►
From YouTube: CNCF SIG Security 2021-01-06
Description
CNCF SIG Security 2021-01-06
A
A
A
A
A
A
All
right,
I
think,
we've
got
quite
a
few
people
on
and
why
don't
we
get
started
welcome
everyone.
I
guess
happy
new
year
to
kick
off
the
first
meeting
for
2021
and
we
got
quite
a
quite
a
few
people
on.
So
that's
that's
great.
So
this
is
my
first
time
hosting
the
meeting.
You
know
it's
so
much
easier
to
be
in
the
audience
than
to
host
it,
but
bear
with
me
as
I
was.
I
walk
us
through
today.
A
A
A
B
B
So
if
everybody
could
take
a
look
at
some
of
the
pr's
that
we
have
in
there
and
if
you've
looked
at
it-
and
it
looks
fine-
just
drop
a
comment
on
the
pr
letting
them
know
that
it
looks
good
to
you
things
to
pay
attention
to
if
you're
new
to
this
are
language
grammar
smelling,
making
sure
that
it's
in
a
line
alignment
with
how
we
would
like
to
see
some
of
the
content
laid
out
so
text
wrapping
at
80
characters,
spelling
those
kinds
of
things.
So
that's
the
first
thing
about
prs.
B
The
other
piece
is
that
we
have
a
ton
of
issues.
We
have
94
current
open,
active,
well,
94,
open
issues.
A
lot
of
them
are
inactive,
so
if
you're
new
to
the
sig
or
if
you're
you've
been
around
for
a
while
and
there's
something
that
you
want
to
take
a
look
at.
There
are
quite
a
few
inactive
issues
that
we'd
like
to
kind
of
drum
up
attention
to
to
determine
whether
or
not
they're
still
valid.
If
there's
still
interest.
B
A
D
Yeah
happy
new
year
and
I
think
kind
of
the
the
main
thing
that
I
wanted
to
just
highlight.
Let
people
know
last
year
in
december
we
mentioned
a
little
bit
about
the
security
landscape.
Oh
and
we
also
discussed
that
in
nintendo
name.
Maybe
next
game
isn't
the
the
best
the
best
way
to
describe
it.
So
we
are
going
to
be
kicking
off
that
work
next
week,
so
I've
scheduled
there
is
an
issue,
that's
open
and
I'll.
D
Let
me
look
at
it
here,
so
I
schedule
a
kickoff
meeting
just
before
our
regular
weekly
meeting.
So
if
you're
interested
in
kind
of
helping
to
look
at
the
landscape
or
contributing
to
it,
definitely
just
leave
a
comment
in
that
issue
and
I'll.
Send
you
an
invite
to
that
other
than
that
the
security
assessment
issues
are
going
well,
we
have
a
couple
books
there
looking
into
each
of
them,
so
hopefully,
within
the
next
few
weeks
we
can
kind
of
present
some
of
the
the
purple
changes.
Yeah.
A
Will
you
know
loop
you
in
into
you
know
I
don't
know,
maybe
a
private
slack
chat
or
a
slack
room
or
something,
and
then
we
can
kick
those
off,
and
I
noticed
today
that
there
are
no
other
updates
or
topics
that
we
want
to
talk
about.
So
I
I
had
opened
two
prs
towards
the
end
of
last
year
and
emily
had
warned
me
and
I
was
being
very
ambitious
and
I
completely
dropped
the
ball
on
it.
I
was
exhausted
towards
the
end
of
the
year,
but
here
we
are
brand
new
here.
A
Hopefully
we
can
take
it
off
and
the
two
issues
that
I
I
had
called
out
and
I
think
I've
gotten
some
feedback
on
those
pr's.
Thank
you
to
everyone
who
responded
are
a
kind
of
like
a
webinar
like
a
round
table
to
talk
about
the
cloud
security
white
paper.
So
what
I'd?
Like
to
do,
I
think
this,
which
is
in
line
with
what
we've
been
doing,
is
I'll,
create
a
new
slack
channel
to
call
out
all
the
people
who
have
high.
A
You
know
expressed
an
interest
so
that
we
could,
you
know,
have
some
chats
around
it
and
figure
out
how
we
can
make
that
happen.
So
that's
one
and
then
the
goal
of
that
just
real
quick
is
to
amplify
the
message
of
the
cloud
native
security
white
paper.
I
think
it's
a
fabulous
artifact,
there's
so
much
of
interesting
stuff,
but
we
want
to
make
sure
that
people
are
aware
of
it
and
then
understand
the
objectives
and,
and
that
and
the
key
takeaways,
and
so
the
more
that
we
can
do
to
amplify.
A
That
message,
I
think,
would
be
great,
so
I
will
do
that
and
the
second
thing
is,
we
also
talked
about
doing
some
double
click
kind
of
blogs.
I
know
there
was
one
blog
that
summarized
the
entire
landscape
that
the
paper
the
security
white
paper,
but
then
there
is
a,
I
think,
there's
plenty
of
opportunity
to
break
it
up.
A
A
at
the
end
of
the
meeting
today.
Maybe
I
will
reference
it
in
in
our
security
check,
but
those
are
two
things
that
I
will
definitely
be
kicking
off
and
hopefully
we
can
all
collaborate
and
get
that
off
the
ground.
So
those
are
two
things
that
I
wanted
to
talk
about
and
I
don't
know
maybe
I
I
got
first
time
lucky.
This
might
end
up
being
one
of
our
shortest
meetings,
but
is
there
anything
else
that
anybody
would
like
to
talk
about.
E
E
A
B
Yeah,
so
there's
actually
a
few
issues
that
are
open
about
the
white
paper.
So
there
is
the
retrospective
that
push
car
had
opened
up
on
it.
There's
the
micro
blogs,
there's
the
webinar
and
then
there's
the
breakout
topics,
one
which
is
4.95
and
hey,
that's
the
one
that
you
had
submitted
and
I
had
tagged
and
related
it
back
to
the
retrospective.
B
So
there's
a
few
of
them
that
are
kind
of
all
in
that
same
realm.
That
I
think,
would
be
good
to
to
solidify
that
group,
either
through
the
current
white
paper
channel
for
anything
related
to
that
or
just
creating
a
separate
planning,
channel
and
vinay.
You
could
probably
use
the
sig
security
events
channel
for
planning
that
webinar
and
having
that
conversation,
we
currently
use
it
for
the
security
day,
but
it's
not
restricted
just
to
security
day.
So
there's
also
that
I
think
brandon
do.
We
already
have
a
label
for
the
white
paper
right.
B
A
B
A
D
A
A
D
A
E
I
have
one
more
thing:
sorry,
yes,
I'm
gonna
hold
you
so
so
one
of
the
topics
I
wanted
to
discuss
was,
I
don't
know
if
you
need
to
create
an
issue
for
this,
but
I
came
across
this
mitre
framework
for
kubernetes
and
how
that
how
we
can
expand
on
that
in
our
white
paper
in
the
next
version.
So
do
you
guys
think
that'll
be
helpful?
I
I
feel
there
is
a
huge
gap
in
the
detection
side
of
kubernetes
platforms
today
and
correlating
information
from
different
bits
and
pieces
is
really
hard.
B
So
the
white
paper
we
wanted
to
remain
project
or
technology,
specific
agnostic,
even
though
kubernetes
is
like
the
the
thing
that
everybody
is
using,
but
for
the
kubernetes
detection
issues.
That
might
be
something
that's
good
to
do
with
the
falco
project
and
the
kubernetes
security
sig,
just
kind
of
like
putting
together
a
group
just
to
focus
on
those.
F
F
I
don't
know
if
that
you
know
that
could
be
something
that
could
be
more
widespread.
That's
more
of
obviously
the
group
here
to
kind
of
decide
if
that's
the
case,
but
it
is
an
amazing
framework
to
kind
of
say
here's.
You
know
the
logic
that
could
be
put
here.
I
just
I
guess
I'm
trying
to
understand
like
what
what
the
end
goal
of
that
be
kind
of
our
best
practices
in
the
white
paper.
That's
again,
as
emily
said,
an
agnostic
piece
there,
or
what
are
we
trying
to
do
with
the
amount
of
attack
framework.
F
D
Were
having
this
discussion
a
little
bit
that
there
were
quite
a
number
of
issues
that
came
in
and
said
kind
of
like?
Oh,
it's
there
like
a
best
practices
or
he
is
like
here's,
a
playbook,
I'm
looking
for
a
playbook
for
security,
and
I
think
the
general
discussion
has
always
led
to
it
always
varies
depending
on
what
environment
you're
in
and
also.
D
F
And
magnol
has
a
good
point
in
the
chat
here
I
mean
if
it's
not
an
official
framework,
I
think
the
the
tact
we
should
have
and
again
in
my
humble
opinion
is
like
you
said,
is
basically
have
links
to
you
know
things
that
could
be
used,
but
basically
you
know.
Do
we
want
to
advocate
a
specific
one?
I
don't
I
don't
know
if
that's
something
we
want
to
specifically
do.
A
D
D
B
B
So
this
is
something
that
we've
been
wanting
to
do
for
a
very
long
time
and
there's
a
potential
for
a
plethora
of
content.
So
I
don't
want
to
lose
track
of
this
particular
discussion.
But
if
folks
are
interested
in
the
microsite
there's
an
issue,
you
can
sign
up
for
it,
but
I
think
a
collective
resource
for
not
necessarily
specifically
kubernetes
security,
but
anything
associated
with
cloud
native
security,
documentation,
resources
and
blogs
frameworks
as
well.
B
That
kind
of
go
just
just
that
extra
step
beyond
for
somebody
that
wants
like
a
singular
repository
of
where
to
go,
to
look
for
things,
because
I've
seen
tons
of
cross
posts
and
various
slack
channels
and
slack
workspaces
about
hey.
This
is
how
I
collect
and
manage
all
of
my
kubernetes
related
security,
information
or
docker
information,
and
so
on.
H
A
an
answer
I
don't
know,
I
think
it
was
dan
who
asked
the
question:
what
is
the
goal
of
putting
mitre
or
any
framework
lowercase
f
into
the
white
paper?
I
I
have
used
that
not
in
the
specific
context
of
kubernetes
but
in
two
different
clouds
for
mapping
incident
response
both
in
the
preparation
for
incident
response,
tabletop,
exercises
for
incident
response
and
then
actual
incident
responses
and,
of
course,
for
risk
assessment,
so
proactively
assessing
risk
and
then
retroactively
postmortem
assessing
risks.
H
I
Yeah,
no,
I
I
just
want
to
add
to
to
this
as
I've
seen
this
kubernetes
miter
framework
for
a
while.
Now
it
was
released
by
microsoft
like
april
in
the
last
year
right.
So
it's
not
a.
As
I
said
in
the
chat,
it's
not
an
official
framework
right,
but
miter
has
put
out
a
blog
post
recently
asking
for
help
for
for
the
community
and
company,
so
we
can
either
reach
out
to
them
either
as
the
the
security
group
or
with
your
individual
companies.
I
There
that's
one
of
the
things
that
we're
doing
here
and
yeah
they're,
trying
to
create
a
either
like
a
minor
framework
for
containers
in
general
or
are
having
both
one
for
for
containers
and
one
specific
for
kubernetes,
so
maybe
like
a
cloud
native
miter
framework
would
be
a
good
idea
to
start.
I
don't
know
so
yeah.
That's
just
my
my
thoughts.
There.
F
So
so,
just
to
kind
of
clarify
my
thought
was
not
like
hey
what
do
we?
Why
are
we
doing
it's
more
like?
Why
are
we
deciding
like?
You
know
the
the
specifics
here,
and
so
this
that's
great.
I
think
it's
it's
it's
where
the
minor
attack
framework
is
is
a
great
framework.
If
it's
not
adopted
like
if
it's
not
like
has
something
specific.
As
you
said
to
cloud
native,
I
think
that's
something
that
we
you
know.
Maybe
we
should
somewhat
get
involved
with,
but
we
shouldn't
advocate
anything.
F
I
Yeah,
what
I
like
about
the
framework
is
that
they
focus
on
real-world
scenarios
right,
so
they
only
add
stuff
that
they
see
in
real
life
attacks
or
like
honey
pots
and
stuff.
So
that's
what
they're
looking
for
help
with
so
yeah,
I
think
it's
a
great
framework
and
and
if
we
can
provide
any
guidance
or
help
or
any
data
for
them.
It
would
be
very
helpful
for
the
community
as
a
whole.
A
A
It's
really
good
for
them
to
understand
all
the
different
threat,
vectors
and
then
the
way
the
threats,
progress
and
so
on
so
and-
and
I
understand
it's
not
officially
official,
but
maybe
we
can
make
it
into
some
other
type
of
a
threat
framework
and
not
call
it
a
mitre
framework,
but
just
to
help
educate
the
the
the
community
around
generic
threats.
For
I
don't
know,
kubernetes
and
containers,
maybe
that's
a
thought.
F
One
of
the
things
I'm
sorry
to
bulgar
at
the
meeting,
but
I
have
one
thought
here:
I
I
was
I'm
also
in
the
cncf
financial
services,
user
group
and
they're.
Looking
for
like
a
specific,
like
set
of
guidelines
from
a
security
perspective,
and
if
security
is
the
one
that's
the
overarching
saying
this
is
the
one
that
we
think
is.
Is
you
know
whatever
it
is?
I
think
we
have
to
basically
put
our
line
in
the
sand.
F
At
some
point
say:
yes,
we're
going
to
support
the
miter
attack
framework
and
here's
some
great
concepts
that
you
all
want
want
to
use.
You
know
out
of
the
box
right,
it's
and
again
it's
vendor
agnostic,
because
every
vendor
is
going
to
be
able
to
have.
You
know
miter
attack
framework.
You
know
the
discussions,
it's
up
to
the
end
user,
to
choose
what
those
things
are.
So
I
think
yeah
at
some
point.
F
C
The
the
framework
of
choice
is
gonna
depend
where
people
are
coming
from
and
how
much
time
do
they
have
available,
and
what
the
scenario
is
someone
may
opt
for.
Like
oh
we're,
gonna
go
do
ssri.
We
don't
need
to
do
like
full-on
emitter,
so
it
could
be
a
hey
look.
These
are
all
the
frameworks
that
are
out
there,
like
they're
great
they're,
proven
to
work
here
are
the
considerations
of
one
over
the
other
apply,
whichever
is
applicable
in
the
given
instance.
C
B
So
in
the
past,
we've
talked
about
creating
threat,
matrices
or
assisting
in
projects
and
doing
a
threat
matrix
for
themselves
as
part
of
the
security
assessments.
And
when
we
were
doing
cloud
native
security
white
paper,
we
kind
of
talked
a
little
bit
about
threat
assessments
and
how
much
of
that
content
should
go
into
the
white.
D
B
And
I
think
that
it
might
be
beneficial
to
have
that
as
a
one
of
the
breakout
topics
that
way
we
can
move
forward
in
that
space,
because
I've
also
seen
requests
for
that
same
information
and
perhaps
having
it
broken
out.
I
think
aradna
had
mentioned
at
the
cast
and
the
fast
level
would
also
be
beneficial,
so
not
just
through
orchestration
and
containers,
but
also
going
down
to
serverless
too.
G
C
G
A
I
think
no
worries,
I
think
maybe
this
calls
for
another
ticket
so
that
we
can
collate
all
our
ideas
put
together,
because
I
know
these
are
fantastic
ideas,
but
that's
just
the
best
option
where
we
put
down
all
our
ideas
collated,
have
a
separate
working
group
and
then
figure
out
how
we
can
converge
and
land
somewhere.
That's
useful
for
the
community,
so.
A
C
C
But
everything
was
like
just
thrown
out
of
the
window,
and
every
single
person
came
from
a
different
background
and
have
different
opinions.
So
perhaps
we
can
exemplify
of
hey,
actually
get
people
who
are
performing
different
you're
using
different
frameworks
and
are
producing
or
extrapolating
from
all
of
it
and
coming
up
with
something
better.
Ultimately,
that
could
be
like
basic
security
approach.
A
B
J
F
J
My
company
has
an
mda
with
them,
and
they've
got
two
divisions.
You
know
one
is
to
exploit
industrialization
commercialization
things.
The
more
researchy
folks
are
working
on
a
unified
ontology
for
cyber
security,
which
I
know
is
separate
from
this
threat
landscape
stuff,
which
tends
to
be
more
practical
in
our
organization.
The
ops
people
are
very
focused
on
the
attack
surface
and
reconciling
the
telemetry
from
our
tooling
into
the
into
the
threat,
but
across
information,
security,
more
broadly
and
especially
looking
at
devsecops,
the
threat
matrix
is
not
well
integrated.
J
J
You
know
they're
an
ffrdc
but
they're
reluctant
to
talk
about
things
that
they
think
are
proprietary,
even
though
it's
federal
dollars,
often
that
are
just
promoting
the
work
that
they're
doing
so
it
can
be
frustrating
to
talk
to
them.
But
there's
a
lot
of
interesting
work
there
that
they're
that
they're
trying
to
do,
and
if
you
try
to
do
automation
of
brown
security,
you're
going
to
find
yourself
trying
to
do
things
with
uco
or
one
of
the
miter
taxonomies.
So
it
might
be.
J
E
J
A
I
I
A
D
H
H
A.M-
pacific
every
other
week
on
wednesdays.
So
I
I
think
that
there's
some
magic
process
that
occurs
where
that,
because
we
use
the
same
zoom
and
I'm
not
sure
how
it
gets
archived.
But
I
think
there
is
some
process
that
can
occur
to
archive
those
videos,
so
I'll
I'll
follow
up.
Jim,
usually
handles
that.
I
don't
think
he's
on
right
now,
but
we'll
try
to
post
that
on
the
and
there's
a
google
doc
with
the
agenda
notes.
H
D
L
About
the
automation
of
the
security
assessment
process
and
creating
tooling-
and
I
missed
the
the
meeting
where
when
they
were
discussed,
I
just
wanted
to
ask
about
the
differences
between
them.
There
was
a
mini
discussion
in
the
github
issues
about
that,
but
if
someone
can
clarify
because
that
sounds
very,
very
interesting
and
relevant
for
me,
I
just
want
to
understand
the
nuance.
There.
A
A
So
I
think
there
was
just
a
lot
of
discussion
around
it
and
I
don't
think
we
landed
anywhere
in
particular,
but
once
again,
that's
another
one
where
we
weren't
quite
sure
there
were
some
concerns
on
cost
and
operationalizing
it
and
liveliness,
and
how
do
you
keep
all
the
projects
updated
and
so
on?
So
so
that's
where
we
were
at
I
mean
it
was
a.
It
was
a
good
topic
to
talk
about,
but
I
think
that
once
again
the
devil
is
in
the
details
and
we
really
need
to
understand
the
scope
and
converge
on
that.
D
No,
I
was
going
to
say
I
think,
just
for
the
I
don't
know
whether
you're
kind
of
thinking
about
it
in
terms
of
the
security
assessment.
What
group
issues
that
we're
looking
at,
but
I
think
for
now
you
know,
since
that's
kind
of
something
that
is
just
started
the
discussion
on.
We
should
not
include
that
and
kind
of
the
the
specific
points
that
we
discussed
during
the
web
group
just
so
that
we
don't
we
don't
grow
the
scope
too
much.