Okay, everyone. We'll just wait for other folks to join. I know some of us were in a previous meeting that's just wrapping up. Hi, everyone. I am Pushkar. I am the facilitator for the meeting today. First time as facilitator, so go easy on me. We'll start in a couple of minutes. I know some folks, Brandon, Emily and others, are wrapping up the other meeting and I see they're joining. Yeah, sorry, I did a horrible thing. I dragged the meeting way over time. No worries. Okay, so just some quick logistics. This is a reminder that this meeting is being recorded and pushed to YouTube shortly after. Your participation in these meetings is an agreement to abide by the SIG Security Code of Conduct, which can be found in the repo. So I've shared the links to the agenda and the meeting minutes in the chat. I'll also share it on screen and then we can get started. So I see folks are still trickling in. One, I think, important update in the proposed agenda we have is from Magno. So maybe Magno, you can share that first and then we can see if we need to move on to some other topics, or others, if they have anything to discuss. No problem. Yeah, so I just received an email from Jen half an hour ago. And she said that she had a family issue, an urgent matter, that she won't be able to attend today to present the MITRE ATT&CK, MITRE ATT&CK for containers, right? What I can tell you guys so far is that they're working on a version of MITRE ATT&CK for containers, right? Since Jen released the blog post last year on December 17, I can get you the link soon. But, but yeah, and we reached out to them and we've been helping them with, like, providing evidence of real world scenarios and everything. And they're planning to release the draft version publicly to the community next week. So I think we will definitely reschedule this meeting after the draft for ATT&CK for containers is published. So yeah, that's all I can say. Thanks, thanks Magno for the update.
So it seems like the February 24 meeting would make more sense versus the next one. Is that correct? I'll have to double check with her. So our update, I'll get the updated dates next week. Okay, sounds good. So we also need some scribes if anyone wants to volunteer, but most likely this will be a quick meeting now that the proposed agenda topic has to be rescheduled. Yeah, I can't access the Google Doc for some reason, but I was just having that same problem. I thought it was just me. Yeah, no, it just happened for me too; I started typing. Yeah, I can access it now, so hopefully it gets back to you all this way. Thanks for helping to scribe as well. Sorry, if we have, if we have time, I'd like to kind of discuss a little bit about the presentation that we had last week around the Linux, the Linux Foundation security scanning service and kind of. We had some suggestions on the call today, so kind of figure out a little bit about that in terms of what we can do to engage there as well as, you know, how we are going to see that as part of the TOC process. Yeah, yeah, I think we have time, so we can discuss that now and then I'm thinking we'll get to the updates from John and Andrew. So quick, quick update from me. We have a little container. Sorry, the supply chain working group. We're progressing. There's quite a few people contributing now to the document. Still got a fair way to go, I'd say, but the conversations we're having during the meeting and offline are pretty fruitful, and I think we're starting to get some decent best practices into that document, but still, as I said, quite a way to go there. In the chat room that we have on the Slack channel, there's a really interesting article that was published about dependency confusion. I'd recommend people read it, but it was quite nicely aligned to some of the work we were doing within there. So, definitely one for the list of references, and I recommend people read it. Just a brief update from me.
Jonathan, are you thinking of a follow up call to bring together the offline work? Or how do you want to go from this point on? It's really the regular Friday meeting calls that we have, just trying to update that document. I think in, in sort of three, four weeks we should come back to the informal group and sort of report on progress, but everything that we're doing around the working group is funneled into that Friday call at the moment. Fantastic. So John, for the benefit of others in the meeting, is there a way where people can join the Friday call? What would you recommend? There's the Slack channel; the details are in the Slack channel, with the Zoom meeting details and the link to the paper we're writing as well. Okay, all right. It's on the, it's on the CNCF calendar now, if you subscribe to the CNCF calendar. Okay. Yeah, Jonathan, do you think that it would be useful to also put that on the README so that anyone that comes by the page can kind of go directly to it? Which README are you referring to, the CNCF, the SIG Security README? Sure, I'd be happy to. Yep. And also, I'm not sure which Zoom you're using. I saw the question about the meeting recordings: is that being set up, or if not, thinking that if you use this meeting ID, it will be uploaded automatically. Brandon, they have a separate meeting. I think that's something that only the chairs can control, so let me go back through. I'll take an action to go back through and pull the recordings out and get them posted into a document or an agenda note, if it's the one that's in the channel. Great. Thank you. One more question, so in discussing supply chain security as a whole, there's many different areas that come together. Are there particular areas where you're looking for help? Say key management is a, is a topic that's often unresolved, or are there different opinions, or runtime security, something like that? Absolutely.
Well, we're open to contributions for every single one of those. I think PKI, I believe Cole, who's on the line, took that particular area, but I'm sure he would be open for any contributions around, around supply chain security. I think for runtime, or runtime, or perhaps some of the protections we can put within the software factory itself, we're probably a little light at the moment. All right, great. So I know Brandon and Andrew have a couple of updates; whoever wants to go next, you can go ahead. Thanks Brandon, I was about to say the same. Yeah, just a quick one for me. It is an appeal for papers. The SANS Cloud Security Summit is now free this year, whereas traditionally they weren't. It is open till the 22nd of Feb, and is well aligned to the copious interests of this group. There are lots of topics they're interested in, specifically, probably as usual, case studies, best practices, innovation, identity, hybrid environments and all the good stuff. I will post what I've just said into Slack and into this channel. Thank you, Magno. I'll put those notes in there as well. Yes, so should be good. I will also be slinging my oar in with something as yet undecided, and all are welcome, please do submit. Thank you, Andrew. Brandon, want to go next? So, this is more kind of like a quick discussion. I don't know whether maybe we can have, have this offline as well, but this is kind of more for, more for Justin. I think we had a presentation last week about the Linux Foundation scanning tools. I forget what it's called, Alan access, something like that. We're wondering whether there are new plans kind of to integrate this into the project process, to see is there anything that we can do from the SIG perspective to kind of evaluate this or, you know, start integrating the use of it into our assessment process. Just looking at the notes, it seems like it's called LFX. Yeah.
Hey Brandon, can you do a quick recap on what was specifically discussed at that meeting for folks that may not have been able to make it or had a chance to watch the video? Yeah, so, so the meeting was about, Laura gave kind of an overview of what the Linux Foundation has. They have a bunch of, a suite of things, right, so one of it was like the, the, the landscape stuff and all the stuff that does, and they have this new, new solution which is kind of like in beta. And the idea is they are providing kind of like a scanning solution for the Linux Foundation projects. And so it is a dashboard where they can scan the different projects in the Linux Foundation, they come up with reports, and the idea for this is to kind of provide, you know, show, show people that the projects have gone through security testing, that that is a way for them to evaluate the security of the open source projects when they want to use it with enterprise, amongst many other things. So it seemed like they wanted to kind of build what they were doing into kind of like something akin to the CII badging system. As I think one of the things that came to mind was, is this something that, you know, we could say as part of, you know, the, the graduation process or incubation process, that you have to be configured for the scanning, the scanning has to be done, and your sort of percentage of the project's code has to be scannable or set up for scanning? Yeah, I think it's definitely something we should, it would be helpful to evaluate, like what we think would be most useful. I mean, I think that if, if it goes into the badging program then obviously we're going to auto kind of adopt it, so that would be one route, but I think while it's in beta maybe we want to try and help some projects try it out in CNCF and see if, see what's working for them, what's not working for them, whether they find it easy to adopt and things like that, and see what value they're getting from it, from it.
I think that will be something that we could, if some people could hand hold it through some projects and see, help, help and try it out. Okay, yeah, yeah, I think that sounds good. And maybe we can see whether we can get a few logins for, you know, the assessment projects so that they can better try and include some of that in the assessments as well. We have the Buildpacks assessments, either starting soon or started or going on. Would that be a potential project that we can roll into this? Yeah, I think that's, I think first we have to figure out how we are going to get the logins because we can't access it yet, I think. So I can take that as an action item to kind of figure out how we can get access to that. So the Buildpacks team already produced their self assessment without being aware upfront that this would have been an ask. I think at this point this is probably too late. It is also unclear, like, which of the tools; for example, there's a partnership with Snyk. That's great. A lot of projects would use, would like to use Snyk, but they don't have the resources to pay for a paid subscription, or need to find a sponsor to do so. So looking at the security tools under LFX stuff, there's like Cloud Foundry, so not sure what might be applicable to Buildpacks but might not be applicable to other projects that use Cloud Foundry. So we need to do some work to evaluate, like, whether one of these things should make it there. Go ahead, Justin. Those are the results for scanning Cloud Foundry, not for. You're right. Yeah. My coffee is yet to kick in today. These are projects that have used the scanning that they're highlighting there. Yeah, I think we also kind of need access to it. So, you know, whenever that becomes available.
We can kind of also look at this as like more of a validation, so anything in retrospect where we can look at the results of the scans of those projects and kind of look at how it would have affected the security assessment and evaluate whether it's useful. Yeah. Looks like sign up is, like, you can sign up. I'm using my Linux Foundation account and it lets me through. It does, however, ask for adding a public Git repository. Let me do an exploration and report back. Is that from Snyk? This is from LFX security tools. Okay. If it's tied into Snyk, I think that's, that's the requirement for, for Snyk: once you log in, you tie it to your public GitHub account, and then you can add your, your, like, public open source projects to that so they can start scanning. That's right. All right. Do we have any other comments on this topic from anyone else? Yeah, one, one just comment: I noticed, going to the Linux Foundation portal, there is something called the Red Team Project. And under the Red Team Project, there are a number of security tools that have been mentioned. I have not investigated enough to make any judgment at this point, but they might be relevant to our discussions. I don't know if anyone else here in this group may have been exposed to those. And if so, I'll be interested also in knowing what their observations or comments are. It's meant for, I believe, a number of security tools, including the pentesting of containerized, you know, pentesting, risk analysis, these kind of things. Right. Do you mind sending the link to the. I will do so in the chat message box. Okay, okay. Thank you. So, it looks like Andre also has an update on the security day. Correct. Thanks. So we are finalizing the program committee. A number of you had expressed interest to participate; this is Cloud Native Security Day for KubeCon Europe.
We are doing a round of making sure everyone is still interested to participate, those of you who had expressed interest to do so, and that if you haven't obtained your SIG membership that you do so, that you familiarize yourself with the charter of this group and what Cloud Native Security Day, at the end of the day, is ultimately all about. And as part of that, that you just put your name onto the SIG membership if you've been a regular attendee of these calls for a period of time. If you're not from there, well we will, we are engaged with the LF planning team for the event, and there's going to be coordination, logistics; the CFP is open. I know folks had made some comments on the channel around whether the dates could be shuffled around to allow KubeCon acceptance or rejection of talks to happen. And it would be great for people to know whether, like, maybe they could reuse those talks here. We did check with the team at the Linux Foundation, and it created a lot of pressure, and moving dates around particularly would give presenters a much shorter runway to prepare presentations. And on the back end that created a lot of other complications, so dates will remain as is; we did try to look into that. So if you want to add some extra color to that. That's where we're at. They updated the site with some more information, so if you're interested in applying for KubeCon and submitting a CFP there as well as for security day, you can certainly do both, and then the Linux Foundation's program committee is going to work through and kind of do an audit to make sure that we don't inadvertently force you to talk twice at the same event. If you get picked for KubeCon, we, we believe, and the organization believes, that you want to make that your stage and not Cloud Native Security Day. At the same time we would encourage you to think of talks for Cloud Native Security Day to be targeted at a primarily security audience.
More so than what you would, you would present somewhere else, or if you had great experience on, on a subject you've worked on but you can hone that a little bit to be security focused, that would be fantastic. That is the goal of this very special arena that we only get to have twice a year. That's it. I don't know if anyone has questions or comments, but feel free to tag me on Slack or on the Cloud Native Security Day issue. A quick question about the Cloud Native Security Day. So, do we have any dates to plan for the timeline for the CFP reviews? Yes, I did get your confirmation, Ty. Thanks for that. I will reply to the group with the timeline we're looking at. I will, I'll give you a sneak peek of that right away before the wider group; we're still waiting for a few other confirmations to come through before kicking off the work stream. Thank you. So just wanted to make sure there. Right. Any other questions on security day from anyone? I would like to say that even if you can't attend or you can't submit a CFP, please tweet about it and share it with your network. We had a ton of attendees last year. I'm going to be running the flag event again this year. So, stay tuned for more information on that at a later date, but please, please share that. That's actually a huge level of visibility for the SIG and for the CNCF across the community, bringing more of the security professionals in with the developers and SREs and open source projects. Tune in tonight to Cloud Native TV; I'll be talking a little bit about this. So, yeah, I'm going to definitely give the, want to make sure the group, because I think it's again, it's like a co-located day on, on your KubeCon that has to do with security specifically, because look, you get.
We all know during the course of even, like, virtual events, it's like you get bombarded with so much stuff. This is very specific to the audience here and I think there's going to be amazing content, just from the whole swath of security, so it's awesome. And, and in all likelihood, as it happens with trends, a lot of it's going to revolve around supply chain security this year, which is a topic that needs a lot of attention right now. It's great, like if, like, you have great folks here that are experts and we're trying to advance the space. Feel free to lean on those people if you have ideas in mind that are not quite fully formed and, and you could use some help. Jonathan is available. Mr. Dan Pop is available. All of this is really good. And then please send, you send the link to your, to your stream, so folks. The CNCF stream, I'll put it in the channel, no problem. Thank you. My pleasure. Okay, anything else on security day from anyone? I know that Dan wanted to turn this into an improv session today. I was waiting for Vinay. I was, you know, Vinay really kicks us off, you know, he's, he's got, he's got a way about him. So, I do have one joke. Why did the IT team set up the remote office from the beach? Why? It was too cloudy. Come on. No, I can't. That was a good one. What do you call a turtle that serves the dark web? A Tor-toise. I'll stop. I'll stop. And the meeting, please. I am actually all for improv, so we should sync up later. I'm a big fan of improv. Yeah, yeah, Andrew, you know, maybe we can have this as part of Cloud Native Security Day, a security improv or something like that. Let's make this a feature in every meeting; we'll give five minutes to do, like, a couple of jokes. And if it goes well, you know, let's use the entire meeting for it. You're supposed to train your strengths, not your weaknesses, or play to your strengths, not your weaknesses. Okay, all right. So, okay, everyone, back to business. So, I think we don't have any other updates from anyone.
So I'll make one last, as the facilitator. So we had our first meeting today on retrospectives for the security white paper. Five or six of us met. We discussed, basically, in terms of next steps, a survey that would be drafted soon to get answers and information about things we want to know about the white paper and its distribution, as well as how it was received. So we will be drafting that today, starting today. And in a couple of weeks' time we'll meet again. If you want to be involved and haven't sent me an email already, feel free to send me one. And I'll set up, set up the invite for the retrospectives about a couple of weeks from now, same time, one hour before our SIG Security weekly meeting. Second update there would be more to do with anecdotal feedback. Anything you have heard as an author or a contributor of SIG Security or a reader of the paper, where you want to share some details, feel free to let us know, either put it in our SIG Security white paper channel as a post or share it with me. And if you want to be invited, also DM me on Slack because I tend to miss Zoom direct DMs. So I'll send you the invite for the next time when we meet again. Alright, so any questions on this? Okay, so we have reached, we are at 10:30 Pacific right now. If no more topics, we can probably close early, or people can continue with improv sessions or jokes; I am all for it. But if not, we can finish for the day. He's ready. Thank you. Why are you putting me on the spot? That's improv, baby. You know something I don't know about myself. Sorry, it's too easy for me to pick on Andre all the time. All right. Okay, so it looks like we have, we missed one update. From a lot. Sorry, which update is based out there for a minute. Okay. Maybe I misunderstood that; in that case, I think we have No, I'm not an improv person. Right. Okay, so if no update then great. Thank you everyone for the meeting. I know I have some folks who have shared interest in improv today.
I think that I will consider that as a win for today's meeting. And let's catch up again next week. Thank you. Thanks. Okay. Bye bye. Thank you on Slack. Thanks. Sounds good. Thanks.