From YouTube: CNCF Security TAG Regular Meeting - 2021-08-18
C: So yeah, from the supply chain working group standpoint, we are sort of consolidating around writing up the architecture and just starting to get pen to paper. We had a couple of breakout sessions over the past few weeks, got a bunch of additional details, and now we're trying to get a few folks who can contribute the time to really do a first pass of, you know, putting everything down. And yeah, that's really about it. Andres.

B: Well, we're looking for volunteers and, as Michael said, people willing to roll their sleeves and commit their time. So yeah, you should be able to find us on the Slack channel. The regular meeting cadence is posted, or feel free to reach out directly to Michael or myself if you're unsure how to get involved, but it's something you feel.

A: Great, any updates on... So I will give updates on the serverless working group. There are two meetings being held, actually three meetings being held for serverless: one is East Coast time, one is West Coast time, and one is APAC time, a time zone where people are meeting and discussing the white paper that we are writing on serverless.

A: There has been some progress made, but we are still looking for more volunteers to contribute to that who have worked on serverless platforms and have the knowledge. We had some new participants join that working group in the last couple of days, so hopefully we'll see some more progress coming out of that working group.

A: Do we have updates from any other working groups that we want to share with others at this point?

E: Do we have anyone from club pastorian review on the call?

A: And the security controls mapping, there's a working group going on there as well, and there's been some progress made there. Anyone from that working group who would like to provide any updates? I guess not; it seems like they're trying to check.

A: Yeah, on the security controls mapping, I think they're looking at different frameworks, NIST 800-53 and ISO and CSA CCM, and then they are figuring out what controls actually map to the cloud native landscape, right, in terms of... but also some of these standards are very high level, right? To drill them down to the level of detail that cloud native technologies are at, I think there's work to be done, but I'm glad that the working group has been initiated and there are people who are focused on looking at it, and if you're interested in working on any of those mappings of controls.

G: Yes, hello guys. I am new to the group, keylenders from Germany. Schwarz are the IT company of Lidl, Kaufland, located in Germany, and yeah, I was invited by one of my colleagues to join the meeting, consume some interesting stuff, and just wanted to have a look at what is going on here.

H: Hi, my name is Justin. This is my second time here, but I never really said anything. I'm responsible for fostering the adoption of Curiefense, which is a cloud native, or CNCF, sandbox project, and basically it's an application security platform for cloud native applications, and I really look forward to meeting you all or talking each week.

G: And my name is Sophia. I'm Justin's colleague; that's my first time here. So I'm also here just to kind of listen, get some, you know, insights, get the feeling. I will probably not join every week, but great to meet you all.

B: Yeah, I was curious, I heard sandbox project, but I didn't hear the name of the project itself.

H: Oh okay, well, yeah, I'm not... I'm more of the non-code open source contributor, but we could definitely get someone on like Tzury, who's the co-creator of the platform, to come on and talk about it, because it's his vision and his baby, and I just try to get people to use it.

E: Awesome. So can I create, I think, let me create a presentation issue, and can you maybe send me a GitHub ID, and then you can just tag the right people there.

H: Yeah, that's mine, and I'll get Tzury right now.

B: Yeah, well, since you're new to the group, we use issues on GitHub for planning and tracking, so we'll use that to coordinate with you and the rest of your team, find a suitable time, help you prepare the presentation. Typically those take a 30 minute slot of this one hour meeting when we have one, and we lost some time for a Q&A.

H: Oh great, yeah, he... yeah, I'll definitely be on the call and he will be driving the conversation. So we look forward to it, and yeah, it'll be great.

A: Thank you. So I don't see anything on the agenda today. Brandon, do you know of any items that we need to work through today?

E: Oh, I don't think we have any particular items that we need to work through. There are a couple issues that, you know, we just want to do a quick triage and just show people what are the current issues that are being discussed in the triage, and, you know, in their free time they can comment on that, or if they want to have some discussion. So maybe I can spend five minutes going through two, three issues, and then I think if we don't have anything else, then we can call it.

E: All right, so new in the world of triage: we have now this ongoing triage tracker. This is an issue where we're gonna write down, you know, what are some of the old issues that we discussed in the previous meetings and what is the next bunch of issues that we discuss during our weekly meetings?

E: So the idea of this triage again, just as a reminder, is that we want to be able to revisit some of the issues. A lot of these issues have been inactive for a while, and we want to kind of highlight them again in the community to see whether there are any new thoughts, any new flames that I can build that are interested in working on these issues. If not, you know, sometimes we have...

E: I think let's just take three today and we can discuss these. So how this is gonna work is I'm just gonna show you what the issues are and then talk a little bit about what, based on history behind them, and we'll pose these issues to the side channels, so that folks that are not on the call can also review them, and the idea is usually if there isn't that much response or any revitalized interest...

E: So the idea here is that, you know how we have the member speech, we would have basically a similar page with the indication of, you know, I can do assessments, I can, you know, apply my expertise in cryptology, things like that, and this would act as both a way for people to find volunteers but also to be able to connect.

E: So there was a... we discussed this in previous meetings. There was a specific comment on this: you know, this should be scoped directly just for use within the TAG, just because, you know, if you want to network and stuff like that, there are better websites to do it, like LinkedIn.

E: So this would just be, you know, within the TAG itself: how do you list your skills or experience that you can help to volunteer on this work?

E: What do we do with those assessments? Are they still better? You know, what do we do with that, and I think this has occurred once or twice with, I think, the over and the in-toto review, and what we've done so far is kind of like just checked back with the authors of it to ask, like, okay, has there been any significant changes?

E: Is there any reason that we should update the security assessment? Are there any significant changes? But I think what we want to do is to be able to kind of formalize this process, right?

E: So that's a quick triage breakdown for today. I'm going to put in the issue numbers in here, and, you know, if you have any comments on there, you have any thoughts on that, you want to look like something particular for those issues, you know, do feel free to comment on them.

A: Okay, great. At this point we have an open forum if anyone wants to bring up any issues relevant to cloud native security or any of the projects that we have currently. Please feel free.

D: I like the way you say that; security papers is just about to comment. I think that's our ongoing version, yeah. I just thought that was in the agenda there to talk about a few of these things, so I think we're wrapping it up. We've got a bunch of good learnings out of it. I have a bunch of comments that I've been, how would I say, staging in a gist that I'm gonna actually copy over to the actual issue.

D: For this, I see Emily pinged me on one of the other ones that's been related and sort of sitting idle. Issue... I can find it really quickly. Of course, I can't, yeah. I can... 534, about how to basically align some of the comments we had coming out of this list. We want... it might be beneficial if there's a bit more teeth behind us just saying, hey, it'd be nice.

D: If so, I'll make some comments on that as well and see if this is something... there's definitely some benefit out of it; there's definitely... the community really appreciated it. I think it comes down to how we both executed and sort of how we get people to become part of it. So I'll put those comments and we'll see where it...

E: So yeah, I think that's just something to keep in mind, maybe, you know, going forward as we are... we are, yeah, kind of digesting the whole experience and, yeah, what we want to do going forward. You know, Argo CD would be a good project to maybe have the next experiment on, or, you know, if you're gonna assemble an army of people, okay.

D: Cool, I'll touch base with her and yeah. I think, definitely, what we've seen from this, it was probably a little longer than we wanted to. I think that's okay, but I think we definitely picked up early site came up sometimes for how we can sort of attack this better in the future. So yeah, I'll stick back with her.

A: Great, yeah, I also wanted to share that the chaos engineering working group out of App Delivery, they're doing some good work in terms of planning. They're writing a white paper which describes how to do chaos engineering, and we are also plugging in from a security standpoint how we can do some offensive techniques to create chaos from a security point of view and then validate the resilience of a cloud native platform or service. So that is an interesting piece of work. If anyone wants to get involved, feel free to join that working group as well.