From YouTube: CNCF Security TAG Regular Meeting 2021-12-08
B
Yeah, good morning all. We are two minutes after; let's give one more minute for folks to join. Someone else is trying to join the meeting and we'll get started.
B
Okay, I think we can get started. I haven't seen anything on the agenda for today, but I know we have a team here that is working on cloud native security controls, and we have John, Frederick and other folks who are participating, Michael here as well, who are participating in that effort.
C
All right, so yeah, this will be pretty brief. I think, after some recent conversations, we wanted to give a bit of an update on what the Cloud Native Security Controls Catalog project has been up to: what we have done, what we're planning to do next, and see if we can gather a little bit more momentum and make some progress, get some initial releases of some sort of deliverable out and continue to iterate on that. So this project has been going for a while.
C
I am currently leading the initiative, but that was not initially the case, so we've had a little bit of a handover there and I slowed down the project a little bit, but we're looking to pick things back up. Here is essentially the team of people who've been contributing, so thanks, everyone who's been doing that sort of work. So just to talk a little bit about what the controls catalog is: our goal is to expand on the existing CNCF bodies of work.
C
Kind of map to those white papers, creating a list of controls that map to those white papers. So while it's useful to have the white paper format, sometimes we found our audience could use a little bit more of a bulleted list, and so that's one of the things that we've started to do so far, as well as to add additional implementation details for those controls.
C
I also felt like it was important to say what the scope is not for this project, so we are not looking to redo any mappings that already exist, so things like crosswalks between ISO and 800-53 and HITRUST, FedRAMP, things along those lines. We may use those, but we're not looking to redo
C
That
work,
though,
so
the
general
theme
of
this
work
is
to
become
a
catalog
right,
an
index
of
the
controls
in
some
of
these
different
frameworks
and
provide
some
additional
details
is
suggestions
in
implementation
where
that
doesn't
exist,
and
the
audience
that
we
envision
would
find
this
useful
are
partly
technical
and
partly
kind
of
more
on
the
audit
and
grc
side,
so
devsecops
engineers,
sres
platform
engineers
looking
to
use
the
implementation,
guidance
and
kind
of
maybe
learn
how
to
implement
some
of
the
control
suggestions
that
are
outlined
in
the
white
papers,
as
well
as
auditors,
regulators,
people
in
grc
roles
to
look
at
an
environment
and
identify
whether
or
not
it
is
meeting
good
practices
or
the
practices
that
are
outlined
in
the
white
papers,
all
right,
thanks
rory,
so
current
state
we,
the
work,
is
outlined
in
issue
635.
C
This is a quick snippet of the spreadsheet, but I'll just kick over to it real quick. Essentially, what we have is a listing of controls that were identified in the different white papers, and we've got maybe 197, almost 200 of them right now. We've done some iteration on the schema of how we want to outline this stuff, but the format is still a little bit rough.
C
Maybe a little bit on "keys are rotated frequently", or at least give some context around it, and the idea is that the implementation details we would be fleshing out, as well as mapping to those controls. All right, and then there's some partially complete work for mapping to 800-53, you'll notice. That's a little bit in the future state of this project, down here, but yeah.
C
We are doing some mapping to NIST 800-53, 4 or 5, of these controls, with the idea that a lot of pre-existing control crosswalks exist and many of those include 800-53, and so mapping to that may be helpful to map into other frameworks without having to actually do all of that mapping work ourselves. And, admittedly, that would be a little bit lossy, but an imperfect but non-zero benefit, I believe. So that's kind of what we have.
C
We've worked a bit in the two existing white papers and plan to keep those up to date, as we know that more revisions of those white papers will be coming out, but we also want to dig a little bit deeper in the controls information that is provided in the deliverable. So, like I mentioned, mapping to 800-53, things like 800-218, the SSDF from NIST, and also starting some collaboration with the Policy Working Group.
C
So I'm personally a little less familiar with this, but we were talking recently about providing outputs or information in a more machine-readable format, using OSCAL or potentially something else, instead of having this in a spreadsheet format as well. As you know, one of my big goals for this project is to be able to automate assessments of an existing environment against these controls, to identify whether there is partial implementation or complete implementation of some of these controls, and finding different ways, different integrations, to programmatically identify those and to better equip, you know,
C
auditors, regulators, GRC teams to walk into an environment and assess how they are doing against the controls outlined in the white papers that the CNCF has put together, and potentially others in the future as well, and then be able to feed that to implementation teams to improve the security of their environments. So yeah, I'll pause there for a second. Did anyone have any questions?
B
No questions. This is a call for participation, right? We need more folks focused on this who can help potentially in mapping some of these standards. We know SSDF version one is still draft and it's just come out, and that is the piece where, you know, CI/CD pipelines and all the supply chain security controls can also be mapped into. This, there's work to be done.
B
I just need more help here, and you know I know John and Frederick and Michael and a few other folks have been kind of focused on this. We need more hands here, so if anyone is interested in making a huge impact, think about it like a cloud controls matrix for cloud native, right, like CCM from Cloud Security Alliance. This will become equivalent to that for cloud native security, which has had a huge impact on the industry, as you know.
D
I could add one thing to it real quick. So one of the big value propositions that this provides us is, if you have an auditor right now, we have auditors who don't know how to audit a cloud native system, and the security controls environment is one of the key documents that they will be able to use to determine whether or not somebody in the cloud native space is compliant or not. So that should help increase not only the total security stance of companies over time, but should also increase the total adoption, because one of the key blockers to adopting cloud-native technologies in some scenarios, or rather accelerating the adoption, I should say, is: how do I observe this thing?
B
Yeah, and the goal of integration with OSCAL is continuous ATO, right, authority to operate, almost like FedRAMP. Similarly, cloud native controls are dynamic, so it has to be continuous.
B
So once we have this automated integration with OSCAL, it will be very easy to find where the gaps are, but at the same time there is an existing PoC that the Policy Working Group did with OSCAL. We can potentially leverage that once we have mapped all the controls. Obviously, thank you.
E
So one other thing to add there. So yeah, I haven't had a lot of time myself, but I plan to hopefully find a few folks from my team to continue to contribute. But would you folks be interested in giving a demo or a presentation also to the Financial Services User Group in the CNCF?
E
That's one of the ones I co-chair and I think they would be very interested, given, I think, as Frederick mentioned there, right, like this makes auditing a lot easier. If you tell somebody who works in finance, hey, this will help you out in auditing, they'll be like, hey yeah, how can I contribute exactly?
B
So yeah, we can take it on a road show, John, right, and get some more participants that way and see if we can make some big leaps in getting these mappings out, right. I also wanted to mention that CSA has reached out to us, and NIST has reached out to us, on a number of initiatives where they want to collaborate with us, so we might be able to get some additional volunteers from those collaborations, but it's still work in progress.
B
We're still having those conversations, and once that is finalized, we might be able to expand our volunteer base to work on this project.
C
Awesome. So if there aren't any other questions or comments, I just wanted to wrap up with some quick references so everyone knows. So we do have a channel on Slack, tag-security-controls.
C
We have a weekly meeting; it is on Wednesdays at 6 pm Eastern. I am unsure if the issue was able to get updated with the correct timing, but we did move to Wednesdays, yeah. So this is inaccurate; this needs to get updated. It is on Wednesdays at 6 pm. There's a meeting invite; if you'd like to be added, just shoot me a quick message and I can add you. All I need is your email.
C
Here's where we're meeting, so you're also welcome just to show up, and we have meeting minutes which I believe should be shared pretty publicly, at least read-only, if you're interested in seeing what we've been up to going back to May. So yeah, I can also share these slides if anyone is interested. I'll just throw a quick link in the chat that should give you edit access, I believe. And yeah, that's pretty much all I had.
B
So I didn't see anything else on the agenda for today, but we have time for open discussion, if anyone wants to bring up anything that they're concerned about or any other areas where we should be working.
E
One other just quick follow-up, just regarding the Financial Services User Group, is that the folks on the call have been expressing some desire to see some more interesting projects that some of the other folks throughout the CNCF are working on, in particular things that people might think, hey, you know, you work in finserv, you might be interested in this tool. And I think one of the things that we're all very interested in is security.
E
So you know, in the new year I think we'd be very interested in both contributing and also seeing demos from various CNCF TAG Security projects.
B
That's interesting. So yeah, we should have a greater collaboration there, right. Are they aware of the policy white paper that we are ready to publish?
E
I don't think so, yeah. Some might, but I know when it comes to a lot of the folks in that user group, you know, finance, finserv, has a reputation of being very insular and cut off from the rest of the world, and I think that is relatively, that is a true assessment, and so a lot of times we're just not very familiar with some of those things.
E
So it would not surprise me.
B
Yeah, so we need to figure out how we can cross-collaborate, right? There are a number of other initiatives which might be interesting to that group, right. And another piece of work that the App Delivery team is working on is the security chaos engineering, and that is the third layer of detection and response, right, to improve your cloud native platforms and their security, and that could be interesting to that group too.
B
So maybe we should have an offline discussion, Michael, as to what all they'll be interested in, and then we can facilitate, right, how we cross-collaborate there. Along with that, yeah, of course, cool. So I can give TOC updates. Yesterday was a TOC meeting that I presented to. I've shared the status of work we are doing on the Cloud Native Security White Paper version 2 and the feedback that we had provided on SSDF version one to NIST and what we are going to do about that in the next year.
B
What happened is we just had a very tight timeline. On a Friday afternoon, we were sent the SSDF to review, and me, Emily and Brandon got the chance to review it, and we provided over 300, 200-some items as feedback to them, but they were not able to incorporate that. The reason for that was that they had a deadline to go live with the draft, so the draft is out, but we still have work to do to incorporate all that feedback that we had provided on the cloud native technologies.
B
So that will be a piece of work which we will take up in the next year, and also, as I mentioned, CSA has been reaching out to us for better collaboration. So the feedback I got from the TOC was that this is really great, that external entities are reaching back to this group. That means we are really contributing to the industry and they are interested in the work we are doing, so kudos to all of you for building this community and making an impact in the industry.
B
So that was the TOC update, and we know the serverless white paper is still in work and there are some subsections where we still need help. So if you are familiar with the technology and you would like to contribute, please reach out and, you know, comment on the issue and we can include you in that white paper as well. I know Ariel, John Kinsella and Pushkar have taken up some sections and they are going to be revamping those sections in the white paper as well.
F
Yeah, thank you for the update. It's interesting that CSA is also interested in participating. Just for what it's worth, I work a lot with the CSA Colorado chapter, I'm a part of the board there, but we don't necessarily participate a lot in, like, working groups; it's more like building the community within Colorado. But it's good to see the CSA global team chipping in as well, yeah.
B
So folks, I don't have anything else unless you have any other questions, comments or feedback.
D
So, Michael, in terms of your call out for the Financial Services group, I can talk on two particular subjects as well. The first one is on SPIFFE and SPIRE. The focus should be more on SPIFFE than SPIRE itself. That can help them to achieve a workload identity strategy.
D
The second one is: I've also done a lot of stuff in the supply chain space as well. So, if they're interested, well, not if, but when they're interested in supply chain work that we're doing, I can put together an overview of things that we're doing within the community that can help them, which also ties into the work that NTIA and CISA are doing towards achieving that goal.
D
So, let's see if we can connect afterwards, and perhaps we can have some discussions on what would be appropriate.
E
Sure, yeah. I know I've definitely given some demos on some of the supply chain work in the Supply Chain Working Group and some of the other things that we're doing. But I know that there's a lot of areas throughout all this that they're going to be very interested in. I think, obviously, most of these things will all be happening in the new year, with, I think, us taking the next couple of weeks off, as far as also the FSUG meeting.
D
Yeah, and the end goal for me with this, or not the end goal, one of the goals, is that the supply chain provenance, like the SBOMs and similar metadata that we can gather from it, feeds into SPIFFE in such a way that I can control whether I issue a SPIFFE identity or not, based upon the supply chain provenance and metadata that's there. So tying into things like continuously checking what CVEs are there, how do I audit up the chain?
D
What if I want to put an enforcement action on something, and how do I... that gives us a really strong control point that helps unify these particular things together. So that's part of how I would pitch a possible integration to them, would be through that path as well.
E
Yep, and sounds very interesting. Actually, something that personally I've been working on, something similar quite recently; you know, my team has been working on something quite similar, so we'd definitely be interested in collaborating and seeing on that front as well.
D
Perfect, yeah, and I'm on Slack, so definitely ping me there, yeah.
A
I think this was the last one, if I am right. Yeah, yeah, when Brandon put up his 8th December wheatie as usual, then break to the new year and then.
B
Okay, cool. Well, if you're not meeting for the rest of the year, then I want to wish you all Merry Christmas and a Happy New Year, and we'll talk to you all in 2022.