From YouTube: CNCF Security TAG Meeting 2021-05-26
A: Oh yes, the "also known as" thing. I've been doing that for a very long time. It really only tickles me. I think people find it strange, but I...
A: Fair enough, appreciate that. All right, I'm just gonna power forward. Everybody cool with that? Awesome. So we need scribes. Ash volunteered, good enough. I think, typically, we've been getting along with one official check-in from partner groups. I know people are still filling in attendance. Mark, did you have an update from the NIST NICE community?
F: Yes, I'll keep this short. So NIST NICE is kind of the education side of the NIST operation, and if you want to have input to their curriculum, this is an opportunity to be part of that community. So there's a meeting this afternoon, but I haven't been before, so I can't attest to the quality, but there's definitely a need there.
A: Okay, I don't see any other general attendee pending updates. One thing is, for review of the other meeting, the other Security TAG meeting, I looked through their stuff. There wasn't too much, but I did notice that they mentioned the community.cncf.io content, so I ported that note over. And then my thought on this was to kind of power through the couple of talking-point agenda items first for the presentation.
D: Thanks, Chase. So issue 635, it's linked in the doc, was something that I had mentioned casually in the channel to try to understand whether or not there was an appetite for this. This kind of moves towards the exploratory auditability portion of our FY21/FY22 roadmap, as in it is one way of exploring this particular area.
D: The cloud native security controls, in my opinion, which is just mine, very opinionated, is a way for us to assist organizations in understanding implementation specifics about the Cloud Native Security Whitepaper and the Software Supply Chain Security paper, and to build on top of that body of work to provide auditability against some of those recommendations.
D: There's a lot of information in the issue, and the last comment I have on the issue is kind of a sampling, a stubbed-out framework with the listing of controls, because I have spare time and nerd out about this stuff. So if anybody is interested, I'm trying to understand whether or not we should turn this into a formal proposal that we can begin work on and therefore turn it into a project. I know that there's a bunch of folks that have commented on the issue.
E: So my vote is yes, and the reason for that is I've been invited by FFIEC to provide a training to their examiners on auditability for cloud native platforms. So this will be interesting input for them.
G: No reason to add to this as well. So I've been joining in on the meetings that the NTIA have been setting up, and they're going to provide guidance to NIST on this, and their approach is very... It seems to be well aligned with some of the topics that we've spoken about here. Like, they're being very conservative, because NIST is being very specific on the type of input that they want, but they're looking at trying to push things like SPDX, which is a Linux Foundation project for the software bill of materials. They're looking at what other controls they can possibly put on in the future as well, and I also shopped the idea around to a couple of other groups as well, including the IEEE Future, which looks to try to come out with guidance for telecoms and service providers for the next five to ten years, and I pitched this as something that they can look at if they wanted to perform some form of a standardization track on it.
D: Yep, so this one is, I spent some time going through the issues that we currently have open, trying to close out some of our long-standing ones that have either been superseded by existing work by the group, or no longer apply, or we just don't have enough information or the bandwidth or the current interest to pursue.
D: So this issue, 638, is a creation off of another issue that was used to track groups for collaboration and partnership.
D: So it's been recommended in the past that it would be beneficial for our group to provide situational awareness on other efforts within the community at large, as well as within industry, where their principles and goals kind of have some level of alignment, in case members want to do cross-collaboration with them. So that's issue 638, really initially just looking for someone to kick off a PR with the contents of the previous issues that have been closed in this area and getting it set up into the repo that way.
H: Hey Emily, this is Pushkar. I can take care of this, if there is a way to assign myself, or you can assign.
A: Okay, real-time collaboration. The next agenda item is from me. So essentially the idea is, we have the Cloud Native Security Whitepaper. It is in text/visual format only. Wouldn't it be swell if there was an audio recording that you could listen to? This could be one narrator, this could be multiple narrators. Soliciting for interest here.
I: On that other issue, sure, to maybe inspire people, we have a couple of people from down under who have volunteered to record. I love the idea of having English... The idea is to have native English speakers, right, do the recordings, and if we, you know, can get different people across the planet, I think it would just provide a great richness. So if you, and I think we have some at least North Americans, if not just US, I'm not sure, but you know, if you're a native speaker and you have an accent that is not represented, or like a voice, I just want to encourage people to chime in. And I also chimed in an idea of, you know, potentially doing a live thing that could then be post-edited to kind of speed things up.
H: One thing I wanted to add: there is one... so many of you probably know Nigel Poulton, so he has an audiobook related to Kubernetes that he basically gave voice to by himself.
H: So things like how do you read a YAML if you are actually talking about the book, or how do you talk about JSON text that's in your book, so those kinds of things might be useful. Maybe it won't be useful. So if you feel like whoever is going to work on this would find that beneficial, please tag me on the issue and then I can start a conversation. I can't guarantee if he'll be available or when he'll be available, but I'll try.
A: Yeah, some pro tips on deciphering non-narrative content would be pretty welcome and interesting, I think.
H: Yeah, I had one update, Chase. Sorry, I added it later, if I can go now instead of later. So one quick thing I wanted to check with coaches and athletes and everyone else is: we had the survey out for the Cloud Native Security Whitepaper for about two, three months now, and so far, last time I heard, we have about 70 responses from participants, and I think at this point in time it feels like the right time to close the survey, for two reasons.
H: One is 70, I think, is a fairly good enough number, and second is this will give us enough time to look at the responses, figure out what we really want to do and update the paper accordingly before KubeCon North America. Is that in October? I think so. That's what I'm thinking, and if anyone has other thoughts or some other ideas, I'm open to discuss it here or on the issue.
J: I'll go ahead and introduce myself. I've been part of the group for a little bit now, but haven't made meetings, unfortunately, so I'm happy to make this one. Chris Hughes here, I'm in Virginia Beach, Virginia, in the US. Definitely a big fan of the work that you guys have done with the whitepapers around cloud native security best practices and the supply chain security paper that just came out. I have about 15 years of cyber experience, mostly in the public sector, with DoD and other federal agencies, and, you know, really passionate about cloud security and cloud native architectures, and happy to be a part of the group and definitely interested in the piece around tying some of the practices from the whitepapers to certain security controls to make them actionable. So with that said, just happy to be here.
K: Next, this is Yani, and this is the first time I've joined this meeting. I just joined the security Slack channel, probably last week. I spoke with Brandon previously, and we actually work in the same company in a security area, just a different organization, and I've been working in the security area for almost over a decade, mainly in development. So the areas I work on include compliance auditing and identity and access management and encryption. So I'm very interested in the security area and, if you're passionate about it, I would like to get to know more about this community group and see what I can contribute to some of the items that I just discussed.
L: Yeah, I can go next. Hello everyone, my name is Sripad Narayana, I'm a senior technical staff member at IBM Research. Again, a colleague from college of Brandon here, and my research focus has been on DevSecOps for the last couple of years. I'm the chief architect of the DevSecOps solution we made available on IBM Cloud, it's called Code Risk Analyzer, and currently I'm basically working on the topic that we have been discussing, like supply chain security and generating this bill of materials. How do you make this more complete and accurate for microservices? So that has been the focus of my current work, and one objective I'm basically driving is more collaboration with, and driving it with, the open source communities. So I'm really happy to be part of this community and join this group here.
E: Now, you know, I think I've been on and off a few times in the group, I've been irregular. I work at Charter Communications, which is an internet service provider, and mainly focus on cloud security, infrastructure and operations. So it's mainly in a public cloud as well as container workloads. Hopefully I'm planning to, you know, stay more involved with the group and not keep playing peek-a-boo, and get more involved with, you know, development and other issues to work on.
A: And I guess Brandon is building some kind of coalition, so if this were a reality TV show he would soon try to vote the rest of us out. But with that, I believe we are, and I hope that I'm pronouncing it right, is it Raga?
B: So, Cloud Native Security Lexicon. Basically this was one of the ideas that was proposed in the CNCF at the Security SIG, which is now TAG Security. Why basically we want to do this project is: cloud native security, the cloud native ecosystem is growing, and the number of cloud native projects is huge.
B: Many cloud native projects perform multiple functions, and there have been some confusions in the security terminologies, and we feel that a few terminologies are overused, or used as a catch-all umbrella, incorrectly presented or misused. Or, you know, some concepts have not even been defined, so we feel this is the right time to, you know, ensure all the community members have the same understanding of the terms and definitions and how they fit in their software development life cycles. This is the reason we initiated the Cloud Native Security Lexicon.
B: So the idea of this paper was to start off and identify some of the commonly used terminologies which need definitions, and provide some simple definitions to begin with, and then go ahead and give an initial organizational usage of these terminologies.
B: So this is where this paper is at currently, and we have the first draft ready, and we intend to make this a single source of reference for all the security terminologies for the CN landscape, and once the paper is complete, we intend to include it in all the CNCF projects as a reference point for the terms to be used in the context that is defined by us. So that's where we are. As I mentioned, the first draft is ready and we are currently doing the internal review. Once that is done, the next step for us is public community review, and we will be sharing a mail to the email list we have, and a post on the channel will be coming soon. Yep, that's from me, quick and short.
B: Awesome, any questions? Yeah, we have, you know, the Slack channel where we are communicating, and we'll be happy to have you all on board. Please do chime in and give us your feedback and suggestions on improvement, and I think we're happy to have you.
D: Yep, so to piggyback off of that, everyone, we would like you to take a look at this. So while not super long and intensive, like the pre-existing papers that we've had, it's important for us that we get all of the community, of varying backgrounds and skills, to go through some of the terms that are introduced, or re-introduce the definitions that we have, and provide some more context, and make sure that we're being clear in our definitions, our expectations.
K: Just a quick question: how long is this review cycle?
B: I believe the first review, what we plan to do is by end of this week, and maybe later that we will consolidate all the feedback, and probably next week, Emily, can we share it to the rest of the community?
D: Yeah, well, I was thinking that we would just open it up for two weeks now, moving forward, and then we'll have about two weeks of adjudication for those comments right after. That way we give everybody time, because I know lots of people have meetings, things are going on in their lives. We want to make sure that they've got an opportunity to provide feedback.
I: There's a question in the chat, or an implied question, from Mark, so I mean, you know, so he says here, I'll start my video. He said that it seems like the cloud part of cloud native has been de-emphasized in favor of process defining, and I think, from my perspective, within cloud native, there needs to be, you know, like sort of more clear definition of words, even amongst our own Cloud Native Computing Foundation community. Part of the motivation for this came... You know, there was a bit of confusion from our group's perspective a couple of months ago about what secrets management was, for example. Like the folks in this group were like, well, we're pretty sure we know what secrets management is, and then some other branch of the CNCF published something where people were surprised about how things were categorized, and so it came up at a TOC meeting, the Technical Oversight Committee, which we're kind of under their governance, auspices, and they said, well, they would... The whitepaper didn't really, you know, while it discussed all the terms and used them in context, it didn't really define all the terms to the extent that the wider CNCF community would need in order to do different activities, and so that was really a request that where this definition-of-terms whitepaper came from. And so this is, we're going to do this within cloud native, we're not going to be just defining general software life cycle terms, except where that's necessary, right, in order to discuss the other things. And my assumption is, and I haven't read the whole current whitepaper, is that, you know, if possible, like whenever something's not cloud native specific, or if there's another resource that we completely 100% agree with, we can just refer to that. We can say, oh, this collection of terms is defined over here, and that's actually, as a group, our preferred approach. If there exists a resource that is, you know, non-controversial and captures all the information that's needed, it's better to just say, hey, we're using this resource. There's enough work to do. We don't need to repeat something somebody else has done well.
F: Yeah, it's complicated, yeah. Let me mute this other meeting. Sorry. For innovation in your own career, what's happening within my enterprise is we're in a journey to cloud, but the cloud native technologies are front and foremost of the journey, so stuff happening on-prem is using CI/CD, we're using a lot of the same open source tools, we're dealing with supply chain, integration of open source tools, cloud and non-cloud, and then in places like telecom, which are kind of doing some leading edge work with cloud native, the meaning of cloud is non-conventional. It really is still cloud, but they're setting up stage data centers that are closer to the endpoints that they're trying to support. That also is, I think, a novel scenario for the use of this. So when I pitch this to the people that I want to bring to this meeting, you know, to go listen to the tape afterward and immerse themselves in the ecosystem, I'm trying to paint a broader stroke for this. I don't think it needs to change what's in the whitepaper, necessarily.
C: Yeah, I think that's a good point, and I think we do have... I believe we have an exploratory topic on this. So I think this is something that, you know, it will grow into it. Yeah. I personally am seeing some requirements of 5G come by, as well as, yeah, expanding the control plane of cloud native into the hdmi processor.
G: So they defend the data plane, but the control plane tends to be trusted as a perimeter, even across the boundaries, and that's going to be one of the challenges we're going to have: how to properly secure not just the things connecting in, but to also help with the control of the infrastructure itself, which is going to become even more important once we get edge data centers with 5G access points there.
C: Yeah, it's a really strange architecture, like you're saying, like the controller database now in totally different networks, sometimes.
G: Yeah, and like the protocol they use, like UTP, they literally assume that the environment that they live in is a secure environment, from my understanding of it, and that's something that we're gonna have to try to work out, how to deal with some of these issues.
M: This is Michael. I don't think I've actually done a formal introduction in this avenue, but I've worked with the security, or sorry, the TAG Security group a few times in the past. Just a quick ad hoc thing. Cole and I brought this up in the May 12th meeting, about signing supply chain artifacts with short-lived keys and timestamping. We had our first meeting that we organized that day, this Monday, and there was some interest with that group of people in creating a more organized working group, and I was just curious if there is a defined set of processes to get that going, or is this something we could just do, like, ad hoc on the side? Then that's how that kind of could work.
D: So that depends. If you check out the repo, there is a process for creating proposals and turning them into projects. We're still refining it, because it's not always clear, but for right now, you bring up a topic during one of these meetings. You create an issue. You flesh out that topic area a little bit more, with maybe one or two kind of deliverables that you're looking to get out of it. Thank you, Sarah, for posting the process in the chat. And then from there, you represent it again, because now you've got more information and you're trying to drive community engagement. Have folks comment on the issue. If there is enough interest, and the group has the bandwidth to support it, then we can move it from a proposal over into a project that's planned and scheduled, and then you go through and you do more planning about that. So this is something that we're trying to refine, so bear with us as we work through it.
M: Perfect, thank you, and sorry for missing the processes, but I really appreciate the talk-through in the forward.
D: I also thought I would chime in a little bit on, like, why we have this type of a process instead of a working group process. We sort of defined a bunch of our governance at a time when the CNCF was spinning down the concept of working groups in favor of SIGs, and there was a lot of discussion about... they had attempted to have working groups have a deliverable and dissolve, and then what would happen is a working group would do the deliverable, like, once a working group was established,
I: it wouldn't want to end itself, but it wasn't clear what they were doing next, and so that impedance mismatch was a little difficult for the leadership team. And so we had had success with multiple people just working on a GitHub issue, which has sort of a natural end when you close the issue, so that evolved a little bit and we, you know, started using GitHub templates, and it's worked really well for: there's a group of people that want to do a thing, and so you first collaborate on an issue. If it turns out that there's a serial set of things, then we create a team, which is really only called that because there was this, like, negative reaction to working groups at the time, two and a half years ago. So we have, like, a policy team, and we have... we don't actually even have a security assessment team, although maybe we should. Now that started as having an individual facilitator and having a series of issues.