Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / Security Special Interest Group / 29 Mar 2021
Cloud Native Computing Foundation / Security Special Interest Group / 29 Mar 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: CNCF SIG Security 2021-03-29

Description

CNCF SIG Security 2021-03-29

A

Hello how's it going.

B

Hi justin, how you doing, I don't think, we've been.

A

Fine, I hope we're gonna see some other people show up here. Let me watch.

B

This is my first time attending one of these.

A

Yeah, um I missed the last meeting, uh but we had, I don't know- maybe 10 ish people the time before uh so a little surprised. um I wonder if somehow we missed something that they wanted to skip this week because of.

A

Whatever I don't know, I can't imagine like spring holiday or something like that, but we'll see.

B

Is there? Is there normally a particular lead for these events?.

A

um Well, I'm sort of kind of the lead, usually um okay, so yeah. Let me let me tell you a little bit about sync security. um So uh basically it started as kind of a a working group. That's called safe or something like that um and uh then became an official thing uh under the cntf and uh around uh that time uh it really started to take off and they got more formal structure and things like this, and so one of the things that um a few people did is, for instance, I started.

A

I came up with guidelines for doing security assessments and um did a few other things related to that for the sig, and so then, as a role, they have a couple different types of roles they have chairs, which run it and also do administrative work.

A

And then there are tech leads where tech leads basically kind of have the the accept like commit bit sort of on pull requests and suggestions to things in the documents, and it's usually given to people that have been very active in the community that have contributed in some way.

A

um So I'm a tech lead I'm currently in shanghai. I don't know how much longer I'll be here I'll either be here, um maybe two-ish months or I will be here uh until after christmas, uh but I'm unsure about that. Yet and while I've been here, I've been trying to get the asia pacific um folks, like things to kind of spin up a little bit more um yeah, but uh I'm very surprised. It's three minutes passed and there's no one here.

A

My guess is that this meeting must be canceled because there'd be at least um there'd, be at least probably three or four people here. um If you know I, I can't imagine that everybody just sort of decided not to come uh well. Why don't you introduce yourself, though, um and yeah I'm sure.

B

About you, uh so I'm uh richard richard clark, um I'm a senior application security engineer for a gaming startup here in perth, western australia um uh kind of I'm also trying to start a cncf chapter here in perth.

B

um So there wasn't one here um uh I worked for so the company is called vgw um we're in a bit of an interesting space, in that we have some business units um kind of almost fully cloud native, kubernetes, open, telemetry and all this lot, and we then also have other business units which are still use the various cloud providers and that whole shared responsibility, model and kind of we have different business units of different skill sets.

B

So we're a bit of an interesting position that we're kind of some were able to bring some of that technology or learnings from those that have adopted fully cloud native and bring them back. But yet also other business units are selecting like the right projects for themselves um and it's kind of yeah a lot of for me.

B

This is kind of um I'm new to this space in terms of like kubernetes, at least and cncf, um and I just really wanted to surround myself with the community, because I think there's a lot of design patterns and learnings in the way that applications are deployed and modeled and so forth. Using cncf projects that help security, um and so I kind of just trying to surround myself and try and absorb as much as I can and contribute back um from my own learnings in my career experience.

A

uh Great sorry, I thought I was the opposite. I thought it was muted the whole time, but I was unmuted um so yeah. So one one thing I can tell you a little bit about and you may know I mean how much do you know about the cncf uh projects a little, not.

B

I would say a huge amount, but uh I guess this is where this like a lot of the incubation projects like spiffy and spire interest me a lot um yeah and kind of just trying to do the whole thing yeah, but I think that's these yeah. It's.

A

These upcoming, I'm not.

B

Really an.

A

Expert on spiffy inspire, but I did do a security assessment for them, along with some of their engineers, um so I understand it well, but I haven't really like: I haven't used it operationally.

A

So um it's a little bit. You know it's kind of different knowledge, but it seems to be, I think, a very solid project. um It handles a secure, introduction problem. How do you take an ephemeral thing and give it keys and identities and stuff like that? Without you know having to worry about? um You know a man in the middle a you know: malicious parties doing a bunch of things. It has a bunch of really strong parts.

A

It has um some areas dealing with federated trust that they're working out now um like how do you federate multiples, 50 servers, 50, spire, servers together.

A

It used to be the case that effectively, if, if the server was compromised, you really lost all security in the system and with federation I haven't really looked to see how they're containing it I've been a little swamped with other things, but um I think that's that's, like a kind of interesting touch point to look at um other projects.

A

You should probably be aware of in the space um that you may know about I'll I'll name drop some some, I know more about than others, um but like uh harbor, um uh so yeah tough, uh I'm you know notary um uh in toto.

A

um Let me think about what else um those are those are, I think ones that come to mind and full disclosure um like. I I'm the creator of the tough project and one of the creators of the in total project, um so yeah, um but then- and obviously uh I don't know if you know notary- is an implementation of tough. That also has uh some other functionality in it to integrate better into cloud-native environments.

A

So um I sort of have like um a little bit of a well.

A

I have a dog in the race to kind of say it um you know colloquially, but um and in general uh the tough notary thing is likely something you just enable correctly at your provider rather than a real decision you make in total something you need to do a little bit of work with, but once you set it up, it's transparent and it's um it's really effective, um harbor's interesting in that it takes a bunch of things like tough um notary and a bunch of other technologies and kind of stitches them together, and we did a security uh assessment for them.

A

I think I I don't remember whether I was just part of it or whether I let it but the um like the problem I or the the concern I had about harbor is it's a lot of very complicated things that are all kind of glued together and I think it where the seams connect there's a lot of potential for things not living up to all the security guarantees they want, um but in general, um it's better than you trying to glue stuff together yourself and in general um it really.

A

You know the complexity you have there, someone you know like smart groups like uh nation, state actors or something like that would likely have to- um or I don't know at least reasonable hackers would have to spend a fair amount of time doing a deep dive and then they can probably find all my guess I mean once again I'm I could be wrong, but my guess is: they could probably find a variety of different issues of different severities in how like technology stitch, um but I think um overall, I think it provides like pretty good security guarantees um out of the box, and so, if you're not likely to be a serious target, um it's it's uh like quite quite an excellent project, and I I think if you're um would be stitching it yourself, then it's it's still.

A

I think it's it's worth doing, um but I I wouldn't trust you know 10 million dollars in bitcoin to a system protected by harbor.

A

So just.

B

To roll back a bit, what's the main focus of each horror, tough and notary, I kind of went yeah.

A

um Harvard, okay, so um I'll, let I I don't want to sort of misrepresent harbor, but it's kind of everything with a registry with delivery. It sort of is like the amalgamation of um of uh like how you how you store and get software places.

A

I don't really um to be honest. uh I haven't used it as a user, so I also feel, like uh I don't know, all the use cases for harbor and how people do it, but it's it's sort of the registry side plus a bunch of other stuff, um tough and notary.

A

It's basically making sure that that you get software delivered from a registry, and even if the registry is hacked, it doesn't mean sort of game over for you in terms of security, for all your containers, so tuff has a very serious threat model that the assumption is an attacker will compromise your registry.

A

They will steal some signing keys from some of your developers.

A

They will be a man in the middle right and the goal of tough is to provide you the best security possible in any of those um type of environments, while so have like a graceful degradation of security. So, for instance, if you, if a man in the middle controls, all your network traffic, um they uh you know should be able to stop you from downloading an update by just you know, failing to deliver the bids, but they can't um put malicious software in an update or do something like that.

A

If they take over the registry, they may be able to convince you that a slightly older version of something is the most current version, but they shouldn't be able to give you a significantly older version and they shouldn't be able to do things like um you know, give you something that isn't signed with the correct keys that wasn't produced by your developers right if you're doing things so uh right and that's that's the general idea behind notary and top okay um and then in toto is: is software supply chain security?

A

So, uh basically, when you make your software, you sign git commits check them into a repo. You run it through a build farm. You have maybe a cacd pipeline. You do testing you package, it you contain, or you know whatever you're doing containerize it you go and you deliver it um and in toto uh produces cryptographically, signed, metadata and checks through all the steps that occur there and so you'll know something like you'll know.

A

If the build server manipulated your files and added something in or if uh you know, uh someone didn't actually run the tests and they push something um and it's it's all like cryptographic signed and verified. So it's assumed that those boxes on your network are not perfectly trusted, um and so there's been a lot of interest in this because of the whole solar winds, um attacks and the things related to that, because in toto is basically the only thing that really has a hope of protecting against something like that.

A

We work and integrate very closely into technologies that, along within toto things like reproducible, builds and stuff like that that, um if you use like reproducible, builds and then verify the cryptographic metadata within toto from that, you have a reasonable hope of being able to protect against um something like solar winds and similar attacks, and things like that.

B

So do uh internal and tough uh work together in any way so you've got kind of, like you know the left side of the registry and the right side of the registry. If you will so, I guess it kind of seems like those two products could work very well together.

A

Yeah they do um they integrate well, datadog did a deployment with them, um and we've also uh really in toto, goes as far right as tough and even actually further right. Also, it's it's like more overarching, um but like datadog, actually put out a nice blog post where they talk about how they did their tough and in total, combined integration along with a bunch of stuff with git signing and stuff like that, and we actually oh cool.

A

Actually, we found the we found a bunch of design flaws in the way git signing worked and um got them to change the way they do tag signing over to our architecture about four years ago, or something like that. So we've been kind of pushing at different points in this like software supply chain, for better words of it for the last I don't know for a long time and um slowly kind of securing them and making them better and better.

A

We still have a little more work to do.

A

We didn't get our complete architecture into git yet, but um if you're signing get tagged, you're using my student santiago's code and he's the lead of the intoto project- and you know- has just done an amazing job with with everything um yeah there's yeah, so that that's that's the basic overview of those bits and pieces that I know pretty well, um I'm trying to think if there's anything else, I'm sure that uh if, if other people from security watch, this call which they makes it's recorded, that some of them will be screaming at the screen.

A

Like. Oh you didn't talk about this. You didn't talk about that, um but I I feel, like I'm forgetting stuff, a bunch of important things, but um that's that's their fault for not being on the call. I guess.

B

That's, that's quite all right, um yeah, it's good to just start off with some something somewhere in space, and I can go away research that and see how that could work for us and uh and likewise how I can contribute back um is a in terms of these general meetings. Is there anything else that goes on or is there anything expected of members that participate um people.

A

Just talk about efforts that they want to do we're creating a um like kind of a security landscape document where you can look at what happens and as like a company and decide like what products uh with like what cncf technologies and things you'd want to employ different places to get different security properties and but really everything here.

A

It's mostly somebody says. I think this is a good idea. We need a white paper on this or we need to create a document on this or we need to do this and then they rally interest around and they start it. It's not like a you. Don't have to have a motion to have a you know to have a document created to do this and do that. You know: there's no like uh there's not like high overhead in in doing things.

A

um People just tend to do them, and if they get momentum then they tend to be really successful. So um yeah and we'll have more discussion about that. In fact, I think if you watch the meeting about uh that was two meetings ago. We talked about a lot of that and I didn't watch the video from last meeting, but that should have had some as well.

B

So so and then the relationship with the other sig security meeting, which I guess is more us time based is it kind of like this session- is a catch-up of what's going on there as well or.

A

um Yeah I mean you have some of that, but the problem. Sorry, the problem is that this um there's only usually one or two people that overlapped the two meetings because they're in semi uh time zones- and uh so sometimes we do have that spillover. uh Jj is, I think, he's one of the chairs um he's been to both meetings uh a couple times and emily fox is a chair and she was in the meeting last time that I wasn't able to make it to so yeah. So we'll it'll happen from time to time.

B

All right.

A

Good well, it was really nice meeting you richard. um I will try to figure out what the heck is going on here with future meetings, um but I expect that we'll have a bigger group on the 13th cool.

B

All right well I'll, look forward to seeing everyone. Then all right have a good day. Take care.