Hello, Brandon, do we have a template of that table?

Yeah, I'm looking at that right now.

Yeah, it's a... Could you figure out a better way to put the template? Every time I have to scroll all the way down to the end of the document, it takes forever.

Yeah. This is a scroll button event. Yeah, just give me a sec to put this in. I finally reached the end of the document. All right, there we go. Let me link the meeting notes into the chat. Okay. I'm having issues with Zoom now, one second. Can someone post the link in the chat? The chat doesn't seem to be working for me. Thank you. Thanks, friend.

All right. So, please put your name down in attendance. We are looking for scribes, so if you can help scribe today, please put your name down in the scribe section. I believe today is a working session, and we are going to be talking about the DoD document that Tim was talking about last week. Let me make sure; I raised it the week before. That was... Something that Matt Hamilton, who I see is also on the call, at least according to the notes, wanted to discuss: potentially making security assessments contain more security-audit-like properties. Okay. Yeah, let's put that down as well.

Yeah, it shouldn't, I hope, be that long of a discussion, but I think we should just start to let that idea percolate and see what people think.

Okay. I don't see Tim on the call yet, so maybe we can start with that once we get through check-ins. Who's this, by the way? I can see your name on there. Okay. Let's start with check-ins. Let's see, updates. Matt, do you have any other updates besides the agenda item you talked about?

No, just the agenda item.

Okay, cool. Also, I think we missed this last week: if you are a new member, put "new member" beside your name in the attendance, and then we can do some introductions as well. Okay, Jefferino? Did I pronounce it right? Cool. Do you want to give a short introduction of yourself?
Yeah, my name is Jefferino Sequera. Currently I'm a senior security analyst at Bishop Fox. I do a lot of Kubernetes assessments and Kubernetes reviews for Fortune 500 companies in this role, and I'm just coming by to check this out and see if I can help at all.

Cool, welcome.

Thank you.

All right. Okay, Vinay, do you have an update you want to talk about?

I wasn't sure if this was the best way to convey it, but I just wanted to mention that, as Tim requested, I made a few additions to the security practices in the DoD document.

All right, thank you. All right, and it looks like there are no other check-ins. And thanks, Emily, for signing up for scribe. Okay, so checking in from the work groups: any updates from the work group on policy or the one on data? Okay, looks like we're all good for that.

So let's start with the item that Matt brought up, on providing a security audit angle to the security assessment. I don't know whether that's a good way to put it.

Yeah, so just for some background: I was assigned, or voluntold, for the Keycloak assessment a little over a week ago, and my understanding of the SIG-Security assessments is that a lot of it is reviewing the self-assessment and the document that is produced by the authors of the application, or whatever the working group is looking at, and then providing feedback based off of that documentation. Personally, I'm a very tactile person and I like to poke things, because I feel like design can be whatever people want it to be, but implementation is where things actually get interesting. In the particular case of the assessment that I was on, I set up the application and within 30 minutes I found something that really should be fixed, a security issue that that team has agreed should be fixed.
So in saying this, I was wondering why SIG-Security assessments don't have a practitioner angle. Nobody actually sets up the application and attempts to compromise it or identify any security issues. And I understand that for a security assessment, likely the blocker is bodies: people who are able to perform those competent reviews. But from my perspective, if there was a small group of volunteers who didn't necessarily do the traditional SIG-Security assessment process but instead performed very light, just once-over review penetration tests of applications, or practitioner security assessments, I think that would go a long way in improving the security of projects that come through SIG-Security, and it doesn't require the formality and the otherwise potentially very large time investment of a formal penetration test. And so I was wondering, what are the blockers here? Is it just bodies? Is it just people able to do these reviews?

Right, so the first initial thought on this was that the CNCF, for projects that reach the graduation stage, would end up performing a security audit, and so there would be a bit of overlapping of the tasks that we're doing. But at the same time I do see a bit of value in doing a cursory look, just because it translates to the security posture of the project itself, right? I...

Yeah, I want to... Sorry, go ahead and finish your thought. I didn't mean to cut you off. It's hard to tell when people are talking.

Yeah, I was just going to say, it definitely translates to the security posture itself, but I'm just wondering how we could scope it in a way that doesn't become a football. How do we say, okay,
how do we determine this? Have a process for it that can be easily replicable across different projects. Yeah, go ahead, Justin.

Thanks. I was just going to say that, in general, I'm in favor of this. I would like to see it done and provided in a more uniform way. One of the logistical concerns I have is that, to this point, we haven't really had anybody step up and directly do this. We've had people occasionally do things that are kind of like this; it's not that we didn't necessarily play with some aspects of the tool, but it certainly hasn't been universal, it hasn't been uniform, and I think we would need to have people that are willing to step up and do this for different projects. I think it is intensely valuable, though. And to talk a little more about something you said, and something that Matt also said: by doing this you get a very different view of the reality of the project. For us to do something like an assessment, it's really important for us to understand not just what the project tells us, but enough to really understand the actual project's scenario and setup. Because I think it's very easy for a project, if they were malicious, to say they've done certain things, and from an assessment standpoint we might not check that, and then we may even push the TOC to move in a direction like, hey, audit this part, feeling we're doing the right thing when really we've just avoided a big problem that the project has, because we maybe got the wrong information from the people doing the self-assessment, or maybe we just overlooked something obvious that we didn't see because we weren't looking in the right way.
So I'm very much in favor of this, if we can find a way to do it fairly uniformly and get a cadre of people in.

Yeah, I'm a bit hesitant on phrasing it that way, in terms of saying that we necessarily have to do due diligence based on what they're putting in the assessment, because I feel like 80% of the assessment process is based on that. I'm not sure we can really make that statement and try and validate that statement. I'm wondering whether we can just put it in a way that says we are evaluating... I'm sorry, I'm not sure what exactly the bug was, but I'm thinking about it in terms of: is there a way to say, okay, can we somehow measure the quality of the security design rather than try and question the veracity of the self-assessment?

Just to interject, perhaps this is the more valuable component. And I'm only speaking for myself as a tester, although I'm sure there are a lot of other people who are in the same position: when I look at an app, within 30 minutes I can tell whether or not it's garbage. So, if it's nothing more valuable than that, a lot of times you can get a gut feeling that this might be an area of concern, this authentication scheme is very roundabout and there's too much going on such that it could become a problem. It's very easy to do that, at least for me, and I'm sure that others are the same way. So I don't know, other than just findings, what information would be valuable to this group and to the assessment process, but I think defining that would be good too.

So I guess my question is, for this information to be made available, are there other things that we can request from the project side to help us evaluate this?

Personally, no. Again, this is just me personally. In the app that I was recently looking at, I had used it before,
many years ago, so I knew what it was. But if I open that SIG-Security document and I watch the walkthrough and all of that, that's great, and a lot of times I can understand it, but I personally need to poke stuff. The only thing that I would benefit from as a tester is instructions on how to set up an environment that works, just links to installation and setup instructions. That's the only thing that I would need from a project.

I was a bit worried... Sorry, Brandon.

Recently we updated the assessment information. I believe we updated, or maybe it's in the pending PR, to talk about how assessors, our security reviewers, have flexibility to go through the documentation that the project has. We don't require it, but it does help them get a better understanding of what the project is and how it actually functions. This is beyond the actual self-assessment that's made. It was my thought, when those updates were made, that if an individual wanted to do a little bit of poking around and install it on their desk, on a machine, to figure out how it works, and if they happened to discover any vulnerabilities, that was entirely their choice. I don't think it's something that we discourage, because if you're working with the group of individuals doing this security project self-assessment and we find a blatant problem with it, sometimes it's an indicator in the documentation that this is not written right.
It reads a little funny, actually means this, and then we dig in a little bit more and find they're going early, for instance. But if there is a tactile way for that information to come to light, I don't think it would necessarily be an issue as part of the...

Just to add to that, this is in reference to the Keycloak assessment, and currently the assessment is in the clarifying question phase, in which we're just trying to see if the doc conforms to the assessment guidelines, all the necessary fields and stuff like that. After the clarifying phase is done, you have an entire week for people to chime in and actually try the project, like Matt did. So I think we have time after the initial dumb question, clarifying question phase to actually go around and poke into the project, if somebody would like to do that. We have a week set up to actually do that. We're not in that stage yet, because the project is still working on the self-assessment itself. So once that's done, then definitely folks can go and poke through the project, and then obviously we have a presentation in the later stage, so we can bring up all these issues. So we have time to bring this stuff up.

Yeah, my worry was around some projects which require a more elaborate setup.

Yeah, that was why I brought this up. Sometimes you can just install a Helm chart; sometimes it's configuring a lot of moving parts, too complicated to ask a security tester to spend six hours setting up some weird environment.

Yeah, or in the case of, like, Parsec, right?
Well, I don't have an HSM. I can't really test this because I don't have the necessary hardware for it.

The other thing I'm going to bring up: like Matt said, this is a great idea. It's something that, if we had the people to do it for every single one of the assessments that come through, I think everybody would be happy with that, and we'd get a lot of great information. The other concern that I have, from any time I've worked with a security tester or a security researcher, is that the mechanism by which they go around and poke at some of these projects or applications is different from others. So, back to the point I mentioned earlier about uniformity: if we were to do an assessment and we had one, maybe two, maybe like ten individuals actually poke around at the application, it may not necessarily be consistent between assessments. For some projects, we don't want anybody to think that the security review of the project is considered an endorsement for said project. That's not how it works. It's more of a peer review: this is our process, these are the things that we found. If we were to start claiming that we are also doing a lightweight security audit of the project, that has a little bit more weight to it, and there's no way to measure it. It's a great idea; if you have recommendations on how we do that, that'd be great as well.

Yeah, so I guess just to address both of those points. The first point being that different people do things different ways: I mean, I think that's just kind of an unsolvable problem.
That's the way that everything is, right? So I don't understand why that would apply to this more than to people reviewing the written document or anything else. And in regards to people interpreting the results to mean something different because we're doing a poking audit: personally, when I joined this group, I guess a month or so ago, I assumed that was what was going on here. When you hear "security assessment", that's just what you assume. So I think adding that functionality just makes sense. I think it's filling a deficiency; it's not adding something extra that now we have to explain or worry about.

Well, let me jump in. I want to make sure that we cover a bit of the context of how we got here. The working group that became the prototype for the SIG inside the CNCF started as the SAFE working group, Secure Access For Everyone. And then when we landed as a SIG, I actually pushed real hard to get rid of the backronym and move to a single word, and we chose Security. So the community of members here are primarily builders of the technology supporting cloud native infrastructure. Up until recently, we really haven't had any pentesters or professionals at our disposition to build process and enable things like this.
So when we as a SIG take on a responsibility, we need to make sure that we can continue to staff it, basically, with the volunteers that we have. So if we have something that an individual is interested in doing, we'll look for ways to integrate that into existing processes. But until there's a lead, until there's a contingent of individuals that can do that regularly... Yeah, I'm always concerned that introducing new features and capabilities of what we can do does introduce a bit of a liability. We should call it out when it's happening. But Matt, I absolutely want to enable you to explore this, and I'd love to see us build a deeper relationship with the testing community and really integrate the whole world of the security awareness side with those that can help us and be partners in the validation of what we're starting.

Yeah, that makes sense. I guess, back to my original question then: if it's a matter of bodies, of people who are able to do the task, what is that number? How many people do we have to have before that could be considered to become a codified process?

My community management standard is three. Get to n equals three, and that gives you enough stability that a structure can stand on it.

Okay, thank you.

And ideally not all from one organization, with one...

Right, yes.

...sort of like with the same supervisor above them, where something changes and maybe we lose them all.

Yep, got it. Great clarification. Thank you.

So I do think that there's possibly a space for this. I know we had a lot of discussions when we were talking about something called the observer role, in which people say, okay, how do I do a security assessment?
I would like to just observe a few people doing it. But I think that this could be part of a document where you write down: here are some ways you can go about doing a security assessment. One of them is downloading the tool and trying it out. Another part of it is looking into the repo, identifying issues, seeing what the issues indicate about that repository.

Matt, would you be opposed to submitting an issue to find out how many members of SIG-Security are interested in creating that audit team, or that lightweight penetration testing team?

Yes, I'm happy to do that.

I think that would be a good next step: first to see if we have the membership that's capable of supporting that kind of activity, and then conferring with those individuals on what a process would actually look like incorporated into it, and then, when you're done with all of that, reporting back to the group.

Sounds good.

I also wanted to suggest... I know Justin does a fantastic job of articulating the objectives of the security assessments, but does it make sense, and I don't know if it's already there, to have in the security assessment templates the clear objectives, the goals as well as the non-goals? For example, when we did the Harbor review, I brought up some of the things: has it gone through all these security best practices in terms of scanning, vulnerability risk assessment, all those kinds of things. And I think the response there was, hey, we've already subjected Harbor to a lot of pen testing, and here are the results. So we said, yep, that makes sense. So we could call these out as requirements or areas to cover, and if that's not one of the goals for the security assessment, actually call it out to say that we don't cover these. And, as Dan also mentioned, there are also these liability issues.
It's not a thorough or full-fledged pen test or security audit, but it's mapping back to best practices: how are you managing your keys, what happens when something fails? Those are the kinds of aspects that we cover: recovery, graceful degradation, all those kinds of things. So maybe just call out the goals and then also call out the non-goals, if that makes sense.

That makes sense to me.

Yeah, for sure. When we get the recommended process for how we could potentially include this, there will be a lot of documentation updated and discussed. The goals for the assessments that we currently have might potentially change in scope, our non-goals listing might increase, and the liability statements that we have on the repo, potentially. So there's a whole bunch of stuff that would go into this that will have to be considered, but I think we have the feasibility to execute a recommended process.

Does it make sense for me to take a stab at it, Emily, to just start putting it together, and then we can see where we land and capture all the different impacts, from a legal perspective, from a liability perspective, just to have it somewhere so that we can discuss and then choose as we deem fit?

I think that would be good to have, and I would also recommend that you engage with Matt on a couple of those things. As we're finding people across the community that are from different organizations and teams and backgrounds and experiences, the diversity is great, because it brings all those different viewpoints together. So somebody may be thinking about something that we've all missed, or that's brand new because they learned this really cool trick. So definitely think about getting together with Matt, and if you could link to the parts of the repo where those docs potentially need to be updated, that would be super helpful for when we have to break down that work and do this.

Will do, thank you. Sounds good.

Okay, any other
comments on this?

I'm new and still kind of figuring everything out, but if you need any help with that, I'd be happy to help too. This is Jefferino.

So Matt, when you create the ticket, if you could post it in the Slack channel, that way folks that are interested can find it very easily and comment on the issue, so you have a whole listing of everybody that wants to help you.

Yep. And sorry, just to be clear, I will open a separate ticket to capture the security assessment goals and non-goals, right? Or do we want to... and then we can link the two.

I would leave it as a separate ticket, but still link it, because we're probably going to need that stuff anyway. Brandon, what do you think?

Yeah, I think there are two different PRs. Yeah, it probably will be an issue, and then it will eventually evolve into a PR against the assessment README. That's what I'm seeing.

So, yeah, I agree on that. Let's keep it.

I have a comment in here, and I'm wondering: when we do an assessment, assessment against what? That would be the question that I think most people will have. If you don't have a frame of reference that is common to every assessor under this group, isn't it very difficult, and it's going to become almost subjective on the assessment, and then how do you maintain consistency among these different assessments that are done by different assessors? They're all experts in different things, but there is no one consistent way of doing it unless we put something in front of us. It's beyond just goals and non-goals. It's basically saying, okay, this is what we are following, either a standard in the industry for, for example, identity management, or for example vulnerability testing or something like that, whatever it might be. And I realize the liability portion and all those things, but I think the moment we officially call ourselves a security working group,
you have some inherent liability one way or the other. I mean, we are under the CNCF and we are presenting that. So either we make progress in that way, or we don't really matter to the community.

I don't know. There are a lot of individual points in there that I would sort of push back on. I think that we are necessarily a group of volunteers, different people, that are going through and looking at extraordinarily diverse things that are so different from each other, and in many cases there aren't effective established standards for how to do this. Furthermore, we're not even claiming to do something like a professional audit. We're giving the TOC some general recommendation and some general notes about what this group of assessors thought of the project. So in order to do something like what you describe, I think there are a lot of things well outside the control of what this group could possibly do that would have to change, including figuring out how to standardize, like doing PCI-level standardization across every possible project that would come to the CNCF, which would just be crazy.
I think the space is moving too fast. The alternative for us, if we just say, well, we'll just do nothing, then what we end up with is the model that we had before, where a few of the TOC members poke and prod in what little spare time they have for the projects that come up and try to form some opinion, and then try to convince other TOC members of what their opinion is, based on them getting to spend an hour or two, probably, I'm guessing, in some cases, kicking the tires on these projects. So I view it as we're doing something in between those two extremes. We're getting a much deeper, much more involved engagement with the project, but we're not going and doing a month-long security audit, digging through the code line by line with a team of eight to ten professional security penetration testers. We're striking, I think, a reasonable balance, so that there is a good overall assessment of the project's security done, without expecting that the assessors would be perfect and drop everything and have this be their only day job, and be professional security penetration testers.

No, I don't disagree with that.
All I'm saying is that perhaps, if we can put down some very high-level scope, or some guidelines... We don't do everything, but we do some things. In other words, whatever that something is, at a very high level, maybe it's just an architectural issue, maybe it's just a philosophical issue, or whatever level that might be. Not the core assessment, which I believe is obviously too detailed and difficult, and I agree with that. But I think if we say, okay, these are the things that we look at and this is the frame of reference that we are looking against, then it's not an individual, subjective assessment. Because every individual is at a different level of expertise, and you can put that against any subject matter and come up with different assessments depending on who the assessor is. I'm not sure that is very valuable to the community. Then you're basically attaching someone's name and saying, okay, well, this is the person that assessed this one.

And the rest of the individuals that are interested are going to look at defining what that process looks like and seeing what kind of common things we should be looking for. Like with anything, there's a minimum: whenever we do an assessment on a project, we always expect them to complete the self-assessment, and that outline has a lot of good information from the project to help us. My expectation would be that Matt and company would be putting together something to deliver that's very similar, where they have an outline of the basic things that they're looking for, and then maybe there's a few freebies, and we can always link back to whatever that documentation looks like in each of the assessments, the same way that we link back to what our processes are when we write up the final report for what we're finding. But this is all new, and we're not really going to know about it until the
issue gets created, folks comment on it, and they start talking about how we do this, how we make it work for the community, because we are volunteer based, and what that looks like. And then we won't know if it actually works, or what the community's feedback is, until we try a lightweight process, or a lightweight assessment that includes a lightweight audit, on a project that's willing to allow us to experiment. We won't know until we get there. So these are all really good recommendations, and I'm sure Matt is more than willing to address them whenever those conversations get started. You're always welcome to join and comment on that ticket to ensure they have your feedback and input on how to make this the best that it can be.

Yeah, go for it. Sorry, one thing I wanted to mention real quick, too: it sounds like this isn't really happening regularly, and I don't think the goal should be an audit, the one thing that they would need to feel secure. But some level, 30 minutes, an hour, or whatever, some level of just checking things over, testing things, I think would be beneficial. The goal shouldn't be a perfect test, but if it uncovers a couple of vulnerabilities, I think that'd be beneficial and kind of do its job.

Yeah. Also, I was thinking about it from a different angle: that we need to be able to say that someone has done due diligence on this project. I think in past security assessments, the recommendation to the TOC, for example in SPIFFE and SPIRE, was that we've looked at this project in terms of how it fits in the ecosystem, but we have not audited the project.
And so the recommendation was that, because this is such an important project in terms of security and infrastructure, the CNCF should do a proper security audit for it. I'm just wondering whether there is anything we can point to, kind of like what we do with the CI/CD pipelines, some kind of badge certification that says this project has gone through some level of security audit. And if they haven't done the security audit, then, if Matt and others have formed a quorum of people that have the expertise, we can have it as something that we offer as a SIG as well.

I like that idea.

Yeah. I'm not familiar with that, so I'm not sure what certifications are out there today, but yeah, I'm looking forward to the issue. I think it should be a good discussion there.

Okay. Just want to check in: is Tim around, or anyone that wants to represent the DoD document? He pinged me outside and said he wants us to talk about it, so I just want to make sure we have time for that. So Tim looks like he's not around, but...

Maybe, if I dare to take a spot and just present that document? Does that make sense? And talk about some of the additions I personally made, for example, and how I interpreted the document.

Yeah, definitely. Go for it.

Just give me a second. Can you all see the "DoD for CNCF" spreadsheet?

Yep. Yep. Yep.

Great. So, the way I interpreted this is, I think there is a whole bunch of categories that have been defined in this tab: belongs in the Kubernetes STIG, and then the control meets NIST requirements for a Kubernetes STIG, and then belongs in a vendor-specific Docker or OpenShift lineup, container hardening, belongs in a container platform.
And I think this is actually a quite comprehensive list of controls that has been put together, and it's a great start. It's a work in progress, and obviously there are so many different facets, but I think it talks about all the different best practices, right? One of the things that I think about, I believe it's NIST 800-190, which is the container compliance one, so if I think about that, a lot of the controls that have been talked about in that NIST standard have been talked about here. So it's a really good start for any kind of, let's say in this particular case it's the Department of Defense, but any operator to be aware of as they deploy their applications and their cluster. So it's nothing out of the ordinary, just a whole bunch of best practice controls that need to be addressed. I'm not doing justice to the full intent of this, I must mention that, but the way I think of how this can be consumed is for, let's say, the DoD to put together some kind of reference framework on the controls that need to be enabled across all their containerized applications. I don't want to go through all of them, but there are different categories, if you will.

So, quick question before we dive into this. I noticed that the STIG, the different aspects of it, for example "limit the number of processes", seem to be pretty generic, but then there's this column that says "vendor". What does that mean?

You know, I'm really not sure. I think they...

Check what that column is: the vendor that provided it? It's a recommendation.

Oh, yeah, exactly. I think they've done a request for comments, if you will, or something like that, and so those are the vendors that have actually provided those recommendations.

All right, thank you.
Sure. And so there is some kind of classification in terms of how, you know, mandatory recommendations, what is the severity based on not applying these controls, if you will. And I'm sure a lot of these are very, very familiar to a lot of us, and really, really bringing together a lot of the, you know, maybe the layered approach in terms of system capabilities, right? You know, you can use a lot of the seccomp rules, can you use a lot of the Linux capabilities, how should you be configured, how should you be handling secrets at rest. And there is a whole bunch of similarities that I draw from the comments here in terms of how we actually perform our security assessments. For example, so secrets and secret management is a huge, uh, dimension that we think about when we do our security assessments for a lot of these projects; in itself logging, auditing, you know, runtime security, security for different types of components, for example the etcd encryption at rest, and remote logging, etc. And so there's been a lot of focus on the orchestration platform, and then there's a lot of Kubernetes-specific stuff, there's some OpenShift kind of stuff, and then what I went and added, and there's some references to how to interpret the CAP_NET_RAW. So there are some places where explicit capabilities have been called out, there are some places where they have been clubbed into a bigger bucket, if you will, and, uh, you know, how to handle namespaces, etc. And given that, I can talk to some, I just want to highlight some of the stuff that I added from my perspective, which was, you know, there was not enough emphasis on, um, you know, the shift-left aspect and the ability to actually incorporate those best practices.
So I added this, you know, the ability to do vulnerability scanning, file, into the runtime security, file integrity monitoring, malware scanning, the need for network visibility, network protection, and, you know, scanning Kubernetes manifests. Uh, and I'm hoping that a lot of these things can also go back into some of the points that Matt brought up, to say, you know, when you deploy a lot, when, let's talk about the Kubernetes manifests, there are a whole bunch of things that can be scanned and called out even prior to those actually being deployed. So I called some of those out. So that's as far as I dare to go with describing the intent for this document.

Cool, um, thank you. I think there's a comment from Mark in chat about: it'll be nice if it could be somehow mapped, since a lot of these, ask them from a lot in these guidelines, right?

Right, right, in terms of me, because it is coming from a lot of those different standards. Otherwise there'll be duplication and we lose the context. I agree. I can take a note to try to maybe call that out somewhere.

Is this space, um, you said it was based on 800-190, um, does that, are you familiar with the deck hub versus application or just kind of platform? It looks like a lot of these are platform-specific.

These are very much, uh, platform, and, uh, I can't comment to that off the top of my head. I have gone through the entire standard, but I'll have to get back to you on that.

All right. This is interesting, and yeah, you guys have a Slack channel also, right?

Exactly. I was just going to call out: anybody who wants to contribute, please, there is a Slack channel.

So should we be adding directly to the request, the access to the doc, and adding things to it, or, I clicked on the link, I don't have access, I just put in the request for, or commenting in the, um, in the Slack channel, or what's kind of the call to action? What should we be doing to contribute?
So from what I gathered, clearly I'm not the owner of this, I just want to make that very clear, but I'm also similar to you guys as a contributor. But I would recommend getting on that Slack channel and then maybe requesting access from Tim, and, uh, and then just starting to add your recommendations, and maybe provide the attribution so that they can appropriately be followed up and handled.

So there is an issue that you can go to for more information. It's issue number 391. I have, at least in the agenda, the ask from Tim specifically is review of the documentation, the Excel documents that they have, determine if the recommendations there are all found on point, if there's anything missing, potentially be tweaked. So that was the minimum ask, but there's a little bit more to it than just that. They're looking for, like, the entire issue, and what is an appropriate STIG for a fully cloud native deployment of any of their applications, which is the bigger ask. So I would recommend, if you have comments associated with that, reach out. But for the purposes of issue 391 and that Excel document, um, use of the Slack channel and the ticket would be great.

Vinay, thank you for putting on your vendor hat and, uh, you know, uh, pushing that forward. Really love, you know, getting some contributions there. Um, as you went through that, is there anything that you were like, uh, you know, it'd be great to take this from the vendor level and, uh, you know, sort of extract it out and build consensus, uh, so we can, you know, potentially go forward with, um, a SIG-level recommendation?

Absolutely, there is a plethora of very, very interesting and important aspects that we could take out of that, and we have a product-agnostic SIG-level recommendation.
Absolutely. We're done. I think that would be fantastic and something that, uh, it's, you know, really the spirit of what, you know, Tim was hoping for in the long run, is, you know, to build that broader participation. Um, I don't know what the best way to get that started is, uh, you know, just continue working through an issue or, um, you know, is this something that we want to integrate in sort of a presentation, um, or documents somehow?

My sense is I think a document would be a great first start, so that we can all collaborate, just bring our ideas together and figure out how we can put it into a format that we can put out there for external consumption.

Yeah, so if you have some cycles to pull some of those items out and kick off a document, um, that would be amazing.

Sure.

The document would be a great first step. Um, Vinay, I could absolutely help you there. I've written some stuff very similar to that for SUSE, um, which a lot of it is very general anyways, so I can certainly work here as well.

Thanks a lot, Cameron, will definitely ping you.

Okay. Did I hear that this list is available to the public for making contributions or comments or anything, or is it limited to a few specific vendors?

Not at all. I think, uh, and once again speaking for Tim, is, uh, there is a Slack group, and I believe there is also, to Emily's point, there is an issue 391, and then the document is linked there.
So I'm not sure about who has access, but if you click there, if you have access, I would imagine you're free to comment on it.

Just, it's right, at least by default the document is not viewable unless you request access. So you have to click on it and then click on the "request access" button.

Under here, I was going to suggest that when we have a document that we're sort of halfway okay with, then we could invite one of the reps from SEI to one of our meetings, uh, because they're actually paid by DoD to monitor the work in this, and, you know, I don't know if that would be formal, but it would be a way for us to really, I think, deliver something tangible, and then they can decide if they want something formal with CNCF.

Is that a contact that you can provide?

Yeah, Sassan Yasara, and it's somebody that Tim knows as well.

Okay, great, good. But I agree, if we have something to show it's always better, right?

Yep. I'll start putting it together, and maybe, I don't want to be overly optimistic, but maybe in a couple of weeks, hopefully we can have maybe a first version to review.

Sounds great. When you, uh, met the ticket for that they were tracking that, would you post it in the Slack channel for others to be able to...

Yeah, I put it in.

Oh, do you mean the Slack channel for the work that is...

Yeah, let me update the announcement, the header, to include the link to the Slack channel in the main security channel as well.

Yep, that would be great. Yeah.

Okay. If not, I think we're almost out of time, so I guess we'll see everyone next week. Thank you. Thank you. Thanks.