From YouTube: CNCF SIG Security 2020-01-15

Description: CNCF SIG Security 2020-01-15
A: Thanks, Erica. And Erica, while we're waiting for people to just get started, I thought it'd be nice if you would be willing to just kind of give an intro to what the policy group is and what you've been talking about, you know, maybe in the last few months, because I think we've got a lot of new people who haven't necessarily heard about what that group's doing. I'll look to you for that today. Also the format, which is that people annotate your name if you're new or if you're the lead of one of the projects, so that we can make sure that the people who are active leaders in the group introduce themselves, and new people, or if you have security-related things that may or may not be of interest to the group that you want to report, or work that you've done as part of SIG Security in the last week, to give updates on.
D: Acquisitions, I know, but yeah, so I'm part of the Kubernetes policy working group. It's the policy, policy in general for cloud native security policy. It is a kind of large thing that everyone cares, or means and cares, about and thinks it's really boring, but I happen to think it's very interesting: how we govern our clusters and our cloud in a secure and automated way that works for this cloud native era. So Howard and Robert are the other co-leads. We meet every other Wednesday.

D: Looking at, we have kind of overviews of various policy-related projects, some active work. We're going at policy violations, cut some resource to unify some of the tallest plug-in projects and they kind of first start, so we're discussing that, as well as some other investigative kind of trying out different, some formal verification methods for verifying policy configurations and various tools, and then just more mundane discussion of what's gonna happen with pod security policies and the like. Here are our notes.
A: And I hadn't heard that Robert was co-leading the group, that he had joined the leadership team. So please submit a PR, because we had some PRs crossing each other, so last week I added the SIG team to the root repo. So feel free to PR in Robert, or Robert, if you're here, PR yourself, so that we keep this up to date and spread awareness of the great work you're doing. And so, for the folks who are new, we consider policy to be essential for security, because how can we secure things if we don't know what we're trying to do? I think so. So that's why the policy working group is part of SIG Security, and at the moment it's the same group of people that does Kubernetes policy, so that's why it's kind of one group, one group of people, two structural groups, but it's efficient because we have a small set of awesome people focused on policy.
A: Is that a good summary, Erica? That works for me. Okay, great. And so I hear from Justin Cappos, who is intermittently online; he's gonna skip the update for now because of connectivity issues, but he is our security assessment facilitator, so ping him on Slack if you have questions about security assessments.
F: I'm here talking for both myself and Michael Ducey, who's not on the call, traveling. I am one of the co-leads for the Cloud Native Security Day Amsterdam 2020 and I do have an agenda item update, but I wanted to let everybody know the website is now live for CFP submissions, so it's very exciting, and if you have someone capable of potentially sponsoring, the prospectus is also on the site. So that's all I have for now.

A: Great. Thank you so much. So I think those are all of the official updates, and we'll dive into the... I just wanted to have check-ins in case we'd... Do we have anybody from, we covered the policy working group. Do we have anybody from SIG Auth or any of the other working groups that wants to give an update? All right.
F: So one of the things that we're talking about, and kind of need feedback from everybody on, is: typically Amsterdam, or any of the KubeCon CloudNativeCon European instances of the conference, are a smaller audience, and when we did the security day in North America we had an open spaces kind of forum, and there were a fair amount of people that knew what it was and really enjoyed it. A lot of people didn't know what it was, were exposed to it, and also enjoyed it.

F: There were some people that were still kind of confused, didn't get it, so we felt that there was a good conversation going on with that, but the space was constrained, so it didn't necessarily allow itself to be the best that it could be. Now fast-forward to Amsterdam. We are having space limitations, so we cannot do a capture the flag and open spaces, but we could do an open spaces, or all briefings, or a capture the flag in the afternoon. So that's kind of the time block that we're looking at.

F: So there are some pros and cons to each. It was talked about that doing briefings in the afternoon creates a full day of briefings, which is just like some of the other activities that go on at KubeCon CloudNativeCon, and one of the things that makes us different is that we don't do the full day of briefings. But still, they're easily accessible for the larger audience; everybody has the same expectation for what's going to happen. Then there is open spaces.

F: This would be our first time doing security day in Europe, so there's a new audience, new folks showing up that may or may not be familiar with the open spaces concept, and just getting people involved in, like, how to have those dialogues and leading them along. So there's that, and then capture the flag. So this has been brought up a lot by the community, potentially doing a capture the flag activity, and for those of you that don't know what it is...

F: Basically it's when you have teams working, or individuals working together on teams, against each other to capture and defend their snippet of code or a particular file, and there's more information online; just Google "capture the flag security" and a whole bunch of websites come up. So we had some folks express interest in running a capture the flag in the afternoon for security day. We believe that they are still interested, but there is concern about how technically involved that is from an audience perspective. Not everybody coming to security day has a security researcher or hacking background.

F: There's also the logistics of setting it up. The space that we have only sits about 152 people, so breaking up the teams... The benefits are it gets more security folks coming to a typical developer conference and giving them that cross-pollination of ideas back and forth between the two communities that typically are very disparate, and cold water has talked about this a lot, or yeah, clear water. I've talked about this a lot in some of their presentations about how security and development communities are very different and they don't usually talk.
G: You know, so, if there's more than one track, I think that a walkthrough, a CTF-ish walkthrough kind of demo, like what was initially proposed a while ago, could be really good. But if it's single track, then maybe it's a cool idea that's just not right. Mike, come on.
F: That's it. So just a reminder: is it because the space is so small? We don't have access to other areas to do multitrack, which is what we would really love to have, so doing this kind of event in Amsterdam is probably not going to be possible, but we want to have the conversation and explore it and see what other ideas are being generated around us, because we did get feedback that folks wanted something a little bit more hands-on.
A: Are there other people who have thoughts on this, both people who have done CTF activities before and maybe have perspective about what it's like to have people with less experience doing that, and people who've never done a CTF before, who've never done capture the flag before, who might enjoy it or find it like, "I probably won't go because of it"?
I: So personally, if I were there, I'd really find this interesting. I can see why others would also find it interesting and enjoy having a hands-on thing to do. It does feel a little tangential to the work that the group does on a regular basis, but it is highlighting some things that are good to know about security, so that is nice.
A: That is a good perspective, right. One idea from organizing things: I went to a diversity training once where, at the beginning of the breakout session, they did like a spectrograph, which is like, whatever, you ask a question and everybody lines up according to their answer, where people are like, "how familiar are you with diversity stuff," and on one side of the room, you know, was "this is all new to me?"

A: "Oh my god, I have to get 101 diversity class as a manager training," and "I teach things like this and I kind of, like, I appreciate it, but I'm kind of tired of the intro stuff," and then I was with, like, super experienced people, right, and then the novices work together, right. So that's an idea for Emily.

A: If we can move forward with that as a way to, like, divide people. And also I'll just chime in, like, I've never done a capture the flag because I'm more on the developer, you know, the creator of things, and trying to build things that are secure rather than attacking things to make sure they're secure, and I just think it would be really neat, yet I would be reluctant to just dive into one with the professionals with no experience, you know. So I think this would patek.
F: Where folks are, what should be happening, what they should be seeing, why it's important, those kinds of things, to kind of help, if they're not actively hands on the keyboard participating, we're reinforcing the concepts of what's going on. And then for those that haven't completed challenge 1, 2, 3, whatever it is, providing them with the mechanism or the instructions to get them past that challenge. So that was some of the other stuff that we talked about. But it's a real balance between: we don't want to turn people away.

F: We want to try this new idea. How do we make that work? And I think dividing up the teams based off of experience is important, but we'll need to figure out how we do that, either day-of or at some point before then, to ensure that we have the right mix of experience, because if we only have four or five people that have done CTF before and feel really confident in their skills, and we've got 145 other people? That is not going to work. Yeah.
A: Another thing, another idea is: if you know there are people with the time to prep, is to have, like, something that is more, like, you know, some written material; it's more like a tutorial on how to use the tools with a little CTF thrown in, so that some of the groups could really be doing more of a step-by-step thing. Even if we don't have a separate room, right, we could have, like, oh, groups.
C: What is the goal of the CNCF Security Day? What do we want to convey to the people that participate? I think that is important too, to decide on how we want to do that. That seems to be unclear. What is it, that security is important, about what specific security tools are available to them to address the, I guess, the threat model?
F: The goal of the day is captured in ticket number 305, which I have linked in the notes. The goal of the day is to bring together the broader cloud native security community in a community-oriented space to discuss and share current challenges and solutions in cloud native security, and we've been really pushing that open collaboration and communication and...

F: This last year, through the open spaces paradigm in the afternoon, we also combined presentations from the community with thoughts to talk about stuff. I believe we had at least one talk about the Kubernetes security audits and we had several other great ones. So adding the CTF capability into security day in lieu of open spaces changes how that collaboration and that community involvement can happen, from a different perspective.

F: It's them getting a more hands-on technical exposure through doing it themselves, or shoulder surfing with another individual who's talking them through what it is that they're doing and why they're doing it, but also to provide them that community involvement, that they're meeting new people, that there are different skills associated with us, and that we're not leaving them to, like, "you guys are beginners, you stay over here, and these are security experts and they're going to be over here and you guys will never talk to each other." And we...
F: ...activities. It's been a while since I've been to one, but they're either really loud or extremely quiet, depending on the team dynamics. So with that large room and 150 people, even if we were to divide the room in half and say, "half of the folks that want to do the CTF over here, and the other half of you that don't want to, come over here," having somebody present or do a talk can be distracting to the activities that are going on in a CTF.
L: So watch for that, mostly because I'm looking up, realizing, like, we've got a lot of space in the calendars between March and November, which is our next two gigantic gathering things. So maybe we can look towards being able to say, if we don't want to be able to do this in person directly, maybe we do something over the summer virtually.
H: What is it going to be, the process? So if you had been to a few other CTFs where it was completely online and you were expected to just be in a Slack channel where all the announcements were made, so you could potentially do something like that, or hybrid, to try to mitigate some of those issues or concerns. So.
A: Before we just dive into the... I like that; thanks to Amy for the suggestion, and whoever was just on the phone for a little elaboration on the virtual stuff. I want to go back to, like, it sounded like, I mean, it's certainly technically possible for us to do it on site, and I think that we've heard some people who, like...

A: So if there are two questions, a question about the goal of this: when we did it before, when we, the initial planning of the one for San Diego, I had at least thought that the majority of people who came would be from our SIG. And so it would be more an extension of the work that we're doing in the SIG to build community within the SIG. And then it turned out that there were...

A: It was oversubscribed with a lot of people who were new to KubeCon, or new to, had never heard of the SIG, and the content was all, you know, just about cloud native security. And so I think that, and we do have, I'm not sure that everybody knows, we have two slots during the KubeCon CloudNativeCon conference, one for an intro presentation and one for a deep dive, which those are really about the SIG itself.

A: Although we have had some conversations that maybe those should have a little more cloud native security content, because we have also people coming to learn about cloud native security. So I think we could do a better job with those descriptions. I just wanted to let everybody know that this is one of three things that the SIG is doing at CloudNativeCon in Amsterdam. So are there people who haven't spoken up?
C: So there are two other kinds of methods of unconference style that I'm aware of, that I'm not sure if you have discussed in one of the previous meetings. One is World Cafe, that we have done before, where you have separate tables. Each table has a host and people rotate through the tables, and I've seen that work very well at an internal conference here at Google, and it worked surprisingly well, and so that might be an option. It's called World Cafe; there's a Wikipedia page for it, I think.

C: I just had to look it up, because I talked about how it was called, and the other one was, I think, called fishbowl, where people sit, you have a number of people sit in front on the stage, and somebody that has something to say can join and somebody else drops off, and so you rotate through. It's a little less participatory, but you get different people to speak up. You need people to be relatively comfortable to be in front, so that may not be the best, but I think for the community...
M: I was going to say, for the onsite capture the flag, probably a good complement is to have a proctor that's a member of SIG Security, that keeps in mind that there may be a lot of outsiders, a lot of newcomers, but it also makes sure that all teams make similar progress, whether the team is balanced or there's mixed experiences and backgrounds. That way the proctor or facilitator can make sure they all have the same takeaways, they all get the same experience, make sure everyone...
H: ...just get fewer points, but the idea is that you're still learning and you're still achieving it, but you aren't necessarily degrading the overall for the high achievers who are able to get it. They can get full points, but hopefully everyone is still learning, and in a sort of self-service model, because if you have virtual people joining in, relying on proctors may not be practical, as well as, if there's a lot of people, it can be hard to make sure everyone's getting their questions answered.

H: At the same time, the other thought, sort of going back on what Sarah was saying about splitting people up by skill level: I was just going to say, another CTF that I've gone to, at the outset of the CTF they sort of put people in similar lanes of, are you an expert, medium, completely new, and instead of grouping people together by that, they actually forced a mix of different experience levels into groups.

H: So you would have one really experienced and a few medium or less knowledgeable people and try to even it out. The challenge with that is, that's not enough. So they can do that for, excuse me, virtual, and I think Emily mentioned before concerns about heavily weighting: if we have lots and lots of new people and only a few really experienced people, that can be hard to even out. So just another approach with its own pros and cons.
A: Thanks for those ideas, Steven. We do, hi, we have a chat. We have another agenda item, so I want to just open the floor for feedback, and then we can follow up on Slack and the organizing team can take the feedback and do something. And I want to emphasize to everybody: we consider this to be a continued experiment, so just because we, like, if we do that this time, that doesn't necessarily set a pattern where we would do it every time, right.
F: And to piggyback off of Sarah's comment, there is a thread in Slack. It's in the security channel, not the events channel. So if you have an idea or you kind of want to reinforce something that you said on the phone, go ahead and post it on that thread, and then the events team for security day will pull them together and discuss them at our next meeting and hopefully, by the end of the meeting, have a decision on what it is that we're going to do, and we'll share that with everyone.
A: ...reading this and I don't understand these things, so that when the security team does a security review, like, probably half of the body of the self-assessment is just preamble, like, this is how the brain works, and so then they can focus more on the, you know, they can just come up to speed and focus more on the security stuff rather than the clarity of the narrative. So Ash, I think, is on the call; Robert, I don't know if you are. I was wondering if one of the... What we want is somebody who's participated in a security review before to be willing to do the lead, so that they understand the process.

A: The experienced don't have the time, so I'm... Erica, I think it'd be really high value if you were a normal reviewer, because we're normal. Yes, what we're trying to do, and I have a to-do item to go and clarify the docs, because there's, like, this conflict review thing where I did... I'll just give a quick update on the conflict reviewer question, because we worked very hard to write that down clearly and in retrospect it's not clear at all, but I just checked in with at least Dan and Shaw, who's...

A: We need to clarify what we mean by a conflict, because one of the soft conflicts, which doesn't prevent anything, is "I'm contributing to the project." And so it's not clear. We want someone on the team to have some experience with the project if that's at all possible, but we just don't want everybody on the team to the Thunder.

A: That's what I want to clarify, and then we'll sort of catch up on the review of that. But Erica, since you have, you know, experience in the cloud, in the policy space, it would just be amazing to have you on the team, and then I'll just check in with people who've been through it before. There's a lead reviewer; the primary role really is to keep the process moving. So, excellent to me.