From YouTube: CNCF Security TAG Regular Meeting 2021-08-25
A: Up the notes back in the chat again for those of you that are just joining us. Going to wait about two more minutes before we get started. I will paste them again. If you could click the link in the chat, go ahead and add yourself to the attendance. Be sure to put your company, if you have one, and if you were on any projects or working groups, any updates that you may have for projects that are ongoing within the TAG. We'll do a round robin of quick project updates for what's going on.

A: All right, let's go ahead and get started. Hello everyone, just a reminder that this meeting is being recorded and posted to YouTube shortly thereafter. Your participation in these meetings is an agreement to abide by the cloud native security code of conduct, which can be found in the repo. If I could have someone volunteer for scribe. Thank you, Rory, I really appreciate that. For existing members and working group reps, please remember to include your organization/company, along with the working group that you're involved with, and if you have an update on that.

A: Oh hi Phil, nice to meet you. Same here, I'm lurking. All right, so we didn't get quite as many new issues in the queue yet, so I'm not going to spend a ton of time going through them, but I do want to draw everyone's attention to the repo. We're going to have a couple of items that are going to be brought up today from John and Pushkar; we'll cover those on the agenda later. But we do have two new presentations coming to upcoming meetings, so if you're interested in attending them, there are dates on the proposed agenda items up above in the meeting notes document.

A: All right, project updates. Audio: who from the audio group can talk about what's going on with that?

A: No one? Okay, how about supply chain group?

C: Yeah, I guess I could give a quick update on that. So we've started with the set of authors, or so the set of authors who can actually dedicate a reasonable amount of time to it. They've been introducing a whole lot of content into the doc, and I will bring it up and link it in chat. I don't know, you might need to request access to it, because I think we're trying to just keep it, you know, mostly just the folks who really want to contribute at this point. But yeah, so stuff is still going on in there. We're still looking, obviously, for more folks to provide thoughts, provide feedback. You know, we're definitely looking for anybody who is interested in helping out.

A: Awesome. Serverless?

D: We have, there's a bunch of work in progress on the paper itself. We've been sort of challenged to find additional contributors. So, of course, if you want to join the effort, now's a great time to join the effort. We had a leads meeting yesterday afternoon to kind of figure out how we're gonna try to unblock the effort and sort of figure out what is a new set of reasonable timelines to get the paper to review, which, you know, continues to be a bit of a moving target, sort of due to the lack of participation. I don't know if Aradna wants to also mention anything from that meeting.

E: Yeah, thank you, Andrew, for providing the update. We got together last night and we discussed timelines. We'll have to shift to the right, partially because of KubeCon and all the other conferences coming up, and participation being low in the United States. We're trying to readjust the timing of the meeting so we can find more contributors who can participate. With that said, there's been some progress made on the paper. We put together a table of contents, and now several sections have been filled out. We just need to review and start commenting on the content that is there, because different people have different understanding, and so we want to make sure generally we are in agreement with the content. And that's pretty much the update on serverless.

F: Sure, so 554. I'm going to share a screen out for a second. I'll put the link to this comment in the chat. So where we are right now: we got to write in on this over the last week or two, the sort of thoughts we're seeing on the screen right now, what I've been putting together. I think we're at a point where we're sort of ready to close this bad boy out, but we'd love to get input back from, you know, the community in the TAG about how can we sort of improve what we're doing here. And I think really, if I sort of go down, and if you want to read the learning, it's probably too small to read on the screen; I'll talk through the highlights. Bless you. But what we're seeing is probably two things we need to. It seems like there's value, there's definitely value in what we're doing, right; the projects out there, when we first engage with them, they love it. So I think it comes down to sort of having, as we can figure out, how do we make that? I don't use the word process, I want to be a little more pally and friendly, but at the same time, what we're seeing is we lay out sort of a timeline of, you know, week one, week three, week five, these are sort of things we're expecting, we want to help you with, but do it on a timeline. That seems to be really of value. As we originally were thinking this would be a week or two, it ended up being, I don't know, a month or two, and I think that's sort of because of that we lost some people. So I think if we sort of tell people, both on our side and their side, up front how long this is actually going to be, and then additionally sort of figure out how to time-box that, that'll probably help. And then the last thought I had from it: I love the idea of a pal, right. I love the idea of, you know, it's a single person going out, it's personable, we're going to help that project, we're going to figure out as a security person what they need and what they need help with. But that becomes a single point of failure on our side. So is there benefit, or how do we sort of have like a pool of people that would sort of loop through, and sort of if one person's be, someone else can reach out to them, and how would that, what does that look like? So that's sort of my thoughts with it, but love to get feedback from people and any thoughts.

E: Yeah, so we had a meeting yesterday, and it seemed like we need to have a discussion on scope of that project and what we are going to cover, because generic security controls you can find in all frameworks, right. How do they apply to cloud native platforms? And then are we addressing, you know, infrastructure as a service, bare metal? You know, a container as a service or function as a service? We need to provide detailed guidance around controls in those three categories at least. So we have set up some time at the following meeting, which is next week; we'll have a discussion on scope and then start delineating how we split up the existing controls and map them to the details, because at a higher level these controls are not so useful, unfortunately. Because data at rest encryption, everybody knows we need to do that, but how does that apply to a cloud native platform, and which layer, right? So that is the discussion we had, but yeah, still forming and norming. I think over time we'll evolve.

A: All right, those are all the project groups and working groups that I have on our regularly scheduled meeting, so now regular stand-up from folks. I have one update: the Cloud Native SecurityCon schedule has been posted, so if you were holding back on your registration because you weren't sure what the content was going to be, it is now available for you. So please jump in, get registered for either in person or virtual. Please pay attention to the in-person requirements, and we hope to see you there, either online or in person.

A: Next up for updates. Let's see here, Frederick.

B: Sorry, yeah, Meet was a bit difficult to get to, and they cut out for me for a brief moment. Is this just for my personal update?

B: So I just wanted to give a heads up that some people from there may reach out to some of you in the near future, and if you give them some attention, I would greatly appreciate it. And I also instructed them to put together a short presentation, around 10 minutes, and to submit it for here, where you can see what kind of things they're doing. So I just want to give you all the heads up.

A: Greatly appreciated. I think the next update is Pushkar, and you're actually on the agenda for today, because I think I guilted you into it.

G: Yes, can everyone hear me fine? Okay, so I'll share quickly some context and the link to the issue. Basically, when we did a retrospective and review of the survey, one of the feedback from the respondents was, we want everything to be secure by default, and then that led to a very nice and useful debate from all of us about what secure default means. How can it be applied? What are the problems in applying it sometimes? Which meant it might be worth breaking out on that topic and sharing our point of view to the community and everyone else about what it means for us. It could potentially be a blog post. It could be maybe a webinar. It could also trickle down into the whitepaper version too, but we need an owner for it. So what I'm asking for from everyone is, if you feel really passionate about it and have something to share and want to drive that, there is an open issue where we can basically mold it the way you want it to. Just pick up that issue, and if there's anything I can do to help review, write it, or make it part of the white paper, or set up webinars.

A: Thanks, Pushkar. So we've talked about this in the past during one of our sessions, and I wanted to bring it up yet again, because I think this is something that's important, and the end user community is specifically requesting this as a potential area for us to provide real value to them. And we want to be able to act upon the feedback that we're receiving from the surveys, make sure that folks know that we're paying attention. There's a few different avenues that we could go about doing this. We can start with something that's very small scale, potentially choose a project that's currently up for graduation and work with them to kind of identify a secure configuration for that project, or maybe even look at it, working with them to establish some secure defaults, or at least security-specific documentation about that particular project. So there's a bunch of different ways we could do this. As Pushkar said, there's blogs that we could write.

G: I like that idea a lot. Maybe, I hope I'm not putting you on the spot, John, but would Security Pals be able to find maybe a potential project that's around that phase, where they're thinking of graduation, and kind of we jump in and say, hey, we've been also getting this feedback. Is this something you would want to consider as part of your graduation process?

F: Yeah, I think at least for me, I can do a better job of keeping track of when those projects are getting closer to graduation, and then we can sort of... Maybe we can sort of sync up offline and see if we can find, if you test that out on.

H: I think talking to projects before graduation is good, but actually, it is one of the things that is good to fix in a project early, because it defines how people expect to consume projects, and what users have to do, and those kinds of things. So it's actually, it is something that's helpful early. I know that it's often quite difficult; people find it difficult to change insecure defaults later on, because it's like, well, everyone's used to it being like this.

A: So it sounds like there's two potential ways of going about this: projects that are seeking graduation, to kind of do an initial kind of help push from a security perspective, but also shifting left and moving closer to projects that are trying to gain some traction within the community. So I wanted to kind of focus on this today. This is the only specific topic agenda that I had besides Security Pals, because I wanted to get folks thinking about it. How could we potentially start small with this, build momentum, be able to demonstrate value back to the end user community, and then continue to kind of drive this across multiple other projects?

H: Yes, one option might be, if we could, can we come up with anything around just principles for secure defaults? So, you know, if you're doing communications, you should always be using encryption. It's a fairly basic one, but just having those and saying, well, here's some basic high-level secure defaults that we could give to projects early on, and so here's areas you should be thinking about, without having to, like, super drill into while they're still working on it.

A: Yeah, Michelle mentioned that as well.

I: Hi, yeah, that was exactly what I was thinking. You really need a pattern or a principle statement if you're going to sort of have that philosophy be thematic throughout configurations and products, that there are capabilities that are part of the CNCF suite of sandbox or incubator projects, I think.

G: There won't be a single project that does everything, but there may be projects that do two, three things in those set of principles, which would be a good thing for people to refer to, saying yes, there is previous state of art, and this is not something that everyone is going to start doing suddenly.

I: So my feedback to that is that you may want to keep it a bit generic in terms of principles.

I: You tend to want to make them more abstracted away so that it becomes more philosophical, and then it's easier also for reusability, so that it's a way of infecting organizations, because then the architects will be lazy and just copy and paste what we've written, which means it embeds into an organization more easily.

I: Yeah, I write patterns all day. I, like, Capital One used to love to write them, a pattern, right, all the time, so yeah. And I also have principle statements and patterns on my blog, so I'm kind of used to writing those. So, but with somebody, because I've been kind of in and out of the CNCF security group because of job changes and stuff. So.

G: Yeah, no worries. I mean, I'm definitely happy to lend my hand and whatever I know about it. It would really help, Michelle, so that we don't lose this kind of discussion, to maybe share your thoughts on the GitHub issue with interest to work on this, so that we could potentially assign it to you and then start seeing where this goes.

A: Awesome, that's been great discussion. So that issue is 734 in the repo; for folks that are interested or would just want to watch the discussion, go ahead and comment on the issue. I see this as kind of like a larger overlap effort, or the natural next progression of the Security Pals work, as well as the most recent updates to our security review process, and see how we can get projects to be a little bit more active. John, you had something?

I: Yeah, yeah, yeah, that's pretty typical, like principles, patterns, maybe sample, like, implementation. Like specific implementation patterns, I mean.

I: Go both ways with patterns. Like some pattern work is kind of very abstract, but it could also have specific examples. I mean, I've personally done both; I'm sure everybody else has too.

F: But just the idea, I don't know if it would be like a security pre-pal, like could we have something in a section of the TAG, of like, hey, you're starting a project? Here's some suggestions we have for you, just like as you're getting going.

G: I wonder if there is a template for CNCF projects, for when you create a repo for it, where we can add a markdown saying these are the secure by default principles coming from TAG Security, and it is something you could follow. That might be a clear, natural way of maybe sharing without a lot of bandwidth consumed from the group.

G: Oh nice, I like crosstalk work, so I can definitely help out on that, but if somebody can, more than one people can also start writing the principles.

E: The principles, this is a rad now.