
A

So I'll give a brief on what happened in the TOC call. Today we just gave a status update to the TOC call, highlighting the members that we have, the affiliations that we have, the activities that we are doing in terms of positions, and then the governance structure that we've created and stuff. So that's what happened today, but it's too big for me to fill in dance shoes, so I'm just gonna yield to Cormack. Hey Justin, welcome!

A

Do you want to take over and run the meeting.

B

Ok,.

A

All right so Stu, let's do chicken.

A

Justin, you seem to be first on my list anyway,.

C

Okay, who is that? Is that Justin Cappos and Santiago, or Justin Cormack? Who do you want to go first?

A

Justin Cormack seems to be the first on my list.

D

Report: I've been on holiday, and what I'm looking forward to working on is the piece we're gonna do with Santiago around supply chain security, which we're gonna start this week, which I'm looking forward to, but I don't have much to report.

E

Perfect.

A

All right, the next step on my list is go. Look at it. Dear gee, I, don't.

F

Know you nothing.

G

You know the re spot, my second name all right so yet cast product sneak this last week, I've actually mainly been on holiday, which has been very nice which doesn't, but it didn't mean I did not do anything related to security of any strike.

A

Seems like a fun holiday, but obviously missing out on security. Oh yeah.

G

It was, it was nice to me sound security for a week.

A

Joshua look: oh.

H

Yeah I, don't really have anything share of just turn of this week, because I'm interested in the supply chain, security, stuff.

A

More goldberg.

I

Yeah, I everyone nothing to show report, I'm actually I think it's it's the first or a second time, I'm joining you guys, yeah, but happy to learn and see how can I contribute.

I

You know mostly around areas of identity and access, which is where I come from nice. Nice, nice.

A

Please densha.

B

So we've got confirmation this week that we.

B

Are sessions at KubeCon, so, in addition to Security Day, we will have the traditional sort of intro and deep dive sessions that we've been doing. Those have been productive, you know, and many of you joined us following those sessions, so keep on plugging away at those, and I think we're gonna try to take a slightly different tack this time around and actually present different things in the intro and deep dive. So nice as it comes out of the event.

A

All right, Chris welcome, I.

J

Think.

K

Those me.

J

Yeah, okay, mostly just continuing our work in Falco and getting it ready for our goal of proposing it to get moved to incubation around October, once we hit our one-year mark. We've brought in three different outside repositories into the GitHub org, and we're going to start putting together some demos of a couple of new tools, how to use Falco in Kubernetes, and what the end user stories could look like.

J

So, if folks are interested in a demo, either here or just to check it out online, we're happy to help. The one action item I had from last week was to follow up regarding some questions about us here in the SIG. Duty is the one who has more information on that; I don't think he could get on the call today, so we're gonna push that one off until next week, and hopefully we'll have more information for folks then.

A

Perfect, yeah, seems like that's something that we should consider for a demo in this group at some point. I would at least create an issue for that and see if we could slot it in at some point. Okay.

J

If you create a feel free to tag me at Chris, no but and yeah put some stuff together, awesome.

A

Stuff Roger Roger kay, oh.

A

If you're speaking, you're immune okay yeah just now.

L

Talking, not just moving my lips, it's weird. We at SUSE are heads down in a release now; we're doing our gold master candidate this week. Talk about language that persists, you know, that's about as relevant as dialing the phone. Gold master, I think, these days, but.

L

Part of a big change in this release for us has been incorporating Cilium and moving to

L

You know, stronger image, network security and security policies, and so I've been spending a lot of time playing evangelist in-house for that and starting to do customer roadshows on the latest updates. So we'll probably focus on

L

Communities.

K

Network.

M

Security.

A

Nice, thank you. Martin, I

M

No, for me, I don't have much to update. I'll continue my work on Clair. Oh, I'll share with you guys what the project is about, if you have any questions: it's a static analysis tool for containers, for security vulnerabilities in them, but yeah.

M

That's for me.

M

And also I'm interested too, I shared this in an issue, about the observer / intern role in the security assessment. So I will be interested to discuss this topic. Oh, perfect, yeah.

A

Justin Cappos and Justin Cormack are your go-to persons for that.

A

Jenkins Jenkins Oh janek's yep, that's.

E

Me I'm the first time this means I work at welcome.

M

Okay,.

E

Bye dance and we're happy, is you sure and adopting all of other CNCF components such as SPIFFE and SPIRE, so I'm working on production identity and access management, so I thought it would be helpful for me to join this meeting to understand the roadmap for the coming security features for those kinds of platforms.

A

Perfect, awesome, yeah. If you've not done it yourself, there is a GitHub page for contributors that you can add yourself to, so if you want to go add yourself, then you can start contributing. Great.

E

Thank you.

F

Thank you.

A

Hayden.

N

I.

O

Am adore.

N

Anything specifically related to the working group but I work for and about.

N

So TTS is the Technology Transformation Services, so we run a lot of

F

And.

N

Search gun-walking, knocketh and cloud etc, and then do a lot of work, sort of modernize from technology with other agencies, Sarah used to work with.

P

Hi.

N

So reach out to me, if you're interested in hearing more.

A

Mark mark Manning yeah good to have you here in.

A

Mark Jonah go next mark.

F

M.

Q

Yeah, can you hear me now? Yep, yep, sorry. So my name is Mark, I'm from NCC Group, and I'm still trying to determine where to kind of fit in and contribute. Some of my co-workers do security related audits; that's usually our background. So we've been listening to your direction to go into some of the threat modeling projects that I think you're currently working on; we're going to see if we can contribute there. We're also doing some public fuzzing projects that we'd like some partnership on in the next couple of weeks.

Q

Anybody's interested in that type of thing please reach out.

A

Somebody has a contributor, I'd suggest doing that, and while doing that even followed that before, but a sapping in terms of liquid, which which area you are interested in, if you could note note that- and it will be helpful for the rest of the team to tie, give so Christian la cena.

R

Heather kami.

R

Okay, there we go. Well, I'm just filling in for my colleague here, Rey, who usually attends this meeting, and actually I did attend a couple of meetings ago, and the supply chain stuff actually caught my ear and raised a few ears on my company's team. So I wanted to see if there were any updates on that, and otherwise I just wanted to keep Rey abreast of any updates in the SIG.

F

Thanks.

A

For joining thank.

F

You.

A

Jonathan Meadows.

S

I'm Jose I put together a couple of my thoughts on the smoker supply chain in the SPL ski work. It's really important to us in organ and I, sent it through and had a quick chat with Santiago sorry interested in the inter piece of their working group.

T

Hello, so I'm, Santiago speaking through a Justin's computer, keep going I'm trying to kill.

C

The camera yeah.

T

Screen. So I'm mostly interested in having this meeting move forward with the software supply chain security project that we've been talking about, and yeah, I'm really excited to hear what everybody thinks, and I'm hoping we make the meeting with a specific path forward. Probably we can Folsom starting things going: okay.

C

Great, and I guess my updates this week: so I had a chat with Sarah over the weekend, thank you, Sarah, for doing that, about some of the Open Sesame; we've had some back and forth on that. I found some folks that are actually real world supply chain folks; they deal with manufacturing and stuff, and they're actually quite interested in using in-toto, so we'll see how that works in their process.

C

So I guess one of the lessons from that is that if we build something good from a security standpoint, the real world and real people actually may want to apply it to whatever things they're doing. In that case, we finally just got the in-toto logo, I think finally approved, like Chris, so we're gonna have a new logo up soon, and our securesystemslib is an official Debian package in unstable, and we should have in-toto and TUF in there.

C

If not at the end of this week, then, before the next meeting.

F

Looks like. Thank you, Brandon.

U

Hi yeah I'm on vacation as well last week, so not too much okay,.

A

Thank you, Ricardo's turn right.

V

Yeah, Ricardo, and I work for Rakuten, and this is the first time I've attended this meeting. So there's a couple of items on the agenda that Brendan actually put up, and I'm in contact with them. So I just want to hear about that, and hopefully I can learn something and am glad to hear how I can contribute myself too.

A

Thank you, Mark mark Underwood.

O

Everybody, I'll keep it short, so nothing new to report. I usually represent things going on with NIST. Today there's a public document released on cyber resilience; it does occur to me we might be kind of slacking in our group dealing with resilience issues. So maybe that's just a tip of the hat to that one, and a reminder: I also work at a fintech, so we're interested in supply chain related stuff, and Justin, the people in the MRP world, where I came from decades ago, call this the Bill of Resources.

O

So the mapping from the software build materials to that is a time-based, a configuration management tool that that they use for that so and when you figure that out sell it to Boeing, that's it for me.

A

Perfect. Thank you. Christian christian.

W

Security team, nothing big new to report. We have an ongoing discussion internally about a machine, readable metadata format that capture some of the software supply chain stuff, so mostly to figure out. If there's any, if you find a security problem, if you that you can trace that to affected, you know end products right, so I've asked them to make that bring that into shape that maybe we can bring that to this group at some point. So how to do that fantastic.

A

Thank you, Sarah.

P

Catching up on some GitHub PRs, so I meant to reach out to the triage group and I didn't; I added it as an action item of this meeting.

P

If anybody's up for doing a final review of the meeting facilitator role, we came up with some preconditions, so particularly people who help that ascribes or play it as some kind of leadership, role and group or newcomers to read to review that, and it's already been sort of been principal approved, but I added some kind of catch-up process thing so would love somebody's review on that also caught up on the last action item from that's on our side from the in toto assessment.

P

The discussion today is what we're doing as a SIG to kind of look at supply chain attacks in general, that Santiago's leading, and then we have this other action item that we were going to. We recommended to the CNCF that perhaps they could identify a UX researcher to figure out, you know, kind of whether there are speed bumps in adoption of in-toto, or if the project should do something, if the focus should be on companies adopting, or perhaps there's some dependency

P

That would be more fruitful for in-toto to spend effort on, so I added that to the notes. Feel free to click on links and chime in or review or whatever. Oh.

P

Also I've been chatting with Jonathan Meadows about presenting next week about the security. The training he's got going on so I think I'm going to pencil that in because we haven't gotten uh I, don't know if we finalized that but I'm putting that into the planned meetings proposal.

A

Is there should be definition you thought better?

A

Is that going to be tracked as a doc outside.

P

Let me see if there's an issue for that, if not I'll ask nicely. Thank you. First, like.

H

Amy.

K

It's having trouble coming off me howdy.

K

Around any of the security day stuff that's happening at San Diego and any other kind of CNCF was my friend around.

K

Thank.

A

You yeah security, there's gonna, be I mean like a lot of heavy lifting, is done by Amy Emily.

A

Might be useful after we finish the rounds that might be useful for you to give a little bit of an update on so we'll sis, there's a Colin user and and as six five zero. Six four four four eight seven, eight hey.

X

It's Emily, I wanna call.

X

So, quick updates: the KubeCon notifications went out, so we're encouraging everybody to post on their various social media sites that they can recycle their security KubeCon and CloudNativeCon talks to Security Day. So right now what we're trying to do is drive up the CFP submissions and make people aware of it. There are still sponsorships available, which just means that we get a nicer Security Day.

X

The website is available. It has all the content, talks about open spaces. Right now we're just trying to drive more CFP traffic so that when it comes time to close the submissions we have more than just a couple to look at. We've got five that have been submitted, eight that were in draft as of yesterday, so we're hoping to get a lot more. If you know anybody in the security space that has a good idea, or you've overheard them talking about a really good thing relevant to cloud native security, encourage them to submit it as a CFP.

X

Maybe do a KO presentation as well. That's all I have for updates I.

A

Would I'd encourage some of the senior security projects to.

A

Advertise this in their forum, in whatever form that they have. I know we have SPIFFE, we have OPA as well, so I think we should also use those channels to advertise, so I can personally reach out to both of them and then keep them in a Oscar for promoting it within the community.

V

I mean it's already on the agenda, but regarding the SIG security summit: is that an independent event, or do you also get a pass if you're a speaker at that event? Do you also get a pass to KubeCon, so.

K

I can speak that right now, no way if that is an issue when you weren't accepted speaker reach out to me.

V

Okay, thank.

K

You.

A

Thank you, so I am for this mentality that we are trying facilitate. Sarandon has been helping out facilitators for quite some time, so I'm still kind of fit into the shoes, and each of this region is way bigger than mine, but I'm gonna as I catch up and I said trying to get the agenda squared away for the next meeting for this meeting. Is there I'd like to keep this as an open agenda unless this this prior agenda? That said already, then, if you can comment on it, that will be useful, but.

B

Today, we're excited to have discussion around splotchy. Okay, though, are you able to get that up today or I've been a year old, fighting over Justin's computer.

Y

Yes,.

T

Often having the proposal, and I think there was some hesitation by Cormack about it.

T

I also met with Jonathan, and I think also Emily Fox took a look at the meeting notes that we have prepared, and my understanding is that, timeline wise, we can probably start the proposal as a repository in which we take the existing in-toto supply chain compromises list and start enriching it with content regarding certain types of compromises, and then we're gonna quickly roll it into like a guide that people can actually refer to and eventually try to answer questions about

T

What's the best way for users to consult this resource and use it to tighten their security process, which I think is the end goal. I don't know if I misquoted you, Justin Cormack; I don't know what you think. I

D

Mean I think that well I, think I think you'll be helpful if we're clear about who the audience for this is upfront and and what kind of what kind of maintenance we're going to do.

D

Practical things and how long yeah we can juice and what can't what you know an outline of what we actually want to produce.

T

Right so I feel we can elaborate a little bit on the document that already Jonathan and Emily helped me prepare, but the audience is as far as I understand this and the consensus is, we are trying to help developers, cloud native application developers and software engineers to tighten their software supply chain in terms of security. So, with that in mind, I think we pretty much want to like compile a list of recommendations and case studies and and probably the future feature like scanning tools and things like this.

T

My my hope is that we can probably start with something small that doesn't require a lot of time and, as we see whether it has some success or not, we we can increase the scope and the reach of the project.

P

So Santiago you mentioned, there was a document that you started. I don't do. Is that something you want to share here or I think there was.

K

Some kind.

P

Some interesting discussion on the thread that was because originally it was focused on this catalog and then there was some discussion about kind of taking slightly different approaches and I'm just kind of curious, where you're at with that.

T

No no well, the catalog is something we would be moving over because I think that will help us make foundation. Oh it's like Google Doc. It's that Google Doc I posted it on the security chat on the channel.

T

Sorry, black or.

P

The chat terminals, it.

T

Probably a reply to just a core matter of fact: I think it's there.

C

Alright, so I'll post in both places, I've posted more obviously there and I'll list it here.

P

And there everybody can so.

T

It's a little bye, everybody just just a word of warning, but basically the idea that I was having. If we move the catalog and from the catalog, we derive like a list of priorities that we can write recommendations about and the reason why I think the catalog is important, even if it's not completely comprehensive, is that I think it drives a sense of reality and why and sense of urgency and I think it will make people understand by software supply chain.

T

Security is important and why they need to follow this practices, which I think it's a it's part of the battle that we're having that a lot of people are alerted they're skeptical about this problem, I.

S

Think a big bit of this is raising people's awareness, actual issue I think I've gone on. This call realizes it is an issue but I wonder and I get mixed feedback from others when I'm talking to people. That's why I change security and I think with that that catalog that Santiago is proposing and other examples of this issue.

S

I think one outcome of this sort of mini project would be to focus on raising people's awareness, then, based upon that, we can look at providing best practice guidance of how you know focusing on an audience of software engineers and cloud native developers that can.

K

Actually,.

S

Fix that issue or start to mitigate some those concerns. But to me my personal thing would be awareness and an ability to work fix that.

E

Pretty.

H

Good. Nowadays, at least in developer circles, one of the problems is we get these big splashy headlines that say there was a supply chain compromise, and then very little insight into what the compromise was, which is why the catalog would be so beneficial, and a lot of the supply chain compromises we're seeing, well, several of them, end up being, you know, rudimentary user blunders: we used the same password everywhere and it got scraped, and so I've got my RubyGems published under my account or whatever.

H

But then there are the problems which are different and where it's easier to sort of work on a technical solution beyond just, you know, telling everyone to use 2FA or whatever. So I think the catalog, that's why I'm really interested in the catalog, is to try and get a better understanding of the variety of the attacks and the different attacks beyond just account compromise. I

P

Also, I really liked the idea of having the catalog segregated into categories, right, different types of threats, so that then also, if it's, you know, listed chronologically, then it sort of implies that we're trying to write down every single one there ever was, but putting them in categories then makes it feel more like there are examples, and I don't necessarily want to sign up for keeping it fresh with every single possible thing that happened, but good examples of each category, I think, would be a great goal to have.

D

You can have examples of things that would mitigate that type of thing alongside the example and things I.

A

Right, I think that's a good idea. Really, I was just coming through the doc quickly. One thing that I would suggest, and I'd also suggest leaving a comment in the doc as well, is to document non-goals. I see goals and activities documented, but non-goals are not.

T

Right, yeah, I, think I, think that's I, think it's a valid point and I think we can like from the conversation we can pretty much extrapolate certain yeah.

T

What I'm thinking is I feel there's a little bit of consensus on well, we will take this catalog put it into categories, then use this categories to drive, recommendations for best practices and and I feel that if, if we were like on the same boat in that department, we could probably move on to a more formal proposal in which we actually have like a project that organic tea grows right.

T

It feels that I'm brushing but I'm also a little bit of afraid of like circling a little bit too much in the issue and then eventually not having a an actual thing. We can contribute out there well.

P

Jd wasn't here when we talked this initially, but this is this was a proposal we all agreed to do it so there's no. This isn't. This discussion is not a gate to any action. This is a discussion with the group to help the initiative move forward by pulling on the wisdom of the team here, so so yeah so I think we're.

P

You know, like I, think we're trying to refine and capture and help, but not creating any sort of gate here and I love the idea of coming up with the first iteration, that's small and tight and effective, even if it doesn't do everything we possibly want, and then we can add additional issues for improvements. We'd like to implement I mean.

D

I think yeah, if it's going to be for raising awareness and I think making it short and readable, so no more than 106 pages or something in the sri lankan, so good as a PDF, say you'd be really helpful in that, rather than something this feels like a catalog. So something that you could you could pass around people and point at them and email them or whatever that they could just to understand. The problem.

H

If you can encourage a community to maintain a catalog, you can use that as a data source for other things. People who are talking about these things don't have to keep talking about the same compromise it was made in 2011. They can, you know, refer to something more recent in the same domain or.

T

Right, that's my hope, with a organically growing community like everybody can, I know well, I just found this sort of lighting compromise and they think it relates to this other. Keep it around this reference.

A

Make sense I mean.

H

Feels like this can help with wider education efforts of the group as well, like not strictly related to supply chain compromise, but choosing st. open-source dependencies is obviously a problem, from the fact that when RubyGems had multiple compromises a couple of weeks ago, it turned out that like 1200 people were downloading a gem that had only existed for a week and was cryptic. I think you can, you know, use this as motivation to drive other education efforts.

H

Yeah.

N

Is this motivation, the main sticking point I mean or or is it just like, knowing what like the ladder is I, guess what I'm more interested in especially I, think all of us here so really bought in I, haven't so much gotten as push back as like knowing what the like lowest lift solved to. You know each sort of category or each sort of I'm thinking but visually.

N

If look one of the different segments of our delivery process that that these attack like what are all the attack factors basically and then what's the easiest like mitigation for each I.

T

I feel that that's on scope, I feel that we probably would defer that a little bit for a second iteration, but uh some of them are like immediate right. We find a bunch of compromises of certain nature and we go, and we know that the solution is so. We can pretty much point to the right place. I feel that the catalog will was also prioritize, which which solutions we want to be more clear about and more up front about, digit waiting.

F

So.

U

The question about the locality, it seems like a fairly like modern man, then I'm assuming like developers and maybe.

U

Is it possible to know so I, don't know that this would be in scope, but we have I kind of like executive level or something that like executives, could use this I.

T

Think it cut off a little bit on my side. Could you.

U

So I just wondering with the like what level of technicality with the document be, whether is it going to be written, very technical, or is it going to be also accessible to business executives? What's the audience here, just kind of getting engaged with that, so my.

T

My understanding and I think we can also discuss this, but was that probably want to target like developer /m up singing near audience because are the ones that can make the decisions like a separate track in which we can also give them resources to convince their project managers or so well? We can also do that, but I I I, don't know how broad we want to be on this.

P

First equation: what sounded like the beginning, like you know, with the awareness goal? This is why everyone needs to be concerned about supply chain, so it sounded like from the way you were discussing it. Santiago that the like, maybe the first page for the first half page, would be the kind of thing that you could give executives right like. This is why this is why me as a developer- or you know, my team should be spending a little time on this right, copy-paste, abstract and then then then people can dig into the meat of it.

P

Who are actually going to do the mid right.

B

And then the.

P

Guild during.

S

You can abstract, maybe sorry.

P

Jonathan didn't hear you sorry.

S

Then I think you started that security into your engineering level and provide a reasonable man detail so that then someone can abstract it and provide it to the senior management. That would be a useful, beautiful place to go in and then you've got my detailing subsequently abstracted, because when I talk to a lot of people in different industries, I mean in the financial industry. It's at that level that the awareness isn't quite universally distributed.

S

As long as we get that level of detail, then perhaps we get a one-page or someone the other engineers good and strike that up.

B

Right and I think this is a great opportunity. You know if we get the core resource to you know that level of utility to you know, delegate the extended activity to the scenes have right that translation, you know, to kind of the business stakeholders seems like a great opportunity to partner with the you know the broader CAF bring in some you know: marketing tech riot or support and extend yeah the work that did we.

B

They can't do the technical efforts that we can provide, but they can do some of the you know with Polish translating and mapping back to that confused at.

A

Some point, but also I mean I also think, is a it's a great way I'm.

A

It might also be useful for us to think through if it does have to go through a curation process or if it's like what gets submitted is what kids seen in other words. Do we need is. Is anyone concerned enough to raise their hands for, like oh I'll, moderate this, so that there is quality check in this? Or do we just trust in terms of hosting, because I heard, like someone.

A

You'll be a nice way, I think it sent what San Diego San Diego, so you're saying like it will be useful for somebody to come in and post the ones that they see online.

A

So I would yeah what do you? What do you think? What are your thoughts on that.

T

So I don't know how explicit or implicit assess but I. My understanding is that I would be the one that will probably make sure that project stays live and that there's no like on unexpected changes that the community doesn't agree on. I, don't mean to say, I, never lent a caterer for life, but more of a like the guy. That's keeping an eye on it and making sure that everybody is on board with the direction that this is going.

P

Yeah, and I also just posted in the notes and in chat: this sort of action item proposal came out of noticing that in-toto had collected this supply chain compromises list. So

K

If.

P

People have enthusiasm to point out supply chain attacks that aren't on this list right, so we could use this. You know where it is. You know, as a the plan was to use that as a starting point and and then and.

C

Then Santiago agreed to take me to.

P

Curate it and drive the initiative forward for the benevolent dictator, slash leader.

K

For.

P

The duration of the project, relatively short, but important and corralling a bunch of people who have been Susie a Stickley, agreed to help yeah.

A

Thank you.

A

Yes, so the next steps on this is to I mean like what said. I was saying not to get honest and next.

A

Get to the next stage of getting a proposal out in the we do have I mean they do not on me laptop, but I think that is that we have later the processor how to make this a project.

F

Okay, this is its.

P

The title still said proposal, but it was already labeled as a project so like.

K

I think that I'm.

P

Sorry, if we, you know our transfer chair, didn't communicate that well, but but since I was able to join today Santiago, maybe you can first chime in and say if you need anything to move forward, it sounds like not and then I think also. A lot of people came to this meeting because they're curious are interested and we can also use some a little bit of time for people to chime in with questions or things. They want to contribute.

P

Yeah.

A

Yeah, sorry: apologies for not being coordinated but yeah. Anybody who wants to chime in.

A

That is a otherwise. We could talk a little bit about.

A

Simile, an Amy and there any anything that we want to bring up to the steam or Michael joined us well,.

D

Yeah, there was one thing that came out at the CNCF meeting yesterday, which was that the nurse said that she was going to ask all the SIGs to provide some kind of gap analysis or project analysis of

O

Spice.

D

And at some point fairly soon, and so that there will be a requirement for us to do that since I'm going soon. But they are formal, Ahoskie couldn't.

A

Think it's still in the talks and discussions in terms of yeah.

A

Yeah we need to follow through with this listen joke on that to see, because there is a whole bunch of qualification criteria in what if there is overlap, how much of overlap is considered. I know, okay, overlap, kind of questions that may arise symptoms of picking and choosing different in the gaps.

A

So we want some clarity in what I can say a CNCF project.

N

Gaps yeah.

P

So can you clarify a little bit cuz I firstly had to miss this meeting. Is.

A

Okay, okay, yeah! Let me summarize that for the men of Judaea team. So there is a thread that's going on, I think it's also an email thread anyway, but Liz brought up a point about not randomly accepting projects to CNCF but being able to, like, pick and choose projects, or even to some extent go and look for projects that actually fill in gaps in the CNCF landscape.

A

What we consider as landscape, right, so that translates to security as well. In terms of, like, what do we consider this landscape? Where are the gaps there? Are there any projects out there that fill the gap? That is something that was encouraged by Liz and the TOC in general.

A

For us to consider, it is still very much a thought in progress and I think that needs a little bit more definition or criteria in terms of, like, how we go about looking at it, but I think it's a really good suggestion and an idea. It works in both ways, in terms of getting a landscape that's understandable and applicable and useful for the end users, and also being able to relate to the projects within the scope of a landscape.

A

So that people can choose those projects, end users can choose those projects for their benefit, right. So.

A

Thank.

P

You, JJ, for that summary, and I'm actually really excited to hear that being discussed at the TOC level, because I think that a lot of the motivation, at least that I've heard individually from people to come to this group, is because they see a gap, right, or they see, you know, issues there or speed bumps, you know, in the inn, or they're building things themselves that they wonder, why am I building this? There ought to be a thing, and why I'm really excited about this supply chain initiative that Santiago is spearheading?

P

Is it was precisely that kind of a gap that led to us wanting to do kind of a bottoms-up approach on the supply chain thing, because we agreed that we, even though that the two on some edges to in-toto, and we're like, well, we're not sure that, you know, it. We totally respect that in-toto can't solve every single supply chain attack in the world, and then we're like, ooh, what happens when you get to the edge? There are some things there that aren't.

P

You know, easy to, like, you know: there may not be easily referenceable solutions there, so we've been doing that from kind of a bottoms-up approach through the security assessments. We're kind of early days there, and so it's really, I think, from my perspective, wonderful to hear the TOC talking about that as well.

A

Absolutely, I think it is useful for the general sense of community and security, specifically, as kis pointed out in that studied. I think if anybody has any opinion, thoughts and suggestions, whether you want to raise it here, whether you want to raise it as an issue and propose things, not projects in general, but things that we think are gaps that would be useful to curate their information, or if you want to reach out to me personally, that's fine too, like an un office I.

P

Also want to point out, I think you mentioned you maybe weren't on a computer, JJ, the Aiden who's new to that group mentioned he's worked, I don't know whether, I haven't had a chance to look at it, but maybe Aiden could have identified something that he's working on that we could talk about, whether that's appropriate for this group or whether it's just a hey, I'm working on this, if anybody's interested.

A

Sounds good, yeah: let's do that. We have eight more minutes. Amy.

N

Yeah, sounds good, I'll be fast about it. So I manage a large number of GitHub organizations with marginal repositories, like probably 1,300 to 1,400, something like that, and for a lot of them they are not making changes, as you can imagine, and so I've been doing some work around automating, like, the archiving of repositories, with the goal that they're on comm, and so using the relatively new github.com feature to automate pull requests for upgrading dependencies on, you know, Ruby, JavaScript, Python, etcetera projects, which are much the languages we use.

N

So this is more application-level concerns, but it's something I've been thinking about at sort of that scale, and I've been working on an NPM package to do that automation. So if you're interested, I put the link in the agenda, I'll bring it down to the notes, but, you know, just reach out to me if you're interested in collaborating or using it. We're only using it internally right now, so I'd be interested in getting someone else to try.

N

Happy to answer questions or cede the rest of the time.

A

So that was useful. Thank you so much, then, yep. Please do put it in the notes so that it's useful for others to track and, like I said, anybody who's joining in new and would like to contribute.

A

Let's just make sure you do a PR on the front page of the SIG Security GitHub, so that we'll be able to reach you for any help, and you start contributing. Thank you. We.

P

Also have an open pull request for a new members page. So if you're a member, you can check out that via and diamond. Well, it's in process and soonish we'll have a new members page. So it has some set of pointers and tips about where to start, you know, working with the working group.

A

Yeah, I mean, if we have a few minutes, and if Amy and Emily have anything to talk about, or Michael Ducey joined. So if you want to check in and then give an update on now in six security, be yeah.

Z

I joined when Emily was actually giving an update, so I'm not sure what she had actually said. But sponsorship looks good. We need their CST responses, but that's trying to get an engine.

K

There.

N

Was a question earlier in the chat around who should.

Z

Buy another diamond sponsorship.

Z

No.

K

I know, that's really the challenge, it's kind of like, oh, yikes, and being able to actually make sure that we've got space for everybody. It's going to be fun and.

A

The Trello dashboard isn't shared with everybody, right? Maybe a read-only version, if you could share it with everybody, so that people know the status would be.

K

To be talking about.

AA

The Trello.

A

Board.

A

That's awesome. Yeah, there it is, cool. Anything from you, Dan, Sarah? By the way, we can give back three minutes to the team.

U

Thoughts also on KubeCon: is there kind of a blocker for the SIG Security day? Are they three separate things?

A

They are separate things, so you could submit the same talk to both of them. One, two.

Z

What do you mean, two separate things? I guess is kind of my thought. You have to be registered for KubeCon to go to any of the day's events, and then these are just an add-on for that day, which costs a nominal fee just to help us get the room and everything like that, so you do have to be registered for KubeCon. If you got rejected at KubeCon, I encourage you to submit your talk to the Cloud Native Security Day.

U

If they have a talk that's accepted, for example, weakness for KubeCon, if that talk is included in KubeCon, doesn't mean that the countries in SIG Security Day.

K

I would just submit, and we will solve this problem as it comes up, I think.

A

So.

K

I would love this problem.

P

Well, I don't know that we want to encourage everyone with a security-focused talk at KubeCon to submit it also to SIG Security. Well,.

Z

People have already been notified, so people are either accepted, wait-listed or rejected. At this point.

P

Well, the question is, if you were accepted, figure was.

Z

If you were wait-listed yeah.

G

Oh I'm.

P

Sorry, I misheard. If.

Z

You're wait-listed and you're interested and possibly Cindy, also speaking or speaking instead at the SIG Security Day, please go ahead and submit, and then we can work with the CNCF people to make that decision on the backend, whether we slot it into security day or whether they slot it into the main agenda.

Z

It's not acceptable. Amy.

K

As I come off mute, yes, that is absolutely accessible. Please.

M

Please submit.

Z

Submit early and often.

U

If.

K

You've got any other questions, we have a channel over on Slack for security events. You can also compute, and I'm happy to be able to help answer questions.

A

Thanks, team, see you all next week. All.

K

Right good to see you.

Y

You.
From YouTube: CNCF SIG-Security Meeting - 2019-09-04

Description

Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io

Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects