From YouTube: CNCF Security TAG Meeting 2021-06-09
C: All right. Please make sure that you log in, or sign in, for attendance; make sure we've got everybody covered. If you have any updates that you would like to discuss during today's meeting, please put the title of your update in parentheses after your name. TAG leadership, if you could also just put your position after your name as well, that would be great. If you have no updates, just say "no updates" after your name. Ash is going to be our scribe today. Is there anyone else?
C: Whatever the time zone conversion is, math is hard for me. Today we talked about the cloud native security controls catalog activities that are getting started. We talked about the serverless security paper and what's going on with that. We welcomed our new chairs, Brandon and Aradna, and thanked JJ and Sarah for their service.
E: Yes, we had three people volunteer for project leads and they are all three going cb. The project leads to a serverless that helps us with backups, right: if somebody is not available, then the other person can pick up.

They are working on scheduling an initial meeting so we can set up the logistics and, you know, figure out the scope, go through the table of contents and see if you need to make adjustments, and also timelines by when we would like to get this paper out, and also look for other contributors who may be interested and who have not heard about this initiative. It's just beginning, so it is the time to get involved.

So if any of you have not put your name as a contributor and would like to contribute, please go to the issue that we discussed last meeting, last week, and put your name in there and get involved. Thank you very much. That's all my update for now, Emily. Thank you. Thanks, Serata.
B: Hey Emily, yeah, not so much of an update as just: I would like to welcome all contributions, all suggestions to that issue, so that we can probably get a bit started on that and incorporate all the changes, all the suggestions into it before we design a plan with it. Just kind of a reminder. Nothing else.
C: Okay, for those of you that don't know, that's the security-focused community proposal. It still requires triage, so we'd like to see some folks comment on it for interest, to determine whether or not it's something that the group can take on with our current bandwidth.
G: Hello, so part of what we're doing is we have a cloud native controls catalog that we're building as a subgroup under the TAG, and we're meeting every Monday at 5:00 p.m. Pacific. If you're interested in helping us catalog controls for cloud native projects, please come and join us at that time, or, if you can't make that time, that's okay, come join us on the Slack channel. I'll make sure the Slack channel gets posted. We're finalizing the schema on what this looks like. We're not looking at providing guidance on how you adhere to a specific standard; we're not saying "here's how you adhere to 800-53", as an example. Right now the initial turn of the crank is about just identifying the controls that are there across multiple projects.

So if that's something that you're interested in helping with, please get a hold of us, and I've also listed the issue where you're able to help contribute in that area. Thank you.
C: Okay, any new folks in the group that want to introduce themselves?
F: Yeah, hi, I'm Andrew, Andrew Kruger. I work at Datadog. I'm gonna be working on the serverless white paper.
C: Awesome, welcome, it's wonderful to have you. All right, so next up on our agenda, if there's no other updates... pause... no! Okay! I want to talk a little bit about security reviews, one of the things that this group does that we haven't really talked about openly or recently within the past couple of months, because they're ongoing and they're something that typically happens in the background. One of the things that the TAG does for the TOC is provide security reviews of projects within the CNCF.

We recently went through a huge effort to revitalize and make updates based on feedback and the first five security assessments that we did, and right now we have one project that is currently in process for security review and is getting closer to wrapping up. We have another one that's closely on the heels of that, and then it looks like we might have a third one coming to us shortly.

Not only whether or not the application itself for the project is designed with security in mind and is following industry best practices, but also to kind of determine what are their development practices. Do they have security around how they're accessing their project and their source code? So we've been focusing a lot on supply chain security for those projects, in addition to the general security review. If you are interested in becoming a security reviewer, feel free to reach out to any of the TAG leadership to ask questions.

Nope, okay, so that's about security reviews. So if you're interested, we have a couple that are currently going on, and then we'll have some more coming soon.
C: We recently made a new governance channel. We wanted to provide everybody a place where they can come and talk to the leadership team, or talk about how the group is run: the way that we do things, the processes around things, for instance bringing a proposal into our project, how does our roadmap work, and kind of talking through the basic logistics of what makes this community great.

So if you have any questions, or if you have ideas, or you don't understand something, feel free to jump in that channel and ask a question; that's what it's there for. And then the last thing that I had on the agenda to talk about was ongoing efforts. This group has a lot of ongoing efforts. We spent some time this past year coming up with a roadmap to understand what is our bandwidth and what is our workload.

We currently have... we just wrapped up the supply chain paper. However, that group is kicking off again to do a reference architecture, so if you're interested in that, check out the tag-security supply chain channel for more information. We've got the serverless paper starting up. We've got the controls catalog initiative starting up as part of an exploration into one of the group's charters, for auditability.
H: There's also the work around the cloud native security map, and we'll be moving on to the design phase real soon, probably by next week. So we will require volunteers as well for that. So if you're interested in joining, please join the cloud native security map channel as well.

Right, so we had the cloud native security white paper, and the white paper gave you an overview of what kind of security you need to do during development, during the distribution phase, and so on; it did not provide any specific projects that you can use during each of these phases.

And so what the map tries to do is give you specific projects which you can use for, like, development or distribution from a security perspective. So we are trying to build out this map, which helps new users; say they only know about a specific project and they want to know how they can move on to different aspects of security.

So we initially have done a text-based map right now, which basically takes all the different phases of the white paper and puts them in a text format with the respective projects. Thanks so much for contributing; a lot of folks from the community contributed towards that. And so the next stage now is to provide more guidance around how you can move about these different phases, what are the interactions between these phases, and some of the design aspects, like some of the UI aspects, to make this more interactive.

So that's going to be the next phase for the map, which is pretty exciting. So if you all are interested in that, join the map channel on TAG Security and reach out to any one of us if you want to contribute. Thanks.
D: Hello, yes, I stalled a little bit the last week, but we're going to be doing some audio recordings for white papers, maybe other printed materials, for distribution. I'm starting a new gig this week, so I got hamstrung a little bit, but the wheels will start turning on that soon. There is a tag-security-audio channel, if I recall.

Sorry, it's actually a really cool effect I just do with my voice, just trying to show off. tag-security-audio: please join if you want to be recorded or help with audio production. Thank you.
C: How we work through what our bandwidth looks like: because we have a lot of active community members, but we want to make sure that no one is overburdened and everyone has an opportunity to participate and engage in things of interest to them. So we've got it on project board number four. If you go to the repo, if you look through a couple of things, we have our regular business. We have areas for exploration, where somebody has made a suggestion or it's within our charter and we should probably start focusing on different efforts around it.

For example, one of three proposals that we currently have but haven't exactly had a lot of traction on recently is the cloud native security paper webinar, and this might roll into Puyusha's proposal.

There's also the concept of developing a microsite for us to be able to categorize and highlight presentations, better index a lot of the content that this group is creating, and then also host many micro blogs for that, whether or not they are specific to the group or specific to any of the papers that are being generated. So feel free to go through the issues.
D: Can I do an elevator pitch on what the policy working group encompasses, right? I see it mentioned and I'm not sure what exactly.
E: Well, so right now we're working on a white paper on policies, and there are different types of policies. There's a table of contents, which was actually evangelized even in this group. I'm happy to share that table of contents with you, or point you to that, and if you want to get involved, please jump in. So, in addition to all the policies, my focus is security policies, right: what are the security policies we need to deploy at the Kubernetes layer, at the microservices layer, as well as in the CI/CD pipelines?

Then what are the detective controls? If the policies get violated, how do we detect them, and how do we remediate them? So that will be the focus that I provide in that paper. So some people have actually volunteered to write some subsections.
E: So control catalog is slightly different, in my opinion, right. Control catalog is: how do you continuously validate that you are in compliance? Yes, some of the policies may be duplicated, right, but still, control catalog is a much bigger effort, in my opinion, because all these standards, right, NIST 800-53 plus, you know, several other standards, right, SOX, GDPR, all these controls and regulatory policies: how do we continually validate them, right, without having to do all kinds of manual reviews?
D: Yeah, no, it makes sense. I don't know about policy. I have a separate question as well, as long as we're filled with questions. I noticed some efforts being referred to as working groups and some not, and so when I'm looking at the supply chain stuff, if that kind of group of folks is pivoting to another kind of distinct deliverable effort but keeping that same channel, it kind of blurs the lines for me. Is there a specific definition for an effort underneath TAG Security that is a working group?

Are we differentiating between sort of time-bound efforts with one deliverable that then disband, versus do we have kind of longer-running groups that are meant to be indefinite? Maybe what I'm asking makes sense; I'm just trying to make sure of kind of the organization of things, or at least that I understand it.
C: Yeah, so I think that's a great question. We've talked about this amongst the leadership team for a while, and I don't think that we have a solid decision on how we want to manage that. Organically, what's been happening is usually someone provides a proposal, they kind of take ownership of that proposal, and it's built around a specific, concrete deliverable, and then that's typically done.

So the cloud native security white paper, for instance: that was a group of folks that got together, developed some content, made a deliverable, and the group kind of disbanded, because that's one of the main reasons for this TAG to exist. That makes sense. In other instances there is an ongoing community of interest within this TAG on particular topic areas. So we see this with the supply chain group.

The supply chain group was a bunch of folks that got together who said that they wanted to do all these grand things, which is fabulous, and we love that level of enthusiasm. But we wanted to be able to break down all of those ideas into more tangible and concrete, specific deliverables; that way they're not all trying to do everything all at once and boil the ocean. So the way that that group has been working is some folks participated in the paper.
D: That makes sense, yeah, totally. The only reason I may be asking for clarification: one, so we can talk out loud and other people can hear, but two, sometimes if there's a kind of distinct-deliverable, time-bound thing, I'm looking at it and thinking, oh, they're at the end of kind of their process; it doesn't make sense for me to jump in in the last week. But if it's a thing where it's just going to kind of keep rolling forward, then getting...
F: Just like, if you jump in last minute, there might be folks looking for a final review, or someone to go through it with a fine-tooth comb. So rather than thinking about time-bound deliverables, I would think about it as artifact-oriented deliverables. These are tactical. If you're coming in and you poke a hole or, like, smell something that should gate this thing getting published, we should delay that, rather than saying, oh, we said we were gonna do this by this date, let's just make a go/no-go at this point; and we might have some oversight. So I think let's think about it as: we're gonna produce something out of this group. The projects should be tactically oriented; sure, the strategy should inform, like, the themes or undercurrents, or how does this fit in with other artifacts or other pieces or prior work or future work.
D: I think that's totally fair. There are some mechanics there, like with the supply chain, with the supply chain selection, right. If that same group of folks wants to pivot and work on the second thing, do they make another channel to keep the efforts distinct, or do they...? You know what I mean, like just organizational-function-wise. But I totally hear what you're saying as far as: don't hesitate to jump in even if it's the fourth quarter.

Sorry, that's an Americanism. Because there's obviously good things to be done, but, you know, it violates my sense of manners to jump in at the last moment and drop a bunch of, you know, crap on something. So that's a personal personality thing, yeah, but yeah, I hear you.
F: Thank you. You bring up a great point about the mechanics, right. We don't want the conversations to be lost, and we want folks to have an arena; it's not like, hey, we finished this thing, let's hit the reset button and start again. You point out the supply chain grouping as a great example: we do have a long-running channel, or a channel.

We have a long-running call, like a bi-weekly call, for the foreseeable future, and the channel in place. But yeah, feel free to, like, come in or drop out at any point. If you were not part of the group at the onset, that shouldn't preclude you. That only means we've been missing out on you all this long. Oh.
C: So that actually brings up a good point. We have a ton of tag-security channels, and they're kind of centralized, or they're usually created as a result of a deliverable or an artifact that the group is working towards. But as those activities come to a close, we don't get rid of those channels.
E: So I can comment on that. Our goal is to focus on security for serverless, because there's already a serverless working group in CNCF. They also have a previous white paper that talks about what is serverless and what are the use cases for serverless, etc. Our focus is security, and we'll be taking an approach of identifying security controls from a service provider perspective as well as from a service consumer perspective.
I: Yeah, thanks, that helps. So has there been a definition or any type of scope defined already, or is it just starting?
E: It's starting. We have a table of contents which we still are reviewing and finalizing. Please feel free to jump into that working group and provide your input if you're interested.
E: Yes, it is called TAG Serverless.
I: Okay, and I have one more question on the cognitive portion. I heard what's been said so far; now, is the cognitive task group still alive, and does it have some sort of future tasks, so to speak, or some sort of mini project that has been conceived at this point, or what's the goal there on the cognitive?

That's one of the questions, actually. I'm not sure exactly how many projects there are in the cognitive side of it. Is it numerous?
C: This group has a lot of cloud native security-related projects. If you check out our PR, our roadmap and planning document, or the issue... so the roadmap and planning doc, the roadmap and planning project board, was dropped in the chat earlier by Andres.

You can also go through the issues and see which ones are actively being worked. Thank you for sharing. So this is a lot of what's currently, what we've talked about in these meetings, what we have planned and scheduled to be coming up, works in progress.

Please forgive us if this is not entirely up to date as of this meeting, because it's human-driven, not automated. So there's a lot of different activities that are going on, and we try to keep everything that the group has decided, like, we're gonna strive to get this done this year, on this one, but there are others.
C: We also have our general regular business about things that are going on within the group. So, whether or not it's governance, or changing some of the structure within the repo, updating our READMEs or our roles, our process documentation, because we do get a lot of, like, just general health and maintenance of the repo, to make sure the language that we're using, if it's changed, is now consistent across the entire project.
F: And we're sharing this for you to know how the leadership team is organizing work. These are not hard constraints, and this doesn't mean you're not able to, like, share what you're working on if you're running an active initiative in your organization, or whatever other organization you're part of within the community.

So what we were discussing with Chase earlier is, like, showing visibility of what are the bounds of what we're calling a project. But this doesn't mean this is not a place for, like, free-thinking engineering and bringing up new ideas, or being a forum for discussions of things that may not be captured here.

Okay, great, thank you. Yeah, so with the serverless paper, if you see, well, like, well, this is being scoped to this, but that's not covering this other thing, you can bring it up and say we should probably consider doing the part that we're not covering down the line and creating a proposal for that, if it doesn't stand the case within the serverless white paper.
C: And one of the things that this group also kind of strives for, but we don't actually have captured visibly on those boards, is presentations.

So one of the things that we try to do or bring to the community is presentations with a security focus around cloud native projects, around cloud native topics. That's how a lot of these discussions kind of start up; the supply chain work, for instance, kind of kicked off from the software factory presentation.
I: Actually, I'm part of the 5G IEEE roadmap, and it's for the 10-year roadmap projects, and a few working groups there. You know, from time to time I'm participating on the security portion of that working group.

So I'm just trying to see if there are some common interests between this and that, because they're under the umbrella of security, but their focus is obviously driven by the 5G landscape, and I personally am chairing, one of the co-chairs for, the edge working group, edge services, under the 5G. So I'm trying to see if there is some way to bring together some of this issue under kind of cohesiveness, or the same cohesiveness perhaps exists in both places, so the audience is reading the security directions they find.

There is some consistency among these. It is getting very complex, obviously, no doubt, and I don't know how, you know, the open source community is reaching out to the other groups, such as the IEEE, to see, to find a way of bringing some cohesiveness for the solutions at the end of the day. Obviously, that creates a success for the projects, or not, when it gets understood by the audiences.
A: SDK, this came up in a previous meeting briefly, because I was mentioning how the telecoms are deploying Kubernetes, and, you know, I think one way to go about this is to share the use cases across the two communities of interest.
C: We have it tagged as just a note within the project board as a reminder, because we don't actually have any open issues for it, because it's not been brought to the group in the past, so this would be the first time. So if you have a use case presentation that you want to do in this particular area, go ahead and file that presentation issue.
I: Okay, sounds good. We will discuss that in our group and see. We don't have anything ready-made at this moment to present in this format, but we are working towards bringing together the security and the edge, as it applies to the edge or vice versa, and then also how the AI/ML may play or be used in the same conjunction. So we're trying to...
A: I'm trying to get in a simple thing; I think it's simple. I'm working on a picture of how metadata gets used for security, and one of the few projects I can find that's relevant to this is the Apache Foundation project, Atlas, and I'm confused about where CNCF fits in with Apache, how they work together or don't, and, you know, are there any guidelines from the community about...
A: Yeah, and that's the back end that one of the projects I found out about was using; that's how I discovered it. But, you know, the bigger picture here is telemetry: how metadata gets built and propagated, how it fits into CI/CD, which we do talk about, because CNCF projects are managing metadata, like top is using it, and so on. So it's complicated, and the metadata community, which is another IEEE group that I'm in, is wrestling with this, but we have to, in their venue for standards work, we have to stay with open source stuff to even talk about it. You know, the minute Google or AWS products are mentioned, it has to come out, so we really want to be in a CNCF-like or open-forest-like venue for that. So even if it's, for example, right in the statement of how to do this, or to propagate metadata for security purposes, we really want exemplars that are coming from these communities.
A: The timestamp becomes metadata; it's created at that time through automation, or you might do it through discovery, so DLP tools in information security will scan the environment and discover stuff, which, through inference, will create metadata; like, it might say this is something related to classified information, or this is an infrastructure artifact, and the component might be that it's related to cloud as opposed to an on-prem kind of thing. So these two things are often not under unified dashboards; they don't even have the same terminology.

So it's a problem, and the reason it matters for security teams is that forensics and incident management need metadata to act quickly, to mine data that might be in Splunk or other open source logs, right, but on the creation side, applications management, performance monitoring, they're really looking at building the metadata in as part of the construction or developer artifacts, and those are not uniform, or, like, they're not unified; maybe that's the way to put it. I'm not sure I even answered the question; it's that complicated.
F: Yeah, it intersects with, like, supply chain security and, like, the challenges we've talked about around SBOMs, and you want to, like, put scan results and, like, SBOMs that mark vulnerabilities in there, and, like, marry the two, or be able to have a relationship reference between those two. It gets interesting.
D: John Kinsella had an idea around that with the prescription tags, you know, for images.

Now, if you have something like what John was talking about for prescription labels, then you could incorporate some of that metadata along with an image that gets scanned as well; just another way to create that content as you are also creating images as a developer or some level of distributor.
A: Sorry, I was gonna say: there's a YouTube video of his talk from Cloud Native Security Day on that particular topic. So if you're interested in watching that security nutrition labels talk, check it out on YouTube on the Cloud Native Computing Foundation's channel.
A: If there's an interest, I could, you know, propose a presentation on this. I'm overexposed in this meeting already, generally speaking, so I'm reluctant to do that. But there are... I mean, I'm really enthusiastic about this, because there's such a huge gap. You know, the company I work for spends millions on tooling for security products.

Almost none of them have capabilities for integrated metadata management. They all use their own. It all gets stuck into Splunk. It is, you know, creating all kinds of not just confusion but cost, and it's just not good for the community. Meanwhile there are competing universal ontologies under development for security by MITRE and a separate academic team out of the University of Maryland.

You know, think about it: IT and security have to share metadata. Think about the word "container"; it didn't even exist 10 years ago in the sense that it's used today. So if you even say, here's an object or an asset that lives in a container at a certain point in time, that term didn't even have meaning.

Then you've got the problem that everybody's got a slightly different synonym for some of these things that are the same, and that has to get worked out. So it's a really important topic in the world I operate in, trying to work across tools and teams and bring standardized ways of going about solutioning and security across organizations, whereas inside a company we tried to solve this just by doing it our way.

Right, like, we know what our tags are, or we're going to use our data repo that's built by our chief data officer to decide what kind of analytics views, and that's... it doesn't scale, right, even for a big company. It's hard to do. So there's my over-enthusiasm, overly enthusiastic pitch for a future talk, if you want to hear it.
B: Sorry, just a suggestion. Maybe we can, like... we already have some messages pinned on the Slack channel to welcome new members and, you know, guide them towards new initiatives or something like that, right. Maybe we can have a thread pinned over there as well, which includes probably all the new initiatives.

The one problem that I see, and, like, I mean I have observed over the last couple of meetings, is any new person who joins in, they are aware of TAG Security as a whole, but there are a lot of initiatives that are going on in parallel, whether it's serverless, whether it's supply chain, whether it's app delivery.

I understand that we already have a bunch of GitHub issues for people to go through and, you know, find out where they can contribute, but it also kind of becomes a bit overwhelming, because these GitHub issues also contain micro-issues which are within an initiative and are related to some work that's going on within the initiative.
C: That's a really good idea, to have the project leads create a pin in the main channel to talk about what their current ongoing project is. That way anybody joining the channel can become aware of it immediately, and when that activity comes to a close they can unpin it. Does that sound about right as a summary?
B: Yeah, but I mean if we create separate pins for each initiative, right, it just might become a bit overwhelming, so a thread might be just a better way to do it. I mean, I'm just...
H: Go ahead. Yeah, so one thing that we do is that in the meeting notes itself, we tag the good first issues for folks to get started, so that you can just check out the good, you know, to-get-started issues. What we can actually do is we can add another table in the meeting notes which kind of summarizes the ongoing projects, and then you have, like, a direct link to those projects from the notes itself, so just to create more visibility. That could be, like, one approach we could do for this.
F: Totally. So yeah, one thing we try to balance is, well, if we want to get anything done, we need to be hyper-focused and we need to start saying no to more things, but at the same time we don't want to discourage other people from doing things, or new work. So it's a fine line of how much.

How much do we spend time, like, already again, if you want to pitch in and help do some of the housekeeping and help present the work in better ways, but we've actually put a lot of time in already into, like, creating this roadmap this way and, like, dividing and allocating the work, and a lot of us are already, like, trying to push those initiatives forward rather than going to the administrative part. So if we didn't do it well, there's room for improvement; great to point that out.
A: I was going to say what might also help is if there is a way, at a high level, to link all this together to show that this has a meaning under the CNCF security, so to speak, so anything that we are addressing, different projects and so forth, and how they are coming together, or what might be a potential link among them.
I: Right, at least, you know, just to get some sort of a high-level kind of a, you know, view as to how all this kind of ties together to serve one purpose from a top level.
F: Do you have questions built for free, while poke calls had it, and we can, like, help crystallize instead. But, like, this group, much like open source projects, like, as they grow and evolve, like, you reassess what your scope and your mission is, but it also happens that, as the community grows, you kind of shift a lot of focus from writing the code and maintaining the project to actually, like, taking on requests for help, for issues or new proposals.

So yeah, there's a great book called, like, Working in Public by Nadia that talks about, like, this transition, this shift, like, stages of a project. You should read it. I find it fascinating, like, right at the moment we're at, but yeah, I'm digressing there a little bit. Let me paste the link to the charter; it branches off from the README. Emily, Ash, or Adna, anything you want to add to that as we wrap up?