From YouTube: CNCF SIG Security 2020-12-02

A: Okay, so for those of you that are just joining us, check out the chat. It has the link to the agenda document. Go ahead and list yourself in the attendance and we'll get started shortly.

A: All right, well, everybody's going through and adding themselves. Welcome to the first SIG Security meeting in December.

A: We are going to go ahead and get started. We don't have very much on the agenda, so we'll probably just be doing the new member welcome and discussing a little bit about what the SIG does. Looks like I'm going to be the facilitator today when I jump in. So what we're going to do is, if you're new to the call, go ahead and click the link that Brandon posted in the chat. That is our agenda document. Add yourself to the attendance list.

A: If you have an update and you're a previous member of the SIG, go ahead and just put it in the parentheses next to your name that you have an update, or if you don't, put "no updates". If you're a new member on the attendance list, and if you're new, go ahead and introduce yourself and, like, are you trying to just join this SIG, or what are you interested in? Brandon, did I miss anything?

A: I'm talking to you guys. I got new tech and I'm still working out some kinks with it. So, all right, I'm Emily Fox. I'm the co-chair, or one of the co-chairs, of SIG Security. I've got two awesome counterparts: JJ is one of them and Sarah is the other. I know JJ's on the call; I'm not sure about Sarah.
A: So, thanks to all of the program committee members that helped make that possible, as well as thanks to the CTF team for coordinating and running over 300-plus misconfigured clusters in seven hours. That was really awesome, and the attendees of the security day had a blast doing this CTF, so we're definitely planning on doing that next year for EU. There is an issue open for planning associated with that. We've closed down the program committee and I think there's, like, one other person I have to add to the CTF team, so that'll be closed out shortly.

E: I'll go without video. Sorry about that, folks. What I wanted to share was the NIST... what was the... this big data group is morphing into analytics as a service, and they're preparing a presentation, probably to this group, really soliciting input to kind of frame up what the needs might be in this space, and just to get ideas from this group, and then to get some steering to see if maybe that topic needs to be briefed elsewhere.

E: The genesis for this was an Indiana University project called Cloudmesh that's on GitHub, but that we're kind of reformulating to try to leverage analytics as a service. The use case that's of interest to me, and probably other people in this group, is analytics around information security, and probably telemetry writ large beyond that. So stay tuned on that. They're talking about it for late in December; that's probably poor timing, but that's what they're looking at for now.

A: Okay, Brandon, you're the next one with a presentation or with an update.

B: Yeah, so hi, I'm Brandon. I'm a tech lead for SIG Security. So I just wanted to kind of have a quick update. I was chatting with someone from the Red Hat team. They are working on this new project they call Rekor. I can't pronounce it, so I'm not gonna try, but the idea is it's a project that's gonna be a public ledger, kind of aimed at recording information about supply chain.

B: So it's gonna be a similar concept to certificate transparency, except it's gonna be, you know, like supply chain versioning and signing transparency. So they started a project and I talked to them about coming to present to the SIG. So that's something that probably will happen mid to late January.

A: Thanks, Brandon. Pop, you are new. Can you introduce yourself?

F: Hello everyone, I'm Pop, Dan Papandrea. I work for Sysdig and just wanted to join and say hello to everyone. I know some of these faces, I know some of these names, but those I don't know.

C: Yeah, hi folks, I'm Matt Jarvis. I'm a developer advocate at Snyk. As Pop said, there's quite a few folks who I know on this call already. Yeah, and I'm just super interested to get more involved with what's going on in security across the whole ecosystem. This is the first kind of proper security-focused role I've been in, and, you know, opening my mind to learning.

G: Yeah, hi, I'm Chris Davis. My co-workers and pretty much everybody calls me Davis, which is why my Zoom name is C Davis. I work for amazee.io and we have a product, Lagoon, which we have plans to try to donate to the CNCF eventually. So I'm a security engineer there and I'm just trying to keep our product as secure as possible and immerse myself in the security world at the same time. So.

H: Yeah, no problem, it's Ziola! Let me turn my video on. Yeah, so, yeah. So my name is John Ziola. I am the CTO at a small security consulting company and we work a lot in this space, and I'm an Apache Software Foundation member and a big fan of open source. Somewhat new to the CNCF in general, but interested in getting more acquainted.

I: Yes, hello, I am Alok Raj. I am from India. I am working as a security analyst at XenonStack, and I am here to explore more about the security domain.

A: Awesome, great to have you. Altaz Valani.
J: Hi everyone, sorry, I can't turn on my camera at the moment, but I just wanted to introduce myself. I work for a company called Security Compass in Toronto, Canada. Extensively involved in a number of different working groups, and I know some of you here from this working group as well, and I look forward to collaborating with you to help us extend the body of knowledge of security going forward. Thank you.

K: Everybody, my name is Jake. I'm a DevOps engineer in Missoula, Montana. I have a little bit of background in security from several years ago. I used to work at Sourcefire.

K: I was there when Cisco did the acquisition thing. Lately my days are just with DevOps and Kubernetes. I'm looking to foray back into the security space. I saw Micah speak at AWS Container Day a couple weeks ago and he sort of put out an invite to join the SIG, and I'm curious and I want to check it out. So thanks for having me.

L: Yeah, I've actually been through a few of these meetings, but I'll go ahead and introduce myself again. I'm Tanner Randolph. I run cloud native security architecture for Lowe's, so I'm responsible for all the public clouds, all the Kubernetes services, all the hybrid cloud implementations, all of our open source implementations.

M: That's very kind of you to interrupt the flow. Yes, just to say thank you to everybody who organized this Cloud Native Security Day. It was really a wonderful thing to attend, and everyone who assisted with the CTF as well. It was a roaring success and contributed to by volunteers. So, just extending copious thanks to everybody.

N: Hi, yes, my name is Daniel Tobin. I'm currently security lead for a data layer startup called Cyral. We've been working with OPA with our product, and I've been in, like, the security space for a while. So I wanted to start joining this SIG. So, thanks.

B: Oh, Emily, yeah, if you're talking.

B: Oh, I think she sounds like she's on the phone. I'll continue, then.

O: Hey, hi, I was curious what was happening. Yeah, hi everyone, I'm Diego. I'm here, but I'm very excited to try to contribute and get more involved in the CNCF. I've been working in cloud security matters and cognitive security for the last few years, and I'm working at a company called Messenger, which does communications as a service.

A: Awesome, great to have you. Ricardo Pierra.

P: Hello, so I'm Ricardo. I'm Portuguese and I work in a consulting company in Paris that is called Silence, and I'm a cloud and security architect for them, and I'm starting to work a lot with Kubernetes and security and so on. So it's my first time here. So, I hope I could help, and I'm here to learn a lot. I think so. Thanks a lot.

Q: Maybe we'll see if everything works. Public service announcement is that the EU CFP closes December 13th, which is much, much sooner than I think you all expect, and yes, my comment is basically like, yes.

Q: Get your CFP things in. That is a Sunday, so.

Q: Correct, there will be different calls for that, but I wanted to be able to just put a quick note in that the CFP is coming, so.

Q: This is the virtual event. We are currently scheduled, cross fingers everyone, for an in-person October event with virtual components. Awesome.

R: Hi, I'm Raj. I'm based in the Seattle area, but work for a company on the East Coast, Unisys, and we started our cloud native journey two years ago, where I'm an architect leading our move to Kubernetes and a whole lot of native stacks. So excited to be here. I saw you guys at KubeCon North America and was interested to join. Thanks for inviting.

A: Awesome, so that's all the new members that listed themselves in the attendance. Was there anybody on the call that I missed? If so, please speak up.
A: Okay, that sounds like it. So for everybody that is a new member, welcome. We have a new members page that has some information about being a member within SIG Security and some things that you can potentially get involved in. So I just want to recap a couple of things. First, when you join a couple of meetings and you get involved in the group, you can do a PR and add yourself to the members list.

A: Brandon posted the new members page in chat for those that are having trouble finding it. If you're interested in going through and doing a little bit more with this SIG, we do have lots of issues that are open, and several of them have a "help wanted" on them, and it's a great way to get familiar with the documentation that the group has and some of the efforts that we're working on. Brandon, would you be comfortable talking about the security assessment working group and kind of what goes on there?

B: Yeah, so for those that... let me do a quick introduction for those that are new to what security assessments are. So security assessments are a process that we go through with a couple of projects in the CNCF, and the idea here is we help the CNCF evaluate what the security posture of a project is, provide some recommendations to the project as well as for the CNCF too.

B: So we split into a brainstorming group, and we came out with a couple things that we were targeting. So for those that are actually... you know what, I am going to share my screen. That will probably be easier.

B: Okay, so assuming that you can see this, if you go into the repo, into assessments, there's just a quick overview of what security assessments are, what we've been doing, and if you go into projects, you can kind of see a couple examples of what we did. So, for example, I think the most recent was the Keycloak one and SPIFFE/SPIRE.

B: So if we go into this, we can kind of see what the security assessment is in terms of... this is the overview and kind of the recommendations that we come up with, and also there is a self-assessment document which is really a nice overview of what the project's about, what are some of the security considerations. So after doing a couple of these, we decided to kind of see how we can improve it, so we got together and brainstormed, and we have these issues here.

B: These are what we came up with. So, for example, if we look at getting more reviews for security assessments, we talked about some of the ideas that we came up with during the brainstorming, and, you know, these are... this is, for example, a good first issue to look at. You know: how can we attract more security reviewers to conduct security assessments, because we are volunteer?

B: This is on a volunteer basis, and the idea is that if you're interested, you know, we'll put more information into the issues and then we can create a PR to modify the documents, or people create these incentives for reviewers.

B: So there are a couple more that are out there. So, you know, there's some about improving the process, about mapping it more to the TOC process. So then, if you want to get involved with more the CNCF side of things, how do the SIG activities relate to the CNCF TOC and the general project process? Then this may be of interest, and that's a whole range of different activities, right?

B: So if you are looking at, you know, naming a scope of assessments, whether we should include, you know, security code analysis, for example, then this would be an issue to look at. So this is a couple issues that we have today. So I would say, if you're interested, take a look through, and if any of them are of interest to you, just, you know, put a comment on the issue, and then we can chat from that.
S: I think most of it is covered, and again, thanks to the team for pulling together the Cloud Native Security Day, and kudos to Emily for driving the whole thing. For the people that are new, I do want to mention the white paper as well, the effort that we did; that's available on the repo.

S: Yeah, so that is something that we've done. There's a lot more work there to be done. Vinay, Aradhna and Brandon and Gaudi have been phenomenally helpful in shepherding some of those things as well, so reach out to any of us if you have anything that you feel like you can contribute there. In addition to assessments, there's also a policy working group. This is again for the people that are new.

S: There's also a policy working group that's actually running in the Asia time zone, and they have a bunch of interesting stuff that they are working on. It's currently primarily focused on Kubernetes security policy stuff, but that's again something that you can go drop in and listen and learn more.

C: That's it. That's all I had. I had a quick question about the white paper. I thought it was a fantastic piece of work, by the way; it was really, really good. Are you considering that like a living document that's going to, you know, change over time, as opposed to something that's just been...

A: The white paper, for those that haven't read it or had it, is designed to be kind of a high-level understanding of what you need to do for end-to-end security for cloud-native products, applications and architectures. It is not intended to be a deep dive into any particular technical area that the white paper touches on.

A: So if there is a particular subject area, such as container encryption or image scanning, or something else in that space, for which the community lacks clear documentation on best practices or how to move forward in that area, those are all eligible to become independent documents that can be referenced back into the white paper. So we definitely see this as an evolving space. As we were going through and writing it,

A: we realized that there's quite a few areas where security was just still very young, and we have a lot more work to do. So as we identify those, we want to start doing a little bit more research on them, seeing what products are already in the space, and then creating additional documentation for it to better help the community. And a lot of the framework

A: that's in the white paper, as well as some of the topics that are touched on, are going to be contributed into the CNCF landscape to help end users and customers and businesses and architects kind of navigate a little bit more about how all these components work together. So if you've read through the white paper, you'll notice that we purposefully try to avoid calling out any single product to solve a particular space, and that's kind of where the landscape comes in.

S: Yeah, there is definitely overlap. It's a work in progress. I have an open issue to figure out an integration path between them.

D: Given the source is in Google Docs, and if we want to keep that updated and easy to modify, do we want to turn that into reStructuredText or Markdown, check it in, like, take contributions there, or do we want to do a new copy in Google Docs and that's, like, future version 2? What do you want to do there?

A: So everything for now should be managed in Markdown and in the repo, so the most up-to-date version of the document is what's in our project in Markdown, and as we continue to add and modify and create more content for it, we'll have some minor updates. But I'm expecting, after talking with the CNCF team, that we'll be doing PDF publishing on every release. So when there's a significant content change to the document, then we'll do a new PDF.
S: First, since I see a lot of new people, I also want to reintroduce our TOC sponsors for SIG Security, Justin and Liz. Justin, do you want to say hello?

S: Yeah, and Amye is sort of like the backbone for the entire SIG Security that nobody sees, but she's been instrumental in bootstrapping a lot of structure to the group as we got started. Yep. That's mostly what I had.

A: Yes, she does. So that's kind of, like, all that I had scheduled for our agenda today. I'm expecting in the next week we'll have a little bit more formal things to cover on the agenda, some topics of discussion, and maybe going through a few of the issues in the tickets. I don't know if we have any presentations coming, but those are definitely always eligible.

A: So if you've got something that you potentially want to talk about at a future meeting, there is a proposed agenda topic section of the document, so just throw that up there, and if you have a particular date you're interested in talking about that, also tag that in there. That's all I have. Anybody have anything else?

B: I would say also, if you are interested in anything, create an issue. And in the past, if people are interested in the issue, we've seen it kind of turn into a project on its own. We will bring it into kind of the discussions that we have during the meeting as well.

F: Could I ask a question? And I'm sorry, this might have been covered, but is there any low-hanging fruit or something? Like, I just want to pick up something and help out the, you know, the group, right? So, like, where would I find that? Like, hey, here's something that we need help with, for anyone in the, you know, that's joining, that's new.

B: I would say if you go into issues and select the good first issues, I think there are a couple out there. And just like, or even if, you know, if you're new and you're reading through the documents and you see something in them, like formatting or, like, things you think could be improved, you can just, like, create a quick PR and make some small corrections.

D: We're also in the process of assembling the crew for the Buildpacks security assessment. So if you want to join that, you can join in different capacities. I am leading the charge on the review side, and you can decide how much you put in: if you want to be, like, a full-on reviewer, or you just want to observe the process and, like, externalize from that document some of the things. We're just, like, hanging around while we have meetings that are open, and that goes to what the space...

D: what it is. So welcome to do that and shadow, and, like, you can shadow in a more active way and get feedback and ask questions of why. Why is this being done this way? Brandon gave a great overview that might have piqued the interest of some people, but you may want to learn more of, like, the inner workings of the assessment and what actually goes down. So that's a great way to do it. People have done it before.

F: Awesome, that's definitely something I'm interested in. I'll speak to you, I guess, in the channel or whatever.

A: And for new members, as you participate in some of the months, and if we haven't gotten the assessment process updated yet, your feedback is definitely going to be appreciated as newcomers and, like, a fresh set of eyes on these things.

B: That could help. I think we're looking in terms of new compromises, and also we are kind of, like, lacking a section there on remediation. So just, like, types of attacks, and then we're talking about mitigations; there's a lot about that. So if that's something that you're interested in, that could also be something cool to work on.

A: We've begun kind of analyzing a little bit more of supply chain attacks that are occurring in industry and different ways that teams and individuals can kind of mitigate or resolve them when they occur, and a lot of the information that came out of that catalog collection was incorporated into the white paper, for how do we kind of defeat some of these potential attacks from surfacing for organizations and teams. So it's still very young.

A: The articles do an excellent job of breaking it down, and sometimes they don't, so we kind of have to speculate a little bit about how it could have happened. But definitely that's an excellent point Brandon brought up, is that that would love to have some attention from the community to kind of make that a little bit more robust and bring it up to a 2020 time frame, well, late 2020 time.