come to some sort of a real useful...
A: The proposal came from the fact that this catalog does not exist, that any of us could find, and currently only exists as a note in the in-toto GitHub repository, which isn't very visible, and so really, this is just a relatively small effort to take that sort of valuable list of supply chain compromises, right, and then surface it in a more useful way and more broadly, by making it part of the SIG Security repo or catalog, or, I mean, it could stay where it is, and I mean...
F: Overall, today we have a three reserved for about up to 200 people. The question that we need to have an answer on is: what kind of format are we going to run? The last two weeks ago we had a presentation on unconferences and how those are run, which is not the way that normal ones are; they're run without a CFP and get a bunch of talks submitted, reflects from there. So right now we need to know if we are running the whole day as an unconference day or a normal conference.
F: Make this whole fact room setup and layout. The current proposal for layout is a classroom style, or a bunch of chairs and prose roundtables distributed throughout the room. This would allow for more collaborative discussion to occur and follows closer to the unconference design, and the last one is theater style, but I don't know that that's necessarily going to work for a part, so...
F: So I'm going to add that the email that we got from Emily Ruff is that the event needs to run from 8 a.m. to 5 p.m., so I'm pretty sure that, given Michael's proposal, we can certainly make that work for us, and I personally am a fan of the idea with the roundtable layout to enable more collaborative discussion, especially if we can do more of the unconference session.
A: No, I think that... I think Michael, EULA, like you missed the sort of, like, a nuance to me that Kalia contributed, is that they, like... which I think can happen with whatever format, like whatever degree of unconference stuff in it, is that people are... if, if the more, like, if everything's unconference, then people... then it's more self-generative, right? Everybody comes in with that expectation, which doesn't mean necessarily that there aren't anchor things, you know, there aren't some prepared presentations, and I...
A: People... how people feel in preparing for the events, if we twist and choose a few, like two or three people, to present, and we have dozens and dozens of people who have aired a present... like, you know, it may change the flavor of the unconference to have a CFP and an unconference. You know what I mean? That's what I was talking about in terms of, yeah.
A: Just hang on, we heard from Emily today that, if we... so that it was already... all of the CFPs have already gone out for this time frame. It doesn't mean we can't do it. I'm just saying that, like, the amount of time we will have to give to reach out outside of our bubble will be shorter than other things happening around KubeCon, because, yeah, we also...
G: I think the numbers playing out over here, so Barcelona is an example, and the CFP dates that we've come were even closer than they are for us for San Diego, and Rejekts actually ran an entire two days, and I think even with multiple talks going on at the same time, that populated solely by people who'd been rejected from KubeCon, and they still had a CFP problem where they had, like, more submissions than they could take. So I think just down to a loved coupon.
A: ...who haven't spoken to chime in on, you know, to give feedback to the team on CFP? Yes, know how to do a CFP to make it effective, and Emily Ruff, who's not on the call, will actually be it, you know, who's a CNCF staff person, will help us execute on the... see him on the CFP. So this is more to, like, have people in the group share with Michael and Emily about what your hopes and desires are for this. So.
M: My concern on this whole unconference thing and so forth is that, I mean, it's a great idea for brainstorming, but at the end of the day you need to have a focus. So we must have a focus as far as what we want to achieve. If we don't have a goal that we at least put forward in front of the audience... I mean, the audience can obviously, depending on their comments, that can change. I understand that. Educating work...
M: We need to have something as a focus as to what we want to achieve through the Security Day and where we are heading, some goal which could change based on the people's input and so forth. But if we don't have anything and just go as a free-form, it can work, probably, on the first time, but I don't think it should continue like that, and that's not very... I don't see how that is very productive.
F: ...the call, and we'll get JJ, and we'll probably have some conversations in this SIG Security events group, and we'll come to a resolution, and then we'll update the ticket with the status. I do have to run right now, so I'll check back in later. Thanks.
C: Yeah, I don't... I don't agree that we need to go in with a preconceived part. Cam, I think having an unconference is a way of bringing together people who have to find out what their concerns are and what they want to happen, what things are important to them, and we can then determine outcomes at the time, which is, I think, pretty important.
E: Wanted to get two more points of feedback from people real quick. One thing the CNCF suggested is a price of $199. I just... I feel like it's kind of high, as we're trying to do more of a community-oriented event. Does anyone have any point of feedback on that, or higher, lower, keep it as it is? Who cares?
G: Off the top of my head, I don't remember anything that expensive at Barcelona. Things were, caveat, we managed to crush our currency, so I can't... I can't actually remember the dollars to pounds thing. The CDF event, which was the biggest event in Barcelona, that was roughly 300, I think. That was... I... Ikura knows that was free, if memory serves. All right, well, if it wasn't, it was like $20 equivalent. There were events that were probably more like a hundred and $20, like Cott, requiring...
N: There is a, you know, just like a headache problem also with paying something. I know there was some event or something I had wanted to drop by, and it wouldn't have been an actual problem to pay for it, but I, like, couldn't logistically go and pay for it to just go and show up, so yeah, I do want to just be able to wander in.