From YouTube: CNCF SIG Security 2020-04-01
H: I kind of debated how much I wanted to share, but I just wanted to put it out to everybody and, you know, acknowledge that I haven't heard from Sarah and JJ for a few days. I'm a little bit worried: Sarah is stuck in Boston and beginning to get ill, and JJ is stuck in India and beginning to get ill. So I've been trying to coordinate a couple of things with my co-chairs and, you know, they've been largely offline, since they are in sort of non-traditional places.
H: Anyway, so the upshot of that is, if you are waiting for anything from either of my fellow co-chairs, I haven't heard from them either. I do hope they're all right, and I don't have any further information, but if you have needs that aren't getting fulfilled, you can reach out to me and I'll continue to coordinate. So I apologize for the whole craziness around this, and I will share back in Slack, you know, in the SIG Security channel, once I hear from them and have any sort of general updates.
A: I do have an update as well. So the Harbor assessment and things like that are beginning to start. We have the people, and the statements have been signed off on. Everybody is going to... I've just gone ahead and approved the reviewer conflicts, although I'd feel more comfortable if you just looked at it. I had the most non-actually, plausibly even listable sort of conflict, in that Notary uses TUF, and Notary is used inside of Harbor.

A: So therefore, somehow, technically I've worked on Harbor, but not really. So I think, you know, I don't think there's any real cause for concern. So just maybe take a glance at that, and we're looking forward to kicking off that assessment. So thanks to everybody who's volunteered and started to do part of that.
G: Yeah, so this is the Falco assessment. I, we had joined the Falco community meeting this morning, and the project team expressed high interest in continuing with the assessment process, so much so that they actually will gate their 1.0 Falco release on completing the assessment. So I think that's a pretty strong commitment. That said, the flip side is they don't have a resource identified to step in and actually be the project... or a contact. So, you know, I wanted to raise the issue, maybe later in the discussion here, you know.

G: Is there some mechanism by which CNCF might be able to sponsor or provide some sort of, you know, project-based granting or, you know, internship or something? But, you know, I don't know if there's a way that CNCF can support projects that, you know, have high will but low resources to complete the process. So that's just, maybe we can take that up later in the call.
H: Right, you know, I could just put sort of, you know, names and projects a bit into this. You know, Kris Nova, who doesn't have, you know, sponsorship, but is available to, you know, wrap things up, would be conceivable. I can't see, you know, an unidentified resource, you know, coming out of left field, you know, getting sponsored and basically hired into, you know, doing something like this.
G: I think the problem is the individual does not exist, and I think that kind of the notion of, like I say, like an internship, might be to go out and kind of grow on the recruiting effort, say, like, you know, kind of Google Summer of Code style. If you want to work on this, say over, you know, a summer, a three-month project, you know, you could really dig in. I mean, it is an open...
G: I don't know that... I don't know. It's, they don't feel that it's important enough. I don't think any one person there felt they could be a good representative, but I can probe deeper into that. I also think that they are, you know, one thing that came up is that they're, you know, they're actively fixing existing security issues, some of which are not Falco issues per se; they're kernel items that Falco in a sense has discovered, but that they have to create some workarounds for, or whatnot.

G: So I think there is that, and that folks that probably do have the security chops to participate are actively working on high-criticality vulnerabilities or other security issues. So it's kind of this trade-off of, you know: do I do more security review, or do I fix the things that we already know about? And, you know, the arity.
J: If a project can't muster the resources to facilitate a review, typically we just assume that it'll be able to muster the resources to maintain maturity enough to make it be worth our time. So for my team, turner is the self-protection mechanism. There are lots of people who would like that credential or credibility, but unless it comes with sort of imposing a resources source, we found that it's typically a black hole or, you know, a flip-flop, right. They say things, we say things, and I... just, it's a, it's...

J: A low-friction drag over a long term. And as far as sort of pulling in GSoC, or we do another thing like GSoC, that's not really a force multiplier. In this sense, GSoC people are typically, you know, one to three years of experience, and they may be really motivated, but they lack depth, and you can take a three-month engagement and really make it...

J: Something that you could accomplish in four to six weeks tops. That's the general rule of thumb that we operate under, but that four to six weeks of additional manpower, you're gonna subtract maybe two to three of you. So the whole GSoC engagement gains you two weeks in a person with one to three years' experience, which is fine, right, if you're looking to further things. And I don't want to go down that rifle further other than to say that's not much of a value-add here. I would just pause.

J: The whole thing, I mean my thought on it is, I don't know if we're flagging graduation based on a particular committee. That seems like we're not, right. Everything is more or less rolling release, but if they aren't at a stopping point where they're ready to walk in the process, then you sort of have multiple vectors of black, right, appalling children.
D: Also, I'm also thinking that maybe they want first to fix their existing vulnerabilities, as you said, Robert, and they feel that, I mean, it's normal that you want to clean your house when you invite someone, someone who inspects. And my second thought is that maybe it's good to not push them and just wait for them to approach us when they want and when they feel that they are ready. I mean, I think, because this is a cooperation and anything, this is the right way to do it.
J: One additional thing, which is for sort of foundation-internal assessments of this ilk, we have something we call a requester service, and you have to basically have all the information ready to go in there to initiate the process, it would seem. Maybe there is not a common understanding, I'm sorry, of where they need to be in order to step through. Like, a requester service would involve a designated liaison, and if there isn't one, then there is no requester service. So I don't... I've seen what is submitted, sort of, but I don't know.
B: So it's Wednesday; I lost track of time. Yes, yesterday I opened again a submission of Keycloak as a sandbox project, and together with that I opened the assessment issue for SIG Security. For those of you who remember the whole story: Keycloak originally applied, like, June 2018. We were scheduled to present to the TOC in October; literally two hours before the meeting we got dropped from the agenda. The feedback was, the TOC is rethinking the whole submission process. Then we finally presented April 2019.

B: It's about when IBM acquired Red Hat, and Brandon took a step back because he had a conflict of interest with it, and then we knew that the whole process gets re-engineered and the elections are coming, so I kind of put a halt on all of this. And, you know, as the new process is in place and elections happened, I want to really approach the topic with some, you know, refreshment, with new programs. So I created the issue with the new template, and I created a self-assessment document as well, also last November.
A: Hopefully that should make the process a lot more seamless. You know, I think, I know that this process hasn't always been smooth, and things in open source are where they are, so believe me, you know, it's hidden, there's... There are other people that have felt a lot of frustration too with different things, but, of course, we're all just doing the best we can.
E: So Scaled Agile is an open source, but commercial, framework that's got its roots in a number of other things. So the point of this presentation really was to consider kind of a sub-sub-aspect of the Scaled Agile Framework, in which we were mainly considering the issues around operations, and the specific notion of operations that I focus on here is the ops that we run into in DevOps. But it turns out there's a lot of supporting information to share in this presentation that is going to seem like it has nothing to do with that.
E: So the way that I see this, Scaled Agile is built from, and they described it this way, Lean, Agile and DevOps, and it's all really a pretty good mix of that stuff. They mention model-based systems engineering, but that's pretty lightweight. They don't mention composable services, but I think that's really a major part of it that ought to be considered. And, of course, the bigger legacy, probably going back for decades, is object-oriented programming, and a big lacing over all of this of the quality movement: the plan-do-check-act cycle.

E: Some people know this as the Deming cycle, and institutional practice around ISO 9001, which goes back to the mid-80s or so. So this is the only time I'm going to show this diagram, although we can zoom back to this. You can see these on the public website for them. What you see up here in these various tabs are even more detailed implementations of this process, in which they try to explain how they implement the agile process, which, you know, the core thing is daily stand-ups, the scrum process.

E: To decompose the work into small pieces and working with small teams, writing stories and trying to educate one another about how to collaborate across teams. So in the Scaled Agile Framework there's a bigger process of how to orchestrate across the smaller teams. So you see this in this thing called the ART, which is their Agile Release Train, so that is how they sync with the multiple teams working together on projects. And, yes, you should be asking yourself when you see this: wait, how does this work for CNCF?

E: And if you look at it, it's kind of not software engineering, which probably tells you a lot. It's an attempt to try to import concepts from outside of software engineering, but apply it to what is really a release-driven notion. Now, that's a comfortable thing for most of the people on the call here, unless you happen to work in the ops community.
E: The ops community could be somebody in the data center. It could be somebody in our JSOC, you know, in my day-job company. It could be a person doing pen testing. It could be just about anybody who's not got clear milestones and sort of product-release-centered work. So that covers actually a much bigger part of our world of automation than most people think. For example, in hospitals right now, a lot of the stress on systems is just scaling up existing business as usual.

E: You know, admissions workflow, prescriptions, deployment of machines; they're not releasing any products. Believe me, that's not the main concern right now, but there is a lot of stress and use of processes like the ones that SAFe is trying to address in systems like that. So you see it in government a lot. All companies have these kinds of BAU processes that are separate from that, and one thing that Dan and I've talked about in the past is, you know, maybe for some of these things, the site reliability...

E: So that's something to come to at the end of this talk when we get there. So just to give you an idea of kind of where this approach is maturing into: I'm only certified as a sort of simplified, semi-dummy Agilist, and actually on 4.5, which is the last release of this product, and you can know a lot more about this, obviously, by, you know, seeking out these other certifications, which deal with different facets of it. So it's probably debatable for people on the outside of SAFe whether...

E: All these things are necessary, but it is necessary if you think of, if you buy into this, which a lot of big companies have, that you need to kind of specialize in different facets of this. So I think this is kind of a little bit outside of the ops question, unless you say, wait a minute, aren't we implementing this thing, and you look at the things involved in this. It really is not developer stuff, so maybe it is related to ops in some respects. So the core values they like to talk about are worth residing here.
E: So by alignment, they're trying to say, you know, align the principles across the teams, integrate fully across all of the aspects of the platform there are. Their idea of transparency is to have artifacts that are produced as part of the same process that let everyone see what the goals are; the artifacts share things fully across the teams. A lot of what you'll see here is about trying to reduce cycle time, expose what the features of new releases are going to be, and the evaluations of those things.

E: The way that you execute the program, they have very specific notions about this, which I kind of boiled down to one slide, which is kind of unfair, but I'd do it anyway. So, no, this is really not a SAFe thing, but they try to make the point of what the focus of SAFe is by contrasting what they think they prefer. So they would prefer individuals and interactions of individuals over processes and tools.

E: Well, it's kind of ironic, right, since this whole thing is a tool or a process, but what they're trying to say there is: if the customer says, hey, wait a minute, you got this feature all wrong, everybody needs to stop what they're doing on that team and recalibrate what they're doing in an agile way and turn it around, instead of having everybody go in the wrong direction.

E: With that, so they're saying that piece of information is going to surface through individual interactions, then you let the process take over what you're gonna do with it. So, working software over documentation, okay, that kind of reveals the developer preference over the ops preference. So, you know, that's an issue for you to consider.

E: Yeah, contracts are going to be secondary to collaboration with customers, so customers may not like that because they want to tie you to an SLA, but an SLA in this scheme of things is really not possible, because what you want to be measuring is what you're able to produce in the increments, according to what you agreed to in the program plans. So what those things are is kind of out of the scope of this conversation.
E: But it's the preference in this manifesto. Oh yeah, responding to change, right, that's sort of a truism. Let's see, so this, I'll let you skim through this, but if we look at this from an ops point of view, I think changing requirements really affect operations considerations. So I mean, I think if you look at what's going on with COVID-19 across a lot of enterprises today, I mean, I could just use as an example...

E: What's going on at Synchrony: we're having to put a lot of people in bring-your-own-device settings and do it in a hurry, and this is having to happen on a scale of, you know, 5000 users over a couple of weeks' time. A lot of these people are non-technical folks that need to be taught how to do that and to be able to operate from home on short notice. So the operational challenges around doing that are considerable. I think you could use a developer-like model for that, but it's debatable whether it's SAFe really...

E: What supports that in a direct sort of way, so I believe that is an open question. I think the face-to-face emphasis, when I was going through this a year and a half ago, I was a real skeptic of that. So okay, I think I mentioned that early on; it'll be interesting to see where the SAFe people take this now that face-to-face is meaning a virtual face-to-face thing, because they really do mean people in a meeting, in a physical meeting.

E: There is more of a focus on sustainable development. Here they mean sustainable not in the ecological sense, but I think it's useful to try to insert that dual meaning here, so I always do that when I see this. Okay, so there's a little more to these principles. There are a couple of these that I'll highlight here for the purpose of this discussion, and the two that I would highlight are number six and seven.

E: So this thing about visualizing WIP, and it sounds a little technical, but there's really pretty good quantitative measurement support, and support in the field, for what they're after here. And really the benefit over waterfall isn't just this kind of break-up of this serial left-to-right process, or the challenge of, you know, trying to define everything in advance, which is what you get with waterfall. It really is this problem of trying to reduce lead time and have the smaller tasks be more manageable.

E: So, you know, it's basically this thing of having smaller pieces that can be recompiled and reconfigured dynamically, which gives you more flexibility and efficiency. So how you do that, you know, instigate and address security, how the security overlays fit into that specifically, is what I try to deal with in later slides. Well, number seven, we'll take a look at that in a later slide. So this is one of their slides, and it kind of begs the question, you know, if you look at these silos across, you know, here on the right side of the slide.
E: You know, they tackle it; whether they're a success or not is really the question we want to ask. So the Deming cycle is this plan-do-check-act. This is the way I tend to remember it, but this is a real basic capability, a process underpinning for the SAFe process. It's, I think, one of the things they really get right about this. On the other hand, think about how you do this with your whole enterprise or your whole product line, you know, like we have a retail card operation or our commercial bank?

E: You know, we want to change the whole checking application. This could be a thing that has, you know, really tight integration with third parties; you know, some of it might be mainframe-based, some of it is CNCF products that are vertically integrated with other tools. This whole thing exists as a working artifact from an operator's point of view. How do you do plan-do-check-act for this gnarly nest?

E: The other thing they postulate is this notion of program increment planning. So we have these things. It happens, as you can see; they'd like to depict this as the physical meeting with, you know, people writing stuff up on whiteboards, and, you know, having face-to-face discussions about what requirements ought to be, teams taking responsibility for different things, challenging stories that people are offering for how long they think story points ought to be represented.

E: Stakeholders, you know, need to be put into, what, not direct conflict, but at least direct negotiations. You know that if you try to do that in email or in, you know, traditional requirements writing through technical writers, they argue that can't happen. You really want them in a face-to-face setting where these things can get challenged and negotiated.

E: You know, I think they're on to something with that, but, you know, I have some questions about it. So the questions are on the right part of this slide, the stuff in italics. Is, you know, requirements engineering depends on story fidelity: do people know how to write them? That's a big question in my mind. Story fidelity is more art than design patterns.

E: You know, can you really use the design patterns you get? Like, people on this call, I think, are really highly proficient with design patterns, both from being coders themselves and, you know, from this combination of academic training and being good practitioners and learning from mistakes. But writing a user story, that's another thing: how do you get better at that? How do you recognize the good one? And really the whole thing drives from this story...
E: ...fidelity problem. And there's the other problem, that security is kind of a bit player in all this, and privacy and compliance maybe has a bigger role to play in some applications. But there's more to say on this particular issue in later slides here. SAFe has this notion of an architectural runway. You know, you could argue that CNCF, you know, has its own kind of architectural runway, which involves trying to leverage existing...

E: You know, CNCF design patterns, or maybe, you know, guidelines for how to move from incubator to, you know, full acceptance into the framework, but it could also mean, you know, there's a de-facto habit about which, you know, already fully embraced tools, i.e. popular tools that are in the CNCF family, you know, are a part of the runway. So that could be seen as, you know, either features in which you import the tools and the APIs from things in the landscape, or...

E: These could be inside the enterprise, where features are being brought to you by practitioners that are advocates for particular applications inside your own enterprise. So, yeah, what this means, this is kind of another challenge. I think they also have this notion of what the value stream is. You know, I think I've touched on this delay-based optimization, so this matters for operations people, right. Mainly, when you learn about this, they mainly are gonna give you the analogy of developers...

E: ...you know, waiting to get specifications, or developers waiting to get feedback from testers or information from other teams, and these delays, you know, introduce problems that you can only address by making the queue sizes and the work-in-process quantity smaller so that you can manage it. I think there's something to this. But the question is: how do real operations issues like latency...

E: ...you know, scalability, robustness, you know, team constraints like what you do at the end of shifts, and how do you manage when you're doing migrations or tool upgrades, which we see a lot in security tooling, that when you want to do a rollout of the new version of the tool that has the big ops impact? So how do you model these things in SAFe? It's sort of a question.
E: Continuous exploration is, you know, as you see in this chart, depicted as, you know, one of the roles in this, but I think it's a little fuzzy in SAFe how you integrate this. There's a role for that, for R&D, like going to our friends at NYU, or going to the professional associations like IEEE, or to NIST, or to the consortium to do, you know, better ways to do this. Maybe you look at, you know, other CNCF tools and say, see, how did they solve this in TUF, or how did they solve this...

E: ...in, you know, one of the telemetry projects, that, you know, it's got a solution space at Schwimmer. The one I'm taking on, I think this is a little fuzzy, but this is kind of a key thing for ops, because I think one of the more powerful principles here is the design patterns. So, cadence and synchronization: the other thing I want to call out here, I'll let you skim this, but cadence and synchronization, these are really important for operations.

E: You know, it looks like a fancy expression here to call it this, but sometimes it's like, you know, the shift boundaries for when people come to work and when they hand off work. Sometimes it's incident-based considerations, like, oh man, here's a zero-day associated with a stretched vulnerability; there's a whole bunch of CNCF projects that have this in it, what do we do? You know, now you've got the press involved in it.

E: You have ops people who have to be taken off their current roles to address that, so the cadence and all this stuff, you can, I mean that you can implement SAFe to try to do some of these things, but it's really different from a release-driven planning session. So we're, you know, the SecDevOps world, or ops, we are a little, struggling still with how to have security teams implementing SAFe to do this. It's doable, but it's not always a good fit.
E: I feel strongly about this, that one of the most pernicious things that gets said is security needs to be designed in at the beginning. I think that is so upside down. The thing about SAFe is the stakeholders in applications are the people who need the applications, the customers, and, unless you're building a security tool, they don't want that. So I really want to, you know, turn that around and say: look, it's the applications that rule, and in the ops world it's whatever the operation is that you need to support.

E: So if right now it's running, you know, the supply of ventilators in a hospital, it's, you know, the workflow for that, it's the queue management, you know, it's the staffing related to running those operations, you know, it's the shift handoff, it's the security around, you know, new processes. So it's those applications, it's not the security. So, not to say security isn't important, it's just that it takes on a different role than what we're used to. So operations, y'all may be jumping ahead to the last point...

E: On this slide, operations can work as applications, but it's not a one-to-one mapping. So the point really here is that security comes later. The point of this is, let the teams, the application team, say what they need from their customers and the stakeholders, bring in the security and privacy aspects of this later on through the architecture enablers. So my reality check on this is, you know, 20% of the defects remain after you do static and dynamic scan. We don't know how to produce bug-free software; get over it.

E: The goal of trying to produce error-free code really subtracts from our more important objectives, which are sustainability, manageability, risk, usability, maintainability, and what the customer needs from the application in the first place. So that's where SAFe says we need enablers. Let's see, we've got 12 minutes or so; I'll wrap this up in five minutes so we can talk about it. So how... yeah, go ahead.
E: So how does SAFe support this? Frequent iteration, automated testing, shorter sprints, trying to left-shift test development, really trying to make security be part of the quality dimension. So that's really the movement. So this is me touting this most; I think this insight is external to SAFe. Some of this needs to happen at the sprint retrospective; the enablers in different enterprises have different life cycles. You may have to bring these into your own projects. Some of this is, you know, well, what is cut-and-paste for security, and rote?

E: What is the role of domain-specific languages, and, you know, bringing that into play, into your security teams? Test engineering, you know, is a new way to think about this. A security stanza: frequent demo should be including test integration. This means usually left-shifting to developers, trying to build this capability into the integrated developer environment, probably Eclipse, more tagging and annotation.

E: The way the rheumatologist thinks about a neurologist: it's an adjacent specialization; they're both in medicine, but neurologists don't pretend to know what rheumatologists know. What that means is, you know, your average developer is not going to be a security specialist; you shouldn't expect that. So likewise, from an operations point of view, we're not going to understand what Akamai or Palo Alto firewall specialists are going to do. Also, you know, some reasoning is going to require aggressive red teaming. That's really kind of a new concept.

E: I don't think SAFe has baked that in. It offers a paradigm for doing that, but they don't really give us a good roadmap for it. A key thing for our ops integration here is how to figure out how to mix legacy and software-defined data centers under the same framework. So I'm gonna rant here against teaching toys like zero trust and trying to do what Google can do, and, you know, even PayPal, I'll call them out here, you know, or Synchrony.
E: So part of what we need to be thinking about, our security tooling as performing for us, is supporting decision support. So what we mean by that is, you know, being fully part of, partners with, quality writ large, providing telemetry to support decision-making. Sometimes that'll be for security, into incidents, but they could be other kinds of things; could be that, you know, we need meta-models to support our scalability or simulation goals, or it could be to teach how things work, so people can learn how applications are designed.

E: We need, they need to be able to integrate risk in a more systematic way into decision support tools. So to do that, you know, there are operational support tools that are out there. You know, building an integration with that, with our, you know, against existing CNCF applications, is maybe something we could think about on a more systemic basis than we do now.

E: You know, I've got a whole other presentation about security and big data from my work at NIST. I think we need to start thinking of application data as secondary to security data, that, you know, for most applications these days, if we could, we would be gathering more data than the application itself is accumulating. So the question is: how do we do this security analytics, moving closer to data science than just purely, you know, sending log-in, log-off, and, you know, resource consumption logs off; this is blunt.

E: There are big issues on human-computer interaction for operations, you know, how we use repos, how do we discover what's in repos, what the design patterns are for operations? You can do these things in sprints, but the problem is they're often not introduced. So, you know, ask yourself: how does the CNCF community get brought into the ecosystem? Do we have an ops repo? Is this even a teachable thing?
K: So this is Vinay here. I had a question, Mark. I think the story that you're trying to convey is well-received. So what is the next step? I mean, what are you hoping to achieve? I mean, how do we incorporate this? Is this something for CNCF to try to think about as we develop our projects? Is that what you're trying to convey, or what is your broader strategy on evangelizing, and also from an adoption perspective? Yeah.
E: Spot-on, and I don't know the answer to that. What I think is, you know, this group in CNCF is thought leaders, you know, both by deed and by actions. So, yeah, I would like to see us take some of the principles, you know, it doesn't need to be the whole thing either, right, you know, find a role for CNCF projects, some of them in particular...

E: You know, like TUF, have a role to play in this, and, you know, but maybe have some artifacts and, you know, maybe periodic FAQ kind of presentation sessions so that, you know, people who come through this process could review some of this and say: okay, I see how I can contribute to, you know, decision support, or making better user stories, or integrating, you know, safety aspects into future stand-ups, because, you know, the review that we get for exceptional...
H: You know, I mean, just to tie back, you know, how we got here to have the discussion, because this came out of, you know, discussions we had around operators and extending, you know, the work we're doing in the CNCF, and especially, you know, getting to help and facilitate in the journey of some of these leading-edge...

H: So like you're seeing organizational and systemic advantages, you know, out-of-the-box in some of those things, and then you try to apply those practices to larger organizations that don't have that luxury, that they come from, you know, situations where you can conceivably get everybody together and, you know, do some hard negotiating to work out all the differences.

H: It's an extraordinarily messy process, asynchronously or synchronously even, you know; it's exacerbated, you know, asynchronously, and I think that, you know, any leader that has the opportunity to take the simpler route to deliver a more high-fidelity answer will take the simpler route, and that is totally, you know, that in-person, you know, quorum.

H: You know, the reality, my experience, is it takes more people effort, not less people effort, and that's the existential challenge, you know, we're seeing in moving to broader, more distributed, virtualized environments, and what we're looking for is easier solutions with less resources, and unfortunately, in my experience, the answer is it's more time, more effort, with more people to, you know, get the right answer in that distributed environment. And I haven't seen the leadership sea changes with leaders that know what a distributed reality looks like and what success looks like in the distributed environment.

H: For me to, you know, really, you know, see that existential challenge pressure coming off of it, folks are gonna keep pushing to these new solutions, you know, in-person meetings. Well, you know, other forces are pulling in the other direction, and it's great to have, you know, contacts, but, you know, we're gonna be battling this for, you know, a number of years.
E: You can bring small things into these meetings as long as they're doable. So, you know, some of this is as simple as, hey, if you look at the API endpoint to a CNCF project and say, you know, here is a design pattern for solving that, and what you've done is sort of bring in a whole paradigm that's part of a solution. So, yeah, I think, Vinay, you know, you're asking the right question here, which is, you know, how do we do it, because it's a teaching enterprise as much as any, you know...

E: At the same time, learn from the people who are using it, right, to let them use these big frameworks like Scaled Agile for deployments. Like, maybe it needs to be a catalogue, you know, of resources that, like, SIG Security could host, or, you know, a catalog, I don't know, some combination of those. Maybe.
H: Reality applied on the ground, understanding of how we put this into practice. So that's been a great perspective, Mark, thank you. Matthew, our meeting facilitator, had to drop, so I'll close this out for today. And, you know, during the meeting I did hear from Sarah Allen, so happy to hear from her. She was in the process of going and evaluating getting COVID-19 testing; you know, for better or for worse, she was too healthy to get tested.

H: You know, I've a number of grumbles with that. That's where we're at collectively, so, you know, she's, you know, healthy and doing all right, you know, stuck in Boston, unable to, you know, return to San Francisco, you know, with the rest of her family. So I again apologize for any delays that we may encounter in managing through everything. Our first priority is keeping everybody healthy and safe. So.