Description
Here you can find our monthly show focused on all things security, cloud native, and open source projects. Today we are discussing:
- RHACS 3.74 release is out!
- Cloud Native Security Con wrap up
- Zero trust and supply chain security with Kirsten Newcomer
Make sure to subscribe and leave your comments for the team!
C: Hey everybody, so you know me if you come, if you don't you don't. So I'm a security product marketer here at Red Hat, and today we're going to be talking about zero trust and how it relates to the secure supply chain, and do some updates around ACS, as well as our current presence at the Cloud Native Security Con in Seattle.
B: Yeah, very exciting. Kirsten Newcomer is joining us in a little bit; she's in the green room right now, I can see her watching us in the background there. But yeah, exciting news, so ACS, or Red Hat Advanced Cluster Security, 3.74 is out, came out Monday. If you see the little... where is it, up here? A little QR code? You can scan there, check out the release notes.

B: I want to talk a little about two new features that we have coming up and, of course, big changes in 4.0 coming out in April-ish. We'll let you know a little bit more on the timeline next month when we have the show; we'll get down to the details about what's going to change, but yeah, 4.0. So somewhat of a big change; we want to give you all of the details to make that possible so that you don't get stuck on anything, especially for our open source users.

B: We know that sometimes you're a little bit more in the dark. You don't have that support, but we try to help you out anyway. So, 3.74 being out, two big things that I really love. One: network policy, the network graph, is getting a huge upgrade slash update. So for me and Boaz, if you're watching this, please don't send me a mean message: you've done a great job, it looks a lot better.

B: It's a lot just more readable. The visuals are a lot better. The functionality really hasn't changed too much, so you still get that great network policy simulator, all that shift-left goodness with the CLI and the command line integration with np-guard. So that's all there, it's just prettier. So it's new year, new network graph. I think it's a great job and it will also translate really well into the scaling of the cloud service. I think that's awesome!

B: The second part is the collections feature. So you know, coming from StackRox and moving into Red Hat, we've also had to deal with, let's say, bigger use cases. Cases where there's large, extremely large clusters, and sometimes managing policies at that scale is extremely difficult, as I'm sure anybody that deals with policy and security is aware. And so we came up with a collection, so you know, grouping collections, being able to apply them as new groups. New clusters come in automatically as labels get added, being able to sort by exact labels, by some wildcards.

B: So you have a lot of flexibility in how you implement that. So I think it's a really cool policy. You will have to use a new database, so Postgres upgrade, that is in tech preview, but you know, as part of the 4.0 migration it's going to be recommended to get that collections feature. And again, that's just going to help you scale; it's going to open up a lot of new avenues, especially, you know, cloud service, integrating and just being able to automatically apply those policies.

B: So let us know what you think. Again, I will actually change the QR code for you if you want. We, you know, all of these features are available open source as well. So if you want to test out StackRox for free, let us know what you think in the Slack channel about the network graph changes and the collections feature. We'd love to hear from you, looking for feedback before we get to 4.0, so now's your chance to weigh in. All right, I'm out of breath now, Kim. What else do we have on the docket before we get Kirsten?
C: I was hoping that we could talk a little bit more about the Cloud Native Security Con show, but I think you and Kirsten were both there. So you might have some good insight on what was there and what you saw and what the hot topics were for the community, yeah.
B: That's right. Okay, this will be a good segue. I'll say my spiel and then I'll introduce Kirsten and she can come in and tell me where I was wrong. I think that's a good sign. Overall I thought it was a very pointed event. I thought the conversation was really good. A lot of security expertise in one area, which meant that you didn't have to do small talk. People were very "hey, what's this do? Why are you doing this? What's the market for this? Who asked for this?"

B: Everybody wanted to know use cases, and I found one of the biggest, let's say, changes from KubeCon is just the sort of grouping of security features. Everybody wanted to know if your platform could do everything. It just seemed like it was... It's not the open source, let's say, landscape that it was three or four years ago when we started talking about security and the niche use cases. Now it's you have to be a whole cloud workload protection platform, or you want...

B: They want observability in their security platform to say, oh, there's memory changes, why can't my security platform pick this up? So I think there's a lot of consolidation that's happening. People are trying to pick up on some efficiencies; that was a general trend I saw. I thought that the discussions were really awesome, but overall it was a pretty nice week in Seattle. I had no complaints, had some great seafood. Yeah, next year, I wish you could have joined us, but...

B: Yeah, some people live in the chat. If you have any questions about Cloud Native Security Con, ACS 3.74, or zero trust with Kirsten Newcomer, the conversation we're gonna be having, just throw it in the chat and we'll answer them live for you. But I think, without further ado, Kim, you wanna do the honors? Sure.

B: Thanks again for coming on, this is your second time on the show. I remember you kind of kicked it off talking about supply chain last year. I wanted to bring you on with a more controversial topic: zero trust and supply chain. You know, what's changed over the last six months, but before we get into that, I want to get your thoughts on Cloud Native Security Con. What you're seeing in the market, your users, yeah, Red Hat in general.
D: Absolutely. I would never tell you you were wrong, Mike, no, if it was appropriate, but it's not at this time. You absolutely nailed it. One of the things I really appreciated, for folks who don't know, right: Cloud Native Security Con used to be co-located with KubeCon, and it would be a two-day event, kind of, they call them zero day events, right, where you start ahead of the KubeCon conference. And that was useful, but we were limited, in many cases, to one room, one track. I think what was nice about it was, you know, man, a lot of people go to KubeCon, so there's breadth. What I really appreciated about it...

D: Being its own conference was what you said earlier: nice tight focus on security, and we were able to do so much more with it being its own conference and cover so much more ground. So supply chain security was a hot topic. It's been a hot topic for a couple of years now, really ever since the SolarWinds hack, and remains a hot topic. Many, many organizations, including Red Hat, out there figuring out ways to help improve supply chain security; lots of work in the upstream community as well.

D: For example, you know, Luke Hinds from Red Hat founded the Sigstore community, you can find it at sigstore.dev, and that's really grown rapidly and quickly. Making it easier, kind of the goal of that is how do I integrate attestation processes and policies into a CI/CD pipeline, because typical processes in that space really don't lend themselves well, or traditional ones don't lend themselves well, to a pipeline. But it was a great event. I'm hoping anybody in our audience who's interested in Kube and container security...
B: So a lot of technical knowledge being shared. So you've been on, you were on six months ago. I think almost, probably half the talks at Cloud Native Security Con had some sort of supply chain theme to it. What do you see as still the big challenge in adoption? Is it still too bleeding edge? Do customers just not have the bandwidth? What do you see as some of the big challenges for supply chain?
D: They may not be ready to migrate. Not every organization centralizes their CI/CD process. In fact, so supply chain, in particular when we're talking about building the supply chain for building a custom application, that often organizations kind of delegate decisions around how to manage that to the app dev teams; they're the ones who are living with it. Now, there's been a shift to DevOps, but it's still sort of the same challenge right there, and there are so many different tools that need to be integrated into a CI/CD process, a tool chain, to add security capabilities into that supply chain. That creates a challenge too: which are the right tools?

D: What's the point, you know, am I buying best-of-breed point tools? Am I looking for an overall solution? Do I have traditional apps with traditional architectures? Do I want to use a Kube-native pipeline like Tekton? What are the tools that work in each of those environments? Can I have commonality in my security tooling across those environments or not? And kind of, so we're dealing with a lot of change, and that means we're talking about people, process and technology, and across multiple groups, and also, right, sort of the start.
C: And Mike was specifically talking about how one of our, I would say, sort of like the trends or common themes they were discussing at the show was the idea of having like a platform approach, or a, you know, approach where they had several different options, you know, in one solution. So I'm wondering, like, do you think that's kind of to help with the supports and security, so they don't have all these little pieces?
D: Yeah, definitely, that can make things easier, right. So there are solutions out there. There are platforms like GitLab, kind of, where it's sort of all in one. There are offerings from cloud providers, again, where you kind of can leverage all in one. The challenge with that approach can be that I've already got processes and tooling that I'm using today, and changing my CI/CD processes can have a significant impact on my delivery of the applications that the business relies on, and so it's really not just about flipping a switch.

D: But it's not the only approach, right, and sometimes a more incremental approach can actually be easier for an organization, where they can work with an existing CI/CD tool set but maybe start adding in some new capabilities that they hadn't included before, such as, you know, signing the content that moves through that pipeline. That's again where a project like Sigstore comes in. People often have the ambition to sign content that moves through the pipeline, but it's never been easy to do so.

D: So even then, I have new tooling to adopt. I have to think, you know, I have to learn that tooling, but it's maybe an incremental approach. And so kind of our experience in having delivered, you know, Kubernetes-based OpenShift for, gosh, over 10 years now (I feel like I'm way undercounting that), is that we see organizations who want to use their existing pipeline and update it incrementally. Other organizations are willing to adopt something new, like, again, Tekton, which allows you to manage your pipeline as code, and there are a ton of Tekton tasks out there on the Hub, on the Tekton Hub, so that you can kind of come and put things together, pre-built pieces, but there's no real one-size-fits-all answer. Yeah.
B: Yeah, before you get into zero trust, you mentioned, you know, use cases and doing it slowly versus having something to model it against. How much does something like a validated pattern help with that process, right? Like, it's very hard for us to recommend, say "this is the way to do it". At the same time, we can have an approach and be slightly opinionated, right?
D: Absolutely. So if I'm thinking specifically about building applications for Kubernetes with a Kubernetes pipeline, in fact we have what we call a pattern, a validated pattern, available. It's out on GitHub. We can share the link. If you're using OpenShift Platform Plus, you can use this code to deploy all the parts of OpenShift Platform Plus with an instantiated, opinionated Tekton pipeline with integrated security gates. Now not everything in this pipeline comes from Red Hat, because we don't do everything that you need to do today in a secure supply chain.

D: So, for example, the pattern is built with an integration with Sonatype Nexus that helps produce an SBOM. You could swap out Sonatype Nexus for JFrog Artifactory, if that's the repository you use, right, or if you wanted to use a different open source tool for SBOMs, or whatever you use. Integrations with partners for static security analysis are also in there. So, but absolutely, that's an opinionated solution set, and if you did nothing else but look at what are the gates, what are the kinds of things I should be doing?
B: And I actually found the article that William Henry and Johnny Rickard created about how to architect a multi-cluster pattern using the DevSecOps validated pattern, so go ahead and check that out. It's in the chat for you all right now. I think on to the, well, at least it's controversial for me, because I personally don't like the term zero trust, so I kind of want to hear your take on it. Yeah, you know, see if anybody in the chat has any opinions on the term zero trust as well.

B: But you know, how much does zero trust play into securing the supply chain? Is it something where you should come in with, you know, hard gates? Is it better to kind of implement the tools first and then see where there's a give and take with developers? Anyways, it's a broad question: I'll let you take it, yeah.
D: Those are great questions. I also have struggled with the phrase zero trust, simply because it can be used to mean so many different things, and in many cases you see it a lot in marketing content, and you kind of need to go, "so what do you mean when you say zero trust? And what do you mean when you say zero trust?", right? So let me start with how I think about it, and also how Red Hat thinks about this, right.

D: So we're really focusing on, when I talk, so there's the traditional definition, right, that has, you know, more traditional security models. Pre-cloud assumed that as long as you protected the perimeter you were good, that users within that protected perimeter were trusted and you didn't need to focus heavily on them. That assumption, you know, that perimeter assumption, was kind of shown to be false with the SolarWinds attack, and so SolarWinds themselves have worked hard to apply zero trust principles to their supply chain.

D: They did a great talk at Cloud Native Security Con at KubeCon LA a couple of years ago about how they did that, and so let me circle back to, again, what I mean by those zero trust principles. I mean that everyone needs to authenticate. Identity of individuals matters, identity of tooling matters, also identity for APIs and what I'm using, anything that's automated. Integrity matters, right, as content moves through the system.

D: I want to be sure that I can measure the integrity of that content, that it hasn't changed when I don't expect it to change. This was a big element for SolarWinds in revamping their pipe... their supply chain and their pipeline. And then isolation matters, right. How can I ensure that users and systems only have access to the elements that they should have access to, so that I'm preventing lateral attacks, lateral movement, and really enforcing separation of concerns appropriately? And so when that comes to the supply chain?

D: That means that I want to be able to, when it comes to integrity, I want to be able to attest that the tasks in my supply chain, my CI/CD pipeline, have not changed. I want to be able to attest that the integrity of the content hasn't changed when I don't expect it to change. So, if I'm pulling down content from external sources, that content should be signed and I should be able to verify that signature when I pull it down, so that I know that nothing got tampered with in between. Now...

D: Of course, I'm including that with my custom content, so I'm going to do a build. As the output of that build, then, I want to sign the output of that build at the appropriate stage as well, to be sure that I can track that nothing has changed, again, that I didn't expect to change. I'm deploying content to Kubernetes; when I do that, I'm deploying an image, a pod, I have configuration data that also gets deployed. I want to be sure my YAML hasn't been tampered with, right.

D: I want to sign my YAML, and when I deploy, I want to verify signatures on container images and signatures on my YAML. So these are some of the integrity elements that we can look at, and then authentication, right. That's all about ensuring that only the users and systems that I approve for access to this pipeline have access. What I loved about what SolarWinds did, and they did this with a Tekton pipeline, is they had their main pipeline, their primary pipeline, and they replicated every step in that pipeline in an automated fashion, and then they checked...

D: The output of every step was the same, so that they... and, you know, great stuff, it's a really great talk. And then they use Tekton Chains to sign the tasks in their pipeline, but they really are doing zero trust for their supply chain. Understandably.
B: Okay, that's pretty impressive. I remember attending a topic about reproducible builds as well, just everything to the point where you can reproduce it. If I give it to you, you can do the same thing, you get the same hash, so you know nothing's been tampered with. I think that capability will be extremely useful.

B: So do you think that supply chain security has more relevance in the cloud, or somebody that's in a detached on-prem environment, they should also be doing the same sort of signing and attestation?
D: So that sort of comes back to kind of where we started with zero trust, right. Zero trust is, you know, how much am I going to trust the people who work in my company? How much do I trust that I protected my perimeter and that's sufficient? But it's not just the people who work there in my perimeter, it's like... there are so many new attack vectors showing up on a regular basis.

D: So many new vulnerabilities being discovered that, you know, even if I've protected my perimeter, that doesn't guarantee that something won't show up two weeks from now that allows an attacker to breach that perimeter, right. So, ideally, you would really be ensuring at minimum authentication, you know, managing identity, managing integrity, on premises and in the cloud. You might decide that isolation is a little bit more important to you in the cloud.

D: Maybe you feel like you have less control over that infrastructure, and so, you know, isolation is a funny thing, right, because it's sort of like we think of that for runtime environments mostly, but your pipeline is a runtime environment in some ways, right. It is doing things, it is building, it is creating content, and so, you know, you want to be using appropriate access controls, and you want to be sure that that running pipeline is in an environment where it's not going to be tampered with.

D: It takes time to make adjustments. So look for things that are... look for the easy adds, think about a phased approach and figure out how can you get there from here. SBOMs is another really interesting example. There are a lot of tools that organizations are using today that'll output SBOMs; there's also open source tooling. SBOMs have been at... software bill of materials, they've been a thing for well over 10 years, but they have sudden prominence now, and that's another way to verify that what you've got is what you expect, right: did my bill of materials change from this stage in the pipeline to the next stage in the pipeline? So if you're not ready to adopt Sigstore and do signing in your pipeline, look for a tool like Syft to produce SBOMs and kind of track those through your pipeline. So.

D: Yeah, so it's funny. The initial kind of focus on SBOMs came out of organizations who really needed to ensure that they were complying with open source license terms. So a lot of, so these bills of materials would be created by companies like Black Duck, other competitors in that space. Full disclosure, I worked at Black Duck for seven years prior to coming to Red Hat; I've been at Red Hat for seven years now. So in fact, SBOMs are older than 10 years, but the SPDX standard, which is now an ISO standard, you know, probably is about 10 years old, and so it sort of started primarily with, you know, Linux distributions, with organizations that were doing embedded software. They needed to really ensure that they had appropriate open source license compliance, and to do that you needed your bill of materials of your software packages and the licenses associated with that. And then from there, you've got that list anyway.

D: Well, gosh, I can use that list to get more information about vulnerabilities associated with those packages, so the security element started emerging, you know, probably about 10 years ago. And you saw these tools that were originally developed for license compliance starting to be used for, you know, the same approach being used for vulnerability analysis, right. I know how to identify open source components; I can pull license data for those. The popularity of the phrase SBOM, though, that really ties back to more recent activity where, you know, there's, in the States, the executive order after the SolarWinds supply chain attack. Everybody needs to... if you are providing software to the US government, you have to provide a software bill of materials for what you're providing. So I think that executive order just, you know, really popped. It's amazing.
B: It very succinctly, I think a lot of people look at security like it's insurance. You know, something nice to have but sort of a cost sink, you know, I think. But when it's phrased like, you know, without it you're not even gonna have access to any of these markets, right, if you don't have these things, I think that's kind of eye-opening. It's just like, you know, if you're gonna do business with the federal government, you have to have these things in three years.

B: I think, you know, a lot of people, let's say, shift their strategy, right. So overall, do you see that just continuing? I know the federal government is doing it. It's kind of a crystal ball question, but you know, I've been talking with most vendors, I think, you know. Most people are building SBOM verification checks, some sort of visualization into their platforms, whether it's like observability tools, but most security tools are starting to do that. Are you seeing this as gonna be like a sticking point, a must-have moving forward in the next decade?
D: Oh yeah, I think in the next two to three years everybody's going to be producing software bills of materials. I don't think it's going to take us as long to get there; that's five years. And you talked earlier about what we're starting to see about organizations at CNCF Security Con, you know, end users wanting to move away from single point solutions, point security solutions, to broader ones.

D: The second most accurate is going to be when you're analyzing a binary, and then once I send a bill of materials to my consumer, my end user, I can leverage that metadata for a whole bunch of things. But to produce that, the user who's going to create, you know, create an SBOM, they're either in the app dev team...

D: I'm gonna, you know, do I want to produce my own SBOM when I pull that down, or do I expect it to be there so that I consume it? If it's there, how do I verify it? Do I need to verify it? Can I trust it? It's come from a third party. The answer to that is going to depend on what you're doing with the contents. If you're just using it as it is, trusting it, and it's been signed, you know, and you can verify that it hasn't been tampered with...

D: That could be sufficient. If you are using the source code and modifying that source code, that's a whole other thing: you need to produce a software bill of materials that matches what your output is. And I think that, again because of the mandate from the federal government, obviously some organizations will move more slowly than others, but the tools are there, and people may not even realize in some cases that they have the tools. Again, a vulnerability scanner is going to give you a list of packages.

D: That's a software bill of materials, right, so a lot of people actually have information already available. It's just not output in the most popular format. The two most popular, SPDX (Software Package Data Exchange) and CycloneDX, are probably the two most popular formats right now. It's not that hard to update that, but if I circle back to the consolidation that you and I both have been hearing in the market, security teams are interested in buying governance and risk management solutions.

D: That cover a broad range of things, especially as they're moving, their companies are moving workloads to the cloud, right. So they want cloud security posture management. They want cloud identity and entitlement management. They maybe want that combined with Kubernetes security identity, you know, and that's broad: that's entitlement, that's, you know, RBAC, authentication, you know, runtime behavioral analysis. But those aren't the folks who buy and who use... I shouldn't say buy; those aren't the folks who use the security tools that need to be in that CI/CD pipeline, and so I think...

D: There's going to be this interesting tension also between where's the budget, who's the buyer, who's the end user, and as we kind of think about DevSecOps, right, how do we ensure that tooling and data that's useful to the DevOps team can be fed into the SecOps team for their consumption and for them to leverage for policies as well? So I think there's this interesting tension with the consolidation. I don't know which way it's going to go.
B: Yeah, yeah, I mean I've felt some of that tension on some email threads. Sometimes when you talk about developers and security teams and what they expect their tools to do, I think developers, if they need any sort of security information, it is the vulnerabilities, and can I update it just with a package fix? If I just upgrade to this version, is that going to fix it? If yes, okay, fine, easy to do. But then you get in these conversations, some security teams say: oh, malware scanning, I want...

B: You know, sort of like 20-year-old practices in containers, in Kubernetes, in the cloud, with things that are stateless; they're not even touching anything, any data really. And there's a big disconnect, I think, between what the developer needs to get going and to limit their threats, and then what the security team expects, and these cloud platforms kind of package it all as one, but then there's a huge gap in between that never really gets addressed, right. So it's this tension of...

B: It's always, it's just a challenge when picking solutions, and I think there's a reason why the security platforms want to be a catch-all, so they can market it. But also sometimes you get in these platforms and it's not really as useful as you might have thought, or it requires, like, you to install Istio or something like that. Like, if you want zero trust networking and layer 7 network protocols and limiting all that stuff, you need something that's pretty heavy duty to do that, right.
D: Yeah, and I think there's the tension again. It's back to people, process and technologies, right. So why did containers become so popular? Because they gave more control to the developers. I package my system dependencies with my application code; I don't have to rely on the ops team to get that VM.

D: How does the network security team understand what the app dev team is doing, so that they can provide guidance? And, you know, kind of audit, right; audit is really important in the world. Observability, you mentioned it earlier. Audit is part of observability, right, so things like investing in network observability, I think, start to move us, and this is something that, you know, we've added in OpenShift recently. I don't remember the upstream project name; it's something that's available in StackRox and in ACS.

D: The security teams need observability and auditability, and how do we help? And that's what's going to kind of bridge these two, but that is a big change for people, right. So, just like the system dependencies are now in the container image, well, hey, we have to provide more security capabilities to the app dev team.
B: There's, I'd say, there's a tough approach to starting new projects, I think, too, at some of these companies, where if you give a developer, you say: hey, I want you to containerize this and you're the greenfield one. Well, you don't want to get six months down the road and then see, down the line, then security comes in and says you have too many vulnerabilities, but maybe they're all low and medium, right. They're not even, you know, high and critical, important vulnerabilities.

B: So there's a tough line between the two. Yeah, mjmj says: "Network policy?" I think when you're talking about sort of the gap between security and dev teams, network policies is definitely one of them, because I know there's a lot of security teams that don't want to go into any sort of container Kubernetes security solution to deal with network policies. So I know, I mean, I think that's kind of what our PMs are working on with ACS in terms of functionality of the network graph, right.
D
Absolutely
and
and
mjmj
you
know,
feel
free
to
clarify
for
us
if
there's
more
but
so
I'm
talking
about
you
know
we're
talking
about
kubernetes
Network
policies
as
well
as
service
mesh
policies,
both
of
which
can
be
used
right
to
codify
what
what
services
are
allowed
to
talk
to
what
other
services
or
what
pods
are
allowed
to
talk
to
what
other
pods
within
a
kubernetes
cluster
and
with
service
mesh.
D
There's this new thing coming for Kube, admin network policies, where a cluster admin will be able to set certain network policies that the project admin or the namespace admin won't be able to modify. But to your point, in, in StackRox, right, because this is such a confusing thing, right, again, how to define network policies. Kube network policies is not easy. You have to write it in YAML. It's somewhat involved. We've been working to invest in providing automation that can be used in the CI/CD pipeline to recommend a network policy that's appropriate for the app that's being built, so that the developer gets that information, because, honestly, not every app dev, individual application developer, is going to be great at writing those network policies either, right. And we know that the network security folks aren't reading YAML or writing YAML, so generally they're not going to do it. So we can auto-generate these policies, and over time, this is work in progress.
D
We'll also be able to compare that to system policies defined in StackRox Central, where that system policy sort of codifies what does the security team think is an acceptable set of network policies to run on the cluster? For example, do they only want pods to be able to talk to each other if they're in the same namespace, or is it okay for them to talk across namespaces? And then you can compare that generated network policy with the system network policy, the, the ACS policy for network policies, and find out, the development team can find out ahead of time whether they're going to meet those requirements or not. So you can have a conversation between those two teams before you even get to deployment time.
C
Yeah, I think that's fair. It's, I think some things I've noticed with ACS that we've been releasing really seem to be very much focused on a way for you to be able to dig into certain things and be able to have conversations from two groups that may speak different languages, literally. Yeah, yeah, and it seems like we've done a lot of things in that recently with the solution to help with that communication. Yeah.
B
Yeah, I think the, in the enforcement mechanism is the sort of the end of the line, but it's super important, right. I mean, if your developer needs to make a change of configuration and then you have to go into, like, you know, SCCs or something like that on a host, you know, that workflow is kind of broken, right. It's, it's why we have, I'm blanking on the new operator that we...
D
Those kind of standalone SCCs are an admission controller plug-in that you can use. For example, by default on OpenShift, a privileged workload cannot be deployed to a worker node by a regular user because of the way SCCs are configured. Now, those are complicated, and they, they, you know, OpenShift has an out-of-the-box seven or eight SCCs that allow you to kind of pick from different scenarios, because sometimes you need privileged workloads. But the cool thing about the Security Profiles Operator...
D
The thing I love is that, and then, let's, we'll talk pod security admission too, which is even more interesting when you need to allow privileges to a workload.
D
Default profiles, and you can't build any more. If you want to do something more complicated, you use a, a tool outside of Kubernetes. Okay, yeah, and, and so the Security Profiles Operator says, okay, I've got a, I've got to deploy a privileged workload. It needs a Linux capability, perhaps like NET_ADMIN, which containerized network functions often need. Okay, but I don't want NET_ADMIN. That Linux capability gives you a lot of stuff, and if I want to constrain it further to just what this app needs, I can use some seccomp (secure computing) profiles, but defining those and deploying those are a pain in the butt, as you just said, right. Deploying that, it has to be deployed to the node that the workload is going to run on. You have to figure out how to, you know, you have to associate it with the workloads. You can do that with an SCC defined; you have to do so. The Security Profiles Operator helps you manage all of that. The tool that you can use to help define your custom seccomp profile or a custom SELinux profile is called udica and is available in RHEL or in upstream. So you kind of do that definition work earlier in the process. Security Profiles Operator helps you deploy it so that you've got those mitigating controls in place. It's, it's really nice to, like, see how can we, and, and honestly the Kube community only recently supported having, with pod security admission?
B
Yeah, I was gonna say, did you see the, the container forensic capabilities as well? That...
D
Is awesome, yeah. We are actually going to be, I, I can't tell you the number of security teams I've talked to who want that capability, right. So you're going to be able to actually, without the running container knowing, do a copy of that, of a stateful copy of that running container, called a checkpoint, right. It's being checkpointed, and then that checkpoint can be restored in another environment, a sandboxed environment, and analyzed. So we will have, finally have, the kind of forensic tools for containers that security teams have been used to having for traditional apps, right.
B
But it is a really cool feature. That's alpha in Kubernetes 1.25, so probably stable by the end of the year, hopefully. So you'll probably see in the next version, or at least in, what, like Tech Preview, I think, and probably some of the newer versions of...
D
Once something goes beta in upstream, we're able to have it as either Dev Preview or Tech Preview in OpenShift, and then I'm really looking forward to what we can do with that with StackRox.
B
That's why I think the enforce, it's a mechanism, and being, so it being able to use the Kubernetes-native controls also makes it, say, it easier on the engineering team, because, when Kubernetes builds this in, we can just say: okay, well, we'll just, we're used to working with the Kubernetes API, let's do the same thing, and...
B
Yeah, right, and, and so I think it's, it's sort of the open source capabilities of Red Hat contributes to Kubernetes. Kubernetes makes it so that we have these controls, and then you're able to pick up on this, on all the other open source tools. It just speeds up that development so much quicker too, right. Yeah, absolutely, I think it's awesome. Anything coming up on the hours there, any last things you want to hit on, any links you want to direct people to, Kirsten?
D
You back, sure, of course. I think maybe just worth mentioning that Red Hat Summit is coming up in May, and there will definitely be some cool security announcements. You know, I think, I'm, I imagine we've talked on this show before about offering Red Hat Advanced Cluster Security as a cloud service, so that's currently in field trial and we'll have more to say about where that is at Summit. There's...
B
Super exciting. What are the dates for Summit exactly?
D
Oh gosh, I always have to go look. It's in May, it's in Boston, right, Boston.
B
Was awesome to chat with you anyways. I'm Mike Foster, I'll see you next month, joined by my lovely co-host, Kim Carlos. Kim, sign us off, all.
C
Right, Stella, pasta, and we will see you next month. Take...