Good day, just doing a very quick mic check. MSU, yep, I can hear that. Thank you, Jonathan. Okay, we've already got almost a dozen people on the call. We'll give it maybe two or three more minutes tops and then we'll get things underway.

Okay, good day everyone. Welcome to this week's iteration of our SIG Security meeting. I just pasted a link in the typed chat for the benefit of attendees. It's a link to the document if you wanna track the notes or add anything to it yourself. Before we get underway, could I request any volunteers to be scribes for this meeting? Just keep rough, quick meeting minutes in the document I've linked there.

I can volunteer to do that.

Thank you. All right, so we'll get underway. And if anyone by chance has an opportunity to step in as a second scribe, so much the better. Okay, so I do not see any specific PRs or tickets to bring up. So what we'll do is we'll go through any partner SIGs or working groups or team check-ins, and then individual check-ins if there are any topics anyone wants to raise. Then we'll just go through some announcements and give new attendees, or people for whom this is their first instance of joining this meeting, a chance to introduce themselves, and we'll wrap up. All right. So let's see what we've got here for working groups and teams that are checking in. Pardon, my computer chose an ideal time to lag. There we go. Let's see here. Pardon, I don't know why it's doing this. Let's see, we have Alex Floyd Marshall from Security Pals. Alex, would you like to grab the mic?

Sure. So I'll just do a quick update. Emily introduced this last week under the name Security Buddies; some of you may remember. Since then there's been some vigorous debate on the name. A bunch of ideas have been floated and workshopped. I think we might have a poll out in the field somewhere with phone bankers working it. But it seems like the momentum is behind the name Security Pals.
So that's what we're moving forward with right now. And just in a nutshell, what this program is, is attempting to get CNCF projects, especially those which are in the sandbox stage, to start thinking about security a little earlier in their development process. So we're hoping to connect with those projects, not as code contributors, but as something kind of akin to an outside consultant, to guide them through the process of thinking about security and doing a self-assessment. So where we're at with that right now, there's an existing model for this that the containerd project has had, or has given us, which is their security advisors program. That's a little bit more focused on helping them deal with incoming vulnerability reports, but has a sort of similar structure of being an outside voice that's helping them process security issues instead of being internal code contributors. So we're looking at that. We're trying to learn from their experience and figure out what pointers they might be able to give us as we get this project off the ground. And then our next step is going to be identifying a handful of CNCF sandbox organizations that can be pilot projects for this group to go work with and start engagements with, to help them start thinking about security. So that's where that's at. That's just the quick update. If you're interested, do you want to follow along or jump in? The ticket number, it's issue number... I should have put this in the document, sorry. It's issue number 554 if you want to jump in there and participate in that. And that's all I got. If somebody wants to give the next update, maybe Mark.

I see a note in chat from Mark saying his audio is not working. Looking down the list, I think I've got the next update in just the roll call list. The IETF RATS working group is, sounds like they're getting close to approving the remote attestation specifications.
The IETF Triennial Conference is this week, I believe. So look for updates if attestation, and remote attestation for hardware, is interesting to you. Look for updates from that in the next week or two. And in parallel, the CCC is voting on approving an attestation working group tomorrow, and so I'm expecting that work to pick up in the week or two after that. So again, if folks are interested in attestation related to hardware enclaves and TPMs and things like that, I'll be sharing more updates here over the coming weeks for how you could get engaged in the CCC if you want to. That's it for me. Looking at the list, either Matt or Jonathan, do you want to go next?

I'll just jump in. This is Jonathan. Just giving you a quick update on the supply chain working group. So work's continuing on the document. We've got a lot of content in there now. We're up to sort of 50 pages. Cole and I are going through it, doing some pretty heavy editing right now. To be fair, I think there's still quite a lot of editing work on there and a lot of smoothing out to do, but it's certainly coming along. And if people want to take a look at the document, they can just reach into the working group chat on Slack or take a look at the GitHub link, and please come in and help out. I think there's some areas around SBOM that we could do with some help with. We're a little light on the ground in that regard. But there's a lot of quality content in there now. It's actually looking pretty decent. Just, as I say, quite a lot of editing to go. So still working on it, but it's coming along. That's my update. So, hand over to Magno or Ash, perhaps.

Sure. Yeah, Magno here. Yeah, just a quick update on the next meeting, where we're going to have Jen Burns talking about MITRE ATT&CK for containers. Just a reminder again for everyone, since people asked me to do so.
So, yeah, in the next week I'll just follow up with her, just making sure that everything's okay and that she's ready to go. And yeah, I'll provide another update on the Slack channel later next week. Thank you.

Thank you. And pardon for my absence; two minutes ago Zoom froze and then the rest of my computer followed suit. Are there any other check-ins from partner groups, working groups or SIGs?

Hi, this is Pushkar. I have one update. So, many of us have been working on a retrospective for the SIG Security white paper. So we have now a good list of questions, about 19 of them. And what I'm asking for is help from all of you to basically create a shortened list from 19 to 10. I'll soon paste the links to the survey questions in our channel. And basically anything you can add as a comment, where you like the question and would like it to be in the survey, or something that seems a duplicate of another question, those comments would be really appreciated, and we'll finalize the final list of 10 questions by end of this week. So anything you can share today, tomorrow, Friday would be highly appreciated. You and me, Kansas, if you're like me, is fine. Thank you.

Okay, and with that, before the start of the meeting I did not have any pre-suggested topics or PRs to cover. So at this point, if there are any check-ins or individual contributions anyone wants to bring up, we'll just go back through the list, or please feel free to grab the mic now.

Actually, Matthew, this is Vinay here. I think Ash, you had an update on the SIG, the security map work.

Yeah, so just a quick reminder. So last week we introduced to the group the Cloud Native Security Map, a new effort that we are working on, which is going to build on the Cloud Native Security White Paper. So we had our meeting just before this call, and I'll share a doc in the chat.
Essentially, we are looking for folks who can provide or contribute some content to different aspects of the Cloud Native White Paper, some practical projects or practical examples for each section. So I'll post the link in the chat. Please take a look at that doc, and if you want to contribute to the map, please let us know on Slack or you can add it to the doc. That's it, thank you.

Hey Ash, quick question. Don't be confused by the... Sorry. Go ahead. Right now, so I was just asking Ash if we are able to give, as examples, some industry projects that we know of.

Yeah, so the way we've structured it is you can provide examples of open source projects, CNCF projects and commercial projects, and if you look at the doc, we've kind of separated them into three subsections. So what you want to do is just collect real world examples and practical examples which can build on the white paper, and that's what this effort is around, the security map. Okay, thank you. Thank you.

Jonathan, for a clarifying question on the scope of this white paper: is it existing technology, or technology that people are still developing, that you want to include in the landscape? Specifically I'm asking about things like confidential containers, running containers in enclaves. It's existing technology, but let me know.

No, I was actually thinking, I think that's a great point, something we didn't consider. We were focusing more on the current landscape, existing technologies, but maybe it's something for us to index as to what's coming down the pipeline and how you can think about it. That's a great point.

Yeah, and I think just to add to that, we do have a section where you can add links and other relevant docs. So probably this can go in that section. So yeah, feel free to add these there, and then later we can obviously create and add an appropriate piece. Got it, thank you. Sure.
It is a recurrent theme that we don't just want to perpetuate what people have been doing, like the past of security, and that there are breakthrough ideas under development that we should be representing, because we don't want people to follow, we want people to lead, we want people to contribute in advanced technologies. So maybe we want to do a map, but then we also want to include a section of things that are not fully charted yet, like distant horizons. So yeah, great point. We should try to incorporate that in the map and the other efforts, like the supply chain white paper, because no matter how many times you reassemble a stack with the exact same set of Lego pieces, you're not gonna achieve meaningfully different things on that, rather than, hey, let's restate all assumptions and incorporate those new things.

So one guiding principle that we are having with the security map is also that it's a, how do you say, it's an offshoot of the security white paper that we had, and we're trying to keep it in sync with that as much as possible. So that's something else that we should factor in as we are indexing future state.

Totally. And while some of the discussion was, well, you know, this is really not like a topographic map, but it's more like a metro map, where you have a destination and you have train stops along the way, and where you're starting from in relation to where you're trying to get to is gonna influence an individual's or an organization's journey. But yeah, knowing what's out there is what ultimately informs that, right? Like, it's like the different vectors of this time space. One thing I wanted to add, when I collided with Eradna, is don't be confused by the vanilla in the title. Like, vanilla does not imply that this is plain or high level or very light. It's a versioning naming convention that came up. It's just that this ref of the document has been called vanilla.
So is it somewhat arbitrary, as opposed to implying, say, default or a baseline?

That is what I understood from reading it last time, but I'll let Ash answer that.

Yeah, it is. I think it's based on Android version schemes or something. I think Brandon came up with that. So yeah, it's arbitrary.

And if I want to contribute to this, should I be editing the Google doc or should I be opening a PR to the CNS map project?

So now we'll give you access to the Google doc and you can edit the Google doc itself. We just ask you don't edit somebody else's content; just add to the content. And then next week we have the first deadline, which is March 17th. That's where we'll review the content that we have and do any editing passes over it. So yeah, if you need to get access, just send us your email on the Slack channel. Or you can send it right now; I can add it for you right now as well. So, in the template. Sure.

Sorry, just to clarify. So when you say content, you're talking about: don't make changes to already existing topics, and to contribute your tables? Are we talking about...?

Right, so for example, for each topic, you can have multiple contributors. It's not one contributor per topic. So if somebody's already contributed to a particular topic and you think you like that, just add to it instead of changing what somebody else already added to it. Sounds good. Thanks, Ash. Sure.

One question that just popped up in the chat here, restricted to me, but maybe it was intended for the general audience. It was from Andres Vega regarding CN security day. Did you want to raise that, Andres?

Yeah, just a quick update. Yeah, thanks, Matthew. Quick update regarding Cloud Native Security Day Europe. We completed CFP reviews. Thanks to the program committee; it was pretty arduous and intense work over the last week or so. Talk acceptances have gone out. We're waiting on submitters to confirm their participation, but the schedule should be posted shortly. So keep an eye out for the schedule.
Yes, it's been finalized. We're just ensuring that people are still available. Sounds good. That's that. Yeah.

So I'm just going to quickly do a recap here. And again, pardon for dropping out for a couple of minutes there. Mark Underwood, I believe, earlier put some notes in the chat and indicated that he was having some audio problems with Zoom. So Mark, is that still the case? Do you want to grab the mic? And if not, I was going to ask if one of the scribes is able to copy-paste Mark's notes from the chat into the Google doc, if possible.

I already copied the notes from Mark from the chat into the links.

Thank you. Okay. I'm just going to go through here, and anyone please feel free to let me know if we've already covered this during the moment my computer was down. Ava Black, if I got that correct, an update on IETF RATS and CCC. Did you already get a chance to grab the mic or would you like to grab it now? I did. Thank you. Great. Let's see. Going through, Magno Logan, reminder of ATT&CK for containers presentation. Did you want to grab the mic? I did it already. Thank you. Gotcha. And then Jonathan Meadows, brief update on supply chain working group. I believe we already got to it. Is that so, Jonathan? Thank you. You did. All right. All right. Just going through the list here, and then from Ash Narkar with respect to OPA, were there any updates you wanted to present? I updated already. Thank you, Matthew. Wow, that was a very quick reboot. Okay, then it looks like we've got everything here, at least on the list of things that people wanted to bring up. And there are no particular tickets or PRs that were raised here. So at this point, we'll just open up the floor if anyone has any specific issues or announcements they'd like to roll out. Well, I have one for myself, very, very brief.
And that was, Brandon Lum had previously sent out an announcement, essentially sort of an open invite for people, security enthusiasts in general, if they wanted to look over the security map that derives from our white paper and if they want to contribute, add suggestions or whatnot. And periodically I interact with the community of TPM developers and enthusiasts on TPM.dev. And I just relayed that their way, and a few members may be interested and might reach out to us in the coming weeks and add their two cents. We'll see what happens. So that's about it for me.

Yeah, it's in the DMTAR already reached to us in the previous meeting we had one hour ago. Awesome. Yeah.

Okay, if there's any last minute updates, anyone's free to grab the mic and step in. In the meantime, I was just gonna quickly offer new attendees a chance to introduce themselves. I'm just gonna go through the list of people who have indicated that they are new to our meetings here. So starting from the top, there's Rory McCune, if I got that right. Rory, do you wanna take a minute to introduce yourself to the team?

Sure, hi everyone. So my name is Rory McCune. I've been around in kind of container security and collaborative security for a while. I haven't been able to participate in this group just from time; just started a new role as a cloud-native security advocate at Aqua, a company some of you will probably have heard of. So hopefully I'm gonna be able to help out here and attend the meetings. Thank you.

Okay, and with that, we have all of our check-ins, marked tickets, intros and whatnot. If there's anyone else that wants to grab the mic or anyone I've overlooked that wants to introduce themselves, now's the time. Otherwise, we'll call it a day. Thank you very much. Thank you, Matthew and Matthew. Thank you, everyone. Thanks, Vux. Have a great day, everyone. Cheers, all.