 Oh, it's a really decent, sorry. Oh, great, thank you. When you start screen sharing, it moves all the windows. Yeah. People aren't adding themselves, we have 16 participants and almost 16 there. And Lorenzo, thank you. Now that we have scribes, we will have check-ins. So this is where, if anybody's new, we just go around and we check in and we say who we are, what we do, what's happening with security in our week or you can feel free to share something personal, if you like. And just anything that the group would, it doesn't have to be things security has done. It could be some article you read about security, a conference where you went to, we welcome kind of cross-fertilization because we can't all do all the things. So I'm Sarah Allen. I'm one of the co-chairs of SIG Security and most of what I've been doing in the last week is covered in the agenda. I've been doing a lot of meetings and report wrangling. So we'll get to that when we get to it. Jonathan. Thanks. So spend a lot of time this week updating some of the security tests and having a look at kind. This is all based on the threat model that we have. So yeah, just getting into some deep, kind automation at the minute. Can you say who we is in the threat model we have? It's JP Morgan. Excellent. Thanks, Jonathan. Daniel. Hi, my name is Daniel Zirov. I'm a security engineer out of the Winter. And past weeks, I didn't do anything with containers, unfortunately. Yeah, that's it. Excellent. And thanks for sharing your video. I've heard from people who don't have great audio connections or aren't native English speakers that seeing people talk, if you're willing to turn on your video when you're speaking is helpful to people here. Lutz. Hi, my name is Lutz Binker. I work for Figo, which is a fintech in Germany. My doings in security this week was mainly getting devs to do more tests in preparation for something like in total in the future long term. Thank you, Nadir. Hi, I'm a field engineer at VMware. 
So this week I've been talking upstream in Kubernetes and SIG Cluster Lifecycle. We're going through a security sprint in Kuwaitia. It's one of the beach travels of Kubernetes. Great. Justin Cappos. Oh, yeah, I presented. So am I unmuted? Yes, we can hear you now. Right, sorry, there was some visual problem with the UI. Yeah, so I'm, this week I've been doing, presented to the TOC as I think we're going to be talking about in a little bit. And also, of course, doing a lot with in-toto and related things like that. Craig. Hey, I'm Craig. I work at Heroku. I'm also part of the Kubernetes Security Audit Working Group. So this week we are actually pretty close to, I think next week having that audit and all the white paper threat model and the security assessment release except for a couple of issues that are going to be under embargo with the product security, the PSC for Kubernetes for a little bit of time and get those issues fixed. So it's an exciting news for that project. Right, yeah, and that would, I think that that might be something that we, if you're interested in coming back and presenting it, maybe we could have a little brainstorm about presentations we might like from different people in the group who are involved in different activities when it wraps up and you feel ready to. That might be neat. Yeah, that's great. Mark Underwood, maybe you're muted. Hey, did you call me? Sorry, trying to have a little duplex. Hey everybody. So Mark Underwood, I apologize for the background noise. We're trying to wrap up standards and ontologies in one meeting. It's not going to happen. No news from me. I'm at Synchrony working in cybersecurity. We're still trying to build knowledge graphs around cybersecurity. So people interested in that ping me. Otherwise, no progress. All right, thanks Mark. Leonardo. Hello everyone, I'm Leo Di Donato. I'm one of the maintainers of Falco, cloud native runtime security. 
This week, basically, we worked with me and Lorenzo with Cure53 for the internal audit of Falco and we are not there. Basically, soon, the audits will be published in a public way. And so this is what we've done about the security topic. Excellent. Congratulations. Yeah, please share it out on Slack as soon as it's published. I'm sure everybody, everybody loves your security audits in this group. Lorenzo. I'm Lorenzo Fontana. I work on Falco with Leonardo. My update is basically the same as Leonardo, but I also want to add that on the Falco side, we have been doing a lot of improvements in the stability of the project, basically. And we think that that will also improve the overall security of the project itself. It's just little things that make the project more maintainable and easier to spot the bad parts of it. So I'm very proud of that. And I hope that by doing this, we also fix all of the things found in the security audits. Great. Brandon. Hi, I'm Brandon. I'm from IBM Research. So I guess what happened recently was we were at KubeCon China. There was some interest in the group. I think I got some feedback on, some folks were interested in the idea of if we were able to give certain recommendations on security configurations and equipment at these clusters and things like that. Other than that, we managed to meet up with a fairly small group. I think I met a few people in the class and then I met Tupang and Kaita from Falco. We ran out for dinner. So that was fun. More recently, during the past week, I'm moving apartments so nothing much fun. So I'm through my boxes to go. Great, thanks Brandon. Good luck with that. Amy. Yeah, I'm the CNCF program manager. Last week was KubeCon Shanghai. My real role today is coming in and chatting about the logo. But that's later in the agenda, so. Thanks Amy. Ash. Hi, I'm Ash. I work on the Open Policy Agent. This week I've just been working on OPA and how we can integrate with Istio. 
So that's pretty much what I'm doing this week. Nothing much, thanks. Emily. Emily Fox from the National Security Agency in the United States. Just got off the call about doing more program planning for the security day that is coming up. We'll talk more about that during the agenda. Erin. Hi there, I'm Erin with MUFG Union Bank. Security engineer, this is my first one of these meetings so I don't have anything unique to report. Broadly speaking, data activity monitoring and Open Policy Agent are some things that I have on my plate, though I have not done anything specific with them in the past week or two. Great, welcome. Peter. Hey, this is Peter here. I'm a software engineer with a background in security working at Teradata and I've been working to solve for software supply chain in our environment. So integrating Open Policy Agent and evaluating a few other CNCF projects to help us achieve secure software supply chain. Great, that has been Peter. Christian, I've been trying to highlight people so that I'm aware of you. Hi, I'm Christian. I work on the Google Cloud Security team. We have been thinking a lot about how to express policy composition. So policies on policies, how meta, some people call it meta policy. This is in the context of how we can enable what we call the platform engineer, I think, right? We decided that might be another persona. So I'm still interested in having that discussion at some point. Oh yeah, that's great. Did you write an issue for it? I think I did. Yes, I think I did. Yeah, if you add it, I'll find it. I'm gonna write a note. Yeah. Thank you. Carlos. Hey, I'm Carlos Vicente. I'm working for Intel as a security researcher. I was working in some PRs about the logo on this community and also selecting two projects that will review it on the security assessment. That's pretty much it. All right, excellent. So I'm going to skip down to... I'm gonna put this actually below. Emily, are you online? 
Can you add the issue link to it before we get there on the agenda? I wanted to just do a couple of highlights on PRs and issues that need input. So we've been doing some wrangling of trying to get so that we don't have as much in progress. And so one of the things that we co-chairs talked about is... And we've talked about informally in the groups, but we were formalizing it, which is we did these draft landscape categories earlier this calendar year. It was an effort that was started in 2018. And there's been a bunch of feedback that I'm actually working on making sure it's all written up as issues. But we've realized that having more contextual material when we're finalizing these categories is important. So we have a while back, we started the white paper, we put it on pause. JJ is going to spearhead picking it up again, but we decided that we would formally pause this and put a stake in the sand that we would revisit after we have a draft of the white paper. So I just want to let people know that we... We added another item to our checklist of how we're going to get to a landscape. And then we're kind of queuing that up for a little later in our road... In our to be figured out roadmap. And the process that we're following, that we're still in the midst of, is we are actually echoing our process in GitHub. So for those of you who are new, we have a proposal process. If you're looking at governance, anybody in the group can propose something that the group would work on. If you actually want to do work on it, then you can make it a proposal. If you just have an idea, but you're not sure you want to work on it, then it's a suggestion. So proposals carry a little more weight because we know somebody is actually volunteering to work on it. And then that's brought to group discussion at some point. And then if we all decide that we are going to do it and we have bandwidth, then we make it a project. And so we are now... 
Brendan did a lot of triage on the issue wrangling and Howard is working on doing that on the policy side in a different time zone. And then Justin Cappos is wrangling all the security audits. And so we're trying to get everything tracked in GitHub. So then we will have a number of issues that are projects and we will queue them up in a this. If we don't change anything, this is what we're actually doing. And then we can have a discussion about whether that's the right priority. So that's what we're working on right now. And if you're interested in kind of getting into the weeds and making sure that all of the stuff's written down that we're working on, join the triage channel on Slack. So other issues that need input, Amy, do you wanna talk about the logo? Sure thing. Yeah, so we've got a final call out for being able to say, if there's any feedback that you would like to be able to put in for the logo, please do so. We're about to go back to our designer at CNCF and probably come back with roughly four options to be able to say, here's where you can move from there. So if you can get that done, I know we've got this July 4th holiday coming up, if you can get it in by the end of Friday, I will be able to come back with more directions for us. So, and what I'd like to ask people to do is so we captured notes from the last, we went around the last time and sort of people had ideas about imagery they thought of. This was actually done, this ideation was done before that. So our designer got all excited and based on some ideation that was at KubeCon came up with these things and out of their own heck of head. And so different people have pulled out different things and made a comment on them. If you agree with it, use your emojis. You can just kind of emoji like different ones. And then I did for an example here, my voice carries, it doesn't carry any more weight than anybody else's. Saying why you like it really helps the designer. 
And so I just pulled out two that captured what I liked, what one of the group members said about having something iconic in a logo. So that's an example of something that would be helpful. Like if you see one of the things in this set that hasn't been commented on that you really like, pull it out, add it to the comment, say what you like about it, what you think it evokes. And if you don't like something, you can just leave it aside unless you want to vigorously say let's not do something for reasons that other people have said that they would like to do for other reasons. And you can see a discussion about visual representation that maybe we shouldn't use. So please chime in on the issue if you have thoughts. And particularly welcome any reasons you have those thoughts but any feedback is definitely valued. And then also wanted to, this is a relatively minor thing but it's very hard to write up the what we do, right? And Emily gave some great feedback on like there's been a discussion of we have a bunch of new roles relatively new in the last few months that are written up now. And there was this phrase that was difficult to capture which is what I'm trying to say is if you take on a role in the group it's your job to figure out what the right thing to do is and how to conform to be like having, we have a lot of ideas that are somewhat written down that we like to be to respect each other and be friendly and we value each other's opinions and all sorts of good collaboration things that we try to do and we try to be inclusive so that if just because one person is working on something doesn't mean that they're dictating that to the rest of the group. And so we have like a bunch of words that are trying to express the good collaborative communal feel we have but it isn't really well captured. So if you have, you know this just needs a little help to try to write this down in some way. 
So if you've been in the group for a while or you've been in groups like this, if you kind of know what I'm talking about and you have some idea of how to capture that in words and you're willing to wade through our governance docs, everybody should wade by the way because lots of people work hard on them, then that really could use some input. Although it's not particularly urgent, we should probably get to it at some point. SIG Security Day, Emily. You wanna start talking while I bring up the issue? Yes, I can start talking now that I've unmuted. So we had a call earlier today to talk through some of the planning in the 209 issue that got started. So Michael updated the ticket content with the proposed format and layout. So we had some good discussion essentially boiled down to we're really happy with the proposed format but now the question is whether or not we go with something that's considered a more formal day at the conference or if it's more informal. So next week what we're gonna end up doing is having somebody present about unconference so we can learn a little bit more about that style. There seems to be a lot of various ways that you can do an open kind of space feel at a conference. We're not necessarily looking to do a mix of both because we feel logistically that would be a little bit difficult to manage but if it's formal we're running short on time for some of those things. If it's informal we have plenty of time however it's a little bit more legwork to source presentations. So if you have any feelings on anything about it feel free to read through the comment it's posted in the notes for the update of what our last meeting was and if you have a feel one way or the other for more formal or informal certainly post that will take it into consideration as we work through in trying to figure out what's gonna work best for what we're trying to accomplish. 
So as a reminder the whole point of Security Day is to bring like minds together, passionate people about security in a cloud native environment, so they can discuss and work together on either identifying solutions, sharing lessons learned, anything associated with that. We're not looking to generate a standards or a body associated with the conflict of security day but more make available any presentations that are put together or any notes that are taken if we do lightning talks or the open spaces environment. So feel free to provide comments on the tickets, we'll certainly add them, we'll certainly review them and when we meet next week again to learn more about unconference hopefully we'll have a decision by then to share with CNCF so they can begin marketing and promotions of the Security Day. And we have a Slack channel. Yes. Security events. So this is we decided that it would be for any live event. So right now we're focused on this Security Day but then this is an ongoing channel for things like this. So feel free to join that channel if you're interested. And then JJ is going to take over as the SIG chair sponsoring this initiative so and because it'll happen mostly organizing will happen outside at the working group meetings. Any questions? Thank you, Emily first for getting this and Michael who is I think in another time zone and on vacation this week. What's that? Michael is not here, he is on vacation back anyway. Yeah. Yes. But he's been doing a lot of work behind the scenes and we appreciate that. So report from the CNCF TOC. Justin can you talk a little bit about the presentation you gave and I will dig up slides while you do that and link to them and a bit about the discussion that was had. So basically we just had a conversation about the security assessment process, why we're doing it, what it's used for, what both the end users in the community are expected to get out of it and what the TOC is supposed to get out of it. 
Most of the feedback there was that related actually security assessments was fairly minor, a few clarifying questions about things, but we had a much more spirited discussion which I think we're going to talk about in a little bit here. So I will, I do want to say a couple, actually a couple quick things. So the in-toto assessment, which is a software supply chain security project, is going to be presented next Tuesday at the TOC meeting. So this is going to be the TOC's first chance to really look at a completed assessment and give us feedback. So it is actually a good opportunity for people to see what the TOC thinks about this and would be a good meeting for people in general here in SIG Security to make because of this. It's very interesting security assessments. And the other thing is that I'm going to be pushing people a little bit to actually formally complete the OPA assessment. So Ash, I'll be prodding you a bit and I'll also be prodding people from our side to finish up the very small number of very, very minor things so we can actually get a PR in. Did you want to do the, do you feel like we've addressed, we kind of had a shorter than planned presentation and Q and A session. Do you feel like that's been addressed async or do you think that we should allocate some time for part two of that presentation? Because that was right before KubeCon and then it got interrupted by KubeCon EU and vacations and things. I, okay. So I'll leave it open to other people on the call who read over the OPA assessment and OPA documents. Were there questions that you felt like you wanted to ask in that context? Well, maybe we can just, I wanted to put it out there. I don't think we have to decide right now, but like I wanted to let Ash know and you know and the folks on the call who are reviewing that that if it would be helpful to take it to a close to have a discussion, we can set aside time for that. 
Yeah, and I'd like to say also that we definitely don't want, the part of my worry about doing this is making this too open-ended of a process. We want to have a definite sort of finish point for this and he came and presented and maybe we didn't allocate our time very well for that meeting, but the, you know, in general, we should be able to find a way to carve off something like 45 minutes of time for an assessment in the meeting itself. And, but we shouldn't be dragging people back multiple times except for, you know, I guess while we're still figuring out the process which we sort of kind of are. So hopefully poor Santiago is the only one really, you know, the process should be smoother after certainly hopefully the OPA one works out all the rest of the kingdom. Yeah, I think that what my lesson learned from the last one is just that, I think that having the person's leading the assessment facilitate the meeting to make sure that the pacing is getting the results that we want, I think, well, is a nice little process improvement there. So in terms of the other thing that, oh, any questions on the security assessment presentation to the TOC and kind of where the next steps is really... Would be nice if you could get access to this because it seems it's locked. Oh, that was not intentional. Share. Share is related, Sarah. What's that? I have a question that's probably related, but I don't know. May I go ahead? Go ahead. So I'm trying to understand because now for the sandbox exit, there's a technical due diligence to do. I'm just trying to understand what are the actors involved? Who should perform the due diligence? Is it like the SIG or the TOC? Well, the TOC can at its option delegate to the SIG. So that's one of the things that we're trying to figure out with SIG Security. If it's a security project and due diligence needs to be done, then we would participate in that. Historically, it's been done by a TOC contributor. 
Like the TOC says, hey, anybody can volunteer as a contributor. That means that you're saying, hey, if you need help, I will corral myself or people at my company to help. And so that's how the TOC started to kind of expand its footprint. And then the idea is that the SIGs kind of cover the span of all the projects. And so the TOC hasn't quite figured out. One of the things that came up in the TOC meeting was actually having kind of like a workflow diagram would really help everybody instead of it being as ad hoc as it is. Like, you know, the TOC doesn't always speak with a single voice, you know? You never know where like, you know, we've gotten different requests from different TOC members and when there's contention, it hasn't always been clear who sets the priorities. Now, as of a few months ago, we have TOC liaisons for each SIG. So if it's like a storage project, then the TOC would likely ask SIG Storage to do diligence on a move from sandbox to incubation or incubation to graduation. However, they may also ask SIG Security about it if it's an open question in some way. And so that's where we're kind of, security cuts across a bunch of, you know, other projects as well that might have security implications but aren't for security. And so some of that is kind of where in that realm and a lot of it, because the TOC doesn't always have bandwidth to figure this stuff out in the timeframe that we need to know it, we've taken the approach of taking the initiative on like, hey, what do we think is important? How are we gonna approach this? So we have, to the extent that we have bandwidth, if the TOC doesn't ask for help, but we're like, hey, we kind of wanna weigh in on this project, this particular project transitioning from one thing to another, we can prioritize that, participating in that, and anybody can come to the TOC meetings and chime in or chime in on the issues. Thanks for the very detailed answer, it's more clear now. Great. 
And so one of the things that came up that I just, I definitely like, I wanna discuss amongst ourselves and we'll get TOC input in as well is that Joe Beda, who's actually one of our TOC liaisons, like brought up this, how do we prioritize the assessments, are they always CNCF projects? We had talked about that we would prioritize CNCF projects, we might not even have bandwidth to do all the CNCF projects and we would also prioritize the ones that are specifically delivering security, except that we will also wanna do in this first five, do something that is not itself for security. So we kind of get a sense of what that kind of security assessment is like. And so Justin Cappos, if you wanna just chime in a little bit about how we came up with this list, like this list that, and your thoughts about prioritization to kick off the discussion, that'd be great. Yeah, sure. So some of this was provided to us because we were provided with a set of projects that the TOC thought were security projects and we took a few of those and omitted them from that, from the review, at least felt they were a lower priority. For instance, I had just prior to this done, Autistic Inspire, which is mentioned down at the bottom of the screen there. And so because I had just sort of done of actually a more rigorous audit process or assessment process than what we're doing in our assessments, it seemed less important for us to do that right away. The same was sort of true of, yeah, perfect. So looking at that list, on that list, the things that we clearly wanted to audit were Falco and OPA, because those were on the list of things proposed by the TOC. in-toto had also been mentioned because in-toto was, which is a software supply chain project, brought up by the TOC that they would like to have it go through this process. 
So the in-toto project, which I'm involved with, went through, I did not participate in the assessment from an assessor standpoint, but we did the OPA assessment in the meantime in terms of the other things on the list there. Those are projects that were largely people mentioned to us as either the developer saying, hey, we would like to be a part of this or we think this would be good to have this assessment or someone else said, hey, this is a project you should look at. And in terms of the actual order, we've mostly tried to take projects when they say they're ready to go. We haven't really pushed anyone to do this when they weren't ready. I do think... Okay, the last part of the question she's asking about was prioritization. I would like to see ideally even two projects that are not security projects listed here in the first five or at least the first five or six, however many we decided to go to before we kind of reassess the process. But I think having some of those projects is also important because I believe we should do this process for every project that wants to be considered for graduation. And I think there's an argument to be made we should also at least every few years do this for every project in the CNCF. But those are just my personal opinions and don't represent anyone else's. Didn't we have a ticket open to discuss like the frequency at which these audits are supposed to be performed and at what stages and membership with the CNCF the projects are supposed to be reviewed? I feel like it's almost déjà vu that we've started to have that conversation at some point. I don't remember what's the ticket number. Yeah, so there's a ticket. So it has been decided. I think we should write it all up and review it but it was proposed to us by the TOC that the assessments should be valid for a year and we should re-review them annually. And so there's, I wrote up an issue that that should be written down. What the annual review is, is TBD. 
We thought we would wait until a year goes by on one of these before we worry about exactly the content of that annual review. And we thought that for a lot of projects that might just be a like, hey project, has anything changed, and some kind of quickie thing. So I think that that's, I think the thing that we haven't talked about at the other half of that is how do these assessments relate to sandbox, incubation and graduation? Yeah, and I know that we had, I know, well, I remember commenting on a particular ticket where we had discussed that. So I'm happy that CNCF has come forward and said like, we'll do it annually but we get to define what the scope of that annual review is supposed to be. But I know that we talked about it in at least one of the tickets and for the life of me, I cannot find it right now. But we had, we tried to figure it out, like what should the model look like? Should it be before they graduate completely? Should it be just that each, in order for them to like move from the sandbox, incubation, whichever phase that they're currently in or trying to get into, that's when an initial review is done. Should it be like a lightweight to, for anybody that's being proposed into CNCF? How, at what time frequencies or what life cycle stages should SIG Security get involved? And whether or not there is a requirement for somebody to graduate, like Kubernetes has graduated, that they have a full audit complete head to toes done for that effort. And I just can't find the- So I've got it up on the screen here. Which is just this, the thing, this is just that there is an annual review process, documenting that, and Robert's volunteered to get it into our docs. I think that I want to pause on the, we should write up separately and maybe we can have a chat or on Slack to find whether there actually is an issue that is the other thing, which is the graduation processes. They like the incubation sandbox and so forth. 
The more substantive thing that I wanted to have discussed is whatever we decide to do, for quite a while there will be a large backlog of projects, right? CNCF has dozens of projects. There are many, many things that need to be, that would benefit from a security assessment. How do, if we were thinking about like going out and outreaching to projects and saying, oh, don't you want to do a security assessment? Do we want, like, what are the things? Like, do we want to do that? Do we want to just be like, oh, well, first come, first served? Or how do we want to think about reviewing it? And I want to, in light of the, let me find a, I want to just remind everybody of why we're doing this, which is that I'll actually go to our charter and governance, that our mission is to reduce risk that cloud native applications expose end user data or allow other unauthorized access. And our charter is like, so generally we're doing this to reduce risk to the whole ecosystem and the security assessments themselves, I'm not going to go through this in detail, but just point out that it's here, have that kind of elaborated that we believe that one is the assessments themselves will reduce risks and that the data that's provided and the exercise will itself accelerate adoption of cloud native technologies, which is the mission of the CNCF. So in that light, how should we think about using our time and queuing up these assessments? People have thoughts. I don't know if we start approaching projects, we will be able to keep up with the scale, but for sure approaching projects that are, I don't know, super popular, we can define what is super popular later, what benefit like for in general the cloud adoption, let's call it. Does anybody else have any thoughts about like, I got really curious, I thought about like, there's some projects that aren't CNCF projects that are very widely used, right? And then there are ones that are CNCF projects that are less widely used, right? 
And how should we think about like, what level of use presents more risk people have? I mean, given that the SIG is from the CNCF, I would tend to focus scope on CNCF specific projects and that if there is an effort outside of CNCF that is widely used, that perhaps it should be looked at being brought into the fold for inclusion within the CNCF and review by SIG Security. I worry that the landscape is so large that just saying, cause there's a large project out there that everybody's already using, can you guys take a look, when we've already committed to a bunch of other things might stretch current resources too thin. So kind of re-scoping it to focus more on CNCF and then maybe evaluating at a later date if there is something that's no kidding part of the ecosystem and so widely used and adopted, like almost to the scale of how Kubernetes is, maybe those ones should be the exception to that rule and they have to have, I don't know, some quorum of agreement for review. My suggestion, and yeah, a point taken, my thinking about this is, it's the degree of dependency and this kind of begs the questions of Justin's supply chain project, what counts as the highly dependent ones, but the ones that are widely employed in the DevOps space but that are not CNCF but are part of the tools pipeline should be at least addressed even if we address the fact that we really don't take a deep dive into them. But we should also not forget that we rely on participation of the project, right? So if there is a project that is not part of CNCF and could be hostile to the CNCF for whatever reason, they are probably less likely to participate in something like that, but we do rely on having some good will from the project owners. Yeah, I think that's a good point. I mean, we have, just to tell everybody what we've been, we have for practical reasons favored projects who are excited to participate. 
And I like that idea because we have really, I think, been successful in making this a collaborative approach so far. Yeah, my thinking on this is that I mean, I feel a lot of the security stuff came before, the stuff that came before currently like the key measurements and stuff like that. I think it's important to consider it within the landscape but I'm not sure whether really having a security assessment of it is really necessary since I think a lot of these projects are usually very well established or have been there and they are kind of being looked at by other users of security besides CNCF as well. Yeah, that's a good point. I think that the person who first brought up widely used was it's not clear how we would define that. And so if it's so widely used that everybody understands its security profile or there's something, there's somewhere, I think that there's widely used as a proxy for need. So I think that's a good point, Brandon. Yeah, things like the Linux kernel where I'm not sure that they have actually established enough of a security baseline and a lot of people are working to make sure that the kernel is secure but I'm not sure that Linus cares. But that's what SELinux kind of does. I mean, there's already other efforts involved in that and the Linux Foundation itself and OpenStack also have security groups. So I worry about expanding the scope of this group into other areas that have their own respective security teams so we're not stepping on everybody's toes. That's a really good point and I think for the people who are new we have two things that are filters for what we work on and one of them is it actually has to be cloud native. So Linux is often used in the cloud but it isn't really particularly, like it's also used outside of the cloud. We talked about like spam filters for email, right? Like it doesn't require the cloud. It is not specific to cloud.
So we really wanna focus our efforts on things that are really different because of cloud and cloud native to whatever we think that means. And then the other thing is we try to, if there is a group already doing a thing and we try to reach out and invite that person to tell us about it or learn about it. And I think CII best practices is a good example of that that we've kind of like folded into our process a little bit and then we brought in experts from NIST and from Kubernetes groups. And so I think so far we've done a pretty good job about that. So Emily really good point that we wanna continue to do that. Other thoughts on how to figure out priorities of our assessments? But one of the things that might be interesting is what priority should the recertification get, right? So if we still have a backlog of projects that we have never looked at, is it really useful to look at a project again to make sure that they didn't fall out of whatever compliance standards we have? I really think at least for the time being we can solve all this by just having the TOC tell us. Just tell them what bandwidth we have and then they pick. We can make suggestions, but I think, I mean, Christian, you're absolutely right. But I feel like we're, I don't know, the TOC is supposed to guide us in this area. So doing what's most useful for them probably makes us the most useful SIG. Yeah, I think what I was saying is that we have so far gotten, we're gonna talk to Liz and Joe about this and in an upcoming, hopefully our first meeting with them together. And I wanted to make sure that if we had strong feelings in the membership group, but we brought that to them too, because I think we sometimes, I mean, we're lucky now because we have people who actually know a lot about security on the TOC. Whereas last year it was, there were very few people on the TOC who were as knowledgeable about security as Joe and Liz are.
So we kind of, in that void, had to, like we were bringing to them what we thought was, and they were looking to us to say what, what are the things that could be safe? We're supposed to validate if they're missing something, right? We wanna raise it. Any other thoughts or shall we? I think just maybe one, final one on that one. Some members may have already done security assessments or liked security assessments or similar products anyway. And I think, if people are willing to share that sort of information, at least as an initial stage, that might be useful contribution back to the group. Not to sway the prioritization, specifically I kind of agree with Justin on that one. But look, if you already implemented half of it, I'll bring it to the table and assist that way. Actually, that's a really good point because we do that with the audits where, you know, like we had this vision that like the assessment would inform an audit, but if audits have already happened, we read them as part of the assessment and just pulling together that. And I think you're absolutely right that there's a lot of the member companies that would be happy to share audits that they've done that cover the open source projects if they happen to have them. So that's, I think that's a way that we can use the CNCF and the end user community and figure out how to communicate to them. Would that be beneficial to include not necessarily in the projects area, but in a separate area of, here's one that security hasn't personally looked at, but here's what we already know about them. So if we're trying to encourage people to come to us to understand what it is that we've done, security status of a particular project or effort looks like, they also have that as a resource to dive into. I think that's a great idea. I think we have an issue open for like some kind of an index. So that would be a great thing to have. The assessments is listing one. I just commented on it. Thanks. 
What NIST does in this space to deal with this problem is to have conformance levels and expect that you're not going to audit everybody. And some people that you don't reach that are not purely cloud native can self certify or at least disclose what level of conformance that they have to this. And if you go in that direction, it's the declarations and process around the audit that's more important than the audit itself in the long run. But you have to establish the value by doing good audit. So it's not either or. That's a good point. Lorenzo says, I have a cardboard with priorities on it. Yeah, on your right, on the other side. Oh, behind you. Oh, I do. Oh, I have priority mail. How topical. Fabulous. Oh, and then I also wanted to call on Justin Cormack because you've been involved in, you were involved in this as a TOC contributor with Justin Kappos before we became a SIG. And if you had any thoughts too, whether there've been, you know, you've been involved in discussions about how those activities got prioritized in the past or thoughts? Yeah, I don't think, I don't have any inside information. I wasn't directly involved in discussions with the TOC. So I did get the impression from the meeting yesterday that some people had strong opinions about prioritization and that we're slightly, the discussion over that seems to take quite a long time. So I think that we should just listen to them. Yes. So I think one of the things. You know, you can't force people to prioritize things they didn't want to do and these are volunteers. And I think that if people want to do work that we all agree is important, then we shouldn't stop people doing it either. Yeah, I think one of the things that I'm trying to increase is transparency because there was some question about why we did in-toto first before they're a CNCF project. But in fact, we did in-toto because we were asked to by the prior TOC.
So we need to do a better job of communicating, hey, TOC, you asked for these things and we are doing them. Yeah. So you members, this is what we're doing, right? And so I think Amy is going to actually help us get into like a heartbeat of communication with the TOC so that as new members come in, there's some continuity. Yeah, and I think they seem to recognize that they need a more structured onboarding process for new projects because it is very ad hoc. So maybe they will formally ask us to do assessments for some or all of the projects that are coming in, which would definitely make sense. Well, I think... But obviously, I mean, looking at the current backlog, there are a huge number of projects potentially coming in as sandbox or maybe not an old sandbox. I don't know, so they need to make that more clear. Yeah, and part of it was, I think, before there was such a backlog, when in the era of like Q4 last year, they asked us to look at in-toto as a way to pre-filter in-toto before they gave a presentation and that they said, well, whether anybody says they want to give a presentation to the TOC, why don't you do a security assessment if they're a security-related project, right? Which is why we're queued up Keycloak. So it's a process. And I think that what I was referring to is actually, I think there needs to be an onboarding of TOC members that maybe we should think about when there's a new TOC elected next year that we invite them to tell them what SIG Security does or we have like us, or maybe Amy could have all new TOC members. This is what all the SIGs do. So that there's a little more continuity for the TOC because we treat them as if they're one body, but they're actually different people every year. Well, there will be more overlap in future. It was only historical reasons there was so much change. I think it'll be 50, 50, not almost 100% next time. In terms of, because I think the seats are now staggered more. Yeah. Great.
And so in all the prioritization thing, it's not ready for discussion, but I just wanted to let you know this process that I referred to before of like making things labeled as projects. So the triage team and the chairs are working to catalog the things that we're actually working on. And I'm experimenting with this board so that we can see, oh, look, here are some things in progress. We haven't captured everything in progress. And the idea is that these are, there's a lot of little things in progress where one person is working on a PR to clarify something. And so this is supposed to capture the things that a group of people are doing together that require coordination and attention. And we probably don't want too many of these things at once because some of them might need extra help. And let's make sure that we finish something before starting a new thing. So I just wanted to give you an idea that this is like what we're working towards. And then once we collect all of these things, we'll get insights from Joe and Liz and we'll also review it with the whole group so we can get everybody's feedback on how we're prioritizing things. Because we wanna have all of the various proposals and different things. And we might even get to the point where we have requests for proposals because we have things that are on our written roadmap that we haven't gotten to. So just to let newcomers know, we have a roadmap here, which is very broad, right? And we're kind of in the process of doing this kind of, how do we describe what is cloud native security? And there's a lot of enthusiasm for, wait, I know that this thing is missing, let's do it. Let's take care of this thing. And we are doing a fairly long, slow process of, but I think we were getting to the end of it, which is this is what we, this group thinks of as cloud native security and having that written down, which is we've got a number of the artifacts written down already.
And then we can actually dive in more into filling those gaps. And so, and then we started to catalog the things that we've done. And so we envision that this will evolve into things that are a set of proposals, projects, requests for proposals. So that people, there's more transparency about what do all these words mean and how do I scrub in and help and participate. So more on that later. I just, you know, if people wanna add notes to issues, the sort of triage work of like, what is this thing? Can we just take care of it with a PR or do we actually have a discussion? Is it something that we need multiple people for or we can just take care of with some async discussion? All of that we're trying to sort of clear the decks. So to whatever extent people have time and inclination to dive in to help us resolve some of the smaller detailed things that would help a lot. And then we'll raise it in a future meeting. And I think that ends our meeting for today. Thanks, everybody. Cool, thank you. Thank you. Thank you. You're welcome. Thanks. Happy 4th if it applies. Oh yes, for the Americans. Happy Independence Day tomorrow. Brexit 1776, apparently. Yes, right. Being out ahead on that one. Far great thinking. Hi, everybody.