Brandon, how are you? Good. Good morning. How are you, Dan? Not too bad. By the way, do you want people to call you Dan or Pop, or what's the... What do you prefer? Pop's probably the easiest, but it's really up to you, man, whatever's easier. Thanks for volunteering to facilitate today. Glad to help. Yeah, I see that you're way ahead of the game; you've already set up everything in the meeting notes. Yeah, I got a lot of help, I think. Should have done more there, but... I just popped in the link to the meeting notes as well for people to sign up. Obviously some time for folks to jump in and all that fun stuff, right? Yep. And also get a scribe if anyone wants to jump in with that as well. Thanks. Well, we can start the meeting. Matt Jarvis is here. The man, the myth. Good to see you, Matt. Thanks for that. Hi, everyone. Can you hear me? Yep. Oh, thank you. That's great. I love your background, by the way, John. Amazing background. Yeah. First time, Julie Nuis. Welcome. Thanks. We'll kick it off, I guess. Brandon, you want to start in a couple more minutes? Give people like five minutes? Yeah, we can probably wait another one or two minutes then. Okay. No worries. Any volunteers for scribes? Should I wait until more people join? That's fine. I think it would just fill up whenever. We realized after a while that just taking a couple of notes here and there is good enough, since we are actually able to pull off the recordings. And I think there was an issue where we were discussing how to make that available as well. It's a very manual process right now, kind of like how it's done with the YouTube videos, in that we don't have anyone to do it. Yeah. I was just thinking in the context of meeting notes, right? Like, is somebody taking... anyway, no worries. All right, it looks like we have critical mass. Hello, everyone. I'm Dan Papandrea.
I'll be the facilitator for the SIG Security meeting for December 9 today. Just a reminder, the meeting is being recorded and posted to YouTube shortly after. Your participation in these meetings is an agreement to abide by the SIG Security code of conduct, which can be found in the repo. Now that I've got the housekeeping out of the way, let's start the magic. So in terms of our proposed agenda today, first on the docket here is to discuss replacement of exclusionary language in favor of inclusive language. Very important topic. And in the SIG Security repo, it looks like Andres Vega, you're the point of contact for us, if you would like to discuss with the group. Thanks. I think, I think before, actually, sorry. Before we jump to that, I think that's kind of the question. I think there were mentioned a couple of new folks. So we can do... Oh, I apologize. I wasn't on the agenda. No worries. Go ahead. Yep. So let's do a round of who's new to the meeting, and just want to welcome you to SIG Security. We went right into business, y'all. Yeah, very efficient. John consults you for contact with the accurate sub in the container scene for a while, getting more active in CNCF. Awesome. Welcome, John. I'm John here at Johnny from Toronto, Canada. I'm actually the manager for most secure computing. So we're basically a security consulting firm, currently with some focus on cloud applications, mostly on Kubernetes. Thanks. Awesome. Anybody else? Cornering the market on Johns, new members and Johns today, which is good. Awesome. Yeah. If, Johns, you can add... I'm not sure if the link is still there. I'll paste it again in the meeting notes. If you add your name and where you're from, it also gives a good way for people in the meeting to sync up if they have something interesting to talk about with you, or a couple of interests. Sorry. Go ahead. Yeah, no worries. No worries. I'm literally just reading from the script.
Over to you again. We can discuss the first topic on the agenda as we saw there. So Andres, if you'd like to comment on it, I'd love to hear about it. So we did. So with the group. Yeah. As I dialed into the Zoom today, you were saying, wait for people to join and all that fun stuff. And I was like, wait, since when did this call become fun? I'm not sure. I did fun once in my life. It was terrible. It was not for me. I decided never again. But, well, now that we have Pop here, things might change. I'll reconsider that. So that is true. The title is self-explanatory. I think this is actually part of the broader concerted initiative from CNCF. We don't need to take it all up under the big umbrella; individual projects can self-start and start making changes there. Obviously, there is some low-hanging fruit. There are things that are maybe sprinkled in text all across the repo that we can start to take up on. Obviously, moving from master to main is more of a change. Well, I think, Brandon, you'd looked into some of the dev tooling built around what would be the level of impact that making this move might have. So we might want to evaluate that. I've had a busy day in the last, well, busy two days since opening the issue. So I haven't quite caught up on the latest conversation. I saw a quick mention of linting. So, yeah. Yeah, I think there's a new PR that's open. Let me find that. It is... Example of PR fall 72. John Hill Hill, Hill Gus has opened it. It looks pretty good. And I think that may be a good place for it as well. Let me link that in the pull request. So yeah, I think that could be a good way to just scan the repo, make sure that those words are highlighted, and then we can, you know, reflect them every time there's a new PR and things like that. Right. Yeah.
Then the other part of it is just consciousness and awareness of what language we use during these discussions. So just a call to action: keep it in mind. I think we understand the importance of fostering an inclusive environment, just in the interest of the broader community, and having plural thought. And this discussion is making sure that everyone feels safe and encouraged to be part of the group. So that's that. I don't know that we need to talk a lot about it. Maybe others have thoughts. So there's one thought I have, in that if you all haven't seen the KubeCon talk by Celeste Horgan in terms of inclusive naming, maybe that is a good start to understand what's there. So I'll put this in chat. I thought it was very well done. And she, I think, was on the group with, I believe, Stephen Augustus and some folks from IBM and Red Hat that put together that naming. So it might be... I'll put that in chat right now, so if you all want to take a look at that, just to understand the grounding, obviously, and why it's a very important topic. I saw you raise your hand. Did you want to say something? I just had a question. All on board, full speed ahead to chew. But do we want to formally recognize inclusivenaming.org as kind of the standard bearer? I'm thinking about putting something in the repo so that people moving forward who are new discover it rather than trip over it. Sure. Great idea. Rock and roll. I was just reading the PR. So it looks like, if I'm understanding the PR right, there is some low-hanging fruit in the docs that could be addressed fairly easily, right? Am I understanding that right? That there are things that need addressing that are already in the repo? Are you talking about the issue I filed, or? Yeah, in the issue. Yeah. Yes, there are instances.
I came across them particularly in assessments, as the area I've been involved in the most, where self-assessments describe the architecture and properties of a project. There are mentions of whitelist, blacklist, et cetera, et cetera. So those assessments are checked in at the assessment subdirectory once completed. So yeah, those were some of the instances. So I think, Andres, I think you created this as a proposal, so you'd be willing to head up this effort. I think we can make this a kind of official project and track it on the project file as well. Okay. Chase had unmuted. I think you want to say something else. And I love working with Chase every chance I get. So. I was going to ask, and it's totally cool either way, but for rolling things, right? Like the repo and content makes sense for a point-in-time artifact like an assessment. If we do replace our language, swapping, I have a small wonder if maybe it doesn't change the semantics of certain language. It's possible that that's totally not a real concern for historic artifacts. I'm not totally sure if the right thing to do is to go back and change them in place, or if the best thing is to move forward with that language kind of negotiated in real time with the other entities. That was my only thought. That's fair. I see that as a valid argument. We should evaluate that and just balance. I could see either way. I just wanted to mention it. I'm not sure if that's a good consideration. So I'm going to interrupt and get on a hobby horse, if we can tolerate a slight sidebar. Here's the... I'll keep it to a minute. You know how we normally think of metadata sitting here and data over there, and that there are huge amounts of data and it's moving in streams. There is a rethinking of this, that the metadata is the bigger part and that it goes with the data.
And then there's a reclassification of things like gender and other designations that at a later point in time become either problematic or just rearchitected, as in the case of gender. So the metadata frameworks need to go with the data. That's kind of the messaging. And we're wrestling with this as an enterprise-wide data protection scheme. And so I thought I'd bring that up here, as it really can change the way we think about things like access permissions and the tagging that goes with that. So, yeah, no worries. Is everyone okay with this for us to move on to the next topic? No other thoughts on this? All right. Next up, the venerable Brandon Lum, discussing the security landscape. Again, I read from scripts, everyone. I'm a trained monkey. That's what I do. Thanks, Pop. So we were chatting about this security landscape somewhere earlier in the year. The idea was kind of looking at the original security landscape where, you know, there's a bunch of categories. Actually, let me just share my screen. I think it may be easier to show that example of it. Screen. This one. Cool. So if we go... this is kind of like the first landscape that we did, right? So we had these things for categories. And then if you go into categories, we just basically say this is identity access control, privacy, provisioning, blah, blah, blah. Unfortunately, we created this and we realized there were two kind of big issues. One of them was, it wasn't very useful. It's just defining key things here and there. They really talk about, like identity access control, you know, this spans multiple things. How does it really fit into the ecosystem and things like that? Right. These concepts alone are useful to define, but they're not really useful in terms of talking about them in the ecosystem.
The other thing that we had here was, you know, there was a lot of back and forth on what exactly these things meant. And so the idea was that we would create a security landscape version two, which really provided a view of the security landscape through different processes, or different components of the ecosystem. So we had this issue, security landscape iteration two, that we started out a little bit, and the idea was that we wanted to be able to say, okay, here are a couple of processes, a couple of larger topics that you'll be involved with in looking at the security ecosystem of your organization or your deployments. And for example, one that we started looking at was, okay, building a cloud native application. Here are the steps that you need to do. And then for each individual one, if you hover over it, it'll talk about the threats, the prevention and mitigation. And also, if you click "more details," there may be some information about what projects you can use, or what are the relevant projects which touch this. And the idea here is that we would have these multiple processes and we could also show how these topics link to each other. For example, if you're building a cloud native application, part of it is signing the content to ensure integrity. But at the same time, when you're setting up the infrastructure, you need to ensure that you are able to verify that signature as well. So the idea was to give a high-level overview of how these things interact with each other and also provide a pointer to specific projects. Now around, I think it was May or something, we also started again on the white paper effort, and we found that there was an overlap between these two things, where both of them were trying to define high-level topics and break down cloud native security.
So what we said then was, maybe let's use the cloud native security white paper to form what are the big topics that we should look at. And then the landscape is going to be scoped down really to how we map the concepts of the cloud native security white paper to actual projects and products. So you see it almost as a quick start. What I mean by quick start is, the white paper should be, in my humble opinion, this pretty exhaustive set of data on all of these pieces. And then somebody who's new to any project in general, in terms of security, should be able to look at this and quickly discern, okay, here's what I need to do for whatever it might be in the landscape, right? Is that kind of the thought process as to why? Yeah, exactly. And kind of the way we were seeing the cloud native security white paper, for those that were involved with the process, you saw that we took off all the projects and examples and said that, okay, this will link to the landscape. So the idea is that the white paper will be updated and every single section would be clickable, where it could link you to the appropriate part of the landscape. So if you're going through and said, okay, workload integrity, and you click on what are the things in the landscape, it'll bring you to the landscape with a certain filter that shows you visually what are the projects that you have to look at and what are the other components that it's linked to as well. Brandon, one observation, if appropriate, or another way for feedback at the end. Cool. Thank you. Last. So. People have different entry points, regardless of whether they're newer or otherwise. And when you look at a landscape, it's like this vast land of things. And seeing everything that pops up is a little bit overwhelming.
You talk about dependencies and relationships of these different projects. And it's like, you know, you might intersect, or you're coming in because you've been working on OPA and just realized there are all these other products that you could potentially integrate or interoperate with. Like what are the things that OPA works with that you might want to look at next, or Falco or SPIFFE, whatever your entry point is. Or if you're new or relatively new, you must have some background in systems. So based on your vantage point, what are the immediate things of relevance, instead of looking at, oh well, these are the 50 or 60 or 70 security projects. Yeah. Exactly. So, um, I think the idea is to have initially what's a graph. I think it'll be ideal if we could have that same representation. So you would look at, for example, if you click something in the white paper, you would look at dependency management, right? So you look at this, and let's say it involves some projects for dependency management, and those projects also appear in other parts of the ecosystem, right? So then it would be relevant to start looking at those parts of the ecosystem to see. So for example, dependency verification may link to supply chain. So then someone could start looking at supply chain, like how do these things relate to each other? Or they could also take the approach that you said, but just zoom out a little bit, see what are the adjacent connected topics, and then look at those as well. Is anyone familiar with what Cheryl Hung is doing in terms of the Tech Radar? So she's basically taking the landscape projects out there and saying, okay, CI/CD for instance, right? And it was like, what the community, or the folks using it, end users, were saying about where the projects would be ideal.
Also, to include a link to that in this document as well. Because eventually, I believe they're doing a security-specific one of these. And that would be ideal, because then it's the actual projects that the folks are actually using out there, like the OPAs or the world of Falcos and all the others. Right. Yeah, that's interesting. I don't think I've seen that on the radar yet. So let me, I may go ping Cheryl, see what's up over there. Yep. Yeah. I know when I talked to her, that was on the docket, but I think they went for it with CI/CD. They did observability. And I think security was one that, again, everybody on this call would have some amazing feedback to. All right. So could be helpful for Cheryl as well. Yeah, for sure. Thanks for bringing that up. One thing I've heard from end users, and prospective end users, is they've used the CNCF Trail Map as the blueprint for implementation projects. So they get that list and, yes, we're going to bring Kubernetes and these other peripheral things to it. And maybe that takes nine months to a year. And at that point it's like, okay, what should we look at next? And then they discovered this radar. So they discover something else. And at that point in time, all these afterthoughts become another lengthy planning and deployment effort, as opposed to bringing it earlier to their teams and their projects to say, hey, we have a greenfield deployment. We need to plan all the security things ahead. Like if we're looking at this, what are the other things, like Chase said, the when and the where, making that when and where much earlier, like immediate, as opposed to, oh, let's get to all these things we discovered during their journey much later on, and put a big demand to start up.
Yeah, I think one of the potential things that we're looking at also is recommendations to the CNCF of what are some other projects that we think would be good to be part of the CNCF, as well as recommendations on, you know, if we took the security white paper and we looked at the different projects and we saw a couple of categories that didn't have any open source projects, for example, then we would recommend to the CNCF that they should say we need more of these projects, or there need to be more open source projects in this. Right. And once you have those in, like, what are the knobs you should turn on. Yeah, great. Having a specific shelf where it's just running there but not actually set up, it's not great to actually consume. Exactly. So there's a default set of whatever that's recommended; that would be ideal. I mean, but obviously I think the first thing is to create that foundation, like the house, right? Because if you get too in the weeds, then people just look at the document like, what? That's my take on it. Yeah, it has to be a progression, right? It's like, you couch to secure, and people talk about secure by default as this panacea, and if you make it super restrictive, well, for one, if you publish this thing with all these recommended practices, people are going to be like, what? Where do I even start? But then if we ship these controls in restrictive mode without explaining the why, people are just going to bypass them, as opposed to, hey, you're doing this stuff, that's not ideal, actually consider running it the restrictive way or the secure way. Right. Like phase one, audit, detection; phase two, actual controls and, you know, post-mortem, incident response. No, I completely, totally understand that. That's awesome.
Hey, Brandon, one question comparing the white paper with the landscape you shared, and comparing that with the CNCF landscape. I wonder if we may end up creating some sort of a mapping, because I see different categories in the CNCF landscape. And if we compare it with the white paper, we have those four workflow phases, right? Develop, Distribute, Deploy, and Runtime. So I wonder whether that would create confusion, or should we baseline to one or the other? Because otherwise, if we have to map a CNCF project to one of those four phases and then map it back to a category, it might create a lot of confusion. Yeah, I think that's definitely a thing we have to look at. But I think we're going to see this as kind of independent of the cloud native security landscape. Sorry, the cloud native landscape, the overall one. I think they serve different purposes. Okay. Yeah, I think we are looking at it more in terms of, we want to be able to provide some practical usage. Whereas I think the cloud native security, the cloud native... the CNCF landscape is about providing a high-level overview and, I almost want to say, like a skull cut for. Correct. Yeah. Yeah. Yeah. As you just realized, right? I think the name being the same, the landscape. That's a good point. That's a good point. Because if those are different, then maybe one of them should be called something else, so that people who are coming in without any context might not confuse these two things, which maybe are unrelated. That's a really good point. Yeah. Maybe we should come up with a new name. As we were talking about with assessments, because... Yeah. By definition, those are the assessments. Yeah. Yeah. Okay. Yeah. That's a good point. I think we can. So we have an issue open. It's in the agenda. Let me paste it in the chat as well, if you're interested in
talking about this, you know, being involved with this; just comment on the issue. We have, I think mainly we're looking at how we're going to present this information, and the content of what the information is going to be. We can get help from the CNCF design team to help do up some mockups and things like that. Yeah. So if you're interested, if you have a couple of comments on this, I think we are looking to start focusing on this again in January, so after the holiday season. All right. Brandon, are you all set? Yep. All right. I'm going to give the floor to everyone here. Anybody have any open things for discussion? If you're reading on that issue, the process orientation looks really good. Like, what's the context of what you're doing; depending on that, these are the things you want to look at. When the previous person talked about mappings, it came to mind, well, how about we think about outcomes? If you're after confidentiality, these are the things that you should be engineering together. If you're looking at mTLS, these are like three projects you can piece together to accomplish that sort of thing. So yeah, sort of jumping back into the previous topic, but just a follow-up. You make it hard for a facilitator to keep control of this meeting, Andres. I'm telling you, man. You know, keep me on my toes. Definitely. You know, I was going to hit you back when you become the facilitator. I'll put you on the hot seat, my man. Have fun. All righty. Again, is everybody okay at this point? Anybody have any other thoughts before we, I guess, finish the meeting? Hey, Pop, one question. I was wondering what everyone is thinking. So many of us worked on the CNCF security white paper. I think it's been now two, three weeks since it was published.
So what I was wondering is, is there a way we could come up with to do a retrospective, while getting feedback from the community in terms of what they probably would have liked in the paper, what could have been better? And that will give us ideas for the next version, whenever we publish that. Can you create an issue on this and then tag myself and Emily? I think this is something the chairs can go up to CNCF with and get them to get us feedback for. Okay. Okay. Sure. I'll do that. Thanks. And with that, we bring our SIG Security meeting to a close, everyone. Thank you all for joining. Awesome. I did it. I did it. Yay. Thanks so much. Stay safe, folks. Great job. Thanks, everyone. Bye.