From YouTube: CNCF SIG-Security Meeting - 2019-06-19
A
Just to try to start us off, because we're all here and you'd be ashamed to sit around and wait. So why don't we start with these real things? If you haven't already added yourself to the meeting notes in terms of attendance, please do so. I'll go ahead and post a link here in chat, and so you can see. Looks like Sarah's on now. Sarah, are you there?
C
B
So I thought we have a, I now have access to the CNCF service desk in our ongoing process. News, it's coming together, and we have some logo ideas from the artist, which is great. And so I thought, as part of our check-in, before I share those images, which were just tuned, there's kind of a brainstorm based on some notes that is gonna verbally conveyed, and so there's a bit of a telephone. I thought it might be nice as part of our check-in.
B
If people would, if you're so inclined, share any visual imagery you think of, or things that we would want to embody in our, you know, communication presence, because we're going to, we're doing a little microsite about cloud native security, and which is like, the idea is that the repo is the about the workings of the SIG and that's like where we have, like if you're working, but all of the in-progress stuff is more surface than the process.
B
Stuff is more service, whereas the microsite is more about like our output, what people can't come and learn from the microsite without necessarily being involved in the city? So, so anyhow, so the logo would be for, like, you know, for us to put wherever and then eventually on materials and things. So, so do we have scribe. Sorry, I've lost my window.
B
B
Ideas about, about representing cloud native security, and then we'll have agenda booking these. We have a number of issues that need discussion where we're moving towards this proposal process. So I thought we could do some agenda making and talk about the things that are currently proposals and things that we would like to have proposes for and start following your process. So my name is Sarah Allen, I am a co-chair of this working group. Dan may be able to join us.
B
JJ sends his regrets, and I have been working on getting our PR count to zero. Thank you, Brendan and Emily, and other people, Robert, different people who've been chiming in with PRs and on issues, really appreciate that. So that's been my, my news for the week lot. So I'm just gonna go down the attendance list and then we'll see if we missed anybody or meets okay.
D
B
B
It's, you know, risk reduction, and so, so I shout it out on Slack ages ago, but like maybe like a secret agent emoji, like somebody, we're all like trying to figure things out. So I don't know whether you looks have any imagery around cloud native you want to add to your stand up.
D
B
A
Okay, so I don't have any imagery, so I'll just skip that part. This week the automotive TUF version, Uptane, we officially voted for IEEE-ISTO certification of standardization of the 1.0 version. For that, the project also is going to be joining the Linux Foundation, not under the CNCF. So we've started that process as well.
B
A
Uptane is going to be under some new thing that is housing specs in the Linux Foundation, which TUF and other things like SPIFFE and others may also end up under as well. It's, it's not like the CNCF. It's not like we sort of leave where we are to go there. It's just sort of an additional resource we can use in this and ZF, much like we might decide to use their social media marketing or not decide to use it. It doesn't change whether we're in the CNCF one way or the other. Great.
E
So I'm just back from vacation. I looked at the Opus Essman dock. It looks pretty good. I just had a couple of small comments with Justin addressed, so that's pretty much it, and as far as the little boys concern I agree with large something like a shillings. What would look really nice, yeah? That's good.
G
I'm Craig Ingram from Salesforce and I'm on the Kubernetes security audit working group, which is wrapping up, or just most of the, the findings and things I've been in into the product security group for Kubernetes, and we're kind of just wrapping up like reports and things like that, and a couple of she's under embargo until product security handles that. But that's exciting to have that wrapping up. Imagery, I like the, the shield, the sword or some type of armor type thing instead of the lock. That sounds, that sounds pretty cool. Great, thanks.
H
So I've been working on some threat modeling work around Kubernetes and reaching out to just in Commack and attention any others within the security SIG group to take a look at that, and I chair the financial users group. This is some work that we're looking at contributing back to humanity from, from within that group. So I'm just been looking for security guidance on that. Okay.
I
The thing I've been working on this week is to get the installation docs for ovary written, which, that's been submitted via pull request, and then the other thing, we kicked off our security audit with the Cure53 people, and so making sure that, trying to get some things to get those people up to speed and working and productive. Right.
J
I'm Brandon from IBM Research, so what's new, we are starting to push to work on image encryption into OCI spec. We already issued a KP for the future, which kind of gets me curious into, you know, how we can get, whether these things are going to be part of the security assessments that we do as well, but does far be a discussion on that time.
J
Also, it's kind of just a shout out: if you're going to be at KubeCon China next week, comment on the issue that's open and we can permute up. Imagery, so I like this all in the shield thing. Also I kind of something that I would see. Calculus like if you had the CNCF they'll go with the shield as well.
J
K
Yeah, thanks. Yeah, I've been out on vacation. I just came back on Monday, so I don't have a lot to report. My mental image is, we used a uniformed officer checking a passport for one of our products for a while. Not sure if uniformed officers is the right thing, but checking a passport, maybe at night checking a passport or something like that, to go with the shield, and I'm still interested in.
K
K
B
L
M
N
B
B
O
I'm Emily Fox, I'm from the National Security Agency, and I've been doing a couple of PRs trying to get those governance and a lot of the documentation up to date and integrated, and trying to provide more foundations for all of that. And I vote anything that is not a security lock, I'd be happy with.
P
So I've been kind of hold most of my telling pulled by where we are in the release process, plus the fact that we just had some reorg. That was actually very good for me, but means that I'm bringing other people up to speed. So that's been a bit of a distraction, but I agree with the anything but a lock, and, and I think it should be thing.
P
I like about sword and shield is that it can be very simple. I think we should use imagery that can, that can work an icon or sticker size as well as website size, and so I think, you know, things that can be very, very simple in design are really useful. That said, one of the things I would really like to do that I brought up in Barcelona is.
P
Starting with ride-along and then maybe getting more involved in future assessments. I had volunteered my security engineer, who promptly left the company two days after I, laughter, I put him forth, and I think we're not going to get to replace him for that. That is the security guy on the Kubernetes distro team, till probably next quarter. So, but anyway, I would still very much like to ride along.
H
B
Justin, do you have any, like, so I think chiming in on the issues when there's one open and then you'll hear about them on like the, on the meeting, so that we welcome people shadowing, and just in capless? Do you have anything more to add about? Is there a process that you envision for that, or do you want people to just join the.
A
Channel and help. Here's a, there's somewhere a document or an issue or a thing that says who signed up for which assessments, and we do that. A few people got added to, and I wish I had a. We should probably link that somewhere prominently off the site and people can add themselves. I know I added a couple people and who reached out to me, and a few people added themselves. So there's at least an exist, like there's a proof it's somewhere, but we do need to link it better. Cool.
B
B
I'd like to do a little agenda making next, and so, if you have an issue, project proposal or thing that isn't yet written up and is an issue that, you know, feedback from the group would be valuable or, you know, awareness, if you can put it under here. We have the proposed, or I guess we can put it here. There it is, thank you. If you can put, well, just take a few minutes, and I just put the little go here, and Christian put in platform and implementer and.
B
I
B
B
B
And then I think you didn't have a urgency, Christian, right now. I'm a platform implementer roll-off with that. I think it'd be good for everybody to have a chance to read that and queue it up for next week, unless we have a bunch of time at the end, but I think we'll be busy. Any, any other things to add to the agenda? We're gonna go over some process.
B
B
I'll dig them up while we're covering the other things. So, so just quickly, I just wanted to show everybody, if you now, if you go to issues and you say new issue, you can make a proposal, have a security assessment or make a suggestion. I wish these were in a different order, because it makes it seem like security assessments are the thing you do after a proposal, but I think they're in alphabetical order. So, so generally, we are steering people towards the governance model.
B
Where proposals mean that you want to take the lead or participate in driving something forward and you're kind of volunteering with the proposal. Suggestions are either, it's like you're not really sure what it's gonna be, so you're not quite ready to volunteer and you want feedback, or you think it's a good idea but you're not gonna work on it. Right, and generally we prioritize things that have enthusiasm for people who stand up and say that they're gonna work on it, because this is all driven by people who step up and do the things.
B
I'm in and interrupt me, and so in now, if you go to issues, we have this proposal tag which then have. There are two proposals where we really should have like something that goes from proposal to like, and whatever the noun is for it's actually an accepted proposal. Although the internet has a long history, of course, with professed requests for comments becoming specs while still being called the RFCs, so maybe, you know, there's a precedence of leaving things as a proposal, and I.
B
Think SIG Security Day is also in that category, so I'm going to assign a label, because I think that this, so now, if you use one of those templates, it auto-labels it, which is pretty nifty, but then I'll make this a proposal. And then, if you see something that should be a proposal and isn't labeled that way, just shout out on the triage channel or put a note on it and with whatever information is missing, and then we'll, we, well.
B
Michael, should we go first to SIG Security Day? So, though, I don't think this covers the proposal format. So I will, it's okay. We can, we can just cover the quest once you go over what it is in general, and then we'll cover the kind of the open questions in terms of what's missing from the template format, and I'll dig up the template and add.
I
It, yeah, we had talked about this a couple weeks ago on the cost, so I'll just bring it back up for anyone who wasn't on it. The idea is to create a day that's focused on security. So take a step back, so every, every KubeCon and CloudNativeCon, before, they have this day of add-on events. This is typically used by vendors as a way to create, you know, a vendor specific, you pull in their vendor specific community and pitch product.
I
It's also been used for the Kubernetes contributor summit is held that day, and then last edition of KubeCon EU in Barcelona, the security folks got together, I think almost pretty much like six storage got together, and had a cloud native security day. It was ran and organized by the vendors of that community.
I
It's a well proven path in the world of DevOps days, conferences and things like that, and other conferences as well. So I would like to see if we could incorporate open spaces in some way, as well as traditional kind of speakers and talks like that. I think it would have to be a single-track event just to get started, and then eventually it could probably grow into something multiply track if we really wanted to put ever behind it. Yeah.
B
She doesn't actually facilitate it anymore, but she facilitated the first, like, you know, 16 of them herself, and she's an incredibly experienced facilitator who is also an identity expert, so that would might be something to explore. And if we had a space which had a bunch of different rooms, we could potentially, you know, have likes, maybe some opening panels or things that we arranged, and then some, some of the day be open space. Yeah.
I
We will have to see what, we submitted this as a proposal to the CNCF, and I don't know, and maybe Amy can help us understand if there are special distance for SIGs about adding on one of these events, and then, since we're actually technically a CNCF sponsor SIG, does the CNCF provide the funding for that, or do we need to go find sponsors to provide the money into that? You know, Cystic is happy to sponsor.
N
B
B
If we want to do it like on-site at the conference center, then it has to be classroom setting and there's, there's no flexibility with how the room is arranged, yep, and if, but we can be in the registration, right, like we can be like you just sign up for it, and then we could get something, if there's something available, like a few blocks away, like we sort of.
I
B
A
So there's one other related thing I'd like to mention, which is that NYU every year hosts in, in early November, I think it's six to ninth this year, we host a, one of the biggest security like events in the world, this thing called CSAW, and it has people from industry and academia and government, and, and we have something like twenty thousand students participate in at least the initial rounds, and there's been interest from some of our sponsors on having some kind of security event that they would pay for.
A
To have people come and do this. So one of the things I thought of was to have something I think quite similar to what's being described here, and possibly try to get some folks from a lot of the cloud native projects that have a security vent, or folks from SIG Security and things, especially those in the area. But of course, you know, hopefully a few people to come in and check it out.
A
I
A
B
I
B
I
A
It, there's a conference at NYU, it's a big security conference. We have sponsors that want to host some kind of cloud-ish workshop there. The idea would be to do something effectively this, and would some people be interested babbling out to do this. This is, this would be going to New York in November 6th to 9th timeframe and getting to see like massive.
A
You know, you think of something like RSA or something like that with less of a kind of commercial feel, so you get the best students in the world that are participating in CTF. There's embedded hardware challenges, you get research presentations, there's a dozen or so different events that happen there that are capture the flag or trivia quiz, high school forensics challenge.
A
It's, it's really a neat event, so I'm wondering if, since the sponsorship aspect of that seems to already be figured out from our side, if there would be interested, interest in people in this community to come and attend and participate, if we, you know, which would have no charge other than possibly the charge of going to New York, although I can try to see if we can cover some of that cost. So.
B
Let's, so I think that, so are you put in less you're proposing this instead of doing it at KubeCon? I wonder whether we should, and we can take quick feedback from people, like I'm trying to figure out, like, are you asking, would this conflict because it's around the same date, and then it will there's.
A
Some uncertainty about some aspects of this, about this proposal, sponsorship, and do we have to charge people, and can we get space, and how does all that work, and then I'm wondering if, or at least, you know, certainly for people that are in New York I would hope that they would be interested in attending this event, if it sounds interesting, but I'm hoping we can put on the show like a program where we would get presentations with folks from like SPIFFE, SPIRE, Falco, you know, and sto related projects, and, and have a workshop.
A
That sounds very much similar to what is being described here. I don't want to kind of like steal the thunder or change, you know, change what's happening here, if this is kind of a done deal, but I wouldn't just mention that we don't have, you know, we may have some of the logistics also here sorted, in perhaps there's another way, you know, there's another option here, if there's problems with, you know, we'd have to get sponsors and we have a hard time, or you know these.
A
C
Throwing it out there, they, they sound both like they're separate things, but they're both really interesting. The New York event to me sounds like the audience, I could be wrong, but sounds like the audience will be, you know, folks that go to NYU and other universities, New York as the actual audience, and then this is more, you know, the folks that come to KubeCon. I think the initial thing that Michael said was for the KubeCon thing and San Diego.
C
Currently what we had today is there security events the day before, but their vendor their champion. My vendors and though you don't actually get a good picture of what, you know, the community wants, and, you know, some of the work that we are doing as a SIG, and I think that's kind of what, I think that's what we're trying to check in with this free day event. Yep.
A
Exactly, yeah, I, I think, I mean, we do have thousands of people come in from out of town for this event, but it does have, and it does have academia and government there in much greater force than you'll see at a KubeCon. But there's also a, you know, a fair amount of industry, but you won't have the kind of people that are coming in to go to a talk on storage and, oh hey, the security thing looks good. It's going to be security.
A
C
I got you, my Justin, I didn't realize that. I thought it was just like a Europe, you know, and what you event, but no, I think it sounds cool. Just from like a conference perspective and from, you know, content perspective on security, I think there's a lot more that all of us could be doing to actually be talking about stuff in general.
I
You know, I'd be happy to participate with anything else you saw, but I think it would be a, in addition to what we try and do at confront a me, because our audience and our end users are there at coop converses. Well, you might have end users there, CSAW, you definitely have a much greater concentration of end users at, in San Diego, and I think.
I
When I say this from the point of view of a vendor as well, well, yeah, you know, these are necessary, but I just feel like the CNCF bills themselves as an open source community, and which it is, and I just think that we need to, we need to help them emphasize that, I agree, and stay true to that mission. Yeah.
H
B
I'm trying to write up this, I think the impact statement, like that this format is I could really helpful, cuz it, like, it helps us maybe like frame this difference between this event and what doesn't describe, and it sounds like people don't think that there's an issue with having these two close together, because there are people who live in New York and it would be easy for them, because the New York thing, or people who have reason, you know, where they're traveling all the time, and that might be fine.
B
N
I
K
M
M
Is it to promote certain ideas that we are going to be proposing as a security group, or is it just to have some open dialogue where we are collecting information from different vendors, and somehow that would be a contribution towards our goal, whatever that might be at the final form in the security group? I'm trying to understand and clarify something so that, you know, so that we have, we have a similar goal as a whole group. What, what is actually happening in this group at the end.
M
I'm not quite, you know, peaking on the day per se, but I'm thinking about, you know, the purpose of these proposals on a 30 day that we designate, or we suggest, as to what do we project to the outside of this community, that what are we doing and how this is write it to this particular group, whether are we going to take these an input and try to massage them or incorporate them in our final publication, whatever that might be. I heard before that we're not creating standard?
M
K
Typically, in an unconference, this is mostly about an exchanging of ideas, right, so you have the different people coming together and discuss arbitrary things, right, and it could be, then some people get together and decide to come up with a new project, or they come, get, get together and decide, you know, maybe we should have a stand or something, all right. So I don't think this is, because you mentioned that earlier, I don't think this is about mint attack. I think this is typically about community, right, yeah. Anybody can propose any, I assume.
B
Whoever shows up likes us like knowledge sharing amongst ourselves, right, and, and just kind of furthering the end of like what the individuals and we together want to do. Then, the open space format, we're not very directive about that, right, but we could say it, even in the open space format, we could say we're seeking like presentations in this area. Right, or people aren't going to be, you know, teaching knitting, they're going to be doing things around security and see and so forth.
B
So we, we can frame the open space thing. So I think that going back to TK's question, the, you know, this is the objective of our group, right, to discover and produce resources that enable secure access, policy control and safety, and then we have like a big long charter that does that, that elaborates on that, where, you know, like we're basically kind of, I think the vision actually captures at best, which is like, which is that there exists a future where we're.
B
We have all the tools we need to make secure systems, and when we talk to each other, there isn't a great deal of confusion about what we're talking about, and, and that after we get through the basics of explaining to each other in the world in a common way, what is, what do we mean by cloud native security anyhow, and what are the things that people are doing today?
B
That, at least I've talked to, most, most people in this group that I've talked to one on one believe that there actually are a lot of gaps right now, and there are a lot of, there's a lot of DIY security, which everybody's like, I'd rather not be building all this myself, and, you know, this, this actually security risks from just like. Oh yeah.
H
B
B
Think the, the key thing about the versus a bunch of people who created the CNCF seem to believe that the work that being a standard body implies that you make only one standard and then you require everybody to conform to that standard, right. And so that's not what we're doing. We're not saying we're going to invent something that then we set a requirement on all CNCF things. That's what it means, why we're not making a standards, but we can like the cloud events.
B
M
So in other words, someone will get some benefit from reading these things, of following this documentation, saying that, well, here is the guidelines. This is what we are going to follow if we want to reside in the cloud native environment, and we're going to be able to sufficiently secure ourselves based on CNCF SIG Security group's recommendations, so I think they.
B
Say this is a big, I think it would be actually really helpful to have this as its own discussion, because this is kind of feeds into that. Like, I think that this is one of our challenges, right, that we have a white paper and a landscape, and we have a lot of questions about, like, we're not all making this, just because we're all doing cloud things doesn't mean they're all the same thing, right.
B
If I'm making a hosted deployed system, that's not the same as I'm making built software that somebody else divorce, and, you know, libraries versus web services, so, but I think that, where we veered off of the topic of SIG Security Day, and I think that, I don't think that we're gonna finalize, I think that, I think what I'd like to do is send this back to you, Michael, which is that, like, the goal of the day is.
B
Like maybe this isn't the question to you is, after this day, are you expecting that something, like what will have been different? What will have been accomplished at the end of the day, like is there, is there anything that think that the output of the end of the day that you would want to articulate? I.
O
Would argue that the security day should provide the community with an opportunity for education, information sharing, collaboration and cultural shift with regards to security and cloud native environments. If I was going to that day, I would expect to walk away with a punt. That's how this organization is doing it in our cloud native environment, or I never thought of integrating security into DevOps in that particular fashion.
O
More of like an information exchange in a collaboration, like how do we improve this base, like we talked about all the time whenever we go to these conferences, like this doesn't exist, why does it exist? Maybe do like a hackathon or recommend that in a hallway track and then set that up as like sponsored out of SIG Security or in support advicing security?
O
To do this hackathon thing at the next, I don't know, conference event. I think I'm expecting this to be identifying gaps in this space, enabling people to find each other and to work together to achieve security in cloud native environments, but it's not just the technology and the tooling, it's the processes and the culture and the practices that go with it. Yeah.
I
M
O
Yeah, it was me, I, exactly what Michael said. If there's conversations and open spaces that are going on, the scribes should be recording that, and that can be one of those archives documents or one of those archives discussions that have gone on, and providing a centralized document for best practice and, and doing security in the cloud is like way, way too broad of an area.
O
I think that, and it's kind of outside of the scope of this SIG in my opinion, and that we're reviewing the open source projects or the cloud native projects that are coming in to look at how they're doing security and inform the community in a centralized fashion: this is the way that they're doing things, and here's, here's our recommendations back to those individual projects and efforts about how they can potentially do it better, because security is, it's not I like follow.
C
B
The, is there some way to frame this such that it is more likely that, at the end of the day, whatever artifacts are produced are useful outside of the, from the outside of the people who show up, right, and so I think it might be neat for, I think, Emily, you had volunteered to help Michael on kind of framing the, the agenda. I didn't thank you, but yeah.
B
If you could maybe kind of firm up the, the how it's framed, so that, so that maybe there would be some, like, to at least to be clear what the outputs would be. I mean, maybe this day is just for the people who show up, right, but I like the idea that at least some of it would be, the notes or the whatever is produced there would be useful after, and I think like crisping that up a little bit would, you know, I think make the day more.
I
B
You know, they're, they're more for the people who are there, right, and which parts of it are things that it's kind of producing content or resources which could be useful afterwards, and, and you know, like as you finalize the format. So do you have it, so I have, I kind of have a draft of this change. Michael, I'm, I'm just gonna leave. This is dot dot.
B
B
I was gonna move it to the bottom, like, so what I did here, I'm gonna just email this to you, I'm not gonna commit it, because it's not done, but like if we say that this is the proposed format, right, and the goal. So then there's like a little checklist about how far we are through it, and you can edit this. Okay.
B
I know this was, I totally get it, and if you want to move some of this to a Google Doc or whatever it's useful, that would be good.
B
But, but.
C
B
You know, we're retroactively conforming to our new process. So that's, it's all good, but I haven't committed this. I'll just send you an email and you can use it or not or whatever. All right. So it's 11 o'clock, thanks, everybody. I guess we needed a whole session on security good day. Michael, do you, if you need any other Giannini other inputs from the group.
B
Or we can also like follow up with Slack right after this, or have a quick check-in for the logistics, but it sounds like people are very enthusiastic. I think Mike will drop because he's gonna call, all right. Okay, so, and then feel free to chime in on the logo. I will brainstorm with the person who does the logo.
B
Usually they have ideas about how to kind of converge on decisions that are structured, but right now, I think we're, we're ideating on imagery, and, and so, so yeah, we'll get some of the notes into the, anybody should feel free to chime in now. All right, thanks, everybody, and we'll see you all next week.