Hey everyone. How's everyone doing? I posted the link to the meeting minutes. Please set yourself into attendance. I'm going to be facilitating today's meeting. I think one of the main things we're going to be doing today is the Falco demo. Hi Brandon, this is Lakshmi. Hey Lakshmi. Thank you, Justin, for helping scribe. I think we need one more scribe. If anyone wants to volunteer for that, that would be great. I'll try and scribe if you can drop the link and we'll show it all on one. All right. Thank you, Michael. All right. I put the link again in the chat. I'm not sure whether those are just trying. We were able to see the previous one. Please go in and then add yourself to the attendance.

Michael, do you know if Kris is going to be giving the Falco demo today? I am guessing she's not going to. She's moving down from Seattle to San Francisco. Okay. I guess we'll push it to next week then. There are some things I wouldn't mind talking about in regards to Falco and our annual review coming up. If you would like some perspective on that, I'd be happy to talk about that a little bit in that time slot. Okay. Yeah. Let's do that then.

All right. We seem to have a lot of people on the call, but very few under this. Please add yourself and let's start off with check-ins. Lakshmi. Yeah. I don't have any update for the meeting. I'm just here as an observer. Okay. Great. Next under this is Justin Cormack. We had a cross-registry signing and other security interest group meeting last week. Things are going on with these cross-project working groups on things like signing. There's a lot of work going on with CNAP. If anyone is interested and hasn't got the details of when the meeting is on, please ping me. All right. Sounds good. All right. Next under this is Santiago. Hey. I'm just joining in this time because I wanted to pick up the supply chain work.
I spoke with Sarah Allen about what the next immediate steps were, but I also wanted to broaden it to our community to be sure we're on board on how we're going to do this operation. All right. Let's add that to the agenda today then. Martin. Hello. For me, I don't have anything in particular to give an update on. Mike Brown. Hi. I'm new to the group. I'm Mike Brown. I work at Coinbase on infrastructure security. I've been following the work for a while, but I thought I would join because we're trying to address a lot of the same issues that you all are. Cool. We have recently created a new members page. Let me link that in the chat, and then please feel free to check that out or reach out to any of us. Thanks.

Justin Cappos. Great. Yeah. I've mostly been dealing with things related to the OPA assessment, TUF graduation, things related within in-toto. Michael Ducy. Yep. I've been working on the annual review for Falco, which is going to be at the next TOC meeting on October 15th. And then as part of that, kind of reviewing if we're ready to move to incubation or make the request to move to incubation. I'm going to talk about that later on the call, as I said. And one of the things that I'd also like to discuss is help with due diligence. When we make that proposal, usually to move to incubation, what's going to happen is the TOC will ask for due diligence, and usually a SIG can do that due diligence for the TOC. So we can talk about that later on the call. All right. Sounds good. Thanks, Michael.

Ash. So I've been working on the OPA security assessment. There's a PR up for it, number 275. And also yesterday, we presented the assessment with Sarah on the TOC call. All right. Thank you. Yeah, that went really well. Good job on that. Thank you. Yeah. It was really good. I think everyone understood what the assessment process was about and found it useful. Great. Thanks. All right, Jerry. Hello. I don't have anything to update today. Yeah.
Thank you for the comments on the PR right away. I just saw that. Okay. Let me know what you think. All right. Sounds good. Emily. No significant updates. Michael covered anything with the Security Day stuff, but we're continuing to move forward on that front. Actually, I didn't cover anything on the Security Day. Thank you for pointing that out. My apologies, son.

So we met yesterday and we discussed potential questions regarding room layout and table arrangements. We're waiting to hear back from Emily, hopefully by Friday of this week, and then we can move forward with figuring things out. We discussed potentially reopening the Security Day registration back up, but that's contingent on room availability, layout, and other logistics planning. So we're kind of on hold at this point in time. Yeah. We're projecting like 150 to 170 right now, and we've asked for a little bit of a larger room so that we have room to spread out a little bit as we do the open spaces and other things. And then all in, we've had seven sponsors as well. So the CNCF is pleased with that sponsorship rate. It was able to fund most of the day. So overall, the program's coming together as well; that's been announced. I think we talked about that last week, but hopefully we can get more space for everyone and then probably be able to sell about 30 to 50 more tickets. Is there actually an official wait list, or are people just being told they can't register at the moment? I think at the moment the folks are being told that it's not available. I can certainly look into whether there is a wait list. I mean, I just want people to at least know that they should try again later or something if they... Right. We'll send out emails like, you know, hey, we're back, but yeah, contingent on being able to get a larger room. All right. Cool.

Amy, you're on next. So... Hello. You guys have covered all the things that I had today, which was basically, like, fantastic job on the assessment on Tuesday.
And we have a lovely Security Day, rocking and rolling. All right. Next up, Robert. Just helping with the OPA assessment, and there's a Policy Working Group call today at 4 p.m. Pacific, if anyone's interested. All right. Okay. So Christian, no updates. I think we have a couple of folks on the call, but not on the attendance list. I think there's Quan Yi and Ray. Any updates from you guys, or do you want to introduce yourselves? If not, we'll carry on with the agenda. No updates from me. This is Ray. I'm just listening in. Okay. I joined a little bit ago and we've been kind of off and on. Sounds good. Okay. All right. Let's go ahead then.

So check-ins from partner SIGs. SIG Policy. I'm not sure, Robert, whether you want to say anything about the call you guys are having later. No, just, other than to invite folks, we do these calls every two weeks, so not a lot in terms of update from last week. So today, if you have anything you want to put on the agenda, either add that to the Google doc, or you can just message me here and I'll add it to the agenda for today. All right. Sounds good. Okay. Anything from the SIG Security audit workgroup? The big data workgroup? All right then.

Okay. So let's start off with the next item on the list, which is the Falco review. Michael, do you want to take that? Yep. Sure. So these slides are really rough. This is kind of like our probably second draft of these. So I apologize for that. But one thing that Kris Nova, who joined the Falco team recently, has been trying to encourage us to do is try to do more of our work in the open. So you can kind of see these rough slides right now of what we're kind of thinking about for Falco and our incubation request.
So essentially, if you're not familiar, and I apologize for the science in the background, but if you're not familiar with the incubation requirements, we need to document that essentially Falco is being used in production by at least three independent users, have a healthy level of commits and activity in the project, an ongoing flow of commits and merged contributions. And then we should also have, I think what's not on here, which is missing, is the due diligence done as well. And so the due diligence is really going through and doing a technical due diligence to make sure you have things like architecture, data like that as well, which we need to work on.

So if you're not familiar with Falco, Falco is essentially a container runtime security monitoring system that looks for abnormal behavior. It's essentially a host intrusion detection system that's focused on container workloads. So we have some hooks into things like CRI-O and containerd to pull back container metadata information. We'll contact the Kubernetes master to pull back container and pod and deployment and so forth metadata information. And then we'll link that together with the actual system calls that are going through the kernel. And basically you can say, for this particular container running in this particular pod with this particular label, I want to have this rule be enforced, and basically alert me any time that it makes an outbound connection to the internet or an outbound connection that's not expected on particular ports or something like that. File I/O monitoring and all those sorts of things as well. So falco.org is the website. If you're not familiar with it, I would go and check it out. I'm not going to cover too much about what Falco is in this presentation. We joined the Sandbox in October 2018, and it was a project that was started in May of 2016. So the growth of the community has actually been really good since we joined the Sandbox.
And one of the things that I really enjoy about showing the metrics is how much the Sandbox process really helps the project grow. So the pre-Sandbox period is a 29-month period, by the way. And then the post-Sandbox is just a 12-month period. And you can see that commit velocity has gone up. The number of contributors involved in the project is up. The number of companies that are contributing to the project is up. Contributors are anybody that's commenting on an issue or a pull request. An area that we need to improve on is the number of committers that we have from different organizations. But that's actually a criterion for moving from incubation into graduation. And so that's the piece that we'll be looking at improving as well. And then we're also progressing along the CII, which is the... Robert, what does that stand for, Robert? Core Infrastructure Initiative. Yes, the Core Infrastructure Initiative. There are several levels. To move into incubation, you don't need to have one of those levels. You just need to start showing that you're on the path to passing. I believe that's the question. Any questions so far? Another interesting kind of community growth. Michael?

Yeah. I understand. So we had a little bit of discussion last week on attestation and certification and related to assessments. And I think we've driven things forward with more clarity. We're working on PRing some guidance on some of the pages to make sure that this is not a certification program. This is us helping you produce better artifacts. But since you're going through that journey and you're doing the CII process, I pointed to the CII process as being our badging and certification backstop. So I'm particularly interested in, since we've gotten questions about, especially from folks interested in supporting their business outcomes. I have the same needs here at PayPal.
If there's anything from a project's perspective that we can help with in directing projects to the CII or informing the folks that this is the assessment, this is the journey that we're taking on, by the way, here's more context of the product journey that you're going to be going through in the CII. And if you're looking for certification or badging, that is the resource. I really appreciate feeding that backstop.

Yeah. So this is a conversation I would love to have, because I think if we went through our own journey on it, as we've had CVEs opened up, we went through the security audit to find our own. We've internally, within the last couple of weeks, found our own potential vulnerabilities as well through our own engineering efforts. And that's just one aspect of security. And then there's lots of other things that we have to go through. And there hasn't been that trail map that takes you from, these are the security things you need to do in Sandbox, these are the security things you need to do in Incubation. And it's kind of tied to the CII. But I feel like there's just a little bit of a broader context that you need of why the CII things are important. Right? And what it gives you. Yep. Right? Well, you need security@cloudco.org because you have to have some sort of security response mechanism to respond to CVEs. And that maps into CII gold status, 12.1, 12.2, 12.3. I'm just making up numbers. But that kind of guidance would be really good. Fantastic. And then part of it has been us kind of figuring out the process of the CNCF. But I think overall, the journey has been good. I think just kind of trying to package it up for more projects to use in a more turnkey way would be good. Great. And the CNCF is going through that journey at the same time. Yeah, yeah, yeah. So, you know, what I've done is copied the OPA folks because they were a very successful project.
And so I kind of just mirror what they do. So I'm not going to cover these metrics too much, but you can just kind of see how there's much more participation in the community. I think some other interesting metrics are the number of downloads and pulls that we have. We have a lot of things that we have shipped as well over this period of time. And just kind of another one that we've added recently is gRPC-based outputs. And this is important because what it gives us is the ability to basically have our outputs go out to a variety of different sources. It makes it much easier so people don't have to write C++ as well. And then it'll just help us be able to integrate into the cloud-native ecosystem a little bit better.

And then from an integrations perspective, we have two that I was going to highlight. One is Arceint. They're basically a consulting company out of France. And they've built basically an open-source platform, which they call the secure cloud-native fabric. That integrates lots of different tools, such as NATS, which is another CNCF project, of course Falco, kube-bench, and some other things as well, which we thought was a pretty interesting use case. And then Sumo Logic has been integrating us in as well. So a couple of good use cases of people pulling Falco into their products as well, which I think the CNCF tends to encourage. It's not just about end users, but it's also about how you can help the other software providers build something useful around your project. And then we have a couple of interesting end users of note, two of which are speaking at KubeCon. So frame.io is one, where they publish Falco events into CloudWatch and then have Lambdas react to them.
They actually have a talk at the Cloud Native Security Day where they're using Lambda to basically tie into Amazon machine learning and their application load balancers, to basically use the feeds that they're getting, or the logs that they're getting, from their application load balancers. They feed them into Lambda, which feeds them into the Amazon machine learning platform to start to find abnormalities, and then kind of a machine learning-based WAF, I guess is what you would call it. So they do some pretty interesting stuff. And then Booz Allen Hamilton is also speaking at KubeCon this year as well.

So this is pretty much an overview of the project and the road that we've been on over the last year in the Sandbox. All of these end users have been curated during this time. There are a few others that we've added in as well. The interesting thing is, like, nobody told us to create an adopters.md file. And we went and created an adopters.md file. And then all of a sudden, we have a whole bunch of people that are willing to put in a pull request and tell you that they're using your software. So this is like a great idea. And I'm just like, the things you need to do to go and get the information that you need to be successful. There's another kind of interesting use case that we're seeing by a lot of people. And you see two right here. Actually these three are all kind of the same use case. There's compliance requirements where you need to have an intrusion detection system. And so in the Kubernetes world, many people are meeting that requirement by deploying Falco. And then for HIPAA compliance, PCI compliance, and other standards like that, they are able to meet that standard.

So as I said, one of the things that we have to go through is this due diligence. And so we need to, one, submit our pull request to request incubation review. And then we need to go through this and kind of start to answer these questions.
I believe it's up to, Amy, correct me if I'm wrong, but I believe it's up to Joe and Liz Rice to ask SIG Security to do the due diligence. Is that correct? I think so. Okay. So it would be interesting to know if there's anyone on this call, and in SIG Security in general, who'd want to participate in this and help us do the due diligence. It would basically just be walking through a lot of this with me over the next couple of weeks. Yeah, I think we had some chatter around doing... so I'm not sure whether this is directly correlated with doing the security assessment. Yeah, that's the question I have. Is this separate from the security assessment?

This is separate from the security assessment. And this is kind of why we've been putting off the security assessment, because we have this that we have to go and do, and then we have a couple of releases we're trying to get out before KubeCon as well. And so I don't... but it would be interesting to see how much overlap there is with the security assessment. But the challenge for us is that the security assessment is not a requirement, as I understand it, for us to move into incubation. And so if we have to go and put project cycles somewhere, then I have to put project cycles into doing this due diligence so that we can move up to incubation. Now I would be more than willing to have the spreadsheet of the security assessment next to us as we do this and see how many of those boxes we can check and make sure that we're meeting those criteria in the security assessment. And then maybe we'd say we're 80% of the way towards getting it done. Yeah, that makes sense. Robert, what are your thoughts on that? Yeah, well, I certainly agree that if it's not a requirement for the CNCF, then you're kind of at a fork in the road. So I do like the idea of kind of consolidating the process in a quick spreadsheet view so that you can quickly crosswalk that to what you're doing for the due diligence. So I'm happy to provide that.
I'll summarize what I think the costs are for the security assessment, based on the docs that are checked into the repo. And if you and I want to jump on a quick call and crosswalk that, I think we could present that back to this group. Here's what we're really asking folks to do above and beyond the due diligence process. Yeah, okay. That sounds good. Yeah, that sounds reasonable to me. Okay. And then I'll just put it back out there if there's anyone who's interested in helping with the due diligence. I would appreciate the help there once we make the request to the CNCF. I'm just curious, have we done this with another project before? This is the first time. I think this is going to be the first time. I've seen SIG Storage do it for TiKV. But I think OPA would have been the last one, and OPA did it before the new guidelines came in. Oh, okay. Or the TOC member decided to do it themselves, not sure which. Is this for the project to go into incubation? Yes, that's correct. Michael, were you done with the slides? Yeah, I'm done. Sorry, I had lost my connection, but I was done with the slides. Right. So I guess we will follow up on that on a call. Any other questions related to Falco? All right then.

Let's move on to the next item, which is a quick one. This one is actually on some of the updates I did to the README. So I'm going to share my screen really quick. But this is just a quick call for people to check this out. I've redone the README page so that we compressed, like we moved a lot of the stuff up, like the meeting times. We've added a new members page over here. And then we've squashed this up with this. Yeah, so this is PR 280. So if you have some extra time, take a look and provide some feedback on this. Good one. Looking good. All right.

And next on the list, we have supply chain security, Santiago. Yes, this is also a quick one. I talked with Sarah about how to move forward with the project.
I originally thought that SIG Security was its own GitHub organization, so we could just transfer the internal repository and take it there and have everything contained by itself. But SIG Security is just a repository under the CNCF organization. So what I wanted to know was whether we wanted to move the repository to the CNCF, and whether we have the jurisdiction to do so at SIG Security, or did we want to either transfer it as a submodule or just copy it over as a separate subdirectory in a pull request, or what is the consensus here? How big is the repo? It is not too big. Let's say it's a couple of files, less than 15. I mean, if it's kind of small, I think maybe doing it as a subdirectory might make the most sense. Okay, that was my impression as well. I didn't want to jump to conclusions yet because I didn't know if there was anything fishy there or if anybody had an idea. My understanding is that we will eventually want to make this website hostable. So we probably want a separate repository, but I think we're going to get into that here. I'll make the pull request this week. And probably we will discuss it. Yeah, we can always discuss it on the pull request, but okay, I didn't think that we could eventually have a separate repository, but okay, sounds great.

All right. I think that's all that we had on the agenda today. Is there any topic that someone wants to bring up on top of that? Did we dive into the OPA presentation at all yesterday? Okay, I joined a couple of minutes late, but I think we're just going through check-ins. I don't think we talked more about it, but we could definitely share that, I think, the slides that we presented. Sure, I want to say one thing really quick, which is that I think that the model we had, where the project effectively presented one half of the slides and then we, the assessors, presented the other half, I think that worked well. Did others agree with that? Yeah, that was great.
Yeah, it felt like it was really centered on the project, but it had a good balance of, hey, we also sort of backed this up, and I thought the discussion really supported that. Unlike our first time through with OPA, we had a few more sort of findings along the way, and those were referenced as supporting the journey and helping drive towards more secure outcomes in the cloud native ecosystem, and yeah, I couldn't help but hope for better calls than that.

So I just had a quick question on the pull request itself. So what's the next step for that? I've seen a bunch of approvals on it. What's the next step now? I think it gets merged once we're sure there aren't any other issues. Maybe there's been enough review now that we should go ahead and merge. I've been sick the last, I don't know, week-ish or so, and so that's part of the reason why I didn't do the right side of the presentation. Sarah was kind enough to do that, but I've also been hoping that I would have a moment to be okay and go through and read it as well, but I think maybe we need not wait on that. Maybe we should just go ahead and merge it. The TOC has suggested that people should look at the PR and comment on it, so I guess we should maybe give them a few days in case there are any external comments. I see, okay. Yeah, I did notice that you and others caught some really important little problems in there. So I think the process of reviewing it has been very helpful, too, that it hasn't just been looks good to me, looks good to me, but people have actually had legitimate things that they've seen by looking at it. Yeah, thanks, Justin. So if you guys have any comments on it, please update the PR and I can address those, is that okay? All right.

Anything else that we want to bring up? Michael, could you link your slides into the notes? Yeah, I can. All right, then. I guess we'll give back another 15 minutes of time. I'm off. Awesome. Thanks, Vernon. All right, thank you everyone. Have a good one.
Thanks, bye. Bye-bye.