From YouTube: CNCF SIG Security 2021-03-29
A: Yeah, I missed the last meeting, but we had, I don't know, maybe 10-ish people the time before, so I'm a little surprised. I wonder if somehow we missed something that they wanted to skip this week because of.

A: Well, I'm sort of, kind of, the lead, usually. Okay, so yeah, let me tell you a little bit about SIG Security. So basically it started as kind of a working group that's called SAFE or something like that, and then became an official thing under the CNCF, and around that time it really started to take off and they got more formal structure and things like this. And so one of the things that a few people did is, for instance, I started, I came up with guidelines for doing security assessments and did a few other things related to that for the SIG. And so then, as a role, they have a couple of different types of roles: they have chairs, which run it and also do administrative work.

A: So I'm a tech lead. I'm currently in Shanghai. I don't know how much longer I'll be here; I'll either be here maybe two-ish months, or I will be here until after Christmas, but I'm unsure about that yet. And while I've been here, I've been trying to get the Asia Pacific folks, like, things to kind of spin up a little bit more. Yeah, but I'm very surprised. It's three minutes past and there's no one here.

A: My guess is that this meeting must be canceled, because there'd be at least, there'd be at least probably three or four people here. If, you know, I can't imagine that everybody just sort of decided not to come. Well, why don't you introduce yourself, though, and, yeah, I'm sure...

B: About you, so I'm Richard, Richard Clark. I'm a senior application security engineer for a gaming startup here in Perth, Western Australia. Kind of, I'm also trying to start a CNCF chapter here in Perth.

B: So there wasn't one here. I work for, so the company is called VGW. We're in a bit of an interesting space, in that we have some business units kind of almost fully cloud native, Kubernetes, OpenTelemetry and all this lot, and we then also have other business units which still use the various cloud providers and that whole shared responsibility model, and kind of we have different business units of different skill sets.

B: So we're in a bit of an interesting position, that we're kind of, some were able to bring some of that technology or learnings from those that have adopted fully cloud native and bring them back. But yet also other business units are selecting, like, the right projects for themselves, and it's kind of, yeah, a lot for me.

B: This is kind of, I'm new to this space in terms of, like, Kubernetes at least, and CNCF, and I just really wanted to surround myself with the community, because I think there's a lot of design patterns and learnings in the way that applications are deployed and modeled and so forth using CNCF projects that help security. And so I'm kind of just trying to surround myself and try and absorb as much as I can and contribute back from my own learnings and my career experience.

A: Great. Sorry, I thought I was the opposite. I thought it was muted the whole time, but I was unmuted, so yeah. So one thing I can tell you a little bit about, and you may know, I mean, how much do you know about the CNCF projects? A little, not...

B: I would say a huge amount, but I guess this is where this, like, a lot of the incubation projects like SPIFFE and SPIRE interest me a lot, yeah, and kind of just trying to do the whole thing, yeah, but I think that's, these, yeah. It's...

A: ...expert on SPIFFE and SPIRE, but I did do a security assessment for them, along with some of their engineers, so I understand it well, but I haven't really, like, I haven't used it operationally.

A: So it's a little bit, you know, it's kind of different knowledge, but it seems to be, I think, a very solid project. It handles the secure introduction problem: how do you take an ephemeral thing and give it keys and identities and stuff like that, without, you know, having to worry about, you know, a man in the middle, you know, malicious parties doing a bunch of things? It has a bunch of really strong parts.

A: It has some areas dealing with federated trust that they're working out now, like how do you federate multiple SPIRE servers together.

A: It used to be the case that effectively, if the server was compromised, you really lost all security in the system, and with federation I haven't really looked to see how they're containing it. I've been a little swamped with other things, but I think that's, like, a kind of interesting touch point to look at.

A: Other projects you should probably be aware of in the space that you may know about, I'll name drop some. Some I know more about than others, but like Harbor, so yeah, TUF, I'm, you know, Notary, in-toto.

A: Let me think about what else. Those are, I think, ones that come to mind, and full disclosure, like, I'm the creator of the TUF project and one of the creators of the in-toto project, so yeah. But then, and obviously, I don't know if you know, Notary is an implementation of TUF that also has some other functionality in it to integrate better into cloud-native environments.

A: So I sort of have, like, a little bit of a, well, I have a dog in the race, to kind of say it, you know, colloquially. But, and in general, the TUF/Notary thing is likely something you just enable correctly at your provider rather than a real decision you make. In-toto is something you need to do a little bit of work with, but once you set it up, it's transparent and it's really effective. Harbor's interesting in that it takes a bunch of things like TUF, Notary and a bunch of other technologies and kind of stitches them together, and we did a security assessment for them.

A: I think I, I don't remember whether I was just part of it or whether I led it, but the, like, the problem I, or the concern I had about Harbor is it's a lot of very complicated things that are all kind of glued together, and I think where the seams connect there's a lot of potential for things not living up to all the security guarantees they want. But in general, it's better than you trying to glue stuff together yourself, and in general it really...

A: You know, the complexity you have there, someone, you know, like smart groups like nation-state actors or something like that would likely have to, or I don't know, at least reasonable hackers would have to spend a fair amount of time doing a deep dive, and then they can probably find, all, my guess, I mean, once again, I could be wrong, but my guess is they could probably find a variety of different issues of different severities in how, like, the technologies stitch. But I think overall, I think it provides, like, pretty good security guarantees out of the box, and so, if you're not likely to be a serious target, it's, like, quite an excellent project. And I think if you would otherwise be stitching it yourself, then it's still, I think it's worth doing, but I wouldn't trust, you know, 10 million dollars in Bitcoin to a system protected by Harbor.

A: Harbor, okay, so I'll, let, I don't want to sort of misrepresent Harbor, but it's kind of everything with a registry, with delivery. It sort of is, like, the amalgamation of, like, how you store and get software places.

A: I don't really, to be honest, I haven't used it as a user, so I also feel like I don't know all the use cases for Harbor and how people do it, but it's sort of the registry side plus a bunch of other stuff. TUF and Notary.

A: They will be a man in the middle, right, and the goal of TUF is to provide you the best security possible in any of those types of environments, while, so, have, like, a graceful degradation of security. So, for instance, if a man in the middle controls all your network traffic, they, you know, should be able to stop you from downloading an update by just, you know, failing to deliver the bits, but they can't put malicious software in an update or do something like that.

A: If they take over the registry, they may be able to convince you that a slightly older version of something is the most current version, but they shouldn't be able to give you a significantly older version, and they shouldn't be able to do things like, you know, give you something that isn't signed with the correct keys, that wasn't produced by your developers, right, if you're doing things right. And that's the general idea behind Notary and TUF. Okay, and then in-toto is software supply chain security.

A: So, basically, when you make your software, you sign git commits, check them into a repo. You run it through a build farm. You have maybe a CI/CD pipeline. You do testing, you package it, you contain..., or, you know, whatever you're doing, containerize it. You go and you deliver it, and in-toto produces cryptographically signed metadata and checks through all the steps that occur there, and so you'll know something like, you'll know...

A: If the build server manipulated your files and added something in, or if, you know, someone didn't actually run the tests and they pushed something, and it's all, like, cryptographically signed and verified. So it's assumed that those boxes on your network are not perfectly trusted, and so there's been a lot of interest in this because of the whole SolarWinds attacks and the things related to that, because in-toto is basically the only thing that really has a hope of protecting against something like that.

A: We work and integrate very closely into technologies that, along with in-toto, things like reproducible builds and stuff like that, that, if you use, like, reproducible builds and then verify the cryptographic metadata with in-toto from that, you have a reasonable hope of being able to protect against something like SolarWinds and similar attacks, and things like that.

B: So do in-toto and TUF work together in any way? So you've got kind of, like, you know, the left side of the registry and the right side of the registry, if you will. So, I guess it kind of seems like those two products could work very well together.

A: Yeah, they do, they integrate well. Datadog did a deployment with them, and we've also, really, in-toto goes as far right as TUF and even actually further right. Also, it's, like, more overarching, but, like, Datadog actually put out a nice blog post where they talk about how they did their TUF and in-toto combined integration, along with a bunch of stuff with git signing and stuff like that, and we actually... oh cool.

A: Actually, we found a bunch of design flaws in the way git signing worked and got them to change the way they do tag signing over to our architecture about four years ago or something like that. So we've been kind of pushing at different points in this, like, software supply chain, for want of better words, for the last, I don't know, for a long time, and slowly kind of securing them and making them better and better.

A: We didn't get our complete architecture into git yet, but if you're signing git tags, you're using my student Santiago's code, and he's the lead of the in-toto project and, you know, has just done an amazing job with everything. Yeah, there's, yeah, so that's the basic overview of those bits and pieces that I know pretty well. I'm trying to think if there's anything else. I'm sure that if other people from SIG Security watch this call, which they may, since it's recorded, that some of them will be screaming at the screen.

A: Like, "Oh, you didn't talk about this. You didn't talk about that," but I feel like I'm forgetting stuff, a bunch of important things, but that's their fault for not being on the call, I guess.

B: That's quite all right, yeah. It's good to just start off with something somewhere in space, and I can go away, research that and see how that could work for us, and likewise how I can contribute back. In terms of these general meetings, is there anything else that goes on, or is there anything expected of members that participate?

A: People just talk about efforts that they want to do. We're creating, like, kind of a security landscape document where you can look at what happens and, as, like, a company, decide, like, what products, with, like, what CNCF technologies and things you'd want to employ in different places to get different security properties. But really, everything here, it's mostly somebody says, "I think this is a good idea. We need a white paper on this," or "we need to create a document on this," or "we need to do this," and then they rally interest around it and they start it. It's not like a, you don't have to have a motion to have a, you know, to have a document created, to do this and do that. You know, there's not, like, high overhead in doing things.

A: People just tend to do them, and if they get momentum then they tend to be really successful. So yeah, and we'll have more discussion about that. In fact, I think if you watch the meeting, about that, that was two meetings ago, we talked about a lot of that, and I didn't watch the video from last meeting, but that should have had some as well.

A: Yeah, I mean, you have some of that, but the problem, sorry, the problem is that there's only usually one or two people that overlap the two meetings, because of their time zones, and so sometimes we do have that spillover. JJ is, I think, he's one of the chairs, he's been to both meetings a couple of times, and Emily Fox is a chair and she was in the meeting last time that I wasn't able to make it to, so yeah. So it'll happen from time to time.

A: Good. Well, it was really nice meeting you, Richard. I will try to figure out what the heck is going on here with future meetings, but I expect that we'll have a bigger group on the 13th. Cool.