From YouTube: CNCF Security TAG Regular Meeting 2021-11-03
A
All right, we also need a scribe, if anyone can volunteer to scribe. That would be awesome.
A
Okay, so let me just put it in the chat once more for those people that are showing.
A
Cool, so before we start, just a reminder that this meeting is being recorded; it's actually bringing live stream to YouTube right now, so participation meetings is by name by the CNCF, as well as TAG Security conduct. That can be found to really call. Thanks, Ash, for subscribing. For existing members and working group reps, please and grandpa, to include your organizational company alongside the working group you're involved with in the update, which looks like most of you have already done that.
A
So I think we have a pretty light agenda for today. So just a really quick update, I'm not sure the axles of the call. We had a discussion previously on whether we should kind of change the format of these meetings, whether we should skip every other week, make the second week lighter. It seems like the poll results seem to indicate that we should try out this, having every other week's meeting be kind of a light update meeting.
A
So since we have the light agenda today, maybe we'll try and strive for that. So I don't think we have any new members on the call today, so I'm going to skip that. You know the triage today.
A
That's out TOC meeting updates. We present the weekly update, now weekly update, the monthly update to TOC. So that's done. Basically, it was a quick update on the stuff that's going on in the group, with the reference architecture that Microsoft talk a bit about soon.
A
We also extended the nomination deadline, which I was okay talk a bit about soon, on the TLs, and on top of that, just an update on the security assessments.
A
Argo is going to be the upcoming one, and then we have Keptn, K-E-P-T-N, and Litmus okay of sims, also in the queue. So that's the tlc update. So maybe you'll go through quick updates on projects. Michael, you said you had an update, right?
C
Yep, so by and large the reference architecture (and I will copy that and paste it in the chat here in a second) is more or less done. At least the draft is done. We will be reaching out shortly for RFCs, you know, requests for comments from the community, and yeah, it's looking good. We're trying to do.
C
You know, some stuff on that front, and then, in addition to that, one thing to sort of add in there is we do now have a repository, which we are looking to eventually get more integrated with the actual cncps side. This is based on, you know, it's a lot of work based on a lot of the demos that a lot of folks throughout the community have done, and then we've sort of begun to tie together to start to build a real reference architecture.
C
Sorry, not reference architecture, a prototype implementation of the reference architecture. Looking for get, you know, issues, and yeah, yeah, there's gonna be some over the next couple of weeks. There's gonna be some pretty big rewrite thing.
C
Looking for any and all contributors who want to start to help on that. I'll help out on that as well. And as far as sort of next steps, we're also looking to start to partner with some other folks throughout the community, like, for example, SLSA, to see how we can sort of say, hey, SLSA is a, you know, a framework that is bringing in popularity throughout the community, and can we take that sort of reference architecture that we built and say?
C
A
Awesome, thanks, Michael. John, do you want to give an update on superior hip house?
B
A little quiet. I've been busy last few weeks, apologies! So, where I'm right now, I think we, I think, that's pretty much wrapped up. I've got a draft of what I want to sort of both put back into that issue, as well as there's another issue that Emily had wanted me to put some comments into, so I think I sort of figure out where we are, what we've done with it, and then figure out what the next steps are. So I think that's where that is right now.
A
Awesome, awesome. Do you think you can, when do you think would be a good time, I think, to kind of come to the meeting and talk a little bit about the experience and.
B
A
Awesome, yeah, so just, I think Emily may have mentioned this to you. I think one of the other projects that looking for something that could to go into the security pal system is Argo.
A
B
So I reached out and talked to them. That's something I've never got back to following up with her on. There seems to be a disconnect, so the way they think they're doing and some of the things they're doing versus some of the other folks that, you know, brought that up. It seems like people are sort of out of line. I think they're doing a little better than people think, but happy to talk about that as well and put it into some notes somewhere.
A
Awesome, yeah. Maybe we can chat about that. Let me pick up from Emily that stuff and then we can again figure out how to go forward. Awesome, thanks, Sean. Any of the updates from other projects?
D
Yeah, I have an update from serverless. I did review the white paper that was being written. There are some sections which need some more work, so I've provided that feedback to the team that is working on it. After those sections are filled out, I think we can open it up for comments.
A
D
But paper is quite light, I would say, considering that the csi paper was very heavy, right? That was an 80 page document, so we have publishing like five pages here, so need feedback from the rest of the team, because we don't want to really overlap with what css has already done. So it'll be good to get some people to look at it and get comments.
A
Thanks for right now, yeah, I like sharp papers, it's good. All right, anything else from the audio, any significant update for audio controls, cloud native security map groups?
A
A
Of course, if you have any questions about security reviews or how to participate, please feel free to drop in the chat in the site, channel and astra cool. If not, I think we can get into one of the items of the day. Yes, so the first one is just a reminder on the company community nominations for technical leads. We've extended this because a lot of folks were basically busy during KubeCon, so we figured we're going to give a bit more time for people to get their nominations together.
A
A
And we are going by the community nomination, which I will put the link to in the chat. Awesome. So that's a quick announcement, and any questions, comment on that?
B
A
Yeah, yeah, cool.
A
A
E
Okay, cool, maybe I can share screen, so it is easier to discuss.
E
Okay, cool, so just to recap, we created a white paper, the first one before the supply chain, maybe couple of years ago now, well, not couple of years, but in November 2020, so almost one year. So the idea is now, after that, so much of work has been done, and we, oh, as a security industry, also has evolved into different threats taking more importance, and then most of our group creating so much more new content. So the idea was, it would make sense to have a version.
E
E
What I'm looking at in terms of timeline, and something I want to discuss, is around end of this year we can start working on creating content for all of these updates and have some draft ready. Then, once all of us are back from New Year's Eve in Jan, Feb, we can start doing reviews, make more updates, and then, after that, we'll freeze the edits and just open it up for comments to everyone else who is not in the group. Then we'll do final reviews with TOC and TAGs.
E
So we have some eight or nine people already who have said they would be interested.
E
My maybe one or two things I wanted to discuss with everyone today was: do you see anything else we should add that's not already here? And second thing would be, if you haven't shared your interest, just add a comment here so we'll know whom to reach out, and after we have one good enough idea of what to update.
E
A
This is awesome. I would maybe something that that girl said that this is kind of to review. The micro survey results, I'm not sure whether charity on this, I haven't gotten to.
B
A
A
Myself and Emily got into contact with this during KubeCon. This is around the software, Secure Software Development Framework. So really it's starting, you know, here some guidelines around how to match software development lifecycle with the EO and things coming in with the pipeline, and I think one thing that they've mentioned is they're working on this idea that they would be able to link to all the public resources around.
A
You know, how do you do certain controls and things like that, so one of the things that we chatted very briefly about is we could have, so I'll put the link to the document, but it's kind of like the niss 853, where they have like different controls, right?
A
So I think the idea is we could do some other mapping of the SSDF to some of the parts of the pipe paper that we're writing.
A
D
We did actually provide a lot of feedback to them when they provided the draft. I.
B
D
And myself and Emily worked on that. They were not able to incorporate everything because the level of detail we were providing. The paper was intended to be a high level overview of those controls, but our controls are very, very fine-grained, but eventually these fine-grained controls have to map to that standard, right, and they want to provide that mapping. So now what they want us to do is, all the controls that we have proposed in different artifacts, we want to have some kind of reference numbers back and forth, so people can map them out.
D
E
D
Publicly draft is published, but the, you know, list drafts are out there for six to eight months or a year. Sometimes it's still a draft, but people are using it.
B
A
E
Right, right, maybe one question is: do we need to sort of align our timeline with any of the draft?
D
A
D
A
Yeah, that's, let's kind of clean up the document and make it a bit more streamlined. I know we just had like copy like big chunks of data everywhere, so maybe let's put in a profit sheet and then make it public.
D
A
Yeah, we, but we wrote a lot of things and, you know, the feedback was like they tried to incorporate some of it. Obviously some of it was difficult to, but also, you know, this particular document was targeting not only about native things, so some of the things they really had to kind of leave still very broadly because of legacy and like how people do things in the streets.
A
They also mentioned that they would have someone that we could probably talk to to figure out that, so there's someone on this side that has read our white paper and they're open to start a conversation there to say that, okay, maybe there are a few things that are missing that we should add in as well.
E
A
There is a person; we just have to, you know, make the connection. You know what, I think when this gets started, we can put you in contact with them and then we can figure it out from there.
A
Okay, let's add this to the bullet in case.
E
E
B
E
I am, I think I like: how can you be myself as well? Only thing I realized from the experience of the security falls Cloud Native 8 reviews was people found it really hard or new for themselves to add a comment or review it. So I had to actually convert the Cloud Native 8 from HackMD to Google Doc, and then I started getting a lot of comments and feedback, so just from that perspective, I almost feel like whether we are stick with.
A
E
So I think next step for me would be, maybe we will wait until next week meeting to see if people add more comments in terms of if they are interested, and then we'll set up our first call to sync up, perhaps maybe before Thanksgiving, so that we have a good idea of where we are, and then we start our updates in December. If people are not available in December, we move the deadline by a few days and continue in January.
A
Yeah, I think that was one of my concerns as well. I think the prospect of doing this through, like, Thanksgiving is actually like, a lot of people are going to be missing. Yes, so maybe perhaps a suggestion would be to do the scoping.
A
Awesome, cool, and yeah, please go ahead and post this in the Slack channel as well, and also, if you wanna ping Rawagashri, she can also post and give her like a short tweet, or you have. If you tweet something out, she can use the cncap account CNCF text secure the account to the retweet. I.
E
I see, okay, I think that works for me. Anything else or any other feedback that people would want to add or have about the process, also in general?
A
Awesome. Thank you. The last agenda item that we had was actually, I ended up hoping that Matthew was going to be on the call, but he's on the call. So I'm gonna just defend that the next time, so they can talk a little bit more about his work there.
A
If not, that's all that we have for this meeting. I saw a few other people join. Is there anyone that's new that would like to introduce yourself before we call it today?
D
E
E
So we closed the Cloud Native 8 for public comment last week on Friday. So now we have feedback that we needed. I think it is in good shape and we need to figure out where does this land, and maybe it lands in multiple places? Maybe it lands in one place? Obviously, white paper could be one good place where we can put it and it can stand on its own in the white paper.
E
Other piece kind of tied to white paper I was thinking was cloud native security map, where we have a website and much of it is coming from white paper, so either as a side effect of this getting into white paper it can go into the map, or we can just put it in the map first, just so that people can start consuming it without waiting five months more, six months more.
A
Yeah, I think in terms of repo wise, definitely kind of like being a separate results, but we were hoping to kind of consolidate the website to be able to include basically any of the resources within the regal.
A
So eventually the cloud native security map itself now is like a website that holds the cloud is the security map. We eventually want to make it a website that holds everything in the repo, and then, you know, the person who wrote this, like banking on the name right now, he designed it in a way that everybody basically reads Markdown files and then just displays them.
A
So I think one of the things that we're hoping to do is to find a few folks that are like interested in developing this a little bit more. But I agree, in the meantime, you know, we can take the copy of the that we put in the main repo and then we can also mirror it on the cloud native security map site.
E
A
Yeah, yeah, I think you can just ping me on that.
A
Yeah, cool. Any other things that anyone wants to bring out around? I just saw your comment. We are still having weekly meetings. It's just every other meeting will be shorter.
A
Which will be our month off? I guess, yeah, we'll figure that out. Any other things for folks?