Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / TAG Security / Regular / 18 Aug 2021
Cloud Native Computing Foundation / TAG Security / Regular / 18 Aug 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: CNCF Security TAG Regular Meeting - 2021-08-18

Description

CNCF Security TAG Regular Meeting - 2021-08-18

A

Start with any updates on the working groups.

A

Michael or andres, do you want to give us a quick update on the supply chain working group and the progress made there.

B

Michael, you want to go for it sure.

C

um So yeah from the supply chain uh working group uh standpoint, we are sort of consolidating around writing up the architecture and just starting to get like pen to paper, and we had a couple of breakout sessions uh over the past few weeks got a bunch of additional details now we're trying to get a few folks just to um who can contribute the time uh to really do sort of a a first pass of um you know putting everything down and uh yeah. That's really about it. um Andres.

B

Yeah, nothing to that covered at all I'd say I don't know if, if anyone is, is intrigued?

B

uh Well we're we're looking for volunteers and, as michael said, uh people willing to roll their roll their sleeves and commit their time so yeah. You should be able to find us on the slack channel as well as yeah. The regular meeting cadence is posted or feel free to reach out directly to michael or myself, if you're not unsure how to get involved. But it's something you feel.

A

You want to.

B

Do.

A

Great um any updates on.

A

um So I will give updates on serverless working group and there are two meetings being held. Actually three meetings being held for serverless, one is east coast time and one is west coast time and one is um a pack time, a time zone where people are meeting and discussing the white paper that we are writing on uh the serverless.

A

um There has been some progress made, but we are still looking for more volunteers to contribute to that who have worked on serverless platforms and have the knowledge uh we had. Some new participants joined that working group in the last couple of days. So hopefully we'll see some more progress coming out of that working group.

D

Thank.

A

You um do we have updates from any other working groups that we want to share with others. At this point.

E

Do we have anyone from uh club pastorian review on the call.

A

That's not.

A

And and the security controls mapping there's a working group going on there as well uh and there's been some progress made there. Anyone from that working group who will like to provide any updates.

A

I guess not, um it seems like they're trying to check.

F

Me.

A

On mute, I think.

F

Yeah sorry, I'm here from cloud custodian, but we haven't had a chance to meet in the last two weeks, so nothing to report and I don't see either of them here so uh next week. Probably.

E

Sounds good. Thank you.

A

Yeah on the security controls mapping, I think they're looking at different frameworks, nest, 853 and iso and csa ccm, and then they are figuring out what controls actually map to cloud native um landscape right um in terms of, but also some of these standards are very high level right uh to drill them down to the level of detail that cloud native technologies are, I think, there's work to be done, but I'm glad that the working group has been initiated and there are people who are focused on looking at it and if you're interested in working on any of those mappings of controls.

A

You're welcome to join that working group as well.

A

Do we have any new members joining us today who would like to introduce themselves to the group? Please.

G

Yes, hello guys. uh I am new to the group um keylenders from germany. Schwarze are the I.t company of needland karlsland, located in germany and um yeah. I was invited by one of my colleagues to like join the meeting um consume some interesting stuff and just wanted to have a look. uh What is going around here.

A

Welcome to the group. Thank you. Thank.

H

You hi, um my name is justin. uh I this is my second time here, but I never really said anything uh we're. I run I'm responsible for fostering the adoption of curie fence, which is a cloud native or cncf sandbox project, and basically it's a application security platform for cloud native applications, and I really look forward to meeting you all or talking each week.

A

Welcome justin.

G

And uh my name is sophia: I'm justin's colleague uh that's my first time here. So uh I'm also here just to kind of listen uh got some. You know insights get the feeling. I will probably not join every week but uh great to meet you all.

A

Welcome. Thank you for joining.

B

What project is it that you guys are working on? What was it he said, justin.

H

I'm sorry, I broke up a little.

B

Yeah, I was curious, uh I heard sandbox project, but I didn't hear the the name of the project itself.

H

Yeah, it's a curie fence, I'm going to I'll drop the url in here. I hope that doesn't come off. Spammy.

E

We're looking for someone to talk about period.

H

Oh okay: well, here we're we're yeah, I'm I'm, I'm not uh I'm more of the non-code uh open source contributor, uh but we could definitely get someone on uh like zuri who's, the co-creator of the platform uh to come on and talk about it because it's his vision and his baby and I just try to get people to use it.

E

Awesome so um can I create, I think, let me create a presentation issue and can I can you maybe send me a github id and then you can just tag the right people there.

H

Yeah, uh that's mine and I'll get series right now.

B

Yeah well since, since you're new to the group, uh we used issues on github for planning and tracking, so we'll use that to coordinate with you and the rest of your team find a suitable time help. You prepare the presentation, typically, those those take a 30 minute slot of this one hour meeting when we have one and we lost some time for a q, a.

H

Oh great yeah, he um yeah I'll definitely be on the call and he will be driving the um the conversation. So uh we look forward to it and um yeah it'll be great.

C

Thanks for.

G

That.

B

Yeah.

F

Awesome.

B

Glad to have you guys here and looking forward to learning more.

H

Likewise,.

A

Thank you, so I don't see anything on the agenda today. uh Brandon, do you know of any items that we need to work through today.

E

Oh, I don't think we have any particular items that we need to work through. um There are a couple issues that you know. We just want to do a quick triage and just show people um what are the current issues that are being discussed in the triage, and you know in their free time they can comment on that or if they want to have some discussion. So maybe I can spend uh five minutes going through two three issues and then I think if we don't have anything else, then we can. We can call it.

A

Sounds.

E

Good.

A

Brandon go for it all right. One second,.

E

All right so um new in the world of triage. uh We have now this um ongoing triage tracker. um This is an issue that we're gonna write down. You know what are some of the old issues that we discussed in the previous meetings and what is the next bunch of issues that we discuss during our weekly meetings?

E

um So the idea of this triage again, just just for just as a reminder, is that we want to be able to revisit some of the issues. A lot of these issues have been inactive for a while, and we want to kind of highlight them again in the community to see whether there are any new thoughts, any new flames that I can build that are interested in working on these issues. If not, you know, sometimes we have.

E

um We have to decide to take the issue out back to the bot, you know and put it down, so um so a couple issues.

E

I think, let's just take uh three today and we can discuss these um so how this is gonna work is uh I'm just gonna show you what the issues are and then talk a little bit about what what um based on history behind them and we'll pose these issues to the side channels, um so that folks that are not on the call can also review them, and the idea is usually if there isn't that much response or any revitalized interest.

E

We may take the issue and close it for now, so the first one we have is 115. This was opened back in december 2018.. um The idea for this is sme page. You know a place for people to list their skills and experience to contribute to the work of the sick.

E

So the idea here is that you know how we have the member speech. We would have basically um a page similar with the indication of you know I can do assessments I can do you know, apply my expertise in cryptology things like that, and this would uh act as both a way for people to to find volunteers, but also to be able to connect.

E

So there was a we discussed this in previous meetings. There was a specific comment on this. You know this should be scoped directly just for the use within the tag, um just because you know, if you want a network and stuff like that, there are better websites to do it like linkedin.

E

So this would just be you know within uh the tag itself, how do you list your skills or experience that you can help to volunteer on this world?.

E

Cool, so this is the first issue document any review process of the security assessments. So, as many of you know, we have security assessments that we do as part of the textbook.

E

This can be found under cncf tech security session assessments. We have about five or six so far, and the idea behind this process is to say what happens when you know. A substantial amount of time has passed, uh for example, a year.

E

What do we do with those assessments? Are they still better? You know what do we do with that, and I think this has occurred once uh or twice with. I think the the over and the in total review and what we've done so far is kind of like just checked back with the authors of it to ask like okay, has there been any significant changes?

E

uh Is there any um any reason that we should update the security assessment? Are there any significant changes, but I think what we want to do is to be able to have a kind of formalize this process right.

E

um So this is this issue 152, and this last one preview existing frameworks with regards to count native, um we have referencing standard models of vocabulary might be useful.

E

We talk about. You know the different standards, different things.

E

This is relevant to cognitive security controls catalog. So I'm not sure if I don't think there's anyone on this call, but I think the evaluation here would be. Is this issue being addressed by the security controls catalog?

E

Should this issue be closed in favor of that.

E

So that's a quick charge breakdown for today. If you I'm going to put in the issue numbers in here- um and you know, if you have any comments on there, you have any thoughts on that. You want to look like something particular for those issues. You know do feel free to comment on them.

E

Oh thanks arena. That's that's all. I have.

A

Okay, great um at this point, um we have an open forum if anyone wants to bring up any issues relevant to cloud native security or any of the projects that we have currently. Please feel free.

A

John how's, the security paypal is going. What are the projects.

D

I like the way you say that security papers is just about to comment. um I think that's our ongoing version yeah. I I just thought that was in the agenda there to talk about a few of these things, so uh I think we're wrapping it up. um We've got a bunch of good learnings out of it. uh I have a bunch of comments that I've been in. uh How would I say, staging in a a gift that I'm gonna actually copy over to the um the actual issue?

D

For this I see emily ping to me on one of the other ones. That's been related and sort of sitting idle um issue. I can find it really quickly. Of course, I can't yeah. I can um 534 about how to basically align um some of the comments we had coming out of this list. We want it might be beneficial if there's a bit more teeth behind us. Just saying: hey it'd, be a nice.

D

If um so I'll make some comments on that as well and see if this is something there's definitely some benefit of out of it there's definitely the community really appreciated it. I think it comes down to um how we both executed and sort of how we get people to become part of it. So I'll put those comments and we'll see where it.

A

Sounds goes. Thank you.

E

John, has um anybody talk to you about argo cd at all? um No okay, so we we just had a short chat of the tlc. um They mentioned that uh aqua cd may benefit from having a security pal. Oh.

F

Okay,.

E

um So yeah, I think that's just something to keep keep in mind. Maybe you know going forward as we are. We are um yeah kind of digesting the whole experience and yeah what we want to do going forward. You know ago, cd would be a good, uh a good project to maybe have the next experiment on, or you know, if you're gonna, assemble army or people, okay,.

D

Cool um I'll I'll test base with her and um yeah. I think I think, definitely what we've seen from this, the probably a little longer than we wanted to. um I think that's okay, but I think we definitely picked up um early site came up sometimes for how we can sort of attack this better in the future. So yeah I'll stick back with her.

E

Awesome thanks john.

A

Great um yeah, I also wanted to share that the kos engineering working group out of app delivery they're doing some good work in terms of planning, um they're writing a white paper which describes how to do chaos, engineering and we are also plugging in from a security standpoint, how we can do some offensive techniques to create cures from a security point of view and then validate resilient, a cloud native platform or service. So that is interesting piece of work. If anyone wants to get involved, feel free to join that working group as well.

A

Well, if you don't have anything else, I'll be happy to give you back the rest of the time today,.

E

Well,.

A

Thank you all for joining.

E

Thank you. Thanks have a wonderful day. Thank you.