From YouTube: CNCF Security TAG Regular Meeting - 2021-07-14
A
So there's a couple of changes we made to the weekly meeting kind of template and stuff like that. So let's see a little bit of that. One thing that we're trying to get folks to do more is to put in their affiliation when you're writing in your name in the meeting notes.

A
So let's wait a bit. I posted the meeting notes in the chat. So please fill in your name in the attendance.

A
So there's a rename button on the ellipsis. When you click on that on your name, I don't know, maybe enemy, try it.

F
Yeah, you have to do it from the chat screen.

A
Okay, let's get started. I'm gonna paste the drive link again just for those that just joined in. So let's start off with the usual script, so hey everyone, quick reminder that the meeting's recorded and it's gonna be uploaded after the meeting.

A
Obviously, the CNCF code of conduct applies to these meetings. We'll need at least one person to volunteer to scribe. If someone can do that, that would be great, and thanks for filling in your names, and if you can, please also add your affiliation, or maybe the companies or communities that you work with.

A
This helps us kind of get in contact with the right people and kind of form different working groups together. Thanks Emily for volunteering to scribe, cool. So before we go ahead, I want to just go through to see whether we have any new members, do any introductions.

A
Okay, looks like no new members today. Thanks dangerous as well for scribing. So one thing that we've added to the weekly meetings is a triage section. So what we're going to do is, at the start of every weekly meeting, there's a working session. We're going to go through a couple of issues and kind of talk a little bit about them.

A
Let people know that we are looking at these issues, either to, you know, close them or to follow up on them, and so the idea is to give a general overview, some short discussion around them, and then these will be posted to the Slack channel as well to get additional feedback. And, for example, if the decision is made to close these issues, at the end of the week we will close all these issues.

A
The whole idea around this issue was kind of to create some knowledge or some kind of paper around compliance and things like that. So there's some details about, you know, people talking about compliance.

A
There was a draft document, and so keep in mind, this doc, this issue is from 2018.

A
So there's, you know, initial things about small recommendations here and there and talking about what compliance is, but I think that some of the elements of this have already been covered by the white paper, and so we want to get some feedback, probably by the next triage cycle, so next week. If there aren't any additional concerns, whether there are other things that are not covered by the scope of this issue, then we'll close it in favor of saying that, you know, all these elements are already covered by the white paper.

H
Before we move on to the next issue, could we just close that and say, if somebody has any, if there's any specific things that aren't covered in the white paper, open another issue or do a direct PR, so that we could end up with specific issues? That would be like closing it without, you know, and giving somebody a possible action rather than leaving it open.

A
I think, I think what we want is to just collect all the issues here and then we decide what the next.

A
All right, so this one was opened by Mark Underwood. This was use cases for interoperability. The idea is to add additional text to the use cases and personas section to talk about interoperability of certain frameworks and certain tools. So this is more of something that was proposed.

A
If, I mean, we're gonna close it, but obviously, like, if this comes up again and we get a couple people that are interested in working on that, you know, we can open a new issue.

A
Okay, can you do that? Because I'm not sure which side channel you're talking about, or maybe just send me a link to this channel.

A
Yeah, I think that the main thing for these issues is that they've either been lost in space, and we want to kind of bring them forward again to see whether the people that are interested in working on them are interested in discussing them. If not, you know, we want to kind of clean up the issues a little bit more.

H
Yeah, and I think the key thing is, in my opinion, the reason they're not scoped is because we don't have somebody who's passionate about taking it forward and doing that work, like, either because, you know, at any one time we have way more than we could possibly do, you know, towards cloud-native security. So we tend to prioritize things that people are, like, eager to work on, or are specific directives from the Technical Oversight Committee. So these just didn't fall into one of those categories.

A
Well, that's what this thing is about, to just kind of bring it up again, kind of like any last words, if not we're going to send it away, we're going to bring it to the run.

A
So we have a bot that marks the inactive label if no activity has been done on the issue for more than, I think, 60 days. So that's kind of part of what the triage team is doing, right.

A
It's kind of, we're going to look at all the inactive labels, and if it's fairly recent, maybe we'll ping the author of the issue and try and get some follow-up, and if, you know, we've seen that multiple attempts or follow-ups have been made, or this issue is really, really old, then we bring it to this discussion to say, and that take us. If not, we should close this.

A
Yeah, yeah, I think we have a topic on the agenda to chat about that quickly. Okay, so this one, validate personas and use cases. So the idea of this was to have a survey and to get some feedback on that.

H
Yeah, and actually at the time, I'll just add a little color, because I wrote this up, and then I'll stop talking for a little while. So the idea was to get actual user researchers involved in, like, either interviews or surveys or constructing something that would validate the work product of the group. But then we didn't end up being able to find those people, or the people who we found weren't able to, you know, follow through, so yeah. I think that we just don't have the bandwidth. We don't have the people for this, haven't historically. If somebody wants to, I still think it's a great idea, but yeah, we need the folks to do it.

A
So the question is kind of, there is some overlap on these things, but not exactly, you know, we're not collecting demographics of members in the community and things like that, but yeah. So there is, like, an ongoing effort. This probably will be created as a separate issue to kind of look at the results from, but yeah. I think if we don't have any bandwidth for this, we'll probably end up closing this issue.

I
So to piggyback off of what Brandon said, that survey has a lot of this information in it. To a certain extent, it's collecting role information, not necessarily industry experience, but what industry they're currently in, country, a few other data points. But a lot of the cloud native survey is designed around kind of validating the work that the group is doing and understanding whether or not the products that we're outputting are consumable to the community in a manner that they're expecting them to be, so.

H
In that we use it for different, you know, for our assessments and whatnot, but that doesn't mean that it's useful generally to people who are coming to cloud. You know, there's a whole range of people who are not represented within our group.

A
I think the idea would be, do we have to refine it or do we have to change it, or is that something, should we broaden the scope of the use cases and personas? I think the idea is, like, should we spend more time investing into it, or do we have to spend more time investing into it? Or is it fine as is?

A
Right, sweet, cool. So I think this is kind of the idea of these triage sections, is kind of go through a couple issues. I have five lined up, but it seems like I don't want to dive too deep into issues. We still have the agenda items today, so.

A
Okay, so I'm gonna go ahead with the other follow-up things on the agenda, so review of the other TAG meetings, the APAC meetings. Do we have anyone that went to that? Oh, I think that was last week, so we shouldn't have any updates this week. So I'm going to skip that. TOC meeting updates.

D
Hey, yeah, from the TOC meeting the other week, I believe Emily was present and handled everything. S... Do we call it STAG or S-TAG, by the way?

D
There's a Harry Potter joke in there, but all that's beneath me, I'll... So I believe Emily already took care of everything on that front, and I took notes slash screencaps of the remaining pieces there, but it's pretty much like a wall of text. So if you guys want, I can just go put that in the notes there, because otherwise I'd pretty much be sort of rote repeating a dozen or so slides of text.

D
Yeah, I don't have anything to really add on that front, and then I also have a short check-in, and I'll have to get out of the way in the next 10 minutes before I head out, but that's relating to just two other assessments. So no other updates for me with respect to TOC.

A
Cool, all right, any updates from partner. Of some, like, Paul, the policy working group, from the supply chain working group. So for those of you.

G
So I can speak to the policy, versus Robert is here as well. We started a working session on the white paper that we are working on. We had an initial meeting and are meeting again tomorrow to discuss progress and what all we need to cover there.

A
All right, I thought, let's go to the supply chain working group, any updates from that.

I
Sure, so for the supply chain working group, we're currently breaking apart our user stories on our Trello board to help refine some of the requirements for the reference architecture. We're hoping to have that wrapped up in the next week, week and a half, and then from there we can start assigning engineers to create subtasks for work.

A
Cool, I think that's all we have for now. Let's just go through general stand-ups, you know, let's see whether anyone has an update. I'm leaving an update, but are you covering that in the agenda, or do you wanna just do that as an update?

I
So, just a quick reminder, not related to the triage discussion, on the agenda item for PRs. We actively encourage everybody in the community to review PRs. It helps the security leadership team out by having another set of eyes go over everything, just to make sure that we're not missing stuff, but also to give us the assurance that indeed somebody else that is not the author did look at it. It makes it easier for us to go ahead and merge content in and make sure that the repo is up to date and relevant.

A
Awesome, thanks Emily. Do you have something?

D
There we go, so two quick updates. One is with respect to Buildpacks. I put in my assessment there and I just have to make a copy of it in the Google Doc self-assessment, rather than the copy I put in Slack, for tracking slash history slash completeness, and I'm just pinging Robert right now to see.

D
We met up with the maintainers a couple days ago, Robert, myself, Emily, you, some others, and just went through essentially some of the questions I brought up in my own review, and I put together the joint assessment that Robert's putting up in Google Docs now, and then we just have to schedule, I guess, time to just sort of assign pieces for everyone to populate in that document to own, and then from that point, I believe, we'll move on to the more hands-on part of the assessment, sort of the, was it called the benchtop testing, static testing of it, and take it from there.

A
Yeah, unfortunately, for now you have to talk to one of us, so just, I think, just pinging me on Slack, and then we will update it for you. We are still trying to figure out a good way to do it. Unfortunately, there's no way to kind of, like, delegate permissions easily, so yeah, we are still figuring that out, but in the meantime you have to bear with one of us doing it for you.

A
Okay, let's see, no updates. Address, you have an update?

E
A couple, thanks Matthew, will work with you on reaching out to the Buildpacks project lead to have a debrief, make sure there's no discrepancies between our findings, like the ones they gave to your report, and we can.

E
Besides that, as we start to make progress on the supply chain working group that Emily's doing great work on, one area that I have a lot of uncertainty around is signing and verification and, like, the state of projects, and I think the Notary v2 group is attempting to overhaul their governance, so something to keep an eye on. I think the folks behind in-toto, the folks behind Sigstore, are trying to structure things in a way that's conducive to work and outcomes, so yeah, Marina, I don't know if you want to add anything to that. I think, like, the team expects to have some changes occur within the next month or so, but yeah, I just wanted to raise that for visibility and awareness.

B
Yeah, definitely, I think there's a lot of potential in all of those projects you mentioned to have some solutions in this space, which is pretty exciting, but I think all of them have a little ways to go before they're there. You know, so that's just kind of the way it is, because, like, you know, trying to achieve, kind of, you know, a really well-defined threat model and figuring out what problem signatures are solving, I think, is a really key step there. That's definitely still kind of an ongoing process, so if anyone's interested in that or wants a particular thing out of signatures from many of these projects, I think this would be a great time for anyone to go and communicate that to folks, so that we make sure that whatever solutions they come up with are solving the right problems, basically.

E
Just to add more color, the, like, the one project, or, well, the one effort, I wouldn't call it a project necessarily, that people have looked at as the candidate for CNCF or under the CNCF umbrella, doesn't have a threat model and doesn't have a whole lot of code for it other than proposals. That is Notary v2, right. So I think a lot of the concerns stem from there, but you're attempting to bridge that gap, right.

B
Yeah, exactly, and try, and basically by defining that stuff better, and so yeah, the process is definitely going to still take some time. I think that's kind of the main takeaway, but I think eventually it'll come up with something that can deal with this, as long as we figure out what those goals actually are and what the solutions are solving for, yeah.

A
Frederick, you have your hand up. Do you want to add something?

F
Yeah, it's more of a question. Is there a place where we have these projects listed, or a place where we can keep track of some of the extremely high-level things that they're working on? Because I think it'd be one of the problems that I'm seeing within this particular space, is that there's a proliferation of different approaches and projects, and the people working on them are doing an amazing job working with each other and communicating with each other. But if you have somebody new who's coming in who doesn't understand the space, it's an incredibly high bar for them to even work out where they should focus their time.

A
That's a good question, Frederick, so I'm going to do a quick page for our own cloud native security map here. So, and then probably, interested, Marina can look at on to this. We're trying to kind of consolidate this, not only for, like, supply chain signing stuff, provenance, SBOM stuff, but in general for all of cloud native. So that's what the ipc link, which is the current build of the cloud native security map. So this, basically, we have all the different projects for the different areas of security.

I
I recommend that this potentially be brought up with a talk at one of the TOC meetings as a potential concern area, as we identify gaps within the cloud native security ecosystem, or cloud native ecosystem proper. Understanding what some of these challenges are and which projects are working with which other projects to have them resolved would be beneficial for the larger community to be aware of, at least to know where to go to get involved.

A
Yeah, so I think that one of the next steps, I think we have an issue somewhere open, I think probably like a year ago, on this, so the plan was to finish up the map and then kind of, like, evaluate the map and take a look at the gaps there, but there seems to be some kind of other, there seems to be a lot of knowledge that's lying around that I think we should kind of take that off. So maybe we'll make that one of the next projects coming up. We'll get the group together to discuss this and bring up some, at least a first iteration of what some recommendations that the TOC can do, I think.

E
We care about having a standard for this format that gets used across the board, because there's many, many different approaches, and it's a disservice to the community to, like, make a king out of one that's not complete yet. And, well, if we're going to put all hands on deck because, like, we think we have the brightest minds with the most experience, like, work through all the security aspects, capture it and put this out, and we get containerd.

A
Yeah, so, Frederick, I posted in the branch that we have all the content. You can make a pull request directly on that to update the map, and yeah, we should continue the signing discussion at some point. We are running a bit tight on time, so I'm gonna move forward with the agenda a little bit. Okay, so I think the last update we have is Frederick on the security controls.

F
Okay, so a short update on that. So Alex had taken on the initial setup of the group to get us all started, Alex Barbato, I think, was how to pronounce it, and so the idea was for the first month that he drives it. We've gone through that, we've had the initial setup, which I think went really well, an initial populated spreadsheet. That spreadsheet is available for people with view. It should be linked in the Slack. So if you want to take a look at that, you can see it. We're moving on to the next phase, which is going to be, we'll select a new person to drive the next stage of what's going on, and once we have some scope on what the next steps that we want to take on are, then we're going to start doing call-outs for more people to volunteer to participate. So just want to put that status down for the security controls group, thanks.

A
Awesome, thanks Frederick, all right. So let's get to the agenda items today, so we have the first one, which is discussing cloud native security survey results. I think this is from the white paper survey, right?

C
Okay, all right, I'll share my screen. Emily, feel free to interrupt and add more color to whatever I'm sharing, and, like, I'm sharing on a bigger screen, so let me know if the text is too small for everyone.

C
So we started tracking that through an issue, which we called a retrospective, and part of that was creating a survey and sharing it across the community, with 10 questions that not only are related to the white paper, but also about cloud native security in general, and see what feedback we are getting. So we published the survey in February, I want to say, and then we closed it early last month. So after that we started compiling the results. We got good help from CNCF as well. Amy especially helped a lot, and we were finally able to compile the results. There were about 70-plus participants, and a PR with some of the details is open. We also have a new contributor who participated in creating a summary. George, I think, is there in the call today. So thank you, George, for this.

C
So what I want to do is share the summary and the results and the graph, and based on that get feedback from all of you in terms of whether this makes sense. What are the possible next steps we should be working on? Are there any projects coming out of this? What updates would we want to make to the white paper? Who would be interested in all of that? Anything else you would add before we dive deep? Emily?

I
Nope, other than just folks that are really interested in this, there's a lot of great content that came out of this survey we're hoping to take advantage of. So I encourage everyone to take a few minutes, read through the PR, it's linked in the notes, as well as displayed here, and comment on the issue with anything that you think might provide value as next steps or how we can provide a meaningful and significant update to the paper. Smaller changes are not usually an issue.

C
Yeah, yeah, agree, so we have a brief summary and some anecdotal feedback. I think this summary probably is self-explanatory if we go through the graphs one by one, so I will start with this one.

C
So the idea was to get an idea about who is responding to the questionnaire or the survey, and it seems like a fairly equal distribution among people who are engineers, architects, and then developers, and there were a few who were VP or engineering leadership or C-suite who responded. In terms of people who have worked, seems like three to five years had a greater majority of people who were part of the respondents. Five-plus years was interesting, because cloud native as a whole became really popular about six, seven years ago.

C
So then, that was interesting to me, and what probably is a good reflection of how we are sharing the survey or the white paper is that the beginners are not getting the links and the communication that we are sending. So this can be seen by maybe people who are new to the community not being able to participate in the survey, or being the least, quite significantly, at that.

C
Another thing we found was we definitely missed out on the options in the survey here, where there were a lot of people who selected "other" instead of the four things that we had pointed out, and some of the examples that people put in the "other" box were insurance company, tech company in Silicon Valley, and some other interesting categories.

C
This one was very interesting, and I'll tie this back to another question after this, so vulnerability management and secrets management was the most selected answer, instead of what I thought would be the most selected, which is supply chain security, and the only way I could think of why that would be the case is probably because we are spending so much time, effort and communication on supply chain security.

C
This one was also not surprising for me, where the most number of people responded would prefer not to disclose, even though the survey was anonymous, for people who were not following earlier, and then the other ones after that were vulnerability exploited or cryptocurrency miners, which is fairly well known by now, and ransomware was there, even though maybe we missed the timing, probably because ransomware has grown in number and prevalence quite a bit more than when the survey was released. So probably this number may have been higher.

C
It also maybe means that in cloud native environments, ransomware impact has been lesser compared to other environments. So the next one was cloud native security skills. So basically the answer was we want everything, which is hard to do, and it only tells us that it cannot be one single person who is responsible for cloud native security in your company. There has to be a team, which makes sense, and maybe each of them can be responsible for all of these options.

C
The other one was which of the tools you currently use. So this ties back to the other question, where people were saying we need vulnerability management and we are worried about that the most. At the same time, they are also saying that we use image scanning more than any other control that we have.

C
One was how much of the white paper you have read, which was probably the one question I was very interested in, and it looks like there were people who did not know about the paper, the most, and/or have read very little because of the size, and then there were a few people who have read fairly, almost 100% of the paper.

C
Was, "I found out about the white paper through this survey", which means that we're not communicating it as well as we communicated the survey, and we need to really assess, like, what is the best way to reach out to people, and the next one was the blogs and the social media, which seems like was 30-plus percent, which means they are working, but we need to do more, and then the last one was.

C
So these were 10 questions, and there was some very interesting anecdotal feedback, mostly by one single respondent. So I would take it with a grain of salt, because that particular user could be responding, could be very opinionated.

H
Yeah, so this is a big conflict with the, many of the projects want easy development by default, and so that's in conflict with people who are like, yeah, but don't give me a bucket of bits. Like, as a developer, I would rather have, we have default security for this scenario, and I can figure out how my scenario differs from that scenario, rather than what is typically presented to me, which is "everything's different, you decide", and I'm like, I don't know your product, do...

B
Is it also possible that maybe this means the folks are looking for something that is somewhat automated, meaning, you know, they don't need to configure, they don't need to find out, but the security solution is such that it will adapt itself to the environment that it has been deployed on, that project, and it comes natively with any product that people are trying to sell under the cloud environment? Is that a kind of sentiment that might be reflected there?

B
Anybody has any opinion? That's possible, but that's a more sophisticated capability, right, so that requires a project to be able to understand its surroundings, and that'd be great if you could do it, but, like, the examples I usually come back to is, like, if you're dealing with TLS, encryptable TLS or encryption, the default algorithms which are selected should be secure, right.

I
So, in the interest of time, I think that this is something that we should schedule another meeting to talk through a little bit more, about, like, secure defaults, and what does that mean to us and what kinds of things we could potentially look at. There's a lot of opinions in this space. There's a lot of evidence about what does and doesn't work, and it kind of marries up more with what our users are expecting and the different roles and personas that they take on.

A
I think that that probably is not so much on the sandbox side, maybe on the, like, graduation, there can be a bit more emphasis on that, but it seems like they will come back to us for that recommendation as well. So it could be part of the, maybe could be better, be part of, like, the joint review, to have that as, like, an affected to chime in on. Recommendation that's asked from the TAG, and for us it comes as a security recommendation. This usually is a result of the security assessments that we do, right. Okay.

A
Yeah, but like Emily mentioned in the chat, we do have a TOC meeting and we have the updates to the TOC. So I think this is definitely something that we should share with them at one of our next TOC updates.

A
Cool, can you create an issue on the discussion of secure defaults, and maybe we can pick up the discussion another time. We have someone that would like to present on that topic, and then we can have a discussion around that.

A
Awesome, thanks for sharing. Cool, we don't have that much time left, so go to the last two topics, which are pretty straightforward. I think the first one is on the triage team. So we saw a little bit about the new changes with the triage in this meeting. So what we are trying to form is, we're trying to find a triage lead. They can lead the triage efforts. We are having triage meetings once every two weeks for now. For now, these are in-person meetings, and then we will figure out a better way so that, you know, those that may not be able to get to the meetings can also participate. But if not the triage, we are looking to form a triage team, looking for triage leads. There is an issue number, which is 665, that I'll paste in the chat here.

A
Yes, Emma, yeah, like they said, this one is right after this, so you want to drop by. I will also put the link to the Google Meet, and the Zoom link, in the Slack channel tag-security-triage. So if you're interested, please join the session as well. Yeah, so what we're going to go through usually at these meetings is, you know, initially to get everyone on the same page, to talk a bit about how we are triaging things, how the group identifies things to work on, how we identify things that, like, whether we should maybe. So if this is something that's interesting to you, please put a note in the issue, as well as join the tag-security-triage Slack channel, and I'll put a link in there right after this, okay. If not, I think the last agenda item we have is from right now.

G
I have a couple of things, Brandon. The first one is, let me open my, yeah. The first one is the serverless security white paper, so this is a call for action for everyone, and a request: if you're interested, please tag yourself to the issue. I know we had some hiccups in setting up an initial meeting because of our time zones, some of our project leads are unable to attend the U.S. time zones, but Andrew is working on setting up a brand new kickoff meeting. So if you are interested, please send your contact information to them on the serverless security Slack channel. Right now, as we see, we have only two volunteers to work on it, so help needed. Please participate and provide your information, so we can invite you to the discussions.

G
Second one is the chaos engineering update, so the working group has started actively working on the white paper. We had an initial meeting. There are a number of TAGs participating in that. For now I am attending those meetings and contributing. So if anyone from this team is interested in participating, please tag yourself to the issue and I can forward the Slack channel information as well as the project team's white paper, where you can start contributing to that as well. Any interest, you can ping me also directly, and I'll help you connect with the right resources there.

A
Yeah, if you put in the issue number after the meeting as well, that would be helpful.

G
Sure, I will, and in the issue itself I've provided the Slack channel there as well. So I'm happy to do that, Brandon. And the last one is, it's a new initiative about an attack matrix for cloud native technologies. I know MITRE has come out with one, Microsoft has come out with one. Just wanted to know if we need to do any work here, or if there's any interest in progressing that to, like, kill chain identification. And, you know, I know we have controls, right. Nobody puts in all the layered controls that we have recommended, but based on the attack scenarios, if we can figure out, if you have A, B or C controls, then you can kill this attack completely and you are protected. This is more for our detection and response teams, right, so that they can leverage this as well as to where to go look. Today, SOC teams are challenged as to how they can manage their attack surface in their cloud native world, and the goal is to provide them more guidance and information on: this is where you start looking, and this is how you kill these types of attacks, and these are the data points you need to gather or correlate to even identify these attacks.

G
Okay, those were the three issues I wanted to talk about. I mean, again, we want to do work that everybody's interested in. If we don't have any interest, then we obviously can prioritize it accordingly in our roadmap.

A
Yeah, let's put the issues, if you can put them in the Google Doc, that'll be helpful, and then also, let's put these out in the tag-security channel as well, so that people get visibility that may not necessarily be able to make it for the meeting. Awesome, so we have three minutes left, any last words from anyone?

H
Just that I wanted to draw your attention to the chat. There was a question about when we're actually doing, like, so we started last quarter doing a quarterly roadmap meeting. It's on the planned agenda, planned meetings list, but without a date. Does that mean that the next working meeting will be a roadmap discussion?

A
We have a presentation this week, by the way, so that will be next week's meeting? We have a presentation on a new project. More details will be posted on the channel. Cool.