►
From YouTube: CNCF SIG Security 2021 03 01
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
D
C
D
E
A
F
E
G
C
C
C
E
As
as
a
group,
they
got
some
interested
people
together
and
it's
kind
of
grown
from
there
to
have
a
lot
of
participants.
I
don't
know
exactly
how
many,
but
probably
in
the
I
would
guess
in
the
hundreds
of
participants,
have
come
to
a
meeting
and
done
things.
There's
it's
it's
a
very
welcoming
a
very
nice
community
within
that
community.
E
Like
that-
and
I
also
have
I-
I
created
two
of
the
cncf
projects,
the
tough
project
and
the
intoto
project,
and
have
just
been
active
overall
in
the
community
with
like
this
biffy
spire
folks
and
lots
of
other
folks
in
there,
and
I
moved
to
shanghai
in
september.
And
so,
as
part
of
me
being
here,
I'm
no
longer
able
to
make
the
normal
meeting.
C
That
was
awesome.
No
me
too,
I'm
I'm
stoked
to
have
more
people
here.
Should
we
do
like
some
introductions
for
the
new
folks
hi,
I'm
I'm
matt
since
I'm
this
guy.
Since
I
was
talking
already,
I
actually
work
with
andrew
who's
on
this
call
at
a
company
called
acceler.
We
do
cloud
native
security
and
devsecops
and
help
help.
Other
companies
realize
that
yeah.
J
F
Tools,
daniel
also
originally
from
new
zealand.
I've
been
in
melbourne
about
nine
years,
work
for
seek
currently
kind
of
the
container
in
kubernetes
security
sme
as
part
of
the
security
team
here
just
variously
involved
in
open
source
bits
and
pieces,
and
kind
of
wanted
to
formalize
that
a
bit
more
and
sig
like
this
made
a
lot
of
sense
to
me.
I've
been
in
the
last
couple
of
meetings
I
think
from
our
inception.
I
Yeah
hi,
I'm
I'm
andreas.
Thank
you
daniel
I'm
andres.
I
work
for
for
red
hat
and
I
was
found
or
thought.
Security
is
very
boring
to
be
honest
and
then
matt
told
me
about
a
capture
the
flag
event
that
he
wants
to
run,
and
so
I
got
more
into
into
that
and
then
I
started
to
check
out
based
on
on
matt's
recommendation
the
security
as
well,
and
you
know
I
joined
the
the
slack
channel
and
I
work
on
these
current
supply
chain
white
paper
as
well
that
we're
running
under.
I
K
G
G
L
Okay,
hi
I'm
dean,
awari,
I'm
I
live
in
japan.
I
had
cloud
native
security
at
checkpoint
and
I'm
in
charge
of
obviously
working
to
evangelize
cloud
security,
but
also
on
all
the
you
know,
all
the
security
for
containers,
serverless
and
everything
else.
So
look
forward
to
see
how
we
can
you
know,
add
stuff
in
the
in
this
seg,
so
I'm
excited
to
have
a
signate
pack
for
the
first
time.
It's
been
typically
in
the
us
in
the
cube,
cons
and
everything
else
so
sounds
exciting.
H
E
H
E
H
H
And
then
that
got
transitioned
over
to
security
over
time
and
then
then
now
we
we
have
it
here.
It's
a
pretty
wide
variety
of
group
and
people
from
nist
people
from
cloud
security
alliance
and
a
bunch
of
people
participate
in
sharing
information
and
knowledge.
That's
actually
widely
widely
practiced
in
industry,
and
some
of
it
is
some
of
it
is
still
in
research.
H
So
I'd
highly
encourage
you
to
like
drop
in
or
take
a
look
at
like
some
of
the
videos
that
for
the
emea
sessions
as
well,
because
there's
a
bunch
of
stuff
that
goes
on
so
we'll
try
and
cross
pollinate
as
much
as
possible.
Matt's
been
pretty
active
on
this,
and
I
appreciate
all
the
effort
is
done
so
far
to
get
us
into
the
zone.
H
H
H
H
Group
we
consolidate
every
activity,
that's
going
on
within
the
group
and
then
give
an
update,
which
is
like
a
one
slide
version
of
what's
going
on
with
this
group.
So
that
is
also
something
that
I
think
people
should
pay
attention
to.
If
you
want
to
know
like
a
summary
view
of
what's
going
on,
say,
for
example,
in
this
version
we
sort
of
presented
that
we
took,
we
converted
the
security
white
paper,
somebody
volunteered
to
convert
this
white
paper
to
chinese
and
that
got
merged,
and
then
it's
finally
available
on
the
github
for
consumption.
H
We
also
had
additional
members
join
like
56
different
organizations
or
something
so
we
show
some
stats
around
the
membership
count
as
well
there,
so
a
bunch
of
good
stuff
there.
So
if
you
want
to
drop
in
and
listen,
you'll
probably
get
a
lot
more
information
there,
we
also
did
form
secure
supply
chain
working
group
justin.
I
think
you
might
know
about
it.
If
you
want
to
give
an
update,
that
will
be
good.
E
Yeah,
I
I
don't.
I
haven't
been
tracking
it
too
closely
because
it's
it's
async
with
what's
happening
here,
but
my
santiago
torosadas,
who
was
my
phd
student
and
his
professor
purdue.
Now
he
founded
the
he's.
He
started
collecting
all
these
materials
and
put
together,
and
I
know
that
they've
kind
of
spun
off
into
its
own
sort
of
sub
entity
that
has
a
bunch
of
momentum,
while
they're
tracking
this
they
have.
E
I
don't
know
80
or
so
different,
documented
supply
chain
attacks
that
they've
looked
at
and
things,
and
I
think
that
they're
still
looking
for
people
to
participate
and
and
help
in
that
area.
I
know
some
of
the
more
recent
efforts
have
also
looked
at
mitigations,
because
I
think
there's
there's
a
tendency
from
a
lot
of
especially
kind
of
vendors
in
the
space
to
overclaim,
and
so
I
think
people
are
trying
to
like
this
working
group
is
trying
to
help
to.
E
E
Of
course
you
know
we
just
keep
all
the
bad
folks
out
and
there's
no
problem,
but
I
think
you
know
those
are
kind
of
laughable
now,
but
in
the
supply
chain
space
I
think,
there's
still
a
lot
of
you
know
a
lot
of
people
that
that
say
they
have
these
magic
products
that
that
don't
really
have
them
in
practice
yeah.
So
one
other
thing
I
want
to
mention
about
this.
Sorry
go
ahead.
If
you
have
something
else,
you
want
to
say,
would
you
step
in
go
ahead.
H
No,
no
so
a
couple
of
other
updates
also
carrying
it
from
emea,
as
serverless
security
white
paper
is
being
kicked
off.
There
is
an
effort,
and
there
is
a
github
issue
for
that,
or
there
is
a
dock
for
that.
It's
right
now
in
a
closed
form,
we'll
start
opening
it
up
once
it
gets
a
little
bit
more
traction.
I
Can
I
ask
a
question
on
that
yeah
so
because
I
made
a
comment
in
the
software
supply
chain
security
white
paper
and
I
said
it
would
be
good
to
have
actually
to
call
out
a
project,
an
open
source
project
that
delivers
against
that
recommendation
and
there's
now
basically
discussion
going
on.
We
don't
want
to
make
it
a
tools,
sort
of
conversation
and-
and
I
understand
that-
and
I
don't
want
to
make
it
a
truth-
conversation
either,
but
I
also
didn't
want
that
white
paper
to
be
just
theoretical.
C
I
might
jump
from
here
if
that's
cool,
I
only
just
found
out
about
it
andreas,
but
in
relation
to
the
cloud
native
security
white
paper
at
least
there's
a
cloud
native
security
map.
That's
been
worked
on
and
it
directly
links
to
the
theoretical
components
of
the
white
paper
against.
What's
going
to
be
in
the
map,
which
is
you
know,
practical
ways
of
implementing
a
particular
thing,
so
you
know
container
scanning,
for
example,
with
a
variety
of
tooling
such
as
aqua,
trivia
or
something
else.
I
L
L
It's
a
slippery
slope,
I
don't
mean
to
be
against
you.
I
mean,
I
think.
If
you
want
to
talk
about
scanners,
you
can
talk
about
the
differences
and
our
coverage
and
let
them
let
people
figure
out
which
one
they
want
to
try
because
scanners.
Obviously
the
thing
with
scanners
is
people
kind
of
they
don't
understand
how
it
works
so,
especially
with
supply
chain
I
mean:
do
you
cover
malware
cv
cwes?
L
K
H
J
E
E
That
all
being
said.
One
other
thing
I'd
like
to
stress
is
that
the
way
that
things
like
the
security
assessment
guidelines
came
about
wasn't
it
wasn't
that
I
wouldn't
ask
someone
for
permission
or
whatever
it's
that
I
saw
people
were
struggling
to
get
something
together.
There
was
sort
of
this
design
by
committee
thing
that
really
wasn't
making
any
progress,
and
so
I
basically
just
sat
down
and
said:
I'm
gonna
do
it
and
I
I
came
back
and
produced
something
and
people
said
yeah.
E
This
is
pretty
good
and
then
they
used
it
as
a
sort
of
1.0
version
that
they're
now
revising
into
a
better
improved
2.0
version.
So
you
know
I
I
think
you
shouldn't
be
afraid
to
kind
of
grab
your
own
space
and
do
do
things
with
it.
But
if
people
are
actively
kind
of
working
on
a
on
something,
then
you
know
trying
to
talk
with
them.
First
is
is
probably
a
better
better
path.
E
H
C
J
H
H
We
can
probably
have
like
a
10
or
15
minute
presentation
about
this
that'll
help
list
of
the
folks
to
understand,
but
if
you
want
to
do
that,
if
anybody's
interested
in
doing
that,
we
should
just
create
an
issue
line
them
up
as
a
talk
in
one
of
these
sessions
and
then
in
that
process.
I
think
you
could
also
talk
about
like
the
ways
to
address
that
as
well.
E
E
Your
tool
has
to
sort
of
support
it
because
of
the
way
it
works
yeah,
but
but
the
good
news
is:
is
that
at
least
the
assuming
that
the
notary,
v2
design
takes
the
tough
approach
with
this
which
looks
pretty
likely?
I
guess
I
don't
know
likely
is
the
right
word
but
looks
looks
like
it
hopefully
should
happen.
E
E
E
E
Well
it
it
can
be.
I
mean
you
certainly
have
more
things
that
one
can
attack,
but
there's
also
the
question
of
so.
If
you
do
it
appropriately
and
you're,
you
add
something
like
another
scanner.
If
your
scanners
are
not
able
to
modify
the
artifacts,
that
would
come
out
right
if
it's
effectively
a
box,
you
give
your
pre-built
package
or
your
your
built
software
or
your
source
code
or
whatever
to,
and
it
can't
modify
that
thing.
It's
given
and
put
you
know
a
modified
version
back
in
the
pipeline.
E
So
I
think
one
of
the
you
know
not
to
to
name
drop
tools
too
much,
but
the
the
in
toto
project
here
you
know
it's
its
focus-
is
on
making
sure
that
you
don't
have
those
unintended
modifications.
That
thing
actually
do
run
through
all
the
steps
they're
supposed
to
and
so
on,
and
to
provide
like
cryptographic,
proof
of
all
that.
So
if
you're,
using
things
like
that,
then
adding
security
tools
is
in
general
should
provide
you
with
strictly
better
security,
at
least
security
towards
things.
Like
modification
of
your
code.
L
E
For
the
most
part,
the
individual
projects
are
very
disjoint
from
what
our
group
does
other
than
when
we
do
security
assessments
or
do
things
like
try
to
put
things
into
the
landscape
or
mapping
or
something
like
that.
But
we
just
don't
have
the
depth
of
expertise
to
take
dozens
of
very
diverse,
very
different
projects
and
like
try
to
be
involved
in
the
you
know
daily
recommendations
for
the
next
versions
of
whatever's
happening.
E
They
tend
to
have
their
own
subgroups
and
then
they
come
and
will
sometimes
talk
to
us
or
occasionally
ask
people
ask
for
some
advice
or
ask
you
know:
ask
us
to
do
an
assessment
update,
but
we
we
don't
in
in
real
time
we're
not
embedded
in
all
the
the
different
groups
for
the
most
part.
As
far
as
I'm
aware,
hey,
justin,.
C
Just
on
the
note
of
assessments,
andrew
horton,
here
I
brought
along
him
and
I
work
together
and
have
done
between
ourselves.
A
lot
of
assessments
and
I'd
be
pretty
keen
to
get
him
in
involved
with
some
of
the
work
you
you've
done
for,
like
the
v2
assessments.
If,
if
you'd
be
willing
to
spend
a
couple
of
minutes
going
over
where
that's
at
and
what
you
need
help
with.
E
I
sort
of
turned
that
over
because
I
not
being
able
to
be
in
the
meetings
it's
hard
to
wrangle
people
to
get
them
to
participate
and
so
on,
and
also
when
they
were
doing
the
kind
of
v2
redesign
of
the
things
like
the
original
thing
I
had
done.
I
intentionally
stepped
back
because
I
didn't
want
to
kind
of
overly
influence.
E
You
know
like
be
the
voice
because
I
found
when
I
would
talk
about
things
and
they
would
suggest
things
if
I
said.
Oh,
you
know
I
think
coke
sounds
better
than
pepsi,
then
everyone
is
like
yeah,
we
all
like
coke
too.
So
I
I
sort
of
let
that
community
go
and
do
it,
and
so
I
I
intentionally
am
not
that
up
to
date,
but
certainly
when
I
did
it,
we
always
needed
people,
and
especially
people
that
have
had
experience
doing
it
will
be
most
welcome.
J
C
E
E
It's
it's
also
possible
that
there's
something
in
an
entire
thing
missing,
like
this
whole
discussion
around
the
landscape
and
the
map.
We,
I
had
a
conversation
with
brandon
about
this
like
early
on
and
we
started
something
about
maybe
a
year
and
a
half
ago,
or
something
like
that
and
he's
just
kind
of
gone
and
taken
this
and
done
amazing
things
with
it.
E
That
is
way
beyond
the
way
I
sort
of
thought
of
it,
but
at
the
same
time,
we
had
other
folks
like
emily
who's,
one
of
the
co-chairs,
emily
fox
and
a
few
others
that
had
a
sort
of
different
perspective
coming
more
from
a
policy
side,
and
so
we
talked-
and
we
created
almost
like
semi-competing
things
that
eventually
we
found
out
a
good
way
to
separate
out.
And
so
that's
why
you
have
the
thing.
C
J
D
C
C
I've
I've
started
looking
into
the
landscape
like
the
v2
landscape,
the
cloud
native
security
map
like
it's
like
a
20-page
document
or
whatever
I've
been
making
some
notes
there
and-
and
I
started
on
the
serverless
security
research
white
paper
too,
but
I
wasn't
really
sure
where
that,
where
that
was
going
like
it's
only
kind
of
six
pages,
so
I'm
just
waiting
to
chat
to
a
radnor
and
and
see
because
she's
leading
that
initiative
by
the
way,
thanks
jj
for
getting
me
in
contact
with
her.
That
was
great
yeah.
C
I'm
sure
a
lot
of
you
guys
saw
I've
been
heavily
promoting
this
organization
on
socials,
like
the
devops
slack
and
on
linkedin
and
stuff.
So
for
those
of
you
who
joined
through
through
my
promotion
thanks
so
much.
I
really,
I
hope
you
guys,
are
actually
interested
in
this
and
want
to
contribute,
because
I
don't
know
I'll
tell
you
from
personal
experience
when
I
started
looking
at
this.
I
was
like
whoa.
Oh,
my
god.
This
is
so
cool
and
then
it
was
like.
C
K
C
Yeah
man,
I'm
happy
to
help
as
justin
said
and
me
just
before,
like
kind
of
skim
through
the
github
issues,
a
good
place
to
start
is
just
understand
the
repository
that
that's
what
took
me
a
bit
of
time
understand
what
the
open
issues
are
then
you'll
understand
where
the
help's
actually
needed
and
where
you
can
contribute
and
yeah
just
find
something.
That's
interesting
to
you.
I
think
that's
really
important,
because
if
you're
passionate
about
it,
then
you'll
be
more
compelled
to
contribute
that's
kind
of
one
point.
K
K
C
C
You
know
if
you
can't,
if
you
can't
join
the
meetings
you
it's
just
too
hard
to
really
contribute
to
be
honest,
because
you
just
have
no
feel
for
what's
going
on
and
just
for
your
information,
brad
and
everyone
else
here.
This
is
a
regular
cadence,
so
pop
it
into
your
calendar,
it
happens
every
every
second
tuesday
at
1
pm.
C
So
at
the
same
time,
so,
if
you
can
try
and
block
out
this
time
attend
the
meetings,
we
can
build
up
a
bit
of
a
regular
cadence
and
you
know,
look
it's
it's
something
you
have
to
do
in
your
own
time.
So
you
know,
I
understand
everyone's
got
day:
jobs
and
families
and
stuff.
Maybe
you
know
I
read
an
interesting
article
about
how
to
start
contributing
to
open
source
recently.
C
C
I've
been
preaching
about
container
security
since
docker
existed,
so
this
is
just
a
natural
kind
of
fit
for
me,
and
you
know
it's
a
way
that
I
can
get
involved
with
a
community
of
people
that
are
like-minded
and
have
similar
interests,
and
just
you
know,
learn
more
really.
So
yeah
really
really
happy
to
see
all
you
guys
here
and
looking
forward
to
working
together
with
you.
E
C
A
L
E
L
E
Yeah,
we
can
do
that
so
typically,
there's
two
types
of
meetings
that
we
have
with
security.
We
have
like
the
working
sessions
and
then
we
have
ones
that
have
some
kind
of
presentation
and
we
could
definitely
do
one
where
we
have
this
meeting
by
the
way
we
labeled
as
a
working
session,
but
we
could
do
one
in
the
future
where
we
have
some
sort
of
presentation
that
tries
to
give
something
like
an
overview
or
something
like
that.
E
If
jj
we're
still
here
since
I
think
he's
able
to
make
both
sets
of
meetings,
he
would
really
be
an
ideal
person
to
do
this.
I
feel
like,
since
I
can't
make
the
other
meeting
and
haven't
made
them
for
months
now.
I
I
wouldn't
be
the
right
person
to
do
this,
but
maybe
jj
or
emily
or
somebody
could
stop
by
and
do
that.
So
I
don't
want
to
promise
them
for
the
next
meeting,
but
we
can
we
can
reach
out
and
see
if
one
of
them
can
do
this
sometime
soon,.
M
C
Okay,
well,
just
on
that
note,
andreas
and
andrew
are
they?
Are
they
the
right
directions?
I
don't
know
I'm
probably
on
a
different
like
little
picture
here,
but
anyway
on
my
computer.
I
point
into
them.
Those
two
guys
are
actually
working
with
me
on
a
like
a
capture,
the
flag
event.
I
know
this
is
unrelated,
but
it's
got
something
to
do
with
cloud
native
security
at
least,
and
we've
got
it
like.