►
From YouTube: CNCF Security TAG Regular Meeting - 2021-07-14
Description
CNCF Security TAG Regular Meeting - 2021-07-
A
A
A
A
D
A
A
C
A
A
A
A
Obviously,
the
the
cncf
and
the
quota
contact
applies
to
these
meetings,
we'll
need
at
least
one
person
to
volunteer
describe.
If
someone
can
do
that,
that
would
be
great
and
thanks
for
filling
up
your
names
and
if
you
can,
please
also
add
the
your
affiliation
or
maybe
the
companies
or
communities
that
you
work
with.
A
A
Okay
looks
like
no
new
members
today,
thanks
dangerous
as
well
for
subscribing,
so
one
thing
that
we've
added
to
the
weekly
meetings
is
a
3x
triage
section.
So
what
we're
going
to
do
is
at
the
start
of
every
weekly
meeting,
there's
a
working
session,
we're
going
to
go
through
a
couple
of
issues
and
kind
of
talk
a
little
bit
about
them.
A
A
H
Before
we
move
on
to
the
next
issue,
could
we
just
close
that
and
say
if
somebody
has
any,
if
there's
any
specific
things
that
aren't
covered
in
the
white
paper,
open
another
issue
or
do
a
direct
pr,
so
that
we
could
end
up
with
specific
issues?
That
would
be
like
closing
it
without
you
know
and
giving
somebody
a
possible
action
rather
than
leaving
it
open.
B
H
A
A
B
F
E
A
Yeah,
I
think
that
the
main
thing
for
these
issues
is
that
the
they've
I
either
been
lost
in
space,
and
we
want
to
kind
of
bring
them
far
again
to
see
whether
the
people
that
are
interested
in
working
on
on
them
are
interested
in
discussing
them.
If
not,
you
know,
we
want
to
kind
of
clean
up
the
issues
a
little
bit
more.
H
Yeah-
and
I
think
the
the
key
thing
is
the,
in
my
opinion,
the
reason
they're
not
scoped
is
because
we
don't
have
somebody
who's,
passionate
about
taking
it
forward
and
doing
that
work
like
either,
because
you
know
you
know
at
any
one
time
we
have
way
more
than
we
could
possibly
do.
You
know
towards
cloud-native
security.
So
so
we
tend
to
prioritize
things
that
people
are
like
eager
to
work
on
or
are
specific
directive
from
the
technical
oversight
committees.
So
these
are
just
they
didn't
fall
into
one
of
those
categories.
E
H
A
A
It's
kind
of
we're
going
to
look
at
all
the
inactive
labels
and
if
it's
fairly
recent,
maybe
we'll
paint
the
author
of
the
the
issue
and
try
and
get
some
follow-up,
and
if
you
know,
we've
seen
that
multiple
attempts
or
follow-ups
have
been
made,
or
this
issue
is
really
really
old,
then
we
bring
it.
We
bring
it
to
this
discussion
to
say
and
that
take
us.
If
not,
if
not,
we
should
close
this.
H
F
H
A
H
Yeah
and
actually
at
the
time
I'll
just
add
a
little
color,
because
I
wrote
this
up
and
then
I'll
stop
talking
for
a
little
while.
So
the
idea
was
to
get
actual
user
researchers
involved
in
like
either
interviews
or
surveys
or
constructing
something
that
would
validate
the
work
product
of
the
group.
But
then
we
didn't
end
up
being
able
to
find
those
people
or
the
people
who
we
found
weren't
able
to
you
know,
follow
through
so
so
yeah.
I
think
that
we
just
don't
have
the
ban.
H
A
A
So
the
question
is
kind
of
that
is
some
overlap
on
these
things,
but
not
exactly
you
know
we're
not
collecting
demographics
of
members
in
the
community
and
things
like
that,
but
yeah.
So
there
is
like
an
ongoing
effort.
This
probably
will
be
created
as
a
separate
issue
to
kind
of
look
at
the
results
from
but
yeah.
I
think
if,
if
we
don't
have
any
bandwidth
for
this,
we'll
probably
end
up
building
this
issue.
I
So
to
make
you
back
off
of
what
brandon
said,
so
that
survey
has
a
lot
of
this
information
in
it.
To
a
certain
extent,
it's
collecting
rural
information,
not
necessarily
industry
experience,
but
what
industry
that
they're
currently
in
country
a
few
other
data
points.
But
a
lot
of
the
cloud
native
survey
is
designed
around
kind
of
validating
the
work
that
the
group
is
doing
and
understanding
whether
or
not
our
products
that
we're
outputting
are
consumable
to
the
community
in
a
manner
that
they're
expecting
them
to
be
so.
H
E
H
E
H
A
A
A
D
E
H
B
A
E
A
Okay,
so
I'm
gonna
go
ahead
with
the
other
follow-up
agent
things
on
the
agenda,
so
review
of
other
the
the
tag
meetings,
the
apec
meetings.
Do
we
have
anyone
that
went
to
that?
Oh,
I
think
that
was
last
week,
so
we
shouldn't
have
any
updates
this
week.
So
I'm
going
to
skip
that
toc
meeting
updates.
D
D
There's
a
there's
a
harry
potter
joke
in
there,
but
all
that's
beneath
me
I'll.
So
I
believe
emily
already
took
care
of
everything
on
that
front
and
I
took
notes
slash
screencaps
of
the
remaining
pieces
there,
but
it's
pretty
much
like
a
a
wall
of
text.
So
if
you
guys
want,
I
can
just
go
put
that
in
the
notes
there,
because
otherwise
I'd
pretty
much
be
sort
of
wrote
repeating
a
dozen
or
so
slides
of
text.
D
A
G
A
I
Sure
so
for
the
supply
chain,
working
group
we're
currently
breaking
apart
our
user
stories
on
our
trello
board
to
help
refine
some
of
the
requirements
for
the
reference
architecture,
we're
hoping
to
have
that
wrapped
up
in
the
next
week
week
and
a
half
and
then
from
there.
We
can
start
assigning
engineers
to
create
subtasks
for
work.
B
A
I
So,
just
a
quick
reminder
not
related
to
the
triage
discussion
on
the
agenda
item
for
prs.
We
actively
encourage
everybody
in
the
community
to
review
prs.
It
helps
the
security
leadership
team
out
by
having
another
set
of
eyes,
go
over
everything
just
to
make
sure
that
we're
not
missing
stuff,
but
also
to
give
us
the
assurance
that
indeed
somebody
else
did
look
at
it.
That
is
not
the
author
makes
it
easier
for
us
to
go
ahead
and
merge
content
in
and
make
sure
that
the
repo
is
up
to
date
and
relevant.
I
D
There
we
go
so
two
quick
updates.
One
is
with
respect
to
build
packs.
The
I
put
in
my
assessment
there
and
I
just
have
to
make
a
copy
of
it
in
the
google
doc
self
assessment,
rather
than
the
copy
I
put
in
slack
for
tracking
slash
histories,
latch
completeness
and
I'm
just
picking
robert
right
now
to
see.
B
A
Yeah,
unfortunately,
for
now
you
have
to
talk
to
one
of
us,
so
just
I
think
just
paying
me
on
ash
and
then
we
will
update
it
for
you.
We
are
still
trying
to
figure
out
what
a
good
way
to
do
it.
Unfortunately,
there's
no
way
to
kind
of
like
dedicate
permissions
easily,
so
yeah
we
are
still
figuring
that
out,
but
in
the
meantime
you
have
to
bear
with
one
of
us
do
it
for
you.
E
E
E
I
think
the
the
folks
behind
them
toto
the
folks
behind
the
stick
store
are,
are
trying
to
structure
things
in
a
way
that's
conducive
to
work
and
outcomes,
so
yeah
marina.
I
don't
know
if
you
want
to
add
anything
to
that.
I
think,
like
the
team
expects
to
have
some
changes
occur
within
the
next
month
or
so,
but
yeah.
I
just
wanted
to
raise
that
for
visibility
and
awareness.
B
Yeah,
definitely,
I
think,
there's
a
lot
of
potential
in
in
all
of
those
projects.
You
mentioned
to
have
some
solutions
in
this
space,
which
is
pretty
exciting,
but
I
think
all
of
them
have
a
little
ways
to
go
before
before
they're
there.
You
know
so
so
that's
just
kind
of
the
way
it
is
because,
like
you
know,
trying
to
achieve
kind
of
you
know
a
really
well
defined
threat,
model
and
figuring
out
what
this
what's
problem
signatures
are.
Solving,
I
think,
is
a
really
key
step.
There.
B
That's
definitely
still
kind
of
an
ongoing
process,
so
if
anyone's
interested
in
that
or
wants
a
particular
thing
out
of
signatures
to
many
of
these
projects,
I
think
this
would
be
a
great
time
for
anyone
to
go
and
communicate
that
to
folks
so
that
we
make
sure
that
whatever
solutions
they
come
up
with
are
they
are
solving
the
right
problems.
Basically,.
E
Just
to
add
more
color,
the
like
the
one
project
or
while
the
one
effort,
I
wouldn't
call
it
a
project
necessarily
that
people
have
looked
as
the
candidate
for
cncf
or
under
the
cncf
umbrella,
doesn't
have
a
threat
model
and
doesn't
have
a
whole
lot
of
code
for
it
other
than
proposals.
That
is
notary,
v2
right.
So
I
think
a
lot
of
the
a
lot
of
the
concerns
step
from
there,
but
you're
attempting
to
to
bridge
that
gap
right.
B
Yeah
exactly
and
try,
and
basically
by
defining
that
stuff,
better
and
so
yeah
the
process
is
definitely
going
to
still
take
some
time.
I
think
that's
kind
of
the
main
takeaway,
but
I
think
eventually,
it'll
come
up
with
something
that
can
that
can
deal
with
this
as
long
as
we
figure
out
what
those
goals
actually
are
and
what
the
solutions
are
solving
for
they
are
yeah.
F
Yeah,
it's
more
of
a
question.
Is
there
a
place
where,
where,
where
we
have
these
projects
listed
or
a
place
where
we
can
keep
track
of
some
of
the
extremely
high
level
things
that
they're
that
they're
working
on,
because
I
think
it'd
be
one
of
the
problems
that
I
that
I'm
seeing
within
this
particular
space?
F
Is
that
there's
a
proliferation
of
different
approaches
and
projects
and
the
people
working
on
them
are
doing
an
amazing
job
working
with
each
other
and
communicating
with
each
other?
But
if
you
have
somebody
new
who's
coming
in
who
doesn't
understand
the
the
space?
It's
it's
incredibly
high
bar
for
them
to
to
even
work
out.
Where
should
they
focus
their
time?.
A
That's
a
that's
a
good
question,
frederick,
so
I'm
going
to
do
a
quick
page
for
our
own
connected
security
map
here.
So
so,
and
then
probably
interested
marina
can
look
at
on
to
this.
We're
trying
to
to
kind
of
consolidate
this
not
only
for
like
supply
chain
signing
stuff
providence
of
s-bomb
stuff,
but
in
general
for
all
of
cloud
native.
A
I
A
I
Recommend
that
this
potentially
be
brought
up
with
a
talk
at
one
of
the
talk
meetings
as
a
potential
concern
area,
as
as
we
identify
gaps
within
the
cloud
native
security
ecosystem
or
cloud
native
ecosystem,
proper
understanding.
What
some
of
these
challenges
are
and
which
projects
are
working
with,
which
other
projects
to
have
them
resolved
would
be
beneficial
for
the
larger
community
to
be
aware
of,
at
least
to
know
where
to
go
to
get
involved.
A
Yeah,
so
I
think
that
one
of
the
one
of
the
next
steps,
I
think
we
we
have
an
issue
somewhere
open-
I
think,
probably
like
a
year
ago
on
this,
so
the
plan
was
to
finish
up
the
map
and
then
kind
of
like
evaluate
the
map
and
take
a
look
at
the
gaps
there,
but
there
seems
to
be
some
kind
of
other.
There
seems
to
be
a
lot
of
knowledge.
That's
lying
around
that.
I
think
we
should
kind
of
take
that
off.
A
E
C
A
E
We
we
care
about
having
a
a
standard
for
this
format
that
gets
used
across
the
board,
because
there's
there's
many
many
different
approaches
and
and
there's
it's
a
disservice
to
the
community,
to
like
make
a
king
out
of
one-
that's
not
complete
yet
and
well.
If
we're
going
to
put
all
hands
on
deck
because,
like
we
think
we
have
the
brightest
minds
with
the
most
experienced
like
work
through
all
the
security
aspects,
capture
it
and
put
this
out
and
we
get
we
get
container
dt.
E
A
A
F
Okay,
so
a
short
update
on
that
so
alex
had
taken
on
the
initial
setup
of
the
of
the
group
to
get
us
all
started,
alex
barbato,
I
think,
was
how
to
pronounce
it,
and
so
the
idea
was
for
the
first
month
that
he
drives
it.
We've
gone
through
that
we've
had
the
initial
setup,
which
I
think
went
really
well.
An
initial
populated
spreadsheet
that
spreadsheet
is
is
available
for
people
with
view.
It
should
be
linked
in
the
flash.
F
So
if
you
want
to
take
a
look
at
that,
they
can
see
it
we're
moving
on
to
the
next
phase,
which
is
going
to
be
we'll
we'll
select
a
new
person
to
drive
the
next
stage
of
what's
going
on,
and
once
we
have
some
scope
on
what
the
next
steps
that
we
want
to
take
on.
It
are
then
we're
going
to
start
doing
call
outs
for
more
people
to
volunteer
to
participate,
so
just
want
to
put
that
status
down
for
the
security
controls
group
thanks.
A
C
C
C
C
So
we
published
the
survey
in
february,
I
want
to
say-
and
then
we
closed
it
early
last
month.
So
after
that
we
started
compiling
the
results,
we
got
good
help
from
cncf
as
well.
Amy,
especially
helped
a
lot,
and
we
were
finally
able
to
compile
the
results.
There
were
about
70,
plus
participants,
and
a
pr
with
some
of
the
details
is
open.
C
C
So
what
I
want
to
do
is
share
the
summary
and
the
results
and
the
graph
and
base
based
on
that
get
feedback
from
all
of
you
in
terms
of
whether
this
makes
sense.
What
are
the
possible
next
steps?
We
should
be
working
on.
Are
there
any
projects
coming
out
of
this?
What
updates
would
we
want
to
make
to
the
white
paper?
Who
would
be
interested
in
all
of
that
anything
else?
You
would
add
before
we
dive
deep.
I
Emily
nope
other
than
just
folks
that
are
really
interested
in
this
there's
a
lot
of
great
content
that
came
out
of
this
survey,
we're
hoping
to
take
advantage
of.
So
I
encourage
everyone
to
take
a
few
minutes
read
through
the
pr
it's
linked
in
the
notes,
as
well
as
displayed
here
and
comment
on
the
issue
with
anything
that
you
think
might
provide
value
as
next
steps
or
how
we
can
provide
a
meaningful
and
significant
update
to
the
paper.
Smaller
changes
are
not
not
usually
an
issue.
C
C
So
so,
then,
that
that
was
interesting
to
me
and
what
probably?
We
is
a
good
reflection
of
how
we
are
sharing
the
survey
or
the
white
paper
is
that
the
beginners
are
not
getting
the
links
and
the
communication
that
we
are
sending.
So
this
can
be
seen
by
maybe
people
who
are
new
to
the
community
not
being
able
to
participate
in
the
survey
or
being
the
least
quite
significantly
at
that.
C
This
one
was
very
interesting
and
I'll
tie
this
back
to
another
question
after
this,
so
vulnerability,
management
and
secrets
management
was
the
most
selected
answer
and
instead
of
what
I
thought
would
be
the
most
selected,
which
is
supply
chain
security
and
the
only
way
I
could
think
of
why
that
would
be.
The
case
is
probably
because
we
are
spending
so
much
time,
effort
and
communication
on
supplies
in
security.
C
C
C
This
one
was
also
not
surprising
for
me,
where
the
most
number
of
people
responded
would
prefer
not
to
disclose,
even
though
the
survey
was
anonymous
for
people
who
were
not
following
earlier
and
then
the
other
ones
after
that
were
vulnerability,
exploited
or
cryptocurrency
miners,
which
is
fairly
well
known
by
now
and
ransomware
was
there,
even
though
maybe
we
missed
the
timing,
probably
because
ransomwares
have
grown
in
number
and
prevalence,
quite
quite
more
than
when
the
survey
was
released.
So
probably
this
number
may
have
been
higher
it.
C
It
also
maybe
means
that
in
cloud
native
environments,
ransomware
impact
has
been
lesser
compared
to
other
environments,
so
the
next
one
was
cloud
native
security
skills.
So
basically
the
answer
was
we
want
everything
and
which
is
which
is
hard
to
do,
and
it
only
tells
us
that
there
it
cannot
be
one
single
person
who
is
responsible
for
cloud
native
security
in
your
company.
There
has
to
be
a
team
which,
which
makes
sense,
and
maybe
each
of
them
can
be
responsible
for
all
of
these
options.
C
The
other
one
was
which
of
the
tools
you
currently
use.
So
this
ties
back
to
the
other
question
where
people
were
saying,
we
need
vulnerability
management
and
we
are
worried
about
that
the
most.
At
the
same
time,
they
are
also
saying
that
we
use
image
scanning
more
than
any
other
control
that
we
have.
C
C
C
C
G
H
Yeah,
so
this
is
a
big
conflict
with
the
many
of
the
projects
want
easy
development
by
default,
and
so
that's
in
conflict
with
people
who
are
like
yeah,
but
don't
give
me
a
bucket
of
bits
like
as
a
developer.
I
would
rather
have
we
have
default
security
for
this
scenario,
and
I
can
figure
out
whether
my
scenario,
how
it
differs
in
that
scenario,
rather
than
what
is
typically
presented
to
me,
which
is
everything's
different.
You
decide
and
I'm
like
I
don't
know
your
product
do.
H
A
I
So,
in
the
interest
of
time,
I
think
that
this
is
something
that
we
should
schedule
another
meeting
to
talk
through
a
little
bit
more
about
like
secure
defaults,
and
what
does
that
mean
to
us
and
what
kinds
of
things
that
we
could
potentially
look
at.
There's
a
lot
of
opinions
in
this
space.
There's
a
lot
of
evidence
about
what
does
and
doesn't
work,
and
it
kind
of
marries
up
more
with
what
our
use,
what
our
users
are
expecting
and
the
different
roles
and
personas
that
they
take
on.
C
A
I
I
think
that
that
probably
is
not
so
much
on
the
sandbox
side,
maybe
on
the
like
graduation,
there
can
be
a
bit
more
emphasis
on
that,
but
it
seems
like
they
will
come
back
to
us
for
that
recommendation
as
well.
So
it
could
be
part
of
the.
Maybe
could
be
better,
be
part
of,
like
the
joint
review,
to
have
half
that
as
like
a
affected
to
chime
in
on.
C
A
A
A
A
Awesome
thanks
for
sharing
cool,
we
don't
have
that
much
time
left
so
go
to
the
last
two
topics
are
pretty
straightforward.
I
think
the
first
one
is
on
the
triage
team.
So
so
we
saw
a
little
bit
about
the
new
changes
with
the
triage
in
this
meeting.
So
what
we
are
trying
to
form
is
we're
trying
to
find
a
triage
lead.
A
A
A
Yes,
emma
yeah,
like
they
said
this
one
right
after
this,
so
you
want
to
drop
by.
I
will
also
put
the
I
will
put
the
the
link
to
the
google
meet
in
the
zoom
link
in
the
slack
channel
tech
security
triage.
So,
if
you're
interested,
please
join
the
section
as
well
yeah,
so
what
we're
going
to
go
through
usually
at
these
meetings
is,
you
know
initially
to
get
everyone
on
the
same
page,
to
talk
about
bit
about
how
we
are
tricking
things?
A
A
G
I
have
a
couple
of
things:
brandon,
the
first
one
is:
let
me
open
my
yeah.
The
first
one
is
the
serverless
security
white
paper,
so
this
is
call
for
action
for
everyone
and
request
if
you're
interested,
please
tag
yourself
to
the
issue.
I
know
we
had
some
hiccups
in
setting
up
an
initial
meeting
because
our
time
zones,
some
of
our
project,
leads,
are
unable
to
attend
the
u.s
time
zones,
but
andrew
is
working
on
setting
up
a
brand
new
kickoff
meeting.
G
G
G
So
if
anyone
from
this
team
is
interested
in
participating,
please
tag
yourself
to
the
issue
and
I
can
forward
the
slack
channel
information
as
well
as
the
project
team's
white
paper,
where
you
can
start
contributing
to
that
as
well
any
interest
you
can
ping
me
also
directly
and
I'll
help
you
connect
with
the
right
resources.
There.
G
Sure
I
will,
and
in
the
issue
itself,
I've
provided
the
slack
channel
there
as
well.
So
I'm
happy
to
do
that.
Brandon
and
the
last
one
is
the
it's
a
new
initiative
about
attack
matrix
for
cloud
native
technologies.
I
know
mitre
has
come
out
with
one.
Microsoft
has
come
out
with
one
just
wanted
to
know.
G
This
is
more
for
our
detection
and
response
teams
right
so
that
they
can
leverage
this
as
well
as
to
where
to
go.
Look
today,
stock
teams
are
challenged
as
to
how
they
can
manage
their
attack
surface
in
their
cloud
native
world,
and
the
goal
is
to
provide
them
more
guidance
and
information
on.
This
is
where
you
start
looking,
and
this
is
how
you
kill
these
type
of
attacks,
and
this
these
are
the
data
points
you
need
to
gather
or
correlate
to
even
identify
these
attacks.
G
B
F
G
H
Just
that
I
wanted
to
draw
your
attention
to
the
chat.
There
was
a
question
about
when
we're
actually
doing
like
so
we
we
started
last
quarter
doing
a
quarterly
roadmap
meeting.
It's
on
the
planned
agenda,
planned
meetings
list,
but
without
a
date
does
that
mean
that
the
next
working
meeting
will
be
a
roadmap
discussion.