Good day. Good day everyone. Good afternoon, good morning, wherever you may be. So I'm just gonna put the link to the meeting minutes, today's section, in the chat there so everyone has a direct link. I just created that right now, and we'll give another minute or two to get critical mass and wait for everyone to hop on board.

Okay, I believe we'll get started. And I remembered to do this first this time: is there anyone that's able to fulfill the role of a scribe slash minute taker for today's meeting? If any one of you wants it, the role is open. I'll try to take notes along if there's no official scribe for today.

With that said, are there any individuals from any special groups or working groups that would like to check in, if you have anything to present before we get into it?

I can say that a number of us just went through the plans for the white paper an hour ago and had a great discussion that included Vinay and Dan and others. It was led by Emily, if I'm getting the name right, so it went well. Would you agree, Dan and Vinay and others who were on? Anything to add to that?

Absolutely. I was actually just writing, you know, since neither Emily nor JJ is able to soldier forward into this session, if you or Vinay could give us a brief high level of what's planned.

Yeah, sure.
So Emily and others laid out a plan for the white paper, kind of the topics and outline for the white paper. It took a lot of feedback over the last two weeks or so in writing that, and we just had a synchronous, you know, Zoom discussion about them an hour ago, clarified a couple things, and at the end decided that people who are interested will put their names on various topics for writing the initial content based on the outline. I think we said we'd all do that in the next two weeks and decide who's gonna sign up for which, and then keep going on the white paper.

Great. So, you know, call to action there: if you have cycles and if you're interested in contributing your subject matter expertise, now's the time. I will work to corral someone to sort of do more of a readout in the coming week, so everyone can see where they can sign up. There's a Slack channel, it's security-white-paper, and there's an issue that is tracking this. And if you're not... Headpoint, yeah, thanks.

Yeah, and if you don't have access to the document or you don't know what we're talking about and want to get involved, it's a good issue to read and comment on. Recording, by the way, like will we be able to do it? Now there's gonna be editing and, you know, some sort of late-stage contribution that you'll be able to...

Alright, with that said, I don't see any updates from individuals in the attendance so far. Are there any specific PRs or anything that anyone would like to bring up?

Matthew, I just had a quick update.

Sure, go ahead.

So yeah, a couple of weeks ago we mentioned that OPA is going to be applying for graduation, and we created a due diligence document. So it would be great if SIG Security could take a look at that document and provide some feedback. So if I need to create an issue around that, or whatever steps we need to do for that, yeah, please let me know.
Thank you. What are you looking for with respect to this? Because from sort of my standpoint, you've already gone through the process, like the difficult process of the actual security assessment, and in my view, unless major things have changed with OPA, or, you know, if you want to give us just an update, "this is what's happened," then basically the people who did the assessment are likely to look at it and say, yep, we still basically have most of the same feedback we had about OPA at the time when we did the assessment, right? Is that basically what you've put together for us, or are you looking for something else out of us?

It's, I think, primarily the same thing. But I think the TOC requires a small feedback from SIG Security since it's a security project, and we've kind of highlighted the stuff we've done since the last assessment, in a way, like the improvements that we've done taking the last feedback into consideration. So I believe we put that as well in the due diligence doc. So it's nothing major or like affecting OPA completely from last time, but we've just added some new documentation and some, you know, some new things to cover what was brought up last time. So, okay, and so we just need like, you know, a small feedback around that document.

So if you... yeah, we'll be happy to provide that, and in general I like this process to be very low friction for the projects. So what you've done sounds great. I'm happy to look at it. I think the rest of the original reviewers can take a quick look at it, and likely, you know, we can produce something very quickly that just says, you know, yeah, OPA's... you know, like, as I said before, our feedback on OPA hasn't substantially changed.

Yeah, this is Robert. I agree. We should review that, and now, Justin, at some point we had talked about doing some sort of more, I hate to use the word formal, but more concrete, you know, review of the assessments.
So I don't know if that falls into scope here, but I think at least a quick review of what Ash provided is reasonable.

Yeah, I think the thinking was we were going to be doing annual reviews of projects, although at the rate we're doing things and stuff, we want to be careful that that doesn't, like, overwhelm the rest of our work. I think doing, you know... this is only... it has to be discussed as a group, but in general my view is that the most valuable assessment we're gonna do for any project is probably the first one.

Um, I agree.

Yeah, I think that, like, you know, if we got stuck in a position where we just didn't have the bandwidth to look at new projects because we were spending all of our time doing kind of lengthy reassessments for projects going up for the next level, or lengthy annual re-reviews, that I think would be, you know, just my personal opinion, but I think that would be a shame. And so as a result, I'd like to make my rough proposal, which is that, you know, a project nudging us in the right direction and then us going and making a quick determination is probably the right path to go on for project re-review, so that you don't feel like, you know, you're kind of having to redo the whole mess. Unless you go through something like, for instance, Notary v2. Some of the things that are being proposed there are basically... it's almost, at least, you know, some of the draft stuff that's being proposed now is basically a complete rewrite of the system, and at that point, I think, you know, it would definitely be worth having a complete reassessment, because the security properties and risks and things like that, at least for some of the proposed things, are completely different.

Well, I think that's the opportunity here. Of course, you know, OPA was very helpful in the formative stages of what the security assessment would look like in the beginning. Here's a great opportunity to kind of define the guardrails on what the refresh looks like,
and maybe, and I'm happy to put together, like, here's a ten-point quick yes-no questionnaire. You know, have you undergone a major rewrite? Yes, no, right? And then, you know, spin off from there based on those answers, so to keep it simple.

Yeah, that sounds great. So what I can do is I'll share the document in the OPA security channel we created last time, and then y'all can take a look at that. And if you have those ten-point questions stubbed out, or anything else that I can do to help this process as soon as possible... So yeah, let's...

Just a quick follow-up, and I don't want to get in the weeds on this call, but it is somewhat germane to CNCF projects that kind of fork off into other CNCF-ish projects. So I know, like, OPA and Gatekeeper are now, I guess, somewhat two separate projects, or would that be considered the same scope? And how would we kind of handle that at the CNCF level?

Do you mean, do we treat our assessment as though it's for both projects, or...?

Right.

I would think, you know, this is like, I think we'd have to talk about that a little on a case-by-case basis. But I think in general you'd want to do some kind of reassessment that would be nowhere near as painful, because when you add new kind of trust boundaries and things, which is a usual reason, you know, like a usual thing that happens, then when you're looking at things it does often change the security properties and also may change the way people use it and so on. So I feel that's more like a rewrite of the code, even. But you'll of course retain most of the work that was in the document. I could be wrong, and I'm happy to hear other opinions.

Just a quick question. I see from the chat here from Dan... Dan, has that been addressed, or, you know, a multi-party due diligence doc?

Sorry, I don't know if the audio came through for everyone.
I only heard the last couple seconds of that from you, Dan.

Oh dear. So once again, I was wondering if a due diligence doc has been created by the CNCF yet where multiple SIGs are sort of piling on with their recommendations.

So we've created a due diligence doc so far, and I believe it's only SIG Security who's gonna provide feedback for OPA, at least. That's my understanding. So if I can share the doc with you all, then, you know, y'all can add your feedback to that document.

Okay, that's great. You're gonna post that in the issue?

Yeah, should I create an issue with it, or link to an issue? Like, you know, I don't know that we need to create...

Okay, cool. Sounds good. Thanks. And the follow-on was, is there a date you're shooting for?

Yeah, I don't think there's a date we're shooting for, but if you can get this process, you know, completed as fast as possible, that would be really great.

Okay. I largely think what you should do is to post the new document and mention it on both SIG Security and the old channel, and, like, ping, you know, you can also ping us individually, but somehow bring it to everyone's attention who participated in the original review. If you have feedback within a week based on this, please give it. Otherwise, you know, we just need a nod, and then that will have someone like me, or I think I led the OPA effort, but whoever led the OPA effort, or the security coordinator, or even the TOC chairs if the other people are not available, to then say, well, this period's past, there weren't any other things raised. Because, like, I don't want you to get in a situation where you need a strong affirmative action by a large group of people in order to move along. It instead should be something where you make the information available, give people the opportunity to go and take a look and raise new issues or ask for more time about things, but not, you know, not something where you're blocking on the fact that somebody took a vacation right now
or got busy with other things, right?

Yeah, that's fair. Okay, I'll post it in both channels, and then, yeah, we can go from there.

Okay. That's it. Are there any other comments or anything else to bring up on this topic? Okay, then going through the agenda, I don't see any other updates or PRs that have been scheduled to be brought up. No presentations either. So at this point we'll open the floor.

I do have a question about the... thank you. I do have a question about presentations. I see in the meeting notes, I forget which page it is, but "Proposed future meetings."

Yeah, it's actually on the first page.

So, like, Keylime for CNCF inclusion, discuss issues, suggestions, etc. How do those make the agenda? So those are proposed things for the future meetings. When do those actually happen, or is that just kind of a placeholder for "we might want to do these things"?

In general, anyone's welcome to essentially go through the backlog, like go through the GitHub ticket system there, and either add something that they would like to see there, or people may just go through there and see if there's something that someone else has posted that looks interesting, and then just copy-paste it and say, hey, we should get around to doing this. So it's, I guess, a touch ad hoc in terms of taking it from the backlog and putting it into the meeting. And then, as for creating the content to begin with, whoever wants to propose something can just go create the ticket, whether it's a member of SIG Security or just an external third party that wants to reach out to and engage with SIG Security. They just create a GitHub account, post the ticket plus their contact info. That's the gist of it. Sometimes I'll go through it and pull ones that I see maybe need a little attention and throw it into there, if I get a chance.

So if someone who proposed... I'm sorry, if whoever proposed these were here today and wanted to present it, they would... is that accurate?
Um, they could do it on the fly or on the spot if they wanted to and we had time. I guess the preferred way is that someone chooses a specific date during which they would present those. I think we probably need to purge those ones that are in the meeting notes document you're referring to there. I leave them there, at least we tend to leave them there for a couple weeks, in case maybe we didn't get around to it and we didn't want to eat someone else's work.

Okay, I'll probably purge all the old stuff there if no one has any objections. The canonical source is GitHub issues, not the document.

Okay, and another question, right, that's what we're finding... Sorry, um, so it looks like the things that are generally proposed are, you know, things around assessing various things to be, you know, included and endorsed in various ways by CNCF, and other things where somebody just wants to get the impression of this group. Is that accurate, that, you know, basically it can be anything that may be of interest to this group, whether action may be taken by CNCF about it in the future or it might just be an FYI? Am I interpreting it correctly?

I'd say, at least personally, that's a fair appraisal. There's also, like, some, I guess you could say, housekeeping topics that come up, like we need to update some document, or add some rules, or at some point maybe build bots or something, some of our build jobs, or linting the documentation, stuff like that.

Okay, great.
I've got a proposed idea for the future, but I'll file an issue for it. We can discuss. I'm definitely not ready for today, and I'll file something to be considered in the future. Thanks, Matthew and everybody.

No problem. Please feel free to put the issue in the tracker there, and if you feel that it's got the necessary attention and hasn't ended up on the schedule, by all means, please feel free to go ahead and put it as a proposed thing right there in the meeting notes, and definitely if it hasn't been noticed in the tickets, although the members of the team are quite diligent, so it's not often something slips through the cracks.

Just, you know, just some framing there. You know, worth considering that we're about to kick off this three-month process, and, you know, therefore it'll suck a lot of folks' time. So if the thing that needs to be done involves a lot of contribution from a lot of folks, you know, you're gonna get pushback from folks like me on timing as we try to complete that workflow.

Makes sense. Thanks for the context.

You bet. Are there any additional topics or anything anyone would like to see coverage of in next week's meeting?

Hey, so this is Mark here, so kind of related to this topic, I think, but not a suggestion for a change in practice right now. We do assessments; this is part of my day job duties, and the question of deciding when an application that's already been screened needs to get re-screened is not necessarily based on the amount of code that's changed. I don't think there's a simple rule of thumb for that, and in fact part of what we try to do in the engagement with the projects that come through for assessments, in our enterprise, not in CNCF, is to try to educate them about what those things might be that need to have them come back for a visit,
either in person or in some kind of written update to the previous plans. So I think it's a worthwhile thing to think about, trying to identify what those things are, so when the teams come through for the initial big reviews of the sort that Justin outlined, they have a sense for what things would merit, you know, either a personal visit or at least a sort of debrief back to the security team that did the review. I mean, I'll just throw out a couple things, like we see changes to encryption, or a decision to use tokenization, or adding PII to an application that didn't have PII before, or we change partners for who's doing our API security. We're doing some major changes with the security tooling partners, and so the vendor APIs are having to be revisited for some security issues, which at the time these folks came through for initial review wasn't really much of a concern to us. We were happy to see it, but we didn't really look at it in detail. So that's not an exhaustive list. That's just, you know, sort of the typical stuff that comes up. But there's also other dependencies with other cloud projects. The one that comes to mind for me would be Prometheus, or the authentication tools. But again, I think if we could offer guidance for the teams to come through, that would be a value add, because I think just saying "come back when it's been changed" is not gonna help them. Justin, what do you think?

I think that's sensible.
There's a couple things. I think we have to be a little... like, we'll have to kind of customize to this environment, because in general, if something like the encryption changes but it's just an algorithm swap-out, then most of the time, from our standpoint, it just won't matter. I mean, unless someone is swapping out, you know, something for MD5 or something like that, or whatever, which you wouldn't expect to have happened. I think a lot of the points you make are really good ones, and I think if you can share, like, you know, basically what you just said, along with any other points that you commonly have that you give as guidance, that might be a good draft sort of thing for us to look at. I think the other decision we'd have to make based on that is, is that something that we want to look at for a project immediately when that changes, or do we want to, in the annual review, go through all of the items like that that have changed for a project? And I don't know the answer to that. But anyway, yeah, so I think that's all. I'm very encouraging of your suggestion, Mark. I would love to have you maybe write up a list of those things that we could iterate on. I think you're muted.

I am indeed. Thank you. My boss said, what's the most commonly said thing on Zoom? It's "you're muted." I was gonna say I'm mindful of your suggestion that we keep a light touch, and that the folks who went through extensive reviews should be, you know, apprised that it's not going to be an extensive review. And also, I think, you know, these cases I'm able to think up ad hoc here, maybe not the best ones. So yeah, I'll try to write up a few things and post them for consideration.

Hey, one maybe unrelated question. There's been a couple of presentations on CI/CD pipelines, both on the DoD DevSecOps group and others. I was just curious: is there a unified working group, and what's the intended artifact for that?
Is that like a subgroup of the SIG? I'm just trying to understand what the outcomes are and how to participate.

So this is Vinay, maybe I can talk about it. I gave the last presentation on CI/CD security, so what came out of that is that there's some artifacts that we could potentially use that can be contributed into the SIG Security cloud native security landscape, or, I'm sorry, I forget the exact name, it's called the Cloud Native Security White Paper. So a lot of the information there will be fed into that. Potentially we can leverage some of the visuals and illustrations, and then the idea there is to actually highlight a lot of these topics, as well as then, as necessary, have deeper-dive concepts that are distilled in separate white papers. So that's one, and then Brandon and Justin have already had a landscape effort underway for quite a while, and potentially we'll see how we can contribute to and leverage that effort as well.

Cool. And are there regular meetings on that, or is that just informal?

So from the Cloud Native Security White Paper perspective, we just had one meeting this morning. There is a Slack channel that has been established for it. Emily or Dan, or maybe someone, can invite you to it if you could just ping them. So I think it's just been ad hoc for now, but there is a Slack channel, which I would imagine is the authoritative way to communicate across the stakeholders.

Cool. Thank you.
Sure. Any remaining topics, anyone? Okay, I save this moment for the end here. If there's any new people, if this is your first time visiting SIG Security, if you'd like to grab the mic and introduce yourself, please feel free. Otherwise we'll conclude in another minute.

Hi guys, Matt here. I work at Synopsys, and I'm trying to get up to speed on cloud native security. So yeah, like, if anybody has things that would be good for somebody pretty new to this space to work on, you know, like in an open source way, I'd definitely be happy to, you know, look at some of those things and kind of ramp up and hopefully help you out too.

Sure thing. One of the recurring themes, and I myself asked that question joining the group: there's the backlog on GitHub, there's just joining the meetings a few times to sort of get a feel for what the current topic is, like if there's a new security review that pops up, people are welcome to join in on it and take part in it, that sort of thing. The recurring theme I often hear being uttered is "chop wood, carry water." So you'll see that in Slack a few times. Glad to have you on board.

Awesome, yeah. What's your security background, and what are the sort of ways you'd like to contribute?

I don't really know much about security. I'm more, you know, I've done a lot of application development and stuff like that, but not really any security.
So for me, getting a good handle on security that's happening in the Kubernetes space, you know, like keeping clusters secure, images and that kind of stuff, is super useful for what we're doing. So yeah, I mean, I'd love to contribute in any way that's helpful, whether that's, like, writing code, or triaging issues, or reproducing bugs, or whatever, you know. Yeah, anything really.

So in this forum you're not going to find, you know, any opportunities to code directly. You're gonna have to go from, you know, kind of this higher-order level here in the SIG down into individual projects. You know, a number of the members of OPA present today are a great, you know, sort of place to start getting oriented. So if you're looking for, you know, a path to contribution, this is going to be, you know, kind of an abstraction above that. You aren't going to find a lot of opportunities there. The workflow where they were just, you know, sort of discussing and kicking off with the white paper will be extraordinarily useful, where a lot of the substance of the white paper is, you know, capturing the understanding of how security is fundamentally changed in a cloud environment and some of the assumptions that we've had, you know, regarding access to systems and the quote-unquote physicality of a system, as opposed to, like, you know, how we virtualize things. And that's, you know, something that we're diving deep into, and you'll have the opportunity to be a part of that, you know, over the next three months. And then, you know, in terms of sort of deeper dives into projects, you know, participating in a security assessment would really give you the perspective of, you know, what seasoned professionals that work in this space are looking for, and the types of concerns that arise as we're
assessing the components that make up a cloud native system.

Gotcha. Yeah, yeah, that makes sense. Yeah, I appreciate it, you guys, and yeah, looking forward to learning more about this.

As a bonus, I'll add a link here. This is just my piece. This isn't officially endorsed by CNCF or anything like that, but it's an interesting document, essentially on container security, and interesting reading since you mentioned you're interested in container security. What I found interesting was, after reading this, finding guidance that cited and referenced it, and finding essentially just a boatload of useful information that I've been using to write my own security policies within my own company. So it's a good starting point, sort of square one to find your feet, so to say. So you can see that in the chat window if you look at it.

Oh, awesome. Yeah, I appreciate it. Thank you.

With that, are there any other new members on the call today that would like to open up? Okay, with that, looks like that's a wrap. Have a great day, everyone, and stay healthy.

Thanks, you too. Thanks for hosting.