From YouTube: CNCF SIG Security 2021-02-17
A: No, we have some calendar troubles as usual.

A: All right, I'm gonna paste meeting notes, and again just because it doesn't.

A: Just keep to CNCF guidelines and be nice and friendly. So today we have two topics. We are looking for scribes, so if anyone can help scribe for today's meeting, that would be good. So we'll be going through kind of updates, just going around today, and then we have two main issues that we will talk about.
G: Sure, I'll keep this short. So, because of some recent uptick in interest in cryptocurrency stuff, I just wondered if we had any open PRs or threads on blockchain here, either from, like, there's a Distributed Identity Foundation that is, you know, working on the identity side. They have,

G: I think, a storage section that worries about that stuff, but I don't know that it's come up here. Has it?

G: So I'll think about a way to maybe introduce it for a cloud native audience that might be relevant, and I'll put it into the chat and also in the notes here, so don't worry about copying it over for the scribe: a list of the IEEE standards body groups that are working on blockchain. It's pretty amazing, they've got a lot of stuff going on. A lot of it doesn't end up being a standard, but just the diversity of interest there is kind of interesting.
H: So that's it, I put the rest in the chat. There's also a lot of blockchain related stuff happening in the Confidential Computing Consortium, the focus there being it's more energy efficient to perform blockchain-like calculations inside a trusted execution environment or enclave rather than on general purpose compute, so stuff happening over there. I don't know if there's interest in bringing folks in, but I'm happy to connect if there is. Well, we should be interested for moral reasons, right?
A: Yeah, that's an interesting thought. I feel like that's kind of content to it. If you usually think about anything that runs within some kind of security, however, to be so, all you know, that's the trade-off of that. So that should be an interesting discussion. Maybe we can make it one of the topics next time.

A: Okay, that's going down. So Emily has an update. That's ridiculous agenda! Andreas, did you have, did you?
I: That's all right, yeah. I just wanted to do a quick update from the TOC meeting on Tuesday, which I attended, where they talked about renaming the SIGs, so they are proposing calling our group a technical advisory group, or a TAG.

I: So there is an open issue on GitHub where the TOC is voting on a new name for our group. So I thought everybody might be interested, so I'll put the GitHub issue in the notes, but it's also on the CNCF TOC. And then also, more substantively,

I: things like that, for people to submit security issues and have that documented process, and that's one of the things that we look through in the assessments.

I: It's also part of the CII badge, but this would be calling it out, and I proposed that this happen at incubation, which was, wow, roundly seconded, so that projects at incubation, all they have to do is say: this is what you do when you find a security issue. So people felt that was a low bar. I did say that it might be. People were worried about, like, that

I: there might be projects that are already in incubation that might not know how to do this. So I wanted to see if there's anybody who might volunteer to help audit the projects that are incubated and graduated, to see if there are ones that, you know, like, to provide data to the TOC to say: oh, you know, 90 of them have it, you know, whatever. I'd suspect that most projects have it, but I don't know for sure.
A: So, Sarah, is this kind of like seeing that they have a process to handle these things?

I: Projects, like, it's in the readme: do this if you have a security issue. But in the assessments we've found some projects that don't have that well documented.

A: Yeah, I remember we had like a section in the assessments that's like, what are the security response. Oh, at least we were discussing this initially when we were talking about assessments, but there wasn't really a benchmark to compare that against. So is that already an issue open for this, or should we?
I: No, no! It's just that there is a process, got it, for reporting and then communicating the ones that are security vulnerabilities. So there are a lot of projects that aren't security focused, right, and they're like, you know, it might not have come up for them because they think: oh, we don't have anything to do with security.

I: They don't have the insight, they're less mature, they might have people, you're like, getting incubation, you don't need a lot of users, right. You just need to be, you know, there's a bunch of criteria, and so it could still be experimental in some way, but it has nothing to do with security and they just don't have security experts on their team and they don't foresee it happening. But of course, as we all know.

I: Yeah, so yeah, I'll write that up as a GitHub issue. We'd love to have some help doing it.

I: Yes, and that is the self-assertion on behalf of the project, so this would be there validating it from the TOC perspective. So yeah, I guess if it is a, I didn't realize it was an incubation thing, so maybe they all have it already, because they've all done the badge, yeah.
A: Okay, and I guess also to kind of, like, ask a bit more questions in that regard, right: if they've had any incident reports before, how did they handle it, and, you know, what was the speed of the execution? I think like that.

I: Yeah, there's some discussion that they're not going to insist at incubation on any particular speed in responsiveness, but just making sure that groups have thought about it, which, yeah, you're right. If the CII best practices badge is required for incubation, then they should have already. But this is just raising awareness.
J: There's another rubric item in there around the response time. I don't recall the exact wording or time frame, but I think it's 96 hours: providing a response within 96 hours, and have addressed publicly known vulnerabilities that have been reported in the last six months. Now it's entirely up to a project whether they like not disclosing while they're working on it, right, for obvious reasons.

J: So while it is a self certification, you need to provide a link to your policy or procedure that captures whatever the process is, so it does make matters easier for us to, hey, let's go look at the CII badge app for this project, let's look at this particular section, let's see what they entered in there. What is the link? So we know where to find it in their repository structure and their directory structure, rather than try to, like, figure out how and where to find it.
A: Yeah, so maybe that's, let's have that issue we created, and then we can also have it as part of the discussion, if there's one or two people that want to take the lead on the issue.

C: So if the policy just needs to be something implemented in the repository, that's, the easiest way to do this is through automation, like sort of a security scorecard. That's a good pro, and one of the Google projects to do this. It's just checking if you have certain things in your repo, if this is like formal verification that this is like really happening.

A: Yeah, okay, so let's go along to the other updates. I think the next one under this is Jonathan Meadows with the supply chain update.
F: Just a quick one, then, on the supply chain working group. So we're getting a lot more content onto the document. I think we're gonna restructure it. I know that Emily sent through some feedback, that's great. I think we're probably another session away from having something that we'll then start to go through and do editorial on, and then report back more fully to the rest of the group, but obviously all the work that we're doing is open on that Google document, and we're also discussing it in Google Chat as well.
L: All right, Robert, hi. We had our policy work group meeting this morning. It's eight o'clock Pacific, happens every other week. Currently we're in a deep dive around mapping

L: the policy report CRD to different frameworks, in particular one that's used in the federal space from NIST called OSCAL, but, you know, at some point we'll come up for air and talk to other frameworks. And then I think also on the agenda, we're going to try to build out a kind of position paper or architecture white paper on how all these pieces fit together.
A: Maybe we can take that offline with the chairs and the TLs, it'll be. I think we have access to the Zoom account, but maybe we can discuss whether we can provide access or somehow speed up the videos. Okay, great, I'm happy to connect offline.

C: Like, how do we get a link to, like, this morning's 8 a.m.? There is a link, like, on top of this meeting notes to the YouTube channel.

A: Well, so that's the one for the security; the policy videos don't get uploaded there.

A: Yeah, okay, and we have Frederick Fernando, who's a new member. Do you want to give a quick introduction?
M: Yeah, hey guys, so yeah. My name is Frederick, I'm from India. I'm into, so, I've been working on the SOC side, the blue team side of things, and now I'm new, I'm getting into Kubernetes security and kind of playing around with Linux internals and eBPF and things. So I like how, I'm really amazed at how you guys work here, and I learn a lot from these meetings.

M: I've been here for like two or three meetings, and I really appreciate, I mean, the things that I learned from you.

A: Oh, if you secretly want to get in on that you can, you can drop a DM to pop. You know, okay.

M: I'm okay, I'm new to the security, I mean sorry, the open source space. I'm more, so earlier I was into the Windows infrastructure security, like threat detection, all those kind of things, but on the Windows side. So I wanna, like, get on board with contributing to some of the open source stuff, and I really learn a lot by just attending these things. So I'm just gonna, like, stay, I mean, for the ride.
A: Awesome, yeah, and feel free to reach out to the chairs or TLs or anyone in the community if you're interested in booking something. Yeah, sure, cool. So I think that's all the updates. I have a really quick one on my side: a couple of folks in the community, together with myself, we are starting out a cloud native security meetup in New York. For now, of course, it's virtual, so I'll just put a link to it.

A: This one's going on next week if people are interested. Okay, if not, let's go ahead with the agenda item, so I'll pass the mic to Emily first to cover the security assessment. Perfect.
K: So Justin Cappos initiated an APAC friendly meeting as of Tuesday, so for anyone here where the time is inconvenient, you can go look it up. On the readme, there is an APAC friendly time zone that you could possibly join. It's barely getting started. Only last meeting we had two people show up, and both of them were, like, super interesting. We learned quite a bit from them, so just wanted to drop in there to give people the convenience of the time that they want to join.
B: It's been linked in the chat, as well as a particular comment in there that kind of does a high level summary of what it is that we're talking about. What do these changes look like? So one of the first things that was recommended was the utilization of the term "security assessment" was confusing for some of our community members, who were getting it mixed up with security audits, and we're not really doing a full-blown assessment or a full-blown audit on it.

B: So with the change of the name, we went through the documentation that we currently had, found some areas where we really could pull more from the projects to help them better create their security documentation, based off of some of the previous assessments that we've had, and I feel like every assessment that we do gets better and better because we are getting excellent feedback. So the overall changes are kind of minimal, but they do make a little bit more sense, and it creates slightly more artifacts as a result of these evaluation processes.
B: So the readme has been updated to provide a more comprehensive overview of what the security review process is. The actual guide that talks about the security review process steps now includes more detailed information, links to the new documents, links to templates. There's a joint readme template for the first time. This actually is a template that was built from the existing readmes from previous project security assessments, so now we have a standard document for SIG members to actually pull and summarize content into. The joint review template replaces the existing self-assessment template that we have.

B: It builds on top of the self assessment, which is performed by the project. So one of the discussions for why we were going to break these two things up was to allow projects that weren't quite mature enough, or at a point where they could get or support a full joint review or full security assessment as we traditionally performed them, could take the template themselves and kind of do an internal reflection on what is the state of their security.
B: How are their security development practices looking? Kind of guide them down that path of thinking about security in their development practices. So it's a little bit more day-to-day, instead of a big hurdle for them later on when they would come for a security assessment. It's a much lighter weight document, it's much smaller than the joint review, but a lot of the information that's generated

B: there gets them thinking about security in a way that, when they come back for a joint review, they've got all the information put together, and it should help them and help us when we're doing that joint review. The project lead information was updated with the new naming conventions and some small content updates that have needed more clarity.
B: And now there's a review survey to provide to projects so that we can get consistent feedback from them on what they thought about the effectiveness and the experience of the entire security review process. The security reviewer role was also updated, with a new naming convention and content. So this is a very large PR. There's a lot of new content in here, there's a lot of new suggestions based off of the feedback that we've gotten from the community and the existing issues.

B: So I wanted to bring this to everybody's attention to kind of talk about it. How do we feel about the content and the changes? Do we feel that it's a good direction for us to be moving in, as well as if we want to, like, set another standard for another five against this new process and then reevaluate or reiterate?

B: Yep, that's right, so I've been working on this for a while with some help from Magno and a few others, and I feel like I'm a little too close to it to do a fair shake on doing a review. So an extra set of eyes to make sure that everything makes sense, that we haven't missed anything, that there isn't a link in a wrong place, or that something is not clear and could be better explained.
I: Hey, Sarah, I read through it over the last week or so. Thanks to Emily for being really super responsive. And one, having been a reviewer for multiple security reviews, the separation of the project would check in its self assessment, and then the review team would create a new document pulling from that. My hypothesis is that that would make it easier on the project themselves and put more burden on the reviewer, on the review team, and they'd have to be, presumably, the lead reviewer. I don't know if this was spelled out, because I guess it could be anyone, would be, like, taking suggested edits and committing them, whereas in the past it's been the project lead that takes questions and suggested edits and revises this document, and it seems like that was a little arduous for the project lead at times, because they just felt, like, barraged with questions.

I: However, it puts on the security reviewer, then, has to assert things, right, so I would feel a little uncomfortable with some of the projects, because I'm like, I don't know, like, sometimes I would make suggested edits being: I think this is true, and it would be comforting to have the project lead say: okay, I'm going to commit this as truth from the project's perspective. But I think flipping the roles will make it move faster. But I'm really interested to hear from people who are project leads, like, you know, maybe Ash and Andre.
A: Yeah, maybe if folks want to kind of take a look at the PR, get a better sense of it, and then, you know, we can have the discussion there, and, you know, if everything is good, then I think it's the default version.

A: So thanks, Emily, Magno and those who opened this.
B: Yep, one other thing that I wanted to highlight is the new template and the updated process does allow the community, the SIG community, to perform a limited, hands-on review of the projects. So that was something that was requested about: can we do it? How would we do it? What does that look like? There's all sorts of caveats and instructions that we need to provide around that.

B: How do we ensure a level of rigor? So there's been some careful attention paid in that particular area about whether or not a review did include a hands-on review or if it didn't, and what all that means. So, just as you're going through the document, being aggressive and letting me know there's stuff that we missed or stuff that wasn't fully thought through.
I: There's a companion PR that I requested being pulled out because it requires TOC approval, which has been long requested but is awaiting.
B: What Sarah is referring to is the new process, or the updates to the process, was designed to more closely align with the CNCF phases of incubation and sandboxing and graduation, such that there was a clear kind of path for projects moving through those different phases. But because that requires discussion with the TOC for concurrence and confirmation that, yes, that looks right and that's what they're looking for, we broke that out into a separate document. So you'll see some of the language in the 488.
I: I just put a link in the chat, so yeah, so the idea is to first merge in the process improvements that are purely within the SIG's domain, right, and then propose to the TOC: this is how we would see it happening at different project stages, which then sets up this opportunity to make it a requirement at some future time. But obviously we're not in a position, maybe not to everybody, but we are not in a position to require anything of the projects.

I: What we do is purely, you know, to the benefit of the community and the projects, and then the TOC could choose to set these things as requirements.
A: Gotcha, okay. So let's move on to the next agenda item, which is actually mine, which is on the cloud native security landscape, which we have now renamed to the cloud native security map. So I'm gonna give kind of a quick background on what this is about. So initially we had the cloud native security white paper and we had this kind of notion of landscape within the security repo, right.

A: So what we found was that the style of information, or that style of categorization, wasn't really very useful for what we wanted to do, which was to kind of provide a more practical use of the aspects of security. So kind of taking the topics that happen in the white paper and providing some more practical advice on how you can go about those things, not just on a conceptual level, but also pointing directly to projects that will cover some of these areas.
A: So let me share my screen really quickly and show. Oh, I can't share my screen.

A: Okay, okay, see my screen now? Yep, okay, cool. So, cloud native security map. This is the new name, so the kind of motivation is about the same. When we brought this up and we voted on it, what's around, kind of, we took a lot of inspiration from the cloud native trail map. So we looked at the CNCF landscape, which was kind of just like a whole ball of information, which we didn't really find that useful in terms of what we wanted to do.
A: But then we looked at the cloud native trail map, which kind of contained information about the projects, a bit more technical information, but it also provided a way for practitioners to kind of navigate the cloud native space.

A: So we wanted to kind of mimic this kind of layout of information, so someone should be able to go to this document and really be able to explore cloud native, go into areas which are important to them, to be able to figure out how they should approach cloud native.
A: So the idea is we would make kind of a hybrid between the original landscape and something that more closely resembles this CNCF trail map. So what we ended up with, we called it cloud native security map, and it was around, there were a lot of ideas around, you know, that being multiple continents which represent categories of security, and then you would be able to navigate and go through these areas and learn about security for that. So the working name in the Slack channel is security geography.

A: This was when we still didn't have a name for it, but we knew we wanted to have it be something with maps.
A: So the overall landscape goal here is basically to provide a more practical view of the cloud native security white paper. So the white paper covers everything on the conceptual level, it covers kind of the different categories, but then the question that, if you're a practitioner, you may want to answer is, like, how do I go about doing this, what are the resources that I can look at, and what are some of the projects that I should look at in order to implement this?

A: So the idea is to have kind of different continents of different categories of security, and one should be able to navigate between these things. So these are a few pictures that Emily has kindly drawn up, which kind of showed, like: oh, you have different items or security categories, and then you can explore them, and then you have to go through, like, from develop to distribute, and, you know, what are the steps that you're going through.
A: So, in this case, for example, to go from develop to distribute you go through the CVE scanning, and also kind of a thematic example here, and then this is okay, then you're looking at pre-commit hooks, doing application manifest scanning and so on, and you finally arrive at the sm hopper.

A: So that's the general idea in which we want to have people be able to explore the topics within the landscape, and we imagine that, so, this is the last artistic version that I drew out, which kind of talks about maybe, like, an example flow of how people would use this.
A: So the idea is they will start off with very broad categories. Or another way you could do it is if we would embed links of the security map into the white paper itself. So if you're reading the white paper and you see a concept that you're interested in, you can say: okay, bring me to the security map on this, and then it will link you into this document, that will tell you, for this particular concept, what are the projects and how do you use it in terms of adopting it in an organization?

A: So the idea here is you'll be able to go into different areas. They'll give you information about it, and, you know, you could go into, for example, image scanning, it'll tell you a bit more, they'll talk about technologies that you can use and so on. And the idea of this is, for example, within certain categories, for example, image trust and integrity.
A: So this is kind of like the idea behind this, is that we realize that there are a lot of different categories within cloud native security.

A: Some kind of span different categories, such as, you know, in this case image trust, where you have it, you need to do it when you're developing and distributing a container image or artifact by the end. At the same time, it only makes sense if you have good key management and you also enable verification at the runtime.

A: So these are the kind of ideas that we were thinking, right, being able to see this information and being able to navigate this information. I think those are the main goals that we're trying to achieve here, and, you know, you can just navigate this however you want. So that is kind of what we are trying to do with this cloud native security map. So we are now going towards phase 2, which is kind of content contribution and design iteration.
A: We hope to get all this done in time for KubeCon EU, and hopefully do some publicizing of this project then, like we did with the cloud native security white paper. So kind of to wrap up, what we're doing now is really, we're looking at how do we populate the content of this, right? So we have this document, which is for the content, and this is an example of content, right, so we have application manifest, and this is a template that we came up with.

A: You have a one or two sentence motivation on why it's important, attacks and incidents if they are available, so this is kind of similar to what we see in the security supply chain catalog, where, okay, what are some examples of incidents that happened because there was a gap in security in this area?
A: A quick description on the security relation, quick recommendations of what can be done to protect it, and instances of those recommendations. So these are more concrete examples. So, in this case, we're saying application manifest can be Kubernetes YAMLs. You know, you don't want to use the latest tag, you don't want to run containers privileged or as root users, and so on, and we will have projects and references that we could have also. All right.

A: So that's where we are today. We want to be able to populate this for basically all the different categories that we had in the white paper. So there will definitely be some reuse of content over there. What we would really be adding on is really here: what are the projects.

A: So I'm gonna put the link to the issue in the chat, and also I'll put a few notes on how we can contribute to the content here.
E: So, Brandon, at this point, if folks want to, say, contribute to a particular section within the content doc, are we, like, maintaining a spreadsheet of, you know, who's writing for what content, or do you recommend them joining the Slack channel? Or do you recommend them joining the meeting that we have before this call, like the bi-weeklies or whatever? So what's the recommended way?

A: So we'll organize another kind of check-in next week before this meeting, but I'm gonna put, like, a set of instructions. What it's going to be like is basically find the topic that you want to write about and then just put, like, a name, yeah.
K: Actually, related to that, if we can comment, I think a few other SIGs have also reached out to Emily trying to replicate Emily's process of how she ran the white paper, and there is

B: Yeah, there's actually an open issue on that, JJ. Let me find the issue number. I had talked to Vinay, and Vinay said he was very interested in volunteering for that, but I do know that it is a big ask, because there was a lot of stuff that went on. So I.
H: Is there a section in the doc or a place in the process that I could start coming in for emerging technologies, things that aren't yet in the cloud native landscape, but that folks are interested in, and I'd like to help support more folks using?

A: So we do have one section. So this is just a photocopy of the topics that are in the cloud native security white paper. We do have, I think, the section. Actually, I should have the white paper here somewhere.

A: Yeah, so that is kind of secure, security stack, this kind of.
A: Yeah, yeah, I'm gonna put this issue in the notes, as well as I'll put it down the Slack channel, as well as some instructions on how to contribute to the content, and also to figure out where Vinay and Emily are. Maybe we can discuss on that and document some of those steps as well.

A: So I think that's all that we have for today. Next week we have Doug, who's gonna talk about the serverless working group.
I: Yeah, and it would be great if I could have a volunteer who would facilitate that. I do.

I: Somebody who's, like, there's a team interested in serverless security, it'd be great to have one of them, but anyone really who's going to keep the meeting on track and make sure Q&A happens.
A: Yeah, so, if you're interested in facilitating the meeting, there is a planned meeting section in the meeting notes. So you can just put in your name there, and then you can reach out to one of the chairs or TLs to talk about what you need to do, to know just the facilitation.
E: Cool, awesome, just a quick note, Brandon, to all the new folks out there: so we're adding a new section to the doc which lists some of the good first issues to get started with, some low hanging fruit issues, so we'll keep on adding more issues to that tag in GitHub. So if you are interested in, like, just contributing to any kind of, you know, issues with SIG Security, feel free to check out that section.

A: This is where we start the air, right.