And so I thought we could start actually having some presentations again now that we're getting we're not completely through our backlog of lots of things to do in the repo and but we're getting there. So we'll have a working session today and then I added to the agenda that we could talk about things coming up, including packet coupon. Let's volunteer to give a presentation about his use case so. So we'll talk about that and other things. So yeah and during the, the introductions feel free to add suggested agenda items if you have, you know, a proposal you want to talk about or things that you think should be on our agenda either this and when we'll carry over things to future meetings. So first off, I'm Sarah Allen, welcome to the SIG Security weekly meeting. And I'm one of the co-chairs, and then I will tag the next person. I'll just say the people as we go down the list in attendance and then and tag each of you so Jonathan Meadows. In a second we're supposed to check in about what we've been doing in security land, which I should say that I attended the, the user group of the financial services and shared a bit about what we've been doing. And, and, you know, maybe Jonathan can share a little bit about that group, and also been doing a bunch of GitHub stuff that is now on the agenda. So that's my check in. Thanks. So Jonathan Meadows. And this week, I chaired the financial services user group, which Sarah graciously attended and gave us an insight into the security SIG group. And part of the work that we also discussed during the meeting there and certainly been doing this week has been updating the threat modeling work that we've been doing and looking to open source, tidying it up adding feedback and comments that we've had from people. And that's, that's looking like it's in good shape. Also, attending to the Kubernetes security training system that we're looking at open sourcing the next week or two. Great. Dan. Hi, everybody. Dan Shaw, one of the co-chairs.
Been really busy and kind of bogged down last few weeks, you know, one and had a really great working session with Sarah JJ last night. And it's great to get caught up and happy to see everybody. Peter. Peter Benjamin here. Second time attending security. And quick question, Sarah, when you say update on what we've been doing in security land, is that just like within scope of security or Well, just like we shared like I read this interesting article I went to a conference my completely unrelated group that I mean my non directly related group that does something on security did something interesting last week so it can be any kind of check in and sometimes people share things that have gone on in your life. I was on vacation Hawaii was great. That's okay too. Well, in my day job I'm actually a security. I provide security subject matter expertise around Kubernetes and the CNCF in general here at work. And so what I've been doing lately is actually to kind of meet some security requirements internally have been working on a Kubernetes threat model following Microsoft STRIDE methodology that I was actually thinking about open sourcing and contributing. So that's great. And I think the Kubernetes team is actually working on something, something like that. And maybe we can somebody can search back in the notes and share, or were you here. I think it was a few weeks ago that somebody chimed in and shared what they were working on somebody from the docs team. So I think, yeah, I obviously we're working on a threat model that we're open sourcing shortly. And it'd be great to discuss that with you Peter in addition, the Trail of Bits team as part of that audit is I believe, creating a threat model of Kubernetes. So there's a couple of threat models now, good to collect data together. And yeah, I'd love to contribute where we're possible. Yeah, that'd be great if we could get you know people kind of combining into a holistic one. Um, Carlos. Hey, guys.
Well, my name is Carlos, essentially working at Intel, trying to select basically two projects that we are developing here at Intel in order to send it back to the meaning board in order to do the security assessment of projects. These projects will be tied to the Kubernetes infrastructure. So I will just need to talk to the couple of managers and managers here in order to receive the host, the name of host to the last week. All right. Thank you, Carlos. Let's Hello, my name is lots. I work for Figo, which is a German fintech. I'm basically here to learn and listen. And Sarah, would you be so kind to just quickly outline the difference between a meeting and a working session. Well, yeah, you've been here since KubeCon when all we've had is working sessions. Working sessions are more are sort of less formal and we have discussions about how we're going to approach different things right so they tend to be like last time we talked all about security day right just like let's do some planning for what we're going to do at KubeCon it tends to be more about all things right that we're wrangling or discussing or coordinating. Somebody brings a problem to the group that is more like the work of the group kind of problem, and then the meetings are scheduled like we'll have a presentation or, you know, a, a facilitated discussion, or something where somebody prepares what's going to happen at that meeting, and we, we, you know, like sort of have this idea that we would get into a as the group grows, we might get into a rhythm of having larger meetings, right, where it's more of a listening in and fewer people talking but it would be a format that would work for a larger group. And then just the people who are really active on specific projects going on right now would be at a working session.
So people could decide to come to one or the other or both or maybe they would come to working sessions when they need feedback on their project but not otherwise or something something. So we're, we're just kind of, and also I think generally like Dan and JJ and I thought like it would be nice to have a rhythm where there's sometimes stuff that is just sort of generally educational and other stuff that is just more active. But we haven't quite gotten into a rhythm now that we've had this, you know, we've had, we've kind of in the last four or five months we've spawned the security assessment project which kind of is its own ongoing project so we may end up having working sessions that are different, like, you know, at different times like we have a breakout of the policy working group that meets in the afternoon. So does that, I don't know if that helps. Yeah, that thanks that answers my question I have to pick up on the meeting of last week, because I dropped out with crappy internet so I still have to catch up with recording. Yeah, although that was mostly talking about what was going to happen on security day so hopefully we will get plans echoed back on that. And we have a, I think folks I'm not here who are working on that, and then I see Lakshmi on the participants list. Do you have audio. Yeah. Now again. Hi. Hi, do you want to give a little introduction. Yeah, sure. So I'm a automation security automation. My name is Lakshmi Velichetti. I work at Shape Security. So my main role is to automate things like developing for a develop services, which are more security oriented. So I heard about this group in my company Slack channel so that's how I came to know about it and I'm here to learn and contribute to open source to whatever you're doing. Yeah, great. It's great to have you good first meeting because we'll be talking about how we work a little bit. Perfect. Welcome. Thank you. So I think I've got everybody. 
Now, and then, so we wanted to do a little bit of planning Falco's not here at Sieves. So they are deciding upon, I haven't seen their actual security review kick off because I think we're trying to, we're very, very close to wrapping in-toto and OPA, and then we'll be kicking off the next security review we're trying to only do one at a time. We're kind of, I think, in general, we'd like to only do one at a time, but, but particularly while, you know, we're just on our going to be doing our third. So, since I haven't seen their document come in, I think they, we haven't, you know, the next thing would be to schedule the assessment, the presentation. And so I wanted to ask looks if you wanted to pick a date that if you're still up for doing this presentation we wrote up at KubeCon. Yeah, well, I'm, I can pick a date I haven't written up anything in particular. I because I've made mainly been struggling with the question of what would be interesting to the group. As far as I've been seeing with what when I attended meetings it's just that I would just list the things of yes we do that too, or yes we plan to do that. And I'm doubtful what format I should use to to offer some useful information to the group. Maybe just, you know, maybe actually Dan facilitated a number of these maybe Dan you could speak to this a little bit and I'll look for some slides that I found particularly useful. Yeah, you know, as we've seen with, you know, the threat modeling discussions, you know, by having a share out of our particular context the challenges that we're dealing with. We've been able to to gain insights, you know, sir was just, you know, opening up this attribute based permissioning. So, you know, it was, you know, really interesting to see the, the outcome of years of, you know, trying other approaches and explore how we how ADP ended up with this model.
So, and that helps us in draw more concrete evidence as we're building the threat models and helping define the security and access control in cognitive ecosystem. Yeah, so what I recall of this and you can listen to the recording is like that this this kind of like boxes and arrows thing like these are my components and these are how they're hooked up together and this is what you know I worry about. And, you know, it could be something this is more, you know, this is more diagrammed in the abstract, and then I recall cloud foundry did something that was much more the slides aren't here, but it was much more specific it was like, you know, this is how you know everything have the name of the specific component that it was and how they were connected to each other. So I think it would be like, you know, and you know, and it sort of it depends on what you want to get feedback on. Right. So, I think, generally, it's helpful to me to see, you know, like what feeds into something that's either a data flow type of diagram right or or some kind of something that shows like, you know, access or, you know, maybe it's a it's how your how your software is created and deployed or whatever it is that you whatever aspect you want to kind of share about your use case but I think Yeah, most of the things you just listed were where things were ideas I had in in Barcelona to talk about, but a lot of the things were then covered by discussions in the group about this component doing that and yes we use or we try to or plan to use all of the above all the usual suspects. So that's probably not as interesting. But you just said something that I think I can. I would like to share is which is our effort to remove the admin from the cluster and automate fully. So this is this is something that I could talk about because we have had some obstacles to doing that and teaching people not to assume to have the ability to port forward or or exec is something that we've been working hard on. 
But there are also technical problems and how you deploy certain components and what are expected of admins to to run just things like elastic search which cannot be run in a declarative declarative manner out of the box. So okay, that's the yeah I got ideas what I'd like to talk about. Great. As for a date. I'm one of the lucky people that get three weeks of holidays so I'll probably be available only by and we can also put it in August it doesn't have to be July like if you want to the end of August what's what's more or less the end of August I'd say. Okay. Do you want to anybody come. Let me find a does anybody have a calendar up. And handy. Dan. What are we looking for the the dates after July 24. That is the third. No that was so what would be the end of August so if we were going to see. The end of August is Wednesday the 28th. Sound good to you that's or do you I mean you can confirm later, we can say. Let me put it tentatively on the 14th August the 14th. I think that's that's something I could do I just checked my calendar. But I'll check a number of other things and get back to you. And so we'll call this. And then we'll fill in those dates in a bit. Super thank you so much. We'll just do this PPD. So then I wanted to tell you a little bit about what we've been working on in roles so for a while now we've had like kind of ad hoc conversations about you know this triage role that Brendan's taken on and he's out. He's in China at cube con. And then we've had a lot of conversations about security reviewer roles and I had thought that we could. We were trying to use this triage role in GitHub that I thought would allow us to actually like have people take on issue wrangling sort of roles. It turns out that that's not really possible. 
So so not only is it a good idea to actually define these roles but I also wanted to kind of go over the group kind of mechanically what we're doing which is we kind of have to give everybody right access to the repo which is OK because we all trust each other but we want to establish roles where people who are relatively new to the group you know could take on a role where they're helping out and doing things and we don't have to like you know sign in blood or whatever it's just GitHub. We have redundancy and if somebody makes a mistake we can always fix it because we have version control. So basically what I've done is kind of written up more detail in this file which is what actually does the permission. So this is the settings.yaml which is actually might be more useful to go and talk about the actual governance roles first. So we have the charter that was approved by the CNCF had the chairs the technical leads and we also included the project leads because our process has this notion of having a proposal and then when that proposal has gotten feedback and it's accepted by the group then well it'll become a project and that project lead may you know it's it's a role that we have defined and we wanted to have that kind of documented in surface so that people could feel like oh I want this is how things get done. It's not some special in club if you want to get something done and contribute that our projects are generally prioritized. You know there are the priorities influenced by the TOC but nothing it happens without some member of the group doing it. So if it doesn't have a volunteer to do it then it's not likely to get prioritized and so we want to acknowledge these project leads and so that was there before and then which is not a role that is appointed by the TOC or anything it's just our group decides what we're going to work on and people volunteer and we do that. So in that same spirit we have a number of facilitation roles. 
So Justin Cappos has volunteered to be the security assessment facilitator and so Dan and I wrote this up which is you know kind of based on what he's been doing where he's coordinating you know the queuing up of the assessments who's ready to you know who's interested and ready and you know and prioritized if needed if there's ends up being a big queue he'll talk to us chairs and if we will touch base with our TOC liaison but mostly we we're just kind of getting through establishing the process right now. But then what we've done is we have a whole we have a directory the assessments directory and now we're saying okay if something's in that directory and it's just a clarification or like you know moving documents around Justin Cappos can accept those PRs and do that and manage issues and do everything with assessments and then we trust him that if it's like a change in policy if he's actually changing the process he'll flag one of the co-chairs and we will chime in and review things. So that's a you know kind of a documented role and then what I did was I also linked in right now we only have really one project team with special roles which is the security reviewers and so I merged in you know we have one PR with all these things so the security reviewer role was written up a while ago and so what I've done here is I've just kind of or Dan wrote up which is the security reviewers are really this whole thing is so that we can assign issues to them in order to assign issues to anybody they need to have write access to the repo which is kind of nutty but it is the way it is and so what we thought was like oh well should they be able to also merge PRs and we actually went through the in-toto summary and it turns out that that assessment also comes with recommendations to the TOC.
So based on that we thought okay well there should be a co-chair who reviews before merging but if everybody's reviewed we trust that person to you know like hit the button and do the merge so what we're working on doing is expanding the footprint of the people who are just going to do the administrative work and who we trust to like have stuff written down and follow the policies so that's the security that's the security assessment team and then we have a triage team where Howard and Brandon have been working on helping to triage issues. Brandon's kind of done the lion's share of the miscellaneous issues and getting them tagged and whatnot and so the idea is that we have a team we created a slack channel which anyone is invited to join. It's great to have additional people. Robert who's not here today has been great in chiming into just a bunch of issues to just read the issues and provide meaningful feedback because sometimes if there's a few voices in there it's much easier to make a call and move on to the next step so sometimes it's not controversial it's just that you know one of us who's looking at the issue doesn't necessarily you know know what the you know whether this is something that is just my opinion or everybody's opinion you know and and maybe it doesn't merit a whole discussion if we can have a few people look at it asynchronously. It's also really nice for people in other time zones where this time isn't super convenient for them to have activity that happens outside of this meeting. 
So the idea is that anybody is welcome and it would be nice if there were you know 5-10 people who were on this SIG Security triage group who like on the list who participated and then we want to probably keep the group that is actually adding the labels and doing any editing small right now there's just Brandon and Howard and then of course the us co-chairs help but then the idea is that anybody who's on this triage team could invite somebody else who's active or ask for a volunteer if they're feeling overwhelmed or like they want more help and then it's a role that people can take on it's pretty high value to keep us moving through getting things done. So are there questions about how this all works? Does that make sense? Suggestions? Is anyone inspired to participate? Does that look interesting and engaging? It absolutely does. I'm just trying to figure out where to add the most value. I don't know if you wouldn't mind posting the link but if you post the link to that GitHub I think it would be useful to add to the minutes and people can reflect on it and figure out where they can add that value. Great. So yeah and then what I'm trying to do is as people kind of start doing things and I think having these roles makes it to somebody put this PR in the minutes. Oh it's right here. And then I think our repo should be at the top here. Yeah. So yeah. The one thing that we didn't formalize in this is how we can best attribute your work and effort to this SIG to the broader community and eventually to your employer. So if there's something that we can do with explicit recognition or if there are any other needs or concerns that you have around that we'd love your input in that so we can refine that process. So everyone who's participating feels like they first and foremost know what to do and how to add value and everybody who's contributing at that level gets the recognition that they need both here and then carry that back into their day jobs and their efforts. Yeah. 
This is not considered to be the best. I think this was necessarily good enough. The YAML file going and telling the point of your head headed boss to look at a YAML file might be a little bit too much. But yeah. So I think we want to we're trying to balance the like yeah people need to be people are spending work time on this and so we want to make sure that people who are doing the work are acknowledged yet you know we don't expect that like certainly right now it's not high-glory work but you know you get some amount of acknowledgement and prestige from your fellow security experts. But the we do have like we have talked about like well maybe we would organize our member list so that people you know that teams are illustrated that also I think helps for people who are new it's just kind of a very long list of strangers where you know we might have seven or 15 people on any one call and I think breaking it up into teams would make it easier for people to know who's doing what and how they can scrub in like John was saying. Yeah I think that'd be really useful if it was split up into different teams or different focus areas so that if people got a question or something of interest they knew who to reach out to that would be great. So we'll kind of take that into account. So that was the big things are on my agenda and we can I don't know if anybody has anything they want to raise or we can take a look at the issue list and I don't know if anybody who's here has a proposal listed. Dan was there anything at other that you felt that we should get feedback from the group that we reviewed yesterday? The history of things you know really just bookkeeping. 
Although I think the roadmap might be good to sort of highlight to people we did a little work here of JJ putting the completed milestones in here which we kind of pulled from JJ and I did some work prepping for KubeCon EU and did a little timeline and so this is kind of another way that we can acknowledge people by highlighting significant like PRs where people landed. We actually finished a roadmap item or major accomplishment that was a team effort to have you know kind of a record of when those happen and then the links kind of show you know that the folks who are involved and then and then the idea being that as we that the future roadmap that we're working on wrangling all these issues for now like becomes a list of proposals rather than this you know this was a suitable roadmap when the group was first forming but now we have more specifics that we can highlight. The other thing you know it kind of riffs on the the roles discussion you know in our list of members that we maintain you know the norm is having you know attribution and you know the company that you're involved in so you know one individual who didn't have that you know was you know I asked them to add that information. It's not a you know hard concern you know and there are some individuals who have explicitly you know indicated that they are operating as individuals and not on behalf of their company so in that case you know totally fine that you know not having that but you know especially if you're a vendor and you know participating you know that that context I think is especially useful you know so we're you know just managing through that and understanding that you know you have your vendor interest and you can you know identify whether you're which hat you're wearing you know as you're speaking represent yourself. So we if we don't have anything on the agenda we could wrap early. That sounds good. A quick question. Yes.
So how do I mean what is the usual process for new members can we just go around look at the issues and see what we're interested and reach out to people or I guess is that it or is there any process that you have in mind. Maybe we need to get used to we need to read some documentation or some things first even before jumping in on anything which would make sense to me. So I was just wondering if we need to go through some material before or just reach out to people on things you're interested in. So I think chiming in on issues like reading, reviewing PRs and chiming in on issues is a good way to kind of get a sense of what's going on in the group. There tends to be a lot of chatter on Slack more than the email list so that's like kind of also a good way to that tends to be less like some it's it's it's like a chat thing like sometimes it's a little topical um and then before you do like a if you want to actually make a change or propose a PR then like I think reading the contributing guide but this is very like pretty basic right like this is like a writing style and stuff worth but I think it's to read about whether whatever area you're interested in see if there are you know issues that cover it or you know poke around the repo to kind of get a sense of what's going on and you know chiming in on issues where right now there you know the labels are sort of helpful because you can be like oh I'm interested in security assessments and see all of these things it's it's harder to get a sense of like which things are important um right now because we're still like kind of gathering these things um so uh so yeah I think that for where for the stage we are now reading stuff in the repo looking at issues and coming to meetings is a good way to come up to speed and then I think would love have your feedback as a new member about like what would be a good way in like a better way in and are there some improvements that we can make to Britain and you know I would you know 
in terms of you know following the norms you know there's at least a couple meetings that you you know would attend you know that some of that in terms of you know basically landing the PR you know I go back through and look at attendance to validate that an individual is actually shown up first okay so um so I will demonstrate how we do suggestions probably not even two hours like maybe like it's an hour of writing PR I could definitely comment on that one maybe you could write the initial PR description um yet people doing stuff sooner okay so then um I'm going to submit this as a new issue it's a suggestion so we these issue templates I think really helped a lot um because they kind of give you these prompts and then I'm going to make this a wanted so that's another tip the health wanted tags are like probably anyone could just pick this up um you know like and then I think like sometimes um I had one with a health wanted tag and somebody was like I don't know what to do here right and then it prompted me to write some more stuff so like even questions about like this isn't enough information for health wanted or notes in this meeting or whatever and it's super helpful to just you know like go in and do little PRs we're like oh this would be a good link um because we're we're um things are a lot better than they were a month ago but we're still a little bit of like getting the repo in shape um where we are I think it's fabulous all right then so um yeah join us on Slack during the mailing list um ask questions and um we'll wrap for today and um see y'all next week thanks everybody bye bye bye