 So, that's a wrap. I hope you enjoyed the event, no matter how chilly it got at times or how pitchy it got at times. So, thank you so much for attending. I know some of you flew abroad and some of you walked a lot and some of us talked a lot and annoyed you. So, thank you so much for staying. And I don't know how to use this, but I hope I'm using it right. Yeah. So, thank you so much for attending the con and it would not have happened without you. We did this for you. And if you enjoyed it and share the opinion and all the yeas or nah, that'll be great. So thank you so much. And I'd like to now go ahead and thank the sponsors. We have our diamond sponsors, Red Hat, Cystec, Optics, and VMware Tenzo. We have a Platinum sponsor, Apero. And we have our gold sponsors as well. So thank you so much. We would not have been able to do it without you. And we also have our wonderful program committee who were here to collect all the wonderful talks that you listen to and provide you with the right agenda, right content. So we were right on top of it for last few months. So thank you so much for everybody. And there are a lot of members that are not mentioned here, be it the CTF team or the events team or anybody who really advised us and got us moving. Thank you so much. And now I will now hand it over to James and Andy to wrap up the CTF. Thank you very much. So the last couple of days, we were running a CTF event here. Yesterday, we ran a couple of introduction workshops. And today we had an all-day event, just a couple of numbers on screen. We had 50 clusters, 80 flags, 11 hints, 560 total points possible, and 74 flags of missions. Next slide, please. Thank you. So we can see it was pretty tightly fought event, which is really good to see. We actually had a lot of collaboration this year, which is great. Lots of people working in teams. And the top four users were Adrian, Nick, Metahertz, and Alex. So congratulations. So thanks to everyone who played. We welcome any feedback. And if you're interested in the solutions, please come and talk to us. Thanks. Excellent. And thank you to Metahertz for choosing a genuine hack and name in the context of the rest of the individuals. Right. Let's talk briefly, if you haven't heard it before, about tag security, who we are, what we do, and why we care so much about trying to raise the bar for cloud native security. We have a repository. Everything we do is GitHub driven. We are modern developer flow focused. We come from a practitioner background instead of an abstract ethereal security deployment stopping background. And really, we're looking to work with projects to enhance their security and dispel some of the latter old security practices which involve perhaps fraud, fear of deployment. Instead, we prefer to deploy regularly and enshrine modern development practices. So what does that mean? It means we are a voluntary and community-based organization. Of course, the Linux Foundation runs KubeCon. We are under the CNCF, the Cloud Native Computing Foundation. But we operate with our own editorial independence, I suppose, from one perspective, which means that we're a collection of a raggedy collection of voluntary individuals, as you can see. Enthusiasts is probably the strongest defining commonality. Many of us are lucky enough to do security for a living. We also welcome people from an educative or academic background, as well as researchers, hobbyists. There is no minimum bar to entry. We're thankful for anybody who chooses to spend their time with us. The goals, really, this concept of strengthening the ecosystem, tag security's mandate is under the technical oversight committee of the CNCF to ensure the products and projects that are looking for that stamp of approval, looking for access to the marketing budget, looking for the reflected associative glory that comes with being in the same foundation as Kubernetes, one of the fastest growing projects in the history of open source, plus the cavalcade of other projects we have with us, are appropriately hardened, that we don't miss the foot guns, that we don't ship things that do not have that minimum standard of technical security quality. We identify gaps. This is part of our threat modeling process that we will talk about. Education is really important. Thank you for arranging and running the CTF today, James. Part of the point of running those sort of things is enshrining the adversarial mindset in defensive security. It's only really possible from a Sun Tzu perspective to know your enemy and defend against them with a full understanding of the suite of capabilities an attacker or adversary may have. I hope that we're the kindest, approachable security group in the history of security. You be the judge. We do meet regularly and have very open discourse. There is no nerd sniping going on here. Fostering maturity, this is part of our mandate to help grow the projects in the CTF. Engaging more communities, we do this intrinsically by virtue of those organizations coming to us as part of that TOC mandate and stepping up through the levels, advancing hopefully to graduate. We're there as part of that path and we look to collaborate and work in tandem with the projects themselves. Finally, nurturing growth and participation. It is a highfalutin goal. We really want as much contribution. We are the product of, or we are the sum of our parts, really, we are the product of the contributions that people make to us. And we're nothing without the community that builds and supports us. So thank you to everybody who has contributed and please do throw your hat in the ring if you would like to understand different security mindsets and different ways of approaching problems. There really is no finer community in my humble opinion. Our charter, protection of cloud-native systems. This is our goal. The advent of all this new technology brings a rush of developers as we saw at the advent of the cloud-native Renaissance. The people who were delivering code were writing Golang. Golang's relatively exclusive in terms of language penetration. In 2013, there were not many security engineers writing that language. And so we see incredible utility afforded to developers and operators with some attenuation of security focus because, again, of the complexity of penetration of dealing with a language with concurrency primitives, I suppose. What about Rust? What about Rust? We ask ourselves, the Rust Foundation is interested. We're yet to see a lot of Rust turning up in the CNCF. Perhaps you can correct me. But, yes, as it advances, we will also be looking for Rust security practitioners because that is certainly somewhere that we do not currently have strong representation. It is exactly the same problem, the long tail of, I suppose it's the short entrance to the humble brag from Mr. Kaffos that we have two implementations of the update framework, one of the first security projects to come through tag security with published security properties and a known attack and defense service. But, yes, please, anybody interested in helping the ecosystem, we are raising the bar of security universally. We have next, helping developers meet security requirements. These are the abstract, sometimes security requirements that developers find hard to reconcile with genuine implementations. This is where we can provide value. We have been through this process multiple times and we look to minimize the friction involved with implementing, again, these abstract security properties and common tooling for audit and reasoning about system properties. We have provided some organizations and I referenced the Spiffy Spire threat modeling work here especially with very detailed security properties that can be given to adopters, so the systems that they build upon these security tools and we're in a space where we know that rolling your own security tools is the method of last resort, that roll your own cryptography, do the minimum you can, try and implement other things, but when there is a gap in the market where there is innovation, when there is the bleeding edge, instead of allowing adopters to be cut on that bleeding edge, we provide them with, for example, in this case, a matrix of compromise, an attack matrix. What happens when an attacker has this level of access to your system? These are the security properties that still remain. These are those that you should mitigate with other controls. I advise you, if you're interested, to look through that work as an entry point to understanding the capabilities of some of the people that I'm lucky enough to work with. With that, thanks to my co-chair, Brandon Lum, who is here today, Aradna, who also spends a huge amount of time working in the team. We're lucky to have an active and vocal tech lead community. We welcome Mr. Justin Kappos back after hiatus. Very pleased to have you with us again. We have Andrews here, push cars in the room, I hope somewhere, or at least was, and is around. And we have, of course, then Michael Liebman, who is also our interface into the OpenSSF and into the Salter Steering Committee. And then I'm lucky to be joined on stage by Marina and Raga, who have joined us recently. We also have Matthew, who happens in here, but is working actively on a complex threat model dealing with Argo CD. This is how modern GitOps-based deployments occur. We also have, as we'll see coming up, work with Flux and GitOps in general, SERT Manager, again, huge thanks to the team, and I will pass over to Marina. All right, thank you. So I'll talk a little bit next about a couple of the projects that the tag is currently involved in. So here's a quite quick highlight of some new projects and things that just finished. So there's the Cloud Native Security White Paper. We have a version two of that white paper that was recently released, as well as an audio version of the white paper that's available online for folks who prefer to consume it in the audio format. Another white paper that was recently released was the Supply Chain Security White Paper. So that's also available. These slides will be available when they have links to all of these projects. They're also available on GitHub. And the other breaking project is this Cloud Native Security Controls Catalog, which is a catalog in GitHub where you can access all of the controls and go through those. Some other upcoming projects, these are in-progress projects. This is a great place to get involved if any of these have your interest and they have open issues on GitHub to track all of the different progress. This includes the lightweight threat modeling project, the version three of the Cloud Native Security White Paper because security is always evolving and so we need to keep making versions of this white paper until we capture everything and perfectly, which will never happen. And then we have the Cloud Native Security Controls Mappings. There's a couple of different versions of that mapping. The Cloud Native Security Controls to existing standardization efforts. And we have some security assessments. There's lots of ongoing ones here. I think a couple just completed. Some links there that are ongoing or upcoming. And the Zero Trust White Paper is also an in-progress project. Another white paper explaining, focused this time on the Zero Trust architecture for Cloud Native. And the V2 of the audio for this Cloud Native Security White Paper that covers the V2 version of the white paper instead of the V1. So that's kind of what we have ongoing. And then again, links to the GitHub. Anything catches your attention with lots more detail about all of these projects. So I encourage everybody to get involved and join us in whichever version of this, whichever project seems the most interesting to you. And we're gonna pass it on to Raga to talk a bit about where you can jump in and some kind of quick calls to action for getting involved today. I missed one thank you, which was, I've been eyeballing him about the Spiffy work. But of course, thank you to Andrews Vega, who is also our tech lead for this piece of work. And everyone else was called out already. Cheers. Okay, so now that we've established we are the kindest, humblest and the most welcoming community here. And there is a ton of work for everybody. And a recent study astonishingly says that there is only one security engineer for every hundred developers, which is a really, really, really less amount of numbers. So we need you. We need you to come join us, collaborate. We're really friendly. We are not at all scary. And we're not scary as our vulnerabilities are. So come join us. And how you could help immediately is by joining and sharing the survey, responding to the survey and share whatever you know, how supply chain is affecting you. So this really helps us in driving our roadmap as well as derive some key insights on where we can improve. So take a moment, take a moment, scan this QR code, please respond to the survey and we really will be benefited out of it. I'll pause a moment. So you actually take your phones out and scan this, please. We are active on a number of communities. If Slack is not your cup of tea, then go ahead, check out our GitHub. We have GitHub as our single source of truth. We maintain everything via GitHub. There are a ton of issues. Last I checked it was more than 130. So feel free to check out all our issues wherever you want to get involved. Just drop a message or drop a comment there and we'll get back to you. We are really active in Twitter as well as well as our mail lists are active as well. So whichever platform you favor, you can go ahead and get involved. And we meet weekly on Wednesdays in two different time zones in APAC as well as US time zones. So feel free to join us, whichever time zone you are, we have a room for you. And if you are sometimes like me, Misson Zoom meets, there is always YouTube for all our recordings. So feel free to go back, check it out and whatever you're interested in, come join us. And more importantly, we are going from colo to solo. So we need your support. Do check it out and the CFPs are open, so submit and we look forward to seeing you here again in four months. Miss us maybe, but we'll be back in four months. Thank you so much. Thank you from our racoon.