 Okay. I think we are just meeting on Matthew to join us. He contacted me and said he is okay being a facilitator today. Just as a reminder, if you're a new member or if you have an update, please provide your name. If you are a member of the SIG with a role, please include the role after your name. Good day. Sorry. Could I confirm that my audio is coming through? Yep, you're all good. Awesome. Thank you. Pardon. I had myself on mute for 30 seconds. I feel silly. So take two. Good day everyone. Welcome to this week's CNCF security weekly meeting. I'm just going to just post a link to the meeting docs. And I meant to do that to everyone. Really, today is not my day. I'm going to ask if anyone is able to take over for a scribe role today, essentially meeting minutes slash note taking. If so, there's the link there and just feel free to jump in. But that said, I'm just going to jump into our today's agenda. And I believe Emily has some topics to cover so I'll largely do for her to take the lead today. So let's see, we got the attendance items here. Okay, so I'm just looking at the SIG slash chair check ins and there are no updates of that. So I see the one from Emily here on security day and cloud native security white paper. So Emily, would you get to grab the lake? Of course. So quick updates security day is still happening. We have over 800, I think 700, over 790 folks signed up, which is amazing and actually very awesome that we've got that many people. So I've also heard about the CTF that will be running on cloud native security day and it sounds like it's going to be super awesome. So if you know of anybody that's interested in a CTF, we're going to be running one day. All they need to do is join in for security day. We'll also be promoting the security day event on the CNCS twitch channel. So if you're on switch or interested or no folks that want to learn more about it. I believe we're doing that next Wednesday. About an hour and a half after the meeting or maybe within an hour of the meeting. So that's coming up and then the cloud native security white paper. I had mentioned in the chat that she got a lot of compliments on the paper and the quality of the content so she wanted to pass on kudos to the team. But I also wanted to mention that we got over 1200 suggestions, changes and comments about the document which more than 80% of them were included, or had slight tweaks before being included so really awesome job by the working group to get that done. The review is officially ended. I'm still waiting on that paragraph from the storage team. They're working diligently on it to get it over to me. And I'll have it added in and then we are presenting it to the talk next week during their meeting to get buy in and feedback off of that and next steps. So right now everything is on hold. So those are my updates. Does anybody have any questions about any of those things. Emily, do we have to incorporate these comments before to come. So everything was already merged into the paper so all of the comments that we got. I think you and I know JJ and myself went through the document and started adjudicating several of the comments, but there shouldn't be any of them that are outstanding at this point. Okay, great. Thank you. Next up so today is a working meeting. There's only two things that I have on the agenda. And Brandon said that he could not join us today, but he wanted me to put a reminder out there. The synthesize list of improvements for the security assessment working group are up. Please comment if you're interested in looking at any of the items, or lead a discussion in any of the particular categories and that's issue number 167. Anybody that is interested in that and I will post that in the chat as well as make it available in the doc in just a minute. Next up, you probably have seen changes to the Google doc for the meetings and that was at the suggestion of one of our numbers to make it a little bit easier for scribes to use the document. I know that we had anybody sign up to scribe today. Ah, we do. Yes, excellent. So want to make sure that the new format is much easier to use. If it is great if not please provide feedback on the ticket, I believe it's ticket 426 on ticket 426 to see how we can improve this and make it easier for everybody to provide comments on our documents. We've also gone through and added in upcoming dates of importance for when we're not having meetings so as of right now it looks like the next meeting we're going to have is November 11. We don't have any suggested topics for it. And then that'll be it for the month of November. Does anybody have any questions about the new scribe template in their meeting notes. So you've just graciously went through and removed all of the 2019 meeting notes and move them separately and linked it. I was Matthew here I was just going to ask on the template. What's the best way for someone to reuse it like is the at the very bottom of the document in the heading section there's something I think titled meeting templates. Should we just purge everything beneath that and put a new one that's pretty much a copy past of the one we're using today, just so people can copy paste it page break at the top and put a new one in and keep it in sync. Yeah, so that's a good question. I moved the template or I made a template off of one of the suggestions and linked it within the document so if you scroll up above the security meeting for today you'll see a couple of links over linked to copy meeting notes template instead of scrolling to the bottom. So if you open that document it's a blank template that you could just copy in and move over, but open to suggestions, whatever makes it easiest for everybody if it's scrolling or if there's another option that works best for everybody. The link sounds looks good. It's something we probably invest a couple minutes in every day but having a new template probably saves a lot more than that so awesome. Okay, and is Sarah on. I don't see her. Okay. Well hopefully Sarah will be able to join us today had checked in with her and it seemed like she might be able to so I've been going through a lot of the issues to make sure that our members have something that they can work on we have a kind of fixed issues that are like needs help help wanted good beginner issues. So going through and starting to review them if others want to jump in and take a look at them as well and see if there's something that might be good for a new member in the repo to get involved with that would be super awesome. But also wanted to try to clean up some of our older issues in our queue and Sarah had submitted a ticket on key elements of trustworthy systems, which is issue number 20. I wanted to see who all was interested and kind of furthering that conversation determining whether or not it was still in need. My initial look of the Google Doc LinkedIn the ticket that I just dropped into the chat. Looks like it could be a follow up to the white paper and potential new working group for the for the SIG. So I'm happy to work on the follow up of the right paper Emily. Okay, I will tag you on the ticket. Does anybody have any thoughts on the issue. Is this sorry, I was just quickly reading it is this number 20 issue 20 components of no sorry, key elements of a trustworthy system. So is this meant to be like a general, say, guideline or is it more like an official prescription like these are sort of some baselines people should cover in general and here are certain tools or whatnot that go into the pieces when designing infrastructure. Like is it something we sort of would put CNCF securities name on as we endorse this is the way thou shalt set up a baseline distributed system for security, or is it more of these are best practices. I guess what's the intended audience of it. So that's what's not entirely clear. And Sarah could probably speak a little bit more to it but I wanted to try to make people aware of it and start having that discussion is I believe it's intended to be a best practices documents and more of things that you should be considering in your organization so kind of using as a reference. What's different from this and the white paper. This one looks like it goes into a little bit more detail but that's also part of the conversation is whether or not the white paper already covers this content and then we can mark this issue is complete. Or if there's something else going on that we that were, we really need to have a separate document for. And then I can add some color to this. This one was originally when we formed the safe working group I think this was like the initiation of white paper or structure around like think that we need to think through white paper. So this is more of a descriptive thing. The key elements of respiratory system should be more aligned with the landscape and should be more of a prescriptive thing so between white paper and landscape I think we can probably merge this to be like a one thing. Separate. So JJ does that mean that we are talking about really high value assets and how do we protect critical applications like confidential compute and those kind of concepts in this paper as well. So we. The idea was like the most of the ideas that we had when we put together the key elements where captured in white paper. So I wouldn't actually try and separate this, but the thing that you're mentioning can be somewhat captured in the landscape. Yeah, I would add comments to the issue to create some clarity around this and then if Sarah has anything to add to that I think it'll be good to follow through on the comment on the issue itself. To make sure I didn't miss your one part earlier is the intent that this issue 20 that this document would become a section of say the white paper at one point, like a chapter prescribed best practices sort of thing, or long term would they remain a separate entities this document plus the white paper. So, I would, until we finish landscape. It might be worthwhile to defer this until we finish landscape because landscape will cover a bunch of what needs to be covered here, and then it's possible that we don't have to do this, or we may have a need to do like a best practices, based off of the review of white paper and landscape together, right so I don't know how prescriptive will go in the landscape until we finish the landscape so might be a bit too early to say. I myself fell out of a touch I was absent for about a month from meetings the landscape is this essentially a subset of the CNCF interactive landscape but focused on security or is it our own landscape and does it use the CNCF landscape engine like the nice presentation of your little security things you can throw into your. With all the boxes know I think Brandon might be able to add more color to what the landscape is going to look like but it's more of a more about the projects what it solves. And how does it relate back to the white paper content that we have. That's the, that's a core of what landscapes going to look like. I think, Emily, there should be an issue for landscape. That is an issue for landscape. Yeah, that's actually what I was just looking for. I know we don't have a label for it. Yeah. It may exist only in Google Doc. Probably. This is one proposal security landscape preparation to issue number 34. Okay, so number 348 there. I'll post a link here quickly for everyone in the chat. Okay, I think I get a better idea of this. This is probably me putting a cart before the horse. So we won't bring it up but I've heard colleagues have noticed have found that into the CNCF interactive landscape is pretty darned because they're sort of gives them this first view of what they need for their projects in general know what they don't know, and take it from there so maybe a nice little predication down the road. Could it be possible best practices document links into say a separate instance of that landscape with just the security focus pieces. One needs an ingress controller one needs a an admission control maybe mutating admission controller policy enablements service and stuff like that. It might be sort of onboarding tool to supplement work that's already in the document. Just my two cents. In my mind. It seems a little bit redundant if we're talking about that native security with the white paper. If you look at all the elements in there from a trustworthy system. A lot of those elements are already talked about in the white paper. It seemed redundant to me but is there any other points or discussion that anyone wants to bring up on this then the white paper on the landscape document. So I did post. I did post that as a feedback on the issue itself so we can pick it up on the issue if there is anything more to be done there. I think if we more define what the purpose. What that document was supposed to provide. Maybe there's a different purpose there that we're not seeing. That was exactly my comment there so you can follow through on the issue. I'll throw a comment and they're in the issue. Okay. I'll drag this one to Emily are there any additional topics in this thread or. Good. No, that was it. I'm very excited we got through like two issues talked about today. Hopefully we can get revived. Awesome. Okay, I'll just quickly jump back here to the. Okay, part in for the delay. I didn't see additional updates in the meeting minutes. There's just waiting for the doc to reload, and I don't see any little check ins or anything from SIGs or groups. So, at the point, I'll just open the floor for anyone that wants to grab the mic or bring up any topics or tickets that need attention. And after that, if there's any new people that would like to introduce themselves, I'll open the floor for that. Anything else anyone wants to bring up. Okay, looks like we're good on that front shorter meeting today. Last but not least, are there any new attendees anyone just listening in or looking to join on the security that would like to quickly introduce themselves. Yeah, yeah sure. I'll do this myself. Can you hear me. Yeah. I can. Hey, Ron. Yes. Hey, so my name is on wider. Like I mentioned in the select channel yesterday. I'm a security researcher for almost a decade. And I'm a co founder and the CDL for stealth mode startup. And I can't wait to contribute to the group. Awesome. Thanks for joining us Ron. Good to be here. I'm going to grab the mic introduce themselves. Any other new attendees today. Hi, my name is Marla Weston. I'm over at Intel. And so I'm listening in at this point. I'm trying to get some of our internal people more involved but sometimes the way you spur that is by getting involved and then dragging them with you. Pretty much. Welcome aboard. Good to have you. I just wanted to step up. All right. Looks like that's a wrap for today. Thank you Emily and thanks for one and everyone has a great week and stay healthy. Thank you.