tirelessly for the past six months to pull this off, capture the flag and talks, track, lined up as we had. But besides that, there is a bunch of things we do. I'd say not as much as a community, but more as a society of security-conscious individuals. Brandon, if you'd share with the audience, what are some of the other things we do? What are we doing this for? Yeah, so TAG Security, part of the CNCF, we have our main charters to kind of improve quality of security, create common tooling, making sure that we come together as a community, we work together, we define goals and kind of move towards those as a community and to make sure that we collaborate on the efforts. So besides the usual things, we have our weekly meetings. We have weekly meetings, we have presentations, we have a ton of different working groups. We have a lot of different projects. So the way our community is organized is all around GitHub. We have folks coming in from different areas with different expertise, whether you're someone that is very technical, whether you're someone that loves design, writing, there's a place for everyone. We do white papers, we do catalogs, and I think we'll go through some of them soon. Talking and not doing is the same as doing nothing, or learning and not doing is not something you retain with you. So most of our work streams and initiatives are centered around artifacts that we can externalize and share with the community that can capture the pence around security as representatively as possible. The Cloud Native Security White Paper initiative led by Brandon is a great example of that. Yeah, we have a lot of what we do, even the white paper, these are things that are like, we like to call them live documents, right? Everything that we turn out as a group is always evolving, technology is moving really quickly.
So everything in this paper is up in GitHub, you can create a PR, you can find something cool, maybe something new in supply chain, you want to add it, feel free to just go ahead and add your thoughts and all the good stuff in there. If you're here, you clearly have an interest in security. That said, security can be intimidating, particularly when we're talking about formal verification, a very advanced subject, the last talk we had this week. But we want to make it relatable, we want to lower the barrier of entry, we want to make it accessible so that you can wrap your head around the different projects and have a good new-user experience and that you can shorten the path from, well, I just learned from this open source project, checked out the code, to, hey, here's something that's running as a production system in my organization. Is anybody here not in the TAG Security Slack or anything like that? Can you raise your hands? Cool, it's awesome, we have a good representation here. But great to have you join us because what the thing is, you'll find out a lot of what's going on in the cloud native world, but also from a security perspective. So we welcome you and we do, like Andre said, there's a lot of things like white papers and there's also kind of vulnerability assessments and all those things you can volunteer to do. So please get involved. Yeah, and I, on top of what Pop just said, we have mailing lists, Slack is still like our main communications. Our leadership team, all the TELs, all the co-chairs are very friendly. Just feel free to Slack us. There's nothing that, there's no such thing as a stupid idea or anything that's too small, right? Every contribution really adds up. And one of the things, for example, is we just went by the supply chain catalog. That was actually one of our members, Tiago, who was like, oh, I want to do this really cool thing. And then the leadership team were like, yeah, it sounds like a good idea. Let's support it.
And this is now one of our main activities. And this is something that folks continue to contribute to. To paraphrase the great Ian Coldwater, often it's more about showing up. Sometimes we don't know where to get started, how to contribute. But people you see as leaders in the community are people who attend the meetings, have a particular interest or passion to tackle something. And they go for that. And then they might move to something else. I was really bummed about Tiffany Jordan and John Schell, who had a session on the schedule, Accidental Security Leaders, of their journey of how they found themselves driving strategy and secure software supply chain as a matter of just being part, listening to the conversations, helping other folks navigate that. So yeah, just flip super quick through other things we do. The great Ian Coldwater also said, look it up, baby. So all this stuff is there as well, if you all want to see some cool stuff. So shout out, Ian. There's a lot of stuff there. And again, people are doing a lot of amazing things. And by the way, just one quick shout out to Andrew Martin, who braved coming across the Atlantic to come to visit his friends and take care of the CTF. I mean, you have been the engine behind this whole thing, you and your group. So you want to speak a little English, the UK, excellent for everyone. Across the Atlantic with a detour to the Baltic, I hear. Yes, precisely. I enjoyed the Croatian sun for a couple of weeks. Yeah, I mean, again, just to amplify some of the things you guys said, joining the meetings and like seeing these people who've like published papers and like done security research can be really intimidating.
But it is just about showing up, contributing and actually listening to what people, listening to how people think. It's so instructive to understand where they sort of derived their security perspective from. A lot of the threat modeling things that the group generates are just preeminent, really, really, again, very insightful. Yeah, I have to thank my team at Control Plane for all the hard work they've done on the CTF. We've had, I think, up to like 10 people rotating in and out. We ended up with about 60, 60 players of the game. If anybody would like a special edition, I believe, from the artistic hand of Emily herself. Yeah, special edition stickers to certify playing the CTF. I've got a bunch, so please do come and tap me up. And yeah, a few people asked if they can kind of play the scenarios another time. We will do another kind of community-flavored version of this because I think some of them were a little bit, maybe a little bit crazy difficult. Our red team, I left them alone for a week. And yeah, they tried to build engagement-realistic scenarios. So we'll do something again, just tap us up somehow on Twitter or whatever. I guess we'll put an invite out in security as well, because there's another three challenges of kind of increasing difficulty. Andy, there's a question I'd like to ask you. So people typically leave security con or the CTF super excited. They geeked out. They come back to work, and they struggle to relate this to other people and convince them of how to bring this, like, what advice do you have for folks? What to reference? What can they reuse? What can they bring home and to the workplace with them? That's an excellent question. And it seems like a perfect segue for the book. So I've just written a book called Hacking Kubernetes. If you really want to scare your managers, it's full of all the CVEs, it's full of all the bypasses. And that comes out on, I think it's going to print today.
So it'll be on O'Reilly in the next sort of three weeks. It's there on early access too. I think using real-world examples to demonstrate. Actually, one of the things I've had to do in my career as a consultant a lot of times was to actually demonstrate CVEs, to have a VM on the right kernel version to say, oh, look, you can, like the runc breakout, for example, containers are not impenetrable. It's the same for hypervisors, like everything has been attacked, but you just need to get, often, people with no kind of hands-on experience into the headspace where they can see there are viable chains of attacks or computer broken shut down the Internet. So we're going to hand it over to Brandon and talk about security assessments. We're almost done. We're almost done. All right. So one of the activities our group does, and this started way early on, I think this was more than two years we've been doing this, is security assessments. The idea behind security assessments is we want to help evaluate the security posture of the different CNCF projects. We want to be able to provide a kind of perspective of how they fit into the cloud native security ecosystem and kind of the security concerns coming from an adoption standpoint, you know, if I'm interested in something like OPA, I'm interested in using something like Cloud Custodian, how does it fit within the cloud native ecosystem within my deployment, what other security considerations, threat models I should be thinking about. So these security assessments help projects kind of think about security, help them produce a document that they can then share with others. Part of this is also, you know, all the reviewers that are doing this are also part of the community. This is something that we keep doing. We have Argo coming up. We have Keptn. Yeah, so we have a ton of interesting reviews coming up. It's a very, very fun process. It's like two, three weeks intensive, go through the project back and forth with the project maintainers.
If it's a project that you've been wanting to find out about, but you know, haven't had the time, it's a good like two weeks, get in there, go really deep and then write a bunch of things about it. So we are always looking for more reviewers. Feel free to just mention on Slack, say that I want to review something I'm interested in. You know, you don't have to be really deep technically. It really is about, you know, assessing the security posture overall of the project. Another way that audits are extremely helpful is it's really easy to check out code from GitHub and do a proof of concept with it. But it's a really hard job to convince your security peers of what are the failure modes of this technology when put in place into our infrastructure? What are the security attributes? What are the compensating controls? So we try to front-load that for the community. So we really scrutinize all the security aspects. We produce documentation. We produce a threat model. We help certify the projects towards the Core Infrastructure best practices badge to attest that they follow secure software development best practices. And we provide a lot of consideration around sharp edges. So if you're looking to adopt any of these really bleeding-edge, sharp security tools, we want to make that, well, easy for you and make sure that it doesn't stall within an internal audit or review because, well, as a community, others have gone through this process and we're all crowdsourcing that knowledge. There's opportunity for career development. We help out the CNCF in developing certifications. Most recently, we did the CKS with them. I see some faces in the audience have taken the test. Another great opportunity to showcase your expertise and help other folks like up-level their skill set. Look, I mean, there's a survey that was done. There's a skills gap. I mean, the Linux Foundation did it, out there is like 97% of employers say they can't find folks with open source experience.
If you don't have these certifications, you are less marketable than you would be otherwise. So please explore these as options. I get nothing for saying anything about that. But at the end of the day, the CKS, the CKDs, all those things are good things for your careers. You do? Okay, I'll kick it back to you, dude. We like to keep our finger on the pulse and restate our assumptions. What's the actual state of things? Are these technologies actually getting the traction that we presume they are, because we're so close to the problem? So we survey the ecosystem often. Here are a couple links to the surveys that are put out there. Yeah, one of them was actually released today. It talks about some of the concerns today around, you know, not only just supply chain. It talked about vulnerability management, secret management. It also talked a little bit about edge security and what's important. So this is all in the press today. Yeah. So awareness through effort. That's all that we're really after. We understand the pressure, the risk. That was our very last slide. I appreciate it. So it was timely. So we're going to say again, a big shout out to Emily Fox, who's now with us again, our engine. Please, let's give a fair, we wanted to recover quickly. So please give a round of applause. It's good vibes. Fox love. So I want to kind of end this kind of like we started. Security is not a single vendor. It's not a single project. It takes a community to look at these, look at security as a whole and be able to address these things. We want to see your involvement. How can we help? How can we do this all together? Thank you so much for being part of our first Cloud Native Security Day, excuse me, Cloud Native Security Conference, as we're calling it now. Okay. That's correct. All right. That's right.
And I'll say a big thank you, especially to Emily Andrews, who's been driving kind of the event, making sure everything's in place, you know, going through the run of show, making sure that everything's perfect, that you guys are all having a great time. And thank you all for being here. Takes a village.