►
From YouTube: CNCF SIG Security 2020-05-06
Description
CNCF SIG Security 2020-05-06
C
C
C
C
C
D
D
A
Thank
you
brandon.
I'm
happy
to
continue
to
do
so
so
long
as
it's
they're
helpful
when
they're
getting
something
done.
If
we
feel
it'd
be
better
to
sort
of
rotate
it
just
so
people
see
more
than
one
face
all
the
time.
I'm
happy
to
do
that
too,
we'll
just
rotate
every
week
or
flip
a
coin
at
random
based
on
who's
free
and
that
that
works
fine
by
me
either
which
way.
C
I'd
love
to
see
you
know
someone
else
besides,
just
myself
come
through
and
kind
of
ratify
some
of
the
facilitation
process
that
you
put
in
place.
So
I
I
think,
that's
you
know
it's
great
to
continue
on
I'd
love
to
you,
know,
see
you
know
brandon
or
someone
else
you
know
come
in,
go
through
the
process,
get
feedback
and
kind
of
do
some
some
better
work
there.
A
I
should
put
together
the
facilitator
guidelines.
I
recall
now
it
meant
to
put
together
a
pull
request
and
put
that
in
the
documentation
still
haven't
done.
It
actually
supplement
that
dan
so,
for
example,
for
more
embedded
security
background
and
bit
of
pen
testing
that
sort
of
stuff,
if
someone
were
to
say,
do
more
than
say,
facilitating,
but
be
able
to
provide
some
answers
to
the
actual
real
questions.
A
C
Then
the
co-chairs
and
the
tech
leads
just
started
last
wednesday,
a
bi-weekly
meeting
of
amongst
ourselves,
and
then
there
are
the
individual
assessment
flows.
The
formalization
of
our
tech
leads.
Is
you
know
something
that
that
just
recently
happened?
So
I
I
think,
what
the
opportunity
you
know
to
sort
of
expand
from
you
know
those
sort
of
existing
pillars
towards
you
know.
New
activity
streams
would
be
if
any
of
the
chairs
or
the
tech
leads
wanted
to.
C
You
know,
set
up
a
a
breakout,
and
you
know
brent
is
probably
the
the
the
best
person
to
partner
with
on
this
and
maybe
go
through.
Do
some
issue
triage
and
you
know
work
on
that.
You
know
that
that's
an
area
of
need,
there's
no
formal
definition
around
that.
Yet
it's
it's
largely
been.
You
know
the
tech
lead
stepping
in
and
you
know
taking
care
of
it
and,
and
you
know
the
the
co-chairs
to
ratifying
things
and
and
proposing
things.
C
A
I
reach
out
to
you
specifically
or
brandon,
for
example.
I
was
thinking
I
could
just
reach
out
via
slack
after
this
meeting
and
it
this
resonates
with
the
question.
Another
attendee
had
just
the
other
week,
and
that
was
how
do
we
sort
of
join
in
like,
for
example,
on
a
review,
even
if
we're
just
an
observer.
So
that
way
we
can
sort
of
learn
it
the
first
time
and
not
ask
silly
questions
or
slow
down
other
people
by
treating
it
like
an
academic
training
exercise
rather
than
what
it
is.
A
security
review.
E
D
Yeah,
I
would
say
also
like
I
feel,
like
we
initially
started.
Kind
of
the
initial
idea
was
most
of
the
communication
would
be
in
the
issues
themselves,
but
it
seems
like
over
the
course
of
the
past
year.
There
seems
to
be
like
a
huge
explosion
of
the
number
of
issues,
so
it's
becoming
a
bit
difficult
to
track.
I
mean
a
ton
of
people,
have
different
ideas
and
stuff
like
that,
so
so
yeah,
maybe
it
sounds
like
like
like
we
can
do
some
maybe
have
a
label
on
certain
assessments.
C
C
A
Yeah
sure,
well,
at
the
very
least,
I'll
definitely
be
reaching
out
to
both
uv
slack
afterwards
to
tee
up
again
all
right.
So
I
think
we
have
enough
time
for
everyone
to
hop
on
board.
We've
got
critical
mass,
I'm
just
going
to
quickly
go
through
the
attendance
and
I'll
just
paste.
The
attendance
link
here
in
the
chat
in
case
people
that
joined
after
I
first
pasted.
A
Okay
in
terms
of
what
we
have
here,
you
know
what
I'll
go
through
the
new
attendees
at
the
end.
Just
because
I
see
a
lot
of
names
popping
up
here,
we'll
go
through
sigs
first
actually,
for
I
don't
know
why
I
always
delays
each
time.
Scribes
is
there
anyone
that
would
like
to
volunteer
to
be
scribes
or
meeting
minute
takers
for
today.
A
A
C
F
F
Is
it
mean
because
I
made
like
a
proper
security
assessment
for
key
clock
request
with
hold
the
write-up,
but
so
long,
but
at
the
same
time
there
is
nothing
written
there
that
that's
that's
exactly
what
is
meant,
and
so
I
know
it's
boundary
wise.
It's
hard
to
expect
security
right
now
to
do
a
proper
assessment.
F
C
Great,
so
let
me
separate
a
bit
the
you
know
the
sandbox
proposal,
changes
and
ski
globe.
You
know
key
cloak
decks
and
a
couple
other
projects
are
in
our
queue.
You
know
I've,
unfortunately,
both
of
my
co-chairs.
Sarah
allen
is
sick
and
jj
is
stuck
in
india,
so
you
know
kind
of
at
the
the
top
of
the
food
chain.
C
I
have
a
bit
of
a
you,
know,
leadership
and
bandwidth
organizational
challenge
right
now,
so
getting
through
that
and
I
apologize,
you
know
for
any
delays
that
that's
created
on
your
end.
You
know
where
brandon
was
was
with
the
new
proposal.
You
know
proposing
that
we,
you
know
potentially
lighten
up
how
we
approach
folks
going
into
sandbox,
and
you
know
make
that
you
know
much
more
of
a
self-assessment.
You
know
less
of
a
a
guided
process.
C
We
have
you
know
kind
of
one
core.
You
know
well
oiled
process
with
the
security
assessment,
which
is
a
different
workflow
different
concept
than
you
know.
What
you'll
get
with
a
formal
security
organization
we're
not
going
through
and
going
to
provide
you
with.
You
know
penetration
tests
and-
and
you
know
all
of
the
artifacts
that
you
would
get
from
you
know
paid
you
know,
twenty
thousand
dollar
investment
into
you
know
getting
a
proper
security
assessment.
C
You
know
what
we
provide
is
you
know
in
a
community
of
experts.
We
help
you
prepare
in
your
journey
through
the
cncf
to
you,
know,
sort
of
partner,
coordinate
with
all
the
other
projects
and
make
sure
that
you
have
clear
talking
points
and
coordination
points
around
your
your
security
parameters.
So
it's
a
bit.
You
know
our
security
assessments
a
bit
of
a
different
beast.
C
You
know
that,
has
you
know
a
similarly,
you
know
named
named,
you
know
referring
to
it,
but
you
know
having
having
gone
through
and
you
know,
work
with.
You
know
a
number
of
projects,
including
you
know,
security
products,
everyone's
come
through
the
the
security
assessment
journey
and
been
like
wow.
That
was
a
journey,
but
also
you
know
feeling
way
more
prepared
to.
You
know
address
all
of
the
concerns,
so
you
know
that.
That's
that's
my
high
level.
C
A
F
I
I
guess
that
was
not
my
question,
so
I
I
do
understand.
Currently,
I
was
looking
at
the
current
assessment
process
and
I
did
the
proper
application.
I
was
looking
at
the
previous
one,
so
I
I
do
understand
that
the
difference
between
assessment
and
the
all
that
you
know
kind
of
like
what's
basic
security
approach
here
and
I
think
that's
that's
a
good
approach.
My
question
is
okay,
say
a
project
applies
to
incubation.
Let's
not
mess
up
with
sandbox
right
now
so
and
toc
was
okay
and
we
want
seek
security
recommendation
for
this
project.
C
F
C
G
G
So
it's
almost
like
you
know
you
you
hear
of
the
people
that
say
well.
I
went
to
the
psychologist
and
didn't
really
help
me.
All
they
did
was
have
me
talk,
and
then
I
helped
myself
and
you
know
so.
There
is
an
aspect
of
that
to
it
too,
where
it's
something
where
the
process
of
you
going
through
a
process
about
reasoning
about
the
things
you
have
to
to
give
us
that
information
has,
in
many
cases,
cause
projects
to
find
serious
security
issues
in
things
they're
doing.
F
F
So
my
concern
is
essentially
following
catch-22
situation:
where
to
move
forward
with
incubation
process,
let's
say
I'm
being
asked
by
toc
to
get
a
recommendation
from
seek
security,
which
is
a
security
assessment,
but
then
six
security
having
a
bandwidth
capabilities
like
it
has,
will
struggle
to
actually
pro
process
the
assessment,
because
there
will
be
more
priority
higher
priority
projects
in
the
queue
I
know.
Current
situation
is
special.
We've
covered
no,
no,
no
deny
like.
G
G
G
If
you
look
online,
a
lot
of
those
projects
are
have
had
situations
where,
for
instance,
they
were
very
actively
doing
things
and
then
you
know
covid
hit
and
everybody
started
to
do
social
distancing
and
the
person
who
was
working
on
it
all
of
a
sudden
had
different
priorities
and
basically
said
like
hey
from
the
project
side.
We
can't
do
anything,
I'm
not
aware
of
a
project
that
is
like
waiting
on
us
to
do
anything
at
this
point.
G
D
D
F
F
F
Yeah
there
is
a
bit
of
you
know,
there's
I
I
recognize
there's
a
bit
of
uncertainty
like
are
you
supposed
to
come
to
coc
with
recommendation
or
do
I
need
to
come
to
toc?
And
one
of
I
need
to
have
like
at
least
one
sponsor,
and
then
this
sponsor
needs
to
go
to
you
kind
of
like
okay.
Please
take
a
look
at
this
project.
C
Oh
good,
you
know
just
sort
of
in
the
interest
of
you
know.
Looking
toward
the
you
know,
the
future
bundle
you
know
the
in
in
the
next
month.
You
know
how
how's
your
schedule
and
your
team
schedule.
Looking
now.
Does
it
look
like
you
know,
there's
an
opportune
opportunity
to
work
through
the
assessment
process.
C
C
I
come
from
school
great.
Well,
I
I
have
to
you
know
triage,
you
know
key
poke
decks
and
I
think
one
more
project
in
terms
of
you
know
what
we
begin
to
slot
in,
and
you
know
honestly
showing
up
at
meetings,
and
you
know
advocating
for
your
project
and
you
know,
beginning
to
coordinate
with
our
assessment
leaders
is
the
best
way
for
me
to
you
know
to
push
that
forward.
So
you
know
thank
you
for
showing
up.
C
Thank
you,
for
you
know,
sharing
your
experience
and
your
concerns,
and
you
know
I'll
I'll
try
to
get
that
unblock,
and
you
know
beyond
that
also
be
working
with
amy
to
to
make
sure
that
we're
you
know
working
out
the
kinks
in
this
new
pivot,
towards
you
know,
making
sure
that
the
things
are
you
know
since
we're
you
know
critical
path.
Now
you
know
I
I
need
to
make
sure
that
we're
you
know
aligning
and
communicating
on
on
the
those
coordination
points
a
bit
more.
G
G
You
don't
have
to
have
done
an
assessment
before
to
participate,
but
if
you
might
be
tapped
for
to
be
the
lead
security
reviewer,
then
you
would
have
had
to
have
done
a
a
prior
assessment.
So
you
know
please
volunteer
it's
a
good
way
to
get
some
experience.
Doing
something
you
know
that
you
know
is,
is
obviously
a
really
important
part
of
our
community
and
a
really
important
important
part
of
judging
the
security
of
products
and
projects
everywhere.
A
G
B
A
G
I
don't
really
know
what
the
what
the
problem
is.
Honestly,
I
I
registered
like
zoom
sucks
as
my
username
and
some
other
things
like
that,
but
this
same
id
and
everything
works
on
every
other
zoom
call
I
get
randomly
invited
to
which
I
get
invited
to
them.
I
don't
know
a
couple
times
a
day,
so
I
don't
really
know
why.
G
So
I
don't
know
what's
going
on,
but
I
would
I
had
brought
up
the
issue
weeks
ago
and
there'd
been
a
lot
of.
I
think
positive
mentions
that
we
should
maybe
move
away
from
zoom
and
I'd
like
to
just
renew
that
now
that
I
am
able
to
actually
in
some
limited
form,
be
able
to
call
in,
but
it's
unfortunate
not
being
able
to
see
who's
speaking
or
any
you
know,
or
things
like
that,
which
I
feel
is
a
big
hindrance.
C
H
C
Right
yeah,
I
mean
you
know
getting
getting
to
the
alternative
and
working
through
all
the
issues.
You
know
I'm
happy
to
have
that,
be
you
know
longer
running
workflow.
You
know
the
the
easiest,
the
easiest
sort
of
incremental
move
right
now
is:
you
know,
making
sure
that
the
web
links
work
and
have
whatever
password
or
whatever
you
know
the
new
zoom
policies
require.
C
You
know,
connect
it
up,
so
you
know
justin.
I
I
think
you
know,
including
a
link
to
the
you
know.
Web
client
and
you
know
maybe
a
a
note
as
to
why
we
recommend
the
web
client.
You
know
will
be
great,
and
you
know
I'm
happy
this.
This
link
is,
you
know
the
the
whatever
is
the
meeting
id
main
meeting
default
meeting
id?
C
C
Right
just
get
you,
you
know
logged
in
and
figure
out.
You
know,
there's
some
really
goofy
steps
that
you
know
I
was
reading
about
in
in
terms
of
logging
on
with
the
web
client,
where
you
have
to
sort
of
dodge
and
weave
all
the
attempts
that
zoom
is
trying
to
get
you
to
shuttle
you
towards
the
desktop
client.
A
It
doesn't
seem
too
hard
to
set
it
up
in
a
docker
container
for
linux,
even
though
it's
a
graphical
application
zoom.
But
then
it's
a
container
so
windows
users.
Well,
I
think
you
can
use
linux
on
windows,
but
not
windows
on
linux,
but
there's
some
headaches
involved,
and
then
I
looked
at
vm
based
approaches
and
the
only
windows
vms
that
I
could
find
are
like
these
microsoft
edge
ones
that
expire
after
90
days
and
are
more
or
less
meant
for
windows
web
app
testing,
rather
than
recreating
every
x
days
as
a
instant
messaging
client
thing.
A
So
I
don't
know
if
it's
violating
the
spirit
of
the
license
there.
So
the
ultimate
solution
I
arrived
at
was
linux
virtual
machine
and
linux
in
general,
without
starting
a
flamework.
So
if
we
wanted
to
prepackage
them,
that's
I
think
the
only
medium
I'd
recommend,
because
the
second
we
have
more
than
one
image.
Why
is
it
ubuntu?
Why
isn't
it
fedora?
Or
can
you
help
me
debug
problem
xyz?
No,
no!
We're
not
zoom
support,
so
I'm
happy
to
still
put
together
a
linux.
A
G
G
I
I
think
I
I
don't
know
I
don't
because
like
I
would
want
to
do
it
myself,
I'm
actually
already
running
virtual
machines
for
other
things,
and
I
sort
of
don't
have
enough
memory
left
to
run
to
yet
another
virtual
machine
to
just
handle
zoom
so
like
when
I
have
to
do
that
for
webex.
For
instance,
I
have
to
shut
down
a
bunch
of
other
stuff
and
it's
just
a
pain
in
the
ass.
A
A
Would
it
be
just
busy
work
or
is
there
any
merit
and
throwing
together
like
a
maybe
the
term
would
be
meta
assessment
like
some
sort
of
short
report
that
says:
here's
the
clients,
we
considered,
here's,
the
security,
here's,
the
usability,
here's
the
practicality
and
if
we
decide
to
move
away
from
zoom
we
have
that
like
does
that
need
to
be
formal
or
clinical?
Should
we
make
something
like
that
or
just
say:
no,
let's
just
use
tool,
xyz
change
our
youtube
upload
scripts
and
be
done
with
it.
G
No,
I
I
think,
there's
merit
in
that.
I
think
I
created
a
while
ago
that
I
think
someone
said
that
they
had
put
in
the
chat
there
talking
about
looking
at
alternatives
to
zoom.
That's
exactly
what
we
really
should
do,
and
so
you
know
anybody
just
kind
of
starting
to
add
the
things
that
they've
noticed
and
their
thoughts
and
because
you
know,
I'm
also
some
of
the
usability
things
I'm
not
as
as
certain
like.
G
If
google
has
a
way
to
let
you
automatically
record
meetings,
but
I
know
that
they've
recently,
with
with
the
way
they're
doing
like
the
new
google
meet
thing,
they're,
making
it
a
lot
more
like
zoom
in
terms
of
security
and
ease
of
access,
and
they
don't
require
any
browser,
support,
I
think
or
anything
other
than
your
your
browser.
They
don't
require
you
to
install
things.
Unless
maybe
you
do
some
kind
of
desktop
sharing
or
something
I
don't
even
know.
G
A
And
then
one
other
thing
is:
if
we're
going
to
do
that
kind
of
comparison,
are
there
any
things
that
we
have
to
sort
of
for
the
sake
of
responsible
disclosure
to
keep
a
lid
on
like,
for
example,
if
I
just
took
a
bunch
of
chat,
client
apps
right
now
and
through
ldd
and
strings
and
such
at
it
and
found
a
certain
library,
statically
linked
that
should
never
be
statically
linked.
Can
we
put
stuff
out
there?
H
C
Yeah,
I'm
I'm
not
worried
about.
Well,
I
am
worried
about
disclosure.
I
think
it's
an
important
consideration,
but
this
forum
is
a
public
forum
and
it
should
not
be
considered
a
you
know,
a
private
forum
where
you
can
disclose
you
know
any
any.
You
know
security
concerns
like
that
and
would
advise
anyone
who
has
that
to
you
know
reach
out
to
any
of
the
chairs
or
or
the
tech
leads,
and
you
know
schedule
an
offline
conversation.
C
G
A
I
A
Okay,
thank
you
all
right
now.
I
don't
believe
there
are
any
updates,
but
we
do
have
a
few.
I
think
new
attendees
here
so
I'll
just
quickly
call
out
your
name.
If
you
don't
want
to
be
called
out,
you
can
just
ping
me
or
raise
hand
via
chat
or
just
quickly
say
no
update
via
voice
and
we'll
skip
on
to
the
next.
So
first
year
I
see
in
my
list
is
matt
hamilton
good
day,
matt.
E
E
J
J
J
A
A
C
Thanks
brandon
yeah,
I
went
through
that
we
could
check
off
harbor.
Thankfully
that
was
great
and
you
know
we
are
perilously
close
to
you
know
pushing
past
our
initial
five
yeah.
I
do
feel
like
we,
we
could
potentially
short-circuit
this
and
you
know
with
the
proposal
in
place.
You
know
it's
a
good
time
to
you
know
advocate,
for
you
know
the
introduction
of
a
security
assessment.
You
know,
as
this
is
all
changing,
so
you
know
why
don't
we
add
this?
C
As
you
know,
an
item,
a
discussion
for
next
week's
chair
and
tech
lead
meeting
and
you
know
we'll
talk
through.
You
know
whether
we
want
to
push
now
and
you
know,
get
get
security.
You
know
in
front
of
everybody.
No,
I
I,
I
think
we're
we're
we're
ready.
So
you
know
that
that's
what
I
think
good
work
yep.
That
sounds
good.
D
C
K
I
was
unclear
if
it
was
on
the
table
for
a
smaller
assessment
or
something
slightly
a
kilter
for
application
for
sandbox
or
whatever
versus
you
know
pursuing
graduation.
It's
so
it
seems
like
the
advantage
of
doing
the
same
assessment.
Early
and
late
is
night
to
compare,
and
maybe
the
detriment
is
that
it's
a
little
top
heavy
slash.
K
Maybe
it's
a
different
audience:
the
assessment,
the
bigger
assessment
so
to
speak.
I
just
wasn't
sure
where
that
landed.
I
read
through
the
sandbox
proposal
stuff
and
it's
kind
of
unclear
to
me
what
the
whole
thing
is
about,
but
that's
sort
of
a
question
sort
of
a
statement,
everyone's
happy
with
the
current
security
assessment
and
that's
going
to
be
the
assessment
that
applies
to
sandboxing.
Is
that
the
end
state.
C
C
You
know
you
you've,
you
know
gotten
a
sense
of
the
journey
that
you'll
go
through
with
assessment
partners.
As
you
approach,
incubation
or
graduation,
and
you
know
we
already
have
an
expectation
with
the
attestment
that
there's
an
annual
renewal.
So
you
know
that's
gonna,
you
know
what,
whenever
you
sort
of
get
on
the
train,
you're
going
to
be,
you
know
kind
of
in
a
in
a
trained
workflow,
so
you
know
the
the
the
delta
that
is,
you
know,
kind
of
in
this
in
initial
discussions
on
the
table.
C
Is
you
know
what?
If
we
we,
you
know
made?
You
know
the
sandbox
out
of
things
just
a
little
bit
easier.
You
know
both
on
our
side
in
terms
of
you
know,
level
of
effort,
and
then
you
know
it's
a
bit
more
of
a
a
check.
Boxing
exercise
on.
You
know
the
other
team
side,
though
you
know
I.
I
think
that
if
you're,
you
know
you're
really,
you
know
stopping
and
thinking
about
it.
C
It
might
be
a
little
bit
more
than
you
know,
just
a
a
checkpoint
and
a
checkbox
and
we'll
have
to
also
see
you
know.
Once
we
put
out
a
proposal
to
to
do,
you
know
just
you're
on
your
own,
you
know
how
whether
we
actually
are
able
to
you
know
let
folks
you
know,
work
independently
and
not
get
pulled
into
you
know.
Basically,
you
know
having
to
to
allocate
the
the
level
of
time
and
effort
that
that
we'd
have
on
a
full
assessment.
D
Yeah
and-
and
I
think,
according
to
the
new
proposal-
which
I
don't
know
when
it's
gonna
actually
take
effect
on
how
many
changes
are
gonna
be,
but
with
the
new
sandbox
proposal,
actually,
six
are
not
involved
until
the
incubation
process,
so
this
definitely
will
will
make
things
simpler,
at
least
for
the
sandboxing
process.
For
us
to
not
have
the
requirement
and
not
have
that
kind
of
that,
the
huge
hotel
I
want
to
actually
do
assessment
yeah,
I'm
not
sure.
K
Okay,
thank
you
yeah.
I
I
mean
thoughts
on
that
are
essentially,
if
there's
no
preview
so
to
speak,
then
they
get
pretty
far
down
the
line
and
get
hit
in
the
face
with
a
10-ton
hammer.
That's
it
that's
a
negative
right
and
in
another
world
in
my
life
we
have
two
sort
of
assessments,
one
we
call
a
security
preview
where
the
the
pe
and
review
is
product
or
process.
K
I
don't
remember
what
the
three
ps
are,
but
anyway
we
have
a
security
preview
and
then
we
also
have
a
security
readiness
review
right
and
readiness
reviews.
Basically
we're
shooting
you
out
the
door,
and
you
should
have
pen
to
paper
and
code
review
and
all
that
jazz,
whereas
a
preview
could
be
partially
conceptual.
You
know
there's
at
least
poc
there's
there's
it's
got
legs
but
whatever,
but
we
kind
of
treat
them.
K
C
You
know
matthew
rather
than
putting
in
dms.
You
know
it'd
be
more
convenient
for
me
if
you
dropped
it
into
think
security.
That
way,
you
know,
if
I
don't
happen
to
see,
you
know
the
slack
notification
you
know,
maybe
if
brandon's
online
or
you
know,
whoever
else
is
available
to
facilitate.
You
know
that
individual
could
could
raise
their
hand.