From YouTube: CNCF Security TAG Regular Meeting 2022-01-05
Description
No description was provided for this meeting.
A: We've had two folks volunteer to be scribes for today to ensure all actions and primary content discussed is recorded in the written notes and can be referred to later for existing members and working group representatives. Please remember to include your organization and company, along with the working group you're involved with and a corresponding update.

A: All right, no new members. I'm not gonna go through and triage the current issues, because I have been out for a very long time. I do know that we don't have another time zone currently, unless that has changed.
A: Can I go with that's a no? Anybody have any notes from any of the recent TOC meetings? I know that the last one was cancelled and the next one, I think, is like January 18th.

D: Yeah, I can give at least a quick thing. So, still waiting on the internal technical writers to do some cleanup and generate, you know, a PDF draft for the document. I believe that there was some miscommunication at some point, but also, I believe, with the holidays and everything else, it looks like it's sort of sitting there. So I did message them again yesterday in the Jira ticket to ask about what the status is of it.

D: I do hope it goes out sooner rather than later. If it could take a while, we might want to think about a different approach to sort of releasing this for feedback, because I know we want to get it sooner rather than later, so that we're ready by KubeCon Valencia.

C: Currently, we have no ETA or indication that they've actually started working on it, and a lot of the thinking why we had submitted it to them before opening to feedback was: we know the production and publishing process takes time, so get that started, and once we have a cleaned-up PDF we could circulate it. That would be really easy.

C: Having the production template and all just to make updates, but yeah, probably a good idea. If we can circulate the artifact that we have, we don't expect it to change other than cleanup and wordsmithing. Perhaps so, yeah, expect the document to be circulated and start gathering feedback, so we can parallelize both.

A: Okay, and that'll be a call for public comments that'll go out through lists and the security channel and Twitter, is that correct?

A: Okay, when can we expect to see that happen? Sometime in the next two weeks?
D: So I mean my personal opinion is, especially given how many contributors are obviously reaching out to me just saying, hey, when is this going out? And then also, I noticed that I saw a couple of projects recently, one from the folks at Mattermost, who actually are citing already the Google draft, and so I think people are starting to cite the paper; we've just sort of put it out there.

A: Right, yeah, so within the repository there are instructions for issuing a call for public comment about the document. I believe they're under governance or paper resources. Apologies, it's been a while.

A: Yep, so let's go ahead and get that process kicked off for the public comments, and then there should be a template in there for you to follow. Once you have that template ready to go and you send it to our mailing list, we should be able to coordinate the Twitter posting about it as well and get the approvals to have that sent out to the mailing list. So this is really exciting. I'm happy that we've finally gotten to this point where we can start sharing it and asking for more feedback on it.

A: Okay, what I know about it... oh, Alok, are you here?
F: So for the serverless white paper, the initial team has completed the first round of the draft and there were some sections in which more content needs to be added. So before the holidays, in the last meeting, we had called out to folks who can help us contribute more on the paper so that we can add content to the remaining sections.

A: Awesome. Okay, have you heard back from any of the folks that you reached out to? Yeah.

G: Sorry, I wasn't expecting to go that early. I'm trying to figure out what the status is. I have everything PR'd, but I haven't had contact from the two security folks since before the breaks, so the PRs are kind of sitting there and, as far as I know, they're complete. I'm not sure what my next step should be.

A: So the Cloud Custodian joint review looks like there were changes that were requested against it. Let me check, that's PR 786. Thank you.

G: Oh, it's okay, I've... I probably missed it.

A: It looks like there was a question about whether or not the self-assessment should be integrated into the PR. It's up to you if you want to do it as a separate one or if you want to integrate it in this.

G: Yes, so what I did is I have a separate PR with the self-assessment, okay, and the last time I talked to both of them, we weren't sure if they were going to merge that or if I should just grab it all and merge it, because I don't want to step on their toes either.

A: Okay, so that sounds like it needs to still be resolved with Matt and Robert, correct?

A: Okay, I'll make sure at least one of them or me will reach out to you about it.

A: Okay, and then next up for the security reviews, it looks like we have two in the queue. Argo is coming up, and Keptn, so keep an eye out for those ones. I think Argo is next up on the list.

A: All right, next.
E: This is Robert, sorry, I'm just trying to figure out how to unmute on the phone.

A: All right, anyone from the security controls working group?

B: Yeah, things have been a little bit delayed, and I also think I may now have COVID, so that'll probably contribute to things. Oh no, we'll see, yeah. Hopefully something later this month or early next month we can start getting some deliverables pumping out of there.

H: Awesome, Emily. The security controls work: we had discussed that we could get some additional integration with CSA. So I'll talk to John offline on that, and then later this month, when we have that conversation with CSA, we can expand the audience.

D: One quick question. So one of the things, so I'm also the co-chair of the Financial Services User Group, and a bunch of members of that expressed interest in getting a demo from the controls working group, just to sort of better understand what you folks are doing, and if there's, you know, any way that the financial services end users can help contribute and so on.

H: Yeah, Michael, it'll be good to expand the audience after the first version is tied up. John and team are working on getting that finalized, but then we'd be changing the vision in the middle, right, and we need to expand it a little bit further for it to be actually more useful for financial organizations and other entities. So are we good to get their input? Definitely, on what they're looking for and what additional things we can include in that.

A: Still lots of work there, that's fantastic. Cloud native security map.
F: Ahead, cool. So since we last met, what we decided was: let's create one separate GitHub issue for each of the deliverables that exists today. Over the holiday break, this is the parent issue I just started on. People started adding a comment on each of those issues saying I want to take ownership of this. I know a few folks in the call have taken some ownership there.

F: There are still some open ones that need an owner to actually do the work and write the stuff that's in scope for that particular issue. So anything that you see in the GitHub issue I pasted which says "need owner" and doesn't have any comments saying "I want to take this", if you like that, please add a comment so we know that you are interested in working on this.

F: I'm also hoping to start a recurring meeting for all of us who are interested in contributing, maybe next week before this meeting, so watch out for that calendar invite. I'll try to find a way with the chairs on how to send that out to everyone involved, and yeah, if you have any more questions, reach out to me here or reach out to me on Slack.

A: Fantastic, okay. So over the past couple of months, we've had a few new issues that have come in. The co-chairs have met with the Cloud Security Alliance, because there's some overlap and some opportunities there for us to collaborate a little bit more closely. So you'll be hearing more about that later over the next several meetings that we're going to be having. Part of those discussions resulted in a new issue in the repository for a global vulnerability security summit, or something along those lines. It's been interesting.

A: So if you are interested in learning more about that, check out the issue in the repo. I don't have the number on hand, I apologize. We're still in the very early stages, trying to get logistics around planning and expected content scope and all of that. So if you are interested either in attending or in volunteering for that, go ahead and comment on the issue. It looks like it's issue 835.
C: One thing that came up over the holidays is someone pointed out, around the paper on applying secure defaults, how there was a lack of attribution to Saltzer and Schroeder's security eight principles, and that it wasn't clear whether those things were dismissing those or layering on top of those, but probably acknowledging that some form of attribution and spelling it out would be beneficial.

F: Hey Andres, this looks like probably... I missed this meeting when it was discussed, but happy to understand more. If I understand correctly, are you saying there was a question on whether SLSA and Cloud Native Eight are kind of related, and if there is some overlap, is it worth adding appropriate attribution for that?

C: So, there's a well-known publication in computer science from the 70s from Jerome Saltzer and Michael Schroeder, pretty much the manifest of, like, when you're building secure systems, you must incorporate least privilege, you must do open design, you must do all these things, something we attest for like a best practices batch. So in the introduction of this, it's unclear how these map, and maybe calling out a short, hey, acknowledging the existence of it and putting it out as an attribution of sorts would be... it could clear any confusion.

A: Pushkar, it might be beneficial, given the eight principles from Saltzer and Schroeder, as well as the existing body of work in the security space, to add a new section to the cloud native security white paper called "existing work" and either call out that we are expecting readers of this to be familiar with them and any deviations from those original existing principles and works are called out within the document. Otherwise, we assume that you're adhering to them.

C: Yeah, and you know it may even have to be, like, the root of the problem would be association with the names. I know, because these are eight items, it's convenient to call them like Secure Cloud Native Eight, but it does have a certain connotation in people's minds already, so calling the paper "Applying Secure Defaults to Cloud Native Systems" might be more appropriate, and you could have a tagline that these are eight guidelines.
A: Okay, two or three last-minute things. So the STAG leadership team is gonna resume our regularly scheduled meetings, so stay tuned over the next several weeks and months to hear more about some of our top priorities for calendar year 2022. We're hoping to finally kick off that Security Technical Advisory Group website in conjunction with the cloud native security map, so stay tuned for that. And for those of you that are not aware, KubeCon + CloudNativeCon Europe is open for registration.

A: It is going to be a hybrid event this year, and great news: CloudNativeSecurityCon is now going to be two days because of the overwhelming response we had from North America last year. So if you are interested in attending KubeCon + CloudNativeCon, go ahead and register early. If you're interested in CloudNativeSecurityCon, pay attention, CFPs are going to start opening up very soon, so keep an eye out in the Slack channel and Twitter.

C: The answer is you can submit them, but if your KubeCon talk gets approved, you cannot do a repeat of it at SecurityCon.

A: If you are accepted at both of them, you will unfortunately have to choose one. If you have submitted a talk in the past that was not accepted and you're very, very interested in it, feeling very much that you should present this talk at the conference...

A: It might be beneficial to reach out to some of your Security TAG members or other members of your network to find out if there are things that you can do to improve the overall quality, content and relatability of your talk. So on occasion, some of those CFPs do get passed over because they're just not up to par.

E: Having participated in and chaired some of the tracks in KubeCon, I can also say some of the decisions there are extremely difficult, where you have a limited number of slots and you end up rejecting 90% of the talks there and end up having to make some very difficult decisions. So it doesn't always mean that your talk was bad or even unrelatable.

F: Definitely recommend on that. I've given feedback and received feedback on proposals in KubeCon, and at least, if I'm reviewing it, I have very copious thoughts on why this is a good talk, why this, what improvements can be made. So if you have a talk that you thought was really good but couldn't make it, ask for feedback, and there will be multiple people who have looked at it in the program committee who will have very good feedback, which might lead to a future talk getting accepted for you.

A: All right, go ahead.

E: I put a link in the document in the attendee section, so if you're interested in what happened in those events, definitely take a look at what I wrote up there, and I also strongly recommend people read up about VEX, V-E-X. So that link also includes a write-up on what VEX is as well, and it's something that we'll hear a lot more about in time.

E: I don't want to go too much into it right now, but it's something that will be good to get awareness out about over time.