►
From YouTube: CNCF SIG Security 2021-04-21
Description
CNCF SIG Security 2021-04-21
A
A
B
A
A
A
D
A
A
So
let's
get
started
so
we're
gonna
go
do
a
round
of
check-in.
So
let's
see
no
updates.
Oh
before
we
get
started,
this
meeting
is
recorded
and
it
follows
that
here,
cncf
called
the
conduct
guidelines.
So
standard
rules
are
black
so
going
through
a
clcb
for
filling
in
the
list,
so
I
will
make
sure
I
swing
back.
To
do
another
check,
diego.
You
have
an
update
on
the
cloud
native
security
map.
A
A
B
Hey
guys,
this
will
be
really
fast.
I
just
missed
a
few
meetings
back.
These
guy
council
is
writing
a
container
security,
best
practices
document
or
payment
into
pci's
payment
card
industry,
so
finance
centric,
but
this
is
really
just
best
practices
for
containers,
so
I'm
going
to
steal
stuff
from
our
own
white
papers
and
so
on.
So
if
people
want
to
be
party
to
that
and
help
me
write
paragraphs
to
that,
I'm
mainly
looking
at
the
icd
aspects
of
this.
E
The
stuff
in
I
actually
had
two
of
them,
so
lexicon
is
going
forward
doing
it.
The
team
is
doing
a
great
job
of
providing
some
of
those
definitions
for
terms
not
quite
ready
for
everyone
to
start
reviewing
it
yet,
but
they're
getting
closer.
The
other
one
was
a
quick
update
on
security,
plows
they've
reached
out
to
crossplane
and
artifact
hub
at
a
minimum.
Those
two,
but
I
believe,
there's
a
third
one
that
I'm
probably
forgetting
about
starting
conversations.
E
A
G
A
A
Them
yeah
yeah
cool
thanks
tim
going
through
the
updates.
Here,
roberts
is
going
to
be
joining
late.
We
can
put
him
on
the
agenda
later,
ruggery,
okay,
so
your
update
was
covered
by
emily.
That's
all
good!
We
had
the
tlc
meeting
on
tuesday
andreas
and
I
would
have
to
kind
of
represent
the
sake
and
they
were
talking
about
incubation
processes
and
the
the
main
part
of
it
is
like
yeah
they're,
making
the
tlc
sponsor
own
the
entire
incubation
process.
C
Yeah
sorry,
I
was
just
typing
pasting:
the
pr
and
chat
for
those
interested
in
the
details,
but
the
gift
of
it
is
the
toc
is
trying
to
streamline
the
incubation
process
by
appointing
a
designated
talk
sponsor
upfront
so
rather
than
a
project
going
over
the
due
diligence
requirements
and
chasing
different
cigs
and
filling
out
the
stock
ahead
of
time.
They
would
first
find
someone
in
the
talk
to
sponsor
the
project
and
hand,
hold
them
and
direct
them
throughout
the
process.
C
So
from
a
security
perspective,
we
would
typically
either
hear
from
well
from
this
point
on
would
be
hearing
from
the
talk
liaison
or
from
the
talk
sponsor
for
the
project.
If
we
have
a
project
in
the
pipeline,
we
need
a
security
review
or
we
need
a
recommendation
rather
than
some
project
we
might
have
not
heard
of
coming
to
present
to
us.
First
try
to
get
buy-in
for
us
to
try
to
go,
sell
it
to
the
talk.
So
that's
the
summary
of
it.
A
Awesome
yeah
and
I
think
I
think,
trial
like
we
were
having
some
conversations
on
the
call
about
you
know
what
is
what
is
really
requested
of
the
sake,
and
I
think
this
acknowledge
that
sex
security
is
kind
of
a
special
case
in
which
our
recommendation
is
kind
of
a
little
bit
different
from
the
other
sex
brand.
It's
not
just
with
the
if
it's
within
the
ecosystem
and
it's
good
technology,
but
even
for
the
non-security
projects
we
we
do
also
need
to
provide
higher
federation
of
that.
C
We
would
still
want
to
hear
presentations
throughout
assessment
processes,
because
it
helps
us
inform
the
assessment
and
a
lot
of
the
scenarios
in
which
a
project
might
be
the
point
so
yeah.
Well.
This
has
yet
to
be
merged.
We'll
learn
more
as
as
this
gets
implemented
and
we
go
through
it
awesome
see
how
much
changes.
A
A
A
G
G
It
just
makes
sense
and
the
the
difference
at
the
time
when
I
read
it,
but
it's
how
I
was
starting
up
my
blog
and
how
I
think,
through
the
road
map,
was
getting
a
handle
on
the
problem
space
and
seeing
well
what
what
seems
to
be
the
issues,
what
are
our
priority
and
then
for
this
group?
What
what
should
we
try
to
solve
for,
or
even
can
we
solve
for
them?
So
that's
what
I
wanted
to
like
get
some
feedback
on
really
quickly.
G
So
so
here's
how
I
started
was
thinking
you
know,
and
at
the
time
when
I
read
I
was
like
well,
it
would
help
to
understand
when
we
talk
about
supply
chain.
Where
are
the
problems
we
could
visualize?
I'm
not
saying
this
is
the
right
way.
I
liked
it
because
it
was
a
good
starting
point.
There's
lots
of
different
ways.
You
could
do
it,
but
it
does
start
to
put
into
context
okay.
G
There
are
lots
of
pieces
in
a
supply
chain
and
then
what
tend
to
be
the
attack
vectors
based
on
that
and
then
from
there
iterate,
because
I
think
last
time
we
started
to
go
down
into
the
tooling
tool
chain
discussion.
I
thought.
Oh,
it
might
be
better
to
start
hey,
let's
frame
it
as
what
the
problems
are,
and
then
we
can
iterate
on
tools
or
a
list
of
tools,
and
that
would
be
helpful
for
me
too.
G
In
my
own
mind,
what
is
the
range
of
the
attack
vectors,
and
so
this
is
a
bunch
of
different
sources
and
just
stuff
that
I
threw
in
there,
and
this
is
where
I
could
use
some
some
guidance,
but
you
can
kind
of
see
just
one
bucket
around
code
signing
like
that
seems
to
be
a
bucket
that
stands
alone,
but
there's
a
couple
of
different
ways:
people
access
it,
something
that
we
would
call.
I
think
the
term
is
pretty
good
distribution
vectors,
which
is
how
do
they
get
the
malware
to
be
distributed?
A
H
A
G
Yeah,
so
the
end
goal
was,
I
wanted
to
figure
out.
What
do
we
want
to
do
in
terms
of
approaches
like
we
already
are
planning
on
rolling
out
some
kind
of
basic
vulnerability
detection
that
has
dependency
mapping?
That
seems
to
be
kind
of
well
defined,
and
I
wanted
to
see
what
else
is
is
is
next
like
the
next
thing
that
we
know
is
going
to
be
key,
a
key
key
scanning
for
keys
and
sort
of
kind
of
fits
somewhere
in
sci,
I
suppose
kind
of
sub
bullet.
G
But
some
of
the
things
I
was
getting
stuck
on
was
well.
Are
people
interested
in
you
know,
das,
there's
a
lot
of
complexity,
because
I
started
to
go
down
the
path
of
evaluating
a
dash
solution,
but
I
was
like
oh,
but
you
know,
everybody's
run.
Time
is
sort
of
different.
Do
people
want
to
bother
with
instrumenting
that
blah
blah
blah
sassed
fuzzing,
and
then
I
started
exploring
a
solution
around
code
search
which
was
more
initially
around
improving
productivity
for
developers.
G
So
it's
like
you
know,
imagine
it's
like
splunk
or
google,
but
for
your
code,
but
I
I
started
to
ask
the
the
the
creators
of
this
tool.
You
know.
Is
there
a
security
application
because
I
feel
sometimes
there's
issues
when
you
have
sort
of
these
vulnerability
databases,
whereas
people
who
are
close
to
the
code
may
start
to
think
through
what
the
vulnerability
patterns
are.
They
may
just
want
to
do
a
fast
search
in
real
time
or
build
out
their
own
libraries
on
their
own.
So
I
I
I
want
my
end
state.
G
Is
this
like?
What
do
you
guys
think
we
should
try
to
consider
making
a
standard
offering
that's
enabled
through
a
security
portal,
for
projects
to
ease
the
instrumentation
and
reporting,
but
before
I
could
get
to
the
tools
I
wanted
to
understand.
Well
what
are
meaningful
problems
and
then
we
can
kind
of
say
well
yeah.
Let's
try
to
explore
these
tools.
G
G
Host,
that's
correct,
that's
correct,
and
so
the
way
we've
been
doing
it
is
and
that's
why
the
tooling
discussion
will
be
in
fact
valuable
when
we
get
there
is,
and
one
of
the
things
I
had
heard
was:
oh
well,
there's
lots
of
different
tools.
I
have
to
pick
a
tool.
How
do
you
get
neutrality
so
we're
trying
to
take
that
out
by
saying:
okay,
we're
going
to
vet
vendor
a
work
out
some
arrangement
and
a
lot
of
times?
G
We
have
to
make
bespoke
arrangements
in
terms
of
billing
or
integrations
or
the
ux
to
solve
for
certain
things,
so
you
know
and
the
goal
would
be
okay
now
you
have
a
single
control
plane
that
you
could
then
govern
it
for
a
project
instrument.
Your
repos
and
you
know,
kind
of
simplify
and
not
have
people
have
to
go
and
search
a
vendor,
and
then
you
appear
poc
and
all
this
other
stuff.
I
G
No,
no,
I
I
definitely
want
to
open
up.
I've
tried
to
reach
out
to
open
ssf,
and
I
I
couldn't
get
clearly
how
far
along
the
tools
were,
whether
we
should
do
it
or
not,
and
so
I
figured
let
me
triangulate
by
having
you
know
a
different
set
of
practitioners,
some
that
you
guys
might
be
neutral,
whether
it's
from
open,
ssf
or
commercial
versus
they're
doing
it.
And
that
way
I
can
kind
of
harmonize
between
the
two.
G
I
Yeah,
so
that
they
are
going
beyond
sc
and
their
vulnerability
right,
so
they
are
also
considering
other
attributes
about
open
source
libraries,
securities
and
risk
like
they
do
have
a
package
feed
and
a
criticality
score.
There
are
multiple
tools
around
there
and
they
have
a
dashboard
where
they
calculate
all
these
metrics
and
give
you
some
level
of
score
for
the
for
an
open
source
package
right.
So
I
think
it's
good
to
consider
those
tools,
and
some
of
these
tools
are
not
necessarily
going
to
help
that
much
with
the
supply
chain
problem.
I
It
may
help
with
the
application
security
of
the
software
in
you
know,
building
inside
a
company
not
necessarily
a
supply
chain,
security,
specific
right
like
fast.
It
is
not
that
practical
to
scan
all
the
open
source
code
through
a
sas
like
I,
I
don't
know
how
many
companies
are
doing
that
and
even
yeah.
So
sca
itself
is
kind
of
a
limited
approach
for
open
source
security,
yeah.
G
Yeah,
that's
kind
of
what
I've
been
sensing
too,
but
I
couldn't
I
I
couldn't
tell
when
I
synced
up
with
david.
What's
the
status
on,
you
know,
release
and
is
it
working
and
is
the
metrics
well
defined
if
all
the
tools
from
so
on
the
extreme,
if
everything
from
openssf
will
fit
all
the
needs
and
requirements
from
a
group
like
this,
then
problem
solved
if
there's
a
gap
and
we
need
some
commercial
tool
then
or
other
tool,
then
I
would
like
to
understand
that
one
example,
for
example,
is
fuzzing.
G
So
when
I
would
talk
to
them,
they
said
well,
yeah,
you
know
open
open,
fuzz
is
available,
but
part
of
me
was
like,
but
even
if
it's
available,
how
easy
is
it
and
how
widespread
is
it
used
across
projects,
and
so
there
we
would
be
tackling
okay.
Maybe
we
have
a
control
plane,
which
is
makes
it
much
easier
for
everyone
to
run
code
against
open
fuzz.
If
that
isn't
done
or
you
know,
helps
them
to
record
the
the
output
or
select
what
the
library
is
used
like.
G
E
Is
is
there
a
path
or
a
mechanism
by
which,
as
the
sig
discovers
gaps
in
these
particular
areas,
that
we're
expected
to
engage
with
the
foundation
to
highlight
an
overwhelming
need
in
this
particular
area?
We
have
a
lot
of
projects
ongoing.
The
supply
chain.
Paper
is
one
of
them.
There's
the
map
and
as
some
of
the
sig
leadership
as
well
as
a
lot
of
the
sig
members
and
the
community
members
are
discussing
like
the
current
state
of
things.
Another
attack
just
happened.
E
What
what
do
we
do?
What
are
we
recommending
to
people
we're
slowly,
starting
to
realize
key
areas
such
as
the
ones
that
you
pointed
out,
for
which
there
is
a
lack
of
tooling
that's
available
to
the
community
and
we're
struggling
with?
Where
do
we?
Where
do
we
write
all
that
down
right
now?
That
looks
like
cards
in
our
repo,
but
is
there
a
path
by
which
we
can
engage
and
say
hey?
We
were
doing
x,
y
and
z.
G
That's
a
super
great
question
to
which
I
don't
have
an
answer
and
given
I
don't
have
an
answer,
we
could
you
know
co-create
it
here.
Like
you
know,
you
guys
are
the
most
active,
what's
useful
for
you.
I
I
actually
don't
have
it's
a
super
great
answer
and
I
think
having
a
solution
would
be
super.
I
I
don't
have
a
prescription
at
this
point.
So
what
what?
E
Cncf,
I
think
you
have
you've,
got
a
couple
of
areas
that
are
already
here
that
are
called
out
as
potential
problem
cases.
I
think
if
it's
intended
to
be
our
sig
ownership
of
those
problem,
areas
from
a
security
focus.
Remember
that
that's
kind
of
like
how
we're
scoped,
maybe
having
something
akin
to
this
listing
in
our
repo,
where
we
we've
particularly
called
out
problem
space
and
then
just
engaging
with
the
foundation
to
be
like
hey.
A
A
D
G
Yeah,
I
I
that
sounds
right.
You
know
and-
and
I
I
tried
so
this
one-
I
started
from
scratch,
but
then
we
did
that
whole
exercise
for
the
dod
and
I
reached
back
to
them
and
say
hey:
what's
the
published
outcome
for
what
you
guys
did
they
didn't?
They
haven't
gotten
back
to
me,
the
two
folks
that
are
that
are
working
on
it.
So
I
you
know
we
could
always.
You
know
I
like
the
format
that
we
did
last
time
too,
as
a
spreadsheet,
and
you
know
that
was
super
valuable.
G
So
I'm
pretty
open
and
I
I'm
hearing
the
two
things.
One
is
what's
the
list
that
you
guys
are
like
this
one's,
probably
not
a
very
great
great
list,
because
I
just
pulled
it
out
of
my
whatever
kind
of
like
jamming
through
it
just
to
give
a
context,
but
you
guys
probably
know
a
lot
more
and
then,
like
you
said:
where
do
we
go
to
to
find
it?
So
I
I'm
open
to
what
they
think
the
form
fact
the
right
form
factor
is
meaning.
You
know
I
like
the
idea
of
a
repo.
G
C
G
And
in
some
ways,
you've
actually
stated
the
sub
problem,
which
we're
trying
to
solve
is
how
do
we
make
it
super
easy?
How
do
we
make
it
for
those
that
are
off
skeleton
crews
to
still
have
some
level
of
security
assurance,
and
so
that's,
like
the
hot,
the
higher
order
bit
question
is
okay.
What's
the
scope
of
the
problems
which
I'm
turning
to
you
know
you
guys
as
practitioners
what
it
is
and
then
the
product
aspect
is
okay.
How
do
we
enable
it
for
the
persona
of
someone
who
doesn't
really
have
time.
C
So
if
it
were
something
similar
to
the
cncf
service
desk
model,
where
the
elf
is
going
to
make
a
person
available
to
work
with
maintainers
and
help
them
expedite
all
the
due
diligence
to
be
able
to
like
the
problem
is
not
really
technology
right.
It's
it's
putting
it
yeah,
going
back
to
your
your
diagram
that,
like
even
system
design
stage
and
making
sure
that
well,
yes,
there's
there's
this
thing.
We
can
consume
as
a
service
great
tooling,
but
making
sure
you
can
handhold
the
project
maintainers
and
make
it,
and
even
do
it
for
them.
C
Just
like
do
that,
augmentation
for
them,
so
that
it's
not
additional
overhead
where
they
don't
understand
the
implications
of
well
how's.
This
going
to
change
our
build
pipeline
how's
this
going
to
change
the
threat
model
of
our
project
like
this.
This
is
going
to
uncover
stuff
that
we're
not
ready
to
talk
about
at
this
point,
etcetera,
etcetera.
A
From
you
yeah,
I
was
thinking
about
fuzzing
as
well.
I
was
thinking
about
you
know
the
kind
of
like
domain
knowledge
that
you
would
need
to
know
to
implement
a
fuzzer
yeah,
adapt
your
application,
but
like
if
it's
a
service
based
model,
you
know
at
all
yeah
it
could
be,
even
if,
like
just
open
source
tooling
right,
it
doesn't
have
to
be
a
service
we
could
just
like.
Oh,
we
do
a
security
process
for
you,
we'll
write
a
cicd
pipeline
for
you
or
something
like
that.
G
C
Like
you
even
take
like
running
the
web
infrastructure
for
web
pages
of
the
projects,
maintainers
are
not
doing
that
and
there's
been
like
some
shuffling
on
the
cncf
side,
where
the
people
that
helped
put
up
netlify
and
do
the
load
balancing
and
do
cloudflare
for
for
this
project
has
moved
on
and
now
like.
Maintainers
are
scrambling
because
they
haven't
dealt
with
this
stuff
before.
G
I
I'd
love
to
hear
those
use
cases
on
the
deployment
side,
and
maybe
that's
something
that
we
you
know
we
just
iterated
on
this,
so
I
just
wanted
to
kick
it
off.
It
seems
like
there's
some
things.
I
don't
have
answers
on
like
where
we
go
to
put
those
in
there
I'll
take
my
lead
from
you
guys.
I
think
it's
whatever
is
the
least
friction
for
you
that
gives
lowest
friction
and
highest
fidelity.
G
All
right,
well,
the
that's
it
for
me.
Maybe
what
we
do
is
I
kind
of
jump
to
another
meeting,
but
I
think
we
framed
it
and
then,
let's
see
what
maybe
happens
in
the
next
week
or
two
on
thoughts
that
we
come
out,
we
can.
We
also
have
the
slack
in
terms
of
what
you
guys
want
to
do
in
terms
of
the
repo
location
like
where
the
discussion
and
the
things
go,
and
I
think
that
seems
like
a
good
starting
point.
Does
that
sound
good.
A
A
E
Yes,
all
right,
let
me
go
up
and
figure
out
what
I'm
talking
about
meeting
summaries
first
and
foremost,
so
for
those
of
you
that
probably
already
know-
and
those
of
you
that
don't
six
security
is
considered
a
global
group,
a
global
community
spanning
multiple
time
zones
and
as
a
result
of
that
expansion
and
community
interest,
we
do
have
an
apac
region
being
that
occurs
where
they
have
lots
of
conversations.
They
are
active
community
members
and
they
are
engaged
in
these
discussions.
E
E
So
that's
the
first
item
and
then
the
second
one
is
inclusion,
language
changes.
This
is
issue
number
478.
It
was
originally
brought
up
by
andres
and
I
wanted
to
bring
this
back
to
the
community
as
something
that
I
think
we
can
actually
get
taken
care
of.
So
this
is
regarding
the
use
of
non-inclusive
terms
within
our
repository.
E
We
do
have
a
few
of
them
to
include
the
branching
schema
by
which
we
employ
within
the
sig.
So
what
this
is
is
it
would
entail
somebody
going
through
probably
gripping
through
all
of
our
files,
doing
changes
to
some
of
the
terminology,
as
well
as
a
decision
point
in
which
we
switch
over
from
the
master
branch
over
to
the
main.
E
A
A
E
J
In
terms
of
the
inclusive
naming
I
mean
it
was
in
the
new
york
times
recently
in
terms
of
like
the
crew
that
put
that
all
together
and
stuff
like
that,
I
think
it's
an
amazing
initiative
for
all
of
us
here
so
kind
of
like
putting
my
two
cents
in
here,
even
though
it's
unsolicited,
but
it's
it's
a
really
amazing
initiative.
They've
done
a
bunch
of
projects,
so
I
think,
would
be
awesome
whatever
I
can
do
to
contribute.
I'm
going
to
do
here.
J
K
D
D
D
D
There
are
regular
releases-
and
there
are
active,
commits
in
the
in
the
last
six
months
and
it's
a
priority
if
it
can
be
a
cncf
project
or
linux
foundation
relationship,
so
that
this
is
a
discussion
from
the
rest
of
the
group
of
what
is
appropriate.
Any
other
suggestion.
What
is
important,
but
the
the
goal
is
to
always
provide
good
quality
projects
so
that
people
trust
this
resource.
A
A
You
know,
why
is
this
guys
projecting
but
not
mine,
and
I
think
the
the
idea
is
to
make
it
as
objective
as
possible
and
to
have
a
criteria
that
I
think
covers
all
the
bases
that
that
people
should
care
about.
I
think
we
haven't
really
decided
on
exactly
what
the
we
have
this
scott
criteria,
but
I
think,
like
maybe
there
is
also
consideration
to
like
the
wait.
I
A
D
C
E
H
J
E
E
You
can
have
two
people
and
they
could
be
doing
awesome
and
amazing
work,
but
they
can
also
just
go
to
the
same
company
together
or
abandon
the
project
together
or
leave
that
one
person
overwhelmed
with
the
massive
amount
of
things.
To
that
end,
I
think
that
we
should
be
very
clear
and
upfront
about
like
what
what
kind
of
those
expectations
are
and
and
cite
that
principle
that
rory
eloquently
stated
for
us,
the
lottery
one
as
the
kind
of
the
reasoning
for
why
we're
looking
at
that
particularly.
A
D
E
Yeah,
the
other
problem
with
the
specific
github
stars
is
that
quickly
becomes
a
popularity
contest
and
we
would
like
to
avoid
that
at
all
costs.
So
it's
a
good
idea
and
if
we
figure
out
a
way
to
do
a
somewhat
accurate
measurement
about
the
use
of
a
project
across
industry,
that
would
go
a
long
way
to
helping
them
in
seeking
incubation
and
graduation
criteria,
because
that
highlights
project
maturity.
E
So
I
think
that
was
more
about
what
we're
looking
for
is
like
what
is
the
project
maturity?
How?
How
do
we
quantify
that
as
something-
and
maybe
maybe
that's
not
necessarily
a
fixing
a
numerical
value
for
assignment
but
showcasing
where
that
falls
on
that
chasm
chart?
Is
it
early
early
adopter?
Is
it
innovation?
Is
it
like?
E
L
A
J
One
I
just
put
in
channel
brendan
is:
is
one
that's
fairly
good
at
all
at
a
high
level,
it's
not
going
to
go
in
depth
right
in
terms
of
just
understanding
contributors
contributions
commits
repositories.
That
type
of
thing
I
just
found
out
about
this
like
two
weeks
ago,
and
you
know
like
it's
pretty
incredible,
like
you-
can
kind
of
see
an
overview
of
each
one
of
the
underlying
projects.
J
How
many
lines
of
codes
are
there,
but,
like
again,
it
doesn't
stick
to
a
specific
criteria,
but
I
would
assume
that
the
upper
like
line
of
these
of
okay
x
amount
of
lines
of
code
exomatic
contributors
would
would
be
something
that
would
be
something
that
precludes
them
or
adds
them
to
whatever
thing
we
have
here
and
again.
I
think
this
is
beta,
but
it's
been
super
useful
in
some
of
the
recent
pursuits.
I'm.
F
J
J
K
A
C
You
know
an
often
overlooked
file,
but
a
great
indicator
of
the
product.
Health
is
the
adopters
file.
If
there
are
public
adopters,
it's
one
to
look
at
and
encouraging
people
to
do
that.
Yes,
for
security
projects,
there's
a
lot
of
organizations
that
won't
publicly
state.
This
is
what
we
do,
but
well
there's
there's
other
signs
of
evidence.
Whether
product
is
well
adopted
or
not
versus
a
developer.
Spawn
up
200
000
bucks
to
go.
Do
a
git
cone
from
this
thing.