From YouTube: CNCF SIG Security 2020-04-08
A: By the way, do you by chance know who added them? The, I guess, the open item for discussion today. I don't see any PRs, but I see this. Actually, can I confirm with my screen share's working? I'm just, I've never... everything I want to... Zoom lets me share a single app, just so.

A: "Beauty exotic security controls for Kubernetes", just 'cause I saw this, but no one put their name, and there was no update there. So I just want to know, call out or offer to step up and cover this topic when we get to it. I will find out, and if not I'll just shelve until next week, till someone decides they want to raise this topic specifically, right.

A: Then here I moved it from the top section of the document, which was sort of planned future meetings, and moved it to today's, and this whole highlighted area's pretty much the addition, wrote slash verbatim, and someone just died of this, but I didn't put an author or anything there. So I wasn't sure whom to offer to discuss this, I...
H: But you know, like, the client software for Zoom has a bunch of bugs and problems, and they've done a bunch of really poor things from a security posture. That makes me think that, like, having a group like SIG Security for the CNCF using Zoom sends a poor message, so I think we should... we should consider if there's something else we could use.
A: Only ones which I'm versed or at least familiar with is WebEx and Slack, which I believe you're up, Slack, but I don't know if we have to pay more, come up with funding for video chat calls, exorcism. Why do you want a chance, Justin? If you don't get the chance, I could do it, but do you want to throw maybe an issue in the GitHub page there, and I'll add it to the next meeting and at least address it to the best of my ability after this meeting? That sounds like, yeah.
C: You know, set aside for us, so you know, through mechanisms... if so, just know that when we decided to break for the pack, when and if we decided to break from the pack, that you know there is a phenomenon there that will have to, you know, be advocating, and potentially there's the potential for us to lose that battle, and you know, the broader collective to say, "hey..."
A: Okay, I don't... do we have any scribes at the moment? If anyone's able to step in, great. Thank you. Push comes to shove, I'll wait till the meeting goes up on YouTube and I'll just extract some minutes post facto from that. So we're going forward. Is there anyone from any external working groups or special interest groups, the CNCF SIGs, here today that has any updates?
I: Hey everybody, I'll keep this short. So I belong... I published a paper a long time ago with a separate professional association that deals with simulation standards, interoperability, and in light of this pandemic thing I think there's a lot of lessons learned around how to integrate simulation into security. This is one of the takeaways I think that we're gonna end up with in the past.

I: This usually came up in terms of cloud scalability, but I think there's more to this than scalability, and you know, I could invite somebody from that association to talk about the current state of the art in that, and you know how this might be fit into security practices. But I just thought I'd mention that, in light of this. You know, I used to own the pandemic simulation comm site, because we had a failed proposal to deal with this in the H1N1 era, that would be 2009 or so. So I had some familiarity with the ban. I... DoD and DHS were both... it showed some interest in it in that time frame, but it really hasn't been fully adopted in security practice. So you know, given that we're kind of leaders in the cloud space, it's something we could think about. I think it fits in the bleeding edge category, as opposed to must-do things for incubating projects. Of course, how was it, thank...
C: We have three new projects that are, you know, coming into our flow. So Dex and Keycloak, our identity projects that we, you know, are so depending to evaluate, and JJ's become putting together a bit of an overview for, you know, May as kind of an identity month, and we'll dive into a couple identity projects, and you know how the self-sovereign identity that Sarah is gonna connect on through, so suddenly for the horizon. Justin, Cormac, there was another project that was supposed to be on my radar, "idea Excel" or something like that.
E: No problem, no problem. I know my family name is hard to pronounce, even in Bulgarian. So I had a question. I committed that I wanted to join as an observer on the Harbor assessment, like a couple of days after the sign-off from Dan. So I wanted to ask if I can formally join. I'm already reading the self-assessment, but I just wanted to clarify this.
H: Was trying to start this Zoom issue up on the thing and I had a hard time finding the tapped-on mute. I don't... I don't have any real problem with it. I don't know what officially being an observer does for you that unofficially going in and putting comments in doesn't do, but I don't think it really matters. If you did the conflict form, which I guess you did, then I don't see a real issue, so I can go ahead and add that. I'll do that, I asked.
A: So it's reasonable in general. I myself want to do the same, but time didn't permit for me to take part even just as a fly-on-the-wall observer, but I also wanted to take part in a similar capacity. Just so I can, let's say, we're versed in security reviews from our own backgrounds or with our own companies, but we'd like to sit back, watch the experts figure out what the standard approach is, and then next time around not make any silly mistakes. At least that's how I did approach it myself. Yep, I agree. Thank you.
B: Have a question, maybe to Justin Cappos. This is Vinay here, and is there a formal document that we're trying to put together in terms of the next steps that we need to be getting together? I know there's a meeting suggested for the 13th. Is this the first meeting where we get together and figure out a plan to go forward with?
H: I think in general, as you've been... you and others have been doing, like going and just responding to the questions that the reviewers have is a pretty good way to do things, and in the end there will be two documents. There will be your document that you write, and then there will be a document that we write that kind of is a summary of what we think, and in general we will try to push you to make your document include the kinds of things we wanted to say, but you know, we also have this document.

H: That's a page, page and a half, two pages, something like that, that gives us the ability also, you know, if we can't agree or if we want to state something a little differently, to sort of, in our own words, summarize things. So I've been going through, and obviously you've seen over the last few nights and earlier today I've left a lot of pretty detailed comments in different places, and we can try to chat about those either...
C: And I have one last update here from, just to close the loop there with Martin. So Martin and, and you, Matthew, you know, on being an observer, you know, in terms of, you know, assessment conflict sign-off, it's really... you know, escalating to the co-chairs is really, you know, to help us navigate through any issues where there are conflicts. In the situation where there are no conflicts, you know, it's really at the discretion of the assessment team, and you know, it's always great. You know, one of the topics there...

C: One of the questions that came up yesterday at the meeting is: oh my goodness, it seems like, you know, there's increasing interest in going through SIG Security's assessment process. Like, great, like that's why we built a process, and why we're, you know, continuing to invest in growing that team. So in terms of, you know, observer bandwidth, you know, I'd really look to Andres and, you know, Justin.

C: As, you know, the overall, you know, lead in that area, to advise on how much capacity an individual session has to be able to have observers, have additional helpers. It's like, you know, managing interns, right? You know, it can be, you know, free help, but it's also a lot of extra effort to, you know, carry folks, you know, through the process. So, you know, we're all dealing with...

C: You know, kind of crazy times and quarantine right now, and you know, fitting in all of these things and trying to, you know, keep everything moving forward. So as long as you come in with the mindset "I'm here to help", you know, the Kubernetes mindset of, you know, "chop wood, carry water", you know, that is always going to be well-received, and you know, look to Andres and Justin for guidance on that.
D: From a Harbor standpoint, I came back since I saw you guys talking about Harbor. I have two Zoom meetings side by side. Rather, what is interesting? You know, from our side, you know, we welcome more observers, like more eyeballs into these are gonna raise questions that are improving our docs or improving our process. The one thing I will ask is that, you know, we're almost at the tail end right now.

D: We have our live discussion on Monday, so you know we went through two weeks or so of questions, so I don't want to kind of start all over from the beginning. Obviously, for the right reasons we'll do everything, like good questions that come up, go with it, but you know, bear in mind that in about three business days we're having a live discussion, we'll start wrapping up. So we are towards the end of that timeline.
D: Yeah, absolutely, and I, when I call that, so you know Andres and Justin and others have added comments that, they took me a while to actually go and... I mean, I'm writing, I wrote like three, four pages of new content for questions that came up so far, so you know, yeah, and I try every night to replenish them.
D: I understand, thank you, I mean, I... So far everything has been reasonable, and you know, obviously, to an outsider that doesn't know Harbor, the questions don't seem, other work like media and no Harbor, this is, this is expected, that's the natural thing, but obviously this document is meant to be standalone or stand on its own. So so far everything has been reasonable, so I've been adding them as you go along. There are, you know, for the most part, I think Andres asked for night.

D: There were, let's say, ten links that pointed to other documents he has for somebody in this doc. I think eight out of those ten I did it; for the other two, because it's a living document and things like roadmaps and other things change so frequently, I opted to keep the external links, because it's the right thing to do, like someone that sees this two months from now will get completely outdated information in some of those areas. But thank... thanks.
A: Before I go to the open floor, since there's no presentations or additional topics there, I'll just quickly note that if there's anyone that's new here today, I'm still learning all the names myself, feel free to just ping via the chat function there if you'd like to be introduced or introduce yourself. With that being said, we can just jump straight into the open floor, so anyone wants to bring any topics, now's your chance.
B: Do the security assessments, of course, that we're doing and those kinds of things... what are the other activities that we could take on and propose, just broadly speaking? I mean, if then you or someone could talk about that, it's just a good sense of what are the broader projects or activities that we could take up and address. That would be helpful to identify and index as we think through what we can do. Does that make sense?

B: Not, not necessarily plugged in, or yeah, identifying where we can plug in, where we can contribute, as well as what's the broader, broader charter for SIG, SIG Security. Where do we get plugged in? How do we contribute? How do we collaborate with the broader ecosystem, or how do we float new security projects? Does it come out through here like incubating projects? You know, those kinds of things. Got it.
C: So let me, let me sort of start with some of the no's. So in terms of, you know, building actual, you know, CNCF projects: we have many, you know, active participants, you know, from projects, but you know, this SIG is, you know, a consortium of subject matter experts that supports the actions and activities of the TOC. So we are not in the business of maintaining software or, you know, kicking off an effort. You may go through, you know, these meetings or through, you know, the activities of SIG Security...

C: You may meet somebody that, you know, then peel off from there, but you know, there's no expectation, I would say, that this is going to be a source for "oh, okay, we need to go build this thing, you know, start writing code". It's much more a forum of subject matter experts. So you know, right now our most active and repeatable workflow... actually there are two of them. There's the security assessments, and there's, you know, "run the business". So Matthew's been, you know, very graciously acting as facilitator, so you know he's gone through...

C: You know, the past month as a facilitator. We will, in the near future, you know, it'd be nice to have a rotation of the forces. So if you'd like to, you know, take up some of, you know, that work, there's, there's that, you know, kind of an immediate activity. Then, in terms of engaging, you know, various other, you know, working groups, there's need, you know. We have, you know, kind of an open discussion with, you know, NIST as an organization where, you know, there's some crossover interest, but there's no active liaison.
F: Basically looking... it's a security-focused project, so I think it would be of interest to the security SIG, and they've... I guess what I'm looking for is, because we're expecting to put a presentation together for the SIG at some point, and looking for examples of good practice. So I looked on the call today on the off chance that there might be a presentation. Of course, I hadn't checked the agenda, so I guess there are no presentations today. I gather you record your calls and put them on YouTube, is that, is that correct?
F: Well, to be honest, I was kind of done. I don't want to... I don't talk at length about the project at the moment. We haven't put our TOC proposal together yet, but we are, we're marshalling our forces to do that and getting all of the information and all the collateral together to make a presentation, and, and, and to follow the documented process for getting it to the TOC's attention. So we'll be fought... we'll be following the documented process in, in due course. For now, I'm really just trying to get a feel for, you know, examples of good practice or any, any bits of advice in terms of making good representation for the project, and yeah. That's, that, that's! It's really good.
H: There's two completed assessments, one for in-toto and one for Open Policy Agent. If you take a look at those assessments, they also give you an idea of what the completed process looks like, so that, that may be a reasonable place, and you'll also find template documents and things like that when you're ready to start that part of the process.
F: Fantastic. Okay, yeah! That's, that's great! That's, that's! That gives me some things to go off and look at, that's brilliant! Thank you! No, I didn't want to take up any more of your time in this meeting, that I didn't want to... I didn't want to lurk on your call and not introduce myself, misuk. So yes, thank you.
H: Find the... there's a directory somewhere that has this. I think they're linked off here too, but the closed issues should have the assessments for them, but there's also somewhere under their assessments projects... There we go, there you go. And, and then there's expired documents there too, so I'd recommend taking a look at, at those. Okay.