From YouTube: CNCF SIG Security 2020-10-21
Description
CNCF SIG Security 2020-10-21
B: Yeah, you're right, I just hopped on right now. Was there anyone that specifically wanted to facilitate today? If not, I can step in. I just didn't see anyone there in the notes, so I just want to make sure there was someone to take the helm.

B: Green screen effect, it's creating like a halation effect around your hair, sort of thing. It's like the hair is moving in waves in the wind. Okay, I'll quickly pull up the planned meeting notes and just formulaically go through the usual ho-hum.
D: Yeah, so I think I didn't address him, but I think we were planning, if we have time after the review, which I'm guessing we probably will, I think Aradhna is on, and then she can talk about some of the stuff for CSA that she didn't manage to cover the last time.

B: Okay, looks like we've got critical mass. Good day, everyone, from today's CNCF security meeting. My name is Matthew, I'm an occasional facilitator here. I've been offline, I think, for about a month and a half, as we had other more interesting people that handled the facilitation and presentations.
B: So before we proceed, I just need to see if we can get one or two scribes. Oh yes, link to the meeting notes, be sure to mark yourself in attendance. Thank you, Emily. That's in the chat there. Is there anyone that would like to volunteer as a scribe slash minute taker today?

B: Perfect. I generally try and avoid typing while I'm talking, just because it can be distracting, and I've won the loudest keyboard award at work with my mechanical keyboard there. So I feel I'm doing everyone's ears a favor and whatnot by not typing. So, all right, our members here, all right. So then I'm just going to go to the attendance here and just see what updates we have here. So Emily's appears to be interesting. Would you care to take the lead, Emily?
F: Over 600 folks signed up for Security Day, which is really awesome. So if you have not signed up yet, please be sure that you do so. And as far as the cloud native security white paper goes, we've opened it up for community review. We've had over 100 comments so far. JJ, Aradhna and myself have, sorry, Amy, JJ, myself and Aradhna have gone through and done a lot to adjudicate all of the comments that we've been receiving. So if you haven't had a chance to look over the doc, please do so.
B: Awesome, thanks, Emily. Would you be able to throw a sign-up link in the chat as well, please? Was that the one that Brandon posted? Oh, thank you.

B: Okay, now, let's see, have any check-ins from any other SIGs or technical groups? It does not appear to be the case, so I'll just go through this as they see. So updates: no dates here. This, Brandon, good day, do you care to grab the mic?
D: Yeah, sure, thanks. So, quick update on the security assessment working group. So we got together for the past two weeks. We got a lot of good feedback on, you know, what some of the problems and ideas are. We've consolidated it and put it into different categories in the Miro board, which I'm gonna paste in chat.

D: The next step for this is I'm synthesizing all this information and I'm gonna create issues around each of them, the big topics, and then we're hoping that, you know, if you see that this is something that you're interested in working on, you know, anyone should feel free to take the lead on any of these issues.
B: Thanks, Brandon. Okay, going to list, let's see if we have, I don't believe I see any updates from individuals, and I don't see any SIG or vendor check-ins here.

G: Hi, I put in, I started annotating people that I knew were SIG co-chairs and tech leads, and a couple of people with projects, and pleasing your attendance.

G: If you are a maintainer of a project or work on a project that is in CNCF or another open source project, or if you are responsible for, you're working on something with the SIG, please annotate your attendance with what you are working on, so that, you know. It kind of helps people get to know each other a little bit, because our meetings have gotten fairly big, which is great, but then sometimes it's hard to know who's at the meeting.
B: Awesome, thank you, sir. I realize I keep providing a thumbs up and my camera's not on, but I'll fix that next time. Okay, with that said, I don't see any additional check-ins, but I do see one proposed topic, at least from the very top of the document, the question mark in-toto. If I got that right, in-toto incubation review. Is there anyone that would like to grab the mic on that?
H: Yeah, I don't know if you want to check the mic on that, Brandon, or just have me go at it.

D: Yeah, so I think that the discussion for last week was that we will discuss, you know, what are the kind of changes since we've had the security assessment. What are some of the changes? What are you looking for, and what the CNCF kind of asks on the recommendations, and then, you know, we can discuss some of this and kind of get consensus of what we should.
H: Right, so to give some context, in-toto's security review was the first review, like, for those that weren't familiar, in-toto was the first security review self-assessment that was done on a CNCF project. This was when in-toto was originally applying for incubation.

H: Back then, the recommendation from security was to essentially allow it to get into incubation and probably have the CNCF allocate some funds to help us with some HCI researcher or HCI person, knowledgeable person, to help us improve the mental models for users to better use in-toto. Now, during the application, in-toto pretty much felt like on the line between incubation and sandbox.

H: So back then it felt safer to just get into sandbox and then, when some time passed in terms of, like, other options and project maturity, collaboration and such, then to apply for incubation. And well, that all happened. But what feels to me, at least in my interpretation, is that the original review was mostly focused on: how do we secure a process? Has there been a thorough, like, security analysis of the architecture of the software?
H: How do we manage vulnerabilities? How do we onboard new people, how we manage trust within their organization and such, which all those things haven't changed fundamentally. In fact, I think the recommendation still is current.

H: We haven't had the resources, particularly because since we got in as a sandbox project, I think the CNCF doesn't support sandbox projects with money that much, or as strongly as it would do for an incubation project, and perhaps to fund a staff to do HCI research. Now also, since we were mostly on the bar for incubation because of adoption and contributor count, I think those are the changes that we have seen on in-toto in the last year. I don't know if this is the...

H: This is the context that's needed, like, for security to kind of review the situation. Now fast forward, a year passes. I speak with Michelle Morale, who's sponsoring us for the incubation review, and part of the process is to actually, I mean, a lot of things have changed since, but now we do need security to give a, like a...
H: We saw this project and it looks like a good project, or like it has been security, that has a security audit, well, not audit, security self-review, self-assessment. So that is part of what we need in the due diligence document, which I shared on the Slack channel. The due diligence document, I think all the way at the bottom, has essentially a slot for somebody on the, I guess, the assessment working group to take a look and put the recommendation.

H: My understanding is that, or again this is my bias, the position is that it could be as simple as just taking the old recommendation and considering that essentially nothing has changed in that regard, to move it forward to the new due diligence document. Now, I am not comfortable doing that, because there is clearly a conflict of interest there. I'm here with security, but I am also the person who's pushing for incubation.

H: So I was hoping that somebody in the group, with enough lack of conflict of interest, would be comfortable just taking a look at the old recommendation. I think I shared the slides last week, and just either reword it in a way that they're more comfortable with, or just a bit, or just move it over. Actually, okay, yeah, and I think there's a couple people that I didn't give access to, and that's my bad. I should have just left it open.
I: So, Santiago, this is Vinay here. So, you know, from that perspective, I've been part of one of the assessments in the past. I'm curious as to what exactly the ask is and how and what kind of assistance is needed to remove that bias.

D: So let me chime in here a little bit, I guess. So I think the context is that in the CNCF process there is a requirement for the SIG to give a recommendation, and this usually comes in the form of, oh, here's...

D: The team has worked on making progress towards fixing some of these findings, or, you know, the recommendation still stands, and usually there is some kind of, like, informal sign-off by a co-chair, yeah. So my interpretation of this is that the sign-off by the co-chair is kind of what creates the unbiased, like self-defined unbiased, view. Got it. Thank you, yeah.
G: Yeah, and I don't think it's just the sign, just to chime in, it's not just the sign-off by the co-chair. It's that Santiago is an active member of SIG Security and could normally write up a due diligence document that a co-chair would just review and, you know, if there are lines, sign off on.

G: However, since he's the project lead, project maintainer, it's not really appropriate for him to write that document and, like you said, we've done most of the work anyhow. But so I think that the conflict of interest is really just Santiago's dual role as a member of security, and, you know, active participator, right, and PAC participant, and his role in the project, and so that's where, Vinay, you could step in and, you know, do, well...

G: You know, a short write-up that addresses the incubation criteria, and, you know, and then, you know, one of the co-chairs could say yep, because I think we're all fairly familiar with in-toto. At least JJ and I were very active in, you know, this very first security assessment, and so, you know, either one of us is familiar with the project enough to probably give that a quick review.
G: While I've got the mic, I did have one quick follow-up question, which I don't know whether you've addressed, Santiago, in your documentation, but I wanted to sort of highlight for the group. I put in the chat a link to the summary slide.

G: It's actually got all of the projects, or three of the projects that have summary slides, but I moved in-toto to the top. And one of the things that made it be sort of on the fence between sandbox and incubation for us was that there was just one public case study, where we just didn't have the, you know, we weren't familiar enough with the CNCF process to understand how important that usage was.

G: You know, in this process, and there was actually usage, but, you know, for security focused projects it's a pretty high bar to get somebody to say in public that they're using them. And so in this case, you know, I don't know if there are more public case studies, but certainly it would be appropriate to share in private what's happening, and if there are more companies that we could...

G: As, you know, a member of SIG Security could do a deep dive and learn more about who's using the projects and potentially, you know, even speak to one of them, if that was a concern, and do that under confidentiality and then report: yes, we, you know, there are multiple case studies. So that's another way where a member of security could step up and participate in this due diligence that I think particularly security focused projects have a need for.
H: That's a great point, and I'm glad you brought it up, because I didn't even think about it, but I know that Michelle Morale was, and I think this is kind of understood by the TOC, that now some of the case studies can be interviews with companies.

H: So I wonder if we can do both and have, like, a security assessment person and a member of the TOC be part of the interview with the company, and that's essentially what I'm arranging now. I think that's a good idea. Should I just bring it up with Michelle? Maybe.

H: Sounds good, yeah, I'll do that. Another unrelated point that I don't know if there has been a lot of conversation around, but it feels to me that security projects also have a higher, like, it is more difficult for security focused projects to have as much adoption as, say, core or network projects, and I wonder what the take of SIG Security is on that when it comes to the recommendation.

H: It feels to me that it is hard to contrast, like, all the stars that Kubernetes has on a GitHub repository with, say, TUF, and both of them are graduated projects, but there's only so many people at security, yeah.
B: Pardon, go ahead, sir. We have a bit of lag on my mic here.

G: So yeah, actually, maturity, like that bullet point in the slide, has been the hardest thing for the different projects, to say, like, what do you even mean by this, right? And the reason that I felt that it was important to speak to, and we got aligned on that being, like, a thing that was part of the assessment, is that when you're assessing the risk of a project, how many other people have adopted it is part of that, right? And it's really not, do you adopt the project or not, it's...

G: How much are you now a participant in developing the project versus you can just rely on, everybody else has already checked the box. So it's, and, you know, it's not, it's more that there's validation from multiple companies, and different types of projects will have different types of, you know, it's qualitative, it's not quantitative. So, you know, and it doesn't have to be a written case study, right? And, you know, personally, I don't care about GitHub stars, because that's like a popularity contest, it doesn't mean somebody's actually using it.

G: Oh, this was adopted. This is a company. This is something that was made. It's been adopted by one company and it's really not going to go anywhere, right? I don't think in-toto's in this camp. I think, you know, we've seen a lot of traction. The challenge is, how do you articulate that traction in a genuine way that's appropriate to the project in the sector? And so that's just a creative challenge.
H: I agree. It's just, I think, not only for the in-toto context, but I think in a sense it...

H: It worries me that there's a handicap for security projects in that sense, and that it's harder for them to get supported just because they have this limitation that they're somewhat niche to some extent. I don't know if this is, like, resonating well.

H: Right, which, that's part of the consequence of this, like self-fulfilling, like a feedback loop, right? It is harder for them to get adopted, but then it is harder for them to get visibility, because they're competing with projects that naturally are a little bit more easy to adopt, to say it somehow.

J: For SPIFFE and SPIRE, we had similar questions, and Brian Grant at the time, who was in the TOC, said: well, just flip it around. If any of these companies, and let's talk about in-toto, you were to remove their supply chain logs, would they be able to run their infrastructure? And if the answer is no, this means this is being used in a meaningful way that is critical for that business operation or for that infrastructure operation.
H: Right, what I mean is, like, I think there's a fundamental difference between, you say you're building Kubernetes, right, and then on top of that you're securing Kubernetes. Now one of them predates the other just by, like, a natural consequence of one of them is a thing, the other one is securing the thing. Now say that after that there is something that is Kubernetes plus plus, that is likely to get more visibility.

H: Just because the target audience is everybody, whereas a security product by itself is limited to people that want to provide security properties to a product, and I don't think it is a competition. I think it's just a natural consequence of, like, security being a subset of the whole world of computing.

H: It would be similar to saying, well, say that there was, like, Linux Foundation projects, like, that's a big umbrella, and you put the Linux kernel to compete with Kubernetes early.
G: This is understood like that, if it's a new project that you can just add on to your cloud native deployment, there's probably a higher bar for the quantity of customers or the profile of customer, to know that, like, oh, this isn't just you got three of your friends to add it on, right? Whereas if it's a security focused project, you know, three companies may be a huge number, right, because there's a high bar for the company to adopt it. And it's, you know, for something like in-toto...

G: You know, or like OPA, it's like any of these things, right. SPIFFE, like, these become a core part of the infrastructure, right. So I think that people understand, like, you don't need a large quantity, it's just that you need to show that it's more than one, which could be by private disclosure, and that they're different, and not, they're just, they're different enough, right.

G: That they're not like, oh, these two friends decided to do it at their companies, right. And it's not that I care that, if anybody promotes their project through, you know, social interaction and friendship, it's more that we are making a commitment when we move something to incubation, and we want to feel like it's got some traction, whatever that means, like it's...
H: Right, no, I fully agree, and the question, the reason why I brought it up, it's not necessarily connected to in-toto. I think in-toto has everything it needs.

H: It is more of me worrying a little bit about the security ecosystem as a whole, and I don't know what the answer is, because I feel that on one hand we could say, like, oh, security products then have different standards, but I don't think that's fair, because I also know that observability has probably its own problems.

H: Say, runtime will have its own, like, understanding of what an adopted project is. I also think that there's this, like, tacit understanding, as you said, Sarah, that a lot of people understand that security products have different adoption challenges.
A: Right, yeah, so I mean, when I add something to that conversation, so the reason why we formed SIG Security outside of Kubernetes as a community is precisely to acknowledge and understand that, right. So security is a cross-cutting concern across multiple infrastructure, and its profile and projects and adoptions are going to look a lot different than what Kubernetes adoption is going to look like, and I think it's been acknowledged and well understood by CNCF in general.

A: But I think there is still, to your point, the lack of clarity, or lack or incorrect expectations in terms of, like, what something should look like versus what something is and what something's usefulness is, right. So, and I don't know if we'll be able to find, like, a magic answer that says, like, okay yeah, we do X at X percentage of Y, this makes sense, kind of thing.

A: It is just going to have to be like this, constant conversations like this, and then have some things like assessment be a guiding force for, like, why this matters, because people that are in security understand the context around this, that will be able to assess and validate and push, and now we have this forum to basically do exactly just that, right. So I think it's going in the right direction. To your point, no, it's very less understood, but is there a common consensus and a mechanism to push this through?

A: I think we've started having that part of the SIG Security, but your inputs and your quote-unquote evangelization around this will also help in terms of trying to move the needle on that.
H: Right, yeah, I agree.

H: Yeah, I think I also don't have a lot of visibility of how the TOC views things, so I assume that also, yeah. Without that knowledge, it's easy for me to catastrophize to some extent.

J: Will have different perspectives, each. It'd be good for you to figure out what they're all talking, talking to Michelle about something unrelated tomorrow on SMI, but happy to bridge this too.

H: No, I think that's all good, and I don't, I think I really appreciate Michelle's perspective, and I think my concern was mostly on having very delineated numbers. For example, say three adoptions. Again, I think three is a reasonable number for incubation, but at the same time it also feels that it is not a qualitative measure. It is a quantitative one.
F: So I have one, fellow co-chairs: there is an open PR that does need your review and approval, and, Brandon, I think you might have already looked at it. It's the most recent one when you look at the...

D: Yeah, it looks like you got pulled away. Oh yeah, okay, Emily, which issue are you talking about? Is this the one with changes to the governance?

F: Yeah, it's issue 430 and PR 431.

B: Okay, yeah: are we going to bring that one up on screen, or a wrap for that ticket?

A: We'll take it offline, I think I can do it.

D: Thanks. If there's any, I think Aradhna has something to share for CSA.

D: If she's in the call today.
E: Yeah, I'm here, Brandon. How are you today? Yeah, I can share what is going on with containers and microservices at CSA, and also talk about the serverless working group that we are working on.

E: So there's a special working group that was created about two years ago, containers and microservices under CSA, where they have already published two papers. One is on challenges for operators, end users of containers and microservices, and it's already published, so you can search for it and download it, and the second one is best practices for microservices and application containers. That is also published. Obviously, there's evolution, so they'll be evolving that paper and research further, but those two are available as it is right now. More work to be done there.

E: This year we started a working group as a subset of this particular work stream to work on serverless security. So I can share some slides. I'm repurposing a slide deck from another presentation that I gave a few months ago.

E: So basically, this was a presentation given at the CSA EU summit to evangelize the working group and get some volunteers to help with the initiative and efforts. So basically the research is talking about how we have evolved in the infrastructure space.
E: Initially, we were all using hosts and servers, and then we moved on to virtual machines, and what are the challenges with virtual machines, and now we are on containers and Kubernetes, and how more and more enterprises are looking at functions, to use the functions as, you know, full application functionality, so multiple functions orchestrated to build an application functionality, and why that is attractive to developers and enterprises.

E: Obviously, there's a lot to be done when you're building a container platform. As you all know, the intricacies of securing a container platform, as well as developers still have work to do to package all the application and dependencies in the container and deploy them, but functions remove that dependency as well. You just purely write business functions and use a functionality provided by the cloud provider to go and deploy the application functionality. Again, then the definition of what is serverless, we had a lot of conversation around serverless.

E: What does serverless mean, because there are container as a service offerings, there are container service offerings from cloud providers which are also serverless technically, even though in reality they are not serverless, it's just that their functionalities are abstracted from the application owners. So hence in this paper we are covering container as a service as well as function as a service aspects as well, and then obviously we talk about the shared responsibility model for different deployment models. IaaS we are all familiar with.
E: If we build our own container platform in, say, AWS, we have to do everything, including implementation of Kubernetes and orchestration engine, hardening of that, and also the runtime control plane as well as the data plane as well, and I have seen organizations do that as well. I've seen several people trying to deploy OpenShift in AWS, for whatever reasons, and over time cloud providers have matured some of their services. So it really forces people to think: why are we even doing that?

E: Why don't we just use container as a service? But again, regulatory, and organizations where there are regulations they have to meet, the kind of visibility and detection and control they need, that kind of suffices their justification to do their own container platforms in cloud provider environments as well. And similarly, function as a service, there's still a stack of controls that the application developers in an enterprise will control. So this is just to visualize that, and then we are also talking about differences between FaaS and CaaS.

E: Obviously, event driven architecture, short-lived, like Lambda functions have a maximum time to live of 15 minutes, and more agile. They're not as portable. I mean, the whole advantage of building applications and microservices in containers is that you can put them anywhere. Unfortunately, when you use functions as a service from a provider, they are not portable to another platform, whereas container as a service...
E: Obviously, it's a managed control plane, but you can choose the longevity of your service that is going to live in your data plane, and it's more configurable and it's a little more portable. I wouldn't say portability has been much of a need today in the enterprises, especially in financial services. I've seen multiple enterprises' application teams have affinities to cloud providers, and I haven't seen them moving their applications from AWS to Azure or Google today, and they just build applications in their container platform in a particular provider environment.

E: Maybe in future that situation will come, but right now, and also some of these microservices are using PaaS services in the back end. Imagine building some functions or, you know, applications in containers using RDS, right.

E: How will you put that to SQL Server in Azure, or similarly, you know, Google databases or any analytics capabilities there? If you are utilizing, you are kind of dependent on a cloud provider.

E: And then we are just talking about why serverless? What are the advantages of that in comparison to IaaS and PaaS?

E: This is just a generic slide, I guess, architectural changes. Obviously it's a constrained development.
E: No ways, so it's hard to get visibility because they're so short-lived, and cloud providers today provide some detection capabilities, but not to the level of detail that enterprises today need. So there's still a need for capabilities from third-party providers that need to be deployed for serverless deployments. Our friend from Palo Alto can well show that, basically, and there was a company called PureSec, which was providing detection capabilities for functions, and Palo Alto acquired them as part of their Prisma suite.

E: Now they provide that, and there are several other third-party solutions. Then still, service level agreements are still uncertain, because in the shared responsibility model, how a function is being codified is up to an application developer, so cloud providers are not providing any service level agreements. None of the three major cloud providers are providing any SLAs around function as a service and their performance.

E: Boundaries are not there anymore. There are no network choke points that exist per se, and applications are not here. They can be dynamic, distributed anywhere, and integrations can be very wide, so boundaries in terms of application functions are untrusted, so a Lambda function could be talking to an EMR instance or a Redshift instance, and so on and so forth, in data manipulation functions.
E: So in terms of inherent weaknesses, I mean, obviously no performance guarantees, limited security controls. State management is hard. Like I said, monitoring and logging is critical, but a lot of it depends on the developer, what they want to log as well, and that is true for any application. So, in terms of maturity, there are still organizations who have banned functions, or use of functions for certain types of activities, for example in financial services, because of the regulatory environment.

E: As a service, and then in container as a service, we're just kind of depicting the additional controls that the tenant is responsible for when it comes to container as a service control plane, as well as the data plane. Even in the control plane, cloud providers do provide some flexibility for tenants to be able to go configure some of the configurations there, what images to use, etc.

E: So, in terms of security challenges, I mean, we've had a lot of discussions around a threat model around this, and we have, since this presentation, we have evolved our threat model in the paper quite a bit, and I'm happy to share the link with all of you, so you can read and opine on it as well and provide input. Basically, misconfigurations.
E: These are distributed applications. Imagine updating stock prices on a website, right, all the functions that will go into that, and the criticality of the data and inputs and validation and confidentiality around that until the final price is published. So, being distributed...

E: There are a lot of policy enforcement challenges and configuration challenges as well, and testing, right. Obviously, you need an environment where you can test it before you actually implement it in production. Improper authentication, authorization is a big concern, basically because of untrusted boundaries, and functions can go and talk to a lot of other services, and so appropriate authentication, authorization and implementation, that is critical. Policy violations.

E: As we've talked, if the function is written inaccurately or there are misconfigurations of the deployment of the function, then there'll be challenges in policy enforcement, and the policy violations will be detected, but the function is so short-lived that you may not even be able to fix it in the time. Code vulnerabilities still can happen. I mean, this is application functionality.
E: Even triggers can be, you know, there are injections, SQL injections, as well as even data injections, that can affect the capabilities of a function, what it can execute, to runtime issues, obviously, because of code injections, and denial of service can happen. Malicious traffic could impact the resources that you're utilizing, and the function may not be able to execute just because the resources finished before the function could execute the full functionality.

E: And in an event driven orchestrated system, failure detection can be after the fact, like after the event has failed you might detect it. So imagine five different functions running and one of them failing; all the subsequent functions will fail as well. So...

E: Well, and after the threat model and detailed threats discussion, we are working on security controls that we need to deploy in a secure function as a service deployment, not just function as a service but also container as a service.

E: So there are two parts to that section, that chapter. We're going to discuss all the controls required, with an architecture diagram showing how all the threats we have talked about are going to be mitigated for a FaaS implementation as well as a container as a service implementation, and then also talking a little bit about future direction and where this is headed as cloud providers improve their capabilities to mitigate some of these threats and provide more visibility returns.
D
Right
now
is
these
slides?
Would
you
be
able
to
make
them
available
as
well.
H
Right,
thank
you
so
much
for
the
slide.
I
had
two
questions
and
probably
the
first
one
is
a
little
daunt
and
I
apologize.
If
I
missed
it,
but
can
you
talk
a
little
bit
more
about
csa
and
like
what
is
it.
E
Sir
cloud
security
alliance
actually
was
incepted
in
2007
and
I've
been
part
of
css
since
then,
when
all
the
cloud
providers
were
just
coming
out
with
initial
services,
aws
was
really
small,
so
they
do
a
lot
of
work
in
building
best
practices
for
cloud
in
general,
and
that
is
is
sas
and
they
have
slowly
expanded
into
internet
of
things
and
mobile
security
in
a
way.
It's
this
standards
body
that
does
work
around
security
as
well,
complementary
to
cncf
and
I've
been
part
of
csa.
E
E
So
a
lot
of
small-time
sas
providers
and
past
providers.
They
go
to
csa
for
getting
their
services
certified
from
a
security
controls
perspective
and
they
they
have
a
cloud
controls
matrix
as
well,
which
provides
which
is
mapped
to
nest
800-53,
but
at
the
same
time
it's
written
in
a
different
flavor.
It's
also
mapped
to
iso
standards,
but
again
the
due
diligence
that
goes
into
fedramp
invalidation
of
controls
of
providers
is
slightly
more
deep
and
in-depth
compared
to
csa
audits
and
assessments.
E
But
still
it
does
provide
some
level
of
assurance
of
a
provider's
security
posture
and
framework
that
they
are
using
operational
best
practices
as
well.
But
there's
a
lot
of
research
available,
I'm
happy
to
share
the
link
of
csa
research
and
guidance
that
they've
published
so
far.
There's
a
lot
of
working
groups
where
you
can
participate
and
volunteer
and
share
your
knowledge
as
well
and
you're.
Welcome
to
join
the
serverless
working
group
as
well
since
you're
all
working
on
the
cloud
native
stuff
and
serverless
is
cloud
native.
H
E
H
H
It's
not
a
criticism.
I
was
just
curious
to
to
know
it's
always
good
to
hear
different,
like
perspectives,
and
sometimes
it's
like.
Oh
there's,
a
fundamental
like
difference
there.
That's
like
you're
right
that
that
that
is
covered
in
third
party.
B
H
No,
no,
I
I
was
just
saying
that
yeah
I
really
enjoyed
it.
Thank
you.
B
B
B
H
If
you
don't
take
care
of
it
and
I'm
not
trying
to
patch
an
ogs,
it
just
happens
to
be
such
a
big
repository,
we're
doing
analysis
of
their
supply
chain
dependency
graph
to
understand
that
what
we
call
deep
supply
chain
dependencies
and
it's
millions
and
millions
of
packages,
and
many
of
them
like
there's
a
couple
of
very
big
offenders
of
this,
like
that
they
make
a
package
for
the
color
red
and
then
they
make
a
package
for
antsy
colors,
and
then
they
make
a
package
for
coloring
things.
K
I
have
a
quick
question
that
presentation
you
mentioned.
You
touched
on
the
fedramp
and
I'm
curious.
I
think
you
were
suggesting
probably
that
the
css
certification
could
be
a
precursor
or
a
step
towards
going
towards
the
fed
ramp.
Can
you.
K
E
Honestly,
a
fedramp
certification
is
only
given
by
the
government,
the
government
ato
right,
but
the
controls
that
csa
validates
as
part
of
the
ccm
are
mapped
to
fedramp
and
nest
800-53
as
well.
I
know
nest
works
closely
with
csa
as
well,
so
there's
inter
dependencies
there
and
they
share
data
between
each
other,
all
the
controls
etc.
E
E
It's
not
practical
for
a
small-time
sas
provider
to
do
that
right,
it's
expensive
in
terms
of
resources
in
terms
of
effort
that
they
have
to
put
in
place.
So
if
I'm
a
small
application
provider
that
is
now
providing
it
as
a
software
as
a
service,
I
don't
have
time
and
money
and
resources
to
have
fedramp
auditors
sitting
and
enforcing
all
those
nest.
853
controls,
24
7
365
days,
and
I
may
not
even
have
resources
to
secure
everything.
E
E
K
Yeah
are
those
audits,
then,
from
the
csa,
recognized
by
the
fed
ramp
as
the
acceptable.
K
So
yeah,
I
was
just
wondering
whether
there
is
any
advantage
or
leverage
one
could
draw
by
doing
this,
while
they
are
actually
working
towards
the
fedramp
getting
the.
E
Freedom,
but
but
this
csa
audit
works
for
other
organizations
right.
I
work
for
a
financial
services
organization
organization
for
every
sas
solution.
I
would
validate
whether
whether
they
have
a
dram
or
they
have
iso
or
they
have
csa
either
of
the
three,
and
that
gives
me
some
level
of
assurance
of
their
security
practices,
and
then
I
can
do
more
due
diligence
based
on
my
assessment
from
their
audit
findings.
B
I'm
just
going
to
step
in
about
two
minutes
on
the
clock
before
hard
stop
and
just
want
to
offer.
If
anyone
want
to
continue
this
discussion
to
either.
If
you
want
to
post
your
contact,
details
and
chat
or
a
link
to
president
slack,
if
anyone
wants
to
continue,
I
was
just
going
to
save
the
very
last
minute
and
ask
if
there
are
any
attendees
today
that
would
like
to
quickly
introduce
themselves
before
we
wrap
up.
B
All
right
so
then
I'll
just
conclude
with
emily,
put
a
note
here
in
the
chat
by
all
means
hop
on
to
the
cncs
slack
during
the
sig,
secure
anal,
and
if
anyone
like
continues
discussion
there
and
thank
you
enough
for
that
looks
like
we've
got
all
the
pieces
needed
to
continue
this
offline.
B
So
anyone
stay
on
the
call
please
feel
free
to,
but
at
least
at
this
moment
we're
officially
ending
the
meeting
have
a
great
day,
everyone
and
stay
healthy.
Thank
you
very
much.
Thank
you.
Have
a
good
day.