►
From YouTube: CNCF SIG Security 2020-09-23
Description
CNCF SIG Security 2020-09-23
A
A
A
B
C
C
D
B
C
C
E
Yeah,
I
just
had
a
quick
update
on
the
key
club
assessment,
so
the
pr's
open
for
reviews
and
suggestions.
So
if
you
all
are
interested
in
adding
your
comments,
please
do
so.
I'm
gonna
paste
the
pr
link
in
the
chat
for
those
interested
and
yeah
feel
free
to
add
your
comments
and
yeah.
That's
pretty
much
it
that's
my
update.
C
A
So
this
is
from
the
readme
security
assessments
are
a
collaborative
process
for
the
benefit
of
the
cloud
native
projects
themselves
and
prospective
users
by
creating
a
consistent
overview
of
the
project
and
its
risk
profile.
Justin
is
the
security
assessment
facilitator,
which
means
he
runs
the
process.
I
am
a
co-chair
for
each
ongoing
project.
At
six
security
we
have
a
co-chair
representative
so
that
I'm
responsible
for
like
communicating
to
the
toc
and
the
outside
world
who's
has
any
concerns
about
this
and
escalating
things
up
or
down.
A
You
know
I
don't
want
to
really
say
up
or
down
but
across
to
the
broader
organization
and
to
the
review
team,
and
vice
versa,
I'm
also
responsible
for
reviewing
every
for
generally
being
the
go-to
chair
for
a
review
of
security
assessments.
Although
jj
has
done
a
couple
either
when
I
served
as
a
reviewer
or
was
on
a
leave
of
absence
this
summer,
so
the
history
of
the
process
in
early
2019,
we
were
getting
requests
from
the
toc
for
evaluating
projects,
primarily
ones
that
had
not
yet
come
to
the
cncf
and
justin
capos.
A
Who
had
done
this
as
a
toc
contributor
previously
for
he'd
actually
done
it.
I
think
for
spiffy
inspire,
maybe
another.
He
did
a
first
cut
at
like
what
our
process
could
be,
that
a
any
number
of
people
could
follow,
and
so
we
generally
thought
this
was
a
good
idea.
We
liked
his
process,
but
the
pr
you
know
got
into
the
weeds
for
many
months.
A
While
there
were
many
ideas
that
would
be
improvements
to
that
we
put
those
on
the
table
and
that
we
would
do
five
reviews
and
then
review
what
works
and
what
doesn't
so.
We
merged
the
pr
in
early
may
with
a
number
of
open
issues,
and
I
linked
to
the
ones
that
were
open
at
that
time
in
case
anybody's
curious,
so
and
then
in
may,
justin
reviewed
the
what
we
were
doing
at
the
kubecon
session
and
then
up
now.
We
have
four
completed
and
a
couple
in
progress.
A
A
The
private
project
lead
provides
a
draft
document.
What
we
call
a
self-evaluation
and
there's
an
outline
for
that?
There's
a
naive
question
phase,
where
the
lead
security,
reviewer
or
their
delegate
asks
clarifying
questions
so
that
you
know
we
have
a
complete
artifact
and
then
the
security
review
team
does
a
close
read
asks
questions
typically
comments
in
the
google
doc
request.
A
Revisions
usually
like
more
detail
on
this
item
confused
by
that
and
there's
a
back
and
forth
for
the
project
lead
and
then
there's
a
presentation
and
discussion
at
the
sig
security
meeting,
usually
some
further
revision
and
we
do
a
summary
assessment
where
it
takes
a
bit
of
work
to
get
on
one
slide.
An
overview
of
this
thing
that
seems
to
have
value
to
the
toc,
because
for
every
one
of
these
we've
actually
done
a
presentation,
and
that
seems
to
go
over
well.
A
So
when
we
to
get
unstuck,
we
all
met
together
at
dockercon
in
2019,
where
most
of
us
happen
to
be
there
who
were
kind
of
scrubbing
in
on
this
process,
and
we
came
up
with
this
timeline.
So
one
of
justin's
key
concerns,
which
I
thought
was
really
good,
is
that
we
should
have
like
these
things.
Shouldn't
stretch
on
take
forever,
we
should
be
able
to
somebody
signs
up
as
a
reviewer.
A
We
should
be
able
to
say
it's
going
to
take
this
much
calendar
time
and
this
many
hours
to
get
this
done,
and
maybe
it's
a
little
more
at
the
beginning,
but
we
should
be
able
to
get
a
reproducible
process.
So
we
realized
later
that
dumb
questions
was
an
appropriate
way
to
phrase
this,
but
the
idea
being
we'd
spent
a
couple
of
days
just
asking
these
naive
questions
of
like
wait.
A
A
So
we
could
get
to
the
point
where
a
future
requirement
of
security
assessments
is
that
you've
participated
in
a
prior
assessment.
But
how
do
you
bootstrap
that
so
one
of
the
things
that
I'm
super
excited
about
is
we
did
a
really
good
job
with
this?
I
think
and
I've
I'm
of
course,
speaking
from
perspective
of
having
participated
in
almost
every
review,
so
I'm
really
interested
in
hearing
other
people's
thoughts
on
how
it
went
for
them.
A
At
the
same
time-
and
I
I
remembered
that
robert
was
participating
in
an
earlier
review,
but
he
might
have
been
shadowing,
but
in
any
case
we
did
do
a
good
job
of
having
consistencies
and
we
decided
that
if
you
were
a
project
lead,
you
really
got
the
review
process
and
then
you
could
lead
a
review
and
it's
exciting
that
ash,
who
I
think
is
also
here.
Maybe
here
today.
Yes,
I
heard
you
announce
yourself,
is
you
know,
leading
a
review
now?
A
A
So
I'm
going
to
go
through
these
quickly
just
and
then
we
can
come
back
for
any
questions
if
or
points
of
discussion.
So
then
justin
I'll
just
you
know,
go
over
this
according
to
what
I've
heard
from
justin
and
what's
written
on
the
slide,
so
justin's
reporting.
What
seems
to
be
working
is
that
the
completed
assessments
are
valuable
to
the
projects.
It
scares
scales
fairly
well
and
seems
like
the
review,
is
not
too
burdensome
for
the
reviewers
and
both
the
project
and
the
assessors.
A
The
security
reviewers
get
to
explain
issues
in
their
own
words,
so
that
you
get
the
sort
of
perspective
on
security
from
different
voices.
What's
not
working
so
well
is
project
and
reviewers
tend
to
drop
in
and
drop
out.
He
has
a
question
about
toc
requirements
which
I'll
address
later
in
the
presentation,
and
assessments
vary
in
the
level
of
detail
and
the
type.
So
some
things
go
more
into
threat.
Modeling
some
have
more
user
guidance
review.
A
A
What's
working,
I've
also
participated
in
hearing
from
the
toc
on
each
one
of
these
and
gotten
positive
feedback,
both
during
the
meetings
where
these
things
are
presents
and
offline
people
have
mentioned
to
me,
I
find
that
the
consistent
assessment
outline
means
that
doing
a
second
or
third
review
as
a
security
reviewer
makes
it
much
easier
to
like
just
go
through
and
do
the
review.
Also,
when
I
go
back
and
think,
oh
my
gosh,
what
was
that
project
exactly?
A
How
would
I
describe
it
to
somebody
like
it
make
reference
really
easy,
because
I
can
go
right
to
the
section.
I
don't
know
whether
it'll
be
interesting
to
see
whether
other
people
read
many
reviews.
Besides
the
co-chairs
of
six
security,
but
one
of
the
things
that's
working
is
we've
had,
and
you
know
we
at
the
very
beginning
were
like
well,
people
really
want
to
do
this.
You
know:
will
this
be
a
burden?
People
do
this
for
their
jobs.
Will
they
want
to
volunteer?
A
I
think
has
really
worked
for
me
in
terms
of
being
helping
that
communication
outward
inward,
so
not
working
so
much
the
lack
of
clarity
between
the
security
assessment
and
the
what
the
cnc
of
due
diligence,
some
of
that
has
been
their
process,
has
evolved.
So
we've
kind
of
had
to
absorb
a
little
bit
of
evolution
there.
A
That
hasn't
always
felt
so
great
to
the
projects,
but
we're
working
on
it
and
I'll
talk
about
that
more
in
a
bit
and
then
the
lack
of
consistent
execution,
some
of
the
sometimes
it's
individual
people
dropping
in
and
out
as
justin
mentioned,
and
sometimes
there's
been
process
confusion.
One
person
is
waiting
for
the
other
person
to
do
something
and
we're
just
like
wait.
It's
been
three
weeks
what's
going
on
or
a
month
and
a
half
so
so
I
think
there's
been
some
improvements
and
there
could
be
some
more
so.
B
I
wanted
to
just
go
ahead
and
kind
of
just
since
one
of
his
not
working
points
was
that,
like
there
was
like
a
different
different
assessments,
kind
of
looked
a
little
bit
different.
I
think
I
just
wanted
to
point
out.
Is
it's
not
that
you
know
some
assessments
were
lacking
in
certain
areas?
It's
just
that
some
projects
kind
of
already
had
prior
work
done
in
certain
areas,
so
they
just
like
had
a
much
more
expensive
amount
of
content
there.
So
I
I
think
it's
kind
of
like
every
year.
B
A
Typically,
the
project,
the
security
review,
lead
to
review
the
self-assessment
and
really
go
through
it
in
detail
has
really,
I
think,
helped
because
one
is
like
you
get
this
sort
of
unfiltered,
unbiased.
Everybody
reads
the
same
thing
for
the
review
team
and
it's
also
easier
on
people's
time.
The
30
security
assessment
queue
that
I
mentioned.
I
put
a
little
picture
of
it
here.
Having
a
blocked
column
makes
it
clear
which
things
are
in
the
backlog,
meaning
they're.
A
We
don't
have
the
bandwidth
to
do
them
for
whatever
reason,
because
we've
been
trying
to
only
have
one
in
process
at
a
time,
but
we
sort
of
relax
that
lately
and
which
ones
are
blocked
because
they're
missing
a
component
and
typically
this
has
been
the
self-assessment
which
wasn't
clear
at
the
beginning
right.
It
wasn't
clear
that
that
would
be
the
time-consuming
bit
and-
and
I
think,
there's
process
improvements.
A
We
could
do
for
that
as
well
and
then
there's
a
done
column,
which
I
didn't
illustrate
because
it's
less
exciting,
although
I'm
super
excited
about
it
and
then
the
other
thing
is.
We
added
was
the
intake
process,
which
was
kind
of
started
before
this
assessment
queue
because
people
were
like
well,
I
don't
want
to
do
my
selfie
vowel.
A
If
I'm
going
to
be
like
sitting
there
waiting,
you
know
and
what's
going
to
decide
what,
if
we
have
two
projects
ready
at
the
same
time
and
only
one
review
team
again,
this
is
from
when
we
felt
like
the
review
team
was
a
scarce
resource
and
which,
right
you
know.
I
think
things
are
a
little
different
now,
but
it
was
a
healthy
process.
A
A
A
And
you
know:
should
somebody
recuse
themselves
and
then
it
was
like
you
know
like
we,
no
need
waiting
will
be
kabits
about
it,
while
other
people,
you
know
other
things-
would
move
forward
without
discussion
of
something
that
was
maybe
as
significant.
So
I
wrote
up
something
at
the
toc
level.
Brendan
did
a
nice
pr.
We
actually
still
have
an
open
issue
where
things
need
to
be
clarified.
A
I
noticed
some
formatting
errors
this
morning,
so
some
of
these
improvements
are
very
much
still
in
process,
but
again
there
and
then
the
big
question
is
how
does
this
fit
in
with
the
security
assessment
stages?
So
in
the
last
I
don't
know
about
six
months
ago,
the
toc
did
some
work
on
really
clarifying
these
stages.
A
It
seemed
to
be
inconsistent
for
those
of
us
who
aren't
you
know
in
every
tsc
meeting,
and
so
this
this
clarified
it
for
us
a
lot
which
was
great.
But
how
does
this
relate
to
our
assessments?
Well,
first,
before
we
get
to
the
assessments,
the
cncf
pays
for
a
third-party
security
audit,
which
is
like
some
traditional
security
audit,
with
like
penetration
testing
and
code
inspection
and
like
ticking
all
those
boxes
during
incubation
as
a
prerequisite
to
graduation.
A
So
that's
important
to
know
that
that
takes
place
and
has
taken
places
for
half
a
dozen
projects
and
there's
an
open
issue.
They're
supposed
to
be
listed
in
our
repo
and
we've
been
working
on
finding
them
collecting
them.
So
so
what
we've
agreed
on
so
far
last
year
with
chris
a
who
does
up
a
lot
of
the
operations
for
cncf.
A
Is
that
it
when,
when
a
new
project
requests
an
audit,
he
will
tell
them
that
they
need
to
do
their
security,
a
sig
security
assessment
first,
so
that
that
ends
up
being
a
feeder
for
the
audit.
It
should
make
it
so
that
the
money
spent
on
the
audit
can
be
more
efficient
right
because
they
can
take
that
as
an
input,
and
then
it
creates
a
little
pipeline.
A
So
the
sort
of
proposal
that
some
of
us
have
talked
about
is
that
we
could
make
it
so
that
the
self-assessment
is
a
prerequisite
for
incubation.
So
during
sandbox
phase,
all
projects
are
required
to
do
a
self-assessment
that
becomes
a
feeder
for
the
assessment,
which
would
then
be
something
that
is
required
for
at
graduation,
because
it's
a
precondition
to
the
audit
which
is
required
for
graduation.
So
that's
the
idea.
A
We
have
told
our
the
toc
liaisons
and
team
that
we're
not
going
to
propose
this
until
after
we
do
our
process
improvements
after
our
first
five.
So
while
we've
talked
about
this,
the
reason
it
isn't
inked
is
because
our
precondition
was
five
assessments
and
process
improvements,
and
then
this
and
some
other
things
whatever
we
determine.
So
I
think
that,
like
the
the
chairs
and
the
tl's
basically
are
like
well
we're
close
enough
we've
completed
four.
We
have
two
in
progress.
It's
long
overdue.
A
B
A
A
Oh
okay,
yeah,
so
we
get
sort
of
like
assigned
by
the
toc
here.
Are
the
projects
that
you
use
security
have
some
kind
of
oversight,
participation
with,
and
most
of
them
are
projects
that
serve
a
security
purpose.
What
we
need
with
the
assessments
called
the
security
providers
right,
they
provide
some
key
aspect
of
security,
and
so
one
of
the
you
know
sort
of
open
like
we
have
prioritized
those
projects
for
assessments
both
in
terms
of
our
outreach
and
in
terms
of
what
we
focus
on.
A
But
we
do
think
that
we've
said
that
we
want
the
assessments
to
be
done,
ideally
by
all
the
projects,
because
all
projects
have
a
security
aspect
right.
It
just
might
be
it's.
You
know
we
haven't
had
that
experience
yet
so
it
might
be
a
little
different.
You
know.
Maybe
it's
going
to
have
a
different
template.
Maybe
it's
not?
Maybe
it's
just
going
to
be
different
shape.
A
A
Should
I
move
on
to
cormac
dustin
capos's
final
thoughts,
so
justin
kapos,
not
present,
says
he's
had
a
heavily
weighted
point
voice
on
how
getting
here,
which
has
been
wonderful
right
because
he's
like
driven
us
to
actually
do
stuff
and
many
people
have
this
experience.
So
he
encourages
sig
security
to
form
a
small
subgroup
and
and
actually
revive.
You
know,
do
this
formal
revision
of
the
process
or
propose
provisions
and
he
can
be
available
for
questions
and
opinions
and
to
participate.
A
C
28
minutes
brandon
and
justin,
cormack
and
justin
campos.
If
you're
watching
this
later
for
the
presentation,
I
think
it
did
an
excellent
job
capturing
a
lot
of
the
historical
knowledge
and
contacts
that
we
just
don't
have
anywhere
in
the
repo
and
the
small
in
instances
where
it
does
exist
would
be
very
hard
to
find.
C
So
we
wanted
to
kind
of
bring
this
up
and
present
it
to
everybody,
because
there's
been
a
lot
of
questions
about
how
we
do
these
security
evaluations
or
security
assessments
for
the
different
projects
that
are
presented
to
us
and
we've
gotten
to
the
point,
as
sarah
had
indicated,
where
we've
done
enough
of
them,
but
it
and
it's
gone
on
long
enough-
that
we
feel
like
we
have
a
much
better
understanding
of
where
process
improvements
need
to
occur.
Whether
or
not
we
actually
know
what
those
improvements
explicitly
need
to
be.
C
We
want
to
kind
of
cue
up
a
working
group,
hopefully
get
volunteers
from
the
community,
and
this
is
a
great
way
to
get
involved.
If
this
is
your
first
opportunity
to
start
contributing
to
the
sake
to
to
kind
of
look
at
the
way
that
we've
done
things
and
the
processes
that
we've
had
and
how
can
we
improve
them
and
make
them
better
not
only
for
members
of
the
city
but
also
for
the
projects
within
the
cncf
that
are
moving
through
these
different
cycles.
C
So
that's
kind
of
like
the
background
for
why
we're
having
this
conversation
now
and
what
the
needs
of
the
sig
actually
are.
So
I
want
to
kind
of
open
it
up
to
any
questions
that
folks
may
have
for
the
tl's
or
the
co-chairs
or
anybody
else
with
the
history
on
this
and
then
hopefully
we
can
start
kind
of
teasing
out
the
working
group
and
a
little
bit
more
of
the
direction
for
that
to
take.
G
I
I
can
serve
the
fresh
experience
from
kiko
sites,
so
in
general
it
was.
It
was
good
and
worth
doing
like
the
outcome.
I
think,
has
a
lot
of
value,
even
as
a
reference
material
for
the
project
outside
of
getting
the
badge
of
you
know
getting
the
assessment,
I
think,
on
a
kind
of
like
what
could
be
improved.
It
has
been
time
intensive
on
the
project
side
and
I
think
I
was
wondering
is
it
a
barrier
for
for
some
of
the
project?
G
G
Then
you
know
kind
of
like
projects
with
good
community
but
more
targeted
contributions,
so
companies
showing
up
contributing
in
future,
but
not
really
stepping
up
to
do
something
more
and
then
some
projects
which
had
like
really
known
paid
like
all
of
the
maintainers,
are
doing
it
as
a
as
their
evening
or
kind
of
like
you
know,
being
engaged
outside
of
work
and
like
it.
It
wasn't
totally
like
few
days
of
real
work
to
work
on
on
the
self-assessment
part.
G
So
for
for
I
announced
some
projects,
which
has
this
kind
of
like
not
not
none
of
my
intenders
being
paid
to
to
to
work
on
the
project
and
they
have
aspirations
for
cncf
and
for
them.
I,
I
guess
it
would
be
a
hard
barrier
to
to
to
work
on
something
like
this
outside
of
the
working
hours
and
they
could
stall
so
this
and
what
was
kind
of
like
most
of
that,
it
would
be
worth
to
have
a
a
kind
of
like
time
frame.
So
it
starts
it
stops
and
like
we.
C
C
No
okay,
so
there's
currently
several
issues.
They
are
linked
from
the
september
17th
meeting,
which
brandon
I
don't
know
if
you've
pulled
them
up
yet,
but
we'd
like
to
try
to
get
a
group
of
volunteers
to
kind
of
work
on
refining
what
this
process
looks
like.
So
we
we
you've
heard
from
the
key
click
assessment
how
that
went.
We
have
plenty
of
other
videos
on
youtube
from
other
feedback
sessions
with
other
assessments
that
have
been
run
and
we've
also
got.
C
B
Yeah
and
just
to
kind
of
add
on
top
of
that,
so
I
think
what
we're
discussing
is
that
if
we
realize
that
you
know
that
that
that
there's
going
to
be
various
aspects
of
ways,
you
can
improve
the
process,
whether
it
maybe
you
know
some,
some
some
of
it
is
maybe
redefining
it
on
some
of
it.
Maybe
making
sure
that
how
to
improve
from
the
execution
and
from
kind
of
this
working
group,
we
may
split
them
into
slightly
smaller
groups
to
focus
on
whatever
people
are
interested
in.
A
Yeah,
I
was
thinking
that,
like
the
first
step
might
be
to
just
triage
things
into
like
there's
a
bucket
of
things
that
are,
this
isn't
clear.
I
don't
understand
this.
This
doesn't
make
sense
to
me
right
that
are
more
like
not.
This
doesn't
make
sense
to
me,
but
like
clearly,
it's
not
documented
well
right
in
certain
places
and
then
there's
other
issues
which
are
like
in
conflict
with
each
other.
A
What
do
we
think
you
know
and
and
then,
if
that
group
can
get
aligned
or
not
right,
at
least
tease
apart
the
big
questions
and
then
present
back
to
this
group
and
say:
okay,
we
considered
a
b
c
d
e
f
and
we
think
d
and
f
are
good
big
changes
or
we
considered
all
these
things,
and
actually
we
fundamentally
think
it's
reasonable
with
these
tweaks
or
whatever
right
and
then
go
forth
and
as
important
part
of
process
is
like
having
it
all
written
down.
Well,
so
that
people
don't
get
confused
in
the
future.
C
Yeah,
so
I
linked
the
issue
167,
which
is
the
source
issue
to
do
that.
First,
five
improvements
process.
So,
if
they're
and
it
looks
like
there's
quite
a
few
people
that
are
interested
in
contributing
to
this-
which
is
excellent,
happy
to
hear
that,
if
you
all
can
comment
on
the
ticket
that
way
we
we
know
who's
interested
in
joining
this
up
and
we'll
also
post
it
in
the
sixth
security
channel
as
well.
For
anybody,
that's
not
on
the
call
today
to
kind
of
start,
consolidating
that
sarah
do.
A
C
A
F
H
H
G
A
There's
a
there's
a
one
slide:
it's
very
challenging
to
go
into
that
one
slide,
but
the
lead
security
is
responsible
for
creating
that
slide
and
then
the
presentation
like
half
the
slide
is
the
project
saying
their
thing
and
half
the
slide
is
what
the
sig
says
so,
depending
on
how
much
time
we're
allotted
one
person
might
give
the
whole
thing,
but
it's
important
that
a
person
from
the
project
and
a
person
from
the
review
team
be
there
in
case.
There's
questions
on
either.
A
I
have
an
announcement
go
ahead,
sir,
so
we
have
nominated
emily
as
a
new
co-chair
and
the
official
and
that's
been
that's
the
current
chairs,
including
dan.
His
official
term
has
ended.
We
have
a
little,
not
quite
overlap,
and
the
toc
liaisons
have
all
approved
this,
and
so
there
is
a
the
process.
Is
that
two-thirds
of
the
toc
needs
to
vote
on
any
sig
chair?
So
the
nomination
has
happened,
it's
linked
in
the
notes
and
in
the
slack
channel,
so
that
toc
generally
really
likes
it
when
the
community
says
stuff.
A
So
please,
you
know
specific
comments
are
welcome.
You
know
and-
and
you
know
chiming
in
on
the
thread-
I
think
you
might
have
to
be
a
member
like
sign
up
for
the
toc
list
to
come
in,
but
I
just
want
to
make
sure
everybody
was
aware
that
that's
in
process
yeah,
that's
my
announcement.
Oh
and
dan's
here
I
did
also
want
to
say
thank
you.
Dan
for
dan
was.
A
Chairs
of
what
was
originally
the
safe
working
group
secure
access
for
everyone,
or
something
like
that.
I
think
we
had
different
opinions
about
what
the
acronym
stood
for
and
then
it
became
sick
security
as
cncf
and
dan.
It
has
been.
I
didn't
know
dan
when
we
started
this
process,
so
it's
been
wonderful,
getting
to
know
you
and
working
with
you
and
thank
you
so
much.