From YouTube: CNCF SIG Security 2020-06-10
Description
CNCF SIG Security 2020-06-10
D: So, just for some background, I was assigned as a volunteer for the Keycloak assessment a little over a week ago, and my understanding of the SIG Security assessments is that a lot of it is reviewing the self-assessment, the document that is produced by the authors of, you know, the application or whatever the working group is looking at, and then providing feedback based off of that documentation.
D: I personally am a very tactile person and I like to poke things because I feel like, you know, implementation can be... sorry, design can be whatever people, you know, want it to be, but implementation is where, you know, things actually get interesting. In the particular case of the assessment that I was on, I set up the application and within 30 minutes I found something that really should be fixed as a security issue, and that team has agreed that it should be fixed.
D: So in saying this, I was wondering why. Why is it that SIG Security assessments don't... there's no, you know, practitioner angle to this? Nobody actually sets up the application and attempts to, you know, compromise it to identify any security issues, and I understand that that is, you know, a security assessment, and that likely the blocker is bodies and people who are, you know, able to perform those competent reviews.
D: Assessment process, but instead performed very light, very, you know, just once-over review penetration tests of applications, or, you know, practitioner security assessments. I think that would go a long way in improving the security of projects that come through SIG Security, and it doesn't require, you know, the formality and the, you know, the otherwise potentially very large time investment of a formal penetration test. And so I was wondering, you know, what are the blockers here? Is it just bodies? Is it just people, you know, able to do these reviews, right?
A: First, the initial idea of all of this was that the CNCF, for projects that reach a retro stage, would end up performing a security audit for it, and so it's kind of like there would be a bit of overlap with what they were doing. But at the same time, I do see kind of a bit of value in terms of doing a cursory look of it, just because it kind of translates to the security posture of the project itself. Right, right.
C: Thanks. I was just going to say that I think, so in general, I'm in favor of this. I would like to see it be sort of done and provided in a more uniform way, and one of the kind of logistical concerns I have is, to this point, we haven't really had anybody step up and directly do this. We've had people occasionally do things that are kind of like this. Like, it's not that we didn't necessarily play with some aspects of the tool or things, but it certainly hasn't been universal.
C: We might not check that, and then we may even push the TOC to move in a direction like, hey, audit this part or something like that, feeling we're doing the right thing, when really we've just avoided, like, a big problem that the project has, because we maybe got the wrong information from the people doing the self-assessment, or maybe we just, you know, overlooked something obvious that we didn't see because we weren't looking in the right way. So I'm very much in favor of this.
A: No, I'm a bit hesitant on kind of phrasing it that way, in terms of saying that, okay, we kanessa surgery, we have to do kind of due diligence based on what they're putting in the assessment, because I feel like 80% of the assessment process is based on that. Oh, I'm not sure we can really, you know, make that statement and try and validate that statement.
A: I'm wondering whether we can just put it in a way that, you know, we are... if everything... I'm so, I'm not sure what exactly the bug was, but I'm thinking about it in terms of: is there a way to say, okay, in terms of, can we somehow measure the quality of security design rather than, you know, trying to question the validity of the self-assessment?
D: Just, I mean, just to interject, and perhaps this is the more valuable component, and I'm only speaking for myself as a tester, although I'm sure that there are a lot of other people who are, you know, in the same position: when I look at an app, within 30 minutes I can tell whether or not it's garbage. So I... just, you know, if it's nothing more valuable than that, a lot of times you can get a gut feeling about, this might be an area of concern.
D: You know, this authentication scheme is very roundabout and, you know, there's too much going on such that it could become a problem. It's very, very easy to do that, at least for me, and I'm sure that others are the same way. So I don't know, you know, other than just findings, what information would be valuable to this group and to the assessment process, but I think, you know, defining that would be good too. So I...
D: Personally, no, I mean, again, this is just me personally. Like, in the app that I was recently looking at, I had used it before, many years ago, so I knew what it was. But, you know, if I open that SIG Security document and I watched the walkthrough and all of that, and, you know, that's great, a lot of times I can understand it, but a lot... I personally need to poke stuff. The only thing that I, you know, would benefit from, asset.
B: To talk about how assessors, our security reviewers, have flexibility to go through the documentation the project has: we don't require it, but it does help them get a better understanding about the project and how it actually functions. This is beyond the actual self-assessment itself. It was my thought, when those updates were with me, that if an individual wanted to do a little bit of poking around and spin it up on their desktop, on a machine, to figure out how it worked, and if they happened to discover any possibilities, that was entirely their choice. They wanted to do that.
B: Group of individuals doing the security of a project, and we find a bleeding problem. Sometimes it's an indicator in the document: this isn't written quite right, it reads a little funny, actually means this, and then we dig in a little bit more and find they're going early, for instance. But if there is a tactile wave for that I'm putting the light, I don't necessarily see that as part of the effect. I...
H: Just to add to that, this is in reference to the Keycloak assessment, and so currently the assessment is in the clarifying question phase, in which we're just trying to, like, see if the doc conforms to the assessment guidelines, all the necessary fields and stuff like that. And after this phase is done, after the clarifying phase is done, you have, like, an entire week for people to chime in and then actually try.
H: We would be happy; you have a setup, like a week, to actually do that. So we are not in that stage yet, because the project is still working on the self-assessment itself. So once that's done, then definitely folks can go and try out the project and then obviously give a presentation in the later stage. So we can bring up all these issues, so we have time to bring this stuff up. So just...
B: Yes, so every researcher has a mechanism by which they go around, so some of these projects or these applications is different from others. So, earlier about harmony, if we were to do an assessment, and we had one, maybe two, maybe like ten individuals to actually poke around at the application, it may not necessarily be consistent between assessments, which for some projects we don't want. Anybody to think that some security review of a project is considered an endorsement for such a project. How art it's more of a, he did a review, this is our process.
D: So I guess just to address both of those points, the first point being that different people do things different ways: I mean, I think that's just kind of an unsolvable problem. That's the way that everything is, right, so I don't understand why that would apply to this more than people reviewing the written document or anything else. In regards to people interpreting the results to mean something different because we're doing a poking audit, I mean, personally...
D: Why, when I joined this group, you know, just a month or so ago, I assumed that was what was going on here. Like, when you hear security assessment, that's just what you assume, so I think to add that functionality just, yeah, it just makes sense. I think it's filling a deficiency. It's not adding something extra that now we have to explain or worry about.

I want to make sure that we, you know, cover a bit of the context of, like, how we got here, yeah. So this, you know, was a working group that, you know, became sort of the prototype for the things inside the CNCF. You know, it started as the SAFE working group, Secure Access For Everyone, and when we landed as a SIG, I actually pushed real hard to have it...
I: You know, get rid of the, you know, backronym and, you know, move to a single word, and we chose security. So, like, the community of members here are primarily builders and the technologists supporting the cloud native infrastructure. You know, up until recently, we really haven't had any pen testers or professionals that, you know, are at our disposition to build process, and you...
I: Things like this, so, you know, when we as a SIG take on a responsibility, you know, we need to make sure that we can, you know, continue to staff it, basically, you know, with the volunteers that we have. So, you know, if we have something that an individual is interested in doing, we'll look for ways to integrate that into existing processes, but, you know, until there's a lead, until there's a contingent of individuals that can do that regularly...
A: So I do think that there's possibly a space of this. I'm not sure what we... I know we had a lot of discussions when we were talking about something called the observer role, in which people say, okay, how do I do a security assessment? And I, like, you know, just like a few people taking it, but I think that this could be part of a document, if I can write down: okay, here are some ways you can go about doing a security assessment. One of it is downloading the tool and trying it out.
F: You know, I know Justin does a fantastic job of articulating the objectives of the security assessments, but does it... and I don't know if it's already there... does it make sense to have in the security assessment templates the clear objectives, the goals, as well as the non-goals? And, you know, for example, when we did the Harbor review, we brought up, I brought up some of the things here.
F: We have already subjected Harbor to a lot of pen testing and here are the results, so we said, yeah, that makes sense. So we could call these out as requirements or areas to cover, and if that's not one of the goals for the security system, to actually call it out to say that we don't cover these. And, as Dan also mentioned, there's also these liability issues. It's not like a thorough or full-fledged pentest security audit, but it's mapping back to best practices.
B: The one, can you get the recommended process by how we could potentially include this? There will be a lot of things of documentation discussed, like the goals for the assessments that we currently have might eventually change in scope. Our non-goals listing might increase. The liability statements that we have on the repo will be, essentially... and so there's a whole bunch of stuff that we're going to... this, I don't have to be considered, but I think we're late. So we have feasibility, that, and a recommended process to discuss.
F: Does it make sense for me to take a stab at it, Emily, to just start putting it together, and then we can see where we land and capture all the different impacts, from a legal perspective, from a liability perspective, just to have it somewhere so that we can discuss, and then they can choose as we deem fit, I think.
B: That would be good to have, and I would also recommend that you engage a couple of those, as we're finding people across the community that are from different organizations and teams and backgrounds and experiences, like, diversity is great because it brings all those different viewpoints together. So somebody may be thinking about something about... we call...
G: I have a comment. When we do an assessment, assessment against what? That would be the question that I think most people will have. If you don't have a frame of reference that is common to every assessor under this group, isn't it very difficult, and it should become almost subjective on the assessment, and then how do you maintain consistency among these different assessments that are done by different assessors? So they're all experts in different things, but there is no one consistent way of doing it.
G: Unless we put something in front of us. I mean, it's beyond just goals and non-goals. I mean, it's simply saying, okay, well, this is what we are following, either a standard that is in the industry for certain, for example, identity management, or, for example, vulnerability testing or something like that, whatever it might be. And I realize that the liability portion and all those things, but I think we need to become, to officially call ourselves a security working group.
C: Things that are so different from each other, and in many cases there aren't effective, established standards for how to do this. And furthermore, we're not even, you know, we're not claiming to do something like a professional audit. We're giving the TOC some general recommendation and giving some general notes about what this group of assessors thought for the project. So in order to do something like what you described, I think there's a lot of things that are well outside of the control of what this group could possibly do.
C: That would have to change, including figuring out how to standardize a lot of, like, you know, that to do something like PCI-level standardization across every possible project that would come to the CNCF, which would just be crazy, I think. The space is moving too fast, so we're really, I think, making a, you know... the alternative to us...
C: If we just say, well, we'll just do nothing, then what we end up with is the model that we had before, where the TOC members, a few of them, poke and prod in what little spare time they have for the projects that come up and try to form some opinion, and then try to convince other TOC members what they think their opinion is based on some, you know... then getting to spend an hour, probably, I'm guessing, in some cases kicking the tires on these projects.
C: So we're doing a more extensive... you know, I do see us as doing something in between those two extremes: we're doing something where we're getting a much deeper, much more involved engagement with the project, but we're not, you know, going and doing a month-long security audit, digging through the code line by line with a team of, you know, eight to ten professional security penetration testers.
G: I don't disagree with that. All I'm saying is that perhaps if we can put down some very high-level, somewhat of a scope or maybe some guidelines, and we don't do everything, but we do some things. You know, there's whatever that something is at a very high level, maybe just not get actual issue, maybe just philosophical issue or whatever, at that level.
G: So there's not an individual subjective assessment, because every individual has a different level of expertise, and you can put that against any subject matter and you can come up with different assessments depending on who is the assessor, and that's not a very... I'm not sure that is very valuable to the community. They're basically attaching someone's name to it and saying, okay, well, this is the person that assessed this one.
B: How do we do this? How do we make it work for the community, our volunteer base, and what does that look like? And then we won't know if it actually works or what the feedback is. So we try a lightweight process or a lightweight assessment, to include a light audit on a project that's willing to allow us to experiment, but we won't know until we get there.
B: So these are all really good recommendations, and I'm sure Matt is more than willing to take them, and whenever those conversations get started, you're always welcome to join and comment on that, to ensure that they have your feedback and input on how to make this the best that it can be.
E: One thing I wanted to mention real quick, too, is it sounds like, you know, this isn't really happening regularly, and I don't think the goal should be, you know, an audit, the one thing that they would need to kind of feel secure. But some level, you know, 30 minutes now or whatever, some level of just checking things over, testing things, I think would be beneficial, and the goal shouldn't be a perfect test. But if it uncovers a couple of vulnerabilities, I think that'd be beneficial and kind of doing its job.
F: Can you all see the DoD for CNCF spreadsheet? Yep, look, yeah. So, you know, the way I interpreted this is, I think there is a whole bunch of categories that have been defined in this tab, you know: belongs in Kubernetes stack, and then the controls meet NIST requirements for a Kubernetes stack, and then belongs in a vendor-specific (Docker, OpenShift), did not contain a hardening, belongs in a container platform. And I think this is actually quite a comprehensive list of controls that has been put together, and I mean, it's...
F: It's a great start, from our work in progress, and obviously there are so many different facets, but, you know, I think it talks about all the different best practices, right? One of the things that I think about it, I believe it's the NIST 800-170, which is the container compliance. So if I think about that, a lot of the controls that have been talked about in that NIST standard have been talked about here. So it's a really good start for any kind of...
F: Let's say in this particular case it's the Department of Defense, but an operator to be aware of as they deploy their applications in their cluster. So it's nothing out of the ordinary, but, you know, just a whole bunch of best practices, controls that need to be addressed. So I'm not doing justice to the full intent of this, I must mention that.
F: But the way I can think of how this can be consumed is for, let's say, the DoD to put together some kind of reference framework on the controls that need to be enabled across all their, you know, for their containerized applications. And I don't want to go through all of them, but, you know, there are different categories, if you will. So...
F: I think they've done, like, you know, requests for comments, if you will, or something like that, and then so the vendors that have actually provided those recommendations... All right, thank you, sure. And so there is some kind of classification in terms of how the, you know, mandatory recommendations, what is the severity based on not applying these controls, if you will. And I'm sure a lot of these are very, very familiar to a lot of us, and really, really bringing together a lot of the, you know...
F: So there are some places where explicit capabilities are being called out. There are some places where they have been plugged into a bigger bucket, if you will, and, you know, how to handle namespaces, etc. And given that I can talk to something, I just want to highlight some of the stuff that I added from my perspective, which was, you know, there was not enough emphasis on...
F: You know, the shift-left aspect and the ability to actually incorporate those best practices. So I added this, you know: the ability to do vulnerability scanning, file into the runtime security, file integrity monitoring, malware scanning, the need for network visibility, network protection, and, you know, scanning Kubernetes manifests. And I'm hoping that a lot of these things can also go back into some of the points that Matt brought up, to say...
F: You know, when you deploy, ah, when, let's talk about the Kubernetes manifest, there are a whole bunch of things that can be scanned and called out even prior to those actually being deployed. So some of those, so that's as far as I dare to go with describing the intent for this document.
K: Adding directly to the... requesting access to the doc and adding things to it, or... I clicked on the link, I don't have access, I just put in the request for it. Or commenting in the Slack channel, or what's kind of the call to action? What should we do? What are we doing to contribute? So...
F: From what I gather, clearly I'm not the owner of this, I just want to make that very clear, but I'm also, similar to you guys, a contributor. But I would recommend getting on that Slack channel and then maybe requesting access from Tim, and then just starting to add your recommendations, and maybe provide the attribution so that it can, you know, appropriately be followed up and handled.
I: Vinay, thank you for putting on your vendor hat and, you know, pushing that forward. Really love, you know, getting some contributions there. As you went through that, is there anything that you were like, you know, mm, it'd be great to take this from the vendor level and, you know, extract it out and build consensus?