From YouTube: CNCF SIG Security 2021-01-06
A
Hello, everyone, good morning. It's 10 on the dot; that will just give everyone maybe a couple more minutes to.
A
A
A
A
A
All right, I think we've got quite a few people on, and why don't we get started. Welcome, everyone. I guess happy new year, to kick off the first meeting for 2021, and we got quite a, quite a few people on. So that's, that's great. So this is my first time hosting the meeting. You know, it's so much easier to be in the audience than to host it, but bear with me as I was, I walk us through today.
A
Yourselves, okay, I'll take that as a no, and if not, are there any, any items that anyone would like to bring up before I go through the, you know, the roll call and call out if anybody has any updates or items that you'd like to talk.
A
A
Okay, and in that case I'm going to call on Emily. I know you probably want to ask people to take a look at PRs. Emily, would you like to say a few words on that?
B
B
So if everybody could take a look at some of the PRs that we have in there, and if you've looked at it and it looks fine, just drop a comment on the PR letting them know that it looks good to you. Things to pay attention to if you're new to this are language, grammar, spelling, making sure that it's in a line alignment with how we would like to see some of the content laid out, so text wrapping at 80 characters, spelling, those kinds of things. So that's the first thing about PRs.
B
The other piece is that we have a ton of issues. We have 94 current open, active, well, 94 open issues. A lot of them are inactive, so if you're new to the SIG or if you're, you've been around for a while and there's something that you want to take a look at, there are quite a few inactive issues that we'd like to kind of drum up attention to, to determine whether or not they're still valid, if there's still interest.
B
A
Yep, that's, that's a good point. Thanks a lot, Emily, and, and that's on me as well, and I, I have a couple I'd like to talk about. Maybe I'll come down and come back to it, but maybe, I know Brandon has something that you'd like to talk about. Brandon?
D
Yeah, happy new year, and I think kind of the, the main thing that I wanted to just highlight, let people know: last year in December we mentioned a little bit about the security landscape. Oh, and we also discussed that in nintendo name. Maybe next game isn't the, the best, the best way to describe it. So we are going to be kicking off that work next week, so I've scheduled, there is an issue that's open and I'll.
D
Let me look at it here. So I schedule a kickoff meeting just before our regular weekly meeting. So if you're interested in kind of helping to look at the landscape or contributing to it, definitely just leave a comment in that issue and I'll send you an invite to that. Other than that, the security assessment issues are going well. We have a couple books there looking into each of them, so hopefully within the next few weeks we can kind of present some of the, the purple changes. Yeah.
A
So great, thanks Brandon. So just to reiterate that, I think just for the purpose of, you know, if you're interested in an issue and if you'd like to partake and contribute, just please, you know, call yourselves out on those tickets and then, you know, the respective people.
A
Will, you know, loop you in into, you know, I don't know, maybe a private Slack chat or a Slack room or something, and then we can kick those off. And I noticed today that there are no other updates or topics that we want to talk about. So I, I had opened two PRs towards the end of last year, and Emily had warned me and I was being very ambitious and I completely dropped the ball on it. I was exhausted towards the end of the year, but here we are, brand new here.
A
Hopefully we can take it off, and the two issues that I, I had called out (and I think I've gotten some feedback on those PRs, thank you to everyone who responded) are a kind of like a webinar, like a round table, to talk about the cloud security white paper. So what I'd like to do, I think this, which is in line with what we've been doing, is I'll create a new Slack channel to call out all the people who have high.
A
You know, expressed an interest so that we could, you know, have some chats around it and figure out how we can make that happen. So that's one, and then the goal of that, just real quick, is to amplify the message of the cloud native security white paper. I think it's a fabulous artifact, there's so much of interesting stuff, but we want to make sure that people are aware of it and then understand the objectives and, and that, and the key takeaways, and so the more that we can do to amplify.
A
That message, I think, would be great, so I will do that. And the second thing is, we also talked about doing some double click kind of blogs. I know there was one blog that summarized the entire landscape that the paper, the security white paper, but then there is a, I think, there's plenty of opportunity to break it up.
A
So I created another PR, and I know it's on me to actually provide a little bit more context around that. I'm going to do that, and I've also seen some people express an interest. I believe it's 495 and 496.
A
at the end of the meeting today. Maybe I will reference it in, in our security check, but those are two things that I will definitely be kicking off, and hopefully we can all collaborate and get that off the ground. So those are two things that I wanted to talk about, and I don't know, maybe I, I got first time lucky. This might end up being one of our shortest meetings, but is there anything else that anybody would like to talk about?
E
So when I add a quick question on the two issues that you brought up, yes, the second part where we want to do micro blogs. Was there an issue about updating the paper with more content as well as version two?
E
A
B
Yeah, so there's actually a few issues that are open about the white paper. So there is the retrospective that push car had opened up on it. There's the micro blogs, there's the webinar, and then there's the breakout topics one, which is 4.95, and hey, that's the one that you had submitted and I had tagged and related it back to the retrospective.
B
So there's a few of them that are kind of all in that same realm that, I think, would be good to, to solidify that group, either through the current white paper channel for anything related to that or just creating a separate planning channel. And Vinay, you could probably use the SIG Security events channel for planning that webinar and having that conversation. We currently use it for the security day, but it's not restricted just to security day. So there's also that. I think, Brandon, do we already have a label for the white paper, right?
B
A
Emily, does it makes, that's a great point: does it make sense, at the risk of creating yet another issue, to actually, how do we, how do we correlate all these related issues? How do we typically do that, you.
B
A
D
A
A
D
Yeah, so, so the, the main idea is kind of, we, there has to be a definition of what the project is, kind of. It has to be like a defined piece of scoped work, and then with the timeline that we can keep track of. Okay, yep.
A
Yeah, that's a good, good idea. Thank you. All right! So yeah, now that's great. I will definitely go and clean that up, correlated so that everybody has visibility into all the related issues, and we can go from there. So.
E
I have one more thing. Sorry, yes, I'm gonna hold you. So, so one of the topics I wanted to discuss was, I don't know if you need to create an issue for this, but I came across this MITRE framework for Kubernetes and how that, how we can expand on that in our white paper in the next version. So do you guys think that'll be helpful? I, I feel there is a huge gap in the detection side of Kubernetes platforms today, and correlating information from different bits and pieces is really hard.
B
So the white paper we wanted to remain project or technology, specific agnostic, even though Kubernetes is like the, the thing that everybody is using. But for the Kubernetes detection issues, that might be something that's good to do with the Falco project and the Kubernetes security SIG, just kind of like putting together a group just to focus on those.
B
There was an article from one of the community members of Falco that talked about Kubernetes detection, runtime security. I'll see if, yeah.
F
Security researchers at cystic, yeah. I mean, in terms of the MITRE ATT&CK framework, those are the, so we, so I was part of that, and so to be able to. We wrote that because of a requirement from, from an investment bank that kind of wanted to have something mapped to it.
F
I don't know if that, you know, that could be something that could be more widespread. That's more of, obviously, the group here to kind of decide if that's the case, but it is an amazing framework to kind of say, here's, you know, the logic that could be put here. I just, I guess I'm trying to understand like what, what the end goal of that be. Kind of our best practices in the white paper, that's again, as Emily said, an agnostic piece there, or what are we trying to do with the amount of attack framework?
F
D
Were having this discussion a little bit, that there were quite a number of issues that came in and said kind of like, oh, it's there like a best practices, or he is like, here's a playbook, I'm looking for a playbook for security, and I think the general discussion has always led to: it always varies depending on what environment you're in, and also.
D
I think that it is difficult for us to kind of maintain that, this, for a different set of technologies that are very agile and keep, keep changing. I think we can kind of provide a, a page to reference all this material, but I don't think that we, is in school for us to maintain these things.
F
And Magnol has a good point in the chat here. I mean, if it's not an official framework, I think the, the tact we should have, and again in my humble opinion, is, like you said, is basically have links to, you know, things that could be used, but basically, you know, do we want to advocate a specific one? I don't, I don't know if that's something we want to specifically do.
A
Or how about this? Actually, that's a great point, I think, which is: do we want to consider like, like a git repo, subject repo or something like that, with a whole bunch of collated links that, that would be helpful in general?
D
There was a, so there's an issue going back, I think, about a year, about the micro, micro site, and part of the microscope was this thing about education, and then it had resources and as well as some additional information on how to do certain aspects of, aspects of security.
D
So we wanna, maybe if you wanna kind of start up the discussion again, we should continue that conversation in the issue. Let me find it and I'll send the check.
B
So yeah, there, there is an issue, issue number 110, it's for a micro site. It's something that we had talked about before, and I believe, Vinay, I have mentioned it to you as being maybe a good place to do micro blogs for this egg. Okay, but I'm gonna post the link for it in the chat.
B
So this is something that we've been wanting to do for a very long time, and there's a potential for a plethora of content. So I don't want to lose track of this particular discussion. But if folks are interested in the microsite, there's an issue, you can sign up for it. But I think a collective resource for not necessarily specifically Kubernetes security, but anything associated with cloud native security: documentation, resources and blogs, frameworks as well.
B
That kind of go just, just that extra step beyond for somebody that wants like a singular repository of where to go to look for things, because I've seen tons of cross posts and various Slack channels and Slack workspaces about, hey, this is how I collect and manage all of my Kubernetes related security information or Docker information, and so on.
H
A
an answer, I don't know, I think it was Dan who asked the question: what is the goal of putting MITRE or any framework, lowercase f, into the white paper? I, I have used that, not in the specific context of Kubernetes but in two different clouds, for mapping incident response, both in the preparation for incident response, tabletop exercises for incident response, and then actual incident responses, and, of course, for risk assessment, so proactively assessing risk and then retroactively, postmortem, assessing risks.
H
I
Yeah, no, I, I just want to add to, to this, as I've seen this Kubernetes MITRE framework for a while now. It was released by Microsoft like April in the last year, right? So it's not a, as I said in the chat, it's not an official framework, right, but MITRE has put out a blog post recently asking for help for, for the community and company, so we can either reach out to them, either as the, the security group or with your individual companies.
I
There, that's one of the things that we're doing here, and yeah, they're trying to create a, either like a minor framework for containers in general or are having both, one for, for containers and one specific for Kubernetes, so maybe like a cloud native MITRE framework would be a good idea to start. I don't know, so yeah. That's just my, my thoughts there.
F
So, so, just to kind of clarify, my thought was not like, hey, what do we, why are we doing, it's more like, why are we deciding, like, you know, the, the specifics here. And so this, that's great. I think it's, it's, it's where the minor attack framework is, is a great framework. If it's not adopted, like if it's not, like, has something specific, as you said, to cloud native, I think that's something that we, you know, maybe we should somewhat get involved with, but we shouldn't advocate anything.
F
I
Yeah, what I like about the framework is that they focus on real-world scenarios, right, so they only add stuff that they see in real life attacks or like honey pots and stuff. So that's what they're looking for help with. So yeah, I think it's a great framework, and, and if we can provide any guidance or help or any data for them, it would be very helpful for the community as a whole.
A
I mean, my, my sense over there is like, even looking at that Microsoft blog post, at least the one that I posted there, was, you know, this whole space, people are still learning. People are still trying to understand it. So it's, it's.
A
It's really good for them to understand all the different threat vectors and then the way the threats progress and so on. So, and, and I understand it's not officially official, but maybe we can make it into some other type of a threat framework and not call it a MITRE framework, but just to help educate the, the, the community around generic threats for, I don't know, Kubernetes and containers. Maybe that's a thought.
F
One of the things, I'm sorry to bulgar at the meeting, but I have one thought here: I, I was, I'm also in the CNCF financial services user group, and they're looking for like a specific, like, set of guidelines from a security perspective, and if security is the one that's the overarching, saying this is the one that we think is, is, you know, whatever it is, I think we have to basically put our line in the sand.
F
At some point say: yes, we're going to support the MITRE ATT&CK framework, and here's some great concepts that you all want, want to use, you know, out of the box, right? It's, and again, it's vendor agnostic, because every vendor is going to be able to have, you know, MITRE ATT&CK framework. You know, the discussions, it's up to the end user to choose what those things are. So I think, yeah, at some point.
F
C
The, the framework of choice is gonna depend where people are coming from and how much time do they have available, and what the scenario is. Someone may opt for, like, oh, we're gonna go do ssri, we don't need to do like full-on emitter. So it could be a, hey, look, these are all the frameworks that are out there, like they're great, they're proven to work, here are the considerations of one over the other, apply whichever is applicable in the given instance.
C
B
So in the past, we've talked about creating threat matrices or assisting in projects and doing a threat matrix for themselves as part of the security assessments. And when we were doing cloud native security white paper, we kind of talked a little bit about threat assessments and how much of that content should go into the white.
D
B
And I think that it might be beneficial to have that as a, one of the breakout topics. That way we can move forward in that space, because I've also seen requests for that same information, and perhaps having it broken out. I think Aradna had mentioned at the cast and the fast level would also be beneficial, so not just through orchestration and containers, but also going down to serverless too.
G
C
G
A
I think, no worries, I think maybe this calls for another ticket so that we can collate all our ideas put together, because I know these are fantastic ideas, but that's just the best option, where we put down all our ideas collated, have a separate working group and then figure out how we can converge and land somewhere that's useful for the community, so.
A
C
C
But everything was like just thrown out of the window, and every single person came from a different background and have different opinions. So perhaps we can exemplify of, hey, actually get people who are performing different, you're using different frameworks and are producing or extrapolating from all of it and coming up with something better. Ultimately, that could be like basic security approach.
A
B
J
F
J
My company has an mda with them, and they've got two divisions. You know, one is to exploit industrialization, commercialization things. The more researchy folks are working on a unified ontology for cyber security, which I know is separate from this threat landscape stuff, which tends to be more practical. In our organization, the ops people are very focused on the attack surface and reconciling the telemetry from our tooling into the, into the threat, but across information security more broadly, and especially looking at DevSecOps, the threat matrix is not well integrated.
J
The, the MITRE framework for the attack services are not, isn't quite as well integrated, so that's, so what I am trying to say is MITRE, other folks at MITRE are interested in that broader issues as we are, so it might be interested to.
J
J
You know, they're an FFRDC, but they're reluctant to talk about things that they think are proprietary, even though it's federal dollars, often, that are just promoting the work that they're doing, so it can be frustrating to talk to them. But there's a lot of interesting work there that they're, that they're trying to do, and if you try to do automation of brown security, you're going to find yourself trying to do things with UCO or one of the MITRE taxonomies. So it might be.
J
E
Yeah, Mark, that's a great point. I do have some connections at MITRE as well through NIST, so I'll reach out to them as well and see if they are interested in working with us on this, and then get back to the team and, or include them.
J
A
So I know Magnum made a comment we can reach out to the MITRE ATT&CK for continuous team lead, which was one that posted the blog. So do.
I
Yeah, there is a, a link to a blog post and migra ingenuity posted on December 17, on, on the chat there. I can post it again. So Jen Burns is the one that's leading this MITRE for containers, might have attack for containers.
I
I reached out to her already, like for, for us to provide some, some data and information related to what we've seen out there in the wild, but yeah. We, I, I have her email and we can definitely contact her and ask her to join in a next meeting or any other date.
A
D
Yeah, I think we have also, we have a string of good presentations this month. I think I'm doing the ufo, so we have to break off project, which is on unsigning transparency, similar to certificate transparency.
A
Awesome, guys, that was a great discussion here. I'm looking forward to what we do with the, the MITRE framework in the context of containers, and, you know, going one last time: any, anything else that you guys would like to talk about?
H
If it's the last option, I just mentioned that we did have our policy work group meeting. We have.
H
A.M. Pacific every other week on Wednesdays. So I, I think that there's some magic process that occurs where that, because we use the same Zoom and I'm not sure how it gets archived. But I think there is some process that can occur to archive those videos, so I'll, I'll follow up. Jim usually handles that. I don't think he's on right now, but we'll try to post that on the, and there's a Google doc with the agenda notes.
H
Today's talk, we had a presentation about mapping our, the policy work group has produced a Kubernetes CRD for policy report output, and the presentation today was about mapping that to OSCAL, and specifically, for those familiar with OSCAL, the SAR, the assessment report or assessment results. So anyone's interested in that, you can review the recording when it's posted, or just reach out on Slack and we'll, we'll try to send it to everyone.
H
K
Great, thank you. All right. Well, another quick question, sure.
D
L
About the automation of the security assessment process and creating tooling, and I missed the, the meeting where, when they were discussed. I just wanted to ask about the differences between them. There was a mini discussion in the GitHub issues about that, but if someone can clarify, because that sounds very, very interesting and relevant for me. I just want to understand the nuance there.
A
A
So I think there was just a lot of discussion around it, and I don't think we landed anywhere in particular, but once again, that's another one where we weren't quite sure. There were some concerns on cost and operationalizing it and liveliness, and how do you keep all the projects updated and so on. So, so that's where we were at. I mean, it was a, it was a good topic to talk about, but I think that, once again, the devil is in the details and we really need to understand the scope and converge on that.
L
All right, so, so maybe a more specific question. Oh yeah.
D
No, I was going to say, I think, just for the, I don't know whether you're kind of thinking about it in terms of the security assessment, what group issues that we're looking at, but I think for now, you know, since that's kind of something that is just started the discussion on, we should not include that, and kind of the, the specific points that we discussed during the web group, just so that we don't, we don't grow the scope too much.
D
A
Thanks. Okay, thank you. Well, I think I'm gonna finally call it, folks. Thank you very much, happy new year, and look forward to a great year ahead. Cheers, Vinay! You did a great job. Good.