From YouTube: CNCF Security TAG Regular Meeting - 2021-08-11
A: So, since the last time we did a triage session for the meeting, we've had several new issues that have been opened. The first one I will talk about is Pushkar's. Pushkar is here: Pushkar had submitted issue 747 about potentially doing a v2 of the cloud native security white paper.
A: We also have an issue in for Argo to complete a security review of the project. Let's see here, I think those are the most recent issues that we have. There are several other issues within the repository; when the triage team meets again we'll go through and provide a quick update on all of those, but in the meantime everyone is obviously encouraged to go through and provide updates or provide comments on things that are of interest to them.
A: Hey then, we will go ahead and run through the updates from the attendance.
C: Sure, yeah, so it just came out of the first SLSA spec or SLSA framework community meeting. So for those who aren't aware, SLSA is a supply chain security framework.
C: The initial work was done by some Google folks, but it's now part of the OpenSSF and they're looking to kind of get increased community engagement in order to sort of, you know, make sure that it's not just Google working on it. So that initial meeting went fairly well. There are some initial folks who are now part of a steering committee.
C: I'm part of that initial steering committee now; it's unclear exactly what that's going to look like, but I just wanted to kind of bring that up, so CNCF now has some representation there. I'm also willing to hand that representation off to somebody else as well, but I just wanted to bring that up, because I know in this conversation, as well as some of the stuff with the supply chain security working group, there were some concerns originally like:
C: "Oh, what's this new thing coming out from Google?" But we're not sure; it does look like it is going to be, you know, driven by the community.
C: Sure, so there is an OpenSSF Slack. There is also the GitHub, and I will post both of those inside the meeting notes in a second here, but yeah. There is the GitHub, and there is the OpenSSF Slack and the SLSA channel in that Slack. That seems to be currently the best way to get engaged.
D: Yes, can you hear me? I was trying to speak earlier. Okay, cool, all right. I can share my screen if people are interested to discuss more, but we'll go through quickly. Both the issues: we discussed secure by default, and what does that mean to the community, maybe two, three meetings ago, and the idea was to break out for a dedicated session with somebody presenting on the topic and using that as a baseline for the discussion.
D: That will be nine months more. So I think we are halfway, where we can start thinking about version two. We have had good feedback from the survey. We have made a lot of other work and progress on the map, lexicon, supply chain white paper, policy white paper, serverless white paper, and there have been some new threats that have come into the community also, which have gained more focus, like supply chain, ransomware and other things. So with all of that, it seemed like we could potentially create a newer version.
D: I have added a tentative schedule of when maybe we can plan on getting the first draft, then reviews, and final publishing around May. So I am assuming all the people who worked on the first version would be interested, but if you weren't part of that and want to contribute to version two, you're also welcome.
D: So definitely add a comment on that issue or reach out to me, and we'll maybe keep the issue open for a while and then start picking up some pace around end of August, September, and see where we go from there.
B: I did... there was a scheduling conflict and we weren't able to put on our usual Tuesday meeting. The original plan was to conduct the meeting Tuesday, and then Tuesday of next week would pretty much be, I believe, Rob and Brandon putting together a final presentation for the TAG Security team. So I'm trying to see if we can get a meeting going before end of week to keep to that approximate schedule. If not, then maybe we'll just end up pushing it out a week and doing our final meeting this coming Tuesday.
E: Oh yes, Emily. I wanted to have a brief conversation here. I've tried to attend APAC meetings a couple of times, but it seems like the meeting doesn't happen, and when I reached out to folks in the APAC region, they said they attend this meeting. So I still think we should have that meeting, because we could potentially get more participants and volunteers in that region. So what I'm going to do is create a Doodle. I know there are some conflicts between India time versus Australia time and other areas.
E: So if people can respond back to that Doodle and provide a time frame that works for them, then we can set up an initial meeting and discuss initiatives we want to take over in that group, right, and deliver some value in some of the projects out of that. I know it makes sense to have overlap, right. Sometimes you want to attend U.S. meetings as well, but at the same time, having more focused discussions and work projects will help us as well.
E: So please be on the lookout for that Doodle, and I look forward to hearing back from you guys. Thank you.
A: Okay, we don't actually have a planned agenda beyond discussing the APAC meeting in that region or other future regions. Does anybody have any new topics, new ideas, new things they want to talk about, issues that were presented and you want to talk more in depth about?
A: Yeah, so the micro survey was a request from the CNCF to put together a focused survey on cloud native security explicitly, so separate from the cloud native security white paper and getting feedback on the paper. This is more for: is the Security Technical Advisory Group visible amongst end users and abundant amongst the community? So do people know that we exist?
A: If you haven't responded to the survey, or you haven't retweeted it or shared it, please do so; having the most amount of feedback on that survey would significantly help us. We also have use cases and industry types within our repository, or use cases and personas within the repository, that are in strong need of an update, and we could potentially use the results of the micro survey and the cloud native security paper survey to help finalize that or update it, and drive more thoughtful project engagement to understand who we're really making these things for.
A: It was sent out to the cloud native security mailing list and it was on Twitter a while. I believe we posted it in the channel, but I cannot recall offhand. We can certainly repost it in the channel so folks are aware that it exists, and if you are not part of the cloud native security mailing list, please go ahead and sign up for that.
B: I do have one question; it might be off topic, so please cut in if this isn't relevant, but do we have a sort of a team that reviews, I guess, cloud native or technical documentation, kind of similar to how we ourselves as a team oversee projects, especially those looking for CNCF graduation?
A: So the CNCF has technical documentation. Amy, you could probably talk to this better than I can. I know that it's available as a resource for some projects, but I don't believe that there is an established group beyond that.
B: I did reach out to the tech docs team on it. I just wanted to make sure I'm pointing myself in the right direction.
A: I'm just being your silent partner over here in chat. I've already met the... directed Matthew over towards tech docs, but it's good to be able to ask in here to see if anyone is interested as well, to be able to kind of bring this up, so.
B: I can show that for now, but I just wanted to bring it up, and if I figure out more and it's relevant, I'll post an update in the future.
A: All right, I posted a link to details about the survey in the chat. I'll make sure that that also goes in the channel as well. Okay, but nothing further; enjoy the rest of your day, everyone.