 Emily. Hey JJ. Hey, I requested tonight to see if we can run. I have like this bad throat and cough thing. So I'll listen in. Good morning or good afternoon. All right, everyone, we're going to give folks a couple more minutes to get down and Vinay, are you good to facilitate? Yes. Awesome song. I'll take two minutes to set up the document and stuff, I guess. It's already set up. We're ready for you to run it. All right. We just need scribes. Welcome everyone. Once again, we typically start give everyone about a couple of minutes. Maybe we'll start at 10 or two and take it from there. Please feel free to add your name to the attendance list for today. Thank you, Vinay. Can you just put a quick link to that doc again? Thanks. Thanks. Thanks, Ash and JJ for volunteering to be scribes for today. I'm estimating that the load will be a little light today. All right, everyone, let's get started. Maybe just to recap. I mean, go through the list and then I'll do a really recap. Okay. I'm just going to go through the list. I'm just going to go through the list because. Anybody have anything that they would like to. Update the team. The group on. Anything that you'd like to discuss at this time. I don't see any updates at this point, but I just want to make sure that everybody's had a chance to update the list. I actually have one. Oh. Go ahead. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Good news, everybody. We now have an APAC region, SIG security meeting set up and scheduled. The PR was merged into the repo. So if you're interested, go check out the meeting information. This is a huge thing for us because now it means that we can increase the amount of SIG contributors and take on the activities that we've been talking about for a long time with more and more involvement. So this is a really great thing for us. And. Thanks, Emily. As I go down the list. I see you have something that you'd like to talk about. Please go ahead. Yes. 
So I've contacted Jen Burns from MITRE. And she agreed to speak with us on our meeting on February 10th. So I submitted a ticket for that. So if everybody's okay, she would come and speak with us show. What are the goals for ATT&CK for Containers and how we can help providing any feedback or any information that would be helpful for the ATT&CK matrix and everything related also to. If they're planning on doing like a separate one for Kubernetes or just the same one. And everything else. And. And that, that's it. And for another thing that I have is that I've created a ticket also to. Start the translation of the cloud native. Security white paper for Portuguese. And I have a group of people interested. So we're probably going to start that off. Probably this week or the next one. And it should be done. I think in four to six weeks. Awesome. That's fantastic. Thanks. Thanks. It'll be interesting to hear from. Jen on how we can, you know, map the MITRE ATT&CK framework to a lot of the, to Kubernetes and containers in general. That's awesome. So I don't see any other updates today. And maybe, maybe I can just take this opportunity to put a couple of folks on the spot. I know the last couple of weeks, we had some great presentations on, you know, supply chain security and, you know, the, this is the supply chain working group. I mean, Jonathan, would you like to maybe just recap on where we landed? If there's no other, maybe five minutes on this. And then just, I know there's a lot of stuff that we talked about. Maybe we can just do a quick recap and figure out what, maybe the next tactical steps, how we can all figure out how we can contribute to that. Sure. Happy to. So we formed the working group a couple of weeks ago. We initially provided a presentation looking at software factories and some of the thoughts a group of us had put together around software factories. Myself, Andrew Martin and Sabry Blackman from control plane and Justin Cormack from Docker. 
It's really just some of the thoughts that we put together on software factories and how we could perhaps create one pipeline and some of the challenges we were thinking through around how we could improve the provenance of the code that we were creating and sending through that pipeline using potentially SPIFFE and in-toto, which we're still working on. But the wider scope of that was really sort of a call to arms to ask people to join and perhaps form, which we've now done, a working group to look at supply chain security with the aim of putting together a common architecture and potentially a reference implementation. Well, it's a fairly significant amount of stuff for a working group to look at how, you know, how we can provide best practices on supply chain security. So we're now in a working group that's been created. We also have a Slack channel and we have a shared document that we're starting to add to or we will be doing it independently and pasting it in. And the idea is to initially put together a white paper of best practices and identify gaps and perceived gaps in the supply chain and then look at how we could provide an architecture to provide that capability. The end goal there is a number of different end goals, but it would be really beneficial, we believe, to provide an architecture that people could look at and potentially start to adopt in the open source forum so that they can adopt that architecture and have a build platform that would then be somewhat secure and have the ability to deploy secured artifacts that are signed with SBOM material perhaps as a way of improving the security throughout. So really that's kind of the goal. I'll certainly post a link to the white paper and to the working group. I think it was issue 510 where you can take a look and see the conversation as it stands. 
We have quite a number of people offering to assist and go through that which is fantastic and the way I think we'll start to look at it is having people adopt or suggest topics for that white paper and we'll progress that way. We do have working group meetings on Fridays at 4:30 GMT at the moment. That was just how given the look hows of the people involved, we certainly changed that if additional people are looking to join. And I think the next session we're possibly going to dig into in-toto and the signing piece, figure out how we could work with those keys as well as the white paper itself. One thing I did miss out there was a really, really good presentation last week. By the Recall team that had a heavy supply chain element I'd recommend people take a look at that. And also obviously a lot of the work that we're looking at is based on DevSecOps principles from the Department of Defense which is a document that you can read on the internet. That's awesome. Thanks a lot Jonathan. So a lot of stuff there everyone and I think there'll be fantastic opportunity to contribute towards the architecture and the white paper there. I think we have all the links up on the chat. Maybe I'll take some time to maybe transfer a lot of those links to our meeting notes as well. Yeah, we're certainly welcome for anyone to assist and help. There's a lot of work to do there and it's a key area that a lot of people are really interested in contributing. So certainly open to all. Jonathan, Ava makes a good point about the Linux Foundation having a couple of other projects and efforts that are working on supply chain security. So maybe reach out to those different groups and find out where they're at in those discussions and see if there's some cross foundation collaboration that can happen. Great call out as well. I think we can connect as well. One of the founding members of I think both of those foundations is here in Microsoft with me. 
Please, if you could reach out to me. And I'll reach out to you to connect that because that's definitely something that we'd like to do. We have made initial conversations with the OpenSSF. And I think there's additional work happening in the SBOM community. There's a number of different SBOM communities that we're trying to tie into this as well. Great point, Emily, though, because there is a huge amount of work in individual pockets. So that's one of the sort of suggestions we're sort of pointing out. What we're trying to do is trying to connect those dots and trying to reach out to those different groups and perhaps provide that architecture across the top. Because we see it as there's individual point solutions for these different areas but not necessarily joined up with the CNCF working group. I would assume that the focus is going to be on the CNCF projects and workflows. Whereas I know both OpenSSF and CD Foundation are looking at the broader like open source as a whole. So there's probably some good tie-ins there, but the scoping of this is very different. We're actually keeping it fairly generic but also very cognizant of making sure we connect to those exact groups. So I didn't mention the motor on, but we are trying to reach out to those groups. So I think that's one of the things that we're trying to do. I think that's one of the things that we're trying to do. We're working with a couple of members of OpenSSF and we do want to expand that. We're not duplicating any of that work, but just pointing to it. Thank you. Really appreciate that. Great. Thanks. Thanks, Jonathan. Thank you all for the comments. And let me see. Well, I don't see any other topics that we want to have covered here. So what we can, what we have set up for next week. So Vinay, we actually have two things on the agenda. We have issue 422. Okay. And then we have issue 514. Okay. So do we want to talk about that? Who wants to talk about issue 422? 
So I think I'm kind of on the hook for both of those. Okay. So I'm dropping 422 in the chat because that's the first one. So for those of you that are new or have been super busy doing a lot of other things, I've been going through the repo and trying to clean up some of the outstanding issues that we've had for a long period of time, seeing if we actually missed stuff. Issue 422 is one of the issues that we missed. So this is a suggestion from the community about. And I think it's kind of including hardening binaries through our recommendations to projects that are coming through our security assessment process or incorporating this concept into other documentation or conversations that we have in the cloud native community. And that's kind of the extent of my knowledge in this particular area. The issue has a ton of information on it with a lot of excellent resources. And I wanted to bring it up because when I'm not an expert in this area, but too I wanted to get the community's feedback on whether or not they see this as a potential worthwhile effort, something that we can easily incorporate into our existing processes or whether or not this is a much larger ask by the community to kind of push this. And if it's a worthwhile effort to push into the community. The first thing that comes to mind there is you'd have to do it in a little more language agnostic way than what this issue shows. But it's worth considering. And we've talked in the past, or at least we've had other discussions for potential efforts about setting up automated hardening for cloud native projects in their development. That way they have like a standard framework to be leveraging to ensure that like the base distribution of all cloud native projects is secure. So I'm not quite sure how this fits in with that, but I do know that we've talked about that in the past. I think there was a proposal on it, but I don't have the ticket number if it was even a ticket. 
Maybe I'd like to have a sound out a few thoughts Emily is, I mean, if we can definitely have these guidance kind of documents and made available to all the project teams and, and make them aware of the, let's say hardening flag as we perform assessments. So that's one way. And the second way to only, how do you say test and enforce it is, you know, I don't know when, maybe the first meeting of this year we talked about this, the automation that you talked about, right? When we, the automated and security scans, if you will, generically speaking, if we're able to do that, then that would be, this would be a great dimension to that effort as well. So I think there is some correlation there. Let's say start with the scan, right? And then add in hardening. Hardening sounds great. I know if we had this conversation 10 years ago, there'd be a good chance of breaking things. I think that sort of decreased a lot, but some folks are still to be worried about that. Yeah, I agree. And I'm sorry, just to clarify, I'm only talking about from a guidance perspective, right? Sorry. Yeah. The owners of the projects, we're just saying, Hey, this is something that we are familiar with. We provide guidance on and we run your project through our flags, if you will. And this is what we found missing and, you know, not to break anything from their pipeline perspective. At least that's my sense, given where we are today. All right, Emily. Would you like to talk about the second issue? The SIG App Delivery operator white paper. Please. Yes. Okay. So SIG App Delivery. So CNCF has a ton of, a ton of SIGs. Some of our members are members of other SIGs. And this SIG App Delivery reached out to me. They're looking for a security perspective on. Their operator white paper that they're writing. This is a new effort for them. They have a current draft going on. And they actually have a specific issues. 
The first issue associated with whether they're looking for help, which is, I'm pulling it up right now. About building trust documentation, security constraints, implementation, metrics and user observation. So what they're really looking for is to have a SIG representative or a few SIG representatives jump in and help in this particular area of their white paper. They're not looking right now to rehash the entire draft that they have. That'll be probably later review phase for those of you that are member of the cloud native security white paper. We wrote all the content and then we opened it up for reviews. This is more about contributing specific security focused content to an operator white paper. So this is a good opportunity to get to know other members of different SIGs. As well as get some cross SIG exposure. From a security perspective. I was hoping that I could get a few volunteers to jump on this effort. It doesn't appear to be a huge ask. Not. Anywhere near as monstrous as writing the white paper for us was, but I would certainly expect it to be a couple of hours. Over the course of two weeks, potentially maybe a little bit more. This is something I'd be happy to jump in with. We've done a bit of threat modeling around. Operators and mutable states and stuff. Is there any indication of. Timescales. Not that I know of. So. The ticket actually has the POCs for it. So I would recommend reaching out to them and jumping in the SIG app delivery channel. So Cameron and Andrew, if you guys could comment on the ticket that you're interested and then jump over into the SIG app delivery channel and let them know that you guys are going to. Get on that and help them out. That would be great. And we would love to hear out. Another meeting about how it's going. Same goes for anybody that's interested. Awesome. Thanks. Thanks, Emily. And I guess. 
The, for the folks who volunteered, please, you know, chime in on, on that ticket and make sure that you, you have all the necessary resources and get connected. Did I miss anything? And sorry, I'm going to look to you. Emily, did I cover all the agenda items? I think that was actually everything that we had. Legitimately written down. Okay. Next week, though, we've got. The security scanning presentation. From. Which was a request from. Liz Rice and the talk. To have that presentation to us, which if anybody saw that thread on the mailing list, it was a fascinating thread. That's a great dialogue. So hopefully we can get a lot of attention to that presentation because it sounds like it's going to be amazing. Awesome. Well, you want to open it up once again, any folks, any comments, any updates, anything interesting you'd like to share that we might have all missed. Thank you very much. And looking forward to the presentation next week. Don't miss it. Have a great week, everyone. Cheers. Thank you. Bye. Bye. Bye.