From YouTube: CNCF SIG Security 2020-09-30
A: Morning, afternoon, evening, team. We'll wait for a few more minutes and then we'll get started. This is JJ.

B:

D:

E: Yeah, this is... this passcode thing. This is the first time I've got the prompt, oh.

D:

F: That's going to be, in the long run, I mean, actually writing the password next to it, and the text is probably more effective. Yeah.

A: Yeah, awesome. All right, let's get started. I will need two scribes. I took some... looks like, click on and subscribe. Thank you. Anyone? Any update? Anyone volunteering for...
A: Scribing. So we have a few things that I think we would want to cover. Please, everyone, mark your attendance and then mark if you have any updates that are going on.

A:

I: Yeah, sure. So I'm new. I'm Tanner Randolph, I'm a senior manager for cloud security architecture and DevSecOps architecture at Lowe's. We're a big fan of CNCF.

I:

C: I think I'm the next one who joined. I wasn't sure if I'm the only one. Hi everyone, my name is Celine Estroff. I am with ByteDance. Probably some of you heard about this, but if I say TikTok, probably everyone will stall and start smiling.

C: I am an engineering manager there, working on security infrastructure and infrastructure security in general, a big fan of SPIFFE and SPIRE, and yeah. We were building lots of new stuff and all the infrastructure, and being early adopters of lots of CNCF projects, but I'm more on the security side. So I thought my points might be valuable for the different things we are working on here. So this is why I decided to join, and I'm looking forward to learning from all of you guys.

J: I am Trishank, not entirely new, but I'll introduce myself again. I'm a security engineer at Datadog and I'm involved with some CNCF security projects like TUF and Notary v2, CNAB. I know some of you folks here; nice to see you again, and nice to see all of you who are new. I'm also here to follow developments on the SIG Security white paper, which I'm very, very excited to learn from and contribute to.
J:

A: She also had trouble with the passcode logging in, so she's trying to log in. I think she has some presentation for today. All right, so today we have a few things. One major update that I have is, I think most of you have seen, there is...

A:

A:

A: But I don't think Emily could join today, but if she watches the video: congratulations, Emily.

A: The second update that I had is, I don't know how many of you attended last week's assessment thing. Brandon, if you want to, if there is anything that we can update on that, that will be good.

E: Yeah, so we're still in the process of... we sent out, do the poll if you want to be involved with it. Basically, we're coming to the end of the first five security assessments, so we kind of want to take a step back, look at everything, see whether there are ways in which we can improve on the process, on the documentation, and, you know, try and kind of see what one of the next things for security assessments is.

E: So there is an issue that's open that talks about this. Let me link it, I'll link it in the meeting minutes, in the chat, but we've created a Slack channel, SIG Security security assessment working group. I'll paste that link as well. So we have to do the poll, kind of trying to find a slot where people can meet up next week, depending on time zone, I know, you know.
B: Can I ask one question? Sure. So we had made the determination, perhaps a couple of months back, that we would only be doing one assessment at a time, or we would only do one more before, like, taking stock and processing, integrating, reassessing everything, and at that time we had other projects in the queue that had requested an assessment. I'm speaking specifically about Buildpacks. So perhaps it's worthwhile to reach out to... maybe we don't have the clarity of how long redesigning or evolving, maybe not redesigning, but just rehabilitating it, can take us.

B: So we may want to give them, like, hey, it's going to be a while before we get back to you and take it up. So perhaps, yeah, just some community reach-out to projects that may be standing by on an assessment to be performed.

E:

E: I think if we hit the critical mass to go forward with an assessment, I don't think there is a need to wait on improvements. I think it's not... the process isn't... it's fine, right? I don't think there's anything, any huge red flags that we've seen. Most of the suggestions so far have been, you know, improvements and quality-of-life things.

E: So I think that we don't want to get in the way. If we find that the project is able to put some time in with a final group of security reviewers to do it, we should go ahead, and we should then kind of wait for that, because, you know, sometimes it may be difficult to get people back, even saying that, oh, let's push this back by a couple of weeks. People may not be free anymore.

B: I think at the time, well, just looking back to the notes, something had come up for Rob, or Robert, and I'd stepped up as lead reviewer, but in conversation with Justin elsewhere, not in this thread, I think it's another issue, he said, hey, we have a lot of people focused on Keycloak right now; perhaps we could get another team going in parallel, of different individuals.

B:

B:

E: Okay, yeah, and Keycloak is kind of just winding down. I think it's pretty much in the final stages, so I don't think that there is an allocation issue with that.

F: The corporate entity behind Buildpacks is not the correct wording, given it's a CNCF project. It's just that there are some maintainers from VMware who work on that, which is not a blocker.
B:

A:

A:

A:

L: Sure, happy to do that. I'm JoJo, thank you. So I'm part of the Cloud Security Alliance and a research fellow for them, and we have a number of initiatives right now related to containers and microservices. One of the work groups that I'm leading is security controls for serverless, or serverless best practices.

L: So, as part of that work group, we have a white paper that we are publishing, and we had lots of interesting discussions about what serverless is, right: the definition of serverless and whether it's just function as a service or it is container as a service, right. It may be serverless to the consumers, but essentially it does have an infrastructure underneath that somebody else is managing.

L: So we decided that the scope of the project is going to be container as a service, like EKS and those kinds of services that providers provide to us, and function as a service, and with that context in mind we have kind of developed a draft paper, actually a work in progress, we're still finishing it up, and then we've identified the scope and the landscape, as well as the use cases that are relevant in the industry to serverless and CaaS, and then we've done a detailed threat model related to CaaS technologies and deployments, as well as FaaS, and then, based on those threats,

L: we've identified a number of mitigations and security controls for each type of deployment. If you have a function-as-a-service deployment, what are the controls that you need to be cognizant of, and, you know, orchestration of functions, and what are the threats there and how do you mitigate them, and what security controls do you need to put in place? What about runtime detection and response for enterprises?

L: And then, obviously, similarly, security controls for container as a service as well. So there is a lot of overlap in the different security controls that different white papers are proposing. We had done another project at CSA, which was best practices for microservices and application containers.

L: Similar controls, I mean a subset of those controls, apply in this domain as well. So last Friday we had a discussion between different container working groups at CSA: how do we bring it all together? Because there is overlapping content in multiple of these initiatives, so I did mention to them the SIG Security work that we are doing here as well, and it seems like

L: there are some synergies, and if you guys are interested I'll be happy to bring in experts from there and set up a cross-connect session, networking as to how we can collaborate, and, you know, ultimately, they are also non-profit, and this is non-profit open source as well. It is for the benefit of the wider user community, as well as enterprises who want to leverage best practices. So at a high level, that's what the structure of the paper is, and after the security controls we are also talking about future direction.

A: Thanks. I think if there isn't an issue already, I'll probably create an issue, and if you can put the content into that issue and link to the paper prior to the next meeting, that will help the team.
K:

H: Yeah, sure, JJ, thank you. So, as most of you are aware, you know, the team has been working on the cloud native security white paper, and there's a lot of progress that's been made, and I think where it is right now is: we're pulling the threads together. We've had a lot of comments come in, and we're pulling all those comments in and incorporating them, and I think we have another... please correct me, JJ.

H: If we have another couple of weeks, I believe, where we're hoping to receive more comments, make the necessary changes for, you know, pulling the different sections together, as well as making sure that we have the right tone and voice and the right level of abstraction, and addressing all the needs in terms of how a potential CSO could consume the paper, and then also discuss how it could potentially be broken out into multiple other papers to provide a deeper dive.

H: We're also making sure that we have all the relevant sections that require more of, or a deeper, dive represented appropriately in the landscape paper that Brandon and team are working on. So that's where we're at, and, you know, JJ, myself and Gadi have made some decent progress on the illustrations that we're hoping to provide as a companion for the narrative as well, to really help anchor the discussions and provide some better context around the verbiage.

H: So that's where we're at, and we're shooting for the next two weeks to really pull a lot of this together and have it ready for a potential discussion with the broader CNCF team.

A: Thanks, Renee. So a few other updates. I think Emily is not here, but she's driving the Cloud Native Security Day. I think there is a link up; it's scheduled for November 17th, it's a virtual event, and there is a Slack channel where things are getting discussed about that, and there is a core group that's actually working on putting that event together, and if anybody is interested in contributing or participating, then that's where to go look.
E:

B: There's some interesting feedback I heard yesterday from presenting at the Open Networking and Telco Summit on Monday: it would be nice to see shorter, denser sessions, because if you have, like, a thirty-minute to an hour session, you're competing for the audience's attention with the rest of the internet, right, or with their schedules. But even if you're going to do longer breakouts, if you could condense, like, I don't know, everything that will be on the regular schedule into five-minute lightning talks.

B:

A:

A: I will convey this to Emily in our meeting, but I think if you post it there, it will help the rest of the team as well.

C: Okay, so it's better recorded. I mean, it's like having more content might not be, like, where a longer session might not be a problem, because if you're watching online you can, like, if it's an online event and pre-recorded, it's much easier to skip. But for some folks who are just starting in the area, having some background information and data might be helpful, so they might not skip, basically.

B: Yeah, that's a good point. If it's on demand, it's less of a concern to, like, compete for attention, but just having a reference, a digital brochure of all the content, with, like, a little bit of information, or just, like, how this title ties all together, or here's, like... yeah, I guess, like, abstracts kind of accomplish that, and if you put it on the side, I don't know. I think I'll start talking in circles pretty soon, so I'll start writing things down and put it on the event thread.

C: Yeah, it would be easier, probably, if the reason is, a way to split it into chunks, like here's an intro, here's the main kind of part to go along with the presentation result, like, basically needs to do our transcribe of folder... all the talk for the details, but yeah, something like that. Okay, totally, yeah, yeah.
A: Yeah, so there are issues that are, on the other hand, we'll be sort of triaging them. Volunteers to help triage issues are much appreciated. There are some real interesting issues around OSCAL and compilation flags, and then there is also the assessment outline, which I think it...

C: What kind of issues, and where can I find them? Yeah? So let me post it on this.

C:

A: Yeah, take a look at those issues, if anybody feels they have enough to offer on any of the issues.

K: So what do you mean by triage? You want us to, like, see if they're topics to bring back to the meeting, or...

A: Yeah, I mean, if there are topics that interest you in terms of, like, this is something that I want to take up and start working on, then you can; the ones that you want to bring up to the meeting, where you think it will be useful.

A: We can do that as well. In addition, I'll go through my own thing of, like, seeing if there is a fit for any issues that I could possibly bring back to the team to discuss. I'll do that as well. Okay, so that was kind of a pun.

A: So that's most of the update. Brandon, any more updates, anything to add?
E: Yeah, I guess two things. So one of it, it's actually not really related to SIG Security, but a couple of us, myself, Eli, Andreas, and Emily as well, plus others, are working on a SPIFFE/SPIRE book. So that will be something to look out for, probably towards the end of next month, talking about SPIFFE, SPIRE and kind of the open source projects and deployments, and so on. It's a lot of good content, so I just want to throw that out there, right.

B:

C: Eli: yeah, I guess the value of it would be to get early feedback from people who want to read through these and provide feedback. I think it's in a condition right now where it is a little bit too early.

C: We're still identifying the gaps that we need to fill, but after next week I think it will be in a good enough state to share with the rest of the community and get another round of feedback and see if we're kind of missing something important in there, but it will be close to the finish line and we'll just need to polish it up.

B:

E: Turning the point to you as well, on the topic of Buildpacks. I think you said that we're still looking for another two, three reviewers for this.

B: Yes, whoever's interested in participating in this security assessment, I'd love to have your help, whether you've done an assessment before or this will be your first one. Happy to chat if you're on the fence or undecided.

B: But if it's something you want to go for, just link to the issues in there. The Buildpacks team has completed the self-assessment already; a link is in the issue. So that's something you can start looking at, but I would point you first to go over the assessment process and get familiarized with the timelines and process that we go through.

A:

H: Yeah, I was just going to say the same. So typically, I think what's been done is that there's an issue, and then I think there's someone who takes up the baton and then, you know, asks for other people to join in the assessment. Is there a placeholder issue for this one?

E: Yeah, there is, yeah, I think, interests, but...

K:

E: Yeah, maybe Andreas, if you could also fill out the details of it as well in the first comment, like who's the project security lead and so on.

A: Yeah, you can live in, so you have to.

B:

A: For the book sprint, Brandon, if you think you'd want to have either a presentation or a review from the rest of the group, do you mind creating an issue, putting that on the agenda whenever you feel like it will be ready?
G:

A:

B:

B: You elicit the knowledge and experience from the subject matter experts, from their heads, and start just dumping it in writing, and just through an iterative process it becomes a really consistent voice, yeah, and you get to work with illustrators who are just riffing off your ideas and turning them into images. It becomes pretty neat. Nice, nice, yeah.

G: I've scribed a few times now: do you really need the table template thing? Like, I always type in the one box there. Do you really need the table?

G:

A: So maybe we should reformat it, because I had that same issue too whenever I scribe, and then I was, like you, just going into one box, and then you do the whole stuff in that one box.

A: It might be better to put two boxes horizontally for two different scribes, because then it separates it so that it...

G: The two columns, the columns are great. I'm just talking about the rows, like there's a box for GitHub PRs, like, for one, attendance and designating scribes. No one writes anything there. Never.

E: No, I think that's good feedback. I think we should spend some time reformatting the template, yeah.

E: Yeah, so this was originally, we had kind of like a single, sequential log, right, and then Matthew Garcia,

E: when he was supposed to consider taking the meetings, found it would be better to have separate scribes. I think the idea was to kind of

E: read across the same topics, rather than being, like, offset at different roles, but it seems like maybe we can do some consolidation of that.

I:

A:

F:

A: Yeah, if there isn't much that anyone has, any updates or to add, then we can give back 20 minutes of the time to the rest of the group.

E: Awesome, and JJ, next week, is it we're gonna have the Confidential Computing Consortium?

E:

A:

B:

A: Yeah, I mean, it seems sensible, but I'll, yeah, I'll add it, but do what makes sense for the presentation, and we can always push. We can create a pipeline for our other... now, later, we.

A: Usually, at the end of a presentation there is a decent number of questions and answers. So when there is a presentation, I'm just worried about

A: the timing aspect of it. So there'll be a few updates and the presentation, and then there'll probably be a Q&A, so it'll probably take the whole hour up, which is okay.

A:

A: Yeah, that makes sense. All right, so yeah, so that's for next week, and thank you all, thanks for joining and thanks for the help. Have a good one. Take care. Good.