►
From YouTube: CNCF SIG Security 2020-09-30
Description
CNCF SIG Security 2020-09-30
A
B
D
D
F
A
A
A
C
C
I
am
an
engineering
manager,
they're
working
on
security
infrastructure
and
infrastructure
security
in
general,
a
big
fan
of
first
pfe
inspire
and
yeah.
We
were
building
lots
of
for
new
stuff
and
all
infrastructure
and
being
early
adopters
of
lots
of
cncr
projects,
but
I'm
more
on
security
side.
So
I
thought
my
points
might
be
valuable
for
a
different
things.
We
are
working
on
here.
So
this
is
why
I
decided
to
join
and
looking
forward
to
learn
from
all
of
you
guys.
J
I
am
trishank
not
entirely
new,
but
I
introduce
myself
again
I'm
a
security
engineer
at
datadog
and
I'm
involved
with
some
cncf
security
projects
like
duff
and
dodo
no3v2
cnab.
I
know
some
of
you
folks
here
nice
to
see
you
again
nice
to
see
all
of
you
who
are
new.
I'm
also
here
to
follow
developments
in
the
on
the
sick
security
white
paper,
which
I'm
very
very
excited
to
learn
from
and
contribute
to.
J
A
A
A
E
Yeah,
so
so
we're
still
in
the
process
of
we
sent
out
do
the
poll
if
you
want
to
be
involved
with.
Basically,
we
with
we're
coming
to
end
of
the
first
five
security
assessments,
so
we
kind
of
want
to
take
a
step
back.
Look
at
everything
see
whether
there
are
ways
in
which
we
can
improve
on
the
process
on
the
documentation,
and
you
know
try
and
kind
of
see
what
one
of
the
next
things
for
security
assessments.
E
So
there
is
an
issue.
That's
open
that
talks
about
this.
Let
me
link
it
I'll
link
it
in
the
meeting
minutes
in
the
chat,
but
we've
created
a
site
channel
six
security
security
assessment
working
group.
I
will
I'll
paste
that
link
as
well,
so
we
have
to
do
the
poll
kind
of
trying
to
find
a
slot
where
people
can
meet
up
next
week
if,
depending
on
time
zone,
I
know
you
know.
B
Ask
one
question
sure:
so
we
had
made
the
determination,
perhaps
a
couple
of
months
back,
that
we
would
only
be
doing
one
assessment
at
a
time
or
we
would
only
like
do
one
more
before
like
taking
the
spots
and
processing
integrating
reassessing
everything,
and
at
that
time
we
had
other
projects
in
the
queue
that
had
requested
for
an
assessment,
I'm
speaking
specifically
about
build
packs.
So
perhaps
it's
worthwhile
to
reach
out
to
maybe
we
don't
have
the
clarity
of
how
long
redesigning
or
evoluting,
maybe
not
we're
deciding,
but
just
rehabilitating
alongs
can
take
us.
E
I
think
if
we
hit
the
critical
mass
to
go
forward
assessment,
I
don't
think
there
is
a
need
to
wait
on
improvements.
I
think
it's
not
the
the
process.
Isn't
it?
It's
fine
right,
I
don't
think
there's
anything.
That's
any
huge
red
flags
that
we've
seen
most
of
the
suggestions
so
far
has
been.
You
know,
improvements
and
quality
of
life
things.
E
So
I
think
that
we
don't
want
to
get
in
the
way
if
we
find
that
the
project
has
made
is
able
to
put
some
time
in
with
final
group,
both
security
reviewers.
To
do
it,
we
should
go
ahead
and
we
should
then
kind
of
wait
for
that,
because
you
know
sometimes
it's.
It
may
be
difficult
to
get
people
back
even
saying
that.
Oh,
let's
push
this
back
by
a
couple
of
weeks.
People
may
not
be
free
anymore.
B
I
think
at
the
time.
Well
just
looking
back
to
the
notes.
Something
had
come
up
to
rob
for
robert
and
I'd
stepped
up
as
lead
reviewer,
but
in
conversation
with
justin
elsewhere,
not
in
this
threat.
I
think
it's
another
issue.
He
said
hey.
We
have
a
lot
of
people
focused
on
key
cloak
right
now,
it's
perhaps
we
could
get
another
team
going
in
parallel
of
different
individuals.
B
B
E
F
B
A
A
L
Sure
happy
to
do
that.
I'm
jojo,
thank
you,
so
I'm
part
of
cloud
security
alliance
and
a
research
fellow
for
them,
and
we
have
a
number
of
initiatives
right
now
related
to
containers
and
micro
services.
One
of
the
work
groups
that
I'm
leading
is
security
controls
for
serverless
or
serverless
best
practices.
L
So,
as
part
of
that
word
group,
we
have
a
white
paper
that
we
are
publishing
and
we
had
lots
of
interesting
discussions
about
what
is
serverless
right:
the
definition
of
serverless
and
whether
it's
just
function
as
a
service
or
it
is
container
as
a
service
right.
It
may
be
serverless
to
the
consumers,
but
essentially
it
does
have
a
infrastructure
underneath
that
somebody
else
is
managing.
L
We've
identified
a
number
of
mitigations
and
security
controls
for
each
type
of
deployment.
If
you
have
a
function
as
a
service
deployment,
what
are
the
controls
that
you
need
to
be
cognizant
of,
and
you
know
orchestration
of
functions
and
what
are
the
threats
there
and
how
do
you
mitigate
them
and
what
security
controls
you
need
to
put
in
place?
What
about
runtime
detection
and
response
for
enterprises?
L
L
Similar
controls-
I
mean
subset
of
those
controls,
apply
in
this
domain
as
well.
So
last
friday
we
had
a
discussion
between
different
container
working
groups
at
csasd.
How
do
we
bring
it
all
together?
Because
there
are?
There
is
overlapping
content
and
multiple
of
these
initiatives,
so
I
did
mention
to
them
about
the
six
security
work
that
we
are
doing
here
as
well
and
seems
like.
L
There
are
some
synergies
and
if
you
guys
are
interested
I'll,
be
happy
to
bring
in
experts
from
there
and
set
up
a
cross
connect
session
networking
as
to
how
we
can
collaborate-
and
you
know,
ultimately,
they
are
also
non-profit-
and
this
is
non-profit
open
source
as
well.
It
is
for
the
benefit
of
the
wider
user
community,
as
well
as
enterprises
who
want
to
leverage
best
practices
so
at
a
high
level.
That's
what
the
structure
of
the
paper
is
and
after
the
security
controls,
we
are
also
talking
about
future
direction.
K
H
Yeah
sure
jj,
thank
you.
So,
as
most
of
you
are
aware,
you
know
the
team
has
been
working
on
the
cloud
native
security
white
paper
and
there's
a
lot
of
progress.
That's
been
made,
and
I
think,
though,
where
it
is
right
now
is.
We
are
we're
pulling
the
threads
together.
We
we've
had
a
lot
of
comments,
come
in
and
we're
pulling
all
those
comments
incorporating
it,
and
I
think
we
have
another.
Please
correct
me
jj.
H
We're
also
making
sure
that
we
have
all
the
relevant
sections
that
require
more
or
deeper
dive,
represented
appropriately
in
the
landscape
paper
that
brandon
and
team
are
working
on.
So
so
that's
where
we're
at-
and
you
know,
jj
myself
and
gadi-
have
made
some
decent
progress
on
the
illustrations
that
we're
hoping
to
provide
as
companion
for
the
the
narrative
as
well
to
to
really
help
anchor
the
discussions
and
provide
some
better
context
around
the
verbiage.
A
Thanks
renee,
so
few
few
other
updates,
I
think
emily
is
not
here
but
she's
driving
the
cloud
native
security
day.
I
think
it's
there
is
link
up
it's
supposed
to
it's
scheduled
for
november
17th,
it's
a
virtual
event
and
there
is
a
slack
channel
where
things
are
getting
discussed
about
that,
and
there
is
a
core
group:
that's
actually
working
on
putting
that
event
together
and
if
you
do,
if
anybody
is
interested
in
contributing
or
participating,
then
that's
where
that's
where
that's
where
to
go.
Look.
E
B
It's
some
interesting
feedback.
I
heard
yesterday
from
presenting
at
the
open
networking
and
telco
summit
on
monday
was
that
it
would
be
nice
to
see
shorter,
denser
sessions,
because,
if
you
have
like
eight
thirty
to
an
hour
like
you're
competing
for
the
audience
attention
with
the
rest
of
the
internet
right
or
with
their
schedules,
but
if
even
if
you're
going
to
do
like
longer
breakouts,
if
you
could
condense,
like,
I
don't
know
everything
that
will
be
on
the
regular
schedule
into
five-minute,
lightning
talks.
B
A
C
Okay,
so
it's
better
recorded,
I
mean
it's
like
having
more
content,
might
not
be
like
where
a
longer
session
might
not
be
a
problem,
because
if
you're
watching
online,
you
can
like,
if
it's
not
online
event
and
pre-recorded
it's
much
easier
to
ski,
but
for
like
for
some
folks
who
are
just
starting
in
the
area.
Having
some
background
information
and
data
might
be
helpful,
so
they
might
not
skip
basically.
B
Yeah,
that's
a
good
point.
If
it's,
if
it's
on
demand,
it's
less
of
a
concern
to
like
compete
for
attention,
but
just
having
a
a
reference,
digital
brochure
of
of
all
the
content,
with
like
a
little
bit
of
information
or
just
like
how
this
title
all
together
or
here's
like
yeah
you,
I
guess
like
abstracts
kind
of
accomplished
that
and
if
you
put
it
on
the
side,
I
don't
know
like,
I
think
I'll
start
talking
in
circles
pretty
soon
so
I'll
start
writing
things
down
and
put
it
on
the
event
thread.
C
Yeah,
it
would
be
easier
probably
to
if,
if,
if
the
reason
is
a
way
to
split
it
into
chunks,
like
here's,
an
intro,
here's,
the
main
kind
of
part
to
go
along
with
presentation
result
like
basically
needs
to
do
our
transcribe
of
folder.
All
the
talk
for
the
details,
but
yeah,
something
like
that:
okay,
totally
yeah
yeah.
A
C
K
A
A
E
Add
yeah,
I
guess
two
things
so
so
one
of
it
it's
actually
not
really
related
to
six
security,
but
a
couple
of
us
myself,
eli,
andre
andreas
and
emily
as
well
plus
others
are
working
on
a
spiffy
spire
book.
So
that
will
be
something
to
look
out
for
probably
towards
the
end
of
next
month,
talking
about
spiffy's,
buyer
and
and
kind
of
the
open
source
projects
and
departments,
and
so
on.
It's
a
lot
of
good
content,
so
so
just
want
to
try
that
out
there
right.
B
C
B
E
B
But
if
it's
something
you
want
to
go
just
link
to
the
issues
in
there
the
build
packs
team
has
completed
the
self-assessment.
Already
a
link
is
in
the
issue.
So
that's
something
you
can
start
looking
at,
but
I
would
point
you
first
to
go
over
the
assessment
process
and
get
like
familiarized
with
the
timelines
and
and
process
that
we
go
through.
A
H
K
B
A
G
A
B
B
You
elicit
the
knowledge
and
experience
from
the
subject
matter,
experts
from
their
heads
and
start
just
dumping
it
in
writing
and
just
through
iterative
process.
It
becomes
a
really
consistent
voice,
yeah
and
you
get
to
work
with
illustrators
who
are
just
riffing
off
your
ideas
and
and
turning
it
into
images.
It
becomes
pretty
neat
nice,
nice,
yeah.