Hi, everyone. My name is Brandon. I'm a co-chair of the CNCF TAG Security and I'm here with Andy. Good afternoon.

Hi, I'm Andy. We have one more co-chair who's not with us today and we'll introduce her and the rest of the people who have facilitated and made today possible as we wrap up the day, the CTF, and set you up for the rest of the week. So, yeah, I'm really proud to have recently been voted in as a co-chair of TAG Security, so I'm here resting on the laurels of other people this time round. There's a lot of hard work that goes into these events. We have Brandon, of course, Radna as well. We operate on a tech lead and sort of a nominative basis. So, right now we have the three reputable individuals, Andres, Atush and Pushkar, and this means that in this position these individuals take initiatives forward. They propose things. They help to shepherd things through and we'll look at some of the great work that people have been doing, and we have just nominated another round of excellent tech lead colleagues. We have Michael Lieberman, Marina Moore, and Raghastra Shekhar. They will come in and help us to move forward at a greater velocity. There is so much work that needs to be done and we really appreciate all the community involvement, all the volunteering efforts that people put in to help move cloud-native security in the TAG forward.

All right, so besides SecurityCon that we do, well, it used to be called Security Day. We started this about three, four years ago, and it started off as a single-day, single-track event. Now we've gone through two days. We have a CTF going on alongside. We've really evolved this and we're kind of growing this a little bit more. We're kind of excited to see where this can go, but besides that we also do both technical work in terms of writing white papers.
We do write some documents about best practices, as you've seen in yesterday's presentation, on how to use these security supply chain best practices and integrate them into the supply chain pipelines in your organizations. So just to share a few, these are some of the new releases that we had. The community has been working together. We have multiple working groups. We have a serverless working group. We have a supply chain working group, a controls working group. And so these are some of the new documents that are coming out this week for KubeCon EU. So we have the Secure Software Factory Reference Architecture paper. So originally we had the best practices paper. The reference architecture paper really tells you how you go about actually building a secure builder. So all the links are in here. The presentation is uploaded to chat in the code, so you can just download it from there. We have the Cloud Native Security White Paper V2, which includes all the NIST SSDF mappings, if the EO is something that you're looking to target and meet the requirements of. We talk about ransomware. We talk about GitOps. We talk about EU regulations and all that. We have the TAG Security NIST control mappings, which map the original security white paper to NIST 800-53. And also, for those that have not seen the first white paper and you want something more like an audio book, we now have an audio recording that was done by various people in the community. And there are lots of things coming up. The Open Source Summit North America in Austin, Texas next month will feature a new event, the Global Security Vulnerability Summit. This is an attempt to answer the perennial question: what do we do with the backlog of CVEs that we're collecting as an industry? There has to be a better way to do it than we do it now, we presume.
And this is an opportunity again to engage with the community, interested and excited minds, and try and ideate something that will help us to cut through the molasses of CVE management, as I'm sure those of us who manage our cloud-native minimum viable security know. Yeah, we also have the cloud-native serverless security white paper that we had a panel on earlier. And so this is currently in public RFC, so we are gathering all your input to tell us, like, what are you looking for in serverless security? Are we missing something that should be talked about? We're also working, and a lot of the issues that you see here are new. We are starting to work on them, so if you see anything that you're interested in, we're going to talk a little bit later on about how you can get involved. One thing that the supply chain working group is working on is creating cloud-native SBOM guidance. We talk about SBOMs, we talk about generating SBOMs, but why are you supposed to generate them? Who's responsible for generating SBOMs? And so the effort is to kind of be able to provide guidance on cloud-native technologies. What should we do? Then we have the NIST security controls mapping. Again, looking to help implementers and people working at the coalface to implement sometimes difficult compliance or auditory regulations. This will give us a view on how to move forward, take advice from colleagues and people who have implemented these kinds of things before. The supply chain best practices. Again, a collection of volunteers and interesting minds put together this paper, which is technical detail on how best to secure our supply chains. End-to-end, looking kind of farm-to-table or NGZ device to production, and looking to tie together all of these nebulous concepts that we have here. The SBOM being a key point right now: what do we actually do with these SBOMs? How do we generate them?
And so what we'll do, in an effort to make this obvious and repeatable, we'll take an example CNCF product, project rather, and we will put it into the secure software factory. We will apply the best practices to its configuration, to its CI/CD, to its contributor framework, and give what is essentially a cookie-cutter reference implementation of "this is what we think good looks like". And then again, do this in a community aspect and allow it to be then critiqued so we can all feed back and then find a shared understanding, hopefully move ourselves forward. Then some really interesting things here. These are some of my particular favourites. The guidance on container breakout vulnerabilities. There have been a lot of kernel-related escapes recently. We look at things like Dirty Pipe, very quick zero-day drops without much of an embargo. These things require very real and immediate remediation and we're looking to put together a framework again to help understand these, to help move us forward quickly. And then finally, many projects come into TAG Security with a request for an appraisal and audit, a security review of some description. Part of this, and something very dear to my heart, is a lightweight threat-modeling exercise. This looks at the broad question, the catastrophisation: what could possibly go wrong? What are we going to do about that thing that goes wrong? And then we iterate and loop around there so that we can apply security controls in an order of precedence based on impact, based on risk, based upon what we think this thing will actually do. And we're looking again just to increase the velocity and to make sure that we can be as valuable to as many projects as possible. And with that, I'd like to invite our esteemed CTF runners, Lewis and James, to run us through how the CTF went today.

Thank you, Andy. Hey, everyone. I hope, if you've got a cluster for the CTF, you enjoyed it. First of all, we had unprecedented demand.
Yeah, we spun up over, well, 50 instances for users. So with 50, that meant that we spun up three clusters each. Now, those three clusters had different scenarios. Each of those had five nodes. So we've just spun up over 800 VMs. Some of them were working as we expected. Some of them weren't. But yes, and so to that, I would like to say first of all, thank you to James CP. If you've seen us sat outside, you might see, you're like, why are those guys so stressed? Well, yeah, it's, yeah. SRE on the conference Wi-Fi, trying to manage misconfigured clusters. It's been phenomenal. So our scenarios today. These were brand new scenarios exclusively for this event. We're not going to give you all the answers right now. If you want answers, come and find us tomorrow. We're happy to talk to you about them. But our first cluster was inspired by the movie Back to the Future. If anyone's seen that, did anyone reference the age of the VMs that you're using to begin with? If not, come and find us tomorrow. We'll give you some more of them. The second one that we had, well, and also that was based on Inception. So have some fun with that. The next one was Die Hard, which is actually more like "Now That's What I Call Hacking, Volume 44", which was like our mega mix of lots of different things. And for the next one, I'll pass to James.

Thanks, Lewis. So the Quiet Place scenario was based on the film A Quiet Place. As some of you may have found, we had a runtime detection agent trying to prevent users doing bits in the cluster. So the idea was it modeled a sort of more red team talent scenario where you were the attacker trying to evade any protections that blue team had put in place. Cool.

And do we have a scoreboard available? If not, you can have a look online. Yes. So tomorrow, well, the next three days, James and I, well, tomorrow morning, James and I, we're going to have a lie-in. There's not been much sleep. It's been intense. But we're going to be at the booth.
Now, we'd like to solve difficult problems. If this CTF has inspired you, if this has inspired you to get started within CTFs, within security, thanks. Then please come and talk to us. If you think we could have done better, if you've got an idea, come and talk to us. It's all about, we like to solve hard problems. And so please come and discuss with us. Did we have a scoreboard? No, we don't, but no worries. So we had two, well, I'll pass to you just to announce the two winners. Cheers. Yeah, a couple of honorable mentions at this stage for Smarticus and Skybound for being the two highest users on the scoreboard and getting a couple of flags that no one else did. What are you guys? And to that, there were two flags that weren't associated with the CTF. No one got the OS flag. So the OS flag was for OSINT, which you simply had to ask either James or me, what's the flag? And no one asked us for a flag, so no one got that one. So try hard on that next time. And the other one was the Elite flag. Did anyone get the Elite flag in here? Can anyone figure out what the Elite flag was? Did you figure out what it was for? I can't hear you, but I think you just said to say thank you. And so to anyone who came up to us to say thank you, we gave them the Elite flag. And equally, more people did. And that is the basis of these events. Everyone around here, so we've worked with Lindsay as well to do this. So everyone who's been here to make this event happen, we are so thankful for you doing this. And so I hope that, leaving here today, you just say thank you to the people who do help you out, because it means so much to them. So to that, I'd like to say thank you to these two and pass back. So cheers. Have a good conference.

Awesome. So I hope everyone had fun. It was a great conference. If you want to get more involved with CNCF TAG Security, we have a session on Friday. You can drop by, but if you're not going to stay for the entire con, we have multiple ways that you can get started.
Everything that we do is pretty much on GitHub. So github.com/cncf/tag-security. We have a mailing list. Check out all our issues. We have weekly meetings on Wednesdays. We are also on the CNCF Slack and on Twitter as well. So give a moment to let folks take a picture of this. But all this is on the sites uploaded as well. And before we go, a big thank you again to our program committee for SecurityCon. They've done a lot to make sure that we get all the exciting topics. We have a good program. And of course, again, a big shout out to Lindsay and the events team that have made all of this happen. Awesome. Thank you very much. Have a good conference. And if you don't remember anything, remember the GitHub URL. All right. Thank you.