►
From YouTube: CNCF SIG Security 2021 03 01
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
B
You're
that
other
famous
hacker
who
I
I
work
with:
hey
who's,
greg
hello,
hi,
craig
hi
matt,
I'm
great
hi,
matt,.
D
C
D
E
A
F
E
Yeah,
it's
yeah
zoom
seems
to
have
new
and
interesting
ways
to
have
issues
from
every
time.
I
I
use
it.
I
don't
use
it
very
often
other
than
this
meeting
really
but
yeah
it
took
over
a
minute
to
let
me
click
the
button
to
set
up
my
audio
for
some
reason.
I
have
this
time.
G
E
The
time
man,
but
soon
yeah,
well
great
how's,
everyone
else,
yeah.
H
So
that's
one
good
part
I
didn't
justin.
Can
you
I
mean.
C
C
C
E
Sure
so
this
is
the
security
focused
sig,
that's
part
of
the
cloud
native
computing
foundation,
which
is
the
the
biggest
part
of
the
linux
foundation.
E
So
this
focuses
on
all
the
sort
of
cloud
based
technologies
and
things
like
that,
dockers,
kubernetes
and
so
on
have
a
particular
influence
in
the
community
and
about
maybe
three
years
or
so
ago,
a
group
of
people
got
together,
jj,
sarah
and
a
few
others
and
forms
of
security.
E
As
as
a
group,
they
got
some
interested
people
together
and
it's
kind
of
grown
from
there
to
have
a
lot
of
participants.
I
don't
know
exactly
how
many,
but
probably
in
the
I
would
guess
in
the
hundreds
of
participants,
have
come
to
a
meeting
and
done
things.
There's
it's
it's
a
very
welcoming
a
very
nice
community
within
that
community.
E
E
So
I
created
the
way
that,
like
the
first
cut,
how
we
do
security
assessments
for
projects
and
try
to
give
the
toc
and
the
projects
themselves
like
good
security
feedback
for
if
they're
doing,
the
right
things
and
so
on,
and
I've
also
worked
on
a
bunch
of
other
initiatives
related
to
supply,
chain,
security
and
stuff.
E
Like
that-
and
I
also
have
I-
I
created
two
of
the
cncf
projects,
the
tough
project
and
the
intoto
project,
and
have
just
been
active
overall
in
the
community
with
like
this
biffy
spire
folks
and
lots
of
other
folks
in
there,
and
I
moved
to
shanghai
in
september.
And
so,
as
part
of
me
being
here,
I'm
no
longer
able
to
make
the
normal
meeting.
C
That
was
awesome.
No
me
too,
I'm
I'm
stoked
to
have
more
people
here.
Should
we
do
like
some
introductions
for
the
new
folks
hi,
I'm
I'm
matt
since
I'm
this
guy.
Since
I
was
talking
already,
I
actually
work
with
andrew
who's
on
this
call
at
a
company
called
acceler.
We
do
cloud
native
security
and
devsecops
and
help
help.
Other
companies
realize
that
yeah.
J
F
Tools,
daniel
also
originally
from
new
zealand.
I've
been
in
melbourne
about
nine
years,
work
for
seek
currently
kind
of
the
container
in
kubernetes
security
sme
as
part
of
the
security
team
here
just
variously
involved
in
open
source
bits
and
pieces,
and
kind
of
wanted
to
formalize
that
a
bit
more
and
sig
like
this
made
a
lot
of
sense
to
me.
I've
been
in
the
last
couple
of
meetings
I
think
from
our
inception.
I
Yeah
hi,
I'm
I'm
andreas.
Thank
you
daniel
I'm
andres.
I
work
for
for
red
hat
and
I
was
found
or
thought.
Security
is
very
boring
to
be
honest
and
then
matt
told
me
about
a
capture
the
flag
event
that
he
wants
to
run,
and
so
I
got
more
into
into
that
and
then
I
started
to
check
out
based
on
on
matt's
recommendation
the
security
as
well,
and
you
know
I
joined
the
the
slack
channel
and
I
work
on
these
current
supply
chain
white
paper
as
well
that
we're
running
under.
I
K
You
hi,
my
name
is
frederick.
I'm
from
india.
I've
been
working
on
the
soft
side
on
the
blue
team
side
of
things.
Now,
I'm
getting
into
the
open
source
and
the
cloud
security,
the
cooperative
security
and
I'm
exploring
the
infrastructure
security
side
of
things.
G
G
L
Okay,
hi
I'm
dean,
awari,
I'm
I
live
in
japan.
I
had
cloud
native
security
at
checkpoint
and
I'm
in
charge
of
obviously
working
to
evangelize
cloud
security,
but
also
on
all
the
you
know,
all
the
security
for
containers,
serverless
and
everything
else.
So
look
forward
to
see
how
we
can
you
know,
add
stuff
in
the
in
this
seg,
so
I'm
excited
to
have
a
signate
pack
for
the
first
time.
It's
been
typically
in
the
us
in
the
cube,
cons
and
everything
else
so
sounds
exciting.
H
Awesome
so
I
am,
I
don't
know
if
you
can
hear
me.
This
is
jj
like
what
justin
was
saying
like
we.
If
you.
E
H
E
H
Started
a
group
to
just
start
discussing
about
some
of
the
security
stuff
early
on
it
was
originally
called
safe.
H
H
And
then
that
got
transitioned
over
to
security
over
time
and
then
then
now
we
we
have
it
here.
It's
a
pretty
wide
variety
of
group
and
people
from
nist
people
from
cloud
security
alliance
and
a
bunch
of
people
participate
in
sharing
information
and
knowledge.
That's
actually
widely
widely
practiced
in
industry,
and
some
of
it
is
some
of
it
is
still
in
research.
H
So
I'd
highly
encourage
you
to
like
drop
in
or
take
a
look
at
like
some
of
the
videos
that
for
the
emea
sessions
as
well,
because
there's
a
bunch
of
stuff
that
goes
on
so
we'll
try
and
cross
pollinate
as
much
as
possible.
Matt's
been
pretty
active
on
this,
and
I
appreciate
all
the
effort
is
done
so
far
to
get
us
into
the
zone.
H
H
H
Cool,
so
that's
all
I
had
I'm
happy
to
be
part
of
this
group.
I
will
answer
any
questions
and
like
what
justin
said,
contributions
are
super
awesome
welcome.
There
is
also
toc
updates
that
happen.
Every
tuesday,
first
tuesday,
of
every
month,
kind
of
thing
where,
as
a.
H
Group
we
consolidate
every
activity,
that's
going
on
within
the
group
and
then
give
an
update,
which
is
like
a
one
slide
version
of
what's
going
on
with
this
group.
So
that
is
also
something
that
I
think
people
should
pay
attention
to.
If
you
want
to
know
like
a
summary
view
of
what's
going
on,
say,
for
example,
in
this
version
we
sort
of
presented
that
we
took,
we
converted
the
security
white
paper,
somebody
volunteered
to
convert
this
white
paper
to
chinese
and
that
got
merged,
and
then
it's
finally
available
on
the
github
for
consumption.
H
We
also
had
additional
members
join
like
56
different
organizations
or
something
so
we
show
some
stats
around
the
membership
count
as
well
there,
so
a
bunch
of
good
stuff
there.
So
if
you
want
to
drop
in
and
listen,
you'll
probably
get
a
lot
more
information
there,
we
also
did
form
secure
supply
chain
working
group
justin.
I
think
you
might
know
about
it.
If
you
want
to
give
an
update,
that
will
be
good.
E
Yeah,
I
I
don't.
I
haven't
been
tracking
it
too
closely
because
it's
it's
async
with
what's
happening
here,
but
my
santiago
torosadas,
who
was
my
phd
student
and
his
professor
purdue.
Now
he
founded
the
he's.
He
started
collecting
all
these
materials
and
put
together,
and
I
know
that
they've
kind
of
spun
off
into
its
own
sort
of
sub
entity
that
has
a
bunch
of
momentum,
while
they're
tracking
this
they
have.
E
I
don't
know
80
or
so
different,
documented
supply
chain
attacks
that
they've
looked
at
and
things,
and
I
think
that
they're
still
looking
for
people
to
participate
and
and
help
in
that
area.
I
know
some
of
the
more
recent
efforts
have
also
looked
at
mitigations,
because
I
think
there's
there's
a
tendency
from
a
lot
of
especially
kind
of
vendors
in
the
space
to
overclaim,
and
so
I
think
people
are
trying
to
like
this
working
group
is
trying
to
help
to.
E
E
Of
course
you
know
we
just
keep
all
the
bad
folks
out
and
there's
no
problem,
but
I
think
you
know
those
are
kind
of
laughable
now,
but
in
the
supply
chain
space
I
think,
there's
still
a
lot
of
you
know
a
lot
of
people
that
that
say
they
have
these
magic
products
that
that
don't
really
have
them
in
practice
yeah.
So
one
other
thing
I
want
to
mention
about
this.
Sorry
go
ahead.
If
you
have
something
else,
you
want
to
say,
would
you
step
in
go
ahead.
H
No,
no
so
a
couple
of
other
updates
also
carrying
it
from
emea,
as
serverless
security
white
paper
is
being
kicked
off.
There
is
an
effort,
and
there
is
a
github
issue
for
that,
or
there
is
a
dock
for
that.
It's
right
now
in
a
closed
form,
we'll
start
opening
it
up
once
it
gets
a
little
bit
more
traction.
I
Can
I
ask
a
question
on
that
yeah
so
because
I
made
a
comment
in
the
software
supply
chain
security
white
paper
and
I
said
it
would
be
good
to
have
actually
to
call
out
a
project,
an
open
source
project
that
delivers
against
that
recommendation
and
there's
now
basically
discussion
going
on.
We
don't
want
to
make
it
a
tools,
sort
of
conversation
and-
and
I
understand
that-
and
I
don't
want
to
make
it
a
truth-
conversation
either,
but
I
also
didn't
want
that
white
paper
to
be
just
theoretical.
C
I
might
jump
from
here
if
that's
cool,
I
only
just
found
out
about
it
andreas,
but
in
relation
to
the
cloud
native
security
white
paper
at
least
there's
a
cloud
native
security
map.
That's
been
worked
on
and
it
directly
links
to
the
theoretical
components
of
the
white
paper
against.
What's
going
to
be
in
the
map,
which
is
you
know,
practical
ways
of
implementing
a
particular
thing,
so
you
know
container
scanning,
for
example,
with
a
variety
of
tooling
such
as
aqua,
trivia
or
something
else.
I
L
L
It's
a
slippery
slope,
I
don't
mean
to
be
against
you.
I
mean,
I
think.
If
you
want
to
talk
about
scanners,
you
can
talk
about
the
differences
and
our
coverage
and
let
them
let
people
figure
out
which
one
they
want
to
try
because
scanners.
Obviously
the
thing
with
scanners
is
people
kind
of
they
don't
understand
how
it
works
so,
especially
with
supply
chain
I
mean:
do
you
cover
malware
cv
cwes?
L
K
H
What
that
was
sort
of
the
motivation
for
keeping
the
white
white
people
to
be
sorry
tools,
agnostic,
but
I'll
being
choppy
I'll.
Just
basically
stop
talking
and
just
listen.
J
So
I'm
looking
at
the
cncf
list
of
supply
chain
security
compromises
and
it
looks
like
there
isn't
really
much
in
labels
for
the
types
of
compromise
I
mean
they've
got
like
a
column
for
the
type,
but
it's
really
broad,
like
dev,
tooling
or
malicious
maintainer.
J
J
Maybe,
like
a
kind
of
I
think,
there's
a
cloud
native
attack
framework
that
might
be
useful.
For
that
sorry.
Does
that
make
sense.
E
I
I
think
so
one
one
thing
I'll
say
overall,
is
it?
The
group
is
very
good
about
being
welcoming
of
people's
ideas
and
suggestions,
and
the
best
thing
to
do
is
to
reach
out
to
the
folks
that
are
involved
in
this.
E
I
think
there's,
probably
a
like
a
sub
slack
channel,
or
something
like
this
specifically
for
the
supply
chain,
things
to
reach
out
and
then
and
then
make
these
kinds
of
suggestions,
because
there's
no
one
here
in
this
room
who
sort
of
had
or
in
this
virtual
chat
room
that
has
ownership
of
the
of
any
of
these
or
really
has
a
strong
guiding
hand.
E
Often
there's
a
person
who
kind
of
emerges
who
helps
to
shape
it
into
their
vision,
but
getting
all
us
all
of
us
to
say
yeah
that
sounds
great
is
is
helpful,
but
it
may
be
better
to
get
to
get
the
people
that
are
responsible
for
it
and
have
had
their
vision
on
this
particular
document
or
thing
a
move
forward.
E
That
all
being
said.
One
other
thing
I'd
like
to
stress
is
that
the
way
that
things
like
the
security
assessment
guidelines
came
about
wasn't
it
wasn't
that
I
wouldn't
ask
someone
for
permission
or
whatever
it's
that
I
saw
people
were
struggling
to
get
something
together.
There
was
sort
of
this
design
by
committee
thing
that
really
wasn't
making
any
progress,
and
so
I
basically
just
sat
down
and
said:
I'm
gonna
do
it
and
I
I
came
back
and
produced
something
and
people
said
yeah.
E
This
is
pretty
good
and
then
they
used
it
as
a
sort
of
1.0
version
that
they're
now
revising
into
a
better
improved
2.0
version.
So
you
know
I
I
think
you
shouldn't
be
afraid
to
kind
of
grab
your
own
space
and
do
do
things
with
it.
But
if
people
are
actively
kind
of
working
on
a
on
something,
then
you
know
trying
to
talk
with
them.
First
is
is
probably
a
better
better
path.
E
H
Yeah
there
is,
there
is
active
work
going
on.
If
you
are
interested
in
that,
I
can
connect
you
with
taradina,
who
is
leading
that
effort
yeah.
C
J
J
Where
you
can
have
a
project
that
calls
containers
from
two
different
sources,
maybe
a
public
one
and
an
internal
docker
hub,
and
some
people
have
figured
out
that
if
they
can
guess
the
names
that
are
being
used
internally
and
then
register
them
on,
let's
say
docker
hub
right,
then
they
can
own
things.
E
Yeah,
so
we've
been
pretty
active
as
part
of
the
notary,
b2
redesign
and
the
the
the
issue
here.
E
The
reason
why
this
is
a
a
problem
deals
with
the
way
that
they're
sort
of
doing
name
spacing
in
that
area
and
we're
that
probably
sub
discussion
is
probably
the
right
place
to
have
it
unless
there's
going
to
be
a
big
fragmentation
but
but
tuff
addresses
this
there's
something
in
tough
called,
I
think
it's
tap
four
is:
is
the
right
one,
but
there's
a
augmentation
proposal
for
tough
that
deals
with
multiple
repository
situations
and
how
you
do
namespace
mapping
when
you
have
them,
and
so
this
directly
addresses
that
I
can
post
a
link
in
the
chat
just
to
say.
H
Yeah,
I
mean
just
as
in
education.
If
anybody
is
interested
in
presenting
the
problem
itself,
that'll
be
a
good
way
to
get
engaged
with
the
community
and
get
them
up
to
speed
and
come
people
will
be
more
than
open
to
in
one
of
the
following
sessions.
H
We
can
probably
have
like
a
10
or
15
minute
presentation
about
this
that'll
help
list
of
the
folks
to
understand,
but
if
you
want
to
do
that,
if
anybody's
interested
in
doing
that,
we
should
just
create
an
issue
line
them
up
as
a
talk
in
one
of
these
sessions
and
then
in
that
process.
I
think
you
could
also
talk
about
like
the
ways
to
address
that
as
well.
E
Just
yeah
I
mean
we
could
do
that
to
actually
address
it
with
existing
tools.
You,
as
an
operator
can't
really
do
very
much.
E
Your
tool
has
to
sort
of
support
it
because
of
the
way
it
works
yeah,
but
but
the
good
news
is:
is
that
at
least
the
assuming
that
the
notary,
v2
design
takes
the
tough
approach
with
this
which
looks
pretty
likely?
I
guess
I
don't
know
likely
is
the
right
word
but
looks
looks
like
it
hopefully
should
happen.
E
Then
this
this
will
be
a
bit
of
a
of
a
moot
point,
but
we'll
see
we'll
see
what
happens.
There's
there's
some.
I
don't
know,
there's
some
issues
in
that
group
with.
E
Getting
people
to
appreciate
that
security
is
as
important
as
it
should
be
at
times,
but
for
the
most
part
I
think
they're
going
to
come
to
the
right
conclusion.
So
I
have.
E
E
Well
it
it
can
be.
I
mean
you
certainly
have
more
things
that
one
can
attack,
but
there's
also
the
question
of
so.
If
you
do
it
appropriately
and
you're,
you
add
something
like
another
scanner.
If
your
scanners
are
not
able
to
modify
the
artifacts,
that
would
come
out
right
if
it's
effectively
a
box,
you
give
your
pre-built
package
or
your
your
built
software
or
your
source
code
or
whatever
to,
and
it
can't
modify
that
thing.
It's
given
and
put
you
know
a
modified
version
back
in
the
pipeline.
E
So
I
think
one
of
the
you
know
not
to
to
name
drop
tools
too
much,
but
the
the
in
toto
project
here
you
know
it's
its
focus-
is
on
making
sure
that
you
don't
have
those
unintended
modifications.
That
thing
actually
do
run
through
all
the
steps
they're
supposed
to
and
so
on,
and
to
provide
like
cryptographic,
proof
of
all
that.
So
if
you're,
using
things
like
that,
then
adding
security
tools
is
in
general
should
provide
you
with
strictly
better
security,
at
least
security
towards
things.
Like
modification
of
your
code.
L
F
Sorry
dean,
you
mean
specifically
like
kubernetes
versions,.
L
E
For
the
most
part,
the
individual
projects
are
very
disjoint
from
what
our
group
does
other
than
when
we
do
security
assessments
or
do
things
like
try
to
put
things
into
the
landscape
or
mapping
or
something
like
that.
But
we
just
don't
have
the
depth
of
expertise
to
take
dozens
of
very
diverse,
very
different
projects
and
like
try
to
be
involved
in
the
you
know
daily
recommendations
for
the
next
versions
of
whatever's
happening.
E
They
tend
to
have
their
own
subgroups
and
then
they
come
and
will
sometimes
talk
to
us
or
occasionally
ask
people
ask
for
some
advice
or
ask
you
know:
ask
us
to
do
an
assessment
update,
but
we
we
don't
in
in
real
time
we're
not
embedded
in
all
the
the
different
groups
for
the
most
part.
As
far
as
I'm
aware,
hey,
justin,.
C
Just
on
the
note
of
assessments,
andrew
horton,
here
I
brought
along
him
and
I
work
together
and
have
done
between
ourselves.
A
lot
of
assessments
and
I'd
be
pretty
keen
to
get
him
in
involved
with
some
of
the
work
you
you've
done
for,
like
the
v2
assessments.
If,
if
you'd
be
willing
to
spend
a
couple
of
minutes
going
over
where
that's
at
and
what
you
need
help
with.
E
I
I
would
be
very
happy
to
have
you
to
participate
when
I
left
to
go
to
the
apac
region.
E
I
sort
of
turned
that
over
because
I
not
being
able
to
be
in
the
meetings
it's
hard
to
wrangle
people
to
get
them
to
participate
and
so
on,
and
also
when
they
were
doing
the
kind
of
v2
redesign
of
the
things
like
the
original
thing
I
had
done.
I
intentionally
stepped
back
because
I
didn't
want
to
kind
of
overly
influence.
E
You
know
like
be
the
voice
because
I
found
when
I
would
talk
about
things
and
they
would
suggest
things
if
I
said.
Oh,
you
know
I
think
coke
sounds
better
than
pepsi,
then
everyone
is
like
yeah,
we
all
like
coke
too.
So
I
I
sort
of
let
that
community
go
and
do
it,
and
so
I
I
intentionally
am
not
that
up
to
date,
but
certainly
when
I
did
it,
we
always
needed
people,
and
especially
people
that
have
had
experience
doing
it
will
be
most
welcome.
J
C
E
Involved,
yeah,
honestly,
that's
that's.
The
best
thing
to
do
is
just
start
talking
to
people
on
issues
and
try
to
find
things.
E
It's
it's
also
possible
that
there's
something
in
an
entire
thing
missing,
like
this
whole
discussion
around
the
landscape
and
the
map.
We,
I
had
a
conversation
with
brandon
about
this
like
early
on
and
we
started
something
about
maybe
a
year
and
a
half
ago,
or
something
like
that
and
he's
just
kind
of
gone
and
taken
this
and
done
amazing
things
with
it.
E
That
is
way
beyond
the
way
I
sort
of
thought
of
it,
but
at
the
same
time,
we
had
other
folks
like
emily
who's,
one
of
the
co-chairs,
emily
fox
and
a
few
others
that
had
a
sort
of
different
perspective
coming
more
from
a
policy
side,
and
so
we
talked-
and
we
created
almost
like
semi-competing
things
that
eventually
we
found
out
a
good
way
to
separate
out.
And
so
that's
why
you
have
the
thing.
E
That's
the
neutral
white
paper
now
and
you're
having
something
that's
going
to
end
up
being
more
of
an
actual
map
that
that
does
actually
have
projects
and
things
on
it,
because
I
think
we
saw
those
as
a
just
separately,
valuable
and
a
way
to
keep
some
measure
of
neutrality
while
still
promoting
cncf
projects,
which
is
what
we're
obviously
supposed
to
do,
is
promote
like
good
security
practices,
especially
related
to
cncf
projects.
C
I'll
show
you
a
few
links
over
andrew
with
the
assessments
anyway,
I
think
you'd
find
them
pretty
interesting.
C
J
Yeah
sure
send
it
over
I've
been
skimming
through
a
lot
of
the
links.
I've
been
pulling
off
the
previous
meeting
notes,
while
we're
talking
and
there's
heaps
of
really
good
content
here.
D
C
I
just
give
you
guys
a
bit
of
an
update
I've.
I've
been
spending
the
last
probably
four
weeks,
just
familiarizing
myself
with
the
repository
I
spoke
to
brendan
this
morning
and
also
last
week
with
brendan
lum
he's
been
really
really
helpful,
I'm
as
per
him
on
my
convo
with
him.
C
I've
I've
started
looking
into
the
landscape
like
the
v2
landscape,
the
cloud
native
security
map
like
it's
like
a
20-page
document
or
whatever
I've
been
making
some
notes
there
and-
and
I
started
on
the
serverless
security
research
white
paper
too,
but
I
wasn't
really
sure
where
that,
where
that
was
going
like
it's
only
kind
of
six
pages,
so
I'm
just
waiting
to
chat
to
a
radnor
and
and
see
because
she's
leading
that
initiative
by
the
way,
thanks
jj
for
getting
me
in
contact
with
her.
That
was
great
yeah.
C
I'm
sure
a
lot
of
you
guys
saw
I've
been
heavily
promoting
this
organization
on
socials,
like
the
devops
slack
and
on
linkedin
and
stuff.
So
for
those
of
you
who
joined
through
through
my
promotion
thanks
so
much.
I
really,
I
hope
you
guys,
are
actually
interested
in
this
and
want
to
contribute,
because
I
don't
know
I'll
tell
you
from
personal
experience
when
I
started
looking
at
this.
I
was
like
whoa.
Oh,
my
god.
This
is
so
cool
and
then
it
was
like.
C
Well,
oh
my
god,
there's
so
much
information
where
the
hell
do.
I
start
so,
if
you're
like
a
bit
overwhelmed
like,
I
was
just
feel
free
to
ping
me
on
slack
and
I'll
try
to
help.
You
understand
what
I
know
which
isn't
much,
but
I'm
happy
to
help.
K
C
Yeah
man,
I'm
happy
to
help
as
justin
said
and
me
just
before,
like
kind
of
skim
through
the
github
issues,
a
good
place
to
start
is
just
understand
the
repository
that
that's
what
took
me
a
bit
of
time
understand
what
the
open
issues
are
then
you'll
understand
where
the
help's
actually
needed
and
where
you
can
contribute
and
yeah
just
find
something.
That's
interesting
to
you.
I
think
that's
really
important,
because
if
you're
passionate
about
it,
then
you'll
be
more
compelled
to
contribute
that's
kind
of
one
point.
C
Yeah
man
feel
free
to
ping
me
on
slack,
I'm
I'm
blackbeard
on
slack,
I'm
not
matt
flannery,
I'm
blackbeard
there
you
go.
K
K
C
I
think
it's
the
second
or
third
one
yeah
like
just
to
be
clear
again,
I'm
not
an
expert
here,
I'm
learning,
but
if
I,
if
I
can
help
any
of
you
guys
know
what
I've
learned
already
that'll
just
help
me
as
well
and
we
can
learn
together.
So
that's
cool.
E
But
that's
definitely
the
most
active
I
was
just
gonna
say
this
is
definitely
the
most
active
meeting
before
this
we
had,
I
think,
four
participants
or
so
this
is,
I
think,
our
third
meeting
and
it's
mostly
been
how
do
we
get
more
people
to
show
up
so
good
to
see
matt
take
charge
and
obviously
bringing
a
lot
of
fresh
excited
faces
is
terrific.
C
Yeah
my
problem,
just
on
that
note
like
I've,
been
following
the
sig
security
for
over
a
year
now
and
the
biggest
issue
for
me
was
the
time
zone
difference.
C
You
know
if
you
can't,
if
you
can't
join
the
meetings
you
it's
just
too
hard
to
really
contribute
to
be
honest,
because
you
just
have
no
feel
for
what's
going
on
and
just
for
your
information,
brad
and
everyone
else
here.
This
is
a
regular
cadence,
so
pop
it
into
your
calendar,
it
happens
every
every
second
tuesday
at
1
pm.
C
So
at
the
same
time,
so,
if
you
can
try
and
block
out
this
time
attend
the
meetings,
we
can
build
up
a
bit
of
a
regular
cadence
and
you
know,
look
it's
it's
something
you
have
to
do
in
your
own
time.
So
you
know,
I
understand
everyone's
got
day:
jobs
and
families
and
stuff.
Maybe
you
know
I
read
an
interesting
article
about
how
to
start
contributing
to
open
source
recently.
C
Just
you
know
spend
four
hours
a
week.
You
know
if
that
works
for
you,
and
even
that
would
be
super
appreciated.
Personally
me,
my
motivations,
are
I've
been
an
advocate
for
devsecops
for
years,
like
I've
started
the
devsec
up
sydney
made
up
like
three
years
ago.
C
I've
been
preaching
about
container
security
since
docker
existed,
so
this
is
just
a
natural
kind
of
fit
for
me,
and
you
know
it's
a
way
that
I
can
get
involved
with
a
community
of
people
that
are
like-minded
and
have
similar
interests,
and
just
you
know,
learn
more
really.
So
yeah
really
really
happy
to
see
all
you
guys
here
and
looking
forward
to
working
together
with
you.
M
Yeah
thanks
for
boosting
it,
oh
booster
and
then
next
week
as
well.
E
Great
I'm
going
to
have
to
drop
for
another
meeting
in
a
few
minutes,
but
you
are
welcome
to
continue
to
talk.
If
there's
more,
is
there
anything
else
we
should
all
discuss.
C
I
think
I
think
we've
probably
covered
everything
justin.
I
think,
as
you
said,
man
just
to
start
off
with,
let's
try
and
get
some
more
people
and
as
these
guys,
you
know
familiarize
themselves
with
the
issues
we'll
have
something
to
talk.
A
L
E
L
I
hate
you,
it's
just
a
suggestion,
matt
excellent
meeting.
By
the
way,
maybe
we
can
do
some
sharing
of
presentations,
maybe
if
you
could,
maybe
somebody
could
start
with
that
introductory.
E
Yeah,
we
can
do
that
so
typically,
there's
two
types
of
meetings
that
we
have
with
security.
We
have
like
the
working
sessions
and
then
we
have
ones
that
have
some
kind
of
presentation
and
we
could
definitely
do
one
where
we
have
this
meeting
by
the
way
we
labeled
as
a
working
session,
but
we
could
do
one
in
the
future
where
we
have
some
sort
of
presentation
that
tries
to
give
something
like
an
overview
or
something
like
that.
E
If
jj
we're
still
here
since
I
think
he's
able
to
make
both
sets
of
meetings,
he
would
really
be
an
ideal
person
to
do
this.
I
feel
like,
since
I
can't
make
the
other
meeting
and
haven't
made
them
for
months
now.
I
I
wouldn't
be
the
right
person
to
do
this,
but
maybe
jj
or
emily
or
somebody
could
stop
by
and
do
that.
So
I
don't
want
to
promise
them
for
the
next
meeting,
but
we
can
we
can
reach
out
and
see
if
one
of
them
can
do
this
sometime
soon,.
M
I
I
also
run
a
community
group
for
the
cnc
as
well,
so
if
there's
any
like
sort
of
side,
events
or
things
you
want
to
run,
we
can
run
it
through
that
as
well.
If
we
need
to
if
it
doesn't
go
through
the
sub
channel.
C
Okay,
well,
just
on
that
note,
andreas
and
andrew
are
they?
Are
they
the
right
directions?
I
don't
know
I'm
probably
on
a
different
like
little
picture
here,
but
anyway
on
my
computer.
I
point
into
them.
Those
two
guys
are
actually
working
with
me
on
a
like
a
capture,
the
flag
event.
I
know
this
is
unrelated,
but
it's
got
something
to
do
with
cloud
native
security
at
least,
and
we've
got
it
like.
C
A
a
number
of
challenges
have
been
developed
around
showcasing
vulnerabilities
and
flaws
within
kubernetes
as
in
either
default
or
misconfigured
implementations
or
outdated
implementations,
and
so
you
know
if,
if
you'd
be
interested
in
promoting
that,
that
would
be
great.
M
Yeah
we
can
make
a
drafting
today
if
you
want,
and
then
we
can
just
keep
working
on
it
and
come
on
in
cool
man.
I'll
talk.
M
C
Sick
see
all
right.
Well,
I'm
gonna
hop
off
too
so
who's
gonna
follow
up
with
jj
justin
about
that
I'll.
Do
more
I'll!
Do
that
all
right
and
yeah
thanks
man
for
coming,
because,
as
I
said,
if
you
didn't
come,
I
don't
know
how
to
run
these.
E
No,
you
did
great
I'll,
say
less
I'll,
say
less
next
time
you
just
I'll.
Let
you
take
over.
It
sounds
good.