Hello everyone. Hello, how's it going? Don't seem to be hooked up. Tell me if there's an echo and I'll mute myself. I don't know why Zoom isn't picking up my headphones.

I could hear you okay, for what it's worth.

Hello, you can still hear me? Okay.

Yeah, we can all hear you.

Yeah, okay. I will... Well, I think there's a risk of echo if my machine isn't doing good noise cancellation, but maybe the echo cancellation gods are with me. Everybody should add yourself in the attendance in the notes, or shout out if you can't access a computer right now. I'm facilitating the meeting, and I would love, because I think I forgot to line up a facilitator for this week, I would love to have help with scribes, if somebody could volunteer, and we'll just spend a few minutes for people to be... And then also feel free to... this is a working session. So that means, if anybody's new, what we do is we'll add ourselves to the agenda in the meeting notes, and if you have something that might be of interest to the group, add a note. And we do a sort of intros, updates, sort of stand-up, and also if you are in a role in the group or leading a project, add that note so that people who are new to the group know who you are, and we'll do just sort of quick intros of people with updates and people with roles. And then we have some folks from the Kubernetes working group security audit who put an item on the agenda, and then I also have some KubeCon updates. I'll give those when we get to them, about the session, and so this is a good time to talk about stuff that we might want to do there. I heard a bunch of ideas last KubeCon, so I'd like to kind of chat about the things that I've heard and see if people have enthusiasm to do various things. So I'll start: my name is Sarah Allen.
I'm one of the co-chairs of SIG Security and on deck for these couple months facilitating meetings, and I will be facilitating today's meeting. Next I'll call on Justin to just introduce yourself.

I'm Justin Cappos. I am, I guess, being proposed for tech lead, and I'm also the security assessment facilitator.

Next up... and then I'll put also the tech lead TOC update on the agenda too. Craig, just introduce yourself so people know who you are and recognize your voice.

Yeah, sure. My name is Craig Ingram and I'm part of the working group for the Kubernetes security audit.

Great. And then Justin Cormack.

Hi, I'm Justin Cormack. I'm helping out on assessments and various other things.

Hi, Robert Ficcaglia. I'm also working on the policy work group and I'm leading the Falco assessment process.

Super. You need to PR yourself to the README.

Oh, okay.

So we can add you officially. And also I'm asking people... I think we did an edit to governance a while back that if you accept a role, you are responsible for having reviewed the governance and the details and responsibilities of being a member and being the person in your role. So, Robert, I'm gonna just start with you and require you to have some assertion that you've read the stuff in the governance. There's a lot of important detail in there and I just want to make sure folks have read it before we...

And is that a commit I make, or just a comment, or...?

So when you do the PR that says you're... the policy, you know, we have the leadership roles in the README. Actually, I won't take the time to screen share, but in the README I refactored it a couple weeks ago so that it has roles in a section. So we did this basically because, when we were sorting out the priorities for the security assessments, because they're prioritized, the TOC can... we're giving them the authority to intervene and reprioritize, even though
that doesn't happen that often, we needed to specify the different roles. So basically for the working groups, or the different ongoing projects, we have a project lead or working group leads, and then we have a chair who's responsible. And so the chair acts, if the TOC is ever like, hey, we want information or we're concerned about this particular subgroup or work stream, then there's a specific chair who's responsible for knowing what's going on and being able to communicate. And vice versa, if the group feels like they need something from the CNCF or the TOC, then the chair is the one who will follow up and file a ticket at the service desk or bring something up in a TOC meeting or with the TOC liaison. So we're just kind of divvying up the chair roles so that every subgroup has a point person to go to. And all the individual naming of people, we've decided, is in the root README. So, Robert, just add yourself to the root README and then assert that you've read the governance roles. And when you're reading it, if you're like, this isn't totally clear what my responsibilities are as one of the leads of a project, then that's a good time...

Yeah, excellent.

You can open an issue. You don't have to actually resolve the problem before we... because you're already acting as lead. I mean, we're still a little bit in the bootstrapping process. So, you know, the policy group has been going on for a really long time, but we're kind of formalizing it and writing out the governance of it after the fact. So it can be a little light on the process. Great. So I will just kick off our agenda with Craig talking about the Kubernetes working group for security audits.

Yeah, sure. Thank you for the time to do this.
Yeah, so basically some history. The security audit working group was formed by the Kubernetes PSC sometime last year, and we went through a round of audit...

PSC, the Product Security Committee? Council? Committee?

It's been both. It's the Council now, I think.

Okay, thank you. So that's a group inside Kubernetes, in the Kubernetes ecosystem, that's focused on the security of Kubernetes.

Exactly. Yeah, they handle triage of incoming security vulnerability reports and things like that, and then release. I don't know, Joel from our group is a member of it, and it sounds like maybe we have some other members on the team, so they can probably explain it better. But essentially, managing and triaging vulnerabilities related to Kubernetes. And so we went through the whole process of a request for proposals from vendors, evaluating those, setting the criteria for what we wanted the audit to accomplish, and then having this big audit and threat model done for Kubernetes as a product. That was released at the end of last year. We are ramping up to start another assessment, and after Kubernetes and a lot of press and articles about it, there's been more interest in our working group. Since then, SIG Security's formed. You all have been doing a lot of great work with a lot of other security assessments, and we were, as a working group, sort of the four of us as leads doing our own thing, not really out in the open. Not intentionally, or not other than, you know, contracts and things like that with vendors. But with the additional interest in our working group and what we're doing, we're just looking for some guidance and advice on what you all have seen that works, how we can be more open about what we're working on, if anyone else is interested in helping out with this round of creating a new proposal, getting a new assessment going, and things like that. Basically, we've been so successful we don't know what to do with
all the people who want to help. And you seem to have a pretty rigorous governance system in place, and we'd love to learn from you.

Great. Well, thank you. We've been working hard to make it so everybody is able to act autonomously and communicate. So, first, one thing that I'm not sure that you've heard about, or maybe not even everybody in this group has heard about: we sort of switched up the process in the last... I don't know, since last KubeCon, where all of the CNCF projects that haven't yet, that at a certain stage can ask for an audit, now anyone that hasn't, when they first ask for an audit, we'll make sure they do a security assessment first. And so we are envisioning our assessment process, as we've actually designed it, to be complementary to the audit, because why be redundant there? And also that kind of works well for the kind of expertise we have. You know, there are people who do security audits in their day job and they don't particularly need to be doing it as a volunteer in this group. And the real value of having the diverse experts that we have in this group is being able to have an outside look at the project and understanding, sort of, what's it supposed to be doing anyhow, right? And what is the threat model, and how does that fit in with other projects, kind of trying to tease out the ecosystem from a security perspective. And so we're envisioning this thing... like, we're bootstrapping, so things have happened out of order in the past. But as we went through the audit process, sorry, the assessment process, last year, what we realized is that the majority of the documentation, or like half of it, I would say, is: what is this thing anyhow? What's it supposed to be? And a lot of what
we end up adding value in is helping a project see where its bounds are, or communicate where its bounds are, because what we find is that a project will be like, well, of course we're not doing that. But looking at it from the outside, that's not at all clear. And so, anyhow, I just wanted to mention that. And I think it would be exciting if you wanted to go through the assessment process, because now you've done a lot of the pre-work, and it would be the first product like... Kubernetes is a many-part project. We may be getting a little bit of that with SPIFFE/SPIRE because it's a spec and an implementation, right? That's sort of a mini project with different things in it. And in-toto was kind of like that too, a mini project with different things in it, because it's got different sub-projects. But Kubernetes is a really big project with many things in it, and I'd be curious about that. But first I want to give Justin Cappos the floor to chime in, because Justin Cappos facilitates our security assessments and actually was doing this before we were, and brought his experience as a TOC contributor doing audits slash assessments, and that really is what informed our process and kind of kicked this thing off. So, Justin.

Sure. I'm not sure exactly where the best place to start is. I mean, I can talk about some of the history of that and some of the things we've done with, like, SPIFFE/SPIRE assessments and the way that we set things up, and these are different. But I'd also like to kind of hear from you about what you'd like us to discuss and talk in more detail about, how can the things that I say be most useful to you.

Well, first off, Justin, I was wondering if you've thought at all about whether our current format for security assessments would be plug and play with a project like Kubernetes, or would you be thinking that
it might need some tweaking?

I think mostly it will fit. One thing that we haven't done that much in the assessments we've done so far, that we did do in the SPIFFE/SPIRE assessment, that you probably want to borrow, is dealing with basically failures or attacks or things that have multiple different components inside of them, and have an attacker that can sort of move between components because they get access to one thing. So rather than sort of thinking about individual points in the system as being separately compromisable and separately vulnerable and providing separate security guarantees, thinking about what happens when somebody gets into place A and how they can use that to then move and compromise B, C, D, E. Because obviously in any type of distributed system like that, like Kubernetes, it's much more of that type of thing than some of the things that we've been doing assessments on to this point. It becomes a much broader concern.

Actually having a bit of a language barrier. Can I ask a couple real quick questions?

Yeah, I caught that. With Jay and Joel on the line also, we just kind of brought everybody. Apologies. So chime in if they have something to say.

What is, in the vernacular of this group, what is the difference between an audit and an assessment? Because a lot of times we use them interchangeably.
Yeah, okay. So an audit is something that's typically going to look at source code and look for very specific vulnerabilities at quite a deep level. An assessment is trying to understand sort of the design of the system and the components and the way that they work together, and it looks more at a sort of modeling and understanding things at a higher level. So you often won't look directly at source code in an audit. An audit will catch something like, here's a buffer overflow. An assessment will do things like point out, hey, you know, if somebody breaks into thing X that you didn't think was important, there's a big problem. Or, did you realize that you're going to be leaking all this sensitive information into logs, and the typical way you set it up is you put these in some public forum? So there's a big privacy concern in the way you've done this in your system, and so on.

I see, I see, that's interesting. Okay, so I think maybe we might need to back up a few steps and explain what it is we've been doing, what we intend to be doing, and what kind of help we think we might need. So the four of us who have joined you today have backgrounds in Kubernetes and security, and we were asked to help facilitate getting a third party to come in and perform an audit. But in our case, we actually asked them to perform an audit and an assessment, in your vernacular, because we thought both were really important to the security of the project. And we finished that whole ordeal. So we ran a comprehensive assessment and a comprehensive...
Well, that's maybe the wrong word. In-depth assessment and in-depth audit of Kubernetes. And got the results back, and those are probably available, and I think that they would be an enlightening read.

We've looked at them, and actually had the folks who did this give a keynote at one of our prior meetings, like an in-person meeting that we had.

Oh, you guys? Oh, great.

Yeah. It doesn't matter, I'm bad with names, so I'll let someone else chime in. But yeah, it doesn't matter. Yeah, yeah.

So... sorry, you go, you go.

All right. Yeah, and looking at that, I mean, I think they did a very nice job at both things. But I think also that there were some questions around the parts of it that would have been in an assessment. There are things that would have been caught within an assessment, which tends to be a little lighter weight, and there was a fair number of things where, and I'm just speaking from memory, I'd have to go back to pull up examples, but there were a fair number of things that said, well, we're going to consider these things important and these other things out of scope, and just kind of dive in and get this done.
Yes, and the assessment process would definitely spend more time thinking and reasoning about that, and would be something that is more appropriate for folks in your community to basically go and help to guide with, because you may also understand things about how the system is deployed and ways in which people are using it and stuff like that, that might be hard for them to necessarily fully understand, all the use cases and stuff like that. And so that can help you to sort of figure out where you want people to dive really deep and look in and do more of a deep source code dive. I will also say from my experience, although I'm not saying that's true of the situation you had, you seem to have had a good team go through and do the assessment slash audit, as I guess we would call it in our vernacular, but I have seen quite a few firms that are quite good at doing audits but are not very good at doing assessments, because the skill sets are similar but not the same. You know, being able to find buffer overflows in code does not necessarily mean you've really taken the time to understand how the software gets used in practice, and whether there's some UI thing that's going to just confuse users and make them default into insecure configurations really often, or all the other weird stuff that just comes up.

Yeah, philosophically I think we're in agreement, which is why we asked them to build a threat model. At least that was the motivation behind it, as well as the rapid risk assessments.
So maybe... I don't think I understand fully what it looks like for a project like Kubernetes to go through your assessment process. Like, I assume that we have to dedicate some energy into helping that happen, and then I assume there's value that occurs. I just don't really know what that is. You know, again, philosophically, we knew that we had a pretty time-boxed and, admittedly, financially boxed effort, so we did have to scope it pretty tightly. And then we plan on coming back in subsequent years and expanding on the research that we started initially, given the fact that we do have more people.

What? Oh, no, go ahead. I was agreeing. I was saying, oh, yeah.

But given the fact that we have a lot more interest coming from the Kubernetes community now, it could be that we have helpers who could help facilitate us going through your assessment process, in addition to hiring another outside firm to expand on the threat model and to perform a...

I just wanted to say, I just dropped a couple of things into the chat. There's our overview of our process, it's in /assessments in the repo, and then there's an outline. The process includes the project doing a self-assessment where they write this outline. And one of the benefits of that, or what we're hoping, expecting to happen once we have a bunch of these, is that if somebody's new to cloud native, they'll be able to see all of the CNCF projects with the same format, right? And then they can say, does this project match my risk profile, right?
And so it's an opportunity for Kubernetes to match that format and be part of our catalogue. It would be kind of sucky not to have Kubernetes in that list once we have more than a few. And so I think that would be high value to have. That's a big... we're anticipating that's a key value that is sort of independent of the work that the security experts do in the community here, right? And then I think the other thing that we get out of SIG Security, that a paid service is not in a position to do, is that if we see gaps, right, a project may well say, wait, that's not outside of the scope of my project. But then we have a community who would say, oh, well, I do this here, or I use this thing here, and it helps us build that muscle, and we might make a recommendation that, oh, why don't you create a page in your docs that says, here are things that you can use for this thing that we don't do. And out of that came, you know, when we did work with in-toto, Santiago was very clear that this doesn't mean there are no vulnerabilities in your supply chain if you use in-toto; there's a place that it begins and a place that it stops. And so that led to his contributing the catalog, the list of supply chain compromises that he had collected. And we have a little sub-team working on categorizing that to help the community understand that. So in that case it was a piece of documentation that came out of it that was bigger in scope than in-toto, and so similarly there might be some edge of Kubernetes where everybody inside Kubernetes is like, well, of course we don't do that. Yet what I'm hearing in the community is people new to our community, or the bigger cloud native community, hear, if you want to do cloud native netties, and they get
they get the impression that that will solve all their problems. And then they quickly learn that's not true. But then the documentation of what do you do in addition to Kubernetes is like, well, do whatever you want. And that's not... that's not right.

And I think also some of the value that the projects themselves get out of this, a good way to see this is you can look through the SPIFFE/SPIRE... there's a couple things on SPIFFE/SPIRE. One is they've done some of the pre-assessments. They're actually going through our formal process now. But I wrote a couple blog posts along with folks from the SPIFFE/SPIRE team talking about what we found and why this was valuable. When we went through this, it wasn't really our assessment process before, and fundamentally it really helped them figure out that things that they didn't think were that important from a security standpoint were actually really important and needed a lot of focus, and some things they'd spent a lot of time on weren't actually going to contribute very much to their security posture. And it really helped them kind of redirect and look at things in a much better way, and also made it so that somebody coming into the project and trying to understand, what does this do, what does this provide, what doesn't it provide, what do I still need to be worried about, they get that information, as Sarah was saying, in a format that's sort of easier for them to digest and look at and understand.

I think I'm seeing the value of the self-assessment, and I will definitely take the time to go dig through your formal process that you've documented. It turns out, I just learned, unfortunately I have a hard stop at 10:30. My apologies.
I didn't know that. I would also like to hear a little bit about how you're managing a community as large as your community, and how you've found ways to engage lots of people and help them contribute to a larger scope of products that you have. And I'd also like to get thoughts and insights from the other... the outside insights from the other working... to the things. Okay.

Wait, wait, wait, I already had a hard stop in two minutes.

Do you want to...

I do, but they'll all stay and they'll tell me everything that happened. I, unfortunately... there's a lot going on at work.

Yeah, I'll forward it. Great. So, Justin, I cut you off. Go ahead.

Okay. And by the way, I'm getting some lag with some of the discussion, so if I'm talking over people or things like that, let me know. It's probably a network thing, and I apologize. So in general, what we tried to do is just try to encourage... there's a lot of people that I think want to be involved in security and want to help out, but maybe aren't that confident. Like, they feel like they've done a little bit, and so on. And then there's some people that have been doing this for a long period of time and feel very comfortable. So one thing we tried to do when we do these assessments is, first of all, we try to be welcoming and try to build a pretty big group, not only to get a lot of different perspectives, which is really important to do one of these types of things, but also to sort of train the next generation of people who are going to lead the next set of security audits. And I don't know the actual numbers, but there's something like four or five people per security assessment that we're doing, which tends to be quite typical, of which I'd say maybe one or two of them are people that didn't necessarily view themselves as comfortable going in and being a sort of equal member, but I think rapidly kind of get up to that level. And we try to be supportive and encouraging about things.
Working with the folks has also been really key: trying to give them good feedback, trying to have the process they go through where they provide the self-assessment, we iterate back and forth with them quite a bit to make sure that this is as clear as possible. And one of the other things we're trying to do is, because the documentation we want to provide is supposed to be useful to lots of people, really anybody who's contributing to security, has a level of security background, they should be able to understand anything in the documents that are provided. And so there's sort of this opportunity to... so I'll just draw from my own experience, because I'm a professor at NYU. When I have new students come in to a project and they're doing things like going through the documentation, I tell them very explicitly, what you're doing is really valuable right now. You have something that none of us has: you have an outsider perspective. Right, so you can help to fix our documentation in a way that we can't, because to us, we know what all these weird terms we invented mean, and all this other stuff like that. But other people won't. And so getting that perspective in, and getting the documentation to be cleaner when everybody's talking about, oh, we have this agent and this and that, and it's like, well, what does your agent really mean? What does it really do? How does... what does that mean to people that haven't been steeped in your knowledge? Yeah, and so that's a big part of it. And of course maybe Sarah, others want to say more about... she's been great, and others in the community being great, bringing people in and making this a friendly place.

So I'm going to drop. Thank you guys so much. I'll check in with the work group when we're done. We'll probably come back, say hello again.

Great.

Thanks, Sarah.

So yeah, I'll chime in a little bit on the process stuff.
Because I've done a lot of open source and grassroots organizing, and have done stuff in the private sector and the public sector, and a lot of remote async work, and basically the philosophy is anyone should be able to come to our repo and be helpful and get involved without talking to anyone. Not that we're not happy to talk to people, but it's all transparent, and that takes an incredible amount of rigor, right? And it takes, like, you know, we have an open issue with the conflict... I work to write everything down, and then when we actually need to use that, we're like, wait, this doesn't make sense, this is ambiguous, right? You have to practice people using these guidelines for it to actually work. But then that means that there's always a smooth path for people to step up and do something. And we have this philosophy that there's certain things that the TOC prioritizes, right? And those of us in named roles, like the chairs, were like, okay, if the TOC asks us to do something, we'll do it. They might have to prioritize things in a queue, but we serve at the pleasure of the TOC. But everybody else in the group is here for their own reasons. And so if somebody feels that something is important and they have the time, and we have the bandwidth to coordinate it, then that gets prioritized. Right.
It's not that anything gets prioritized just because somebody wants to do it, because we want to have peer review and a certain group bandwidth. And so I think that the fact that people see things happening, that they raise their hand, they want to make something happen, and then, after a while, we queue it up and it happens, I think that helps. Like, you want to have a feedback of lots of people doing things that are actionable, and they move on. Does that all make sense? Does that help? Is that the kind of thing you might have been looking to find out?

Yeah, definitely. That's super helpful for me, to hear that experience, and I think there's a lot in the repo that we can go and give another read and learn from as well. So thank you for sharing all those resources and information.

So the other thing that... great. Oh, sorry, did you want to...

Sorry, I keep on muting on my phone but not on the screen. So I keep trying to talk, but my own muting is stopping me from saying anything. Yeah, so for me, Joel and I are the other two working group leads on the Kubernetes third-party security audit group, and I think the biggest takeaway for me here is, wow, I've got a lot to read. I can't wait to read more. I started to read the SPIFFE/SPIRE self-assessment doc during this call. Sarah, it's just been really awesome for you to paste all these links in. And so I just want to read and understand more about what
the CNCF SIG Security assessment is, and understand the gaps. Like, where are places where our threat model did a little bit more than you do? Where are the many places, potentially, where our threat model did a lot less than what you do? And that'll give us a... part of the reason for that gap analysis is, if we know the places where the threat model may have fallen short of the assessment model you guys do, then we can take all the volunteers, all the signal, all the working group members we got out of KubeCon, and ask them to help us fill in the last year's worth of effort, to at least have it so that our first go-round we're doing this sick click play is more complete. Because that sounds great.

And then, great. And yeah, I just want to say one other thing. You will see a little more of this in the SPIFFE/SPIRE audit than is required in our format. But the SPIFFE/SPIRE audit, as I mentioned before, they worry more about collusion sort of cases, which I think is very appropriate for the project. And also as part of that assessment, we did a much broader examination of trying to quantify the risk of different types of compromises, to prioritize where they would put efforts to fix things. Whereas in the normal security assessments that we do for other projects, our goal is to really find out the current security posture, not as directly to go through and try to make detailed recommendations for their team to guide their development, which was a much stronger focus when we did the SPIFFE/SPIRE assessment.

So I think there'd be a... sorry, go ahead.

Would there be one that you guys think... like, if we were to read SPIFFE/SPIRE, so if we were to take a kind of reading list, it
seems like SPIFFE/SPIRE is on the list, the overarching "this is what we're doing, this is what we call each of these things." But is there a second assessment that you'd recommend that we also look at, to kind of get those two, like you're going to describe what you did for SPIFFE/SPIRE and then what you did for others? And I'm game for reading too.

Yeah, so I think one thing you also might want to do is read just the blog post that talks about the work we did for the pre-assessment, because this is kind of the value that people saw coming out of it. And it's a two-part blog post; part two is linked off of part one. But in terms of another assessment, I think you could read really just about any of the other assessments, like the in-toto assessment, and get... it's going to be very similar, obviously, but it's not going to be identical. Whereas the SPIFFE/SPIRE one, they'd done some extra work in some areas, and maybe there were a few things that they didn't quite need to do for this. Like, only later did we add some of the discussion about how is your software actually built and who reviews things and stuff like that, where that wasn't part of the examination. You know, I didn't look at how they built SPIFFE/SPIRE, the SPIRE support they were using, as part of that initial pre-assessment thing. But the SPIFFE/SPIRE one is, I think, the most exhaustive one that we've had, due to the fact that they've had both of these processes happen. But something like the in-toto assessment, which I can post a link to in a minute, would be, I think, more representative.

Okay, so SPIFFE/SPIRE, in-toto, the two blog posts, and then the standards that Sarah's been pasting in. Sarah, you're muted.
You were talking about your... Oh, I think, yeah. So I want to leave a little time to talk about KubeCon, and I just wanted to... maybe we can have a point person who would be interested in following up. I think that there was a Kubernetes threat model that was presented last week from the Financial User Security Group, and we had sort of like, well, that's not really particular to finance, and we were thinking about, you know, should we move it? We should at least refer to it from our repo, and they move it, and then if there are volunteers who are enthusiastic and either knowledgeable about Kubernetes or wanting to learn about it, there are some ideas about presenting it in different ways, you know, maybe experimenting with different parts of the tree. So if you have interest, maybe I can follow up offline with one of you.

Sure. I think Joel and Craig and I will probably nominate Erin, under "whoever's out early gets things assigned to them," as the first follow-up. I'm sure one of us will help defeat your clients. But you said there's another Kubernetes threat model besides the one audit that we did? You said there's one out of a financial group?

So they did, like, an attack tree, and...

Oh, nice.

It's really nice, and it's nicely presented, and I think the format is cool, like a Bruce Schneier paper. And we had some discussion about alternate ways to present it, in terms of, you know, what's a link and what's a node, that Justin Cappos brought up, and I've been needing to write up an issue for, like, hey, maybe somebody wants to do that. And so if I wrote up an issue, like, maybe somebody from your group would be interested in helping with that, and we could collaborate on bringing that into more of a general forum, right?
And then, you know, you could chime in and say this is our threat model description and so forth.

Was that presentation something that was done in this meeting, where we could go and watch the Zoom recording?

Yeah, so last week's recording should be on YouTube by now.

Okay, I'll go watch it today.

Jonathan, who worked on that, had reached out to us while he was working on the process and while we were getting our reporting done, and we weren't able to get too much collaboration, but I really love the results of all the work there. So it's great to see. That's not my lunch video now.

All right. So now, thank you very much for coming in and talking, and if anybody from the group has... I wanted to give time for other people to chime in. Please mention things in chat and then we'll circle back async if needed, and work together, and you'll hear more about this. But I wanted to just, for a few minutes, chat about KubeCon. Normally at KubeCon the SIG has an intro and a deep dive session. The EU venue is more space constrained, and KubeCon keeps growing, so we will have one session, which I think is fine, because we are also having a Cloud Native Security Day on day zero. And one of the things that I asked Amy is whether we could have a location. One of the things that happened at the last couple of KubeCons is people are like, "Where do we meet?" and we're like, "We'll meet by the puppies," and it's all async via Slack, but not everybody's on Slack.
So I was thinking of figuring out... I'm sure we can get someplace with a sign that we know ahead of time, that at least has some places to sit down and/or a table, so that we could, at minimum, have chairs there, but maybe we could basically have office hours for security, or a place just for us to meet each other. And I wanted to just see if people had thoughts, ideas. This is the time: if you want something from SIG Security at KubeCon, they were very influenceable. And then the other thing: I wrote up the description to be an introduction to cloud native security, rather than an introduction to the SIG, because that was kind of based on a bunch of feedback. So I thought I would just try that this year, and I might ask various people here to present parts of it. I haven't quite figured out what it's going to be, but I think that would be of better interest, and then we can surface a bunch of the resources that we've provided and leave some time for people to meet people with the SIG. So, thoughts from the group?

Yeah, I'd like to mention one thing. So the projects, like the maintainers of projects, are offered to be able to have a booth, or to share a certain booth, and have sort of office hours during the event. Was that also offered to the SIG? Because this seems like an ideal way to do it.

Yes. That was not... I have requested that.

So I'll chime in here. I want to be able to give everybody everything that they want, but as we've noted, Europe is really, really space constrained. What I think we can probably do is definitely get like a meeting place sign set up. I am not sure if we've got the space to be able to have the SIGs also included in the project pavilion.

Yeah, so I'm not saying that it has to be any space.
It isn't already planned. It's just that we pick one of the many meeting areas to put a sign, ideally one that we would know ahead of time, so that it can be... because not everybody is on it, and it's hard sometimes to communicate to new people, you know. So it's really just picking a spot, making a sign, and having a sign. Amy?

Yeah, no, that's totally fair. Right now our events team has actually been pretty busy in getting the schedules put together. As we move forward from here, we'll be able to actually give more information about how the project pavilion is getting set up and other pieces on site. So yeah, but I mean, the last time we met with the puppies, right? Like, it totally doesn't... I mean, it might be nice to be wherever you think it would be good.

I mean, we could also potentially meet at one of the security projects for some time. You know, I think that the actual venue is flexible, but what I wanted was to get feedback from the group. And thanks to Amy for chiming in, because I'd heard that, but I think everybody needs to hear where we are in the process of preparing for KubeCon, so I appreciate that. But I wanted to hear from the group whether people would be interested in participating in office hours, or you just think it's a good idea which should have been there when you were new, or you don't care. If you don't care, you don't have to say anything.

I would be interested in participating. And we actually decided not to do a TUF maintainer booth thing like that, in part because we think we get enough traffic during the talks and things like that, that we're able to really connect with most of the people that we need to. So I do wonder... it does seem like, you know, maybe there's a way to do that, or maybe there's even... I'm going to go off on a tangent here.
That's probably a bad idea, but I just want to throw it out there. So in some ways it would be nice also if we could select like X talks and say, this is the security block, so that we don't end up in situations like we have in the past where there's talks on TUF and in-toto at the same time, or talks on SIG Security at the same time as, you know, Notary or OPA or something else that we all might want to go to. And then, if that were to be a thing, that might also give a way for, as people stumble into that, you can kind of chat with people and learn about security and sort of have the crew around. But yeah, once again, I apologize for the tangent.

That's okay. That wasn't nearly as bad as I thought it was going to be.

As I look at a draft of the schedule, I will review it to see if there are obvious conflicts like that.

Great. Thanks, Amy. Are there folks in the SIG who have thoughts?

Yeah, I think it's a good idea to have somewhere that we have an advantage. I mean, there's enough people involved in SIG Security. I mean, again, just now we didn't ask for a booth or anything for Notary, just because there's not enough people to be able to have anyone there all the time. But for SIG Security, I think we could have kind of office hours in a more kind of... any way that doesn't interfere with other people's ability to go to talks and things like that all the time.

Great. So yeah, we'll see if we can set that up, and we'll, you know, look... as we figure stuff out. I don't know if Dan's still here; I didn't introduce him. So there was one more thing about KubeCon that I have not spaced. So I think that... oh, I was going to mention the TOC. So, for those of you who don't know, the TOC is having elections right now. We have a board of folks who are being nominated for the open positions on the TOC,
and the TOC is kind of paused in its voting while it's onboarding new members. We have identified some folks who have agreed to be nominated as tech leads, who have been very active in this group. So we nominated Justin, Emily Fox and Brandon Lum, and I got a "Yes, I agree to be nominated" from each one of those before I communicated it to the group. So, yeah, we're sort of figuring out the process as we go, and I have some PRs out on the TOC repo to try to clarify this thing. So I just wanted to mention that that's going on too. And then we're going to nominate them, and then they'll be voted on by the new TOC when it's appointed, and that will probably all happen async. And then we're anticipating that we will over time have a larger group of tech leads, but we want to start with kind of a small group of people who've been playing leadership roles, so that we can just kind of expand the leadership team capabilities. Those of you who were around at the very beginning of SIG Security, which was like six, seven months ago: what we decided to do at that time is our current chairs, Dan, JJ and I, are chairs who also act as tech leads, because the TOC separated the roles. The chairs have a sort of more administrative, facilitation role for the whole SIG and how it fits in with the rest of CNCF, and then the tech leads are expected to be deep subject matter experts who could do a deep dive on a project and are kind of deep in the topic matter. I mean, of course the chairs would be knowledgeable about it. And so we wrote in our governance that as soon as we had two tech leads, then the chairs can sort of step back into that facilitation role. So I still have to... I caught some things where our governance isn't aligned.
But now we are out of our bootstrapping mode, or we will be as soon as we actually appoint tech leads, and then we'll be sort of disambiguating the chair from the tech lead role. And in the future you could have a chair that is a tech lead. So in June Dan Shaw's term expires, so that we can have staggered terms, and then we could have somebody who is, you know, maybe more familiar with the security landscape from a business perspective, who wouldn't be somebody who could also be a security reviewer or something like that, right? It just sort of expands the set of people that we could potentially have as a chair, and it aligns with what the TOC decided to do with the SIG roles. So I wanted to make everybody aware that that's going on, in slow motion. And I'll open the floor if you have... I think Amy knows more about the TOC process, if anybody has questions.

All right, then. Thanks, everybody. We'll end a few minutes early. Chime in on Slack if there are any follow-ups. And thank you, note takers, I really appreciate it, catching up on notes. Thanks, everybody.