From YouTube: CNCF SIG-Security Meeting - 2019-08-21
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
A: And yourself, Gareth? Excellent. So we'll start down the attendance and just ask people to check in and say who you are. I'll go first, to give an example, and then I'll go down the list. You know, as written in the attendance, my name is Sarah Allen. I am one of the co-chairs of SIG Security, and this week, since the last meeting, outside of my role as co-chair, I kind of helped one of our members escalate a security issue to Facebook through the time-tested channel of sending email to random people I know. I would welcome feedback on that, you know, kind of offline. Outside of this group, we specifically said we are not serving that role of being on deck for actual security vulnerabilities. The focus of this group is to look at how to prevent future security vulnerabilities, because we're all volunteers and we're not really in a position to be, like, on deck for a problem and ready to respond quickly.

A: So that was pretty exciting, and I think that helped. And then I'm thinking a little bit about audio/video security, and how do we know that audio/video streams aren't tampered with, and stuff like that, because in my day job I'm looking at audio/video streaming. So that's my non-SIG update, but interesting little notes about security. And on the SIG, I started a little set of repo highlights, so I helped Brandon land the conflict of interest guidelines by nudging my co-chairs and various people to review and give feedback. So, Brandon, thank you so much, if you're on the call, for making that happen, even if he's not on the call. Yeah, Brandon. So that was a little long update from me. Everybody feel free to give an update that involves the SIG or not, other security-related things in your life, because that's always interesting to members of the group. Next, Justin Cappos.
B: Yes, in the past week, Santiago presented a paper on in-toto which, of course, we all heard about and reviewed and things like that. That's gonna... at USENIX Security it was very well received. We also have been talking a lot with folks at... I don't want to break an NDA, in case; I'll just say one of the big five tech companies, multiple product teams that look like they're starting to integrate it, so more to come on that soon.

B: Now, on the TUF side, TUF is going in for graduation quite soon, so I've reached out to a few people to ask them, if their company is using TUF, to please go ahead and just post something on the issue, and I would appreciate it if anyone here knows folks at, like, Oracle, Cloudflare, DigitalOcean, VMware. I think those are some of the big companies that I know we're missing. I've put a note on the pull request here.
C: Hey guys, quick update on Security Day. Mike and I had our call-in yesterday, and we're kind of waiting on a couple of things to happen regarding the security event. We need some more information about where we stand with sponsors getting access to the CFP, so we can see if anybody's going in. We're also looking to get a response about CNCF potentially doing a Twitter post about this CFP that went out for it.

C: There's a couple of action items that are dropped in the SIG Security events channel, and we're just waiting on a response. I did submit the PR that was merged in for the Security Day site contents, but it doesn't look like the website is done yet, so we're kind of in a holding pattern until we get some more information about where we're at and what's going on, before we can continue to move forward. So that's about it.
E: Hi there, Christian Alexina here. I work for our exam; we're a cloud native training and consulting company, and one of the things I'm mainly here for is to get a good sense of what's going on on the Kubernetes security front, and hopefully see if we can get some of those updates into our course material, or see what we can do to push along the training side of security.
G: So, as Emily already updated you, primarily on the Security Day, in regards to sponsorships, it sounds like we have two diamond sponsorships sold and at least one gold sponsorship sold, so we're beating the requirements of CNCF. I'm used to promote obligation which records. That's good. I need you to probably talk to Sarah and JJ at some point, because it sounds like there might have been a third diamond.

G: I mean, there's another five-minute spot taken up on the agenda; when I cover them on this call, we can take it offline. I just wanted to bring it to your attention. And then the other thing is, I'm deep in the realms of trying to figure out how we build the Falco container images, so that we make them as small as possible and reduce kind of the attack surface in our container, the finished product. For me right now, super.
J: Also, using security, a technique to securely and efficiently protect sensitive data within the same memory address space, and Justin Cappos at some point during the conference suggested that I also get in touch with you guys to see if there is some interest in using it. We're basically looking for people to apply it to their workloads, but yeah, for now I just want to see what you guys are up to and listen.
O: I think this week, a couple of things; one of them I don't think I'd mentioned before, so I'll mention it now. I presume most folks are now familiar with Open Policy Agent, mainly in the context of Kubernetes. It's a CNCF project. It's actually super general, but most of the users and use cases I've seen have been around Kubernetes admission controllers or policy there.

O: For a little while, a few of the folks have been hacking on a tool to make that more approachable, and yes, a CLI tool, or something that you can use for, like, unit testing or in CI, versus something you use in production, called conftest. We've shipped a new version of that this week, and that actually allows you to use the Rego, the Open Policy Agent stuff, to test Terraform code, or any arbitrary YAML, or any other JSON or INI files. Terraform code.
P: Again, for me, I'm not sure if I mentioned before, but currently I'm working on Clair. Open... okay, I'm working at VMware, in their open source team and in their security sub-team, and currently I'm working on Clair. This is an open source project which aims to make static analysis for vulnerabilities in Docker images and also containers. So yep, I'm working on supporting more base images for Clair. You can look at the project if you're interested, yeah.
Q: John Merrick from Ford Motor Company, and yeah, I lurk around in GitHub providing feedback and relevant items. In addition, I can't wait for the Keycloak audit, because it's really needed, with all the different already-identified vulnerabilities that have not been publicly exposed, in addition to all the other interesting work that we're discussing here as well. So hi, everyone. Thanks, John Debra.
M: So I guess a quick update on the Keycloak stuff. I think some of you may have seen he also pinged us back, and he mentioned that they seem to be short of staff a bit more than they thought it would be. So he said he's going to get back to us, but I'm guessing, if it looks like they have to delay this, I'm not sure we're done. Maybe we don't want to bring Falco up to the next one; I guess we can have a discussion about this one.

M: ...until he gets back to us. The other thing that I've been working on and looking at: we're collaborating with NIST to create a reference architecture for kind of a Kubernetes architecture over hardware root of trust. So we're playing around a lot with the TPM 2.0 stuff, the asset taxes stuff, things like that. We're trying to basically provide a reference way to bind hardware root of trust to the container level.
A: We should actually have on our template... switching this to the new member link when we have it, but if you've been attending the calls and you're not on our member list, you can PR yourself in as a member in our repo, linked from the notes. And I wanted to... I don't think Robert's here today; I didn't hear him check in, so we'll skip the next item.
G: ...the call for who's in this space, like practical guidance and user stories, tend to go over really, really well, and then I would also like to see some things more on the cutting edge, and then I think the supply chain stuff would be really interesting to incorporate as well. So practical items, cutting edge, supply chain, all kinds of topics that come to mind to talk about.
A: Right, I think Michael's not on the call. Michael, whose last name is not springing to mind... yes, Hausenblas, who's working on the microsite, and I'm very passionate about also getting that old content highlighted in some way that would, you know, highlight to the rest of the community the good work that's happened here, which is sometimes hard to find amidst all of our less riveting updates that happen day to day, week to week. So I had this... I missed last week's presentation, and I thought...

A: Maybe a neat way to do the work of describing the presentations would be to have a movie night where we could, you know, even if it was just a few of us, it'd be fun to, like, have company listening to, or re-listening to, things from the archives, and then, you know, writing up a little summary or having a little discussion about it.
M: Sarah, could we have, like, a pinned message or something with the other side channels, kind of in the main SIG channel? Oh.
C: So really I was just going through... I had somebody send me that article that I had posted, about supply chain attacks being on the rise, and I don't know if anybody had a chance to skim through the content of it, but they're going in and they're targeting the vendors themselves, the trusted sources from which we're getting all of our content. I mean, we think about this particular ticket not getting updated in a while.

C: So this started off as a proposal from Santiago about creating a catalog for software supply chain compromises, best practices, and related tools for securing them. This is a growing problem space with almost no solutions available. There are a couple of posts in a comment about some work that MITRE has been doing with their CAPEC, and there are attack areas, but nothing specifically about: here are the known supply chain attacks that exist, these are the types that exist.

C: This is the way that we've been experiencing them, or that the community is experiencing them, and here are recommendations for protection against it. And it's especially important as we start to review more and more open source projects that come into CNCF or start graduating from CNCF: what are they doing to secure their supply chain?

C: Because we want everybody to be cloud native and cloud agnostic and be flexible in their cloud environments, and if we're pushing and promoting CNCF tools, products, services, we want to ensure that they have some level of security, preferably very robust, about where they're getting all of these projects from and the libraries that they're using for it. So I wanted to kind of bring the group's attention to this particular project.
A: ...interest in, a bunch of people have read up on, and we could have homemade about it, but in the meantime, I don't know if you can see the screen, I'm sharing the issue, and so OMG Clouds linked to the MITRE definition, and is there anything, like... does anybody want to chime in on the recent postings to the... yeah, sure.
Q: OMG Clouds, i.e. jongmin, urgh. Yeah, it's interesting, 'cause there's nothing new about quote-unquote supply chain attacks. You can see my talk at DEF CON on the subject, or also look at Kim and, what's his name, I forgot, when they were over at BlackBerry and later on, anyway, over to Microsoft, on this very same challenge as well.

Q: There's really nothing new. I mean, the only thing that's relatively new, so to speak, is people are using those third-party breach databases to spray-and-pray across npm and everything, and you see it now. As of late, ignoring the journalistic pageviews, it's solely because the author and controller, so to speak, of the account behind the rest-client API library forgot he even had the account, did that gave Plus, and of course, you know, spray-and-pray, they got access, and from there it's a reality.

Q: There's nothing really new about any of this. I mean, sure, we talk about deterministic builds of all the CNCF projects and, as one would imagine, this would come up during the quote-unquote security assessment of each and every one of these different things. Now the hard part is: where do you draw that line, turtling all the way down to, say, glibc, for instance, because you're gonna find yourself turtling all the way down to even the hypervisor or, more specifically, BIOS or equivalent microcode. So there's a whole bunch of stuff to be assessed.
A: Why this feels very relevant to cloud native to me, and this came up in the in-toto assessment, is that this is kind of this area where, while it pertains to stuff outside of cloud native, it is particularly critical in cloud native, because we, you know, need to have more automated systems as we take advantage of cloud and virtualization, and things being brought up unattended by humans, whereas in the old world there were these...
Q: It's definitely interesting: I have over 20,000 typo'd third-party libraries, where we just went for typos of the main library, and I get roughly three to four million downloads a month, of which, you have to imagine, most of them are, as what you allude to, you don't see: CI/CD pipelines grabbing, pulling, building, you know, tearing down the environment. So it's interesting. Yeah, you're absolutely right, especially that there's no human review, much less.

Q: You know, the freedom versus responsibility discussions they have over at Gnostics company, so it gets interesting when you also end up getting unsolicited defects being asked of you, saying, hey, can you help me debug this? And you're like, sure, you know, if you rev up to this version I can live-debug with you, but obviously you can't do that, or you'll get, let's call it, legal contributor requirements or documents from IBM or an ANSI overlords group saying, hey, can you sign off on this legal declaration? So yeah, it's gonna be a fun project.
O: I don't know if people saw the rest-client Ruby incident, like, literally just yesterday; they broke it again. People turned up: there was a version of rest-client, a really popular Ruby gem, published to RubyGems; there's no tag on GitHub; people opened an issue saying, hey, what's up here? Turned out that the person who owned that gem, their account had been compromised. Someone uploaded a malicious library. I think what's happening in a bunch of cases as well is, fashions in technologies are quite fashion-ish.

O: So people join a language community, build things that are useful, then move on, and those libraries are increasingly, not that they're popular, they're stable, but they're subject to attack, and that maintainer doesn't notice because they're not working on it every day. In fact, they've not worked on it for months or years. And yeah, we track a bunch of them at work and report them, but yeah, certainly popular, previously fashionable ecosystems are where they're mainly cropping up at the moment.
A: ...We got that, you know, and other projects are like, well, we should do that, and, you know, I think that's also an area where this group can contribute. I think we have an open issue on, like, best practices, like, let's have some... yeah, there's so many things, right, that are... there's not enough conventional wisdom about what should we do when we can't do everything at once, right?
L: I think another thing that is interesting is to raise awareness of this outside of the security community, right? I think we all know that these attacks happen and have happened in the past, but some other people that are only now adopting cloud native stuff want to make sure, you know, what can be done about that. I think it's important that forums like ours educate people on that.
A: Yeah, and I think one of the things that came out when we were talking about the in-toto assessment, like, part of the reason this came out of the assessment, is that, you know, in defining the edge of in-toto, right, like, in-toto, we know we want to support a project in doing the one thing that it does, and it doesn't have to take responsibility for everything it touches, right?

A: Just because it's frequently, you know, installed with something else, it doesn't mean it has to do that. And so kind of what came up in conversation is that we have this knowledge, right, in this community, about, oh, one should do this, but it's hard, right? But do people know what they should be doing, or why, or if it's hard, can we give feedback? Do the vendors who are responsible for the things that people are finding difficult even know, like, have they gotten that feedback?
H: Yeah, I think it'd be interesting as well, and I think, John, you obviously have a lot of experience in this area. If there was some, or you did have some, links around best practice information and advice that's already out there, you can perhaps put them to the PRs on this to educate the rest of us, so we can start putting together that guidance. You know, there's a lot of information about the actual attacks and details and how that was put together.
A: That's all of our agenda items. I wanted to kind of open the floor, if there was something that we touched on quickly that people wanted to follow up on and discuss more, or we can end early if there isn't. It seemed like we had a really busy agenda, and then things went quickly because, you know, you don't necessarily have all the folks here to talk about specific things, but I want to open the floor for anybody who wants to follow up on the things we discussed, or other topics.
A: Yeah, and I think registration is open. So, yes, it is, and if the dollar fee is a hardship for anyone, there will be... we have an opportunity to have scholarships for that. So if the main thing is the dollar fee, it does help defray the costs, but it's also to help avoid no-shows, so we want to have some fee. And so the CFP is up, and I think the registration is.

A: There's also generally diversity sponsorships for KubeCon. So, if you think about people who are security experts, you know, who might not plan to go to KubeCon, partly, you know, if budget may be an issue, and you think that their voices should be represented, then I think you should just brainstorm about that yourselves. Thinking about, you know, are there minority voices, whether it's minority demographics or because they work for a smaller company, but their expertise would be really valuable. You can think about that.

A: We were trying to have not too many happening at once, and so the Cloud Native Security Day is linked here, and I'll just open the issue so everybody can see it who's seeing the screen. And this has a nice overview of kind of what's going on and a proposed format and all the links. So if anybody has questions and wants to follow along, this is a great issue.
R: One question is around what we are doing as a community, especially in the Kubernetes security, or in general the Kubernetes cluster security area. I know Kubernetes has, in fact, different ways of securing pods, it's very positive, network security policy and so on, but are we looking into projects, or new projects, that are trying to find sway today? The actual views are obvious: brainstorming what we are doing additionally to what we have.
A: Well, I think, just to give an overview, because I think there are a lot of new people, and even people who've been here a lot may kind of lose track of the big picture. I think it's a great question, so I'm just bringing up the project tracking board as a way to kind of visualize some of the current activities. So we are a volunteer group.

A: So there's a lot of things that we could possibly do to make the world a safer place for cloud native technologies, and we are a mix of things that the TOC has encouraged us to do and things that are led by the wisdom, insight, you know, and enthusiasm of individuals in the group who want to spearhead topics and take care of things.

A: One activity that's being facilitated by Justin Cappos is the security assessments, which is looking at specific projects. So that is, like, it'll take a long time before that, you know, sort of touches everything, but that is bubbling up things that the group is taking care of, like the supply chain stuff we talked about. And that, this group isn't given any specific... but those projects tend to work with Kubernetes. So that is one thing in the Kubernetes world that we touch on, and then the other thing is our policy subgroup is really...
A: So people should feel free to join that, and we should make... I think there's an issue open actually to make sure that's documented on the repo. And then the other thing that we're doing, which is not Kubernetes-specific but also covers Kubernetes, is we're trying to do a better job of echoing out what we discover, right, which is really this microsite. So the idea is our repo is really for us, right? It's for the security experts who are... it's...

A: ...you know, sort of echoed out, and then a sort of companion piece is the policy white paper, where there is analogous confusion about, like, what is policy anyhow, and that's a more developer-centric piece that, you know, there's a draft, but I think other things have just been queued up above that, along with the landscape, which we decided to pause, which is another way of looking at it, kind of visually or by categories.

A: Looking at what different things people are working on and how they relate to each other, and which things are, like, either/or, which things are you should have one of each, I think are the kinds of things that people are trying to reason about. I don't know that that helps answer your question. I'd also invite other people to chime in on what this SIG is doing. Maybe you could re-articulate your question.
R: No, I mean, I think that's a good overview of the mission. It's just that, I mean, as far as the CNCF is concerned, I'm a big user of Falco. So Michael and I talk a lot on how Falco can help us all, help the community. When you go to the CNCF site, there is not a big push for security. If you browse the websites, right, maybe you see that a lot of people are representing different aspects of cloud, and security is not properly presented.
A: I think that the first of those things is really... well, it's sort of like, I think we haven't quite curated enough stuff to feel like we can put forth: this is what security is, this is how you should, you know, reason about it. And there's, you know... this definitely, I mean, it's just a work in progress still.
R: Cool, thanks. And you and I should talk, Sarah, some time offline, as I'm at Frame.io, and Frame is a video review and collaboration platform. So we do a lot on video security, watermarking and everything. So, given your background in audio and video security, we should chat sometime. That's...
A: I will turn this over to Justin Cappos, and I'm going to bring up the assessments reviewer to talk about the shadowing, which I think is a great opportunity. I've certainly, like, I've done a lot of... I play the role of security reviewer, where most of my expertise is receiving security reviews, because I've led a lot of development teams and, you know, have 30 years of experience being security-reviewed rather than serving in the security department. And so, Justin...

A: But it could be somebody who is, you know, just part of the team with an interest in or knowledge of the security of the project, or wants to learn about it, who writes this assessment. And so there's an initial self-assessment of the project, and then we have, we kind of inserted an initial review, which is not actually detailed here, where there's, like, a dumb-question phase, because we realized that often the project doesn't know what they should say and what is known about them versus not known, and so usually...

A: The lead reviewer will, like, spend a little time pre-vetting it and make sure that it all has the content that everybody else needs, and then there's a period of time where we all read it separately, so that we all have a chance to have, like, kind of beginner's mind and think about things that maybe the other person did not, and not have all of our questions informed by other people's questions.
A: And so there's always this kind of moment, where we're trying to get this whole thing to be able to happen in two weeks. We haven't yet done that, but we're iterating to try to get it to be a little tighter, so that there's, like, a clear, you know, I think a week or four, five days or something, when you get a chance to read it without seeing everybody else's questions. So in shadowing it, I think it'd be great to, like, challenge yourself: well, what could I come up with here?

A: We had a great presentation from someone from the security team at Google, that Christian looped in, that checklists can actually be a problem, right? We do want to have... we all have our mental checklists, but there's also value in not having a checklist, so that people are really encouraged to think about the security, because the security of each project is different and the biggest risks are the ones we don't consider. And so that's why we've taken this approach, where we have an outline which is kind of a checklist, but it's more...

A: These are the different things you should be thinking about, right? And then the security and everything around this is about how you think about these things, how you, like, have the background material, right? What you need to know in order to do a security analysis. And the core of the write-up is really this part, right? And instead of having a checklist like, these are the security things you should implement...

A: Instead, we have a checklist of: you think about attacker motivations, you think about what are the preconditions to this software running, and so forth and so on. So this is the process we're iterating through, and this was sort of a long-winded way to... and so the question, which is to get involved: you chime in on this security issue, and then you can join a channel, yeah.
M: So the assessment matrix is kind of a table of what are the upcoming reviews that we have, and then we have people sign up if they want to be reviewers. We also have, I think someone also, like, had this: you can, like, bracket, you want an observer. I think we had a column for that, then somebody pasted it and I...

M: So yeah, I think if you're interested in just looking at one of these for the project that you're familiar with, or, like, one you're interested in, you just create a PR, we'll just merge it in, like Sarah says. I think, looking at all the past reviews, I think if we can put some things to the old channels, I think we should be okay to be public, right? I don't think there's anything that... yeah.

M: Also, I think that the presentations that happen at the end of the reviews, those were really helpful as well, just to see the types of questions. If you have any questions on that, I personally will be open to answer questions about that. If you have questions on that, thank...