►
From YouTube: The Level Up Hour (E42): IT security jargon and lingo
Description
A lot of terms get thrown around when it comes to IT security, and sometimes it's hard to keep it all straight. So in this episode, let's go through the various security buzzwords and jargon you've likely come across as developers. We'll explain any basics you may have been missing during the last episode, and some of the deeper topics we'll cover will be: authentication, authorization, attestation, DevSecOps, SPIFFE, SPIRE and anything else you can think of. So if anything in that sentence was a new term to you, buckle up because we'll cover it in this talk. Oh, and let's not forget TLS, which is *not* SSL, but everyone thinks it is.
Follow us:
Langdon White https://twitter.com/1angdon
Chris Short https://twitter.com/ChrisShort
What is the Level Up Hour?
Every Wednesday at 9am ET we stream live demos on how Red Hat Enterprise Linux (RHEL) users and admins can benefit their organizations and improve their careers by learning how to use containers, Kubernetes, and Red Hat OpenShift.
Learn more at:
https://red.ht/leveluphour
http://red.ht/3ayHlHI
How to participate in the The Level Up Hour:
Watch on YouTube every Wednesday at 9amET
Chat with us on Discord https://discord.gg/5VMVGJt
Check out our GitHub repo https://github.com/level-up-hour/
About OpenShift:
Red Hat OpenShift is an open source container application platform based on the Kubernetes container orchestrator for enterprise application development and deployment.
https://www.openshift.com/
https://github.com/openshift/
#RedHat #OpenShift #tluh
A
A
A
A
A
B
B
C
A
It's
like
okay,
now,
there's
a
tornado
watch.
Okay,
now,
there's
a
tornado
warning
and
it's
like.
Okay
to
the
basement,
we
go
and
spent
48
hours
without
power.
Almost
we
had
no
cell
service
cell
service
is
still
spotty
throughout
the
region.
Think
about
that
from
an
infrastructure
perspective
right
like
how
impactful
that
is
to
not
just
you
but
like
fire
safety,
all
the
other
things
that
are
involved
right
so
yeah
it
was.
It
was
interesting.
B
Yeah
right
right
so,
as
I
said
before,
I'm
lying
to
white,
we
have
a
bunch
of
special
guests.
Today,
however,
we
will
talk
to
them
in
just
a
minute.
First,
we
need
to
do
my
awesome
awesome
slides
because
I
spent
so
much
energy
on
these,
and
I
will
give
the
caveat
to
the
people
who
design
the
new
logo,
the
people
who
designed
some
graphics
here,
they're
good
at
stuff.
B
B
A
B
With
langdon
with
a
one
join
us
on
our
discord
where
we
chit
chat
on
occasion,
it
kind
of
goes
seems
to
go
in
cycles
about
how
how
much
we
end
up
talking
there
but
feel
free
to
join
us.
There
and
chit
chat
all
the
channels
there.
The
there's
every
every
show
kind
of
does
some
content
there.
So
you
know
feel
free
to
ask
about
any
of
the
shows,
but
mine,
obviously
in
particular,
because
you
know
and
then
so.
B
Last
time
we
talked
about
devsecops
and
kind
of
the
shift
left
idea
and
I
kind
of
realized
it
was
that
maybe
we
should
talk
kind
of
a
little
bit
more
basics
about
security,
so
I
invited
some
people
who
I
think
would
be
good
good
to
talk
about
it
and
they
are
here
with
us
today,
but
I
have
to
stop
the
slides
now.
So
I
don't
give
away
our
sweet,
sweet
internet
points
not.
B
Yet
so
why
don't?
We
start
we'll
start
with
randy
just
because
he
is
in
the
top
right
corner
of
my
screen,
and
so
why
don't
you?
Can
you
just
tell
us
a
little
bit
about
your
background,
introduce
yourself
and
as
we
you
know
my
terrible
joke,
but
you
know
red
hat
rearranges
itself
all
the
time,
so
I
never
know
what
each
department
is
called.
So
you
know
if
you
can
give
us
a
little
of
that
too.
D
D
Exactly
so
I
I
am
the
director
of
certification
at
red
hat,
and
so,
if,
if
you've
ever
heard,
the
term
red
hat,
certified
system,
administrator
or
red
hat
certified
engineer
or
red
hat
certified
architect
any
of
those.
I
manage
the
team
that
runs
those
programs
and
produces
those
lovely
exams
that
people
enjoy
taking
so
much.
D
B
A
B
E
E
E
Maybe
it
seems
like
today
we're
gonna,
be
speaking
about
security
and
how
it
ties
to
to
containers
so
I'll,
be
happy
to
to
to
give
my
two
cents
about
that
and
yeah
mostly.
I
focus
on
pipelines
and
and
devops
things.
So
since
we're
talking
about
devsecops,
that
might
be
a
good
topic
to
to
bring
up
today.
B
B
C
A
C
B
C
B
B
B
Now
that
you're
in
the
system,
what
things
are
you
allowed
access
to?
And
so
I
don't
you
know
I
I
don't
have
a
mnemonic.
I
don't
have
a
whatever
it's
one
of
those
things
I
just
kind
of
have
to
you
know
kind
of
periodically
like
catch
myself,
step
back,
think
about
it
for
a
second
and
remember
which
one's
which
and
then
the
latest
one
of
attestation.
B
It's
not
really
the
latest,
but
it's
one.
That's
become
much
more
important
in
recent
years
because
of
basically
the
proliferation
of
like
tiny
little
devices-
and
you
know
things
like
that
at
a
station.
Is
this
idea
that
you're
you're
probably
running
some
software
on
some
hardware
and
then
mechanisms
for
doing
that,
but
with
another
a
word
in
the
mix
that
now
throws
off
the
other
two
for
me
kind
of
even
worse.
So
so
those
are
those
are
kind
of
my
example.
A
C
So
I
struggle
with
firewall
rules
like
blocking
and
that
kind
of
stuff,
pretty
pretty
good
with
that,
but
especially
in
the
container
space.
There's
a
lot
of
forwarding
that
happens,
and
I
just
messed
that
up,
I,
I
may
or
may
not
have
had
to
drive
to
one
or
more
data
centers,
because
I
locked
myself
out
of
the
machine.
C
B
B
If
I
say
you
know,
if
I
make
a
an
operation
in
firewall
d,
it
will
operate
on
the
active
zone,
except
if
you
have
more
than
one
active
zone,
it
will
only
operate
up
one
of
them
and
I'm
not
sure
which
one,
maybe
you
know,
randy
who's
kind
of
more
on
the
training
side
of
things
I
don't
know,
maybe
you
know
how
to
figure
out
which
of
the
active
zones
it's
going
to
operate
on,
but
as
far
as
I
can
tell
it's
basically
random.
So
that
seems
fun.
D
B
E
Well,
I
know
one
of
the
things
that
come
up
quite
often
with
containers
is
like
the
capabilities
that
you
that
are
allowed
within
the
container
image.
So
like
the
things
we
handle
with
the
sccs
and
such
things,
and
it
can
be
pretty
daunting
to
understand
exactly
how
to
define
those
within
containers
and
kubernetes
space.
I
don't
know
if
those
were
discussed
previously,
but
that's,
I
think,
that's.
B
B
That's
a
really
good
one.
I
you
know
we
actually
we
had
dan
walsh
on
the
show
a
bunch
of
episodes
ago
and
one
of
the
things
that
I
think,
particularly
even
newcomers
today
to
linux.
You
know
our
system
administration,
you
know
whatever
think
of
root,
as
this,
like
you
know,
block
right.
You
know
it's
like
you
are
root
and
it
kind
of
is,
but
at
the
same
time
it's
gotten
so
much
more
sophisticated
than
that.
Now
you
have
all
these
things.
These
capabilities
right.
B
Root
has
all
of
you
know,
but
you
can
kind
of
parcel
them
out.
Individual
there's
individual
pieces
and
you
know
so
there's
it's.
This
whole
breakdown
a
much
more
sophisticated
kind
of
security
model
that
allows
containers
to
do
their
thing
and
allows
containers
to
do
more
than
their
normal
thing,
but
not
as
much
as
like
you
know
that
are
really
important
and
they're
just
getting
more
sophisticated.
So
you
know
really
think
of
thinking
of
root,
as
a
non-monolith
in
a
sense
is
really
really
important.
B
These
days
and
and
I
find
it-
you
know
like
it's-
it's
new,
you
know
right
to
randy's
point.
It's
like
you,
keep
changing
the
stuff
on
me.
I've
gotta
I've
gotta
catch
up
again
every
time
and
the
capabilities
are
tough
like
that,
so
yeah.
I
think
that's
a
great
example
as
well.
I
don't
know
any
other
examples.
You
know,
or
I
mean
I
know
chris
is
perfect
in
every
way.
So.
A
A
So
we
had
to
like
create
a
carve
out
for
that
vlan
to
just
kind
of
bypass
the
ips
and
ids,
because
it
was
picking
up
like
random
strings
as
like
vulnerabilities
and
stuff,
when
we
were
just
backing
up
stuff
from
primary
to
secondary
data
center
right
like
right,
so
it
was
like
how
did
this
vlan
end
up
way
over
here
on
the
edge?
That's
not
good
right.
So
then
that
was
like
a
whole
breakdown
of
like
okay.
Where
are
our
vlans
yeah
good
stuff?.
C
B
We
got
to
keep
those
guys
in
business
yeah,
you
know,
otherwise
they
get
lonely.
I
will
say
speaking
of
dns,
though,
like
one
of
the
most
fascinating
kind
of
tech
stories,
I
think
I
ever
read
was
wired
did
a
really
good
piece
years
ago
about
the
vulnerability
they
discovered
in
dns.
That
was
basically
what
was
it
like:
the
name
like
root,
name
server
hack,
and
it
was
basically
a
protocol
design
flaw,
and
so
they
basically
flew
in
people
from
around
the
world.
You
know
basically,
security.
B
You
know,
like
government
security,
you
know
took
over
and
we're
like.
We
we
need
this
solved,
please
all
get
in
a
room
and
fix
it
and
it
basically
changed
the
protocol
around.
I
think
it
also
led
to
dns
sec
kind
of
eventually
or
by
extension,
but
like
if
you
can
go,
find
that
old
wired
article
it
was.
It
was
really
good,
really
interesting.
A
B
A
No,
we
have
not,
and
I'm
curious
out
there
in
user
land.
What
kind
of
security
problems
are
you
hitting
today?
As
far
as
you
know,
you're
running
containers
you're
trying
to
run
them
in
production.
Maybe
your
security
team
is
pushing
back
and
needing
some
things.
Like
agents
installed,
that's
a
common
question.
We
get
jafar,
I
know,
and
you
know,
having
that
paradigm
shift
from
you
know
your
traditional
like
hey
all
these
vms,
have
all
these
agents
and
av
and
all
this
other
stuff
on
it
to
now.
E
So
so,
actually
sorry,
chris
there's
something
that
came
up
to
my
mind.
While
you
were
speaking
about
the
paradigm
shift
and
for
for
the
many
years
where
I
was
working
as
an
essay
on
openshift
one
of
the
biggest
security,
I
would
say
talking
points
that
we,
where
we
had
issues
with
the
customers,
were
how
how
how
they
could
trust
the
the
sdn
like
how
they
would
change
the
project
from
something
where
everything
is
defined
within
their
firewalls
and
they
have
application
tiers.
Where
something
is
hardly.
E
You
know
bounded
by
by
fire
ruling
rules.
And
now
you
start
talking
about
about
network
networking
managed
directly
by
openshift
with
with
network
policies
and
such
things,
and
it
was
something
that
took
a
lot
of
time
because
before
they
they
could
start
thinking
about.
Okay,
we
can
delegate
security,
networking
security
to
to
the
platform
itself
and
not
try
to
to
control
everything.
You
know
from
a
traditional
standpoint
right
and
yeah,
so
I
think
that
up
up
to
now,
it's
something
that
you
know
some.
E
Some
sysadmins
or
network
security
guys
still
prefer
to
to
handle
things
the
old
way,
but,
as
things
are
evolving
and
as
the
the
the
container
ecosystem
also
is,
is
maturing
up
in
terms
of
giving
some
visibility
allowing
us
to
to
get
some
alerts.
Whenever
you
have
some
networking
breaches
and
such
things,
people
are
starting
to
change
their
minds
and
and
start
to
embrace
that
new
modern
way
of
handling
network
security
within
the
container's
work
so
yeah.
That
was
you
know
I
I
wanted
to
say
it
before.
I
forget
it
so.
A
No,
it's
a
good
point
and
red
hat's
actually
giving
away
a
great
book.
I
contributed
a
part
of
it
as
well
as
many
other,
very,
very
smarter
people
or
very
much
smarter
people
or,
however,
you
say
that
than
I
but
it
you
know.
I
touch
on
security
in
the
book
in
a
cloud
native
context,
kind
of
from
a
high
level,
but
then
other
people
do
as
well
and
I
would
highly
recommend
you
downloading
this
book.
It's
just
basically
a
book
of
97
essays
from
97
different
authors.
A
A
E
B
B
A
B
Yeah
yeah
you
never
you
never
can
tell
so,
let's
see
what
else
would
I
would
I
wanted?
Oh
another
one
I
wanted
to
talk
about
was
so
another
one
that
comes
up.
I
guess
a
lot
for
for
people
this
one.
I
I
really.
I
think
I
usually
get
it
because
I
I
watch
too
much
gi,
joe,
the
cartoon,
but
so
red
team
versus
blue
team.
So
I'm
gonna
pick
on.
You
know
whoever
whoever
wants
to
answer
that.
B
C
I
was
so
red
team
versus
blue
team
is
basically
you
have
a
team
of
attackers
on
your
product
and
a
team
of
defenders
on
your
product,
and
usually
the
blue
team,
is
the
defenders
and
the
attackers
of
the
red
team,
and
so
it's
a
way
that
you
can
it
interactively
kind
of
get
real
people
to
test
the
the
efficacy
of
your
security
stuff
by
telling
them
no
holds
barred.
Do
do
what
you
got
to
do.
B
E
E
B
C
B
A
B
E
Are
the
papers
depending
oh
yeah,
yeah?
Well,
the
other,
the
other
meaning
I
know
about
about.
It
is
like
you're
trying
to
penetrate
the
system
and
like
trying
to
find
security
holes
and
basically,
as
you
said,
you
are,
you
know,
trying
to
hire
some
people
who
are
very
skilled
at
finding
breaches
and
trying
to
make
sure
that
you
you
you
find
that
ahead
of
time
before
releasing
your
products,
so
you
can
fix
the
security
holes
before
they
are
into
the
the
outside
work
right
is
that
is
that
correct.
B
B
Yeah
right
right,
yeah,
I
mean
so
on
the
security
side
right
like
I've,
never
kind
of
worked
in
a
place
where
I
would
like
hire
a
red
team
right
like
I've
always
been.
You
know
more
kind
of
on
the
application
side
in
the
sense
of
like
looking
at
like
sql
injection
attacks
and
things
like
that
and
making
sure
kind
of
that
the
code
looks
good,
so
a
bunch
of
that
when
you're
looking
at
kind
of
the
external
to
internal,
you
know,
I
don't
actually
have
that
much
experience
with
it,
but
yeah
it's.
E
Yeah,
so
so
so
since
you're
mentioning
it
one
of
the
craziest
rfps,
we
had
to
to
answer
to
had
a
whole
pen
test
section
where
actually,
the
guys
within
the
rfp
submitted
like
the
pen
test,
that
they
are
planning
to
execute,
and
it
was
something
for
openshift.
Then
they
had
like
10
pages
of
here
are
the
inject
the
code
injections
that
we
are
going
to
try
on
this
this
this
component
and
please
make
sure
that
you
know.
Do
you
ahead
of
time?
E
B
B
B
B
So
I
think
that's
a
really
important
thing
to
remember.
You
know
yeah,
I
commonly
will
say
things
like
you
know
when
I
write
a
software
application
today,
there's
like
a
million
lines
of
code,
maybe
maybe
more
underneath
it
that
are
provided
by
third
parties.
But
kind
of
this
is
the
beauty
of
open
source.
You
know
all
bugs
are
shallow
right
with
enough
eyes,
so
it's
unlikely
that
the
problems
are
going
to
be
in
that
million
lines
of
code
or
undiscovered
at
least
right.
B
This
is
the
whole
idea
behind
cves
and
the
jokes
we
were
making
about
dns.
So
most
you
know
the
first
thing
to
really
watch
for
is
kind
of
we're
talking
about
a
bit
last
episode,
you
know,
look
at
oasp,
look
at
those
kinds
of
things
and
look
at
your
application
and
make
sure
there's
nothing
missing
there.
So
that's
kind
of
the
first
thing
where,
where
else
would
you
go
look
you
know
what
what
other
kind
of
examples
would
any
of
you
have.
C
So,
for
example,
if
you're
based
your
stuff
on
the
universal
basis
image
on
july
20th,
there
was
a
important
cbd
issued
against
systemd,
yes,
which
affected
the
universal
base
image
if
you're
using
the
standard,
ubi
or
ubi
init
images,
and
so
we
rebased
or
rebuilt
the
ubi
images
to
account
for
that.
For
that
updated
systemd
package
that
was
released
by
red
hat.
But
if
you're
running
a
universal
base
image
from
four
weeks
ago,
you
you
don't
have
that
update.
E
That
showed
how
many
base
images
were
having
cves
and
how
how
behind
in
terms
of
versions
they
were
and
like.
So
he
was
monitoring
that
every
week
and
if
like
he
had
a
lot
of
images
that
show
up
as
not
being
patched
there
was,
like
you
know,
a
top-down
hammer
that
was,
you
know,
going
through
the
to
the
it
guys
to
the
project,
guys
to
make
sure
that
they
are
patching
their
images
accurately
and
not
staying
behind
x.
Many.
E
You
know
x
versions
compared
to
to
the
the
latest
one
that
were
rebuilt,
so
they
built
a
specific
dashboard
that
pulled
tags
from
like
the
red
hat
registry
and
that
compared
that
to
the
base
images
that
they
were
using
and
it
was
checking
if
there
were
some
cves
in
those
images
and
basically
showing
up
some
alerts
and
depending
on
you
know
the
gravity
or
you
know
the
not
the
gravity.
But
the.
E
Impact
of
that
of
that
security
issue,
the
cio
was
managing
that
himself,
so
I
found
that
it
was
pretty
impressive
to
see
that
they
were
taking
that
specific
topic.
That
seriously,
because,
as
you
said,
it's
you
know
it's
the
base
of
everything
you
run
on
the
platform
right.
So
if
you,
if
your
base
images
are
corrupt
and
they
are
not
correctly
patched,
then
it
can
spread
out
to
the
whole
platform
very
easily
yeah.
A
A
A
A
Maybe
even
hours
sometimes
is
getting
down
to
the
point
where
an
actual
like
tool
will
be
added
to
metasploit,
to
take
advantage
of
that
zero
day.
So
you
know
you
have
to
be
careful
when
you're
using
these
tools,
because
you
can
penetrate
your
own
systems
and
break
things,
but
also
you
have
to
be
very
cognizant
that
so
can
others
and
metasploit
keeps
adding
those
zero
days
faster
and
faster
and
faster.
So
like
and
that's
like
becoming,
for
you
know,
security
beginners
like
the
first
tool.
B
Maybe
maybe
that
was
maybe
it's
g
chat.
Is
the
problem
took
out
my
old
computer?
I
was,
I
was
kind
of
impressed,
so
yeah,
so
apologies
if
I
missed
a
little
bit
of
the
context,
but
did
we
want
to
move
on
to
another
question
from
the
chat?
I
I
heard
you
guys
talking
about
the
metasploit,
but
I
wasn't
sure
if
that
was
the
next
question
in
the
chat,
because.
A
B
B
Yeah,
there's
other
there
are
other.
You
know
what
we
you
know,
probably
you
know
loosely
referred
to
as
script
kitty
tools
right
that
are
so
so
just
by
way
of
explanation
right.
So
there's
this
there's
this
kind
of
new
class
in
a
sense
and
not
really
that
new
of
hacker
or
attacker
really,
and
if
you
want
real
throwback,
you
know
we're
not
supposed
to
use
the
word
hacker
we're
supposed
to
use
crackers,
but
we'll
get
into
that
some
other
day.
But
I
think
that
ship
has
sailed.
But
this
idea.
C
B
But
the
this
idea
that
you
know
there's
a
lot
of
new
people
who
are
starting
to
use
the
internet
on
a
pretty
regular
basis.
You
know
12
year
olds,
15
year
olds
and
they
learn
or-
and
they
want
to
get
into,
they
want
to
break
into
stuff
right
because
they
think
it'll
be
cool
and
so
they're
they,
but
they
don't
really
know
enough
about
technology
to
kind
of
really
work
out
these.
B
So
also
kind
of
being
aware
that
there's
other
stuff
out
there
that
you
can
kind
of
throw
at
your
network
and
usually
you
can
find
them
pretty
easily
with
you
know,
when
I
you
know
I
want
to
hack,
you
know
I
want
to
hack
something
you
know,
but
it
kind
of
goes,
and
actually
this
brings
up
another
term
when
I
was
doing
a
little
research
for
the
show.
Apparently,
black
hat
and
white
hat
are
also
terms
that
people
mix
up,
which
that
one
I
find
interesting
as
well.
So
but
a.
B
Right
so
the,
but
basically
the
idea
being
is
that
there's
there
are
people
who
are
attacking
places
or
whatever
for
with
legitimate
reason.
This
goes
back
to
the
red
team
discussion
right.
You
went
out
and
hired
a
team
to
attack
your
network
intentionally.
It's
it's
all
above
board.
You
know,
but
you're
testing
it
out
versus
people
who
are
trying
to
break
into
your
network
or
your
environment.
B
B
There's
there's
a
lot
of
stuff
and
it
continues
to
grow
a
friend
of
mine,
actually
in
high
school,
like
he
was
in
high
school,
I
was
in
college,
wrote
one
for
example
that
was
like
similar
to
metasploit.
You
know
because
he
couldn't
and
that's
you
know
that's
to
do
when
you
can,
but
the
flip
side
is
you
know
you
never
know
what
use
it
will
be
put
to
you
so
so.
E
B
B
They
call
it
right
in
your
software
application
to
design
in
your
application
deployment,
and
you
really
need
security
to
be
a
part
of
your
everyday
life
when
you
are
a
developer,
a
sysadmin
or
whatever,
because
it's
getting
so
easy
for
people
to
attack.
You
right,
you
know,
right
by
like
I
want
to
be
able
to
ssh
into
my
house,
but
I
either
have
to
like.
Have
the
porch
jump
around
or
something
or
like,
because
I
just
get.
I
get
bombarded
all.
A
B
C
E
B
So
surprise,
I'm
surprised
honestly
that
we're
not
seeing
more
kind
of
consumer
level,
like
you
know,
we're
your
wireless
ap
right,
which
is
usually
your
router
and
everything
for
your
whole
house.
I'm
kind
of
surprised,
you're,
not
seeing
more
of
them
coming
out
with
separate
iot
networks
from
home
network
from
you
know,
I
don't
know
you
know
consoles
network.
You
know
that
those
aren't
kind
of
getting
built
right
into
the
devices.
E
A
B
On
my
network
now,
that's
not
even
running
that
crazy.
You
know,
and
you
know-
and
I
I
really
don't
want
a
lot
of
those
iot
devices
talk
anywhere
near
my
actual
computers.
You
know
because
they're
so
ludicrously
insecure
as
as
a
well-known
twitter
handle,
which
I
I
will
not
repeat,
is
fond
of
commenting
on.
C
A
E
D
E
I
think
we
can
all
agree
that
there's
not
one
single
aspect
when
you
are
speaking
about
security,
it's
like
it's
spread
everywhere
and
it's
something
that
you
need
to
take
care
of
at
every
stage
of
your
application's
life
cycle.
So
it
all
starts
with
you
know.
If
you
are
using
an
os
that
has
some
corrupt
stuff
in
it,
then
you,
you
might
have
a
security
issue
as
you're
writing
your
application
in
there.
E
But
if,
as
a
developer,
you
are
writing
some
code
that
is
not
properly,
you
know
secure,
you
are
introducing
loopholes
or
security
breach.
If
you
are
using
some
libraries
that
have
some
security
holes
in
there
as
a
developer,
you
know
even
in
the
early
phases,
you
are
introducing
some
security
issues
in
your
application.
E
E
Once
once
you
publish
your
application,
so
I
would
say:
okay,
we
have
written
some
lines
of
codes
and
we
have
built
the
application.
We've
submitted
the
the
binary.
Then
your
binary
is
stored
somewhere
in
an
enterprise
repo,
but
I
believe
linkedin
said
mentioned
something
about
attestation.
So
what
what
so?
I
can
find
my
my
words,
english,
but
what
proof
do
you
have
that?
The
binary
that
you
are
in
building
into
your
your
container
image
is
actually
the
one
that
has
passed
all
the
tests
etc.
E
So
that's
why
you
have
what
you
have
signed
binaries
that
cannot
be
altered
by
some
somebody
that
just
makes
a
change
and
submits
a
new
jar
somewhere
in
the
repo
right.
You
have
a
pre,
pre-staging
pre.
You
know
you
have
development
jobs
that
you
can
use,
etc.
But
at
no
point
in
time
should
you
be
able
to
take
the
development
jar
and
put
it
into
a
container
image
and
ship
it
as
something
that
is
ready
to
consume
right?
So
you
have
this.
E
This
mechanism,
where
your
binaries
are
signed
and
only
the
signed
binaries,
can
then
be
built
into
a
container
image.
If
you
want,
then
you
can
distribute,
because
then
you
have
proof
that
you
have
a
secure
application
itself
and
we
are
not
speaking
about
the
container
image
and
all
the
base
components
that
it's
gonna
bring
to
the
table
afterwards
right.
E
So
you
are
secure
introducing
security
at
every
every
step
and
the
reason
why
you
want
to
have
that
notion
of
dev,
sick
ups
is
because
you
want
to
make
sure
that
everything
happens
automatically,
which
means
that
no
single
person
can
alter
those
things
intentionally
in
a
manual
way,
because
if
anybody
is
able
to
answer
things
along
the
way,
then
you
lose.
That
notion
of
I
know
that
it
has.
It
hasn't
been
tampered
with
with
within
the
process
of
shipping.
E
The
application,
through
staging
through
pre-prod
and
through
production
and
and
basically
devsecops
is
is.
Is
this
notion
where
you
you
put
security
checks
at
every
stage
of
your
application
life
cycle
and
make
sure
that
nobody
can
tamper
with
those
and
make
sure
that
you
have
proof
for
anything
that
has
been
built?
So
you
have
proof
that
your
libraries
are
secure
because
you
have
security
scanning
tools
like
sonar
that
are
going
to
analyze
your
code
and
then
you're
going
to
have
links.
E
B
Well,
actually,
I
was
just
going
to
say,
like
one
of
the
things
that
I
I
think
you
commonly
hear
as
well
is
to
avoid
some
of
those
problems.
You
could
just
build
your
own
binaries
right
and
sign.
You
know,
even
if
you
have
signing
like
sign
them
themselves
and
one
of
the
things
that
I
find
you
know
really
surprising
about
that
or
whatever
is
that?
There's
this
belief
like
one
of
the
things
that,
like
an
organization
like
red
hat
or
even
an
organization
like
fedora
right,
brings
to
the
table
when
they
ship
binaries?
B
Is
that
an
expert,
or
at
least
theoretically,
an
expert?
Is
the
one
who's
kind
of
packaging,
the
code
into
place
right
and
then
kind
of
saying,
okay,
I'm
going
to
do
a
build,
and
then
I'm
going
to
test
that
this
build
came
from
this
source
code,
but
they
also
know
what
the
source
code
looks
like
right.
A
B
B
You
know
open
source
channel,
so
other
people
can
take
advantage
of
the
fact
that
you
have
experts
who
are
attesting
about
this
binary.
So
I
just
think
it's
it's
kind
of
important
to
note
like
there
are
actually
there's
not
just
efficiency
benefits
in
a
sense
to
leveraging
the
work
of
others
or
you
know,
kind
of
the
community,
or
you
know
like
organizations
like
red
hat
or
fedora.
You
know
things
like
that,
but
it
just
and
also
there
are
also
actual
security
benefits
there.
B
A
A
B
I
think
we
should
do
the
points
and
the
announcements
first
and
then
yes
visit
back
to
people.
I
just
I
always
try
to
get
the
points
within
the
the
level
up,
yeah
and
but
obviously
we
have
a
ten
small
tendency
to
not
actually
finish
within
the
level
of
hour
yeah,
so
yeah.
So
let
me
let
me
hit
the
slides,
real,
quick
and
I
hope
this
will
work
well
because,
as
I
mentioned
a
few
minutes
ago,
everything
crashed
so.
B
All
right
cool
all
right,
but
we
are
on
the
wrong
side.
Let
me
also,
I
have
my
cheat
sheet
for
the
points
too,
but
here's
where
we're
at
I
don't
know
narendev,
I
think,
missed
the
last
episode
or
missed
submitting
points
for
the
last
episode.
Netherlands,
hackham
still
neck
and
neck
with
narendev.
No
friction,
I
think,
still
holding
steady
at
4
000.
B
B
The
points
as
always,
you
can
go
and
get
your
own
sweet,
sweet
internet
points
by
following
the
links
I
just
pushed
into
the
chat,
there's
a
kind
of
a
short
link
which
will
take
you
to
the
forum
itself
and
then
you
put
in
the
code
manually
or
the
other
one.
All
that
does
is
pre-populate
the
form
with
the
code
to
make
your
life
a
little
bit
easier.
B
You
know
please
keep
in
mind
if
you
want
to,
you
can
say
private
for
the
the
nickname
and
if
you
do
that,
we
won't
mention
you
on
air.
We
won't.
You
know
you
just
can
kind
of
collect
the
points
and
you
can
get
your
own
status
of
of
how
many
points
you
have
without
you
know
revealing
anything
about
yourself.
If
you
so
desire,
we
actually
had.
B
One
of
these
participants
was
originally
always
marked
as
private,
and
then
one
day
decided
that
they
had
come
up
with
a
cool
enough
nickname,
and
so
they
revealed
themselves
with
a
big
jump
in
the
points
it
was.
It
was
pretty
funny
to
be
honest,
so
that
is
our
sweet,
sweet
internet
points
we
love
giving
them
out,
even
if
they
are
just
an
intrinsic
award
chris.
Actually,
I
think
we
we
heard
again
yeah
that
we.
B
A
B
What
I'm
hoping
that
you
know?
Hopefully
we
don't
have
to
involve
any
mice,
but
you
know.
Maybe
it
is
the
answer
to
you
know:
life,
the
universe
and
everything
and
if
you
haven't
read
the
hitchhiker's
guide
to
the
galaxy,
this
doesn't
make
any
sense,
but
you
should
try
and
if
you
haven't
read
it,
I.
B
Oh
all,
right
all
right.
It's
a
lot
of
fun.
The
funniest
one
of
the
funniest
things
that
came
up
about
it
recently
was
the
whole
premise
of
the
book.
Is
that
it's
about
another
book?
That
book
is
actually
crowdsourced,
so
it's
basically
it's
the
equivalent
of
wikipedia,
but
it's
kind
of
a
really
hilarious
example
of
open
source
in
action.
A
B
B
New
group,
which
is
all
about
computing
and
data
science
and
teaching
people
about
or
like
kind
of
approaching,
how
we
teach
computing
a
little
bit
differently,
also
reaching
out
into
other
organizations.
So
that
or
like
other
majors
kind
of
so
that
we
can
kind
of
leverage,
data,
science
and
things
like
journalism
and
give
them
kind
of
the
formal
teaching
and
that
kind
of
stuff.
A
B
I
am
going
forward,
I
am
leaving
you
in
the
capable
hands
of
our
current
guests
and
randy.
I'm
sorry.
I
missed
your
twitter
handle,
but
these
are
their
twitter
handles,
so
you
should
find
them
on
twitter.
You
can
also
talk
to
me
on
twitter.
Still,
I
will
still
be
there.
I
will
still
also
be
of
my
expectation
as
I
will
be
heavily
involved
in
fedora.
B
I
also
think
because
red
hat
and
bu
boston
university,
sorry
have
a
very
strong
relationship,
and
so
I
continue
or
I
hope,
to
continue
to
work
with
red
hat
on
the
regular
basis.
I
also
find
all
of
this
quite
confusing,
because
my
son
is
also
starting
college.
He
is
also
going
to
be
you,
which
is
bucknell
university.
A
E
B
C
B
A
B
So
yeah
so
next
week
we
are
planning-
or
you
know
so
so
these
folks
will
be
talking
to
the
crane
team,
which
is
part
of
conveyor,
so
we
had
for
some
reason.
I
always
want
to
call
it
trackl.
I
don't
know
why,
but
to
tackle
a
few
weeks
ago,
and
so
there's
this
overarching
thing
about
moving
applications
into
containers
called
conveyor
tackle
is
a
piece.
Crane
is
another
piece
and
then
there's
a
third
piece
that
we
thought
would
be
good
for
the
show
which
would
be
in
another.
B
I
want
to
say
it's
not
not
for
another
month
after
that,
but
so
crane
is
is
next
week
we
actually
were
are
not
having
a
show
the
following
two
weeks
after
that,
because
we
already
scheduled
it
because
that's
when
I
was
supposed
to
be
taking
the
sun
to
bu,
and
so
it's
kind
of
already
set
so
there'll
be
two
weeks
dark.
Sadly,
but
then
you'll
be
back
in
action.
Let's
see
so
we
have.
B
I
was
very
impressed
we
had
on
my
other
show
we
had
elena
hushman
yesterday
and
when
I
said
that
she
very
conveniently
pointed
down
so
scott
I'm
a
little
disappointed.
I
thought
you
would.
I
thought
you
would
help
me
out
with
the
click
like
and
subscribe,
but
yeah.
So
I
will
miss
you
all.
I
will
miss
doing
the
show
and
I'm
going
to
be
doing
it
apparently
more
like
live
and
in
person,
except
about
data
science.
C
A
B
Yeah
everything
exactly
exactly
so
well,
I'm
also
I'm
really
excited
because,
like
this
whole
group,
that
I'm
joining
is
in
place
to
try
to
be
to
try
to
bring
more
people
into
the
fold
in
computing
and
data
science
and,
as
you
know,
probably
from
watching
the
show.
This
is
something
that's
important
to
both
chris
and
I
I'm
sure
it's
important
to
randy
and
scott
jafar,
but
you
probably
haven't
heard
that
from
them
on
our
show.
B
B
A
So
langdon
it's
been
an
incredible
ride
with
you.
I
really
appreciate
you
know
doing
this
every
every
week
for
the
past
42
weeks,
the
the
amount
of
information
I've
learned
from
you
over
the
year
year,
plus
we've
been
working
together.
Is
I
mean
I,
I
can't
put
it
into
words,
so
thank
you
very
much
for
all
everything
you've
done
for
the
channel
for
me
for
helping
me
learn
things
so
for
so
on.
But,
yes,
we
will
be
hacking
away
at
all
your
stuff
that
you
do
online.
So.
B
Yeah,
yes,
I
yeah,
I
very
much
appreciate
it.
You
know
like,
as
many
of
you
can
guess
right.
My
my
stronger
background
is
on
the
development
side
and
on
the
linux
side,
and
so
it's
been
really
great.
To
kind
of
take
the
perspective
of
you
know
a
stronger.
You
know
somebody
who's
been
full-time,
sys
admins,
you
know
much
deeper
into
openshift
and
kubernetes
than
I
have
been.
So
I
think
it's
been
a
really
good
learning
journey.
B
I
hope
along
the
way
for
the
show-
and
I
really
hope
you
know
bringing
some
new
perspectives
will
really
kind
of
take
the
show
to
the
next
level.
You
know
scott
might
even
know
rel
better
than
I
do.
I
know
jafar
knows
openshift
better
than
I
do
you
know
so
as
as
evidenced
by
our
slam
to
do
the
cody
awards
a
few
months
ago.
E
Yeah,
so
it's
been
already
said
privately
but
yeah.
I
wanted
to
say
it
publicly.
Also
you
you're
certainly
going
to
be
missed
and
it's
been
a
shock.
You
know-
and
I
heard
just
not
so
long
ago
that
you
were
living,
but
we
can
only
be
happy
for
you
because
it's
for
the
better.
It's
like
something
for
your
personal
accomplishment,
there's
no
hard
feelings
with
red
hats.
E
A
B
Of
the
things
that
I'm
really
been
learning
because
I've
been
teaching
a
couple
of
classes
like
kind
of
on
the
side
you
know
for
a
while
now
over
bu
is
what
I'm
really
starting
to
learn
is
how
much
more
sophisticated
teaching
is
than
I
quite
realized.
Like
you
know,
I
thought
it
was
basically
just
going
into
a
room
once
a
week
and
basically
giving
a
talk,
and
it's
not
like
it's
it's
quite
different
and
you
know,
and
I'm
starting
to
like
grok
the
nuanced
differences
and
and
so
yeah.
B
B
I
think
I'm
a
pretty
good
teacher
already,
and
so
I
think
you
know
I
hope
everyone
has
learned
a
lot
from
the
show
and,
like
I
said,
I'm
really
looking
forward
to
the
change
of
perspective
as
you
go
forward
with
the
show
and
that
you
know
there'll
be
even
more
stuff
to
learn.
Right.
It'll
it'll
cover
a
whole
bunch
of
things
that
I'm
just
not
that
good
at,
and
so
I'm
really
excited
to
see
it
go
forward.
A
C
C
C
C
E
So
we
have
a
proven
track
record
of
of
securing
the
platform
and
having
it
been
efficient,
where
other,
maybe
distributions
or
other
ecosystems
didn't
succeed
as
much
because
of
the
secure
by
default
standards
that
we
have
within
the
platform.
But
again
we
can
only
test.
You
know
so
much
things
within
the
platform,
but
if
something
that
is
running
in
your
in
your
containers
has
a
security
issue
that
has
something
to
do
with
your
application
layers
or
with
one
of
the
libraries
that
you
are
using
within
your
container
image.
E
Then
it's
not
something
that
we
are
going
to
be
able
to
prevent,
because
you
know
there's
so
much
combinations
that
can
happen.
But,
yes,
we
have
a
very
robust,
very
solid
platform
that
you
can
trust,
but
you
know
you
can
always
the
the
security
issues
happen
on
the
edge
they
happen.
You
know
on
the
far
edge
of
the
testing.
E
A
I
was
just
going
to
say
right,
like
most
attackers
aren't
like
oh,
I
know
the
central
app
I'm
going
to
get
to
it.
No
they're
going
to
find
some
other
vulnerable
piece
of
thing
like
look
at
the
target
hack
right.
They
hack
their
way
in
through
some
gateway
between
you
know
the
pos
network
and
the
hvac
network
at
one
store
and
that's
how
they,
you
know
broke
into
all
of
target's
stuff
and
made
basically,
the
entire
united
states
embraced
chip
and
pen.
A
It's
those
little
intricate
little
details
that
you
may
just
overlook
or
not
realize
that
are
in
place
like
you
will
start
at
one
place
in
your
attack
vector,
and
you
will
end
up
where
you
want
to
be
because
of
all
the
configuration
or
vulnerabilities
that
may
lie
within
your
infrastructure.
So
it's
never
like.
Oh,
I
want
to
hit.
You
know
the
main
bank's
website
like
they.
They
don't
target
that
they
find
other
ways
to
get
in
to
get
to
the
thing
they
want
to
that's
the
biggest
thing
right
like
and
and
to
se
linux.
A
You
know
to
that
point
right,
like
with
openshift
and
all
the
kubernetes
vulnerabilities
have
come
out
over
the
years.
Sc
linux
has
been
the
thing.
That's
stopped
most
of
those
vulnerabilities
in
their
in
their
tracks
right.
So
that's
another
layer,
that's
put
on
the
cluster
to
protect
you,
but
it's
not
all
encompassing
protection
right
like
that's
something,
to
keep
in
mind
that
there
could
be
some
other
vulnerability
that
somebody
could
exploit
your
infrastructure
to
get
inside
your
cluster.
B
A
B
D
B
A
B
One
other
quick
note:
I
was
gonna
offer
and
you
know
I
crack
about
consultants
a
lot
just
because
I
was
one
for
a
long
time.
This
is
one
of
those
places.
Security
is
one
of
those
places
where
you
know
you
want
somebody
else
to
take
a
look
at
your
stuff.
If
you
can
you
know
because
it's
one
of
those
you
know
just
like
why
you
have
somebody
edit,
you
know
or
proofread
your
your
text
right.
B
It
can
be
really
helpful
to
have
somebody
kind
of
review
your
you
know,
security
plans
and
things
like
that.
You
know
we
talked
about
a
bunch
of
like
real,
specific
examples
like
pen,
testing
and
red
team,
and
you
know
stuff
like
that.
But
there
are
organizations
out
there
that
can
kind
of
provide
you
a
third
party
audit
or
a
third
party
review
or
whatever,
and
it
can
even
be
relatively
casual.
B
You
know,
obviously,
you
want
to
have
a
bunch
of
nba
type
stuff
in
place,
but
it
can
be
relatively
casual
in
that
it
doesn't
have
to
be.
You
know
from
an
on
high
security
audit
kind
of
thing,
but
having
somebody
else
take
a
look
at
your
stuff
is
often
a
good
idea
because
it's
really
easy
to
miss
things
in
a
secure
when
you're
modeling
security.