From YouTube: CNCF Security TAG Regular Meeting 2022-01-12
C: Yeah, hi. Hope everyone is doing well. I see already a thin agenda today, but before we get started, do we have any updates on the working groups? Please.

C: Okay, cool. Do you need any help there?

A: Not currently. It's pending on the CNCF tech writing team; we haven't heard back yet. We've been asking them for regular updates, but nothing as of yet. Hopefully we get something soon.

C: Okay, cool. I can give an update on the serverless working group. The paper is still being worked on over the holidays. Ariel Schufer took a stab at several subsections and he's added content. We're trying to schedule a meeting with both U.S. participants as well as APAC, but let's see; that becomes challenging, especially for the west coast people. So we're going to try to figure out a time when we can all meet and decide the state of the paper.

C: I want to encourage you all to take a look at the serverless white paper and put your comments, or at least give it a read through, so we know how you feel about this paper. I mean, we can write a book on serverless, right, but does the content actually help people who are trying to do microservices, right? And that's the input we need from the wider teams, especially John and Pushkar. If you can give it a read through, that'll be helpful as well, because you had some bandwidth to support this.

C: Perfect, thank you, John. Do you want to give an update on security controls?

D: About that, yeah, so no substantial changes for the past week. We are still working on wrapping up the current phase of where we're at, and we are also involved in some discussions for potential future collaboration with CSA, and we'll see what that means in the following couple of weeks.

C: Thank you, John. So I think we had shared with the wider group as well: we had some conversations with CSA and they want to collaborate with us on a number of initiatives. We met with them in December, but we have a meeting later this week to discuss specifics. Obviously we need some legal agreements in place, like a memorandum of understanding: how the collaboration will work, how the branding will work, etc.

C: So those details are being ironed out. Once that is ironed out, we'll get access to all the volunteers that CSA has, and we can do some projects which make sense to collaborate with them on, not all projects obviously, but we've identified a couple of projects. One of the projects is the security controls, right.

C: They have a big CCM community, and that community maps all the controls to NIST 800-53 for cloud, and now they want to do it for cloud native, and we were doing something similar, so that makes perfect sense there. And then we can look at potentially other projects where we can collaborate with them as well and, you know, bring more value.
E: Yeah, we did have our every-other-week meeting again. We hadn't had a call since early December, so good to see everyone back together.

E: Last year we finished our white paper. I think we were looking for some help on the formatting of the white paper, to kind of bring it in line with some of the other white papers. I mean, it's fairly vanilla markdown content at this point. So if anybody has any graphic art capabilities for putting these white papers into a better looking format.

C: That's right. What did we use for our cloud native security white paper for formatting, and technically?

E: Okay, I will. I think we have a ticket; I think Jim did create a ticket, but I'll confirm with him, and that sounds like the right process. The content is there for anyone to read. I'm dialed in so I can't post the link, but I think it's been posted before. So we're happy to receive feedback, and if anyone is actually using it, we'd love to get case studies of people applying the recommendations.

E: Of course, at some point we'll be plotting out version two. Next, on the policy work group, we're looking to complement the Kubernetes CRD for policy results, or policy reports, with more of a policy parameterization and specification, so that could overlap or complement the controls work. I think this would be more of a specification for control selection and the parameters for those controls, in OSCAL, which is a standardization effort from NIST.

E: With that policy specification discussion, that will probably occupy the next several work group meetings, so any and all are invited to attend, every other Wednesday morning, 8 a.m. Pacific.

C: Thank you, Robert. Definitely, I'll start attending those meetings from next time.

A: Yeah, one afterthought on docs cleanup: it's work bottlenecked right now on the capacity of the tech docs team. I did ask the team lead earlier to see if they could provide us with the template they use, for us to at least populate the template and print it to a PDF.

A: I don't know that we want to circumvent the CNCF editorial process altogether, but at least having a template that we can do some of the initial proofing work with ourselves would help.

A: Certainly it's something folks would need to volunteer for, to give it a once over and make sure it's close to the first editorial pass that we do ourselves, because, yeah, I know a lot of us are still waiting to hear back, and there's just idle time and toil and everything else as a result. So I'll see if I get a response; if not, maybe we look at coming up with our own template as well?

A: I don't mean to put you on the spot either. We're talking about, well, we have this pipeline of content we've created, and right now...

A: We haven't heard back on most of the documents since early December last year, so I'm thinking whether we should come up with our own. I can probably share my screen and show you what I mean, so the work that the tech docs team performs. Not sharing my screen yet, good thing; I have too many tabs, so people can't really tell what I had open. So they turn it into this nice book format.

A: I presume this is a combination of Illustrator and something else, but maybe we could automatically generate these to some degree. We don't want to circumvent the publishing procedure and sign off; you know, TOC liaisons ultimately have to sign off before anything gets published, but it would be to accelerate production time of at least drafts, for public comment, in PDF format.

G: I mean, I think that we'd be happy to sign off anything in any form that's useful for people. I'm certainly happy to sign things off in a form that's not absolutely print perfect or whatever. So we could definitely sign off.

A: You know, that's interesting. We actually haven't seen many updates, and I don't know if that's a result of the perception of the master being the PDF, which has resulted with, like, the security map assembling a crew for a second edition that incorporates all the proposed edits that have emerged since.

C: Great, thank you, Andres. Yeah, hopefully you'll get some help from Andres and the tech docs team, right.
C: So, any other working groups have any updates?

C: Fantastic. So before we get to the agenda, I wanted to share two things with you. One thing is that there's a NIST OSCAL workshop on March 1st and 2nd; if anyone is interested, you should attend.

C: I'm pasting the link here in the chat window, because OSCAL is getting a lot of traction in the industry, and especially in the cloud native space, and our policy working group has already been working on integrating OSCAL with the policies, right, and detection and compliance. But at the same time there's another NIST workshop, which is on the 27th of January, and that is about zero trust, with a lot of focus on cloud native technologies and zero trust there.

C: So, if you're interested you can join in on that as well. So we have only one thing on the agenda today, and that is issue 843. 843 is basically: we had a discussion in December about rotating project leads, because everybody is bandwidth constrained, and then, you know, we need the projects to continue to move, and at the same time we want to make sure we get different perspectives into the projects, right. So the issue was created by Brandon.

C: A process is defined as to how we will make decisions and how we'll transition. Obviously we want some overlap between the existing leads and the new leads, and the timing of the transition as well, right: when are you transitioning a project from one lead to another?

A: Yeah, as you're joining, we're talking with Frederick about an analysis he did of buildpacks producing SBOMs.
B: Yeah, I have time for it, and I posted the link in the chat, so if you want to read what I had to say in detail, it's on there.

B: In short, to really understand this, you have to understand what buildpacks are, and there's a lot of misconceptions around it. People think the result of the buildpack project itself is the buildpack, but what it actually is: you can think of the buildpack as a container image that has two entry points; it has a detect and a build phase. So you can layer these things, where, when you run the pack tool, it'll run a set of these container images, these containers, and it'll check with the detect: is what's in this image supposed to apply to the set of inputs?

B: And if the answer is yes, then it'll perform whatever the build is. So a very simple example is, I might have something that compiles Go. I might say detect a go.mod, and if go.mod is present, then run go build or go install, and then take the output of that and copy it into a well-known location so that the future steps of the buildpack framework could then continue on with whatever it needs to do.

B: They're composable in the sense that you could create things like, we're going to create a scanner that'll check for certain types of errors, or maybe you want to stick a license detector in there, or some other things, and what this allows you to do is to be able to give a single command. You can just run pack; it pulls in all of the toolchains as necessary, based upon the processes which your development team is using, and it runs the same way.

B: It runs in your local environment. You can run it in the same way as CI/CD, so, to use one example, if you look at Google with their gcloud, there's an alpha product which allows you to do build as a service. It uses this exact same thing in order to produce those types of artifacts. So the buildpacks are the individual images that you can layer on top.

B: One of the interesting things here is this actually produces a nice set of entry points that can help with the overall supply chain provenance problem. The first one is that you can better track your tooling, saying these are the images, these are the SBOMs for each of the buildpacks that I'm bringing in. There's an opportunity to collect all of that information and ensure that it's represented somewhere in the SBOM in the final artifact response.

B: The second one is the SBOM itself, or rather the buildpack itself, for any given language, or for any given thing that you're building, can itself have its own set of SBOM generators.

B: So when you run go in the previous example, if the person who made the Go compiler buildpack opted to create an SPDX, or create a CycloneDX, or Syft or some other format, then that gives the opportunity for that information to be captured and then sent down, and ideally, the best case scenario would be that would be part of the build step.

B: There is also an opportunity for information to be captured between the layers. So, in other words, when you run a buildpack, you have a set of input states before the buildpack runs, and they have the state after the buildpack runs. So it is also possible to capture state between the buildpacks.

B: If that is of interest, that way you can explicitly determine the effects that every buildpack had on a given build, which could be very useful when you're trying to pair something up into in-toto and you're trying to look at the process, as opposed to just the final set of outputs.

B: So I cover all of this. I got some messages afterwards through Twitter that some of this work was already underway and that there are some PRs that will be released soon that document what is being done, so I'll do another analysis once that is complete. But in short, the buildpack system itself, and similar types of systems (it doesn't have to be buildpacks, it could be some other similar type of system):

B: They provide an easy way to have standardized tooling that allows us to make it easy for the developer, because one of the problems we're going to run into is that it's extra work for the developers, and the developers get limited benefit directly from the SBOM. The people who get the most benefit from the SBOMs are going to be infosec, CISOs and similar types of people who have to go find: where is Log4j installed?

B: Where were these Go applications installed, or similar types of processes? And so it ends up being something where the developer itself doesn't experience that level of pain, but it's not a trivial thing right now to set up a full process that gives you high quality outputs.

B: So, ideally, buildpacks could be one of the things that makes it easy for a developer to have something that is as close to a turnkey solution as we can get, without sacrificing the developer's ability to engineer as necessary. So, in short, that's what the article is about.
H: Hey guys, really great to be back. I have a conflicting meeting I can never seem to get out of, but I'm working on it; it's underway here. Hey Frederick, about the metadata that's in the paper.

H: Is there thought about expanding the use beyond what you seem to be laying out there, to cover things like identifying which modules are processing data that needs to have specialized data protection, or, you know, data that's higher priority than others, or data that needs to be processed earlier as opposed to later, other kinds of metadata that could be domain specific? Is that really more something that could be added to this, or are you really intentionally limiting this to the usual?

B: There are useful claims that you can use to make decisions on what you want to do. It does not perform a dynamic, like as things change over time; it does not perform that dynamic portion, and there has to be a point where your runtime system is able to, through some means (and my preferred means for this at the moment, it may not be the right approach, so don't think it is the sole way to do it)...

B: It would be to have some form of cryptographic identity that defines what that running process is. That cryptographic identity can be informed, whether I want to even issue it; that identity can be informed by the output that comes out of pack, or the output that comes out of the build process.

B: There may be other high impacts, that if you just bring the system down, that could cause harm to life or property, or maybe you do want to bring it down and it gives you an enforcement capability. But all these types of things are out of the context of the build, but the build needs to produce enough information so that downstream things can make decisions.

H: Yeah, from the build perspective, it's, you know, which modules are touching the data of interest, because this is a property of the build. So if you have, you know, a microservice that's been consumed and the microservice is known to be...

H: You know, for lots of other purposes, for security and potentially privacy and other kinds of integrity checking as well, but the build needs to do that, because if you can't follow the metadata through that, I don't know where you're going to get that. So in our kind of mockups of how we might try to use OSCAL.

E: Oh thanks, yeah, because, as we've been using these same tools ourselves, so you know the components, and that's an overloaded term in the sense of it's OSCAL specific, but the components, regardless of how they're built, can be mapped to, you know, a concept of operations, and what capabilities are exposed by some individual component or collection of components.

E: Yes, I agree. If the build output metadata could attest to you or annotate, "I provide some capability," and if there's an ontology to that or a keyword to that that can help you map that, I think that would be an extra help, but I think there has to be some operator knowledge base, if you will.

C: Sorry, Robert, I agree with you 100%, but one prerequisite: your data has to be tagged and labeled, right. If you don't have the metadata to make those determinations and decisions, you won't be able to do it.
B: This also ties into a really nice area, though, because I think the problem you described is an important one and it's one that needs to be solved. I don't think the SBOM is the right place to do that, because, like, I as a vendor (not that I have a vendor, but if I were a vendor) could produce a piece of software that you as a consumer can consume, but I can make no guesses as to, at the end of the day...

B: I can make some predictions on what you might want to do with it, but I cannot predict with great accuracy how you can integrate it, or whether it'll end up touching at the very end, except in very rare, highly constrained circumstances.

B: Like, is it part of an application that's performing a set of work, and what has it been authorized to connect to, and what has been authorized to connect to it? And the graph database that was mentioned beforehand is a good example of this, because this is all dynamic live information that represents the inventory of a live system, and in this scenario the software bill of materials provides you with a static list of what went into a component, but does not help you by itself. Or I should say, it does help, but by itself is not enough to produce the dynamic live graph of your environment.

B: Then you might be able to get to this, but eventually even that may end up scaling to a point where the build system, the static information there, is not enough. So it really comes down to inventory, like live inventory.

G: Yeah, we tend to late-bind configuration a lot, and so at build time you don't really know how things are going to be run, because you're not usually seeing the Kubernetes manifest it's going to be run with, or the configuration of the system that might inject sidecars and things like that. So we've actually made it quite difficult to do these things in the ecosystem right now, I think, and it definitely limits what you can do with an SBOM, for example.

B: Yeah, and that's okay, that it's limited. It's about understanding the constraints. So we know that SBOM works really well with static processes and claims of what went into those processes and builds. And we know that it can inform an inventory, but by itself is not sufficient to keep a live inventory of what's running, because things can be upgraded independently and you have no way to update the SBOM and keep the SBOM equal.
A: How do you mind those policies if all you have is a static list of components? You don't even know what subjects or what colors to apply that to. Like, you have a service calling, and you would need the live graph to tell, hey, this identity is made up by this set of things, right? But unless you properly identify things in production, you can't enforce those policies if you can't, like, well, this is a part...

B: It's part of your live system by the static information in your live system, and at that point the actual audit and enforcement capabilities do not come from the SBOM, but instead your policy system, yeah, your OPA or Kyverno or whatever it is you're using, is able to consume those SBOMs and then is able to make decisions: do I want to run this workload?

B: Do I need to audit this workload? Because, basically, do I need to emit an event that this thing is out of compliance, but we'll still allow it in because we still need the service running?

B: This becomes very important, especially in healthcare settings, where just evicting a service because it's vulnerable, you might end up killing the software that's keeping somebody alive. So we cannot simply say shut down the system simply because it detects a vulnerability, but we do want to know about it, and that gives the ability for somebody to go and remediate it, if you don't have an automatic remediation path. And of course the third one is enforce, like you might have a set of systems that you say, we detected Log4j came out.

B: We're gonna set a deadline of two weeks to get all this stuff taken care of, so keep auditing, and at the end of those two weeks we'll turn on the enforcement for anyone who has not applied for an exception for extra time. And then now you have your infrastructure enforcing the properties that you... and you have something that enforces your policy that is informed by the static information in the SBOM. So that's what I was saying: there has to be something that bridges you from the static information.

B: That's able to consume that, and the policy engine is one of the tools that has... fantastic.

B: It's a tool that they can make, like OPA and similar can make use of these types of things over time as they start to get built down.

B: But the reality of this is that not every system will fit into buildpacks, or other teams have very deep quantities of work that they've put into their own CI/CD systems, and the cost of retooling to a buildpack is just not feasible for the value they'd get out of it. So I think part of it is to make it easy. We have to have eventually something that says, this is what, if you're using this language...

B: These are the types of things you can do, the types of tools that you can put in place, and here's where you put it, and here is the way to output it to make sure that it's useful, which could include things like best practices, could include things like here's how you sign it, here's how you send it to something like Sigstore.

B: So I think that there needs to be something there that eventually people can pick. They can choose the tools that they want, but having something that's high enough level that we're not dictating the exact tools and types, but at the same time is low level enough that we're giving them solid information as to what things need to be in their CI/CD system.

B: To make this happen, I think, would be a great use, and of course we could do a reference implementation if we really want to take it down to that level, but just getting that top level thing saying: here's what this does, here's where you inject it in, this is why you want to have it tied to the build and not do it as a scan of the image.

B: After the fact has been built. Not saying that scanners don't have value; they have an immense amount of value, and one of the big values we'll get out of post-build scanners will be validating SBOMs. Like, as a consumer, I want to sometimes audit certain systems at random, or audit a system that's acting up or that is suspicious, to see.

B: So there's still value there. But in short, in order to maximize the accuracy of the SBOM and increase the total accuracy to the consumer, then we should provide information there, because the alternative is that SBOMs, if they're not accurate, may actually mislead your infosec teams into thinking that they're more secure than they really are, or cause them to waste time where they don't need to waste time.
G: We're looking as to how we can plumb SBOM information through a Docker build, so we're starting a bit of research on what would work there, so that we can take incoming SBOMs from layers, put in stuff for the things you're adding, and output it. So we're looking to work on that; so just basically build a kind of parallel plumbing layer alongside the build.

G: So you can plumb through that metadata, but this is kind of stuff that we're just starting on. But, you know, we definitely recognize that classic Docker build needs a way of handling this too, and if people are interested, please ping me, because we're looking for people who are interested in helping us work on this.

B: Yeah, by the way, BuildKit, which is, I think, what the newer Docker Compose is built on, is really fantastic for these types, yeah. So.

G: That's where this work will all happen. BuildKit is where we do all the work on Docker build now; all the other stuff kind of is being removed. BuildKit is where this would all happen.

B: Yeah, because my understanding is BuildKit is effectively a directed acyclic graph of things that you want to build and run, and it basically runs them. So I mean, technically it has close alignment with the type of environment that buildpacks themselves run in. So, as I was saying, it doesn't have to be buildpacks itself; it could be Dockerfiles, it could be something else, just something that helps provide some of that information.
E: I don't know if George is on the call, or the Custodian folks. I think we have everything finalized on the Custodian joint review doc, but if anybody else needs anything, or if Emily is on the call and needs anything, happy to make any final tweaks.

F: This is George. I think Emily's sick, but we have everything in the PR, and I have an additional PR with the self-assessment, which is basically the Google Doc just turned into markdown, and that is a separate PR, though, not the same one.

E: Do you know who can approve the PR, or what?

F: After KubeCon, or whenever we meet, though, I would like to sit down with some of you and put me to work in some kind of capacity. I've just been slammed.

E: Well, I guess just a point of order there. I get now that once you get the PRs approved, I think the process is we're supposed to present to this group the assessment results, correct?

A: Nice, that's what's up, cool. I'm gonna give the PR a review. I'm gonna look for completeness, but if there's any particular area you'd like me to draw my attention to, or a certain type of feedback you're looking for, point it out in the issue.

A: Yeah, I found, like folks find assessments super useful when you're trying to get a project deployed and adopted within a large organization and infosec hasn't been paying attention to the cloud native space and it's new to them, but they find it very beneficial to come up to speed, educate themselves and develop a solid understanding. So yeah, I've seen these reused quite a bit, so I'm sure it's paid dividends. I'm sure it felt like a lot of work and a hassle.

F: You know what, it was awesome to have the repo with everybody's, the prior projects that went, because some were really thorough and some were very short, so we were trying to figure out where in the middle, you know, what would work best for us, and I mean it was just really great to be able to go back and see all the other projects before us. And then, you know, it was still hard work, but, you know, for sure.
C: Sounds good, thank you. So we did not talk about security assessments today. John Kinsella, do you have any updates on that?

D: We are having another meeting with Argo tomorrow morning at... yes, that's 7 a.m. Pacific time, so we're moving on that. That's going to be the end of the... now you have questions, and we're going to get in and try to move on that, since we've been seriously over the holidays, but that's the status of that one.

C: I also wanted to share with everyone: the CFP for CloudNativeCon EU is out. So if you have any good ideas to present, please feel free to submit your ideas, and we'll get it into the mix for evaluation of the conference content.

C: Anybody has anything, any comments, questions, concerns?

H: Hey, just a provenance question: who was it that brought up the ontology when we were talking about metadata? I want to follow up with that.

E: No, no, I'll be back on Slack in the next couple of hours, so either the CNCF Slack or the Kubernetes Slack.

F: Hi, it's Rory here. The only thing I might mention is the work we did on an admission controller threat model under Kubernetes security is just about complete now, so there should be a blog post coming out next week, and I can probably find a link if anyone wants to read the threat model.

C: That'll be great. I would like to see that. Tomorrow, please let me know.

D: Oh sure, so yeah. We canceled this past week's meeting, just because there's some folks out, because I guess they've caught covid, and other folks were kind of caught up because they were covering for folks who either caught the flu or covid. But yeah, so from the financial services user group, we're definitely looking for additional collaboration points with the Security TAG and Security TAG projects, as well as looking for demos.

D: I know the security controls, we're very interested in seeing, you know, a demo or presentation, as well as collaborating with the security controls working group.

C: Okay, cool, very good. We'll invite you, Michael, to our follow-up meetings. John, let's make a note of that. We are setting up a collaborative meeting with the CSA CCM group and the security controls working group, and we'll invite your folks, Michael. I'll send the invite to you, and if you want to forward it to the others, great, or I can post it in the Slack channel, and that way people can get engaged when we get started on those initiatives.

F: Yeah, definitely keep an eye out for that. I think it'd be worth talking through the process a bit; hopefully some interest.

F: So essentially, it was fairly loose. It was kind of an iterative process of looking through, of talking to people in the space, you know, things with the Kyverno project, and just going through how you would attack it, how you would use it, and then the only potential was using Deciduous to actually create the kind of graphical element of it. Deciduous, if you haven't seen it, is a kind of YAML threat model generator.

F: I actually have an online version of it, but I wrote a little Rails app, because Deciduous doesn't let you share threat models. It's just like a one-page HTML app. So I'll put this in here. I created a little Rails app so you can store and retrieve them.

A: Super cool, yeah. If you'd be interested to talk more about process and working through the threat model, I think this would be a great venue for it, whenever we have time, some other Wednesday. Yeah, nothing super formal; in the results people can read the threat model, go read the blog, but yeah, dope.