Post the agenda link to this. So if anyone's new today, please sign into our agenda. That's where we track attendance, stuff like that. And you'll also get to see the agenda for today. Once you get a couple more folks on that list, I'll go ahead and start kicking off check-ins from everybody. Anybody new today? I'm new. Hey, Craig. Great to meet you. You as well. I'm new as well. I'm new as well. Hi, Xavier. Nice to meet you. I'm Dan. I'm also new. This is Carlos. Hi, Carlos. I'm new as well. Peter Benjamin. Hey. Great to meet you, Peter. Hi, I'm Lutz. I'm new as well. Great. Hi, Lutz. Two more seconds and we'll kick off. Meeting another working session. Wonderful. So Sarah Allen had an appointment and she'll be joining us momentarily, one of my co-chairs. I think I've been out for the last couple of sessions, and unfortunately, I wasn't able to make it to Barcelona, to our sessions where I imagine many of you were, so I'm sorry I missed that. I've been tied up with some work stuff at PayPal, and I'm actually in Amsterdam right now for the emphasis of a developer event at an event called Money 2020, which is like all bankers and financial services folks, looking at how we bring a developer event to the North America edition that's coming up in October. We've been hard at work at landing the SIG, and over the past week, we were formally confirmed. The CNCF TOC ratified our transition from the SAFE working group. We've been operating as an independent working group with the intent to establish a formal working group inside the CNCF for nearly a year and a half, and we were just ratified as SIG Security. So if you hear us talking about SAFE or the SAFE working group, they're one and the same, but when we formalized in the CNCF, the TOC decided to shift from the working group moniker to SIGs, and we decided that the Secure Access For Everyone acronym was a little bit too confusing and went with the simpler, more recognizable single English word, security.
So that's me. I'll go around the room. I'm going to go down the list on the meeting notes. If you're just joining us and haven't seen it, send me a chat message. I'll send you the link to the meeting notes. Carlos, do you want to introduce yourself? Sure. Nice to meet you guys. My name is Carlos Javisintso. I'm working as a security researcher for Intel, so I'm here to collaborate and try to understand a little bit about what is the purpose of this community. Thanks. Great. Welcome. Peter? Yes. My name is Peter Benjamin. I'm a software engineer with about seven years of security experience. Previously I worked as a, you know, pentester, red hat, I'm sorry, yeah, red team, red teamer. Anyway, so currently at Teradata and looking forward to contributing to SIG Security. Awesome. Emily? I am Emily Fox. I work at the National Security Agency as a developer security lead. I'm part of this group to provide my experience on security governance for technology systems and projects. Awesome. Justin? Cappos? You're muted, Justin. Ah, thank you. I'm Justin Cappos. I'm a professor at NYU and some of my quick updates this week are that Uptane, which is a TUF variant for automotive, is nearing its standardization by IEEE and we're actually thinking about migrating it in the future over to somewhere in the Linux Foundation. So I actually have a call later today to talk about that. On the in-toto side, we've responded to the in-toto feedback and process. So I think we're just waiting on Sarah Allen or others from that group to just actually put the documents in the repository and then we're done. From the OPA security assessment side, the OPA folks have been provided their feedback and my understanding is that they just need to respond to it and then we add it in the repo and they're done as well. So we're almost done with the first two assessments, which means I'm going to be tapping people on the shoulder for the upcoming ones. Nice. Nice. Fantastic. Thank you, Justin.
Craig? Hi, my name is Craig Ingram. I'm a software engineer at Heroku, which is part of Salesforce. My background is kind of similar to Peter's. My background is in security, pentesting and things like that, and I'm doing software engineering stuff. I'm also part of the Kubernetes security audit working group and so I'm interested in the overlap there with the SIG and if I can provide any updates and things like that and participate more here as well. Great. Welcome. Michael? Hey there. My name is Michael Hausenblas and I'm a developer advocate at AWS where I'm looking after container security. Great. Welcome, Michael. Xavier? Xavier? Yeah. I worked for Heptio, now part of VMware. I'm a systems engineer there. Some background in data engineering and a little bit of application security. Great. Joshua? I'm in the open-source group at VMware working on security-related projects with history in open-source distribution, building Linux distros. Great. Are either of you affiliated directly with Joe Beda? Just to send an effect there. A little bit, yeah. The sponsors of the SIG, we just want to identify any affiliation to our sponsors. Yeah, I'm not. Okay. Cool. I'll work with Joe for a bit. Okay. Do you have any, but no reporting structure? I'm underneath him like a level or two. Yeah. Got it. Cool. Thank you. Let's... Hi. My name is Lutz Binke. I work for Figo, which is a financial services startup. I'm a platform engineer and because I've been working for a public CA many, many moons ago, I'm charged with security. I was not quick enough leaving the room, so I volunteered for doing a security use case of Figo and I'm at the moment putting together all the information that I am allowed to share, that I want to share, that I think is of interest to the group. And so I'm listening in to see what people are interested in. Great. Welcome. Leonardo? Hello, I'm Leo.
I'm one of the new engineers that work on the CNCF project Falco Security and I'm here clearly because it relates a bit to security. So looking forward to contributing to the SIG group. Great. Welcome. Daniel? Hi. My name is Daniel Zirov. I'm a security engineer at Adevinta. We are using a lot of CNCF tools, so I thought maybe it would be a good opportunity for me to contribute a little bit to security assessments or anything. My background is defensive security and testing. Great. Brandon? Hi. I'm Brandon. I'm from IBM Research. I work mainly on the security stuff related to container isolation, supply chain management and container encryption and so on. Just a quick status update. I was going through the outstanding unlabeled issues in the CNCF SIG group and I classified them into a couple of categories. Hopefully if we have time, we can improve some of that. Nice. Karthik? Hey, folks. My name is Karthik. I work as a developer advocate on Oracle Cloud. I came from the Oracle Kubernetes Engine team and basically was in charge of the testing and security side of things. So interested in that space. So here to help out, however I can. Great. Robert? Hi. Robert Fakaya. I'm working with Styra on the OPA project. And by way of update, I've just been reviewing the issues and pull requests and commenting as appropriate. Thank you. Lorenzo? Hey. I'm Lorenzo Fontana. I'm part of an open source group at Sysdig and currently focusing on Falco, the CNCF project. And we have been focusing now on working on doing the assessment and seeing what's happening in the assessment. And that's basically my update. Great. Michael? Do you see? I'm also on the open source team here at Sysdig, one of the leads for the Falco project. And then just kind of getting ready for our security assessment and the security audit we have kicking off in a couple of weeks.
We've kind of just been spending some time rethinking about how we re-architect Falco to try and add some performance improvements. We have a Summer of Code intern that's focused on performance improvements that the CNCF sponsored. So a lot of work going into that over the summer. Great. Justin Cormack? I'm a security engineer at Docker and initially my owner. I have been working with Sarah on the in-toto assessment, but I was away last week and I missed the working sessions. So I need to catch up with Sarah and work it out. I think, as Justin said, it's done basically. Wonderful. Tibi? Hi, I'm Tsvi Korren, Aqua. And I actually participated a little bit a couple of months ago with the SAFE group. And now I have a little bit more time to invest with the SIG group. We find ourselves needing to do a lot more security assessments for Kubernetes. So just here to understand, you know, what hooks we can use in order to make sure that we give the right information for our enterprise users. Great. You know, having sold security products before, nothing like a vulnerability to get the interest of the market. Wonderful. Sarah? Hi. I have been doing, yeah, I'm the co-chair of SIG Security and have been doing a bunch of governance stuff. Submitted a PR for what I think is the last chunk of our governance, which is a contributor guide and code of conduct. So happy to have any feedback on that. Just wanted to leave it open for a little while for people to comment, chime in, and just try to create some structure so that people who can't make the meetings know that they can chime in and, you know, participate asynchronously. And then met this morning with Santiago. And I think we have the last bit of the security assessment for in-toto, where we sort of brainstormed a sort of a take at the maturity description, which has been very controversial. You know, like, lots of people have different opinions. Nobody agrees with anything.
So the idea is to just do something, write something down, do that five times, and then step back and be like, what's the norm here? So anyway, we just need to do a final, there's like two open issues in the open comments in the write-up that Santiago is going to take care of. One of them is the, there was the template that they used to have, like something that we didn't like. So anyhow, it's just like wrapping up the lit and then we're going to put it in the repo and then we'll have our first security review assessments. So yeah, sorry, lots of words. And then the rest of the stuff that I've been working on, sorry, I'm in a cafe. So I'm gonna mute and mostly participate on chat. Got it. Is there anyone else who, you know, not JJ, I'm holding you intentionally, JJ, to the last, who's our third co-chair? And is there anyone else who hasn't checked in or hasn't been able to sign in? Hey, folks, it's Amar here. I'm new, just tuning in for the first time. I just wanted to drop in and see what you guys were up to. I like to work on security libraries. Like right now, I was just looking at the in-toto project and seeing the wonderful work that's happening out there. Just wanted to chime in and see if I could help with anything. And yeah, can you hear? Glad to be here. Yeah, that's it. Great. So I dropped into the chat a link to our meeting notes and, you know, attendance docs. So, you know, when you have a moment, you know, please check in there. I see Mark Underwood. Hi, everybody. It's Mark Underwood. I'm with Synchrony and the security innovation team, actually a little team here. I'm also involved in the IEEE DevOps security standard, which is in our third year. So we're probably going to have a draft out this year; for the new people on this call, I'm mentioning this. And we're wrapping up the NIST big data security release version three, which happens later, probably August or September time frame.
Great to see all these people here. Sarah and Brandon, thank you so much for signing up for scribe duty. I was out of practice for meeting running and I forgot to debug everybody. With, you know, our attendance so high, I wanted to get everyone checked in. Anybody else that hasn't had a chance to check in? All right. I want to introduce our third chair, JJ Jayaprakash. And JJ, you know, I asked JJ to share a bit more context about, you know, SAFE and some of the work that we're doing. JJ, thank you. Thanks, Dan. Yeah. This is JJ. We ideated and- JJ, can you speak up a little? I think you're a little quiet. Can you hear me? Can you hear me? Okay. Okay. Yeah, this is JJ. We ideated and created the security working group, which was called SAFE before, with Dan and Sarah. It started around QCon Austin, which is 20, I forget the year. It's been too many years. So we've been working on it. 17. Yeah. 17. Yeah. It's been, we've been working on it for a while. There's a lot of interesting contributions and participation that has happened previously. So for people who are joining in now, it'll be good for you to go take a look at all the use cases from Cloud Foundry, all the thinking about security from folks at Google. So there's a bunch of content there that I'd encourage you to go take a look at. But a brief history is this started out as like an effort. I was involved in SPIFFE way before. And then looking at SPIFFE, which was a cross-cutting concern across all the infrastructure, there is like a bunch of security concerns across all infrastructure, therefore. So there wasn't a common place where we could actually talk about and address all these issues. And that was the primary motive with which we started this group. And it was surprising to see the amount of people that were thinking about it the same way. So I can't claim the credit to be the first one to think of it.
But it's an honor to be here with all the like-minded people to hash out a problem that probably is not going to get solved in any of our generation. But at least it's a good start. What do you mean? This is the one good time where we finally get security right? Exactly. We're like 10 more attempts before. Yep. I'm happy I'm back. Oh, new internet. Good. I'm here to answer any questions that you have. Or I'll be available on Slack. So please feel free to ping any one of us. Yes. Beyond SPIFFE, Istio, and very deep background in security. And, you know, kind of the primary leader for, you know, our white paper efforts. Thank you, JJ. Thanks. Okay. So a bit of an announcement as our first thing. Sarah, are you still online? Do you want to talk to the microsite? Ask? Oh, yes. So we have a lot of, as JJ was saying, there's a lot of resources assembled. They're not surfaced super well in the repo. Like, it's kind of a working, the work in progress is mixed up with the history in ways that are not very transparent to newcomers. So the idea is to make a site with those static site generators, something like Hugo. And we have an issue where Dan and I a while ago curated the presentations that seem like really useful to reflect back. And so I would love to have company of people who would be like, you know, I think picking a template takes more time than making the site sometimes. So if there are people who like, you don't have to like know Hugo or whatever, it's mostly like markdown, YAML, looking at things and deciding some basics of site hierarchy. Like it's not super exciting work, but it is super important for people to be able to have visibility to what we do. So chime in on the issue or in the chat or ping me on Slack or whatever you want, or whatever is good. We just want to have a couple of those. Great.
And, you know, over the last three or four months, you know, we've definitely, you know, had a huge ramp up in interest and participation. You know, we've evolved from, you know, Sarah, JJ and I, you know, being the co-chairs and, you know, primary conspirators to, you know, really having, you know, a series of, you know, very active teams and ongoing, you know, functions that, you know, from the security assessments and beyond. So, you know, this will be one of those areas that we can make things more accessible. You know, we're developers and technologists, so, you know, interacting and participating through GitHub is, you know, kind of normal and our lingua franca, you know, no problem there. But, you know, as you emanate out from, you know, the work that you're doing in open source, you know, the folks aren't necessarily as fluent with GitHub. So this is a great way to make the work that we're doing here accessible and approachable to everyone. Is, I guess, you know, before we move on from that, you know, does anyone want to pile on or is that a particularly interesting thing? You know, we'll probably take that action item as a breakout activity and not necessarily, you know, drive that. We'll bring updates into awareness and ratify things through the SIG meetings, but, you know, that'll be a breakout activity that we, you know, go iterate on, work through together, you know, out of meeting time. I plan on, you know, applying some resources to that from PayPal. We'll kick that off and we'll, you know, keep, I know we have a number of folks, this is your first meeting, so we don't expect you to immediately, you know, dive in. But if you have any background or if there's anybody on your team, you know, a number I know, I just had, you know, three interns, you know, start on my team. So, you know, that's an opportunity, potentially to engage there as well. 
Okay, so next up on our agenda today, you know, Brandon's gone through our issues and, you know, gone through things in quite some detail. Brandon or maybe Sarah, would you like to sort of, you know, walk us through any decisions that we want to make on this or what we want to accomplish? I'll give a little introduction, first of all, for those of you who haven't been reading, like, we've had a very exciting Slack activity. So, thanks everybody for joining in, although I could understand it if somebody missed some of the details in there. But Brandon reached out a while ago and volunteered to help triage our issues because we had a lot of things that weren't closed. And so we actually made a little triage team. Howard, who focuses on policy and whose time zone doesn't work for him, volunteered to triage the policy things and also write up issues for some of the things that the policy subgroup is working on. And Justin Cappos, I volunteered him to triage the security assessment things. So, basically we have a little triage team, we have a Slack channel, which a couple of people have joined, you know, happy to link, join in, but the idea is basically to expand our bandwidth and make sure that our issues are, like, easy to consume and useful in category. And, you know, like, we're keeping up with the enthusiasm and responding to things appropriately. So, Brandon, I would love to invite you to tell us about what you discovered going through every issue of the repo and the proposed categorization. Yeah, all right. Thanks, Sarah. Yeah, so I went through all the issues. It was a pretty long list. I think you managed to bring it down from four pages to two pages, a lot of them were kind of like events and stuff like that. But overall, I think, most of the things fit into kind of three different labels. So, most of them were around assessment stuff. So, assessment process and other process.
And then another, so this, the assessment process stuff, there was the white paper and the policy white papers of governance. And the last one is kind of around the use cases and personas; there were quite a few issues around use cases and personas. Unfortunately, a lot of the other issues kind of didn't fall into any of the categories. So, I have this, there's a link in, well, I created a new issue, of course, to document these issues. So, if you go to issue 194, basically, there's a list of issues which don't seem to fall into any category. But it seems like there are common themes that come up, which I think some of them we already do in some capacity, but not really formally. And some of them look like potential things that we could do or improve on. So, one of the themes that came out was really education. And I think this is addressed a lot by Sarah's call for this microsite to have all the static information available, to formalize it and format it in a way that's easy to retrieve, you know, have like indexes, articles, things like that, like a blog maybe. So, there are a couple of things that fall into this category as well as not only being able to retrieve these things easily, but also, you know, on certain security related topics. So, one that was suggested by Justin Cappos was, you know, to have additional expertise on tactile bugs or crypto usage and stuff like that. The other big ask also in the issues was for security recommendations. This mainly stems from best practices for using cloud native technologies, as well as a couple of them kind of hinting at compliance. So, I think that this exists in certain forms.
So, they exist in the white papers that are being written as well as, you know, issues here and there in the security assessments where we have some recommendations on how to use technology, but it's also distributed in a way which is not easily accessible. So, I'm not sure what exactly we can do here. It seems like there are many use cases and many targets of this kind of information. So, I don't know whether there's really a way that we can kind of synthesize that. Yeah, on that one, you know, I think that need is one of the core mandates and one of the objectives that we have as a SIG and, you know, the state of the industry and, you know, our sort of coalesced experience around that is still evolving. So, you know, we keep that as, you know, one of our pole stars. However, you know, we're not the end-all and be-all source of truth. So, you know, Mark Underwood and, you know, the work that he's been doing with NIST, you know, keeping our pulse on the activity outside of this SIG and bringing that to bear to individuals who participate here is a great way to, you know, continue that effort. And, you know, if you're internally producing anything, you know, we'd be happy to help you share that out and distribute that. But, you know, that's kind of where I think that lands. You know, there's a shared understanding that there's that need and, you know, we're working towards that. And this is one of our key objectives. Yeah. So, this makes the microsite even more important as well. I'd say that we're sort of starting with the things that we are really aligned with and are fairly obvious to us. It might not be obvious to people who are either new to cloud or new to security, right, in their role.
And so we're kind of starting with non-controversial things, or things that we have made non-controversial through knowledge sharing over the last year and a half. And then as we get into things that maybe are being discovered, right, what we talked about in the past is that we would be open to saying there are multiple ways that people are doing it these days. We're not seeking to really say we're going to pick the one top whatever, you know, but we want to be able to educate people about, like, oh, but lots of people tried this. It wasn't a good idea. Like, might be a good thing to point out. But if there is contention, we're not going to focus on that initially. Rather, you know, whenever there's a difference of opinion, we kind of seek more information to try to refine what that is. And so we want to have that be kind of an ongoing process. So I think this is a good bucket to have. Like, I'm really glad you identified this, Brandon. And as we get into the roadmap discussion, it may be that we kind of have that bucket of security assessment improvements where we decided, well, we're going to do five security assessments before we really dig into improving the process. So we just have this bucket for all these ideas. And great, we can just keep collecting the ideas, and then we have a point in time in the future when we reflect on them. Right, exactly. Yeah, and, you know, the main reason I'm here, and, you know, I know, Sarah and JJ, when this group was formed, the need to ensure that, you know, as cloud native was evolving, security was a first class consideration, and that we weren't leaving it, you know, as an afterthought, or, you know, almost just as bad, you know, learning from the experience with, oh, now I'm blanking on the platform. The other cloud setup thing. OpenStack. OpenStack. Thank you.
You know, one of the limitations, I think, and, you know, some of the experience that folks had with OpenStack was that security was left as a vendor consideration, which meant that interop and compatibility around security was, you know, basically limited and, you know, a little bit broken on the edges. So, you know, as we built this iteration of how we all come together and build things, you know, we really wanted to advocate for security and make sure that the primitives that we're putting in place, that all of the infrastructure of the internet is built on, have security out of the gate and that we're doing that hard work of coming together and building consensus around the right approaches, you know, to maintain interop and not just being, you know, oh, your security vendor is going to provide the bolt-on for security. Brandon, did you, sorry, you know, we deep dove into that one. Anything else we want to go through on issue number 194? Yeah, so I think the only last thing is the large cluster of other issues that I found was really around discussions of different topics, whether this is getting feedback on certain technologies, you know, discussions that people want to have on topics like identity and so on. And I think one of the big issues I see here is that a lot of these issues don't get seen by the larger majority of the group unless you're watching the entire GitHub repository. So I'm not sure whether we could kind of create, I don't know what would be the best medium, but something like maybe a mailing list or something, you know, tracking mailing lists that we can create where people can talk about topics. I don't know whether that may make these topics more visible. This discussion is more visible, right? Yeah, that and/or Slack. I don't know if we have the ability to like auto post things to the CNCF Slack.
So we could have that might be like, you know, we could all have on the triage a GitHub integration. So we see everything that comes in. I find that nice, but maybe not in the main channel, right? Because it can get like, so we can put that in the triage channel and invite anybody to join it and just have a smaller group that's actually assigning a label so that we kind of get a handle on like what the heck are we doing and we have clear people who are responsible for areas. But then more discussion, you know, that if we're like, hey, can somebody look at this? I do want to be a little cautious that we don't splinter our attention because many of us are interested in many of the things, right? And most people can't spend enough time every week to watch every issue. And there's value in having a group. So just to clarify, the specific issues that I was looking at were kind of like, someone says, oh, I'm looking for a discussion forum for this particular topic. So they want to get feedback, like open the discussion on what do you guys think about X? And the thing is, I think a lot of people are not seeing the issue. So I'm not saying that all issues should be shared with everyone. But I feel like if the intention is that I want to have a discussion around the greater community, not so much just from the SIG perspective, then maybe, I'm not sure, we want to create a different avenue for that. Yeah, we could also have like, if there's an urgency to attending to that topic for a member, like if they're mailing this thread or a breakout session, if somebody could say like, I need this problem solved in my life with somebody, you know, like if our meeting agendas are. Yeah, then we don't, like you said, we don't have too many things going on as well. Some of those topics, you know, date back a little bit.
And, you know, we may want to sort of, you know, go/no-go on, you know, do we keep it open, and kind of go through a deeper triage of some of those things, and just identify like maybe the discussion topic didn't get engagement because there isn't, you know, consensus or ready answers to that in the industry yet. Or, you know, at least we're not aware of that. Yeah, so what I'm going to do is I'm going to probably add these three labels, which kind of have a large cluster of things. And then I will probably put a flag for maybe another 30 to 60 days, and if there's no activity I'm going to close it. Yeah, and that's pretty much it from the triage. Great work. Sarah, do you want to kick that off? Can you all hear me? Sysdig has generously. Actually, do we have somebody from Sysdig here who can talk about it so that we don't have the noisy cafe? Yeah, I'm here. Yeah, Michael. So one thing that we wanted to try and do is kind of unite the security community. I feel like it's kind of bifurcated among, at least from like a software perspective, it's bifurcated across a couple of different proprietary vendors. And then some open source vendors or open core vendors. But at the last KubeCon what happened was all these security vendors went and did their own thing. And so there was no kind of community event where the community could actually come together and have conversations about security and it not be focused on one particular vendor's opinion of security. The storage group, and I don't know if this was run through SIG Storage, but there was a cloud native storage day which was vendor agnostic and everyone could come together and talk about solving persistent volume problems in Kubernetes and in cloud native platforms. And that seemed to be fairly successful. So we wanted to try and emulate something where we would have a SIG Security day the day before KubeCon.
KubeCon does all these things of like add-on events that people can add to their registration. They can either be free of charge or they can be something that, you know, a nominal fee like $100 or something like that just to kind of recover some of the costs. Michael, when you're referring to the last KubeCon, you're not referring to Barcelona, you're referring to the last iteration in America? I'm referring to Barcelona actually. Yeah, okay. Yeah, it kind of happened at... Yeah, Seattle as well. It kind of happened in Seattle as well. Yeah, I remember that. But you know for instance in Barcelona there was a Twistlock event, there was an Aqua event. We were doing our own thing but we kind of focused more on like cloud native transformation and like the organizational changes you need to have. So we weren't necessarily security focused. But I just feel like if we had... I feel like the end user community is really desiring some real practical guidance around security and it doesn't help the end user community to have these kind of bifurcated communities where, you know, vendors are pushing their opinion versus us coming together and giving practical advice. And yes, you might need to choose vendors as part of that but that's at your discretion. You still need to follow this practical advice. And so I think this security day could help kind of lay that groundwork. Great. Yeah, I like that. You know, Sarah, or I think Sarah, has been taking the actions coordinating with the CNCF team on a keynote. We're angling for a keynote session. So this is unrelated to that. So let's hold that. We are talking about that. We want to make sure that we have delivered the stuff that we're queuing up and that we have stuff to talk about, like stuff we've done. We're on our way with the security assessments and forget the, you know, surfacing the stuff that we're doing that people can see, then, you know, it starts to have a right thing.
But like I want to have the roadmap so we go hey CNCF we're going along this path and this is what we will have done and then we want a little time here. And I think that everybody's warm to the idea. This is just like a completely different thing. But along the lines of communicating that like CNCF cares about security and it's not a vendor specific area. And so I talked to a few people about this idea so I found officially there are these co-located events that are generally vendor events even if they don't sell there. And I'm still trying to figure out some of them aren't any but due to you know since it's a specific volunteer we sort of like are able to sort of pilot having a SIG day without necessarily worrying about it being for every SIG because that can sort of things down. But this is the week that they are that they're like the platinum and gold sponsors are signing up for their spot. And so it's a good I wanted to make sure that something that SIG wants to do and like to have a rough idea of format and then and see if we have a couple volunteers to figure out what the day would be. And then and then we could sort of like with just to help go forth and get together to coordinate it. Yeah we would help with kind of the coordination with the Linux foundation people. What we would need the SIG security people to do is focus on building the agenda getting people in to submit to the CFP opening the CFP all of those sorts of things. And we wouldn't we would be totally like from Sysdig like my role in SIG security I would be willing to help out with that. But just so you know Sysdig would be kind of removed from that. We would help with budget and anything around those lines that we would need to. But beyond that I want it to be like SIG security driven as far as agenda and all of those sorts of things.
Yeah SUSE is in the same position you know we've talked both about starting to work with Sysdig but looking for more opportunities with SIG security and I think this is one again with you know supply and labor but being vendor you know not coming to it from a vendor perspective but a SIG perspective. We're interested in working on it too. Right one of the things that I was poking at you know since a lot of those sessions are vendor driven is you know basically do we need to you know pony up money to secure space and venue or you know. I think we're good on that right okay okay but the primary thing for the last 10 minutes of this meeting is what do people want this day to be and I think we want to be cognizant basically I did a little fact finding and there are a set of people who are way oversubscribed out in the Monday like if you are a Kubernetes core contributor you are at that day like you're meeting with these contributors that you don't see in person right. So there's a day of the core contributors all getting together right there's also like you know and so there are concluding things so there are certain people who are completely unavailable on Monday right including our TCOC of what DA's on so they're oversubscribed and so there's I think in my experience there's a lot of people who are concerned about security who are like yeah there's these Monday things I gotta pick and I'm a little more really excited to be right. So I think there's an opportunity for the special interest group on security like to pull in people who are you know curious or interested or worried about security and provide some a forum for something and so I'd love to hear from people who've been in the group for a while or you know people who haven't spoken in the last few minutes depending on ideas or what you'd like to see happen.
I'd love to get some kind of general like overview slash threat model slash goals and stuff like this for different projects in the security space sort of when you look at the assessment process that's supposed to be a longer document that gives somebody all the context they need to evaluate is this the right sort of thing for me to use and having a whole bunch of you know 20 minute versions of that for all the security relevant security first CNCF projects as well as a few of the vendor projects if we can keep this without turning into a marketing thing I think would be helpful. Right any other suggestions or you know there are a lot of vendors here present you know any sort of opportunities to specifically step out of the vendor context to you know build more clarity around you know the context of security as we're still you know working towards that you know shared objective of you know having you know greater understanding for the industry. Yeah it would be better if we can create just use cases where we can embed the security on top of that instead of trying to depict well tools or security tools that help us to and reach the security on the project would be better if we can just take a couple of end-to-end use cases that the industry is implementing on the yeah on the industry in order to see how can we the peak and put on top of that our there's no method to enhance security on that particular use cases so that is pretty much the idea right now that comes to my mind. Yeah and I think there could be the opportunity where we could get enough like real-world examples of it's mature enough to where there's enough deployments where you could actually you know start real-world stories.
Yeah people typically like listening to use cases of how you know how someone else does it so that could be like if this is kind of like a conference day before KubeCon you know people really like use cases so like having end users present so that's like really good. There's also a bunch of things that you know we've done in the working group that can you know potentially become a session and there's also a bunch of features in Kubernetes that you know like we talked about RBAC but there's a lot of folks in my experience that don't know how RBAC even works or like what that is and so it like we have a wide range of folks kind of coming into it and I feel like the actual practitioners that do Kubernetes and cloud native stuff are developers and you know they don't know about a lot of the things in the security world so you almost have to go from you know people are taking their you know maybe not their first step but their second step to all the way to you know how we're actually like doing things in the working group. I like that a lot. Another totally different idea that I had and I don't know what I was interested in it is like we could have like a hack day where you like build like we're like I'm gonna try these security products when like the maintainers are around or somebody from the project. That's a really good idea or even further doing a capture the flag. Yeah that'd be really fun right. If you want to do a capture the flag I'm gonna raise some money for that. I love that. Well you have to you know you can contribute to the Netflix pool for that which they're effectively setting up with their configurations with that so yeah. Can I quickly chime in from a user's perspective please because at KubeCon not only the core contributors are oversubscribed, users trying to find out what's new in the space are oversubscribed as well.
I haven't had a chance to see the talks, even a fraction of what I wanted to see, and what I miss the most at the scale that KubeCon has reached is this listening in on people talking in the hallways about topics that I'm interested in. So I'd be very grateful for a security day, a security piece of hallway if you like, where I can, especially with what was just mentioned with the threat modeling... I have many hats on and I'm part of a platform team that actually runs the cluster, and I'm the one that has in addition the security hat. So what I desperately need is a feel for where the threats are and what people have looked at, what general approaches I can take in addition to what I've or what we've been doing, and just listening to people discussing perceived threats, things in pure research, even if they don't apply to specific pieces of the puzzle yet, for me to get an idea what I have to look at and what I have to read up on and what I have to focus on, year after year after year. One of the things they did at DockerCon last year was they had hallway tracks set up that you could sponsor. A hallway track meaning you had a topic that you wanted to talk to other people about, and anybody can sign up and come and just listen or contribute, or if you had a question that you wanted to ask. Some of them had Docker captains that were hosting them and running it; some of it was just here's a whole bunch of information, other cases it was like question and answer. That's how I talked to Michael from Netflix about their bug bounty that they were trying to get set up, to see who would be interested in donating to that and see if there was any community interest, and that started from a hallway track. So I don't know if that's something that would be beneficial, maybe you're recommended to CNCF in the future is something like that. Yeah, I can second that. I was at DockerCon last year
and I found that more enriching than most of the presentations, just discussing with people. Since I wasn't there, would that be something that, in addition to the conference sessions, where we kind of have an area where we would continue meeting if you're interested in our space, continues throughout the event, or would that only be in the pre-event day? They had it throughout DockerCon when I was there. It was any day that there was a conference going on, the hallway track was open for a certain couple of hours and you signed up for a particular time slot. Now they only had so many areas for you to sit, so often it got booked up, but some areas were fairly large, some of them were a little bit smaller, more intimate, but it certainly allowed me going there, talking to industry, finding out what their security concerns are, some of the security problems that they're running into with their Docker deployments, Swarm, Kubernetes, cloud native, whatever it is that they're doing. Yeah, having it throughout the whole period makes scheduling much easier because otherwise you get a sort of compression thing. So I think it definitely helps to have some matter. It sounds like there's an opportunity to have this be both, right? Have the dedicated day and then continue to have a space that we all come back to throughout the event. I like that a lot. Yeah, that might be good for just... I think you're talking but you're on mute. I just want to say, let's follow them up as two separate things, right, because the cool district of something at the conference and the day before are going to be completely different, and then if we manage to have them both then we can connect them. But I can also find out whether the open space thing is possible. So it sounds like, generally speaking, there's enough interest to kind of continue to go forward with the
research around executing on the SIG Security day. Yes, definitely. The Aqua Security KubeSec day that they had before the conference was good, and a lot of the talks at the Container Security Summit in February were also good; there were a lot of people that showed up for that one. So I would argue that there's enough interest in the community to definitely put together a security cloud native day. Do we have a volunteer who wants to do the cat herding and take the lead on the agenda? I think the agenda is probably going to be, I mean if you're doing it right, then we'd have to probably have somewhat of a program committee, open submission, and curate the agenda. Well, I think there's been a lot of ideas. Yeah, and I would love to have somebody who is not JJ, Dan or I take the lead on presenting that back to the group and calling, like, lines and, you know, somebody to spearhead that committee. I can happily take it since I proposed it; I just would want to be clear that there won't be a conflict of interest with Sysdig or anything, that's all. Okay, I'm happy to help, Michael. Okay, keep him honest. I can help you, Mike, if you need some ideas. Yeah, me too. If you need my help just contact me; we can put another session in order to discuss the agenda. So Michael, will you make a GitHub issue for this? I will follow our process, and I could be the co-chair sponsor or whatever we called it. Okay, all right. I've got to drop. Sarah, do you want to wrap us up, or are we gonna close on that note? We'll have another working session and we'll keep talking about all of this. Wonderful, thank you everybody for joining us, great to see everybody, and we'll see you next week, same time, same channel. Thanks a lot.