►
From YouTube: CNCF SIG Security 2021-02-17
Description
CNCF SIG Security 2021-02-17
A
A
C
C
E
C
A
F
A
Just
keep
do
cncf
guidelines
and
be
nice
and
friendly.
So
today
we
have
two
topics.
We
are
looking
for
scribes.
So
if
anyone
can
help
subscribe
for
today's
meeting,
that
would
be
good,
so
we'll
be
going
through
kind
of
updates
on
just
going
around
today,
and
then
we
have
two
main
issues
that
we
will
talk
about.
A
A
G
G
G
So
I'll
I'll
think
about
a
way
to
maybe
introduce
it
for
a
cloud
native
audience
that
might
be
relevant
and
I'll
put
into
the
chat,
a
and
also
in
the
notes
here.
So
don't
worry
about
copying
it
over
for
describe
a
list
of
the
ieee
standards
body
groups
that
are
working
on
blockchain.
It's
pretty
amazing
they've
got
a
lot
of
stuff
going
on
a
lot
of
it
doesn't
end
up
being
a
standard,
but
just
the
diversity
of
interest.
There
is
kind
of
interesting.
H
So
that's
it
put
the
rest
in
the
chat.
There's
also
a
lot
of
blockchain
related
stuff
happening
in
the
confidential
computing
consortium,
the
focus
there
being
it's
more
energy
efficient
to
perform
blockchain-like
calculations
inside
a
trust,
execution
on
environment
or
enclave
rather
than
on
general
purpose,
compute,
so
stuff
happening
over
there.
I
don't
know
if
there's
interest
in
bringing
folks
in,
but
I'm
happy
to,
connect
if
they're.
If
there
is
well,
we
should
be
interested
for
moral
reasons
right.
A
Yeah,
that's
an
interesting
thought.
I
feel
like
that's
that's
kind
of
content
to
it.
If
you
usually
think
about
anything
that
runs
within
some
kind
of
security,
however,
to
be
so
so
all
you
know,
that's
the
trade
of
that.
So
that
should
be
an
interesting
discussion.
Maybe
we
can
make
it
one
of
the
topics
next
time.
A
I
I
I
It's
also
part
of
the
it's
part
of
the
cii
badge,
but
this
would
be
calling
it
out
that
the
and
I
proposed
that
this
happened
at
incubation,
which
was
wow
roundly
seconded,
so
that
projects
at
incubation
would
all
all
they
have
to
do
is
say.
This
is
what
you
do
when
you
find
a
security
issue,
so
people
felt
that
was
a
low
bar.
I
did
say
that
it
might
be.
People
were
worried
about
like
that.
I
There
might
be
projects
that
are
already
an
incubation
that
might
not
know
how
to
do
this.
So
I
wanted
to
see
if
there's
anybody
who
might
volunteer
to
help
audit
the
projects
that
are
incubated
and
graduated,
to
see
if
there
are
ones
that
you
know
like
to
provide
data
to
the
toc
to
say:
oh,
you
know,
90
of
them
have
it.
You
know,
whatever
I'd
suspect,
that
most
projects
have
it,
but
I
don't
know
for
sure.
I
A
Yeah,
I
remember
we
had
like
a
section
in
the
assessments.
That's
like
what
are
the
security
response.
Oh
at
least
we
were
discussing
this
initially
when
we
were
talking
about
assessments,
but
there
wasn't
really
a
benchmark
to
compare
that
against.
So
is
that
already
an
issue
open
for
this,
or
should
we.
D
I
D
I
No,
no!
It's
just
that
there
is
a
process,
got
it
for
reporting
and
then
communicating
the
ones
that
are
security
vulnerabilities.
So
there
are
a
lot
of
projects
that
aren't
security
focused
right
and
they're
like
you
know,
they
might
not
have
come
up
for
them
because
they
think.
Oh,
we
don't
have
anything
to
do
with
security.
I
They
don't
have
the
insight
they're
less
mature,
they
might
have
people
you're
like
getting
incubation,
you
don't
need
a
lot
of
users
right.
You
just
need
to
be.
You
know,
there's
a
bunch
of
criteria,
and
so
it
could
still
be
experimental
in
some
way,
but
it
has
nothing
to
do
with
security
and
they
just
don't
have
security
experts
on
their
team
and
they
don't
foresee
it
happening.
But
of
course,
as
we
all
know,.
D
J
I
D
A
I
Yeah
with
where
there's
some
discussion
that
they're
not
going
to
insist
incubation
any
particular
speed
in
responsiveness
but
just
making
sure
that
groups
have
thought
about
it,
which
yeah
you're
right.
If
the
cii
best
practices
badge
is
required
for
incubation,
then
they
should
have
already.
But
this
is
just
raising
awareness.
J
There's
another
rubric
item
in
there
that
around
the
response
time,
I
don't
recall
the
exact
exact
wording
or
time
frame,
but
I
think
it's
96
hours
providing
a
response
within
96
hours
and
have
addressed
publicly
known
vulnerabilities
that
have
been
reported
in
the
last
six
months.
Now
it's
entirely
up
to
a
project
whether
they
like
not
disclosing,
while
they're
working
on
it
right
for
for
obvious
reasons.
J
So
while
it
is
a
self
certification,
you
you
need
to
provide
a
link
to
your
policy
or
procedure
that
captures
that
whatever
the
process
is
so
it
does
make
matters
for
us
easier
to
hey.
Let's
go
look
at
the
ci,
but
the
the
batch
app
for
this
project.
Let's
look
at
this
particular
section:
let's
see
what
they
entered
in
there.
What
is
the
link?
So
we
know
where
to
find
it
in
their
repository
structure
and
their
directory
structure
then
rather
try
to
like
figure
out
how
to
band
where
to
find
it.
C
So
if
the
policy
just
needs
to
be
something
implemented
in
repository,
that's
in
the
easiest
way
to
do
this
through
automation,
like
sort
of
for
a
secure
scorecard.
That's
a
good
pro
and
one
of
the
google
projects
to
do
this.
It's
just
checking
if
you
have
certain
things
in
your
wrapper,
if
this
is
like
formal
verification
that
this
is
like
really
happening.
I
A
F
Just
a
quick
one,
then,
on
the
supply
chain
working
group,
so
we're
getting
a
lot
more
content
onto
the
document.
I
think
we're
gonna
restructure
it.
I
know
that
emily
sent
through
some
feedback-
that's
great.
I
think
we're
probably
another
another
session
away
from
having
something
that
we'll
then
start
to
go
through
and
do
editorial
on
and
then
report
back
more
fully
to
the
rest
of
the
group,
but
obviously
all
the
work
that
we're
doing
is
open
on
that
google
document
and
we're
also
discussing
it
in
google
chat
as
well.
K
L
L
A
I
C
F
A
M
Yeah,
hey
guys
so
yeah.
My
name
is
frederick,
I'm
I'm
from
india
I'm
into
so.
I've
been
working
in
the
sock
side,
the
blue
team
side
of
things,
and
now
I'm
new
I'm
getting
into
kubernetes
security
and
kind
of
playing
around
with
linux,
internals
and
evpf
and
things.
So
I
like
how
I'm
really
amazed
at
how
you
guys
work
here,
and
I
learn
a
lot
from
these
meetings.
D
M
I'm
okay,
I'm
new
to
the
securities.
I
mean
sorry,
the
open
source
space,
I'm
more
so
earlier.
I
was
into
the
windows
in
infrastructure
security,
like
thread
detection,
all
those
kind
of
things,
but
on
the
windows
side.
So
I
I
wanna
like
get
in
on
board
with
contributing
to
some
of
the
open
source
stuff
and-
and
I
really
learn
a
lot
by
just
attending
these
these
things.
So
I'm
just
gonna
like
stay,
I
mean
for
the
ride.
A
Awesome
yeah
and
feel
free
to
reach
out
to
to
chat
or
tl
so
or
anyone
in
the
community
if
you're
you're
interested
in
booking
something
yeah
sure
cool.
So
I
think
that's
all
the
updates.
I
have
a
really
quick
one
on
my
site,
a
couple
of
folks
in
the
community.
Together
myself,
we
are
having
a
club
native
for
starting
out
cognitive
security
meet
up
in
new
york
for
now,
of
course,
it's
virtual,
so
I'll
just
put
a
link
to
it.
K
So
justin
capos
initiated
a
apac
friendly
meeting
as
of
tuesday,
so
for
anyone
here
where
the
time
is
inconvenient,
you
can
go.
Look
it
up.
On
the
read
me,
there
is
an
apac
friendly
time
zone
that
you
could
possibly
join.
It's
barely
getting
started.
It's
only
last
meeting
we
had
two
people
show
up
and
both
of
them
were
like
super
super
interesting.
We
learned
quite
a
bit
from
them,
so
just
wanted
to
drop
in
there
to
give
people
the
convenience
of
the
time
that
they
want
to
join.
B
It's
been
linked
in
the
chat,
as
well
as
a
particular
comment
in
there
that
kind
of
does
a
high
level
summary
of
what
it
is
that
we're
talking
about.
What
do
these
changes
look
like
so
one
of
the
first
things
that
was
recommended
was
the
utilization
of
the
term
security
assessment
was
confusing
for
some
of
our
community
members
who's,
getting
mixed
up
with
security
audits
and
we're
not
really
doing
a
full-blown
assessment
or
a
full-blown
audit
on
it.
B
B
So
with
the
change
of
the
name,
we
went
through
the
documentation
that
we
currently
had
found
some
areas
where
we
really
could
pull
more
from
the
projects
to
help
them
better,
create
their
security
documentation
based
off
of
some
of
the
previous
assessments
that
we've
had,
and
I
feel
like
every
every
assessment
that
we
do
gets
better
and
better
because
we
are
getting
excellent
feedback.
So
the
overall
changes
are
kind
of
minimal,
but
they
do
make
a
little
bit
more
sense
and
it
creates
slightly
more
artifacts
as
a
result
of
these
evaluation
processes.
B
So
the
readme
has
been
updated
to
provide
a
more
comprehensive
overview
of
what
the
security
review
process
is.
The
actual
guide
that
talks
about
the
security
review
process.
Steps
now
includes
more
detailed
information
links
to
the
new
documents,
links
to
templates,
there's
a
joint
readme
template
for
the
first
time.
This
actually
is
a
template
that
was
built
from
the
existing
readmes
from
previous
project
security
assessments.
So
now
that
we
have
a
standard
document
for
sig
members
to
actually
pull
and
summarize
content
into
the
joint
review
template
replaces
the
existing
self-assessment
template
that
we
have.
B
It
builds
on
top
of
the
secure
the
self
assessment
which
is
performed
by
the
project.
So
one
of
the
discussions
for
why
we
were
going
to
break
these
two
things
up
was
to
allow
projects
that
weren't
quite
mature
enough
or
at
a
at
a
point
where
they
could
get
or
support
a
full
joint
review
or
full
security
assessment,
as
we
traditionally
performed
them
could
take
the
template
themselves
and
kind
of
do
an
internal
reflection
on
what
is
the
state
of
their
security.
B
How
are
their
security
development
practices
looking
kind
of
guide
them
down
that
path
of
thinking
about
security
in
their
development
practices?
So
it's
a
little
bit
more
day-to-day,
instead
of
a
big
hurdle
for
them
later
on,
when
they
would
come
for
a
security
assessment.
It's
a
much
lighter
weight
document,
it's
much
smaller
than
the
joint
review,
but
a
lot
of
the
information
that's
generated.
B
There
gets
them
thinking
about
security
in
a
way
that,
when
they
come
back
for
a
joint
review,
they've
got
all
the
information
put
together
and
it
should
help
them
and
help
us
when
we're
doing
that
joint
review.
The
project
lead
information
was
updated
with
the
new
naming
conventions
and
some
small
content
updates
that
have
needed
more
clarity.
B
And
now
there's
a
review
survey
to
go
to
provide
with
projects
so
that
we
can
get
consistent
feedback
from
them
and
what
they
thought
about.
The
effectiveness
and
the
experience
of
the
entire
security
review
process
was
the
security.
Reviewer
role
was
also
updated,
with
a
new
naming
convention
and
content.
So
this
is
a
very
large
pr.
There's
a
lot
of
new
content
in
here
there's
a
lot
of
new
suggestions
based
off
of
the
feedback
that
we've
gotten
from
the
community
and
the
existing
issues.
B
So
I
wanted
to
bring
this
to
everybody's
attention
to
kind
of
talk
about
it.
How
do
we
feel
about
the
the
content
and
the
changes?
Do
we
feel
that
it's
a
good
direction
for
us
to
be
moving
in
as
well
as
if
we
want
to
like
set
another
standard
for
another
five
against
this
new
process
and
then
reevaluate
or
reiterate.
B
Yep,
that's
right,
so
I
I've
been
working
on
this
for
a
while
with
some
help
from
magno
and
a
few
others,
and
I
feel
like
I'm
a
little
too
close
to
it-
to
do
a
fair,
shake
on
doing
a
review.
So
an
extra
set
of
eyes
to
make
sure
that
everything
makes
sense
that
we
haven't
missed
anything
that
there
isn't
a
link
in
a
wrong
place
or
that
something
is
not
clear
and
could
be.
More
could
be
better
explained.
A
B
I
Hate
sarah,
I
read
through
it
over
the
last
week
or
so
thanks
for
emily
for
being
really
super
responsive
and
one.
I
I
having
been
a
reviewer
for
multiple
security
reviews.
I,
the
separation
of
the
project,
would
check
in
itself
assessment
and
then
the
review
team
would
create
a
new
document.
Pulling
from
that.
My
hypothesis
is
that
that
would
make
it
easier
on
the
project
themselves
because
and
put
more
burden
on
the
reviewer
on
the
review.
Team
and
they'd
have
to
be
presumably
the
lead
reviewer.
I
I
don't
know
if
this
was
spelled
out,
because
I
guess
it
could
be.
Anyone
would
be
like
taking
suggested
edits
and
committing
them,
whereas
in
the
past
it's
been
the
project
lead
that
takes
questions
and
suggested
edits
and
revises
this
document
and
that's
been
like
it
seems
like
that,
was
a
little
arduous
for
the
project
lead
at
times,
because
they
just
felt
like
barraged
with
questions.
I
However,
it
puts
on
the
the
security
reviewer
then
has
to
assert
things
right,
so
it
I
would
feel
a
little
uncomfortable
with
some
of
the
projects
because
I'm
like
I
don't
know
like
sometimes
I
would
make
suggested
edits
being.
I
think
this
is
true
and
it
would
be
comforting
to
have
the
project
lead,
say:
okay,
I'm
going
to
commit
this
as
truth
from
the
project's
perspective,
but
I
think
flipping
the
roles
will
make
it
move
faster,
but
I'm
really
interested
to
hear
from
people
who
are
project
leads,
like
you
know,
maybe
ash
and
andre.
B
Yep
one
other
thing
that
I
wanted
to
highlight
is
the
new
template
and
the
updated
process
does
allow
the
community,
the
sig
community
to
perform
a
limited,
hands-on
review
of
the
projects.
So
that
was
something
that
was
requested
about.
Can
we
do
it?
How
would
we
do
it?
What
does
that
look
like?
We
have
there's
all
sorts
of
caveats
and
instructions
that
we
need
to
provide
around
that.
B
How
do
we
ensure
a
level
of
rigor,
so
there's
been
some
careful
attention
paid
in
that
particular
area
about
whether
or
not
a
review
did
include
a
hands-on
review
or
if
it
didn't,
and
what
all
that
means.
So,
just
as
you're
going
through
the
document
being
aggressive
and
letting
me
know,
there's
stuff
that
we
missed
or
stuff
that
wasn't
fully
thought
through.
J
B
B
What
sarah
is
referring
to
is
the
new
process,
or
the
updates
to
the
process
was
designed
to
more
closely
align
with
the
cncf
phases
of
incubation
and
sandboxing
and
graduation
such
that
there
was
a
clear
kind
of
path
for
projects
moving
through
those
different
phases,
but
because
that
requires
discussion
with
the
talk
to
for
concurrence
and
confirmation
that,
yes,
that
looks
right
and
that's
what
they're
looking
for.
We
broke
that
out
into
a
separate
document.
So
you'll
see
some
of
the
language
in
the
488.
I
I
just
put
a
link
in
the
chat,
so
so
yeah,
so
the
idea
is
that
to
first
merge
in
the
process,
improvements
that
are
purely
within
the
sig's
domain
right
and
then
propose
the
toc.
This
is
how
we
would
see
it
happening
at
different
project
stages,
which
then
sets
up
this
opportunity
to
make
it
a
requirement
at
some
future
time,
but
obviously
we're
not
in
a
position,
maybe
not
to
everybody,
but
we
are
not
in
a
position
to
require
anything
of
the
projects.
A
Gotcha,
okay.
So
let's
move
on
to
the
next
agenda
item,
which
is
actually
mine,
which
is
on
the
cloud
native
security
landscape,
which
we
have
now
renamed
to
the
cognitive
security
map.
So
I'm
gonna
give
kind
of
a
quick
background
on
on
on
what
this
is
about.
So
initially
we
had
the
cognitive
security
white
paper
and
we
had
this
kind
of
notion
of
landscape
within
the
the
security
repo
right.
A
A
G
A
Okay,
okay,
see
my
screen
now:
yep,
okay,
cool,
so
cloud
native
security
map.
This
is
the
new
name,
so
the
the
kind
of
motivation
about
the
same.
When
we
bring
some
about
this
and
we
voted
on
it.
What's
around
kind
of
we,
we
took
a
lot
of
inspiration
from
the
native
trail
map,
so
we
looked
at
the
cncf
landscape,
which
was
kind
of
just
like
a
whole
ball
of
information,
which
we
didn't
really
find
that
useful
in
terms
of
what
we
wanted
to
do.
A
So
the
idea
is
we
would
we
would
make
kind
of
a
hybrid
between
the
the
original
landscape
and
something
that
more
closely
resembles.
This
cncf
trail
map,
so
what
we
ended
up
with,
we
called
it
cognitive
security
map,
and
it
was
around.
There
was
a
lot
of
ideas
around.
You
know
that
being
multiple
continents
which
represent
categories
of
security
and
then
you
would
be
able
to
navigate
and
go
through
these
areas
and
learn
about
security
for
that,
so
the
the
workers
in
the
site
channel
is
security
geography.
A
So
the
overall
landscape
goal
here
is
basically
to
provide
a
more
practical
view
of
the
cognitive
security
of
my
paper.
So
the
white
paper
covers
everything.
On
the
conceptual
level,
it
covers
kind
of
the
different
categories,
but
then
the
the
question
that
that,
if
you're
a
practitioner
you
may
want
to
answer
is
like
how
do
I
go
about
doing
this,
while
it's
on
the
resources
that
I
can
look
at
and
what
some
of
the
projects
that
I
should
look
at
in
order
to
implement
this?
A
So
the
idea
is
to
have
kind
of
a
different
continents
of
different
categories
of
security,
and
one
should
be
able
to
navigate
between
these
things.
So
these
are
a
few
pictures
that
emily
has
kindly
drawn
up,
which
kind
of
showed
like.
Oh,
you
have
different
items
or
security
categories,
and
then
you
can
export
them
and
then
you
have
to
go
through
like
from
develop
to
distribute,
and
you
know
what
are
the
steps
that
you're
going
through
it.
A
A
So
the
idea
is,
they
will
start
off
with
very
broad
categories
or
another
way
you
could
do.
It
is
if
we
would
embed
links
of
the
security
map
into
the
white
paper
itself.
So
if
you're
reading
student
white
paper,
you
see
a
concept
that
you're
interested
in,
you
can
say:
okay
bring
me
to
the
security
map
on
this,
and
then
it
will
link
you
into
this
document.
That
will
tell
you
for
this
particular
concept.
What
are
the
projects
and
how
do
you
use
it
in
terms
of
adopting
an
organization?
A
So
the
idea
here
is
you'll
be
able
to
go
into
different
areas.
They'll
give
you
information
about
it,
and
you
know
you
could
go
into.
For
example,
image
scanning
it'll
tell
you
a
bit
more
they'll
talk
about
technologies
that
you
can
use
and
so
on,
and
the
idea
of
this
is,
for
example,
within
certain
categories,
for
example,
image,
trust
and
integrity.
A
A
Some
kind
of
span
different
different
categories
such
as
you
know,
in
this
case
image
truss.
Where
you
have
it,
you
need
to
do
it
when
you're
developing
and
distributing
a
container
image
or
artifact
by
the
end.
At
the
same
time,
it
only
makes
sense
if
you
have
good
key
management
and
you
also
enable
verification
of
the
runtime.
A
So
these
are
the
kind
of
ideas
that
we
were
thinking
right,
being
able
to
see
this
information
and
being
able
to
navigate
this
information.
I
think
about
the
main
goals
that
we're
trying
to
achieve
here
so-
and
you
know
you
can
just
navigate
this.
However,
you
want
so
that
is
kind
of
what
we
are
trying
to
do
with
this
gear
declarative
security
map.
So
we
are
now
going
towards
phase
2,
which
is
kind
of
content,
contribution
and
design
iteration.
A
We
hope
to
get
all
this
done
in
time
for
coupon
eu
and
hopefully
do
some
publicizing
of
this
project,
then,
like
we
did
with
the
cognitive
security
pipe
paper,
so
kind
of
to
wrap
up
what
we're
doing
now
is
really
we're.
Looking
at
how
do
we
populate
the
content
of
this
right?
So
we
have
this
document,
which
is
for
the
content,
and
this
is
an
example
of
content
right,
so
we
have
application
manifest,
and
this
is
a
template
that
we
came
up
with.
A
A
quick
description
on
the
the
security
relation,
quick
recommendations
of
what
can
be
done
to
protect
it
and
instances
of
those
recommendations.
So
these
are
more
concrete
examples.
So,
in
this
case
and
we're
saying
application
manifest
can
be
kubernetes
cmos.
You
know
you
don't
want
to
use
the
latest
tag.
You
don't
want
to
to
run
continuous
privilege
around
this
root
users
and
so
on,
and
we
will
have
projects
and
references
that
we
could
have
also
all
right.
A
A
N
E
So
so
brandon
at
this
point,
if
folks
want
to
say,
contribute
to
a
particular
section
within
the
the
content
doc.
Are
we
like
maintaining
a
spreadsheet
of
you,
know
who's
writing
for
what
content
or
do
you
recommend
them
joining
the
slack
channel?
Or
do
you
recommend
them
joining
the
the
meeting
that
we
have
before
this
call
like
the
buy
weeklies
or
whatever?
So
what's
the
recommended
way.
A
A
K
B
H
N
A
H
H
H
A
A
A
A
A
I
A
A
E
Cool
awesome,
just
just
a
quick
note,
brandon
to
all
the
new
folks
out
there,
so
we
are
we're
adding
a
new
section
to
the
talk
which
lists
some
of
the
good
first
issues
to
get
started
with
some
low
hanging
fruit
issues,
so
we'll
keep
on
adding
more
issues
to
that
tag
in
github.
So
if
you
are
interested
in
like
just
contributing
to
any
kind
of
you
know,
issues
with
six
security
feel
free
to
check
out
that
section.