From YouTube: CNCF SIG Security 2021-02-10
A: So I've shared the links to the agenda and the meeting minutes in the chat. I'll also share it on screen, and then we can get started. So I see folks are still trickling in.

A: One, I think, important update in terms of agenda we have is from Magno, so maybe you can share that first and then we can see if we need to move on to some other topics, or others, if they have anything to discuss.

C: No problem. Yeah, so, yeah. I just received an email from Jen half an hour ago and she said that she had a family issue, an urgent matter, that she won't be able to attend today to present the matter, MITRE ATT&CK for containers, right. What I can tell you guys so far is that they're working on a version of ATT&CK for containers, right, since Jen released a blog post last year on December 17.

C: I can get you the link soon, but yeah, and we reached out to them and we've been helping them with, like, providing evidence of real-world scenarios and everything, and they're planning to release the draft version publicly to the community next week.

C: So I think we will definitely reschedule this meeting after the draft for ATT&CK for containers is published. So yeah, that's all I can say.

A: Yeah, thanks Magno for the update, so it seems like the February 24th meeting would make more sense versus the next one. Is that correct?

B: If we have time, I'd like to kind of discuss a little bit about the presentation that we had last week around the Linux Foundation security scanning service, and kind of, I see Justin's on the call today, so kind of figure out a little bit about that in terms of what we can do to engage there as well, as you know, how we are going to see that as part of the TOC process.
G: Andrew, so quick update from me on the container, oh sorry, the supply chain working group. We're progressing, there's quite a few people contributing now to there. The document still got a fair way to go, I'd say, but the conversations we're having during the meeting and offline are pretty fruitful and I think we're starting to get some decent best practices into that document, but it still has, I'd say, quite a way to go. They're in the chat room that we have on the Slack channel.

G: There's a really interesting article that was published about dependency confusion. I'd recommend people read it, but it was quite nicely aligned to some of the work we're doing within there. So definitely one for the list of references, and I recommend people read it. That's a brief update from me.

G: It's really the regular Friday meeting calls that we have, just trying to update that document. I think in sort of three, four weeks we should come back to the formal group and sort of report on our progress, but everything that we're doing around the working group is funneled in that Friday call at the moment.

A: So John, for the benefit of others in the meeting, is there a way where people can join the Friday call? What would you recommend?

G: Completely, there's the Slack channel. The details are in the Slack channel, with the Zoom meeting details and the link to the paper we're writing as well. Okay, all right, click.

B: Yeah, Jonathan, do you think that it would be useful to also put that on the README so that anyone that comes by the page can kind of go directly to it?

B: Also, I'm not sure which Zoom that you're using, other kind of, I saw the question about the meeting recordings. Is that being set up, or if not, thinking that if you use this meeting ID, it will be uploaded automatically.

K: Security, something like that.

G: Absolutely, well, we're open to contributions for every single one of those. I think PKI, I believe Cole, who's on the line, took that particular area, but I'm sure we'd be open for any contributions around supply chain security. I think for runtime, or perhaps some of the protections we can put within the software factory itself, we're probably a little light at the moment.

A: Yeah, all right, great, so I know Brandon and Andrew have a couple of updates. Whoever wants to go next, go for it.
L: Thanks Brandon, I was about to say the same. Yeah, just a quick one from me. It is an appeal for papers.

L: The SANS Cloud Security Summit is now free this year, whereas traditionally they weren't, and the CFP is open until the 22nd of Feb and is well aligned to the copious interests of this group.

A: Thank you, Andrew. Brandon, you want to go next?

B: Yeah, so it's a small, kind of like a quick discussion. I don't know whether, maybe we can have this offline as well, but this is kind of more for Justin. I think we had a presentation last week about the Linux Foundation scanning tools, I forget what it's called, LFX or something like that, and we are wondering whether other new plants kind of do integrate this into the project process for TOC.

B: Yeah, so the meeting was about, so Schubert gave kind of an overview of the Linux Foundation.

B: They have a bunch of, a suite of things, right, so one of it was like the landscape stuff and all the stuff that the foundation does, and they have this new solution, which is kind of like in beta, and the idea is they're providing kind of like a scanning solution for Linux Foundation projects, and so it is a dashboard where they kind of scan the different projects in the Linux Foundation.

B: You know, show people that the projects have gone through security testing, that there is a way for them to evaluate the security of the open source projects when they want to use them within the enterprise, amongst many other things. So it seemed like they wanted to kind of build on what they were doing and do kind of like something similar to the CII badging system.

B: As I think, one of the things that came to mind was: is this something that, you know, we could say, as part of, you know, the graduation process or incubation process, that they have to be configured, if the scanning has to be done, and also the percentage of their projects or the code has to be scannable or set up for scanning?

I: Yeah, I think it's definitely something we should. It would be helpful to evaluate, like, what we think would be most useful. I mean, I think that if it goes into the badging program, then obviously we're going to also kind of automatically adopt it, so that would be one route, but I think, while it's in beta, maybe we want to try and help some projects try it out in CNCF and see what's working for them, what's not working for them, whether they find it easy to adopt and things, and see what value they're getting from it.

B: Okay, yeah, yeah. I think that sounds good, and maybe we can see whether we can get a few logins for, you know, the assessment project beats, and then they can evaluate, try and include some of those assessments as well.

E: We have the Buildpacks assessment, either starting soon, or started, or going on. Would that be a potential project that we can roll into this?

B: Yeah, I think that's, I think first we have to figure out how we are going to get the logins, because we can't access it yet, I think. So I can take that as an action item to kind of figure out how we can get access to that.
H: So the Buildpacks team already produced their self-assessment without being aware up front that this would have been an ask. I think at this point this is probably too late. It's also unclear, like, which of the tools, for example, there's a partnership with Snyk. That's great, a lot of projects would like to use Snyk, but they don't have the resources to pay for a paid subscription, or need to find a sponsor to do so.

H: Looking at the security tools under the LFX stuff, there's like Cloud Foundry, so not sure what might be applicable to Buildpacks, but it might not be applicable to other projects to use Cloud Foundry. So we need to do some work to evaluate, like, out of this thing, should make it there. Go ahead, Justin.

H: You're right, yeah, my coffee is yet to kick in today.

B: Yeah, I think we also kind of need access to it. So, you know, whenever that becomes available, we can kind of also look at this as, like, more for evaluation, so anything in retrospect, right. We can look at the results of the scans of those projects and kind of look at how it would have affected the security assessment in memory, whether it's a useful metric or not.

C: Okay, yeah, yeah, if it's tied into Snyk, I think that's the requirement for Snyk: once you log in, you tie it to your public GitHub account, and then you can add your, like, public open source projects to that. So they're going to start scanning.

F: Yeah, one just comment that I noticed. I went to the Linux Foundation portal, there is something called Red Team Project and under the Red Team Project there are a number of security tools that have been mentioned.

F: It's meant for, I believe, a number of security tools, including the pen testing, containerized, you know, pen testing, risk analysis and this kind of thing, so.

F: Sure, how to do so in the chat message box, okay.
H: Those of you who expressed interest to do so, and that if you haven't obtained your SIG membership, that you do so, that you familiarize with what's the charter of this group, what's Cloud Native Security Day at the end of the day ultimately all about, and as part of that, that you just put your name onto the SIG membership if you've been a regular attendee of these calls for a period of time. Moving on from there, well, we are engaged with the LF planning team for the event and there's going to be coordination.

H: Logistics: the CFP is open. I know folks had made some comments on the channel around whether the dates could be shuffled around to allow KubeCon acceptance or rejection of talks to happen and people to know whether, like, maybe they could reuse those talks here. We did check with the team at the Linux Foundation and it created a lot of pressure, and moving dates around, particularly, it would give presenters a much shorter runway to prepare presentations and, on the back end, that created a lot of other complications. So dates will remain as this.

E: They updated the site with some more information. So if you are interested in applying for KubeCon and submitting a CFP there as well as for Security Day, you can certainly do both, and then the Linux Foundation's program committee is going to work through and kind of do an audit to make sure that we don't inadvertently force you to talk twice at the same event.

H: But if you get picked for KubeCon, we believe, and the organization believes, that you want to make that your stage, and on Cloud Native Security Day, at the same time, we would encourage you to think of talks for Cloud Native Security Day to be targeted at a primarily security audience, more so than reusing something you present somewhere else. Or if you had great experience on a subject you've worked on, but you can hone that a little bit to be security focused, that would be fantastic.

E: I would like to say that, even if you can't attend, or you can't submit to the CFP, please tweet about it and share it with your network. We had a ton, a ton of attendees last year and we're also going to be running the capture the flag event again this year, so stay tuned for more information about that at a later date. But please, please share that.
K: Tune in tonight to Cloud Native TV, I'll be talking a little bit about this, so yeah, I'm gonna definitely give the, I want to make sure the group, because I think it's, again, it's, I like a co-located day on your KubeCon that has to do with security specifically, because, look, you'll get, we all know during the course of even like virtual events, it's like you get bombarded with so much stuff.

H: Happens with trans, a lot of it's going to revolve around supply chain security this year, which is a topic that needs a lot of attention right now. It's great, like, if you have great folks here that are experts and you're trying to advance the space, feel free to lean on those people. If you have ideas in mind that are not quite fully formed and you could use some help, Jonathan is available.

H: Mr. danpop is available. All of this is really good, and then please send the link to your stream. So, folks.

H: No, I know that Dan wanted to turn this into an improv session today, but.

A: I am actually all for improv, Dan, so we should sync up later. I am a big fan of improv, yeah.

A: Okay, all right, so, okay, everyone, back to business. So I think we don't have any other updates from anyone, so I'll make one last as the facilitator. So we had our first meeting today on retrospectives for the security white paper; five or six of us met. We discussed, basically in terms of next steps, a survey that would be drafted soon to get answers and information about things we want to know about the white paper and its distribution, as well as how it was received.

A: So we will be drafting that, starting today, and in a couple of weeks' time we'll meet again. If you want to be involved and haven't sent me an email already, feel free to send me one and I'll set up the invite for the retrospective about a couple of weeks from now, same time, one hour before the SIG Security weekly meeting. Second update:

A: There would be more to do with anecdotal feedback. Anything you have heard as an author or a contributor of SIG Security or a reader of the paper where you want to share some details, feel free to let us know, either put it in our security white paper channel as a post or share it with me, and if you want to be invited, also DM me on Slack, because I tend to miss Zoom direct DMs, so I'll send you the invite for the next time when we meet again. All right.

A: So looks like we have, we missed one update from Aratna, correct me if I'm wrong, right now.

K: Sorry, which update?

A: Okay, so if no update then great, thank you everyone for the meeting. I know I have some folks who have shared interest with improv today. I think that I will consider that as a win for today's meeting and let's catch up again next week.