Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / Security Special Interest Group / 10 Feb 2021
Cloud Native Computing Foundation / Security Special Interest Group / 10 Feb 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: CNCF SIG Security 2021-02-10

Description

CNCF SIG Security 2021-02-10

A

Hey everyone we'll just wait for other folks to join. I know some of us were in a previous meeting. That's just wrapping up.

A

Hi everyone- I am the facilitator for the meeting today- first time as facilitator, so go easy on me. We'll start in a couple of minutes. I know some folks brandon and emily and others are wrapping up the other meeting and I see they join me.

B

Yeah sorry, I did. I did a horrible thing. I I dragged a meeting way over time.

A

No worries.

B

You're fine.

A

uh Okay, so just some quick logistics.

A

uh This is a reminder that this meeting is being recorded and posted to youtube shortly after your participation in these meetings is an agreement to abide by the security code of conduct which can be found in the report.

A

So I've shared the links to the agenda uh and the meeting minutes in the chat I'll also share it on screen, and then we can get started. So I see folks are still trickling in.

A

One uh I think, important update in terms of agenda we have is from magnum, so maybe you can share that first and then we can see if we need to move on to some other topics or others others if they have any thing to discuss.

C

No problem yeah, so yeah. I just received an email from jen half an hour ago and she said that she had a family issue, an urgent matter that she won't be able to attend today to present the matter. Mitre attack for containers right. um What I can tell you guys so far is that um they're working on on a version for the the the thank you for containers right on um since uh jen released a blog post last year on december uh 17.

C

I can get you the link soon, but but yeah and and we've been we reach out to them and uh we've been helping them with, like providing uh evidence of real-world scenarios and everything and they're planning to release the draft version publicly to the community next week.

C

So I think uh we will definitely reschedule this meeting after the the the draft for the attack for containers is published. So yeah, that's that's all I can say.

A

Yeah thanks thanks mangrove for the update, so it seems like uh february 24th meeting would make more sense versus the next one. Is that correct.

C

I'll have to double check with her, so our update I'll get the the updated date next week.

A

Okay sounds good, sounds good, thank you. So we also need some scribes if anyone wants to volunteer, but most likely this will be a quick meeting. Now that the proposed agenda topic is has to be rescheduled.

B

uh Yeah, I can't access the google doc for some reason, but I was.

D

Just having that same problem, I thought it was just me yeah.

E

No, it just happened for me too. I started typing.

A

Yeah, I can access it now, so hopefully it gets back to you all this way. I think that.

F

Means your scribe.

A

As well, sorry, if.

B

We have, uh if we have time um I'd like to kind of discuss a little bit about um the the presentation that we had last week around the linux, this, the linux foundation, security scanning service and kind of I I see justin's on on the call today so kind of figure out a little bit about that in terms of what we can do to engage there as well. As you know how we are going to see that as part of the toc process.

A

Yeah yeah, I think we have time so we can discuss that now and then I'm thinking we'll get to the updates from john and.

G

Andrew so quick, quick update from me um on the the container. uh Oh sorry, the the supply chain working group um we're progressing, there's quite a few people uh contributing now to their. The document still got a fair way to go I'd say, um but the conversations we're having during the meeting and and offline are pretty fruitful and I think, we're starting to get some decent best practices into that document, but still has saying quite a way to go. They're in the chat room that we have the on the slack channel.

G

uh There's a really interesting article that was uh published um about uh dependency, confusion, I'd, recommend, people read it, but it was quite nicely aligned to some of the work we're doing within there. So definitely one for the uh the list of references and recommend people read it. That's a brief update for me.

H

Jonathan, are you thinking of a follow-up call to bring together the the offline work or how do you want to go from from this point on.

G

It's really the the regular friday meeting calls that we have just trying to update that document. uh I think in in uh sort of three four weeks we should come back to the uh the formal group and sort of report on our progress, but everything that we're doing uh around the working group is funneled in that friday. Call at the moment.

H

Fantastic cool.

A

So john, for the benefit of others uh in the meeting is, is there a way where people can join the friday call? What would you recommend.

G

Completely uh there's um the slack channel. The details are in the slack channel for with uh the zoom meeting details and the link to the paper. We're writing as well. Okay, all right click.

I

um

J

On the.

I

It's on the cncf calendar. Now, if you subscribe to the cncf calendar, okay,.

G

Excellent.

I

Thank.

G

You justin.

B

Yeah jonathan, do you think that it would be um useful to also put that on the readme so that anyone that comes by the page can kind of go directly to it?.

G

uh Which read me you're, referring to the.

B

Cncf.

B

Also, I'm not sure which zoom um that you're, using other kind of I saw the question about the meeting recordings. Is that being set up or if not thinking that, if you use the this this meeting id, it will be uploaded automatically.

E

Brandon they have a separate meeting.

B

Through.

E

The sig security it has the recording enabled but they're not being posted to youtube. They have to be pulled out. Gotcha.

G

Is that something I can do or help with or.

E

I think that's something that only the uh chairs can control. So let me go back through I'll. Take an action to go back through and pull the recordings out and get them posted into a document or an agenda note if it's the one, that's in the um channel great. Thank you.

H

One more question: so I'm discussing supply chain security as a whole there's many different areas that come together are there particular areas where you're looking for help say: key management is a topic that's often unresolved or there's different opinions or runtime.

K

Security, uh something like that.

G

Absolutely well we're open to contributions for every single one of those I think pki. I believe cole who's on the line took that particular area, but I'm sure we'd be open for any contributions around uh around supply chain security. I think for runtime or runtime or or perhaps some of the protections we can put within the software factory itself. We're probably a little light at the moment.

A

Yeah, all right great, uh so I know brandon and andrew have a couple of updates. Whoever wants to go next, go for it.

B

Oh andy, you can go ahead.

L

Thanks brandon, I was about to say the same um uh yeah, just a quick one from me. uh It is an appeal for papers.

L

The sans cloud security summit is uh now free this year, whereas traditionally they weren't and the cfp is open until the 22nd of feb and is well aligned to the copious interests of this group.

L

There are lots of topics they're interested in specifically, probably as usual case studies, best practices, innovation, identity, hybrid environments and all the good stuff. I will post what I've just said into slack and into this channel. um Oh, you beat me to thank you magnum magno.

L

There you go I'll, put those notes in there as well. uh Yes, so it should be good. I will also be slinging my aura in with something as yet undecided and all are welcome. Please do submit all right.

A

Thank you, andrew uh brandon. You want to go next.

B

Yeah, so um is a small kind of like a quick discussion. I don't know whether it's maybe we can have have this offline as well, but this is kind of more for um more for justin. I think we we had a presentation last week um about the linux foundation scanning tools. um I forget what it's called lnx or something like that, um and we are wondering whether um other new plants kind of do integrate this into the the project process for tlc.

B

um Is there anything that we can do from the sikh perspective to kind of evaluate this, or you know, start integrating the use of it into our assessment process?.

A

Just looking at the nodes, it seems like it's called lfx.

L

Right: okay, yeah.

E

Hey brandon, can you do a quick recap on what was specifically discussed at that meeting for folks that may not have been able to meet it or had a chance to watch the video.

B

Yeah so so the um the meeting was about um so schubert gave a kind of an overview of the linux foundation.

B

They have, they have a bunch of a suite of things right, so one of it was like the the um the landscape stuff and all the the stuff that the foundation does, and they have this new um new solution, which is kind of like in beta, and the idea is they're, providing kind of like a scanning solution for linux foundation projects, and so it is a dashboard um where they kind of scan the different projects into the notes foundation.

B

They come up with reports and the idea for this is to kind of provide.

B

um You know, show people that the projects have gone through security testing, that there is a way for them to evaluate the security of the open source projects when they want to use them with the enterprise, uh amongst many other things, so it seemed like they wanted to kind of build um what they were doing and do kind of like something I like to the ci badging system.

B

um As I think, one of the the things that came to mind was is this something that you know we could say, as part of um you know the the graduation process or incubation process that they have to be configured if the scanning has to be done, and also the percentage of their projects or the code has to be scannable or set up for scanning.

I

um Yeah, I think it's definitely something we should. It would be helpful for to evaluate like what we think would be most useful.

I

I mean, I think, that if, if it goes into the badging program, then obviously we're going to also kind of automatically adopt it, so that would be one route, but I think, um while it's in beta, maybe we want to try and help some projects, try it out in cncf and see, if see, what's working for them, what's not working for them, whether they find it easy to adopt and things and see what value they're getting from it from it.

I

I think that would be something that we could if some people could hand hold it through some projects and see help help them, try it out.

B

Okay, yeah yeah. I think that sounds good, and maybe we can see whether we can get a few um logins from for you know the assessment project beats and then they can evaluate, try and include some of that assessments as well.

E

We have the build pack assessments, um either starting soon or started or going on. um Would that be a potential uh project that we can roll into? This.

B

um Yeah, I think, that's I think. First, we have to figure out how we are going to get the the logins, because we we can't access it. Yet I think um so. I can take that as an action item um to kind of figure out how we can get access to that.

H

So the the buildbacks team already produced their self-assessment without being aware up front that this would have been an ask. I think at this point this is probably too late. It's also unclear of like which of the tools, for example, there's a partnership with snick. That's great, a lot of projects would use would like to use snack, but they don't have the resources to pay for a paid subscription or need to find a sponsor to do so.

H

Looking at the security tools under lfx staff, there's like cloud foundry, so not sure how what what might be applicable to to build packs, but it might not be applicable to other products to use cloud foundry. So we need to do some work to to evaluate like out of this thing, should make it there go ahead. Justin.

I

That's the results for scanning cloud factory not for, I think.

H

You're right yeah, um my coffee is yet to kick in today.

H

These these are projects that have used the scanning that they're highlighting there.

B

Yeah, I think we also kind of need access to it. So you know whenever that becomes available. We can kind of also look at this as like more for evaluation, so anything in retrospect right. We can look at the results of the scans of those projects and kind of look at it, how it would have affected the security assessment in memory, whether it's a useful metric or not,.

H

Yeah looks like sign up is like you can sign up, I'm using my linux foundation account and it lets me through. It does, however, ask for adding a public git.

H

Repository, let me let me do some exploration and report back.

C

Is that from snake.

H

This is from lfx security tools.

C

Okay, yeah yeah, if it's tied into a snake, uh I think that's that's the the requirement for first nick once you log in uh you type to your public github account, and then you can add your your like public, open source projects to that. So they're going to start scanning.

H

Yep, that's.

A

Right all right it do. We have any other comments on this topic from anyone else.

F

Yeah one one just comment uh that I noticed went to the linux foundation uh portel. This is something called red team project and under the directing project there are a number of security tools that have been mentioned.

F

I have not investigated enough to make any judgment at this point, but they might be relevant to our discussions and I don't know if anyone else here in this group that may have been exposed to those, and if so, I would be interested also to knowing as to what their observations are or comments are.

F

It meant for, I believe, as a number of security tools, including the pen testing containerized. uh You know, pen, testing, risk analysis and this kind of thing so.

A

All right, tk, do you mind sending the link to the.

F

Sure how to do so in the chat uh chat, message box, okay,.

A

Okay, thank you.

A

So it looks like uh andre. Also has an update on the security tech. uh I think go for it.

D

Correct thanks so.

H

We are finalizing the program committee. A number of you had expressed interest to participate. This is cloud native security day for kubecon europe. We are doing a round of making sure everyone is still interested to participate.

H

Those of you who expressed interest to do so and that if you haven't obtained your sick membership that you do so that you familiarize with what's the charter of this group, what's cloud native security day at the end of the day, ultimately, all about, and as part of that that you just put your name on to the the sick membership if you've been a regular attendee of these calls for a period of time. Moving on from there well we'll we are engaged with the lf planning team for the event and there's going to be coordination.

H

Logistics cfp is open. I know folks had made some comments on the channel around whether the dates could be shuffled around to allow kubecon acceptance or a rejection of talks to happen and people to know whether, like maybe they could reuse those talks. Here we did check with the team at linux foundation and it created a lot of uh pressure and moving moving dates around particularly it would give presenters a much shorter runway to prepare presentations and, on the back end, that created a lot of other complications. So dates will remain as this.

H

We did try to look into that emily. I don't know if you want to add some extra color to that, but that's where we're at.

E

uh They updated the site with some more information. So if you are interested in applying for cubecon and submitting a cfp there as well as for security day, you can certainly do both and then the linux foundations program committee is going to work through and kind of do an audit to make sure that we don't inadvertently force you to talk twice at the same event,.

H

But if you get picked for kubecon, we we believe in the organization believes that you want to make that your stage and on cloud native security day. At the same time, we would encourage you to think of clouds for cloud native security day to be targeted at a primarily security audience, more so than while reusing something you present somewhere else or if you had great experience on on a subject, you've worked on, but you can hone that a little bit to be security focused that would be fantastic.

H

That is the goal of this very special arena that we only get to have twice a year.

H

Thanks for that's it, I don't know if anyone has questions or comments but feel free to tag me on slack or on the cloud native security data issue.

M

A quick question about the club security day so do we have any dates to plan for the timeline for the cfc reviews.

H

Yes, I did get your confirmation in thai thanks for that. I will reply to the group with the timeline.

G

We're looking.

H

At I will I'll give you a sneak peek of that right away before distributing the water group. We're still waiting for a few other confirmations to come through before kicking off the work stream.

M

Thank you. No, I can't wait. I just uh want to make sure that.

A

Right any other questions on security day from anyone.

E

I would like to say that, even if you can't attend- or you can't submit to see a fee, please tweet about it and share it with your network. We had a ton, a ton of kind of attendees last year and we're also going to be running the capture the flag event again this year, so stay tuned for more information about that at a later date. But please please share that.

E

That's actually a huge level of visibility for the sig and for the cncf across the community, bringing more of the security professionals in with the developers and sres and open source projects.

K

Tune in tonight to uh cloud native tv I'll be talking a little bit about this, uh so yeah, I'm gonna definitely give the. I want to make sure the group, because I think it's again it's I like a co-educated day on on your kubecon that has to do with security specifically because look you'll get. We all know during the course of even like uh virtual events, it's like you get bombarded with so much stuff.

K

This is very specific to the audience here and I think there's going to be amazing content just from the whole swath of security. So it's awesome.

H

And.

K

Likelihood as it.

H

Happens with trans a lot of it's going to revolve around supply chain security this year, which is a topic that needs a lot of attention right now. It's it's! It's great like, if, like you have great folks here, that are experts and you're trying to advance the space feel free to to lean on those people. If you have ideas in mind that are not quite fully formed and- and you could use some help, uh jonathan is available.

H

Mr danpop is available. uh All of this is really good, and then please send you, send the link to your to your stream. So folks.

K

It's the cncf stream, I'll put it in the channel no problem. Thank you.

N

My pleasure.

A

Okay, anything else on security day from anyone.

H

No, I know that uh dan wanted to uh turn this into an improv session today, but.

K

I was waiting for renee, I was, you know, vidae really kicks us off, you know, he's he's, got a he's, got a way about him. So.

H

I I do have one joke: why did the it team set up the remote office from the beach.

O

Why it was too cloudy.

K

You can you top that venae come on. Can you talk no.

P

I I can't I can't I I that was a good one. Andrews.

O

What do you call it? A turtle that serves the dark web, a tour toys, I'll, stop I'll! Stop you end the meeting please quickly.

A

Curious, how many.

O

More.

A

I I am actually all for improv uh dan, so we should sync up later. I am big fan of improv yeah.

B

Yeah andreas, you know- maybe we can have this as part of the currently the security day if security improv or something like that.

J

Let's make this a feature in every meeting, we'll give five minutes to do like couple of jokes and if it goes well, you know, let's use the entire reading, for it.

H

You're supposed to to train your strengths, not your weaknesses or apply to your strengths, not your weaknesses. No, I will not be doing that.

A

Okay, all right so, okay, everyone uh back to business, so I think we don't have any other uh updates from anyone, so I'll make one uh last as the facilitator. So we had our first meeting today on uh retrospectives for the security white paper uh we five or six of us met. uh We discussed basically in terms of next steps, a survey that would be drafted soon uh to get answers and information about things. We want to know about the white paper and its distribution, as well as how it was received.

A

So we will be drafting that today, uh starting today and in a couple of weeks time we'll meet again. uh If you want to be involved uh and haven't sent me already, an email uh feel free to send me one and I'll send set up the invite for the retrospective about couple of weeks. From now uh same time, one hour before a seek security weekly meeting uh second update.

A

There would be more to do with uh anecdotal feedback anything you have heard as an author or a contributor of seek security or a reader of the paper where you want to share some details, feel free to let us know uh either put it in our security white paper channel as a post or share it with me, uh and if you want to be invited. Also dm me on slack, because I tend to miss zoom direct dms, so I'll send you the invite for next the next time when we meet again all right.

A

So any questions on.

A

This.

A

Okay, so we have reached, we are at 10, 30 pacific right now. If no more topics we can probably close early or people can continue with the improved sessions or jokes, I am all for it. uh But if not, uh we can finish for the day.

K

The day's ready.

N

Thank you.

P

Have a good one.

K

Why.

G

Are you putting.

P

Me on the spot, though, what is this? It's.

K

All about.

B

Improv.

N

That's.

P

Improv baby, do you know something I don't know about myself.

N

Sorry I dressed too it's too easy for me to pick on andre's all the time. So go pick up. Somebody else all right. Okay,.

A

So looks like we have. We missed one update uh uh from aratna uh correct me from wrong right now,.

K

Sorry, um which update.

A

It's.

A

Okay, so if no update then great, uh uh thank you everyone for the meeting. uh I know I have some folks who have shared interest with improve today. I think that I will consider that as a win for today's meeting and uh let's catch up again next uh next week.

A

Thank you. Thank.

D

You thanks.

P

Thank you. Thank you.

D

All right, okay,.

B

Bye-Bye yeah.

I

Thanks.

E

Sounds good thanks.

E

Bye.

E

You.