Good morning, afternoon, evening team. We'll wait for a few more minutes and then we'll get started. This is JJ. Hey, JJ. I was wondering if we're having something like an awkward silence contest. I was trying that and Justin Cappos obviously lost that. You've been on track to win, Andres. I think it's always interesting when you join a little early and then you see larger meetings. Hey, Brandon. Hey, La. Good to see you. Good to see you. Yeah, this is a passcode thing, you know? This is the first time I got the prompt. Oh, the passcode? Yeah, I think they rolled it out a couple of days ago and it's causing everyone to be unhappy and all this. Yeah, I'm going to go update the README. Everyone is being forced into it, I guess. I didn't get the prompt for a password, it just let me in. Well, the meeting invite was updated with a new URL that includes the password. Right, that's what I saw. Yeah, so that's making it unclear if that's really a password per se. I mean, there are things that rely on laziness. And this is one of those things where you won't remember it, therefore it's secure. Yeah, I feel like it's more of a preventing-bots-from-randomly-guessing-the-Zoom-ID thing. Yeah, but given that the calendar is public with the link that includes the password, it's not entirely clear how effective that's going to be in the long run. I mean, actually writing the password next to it in the text is probably more effective. Yeah. Awesome. All right, let's get started. I will need two scribes. It took some time last time to find a scribe. Thank you. Anyone, any update? Anyone volunteering for scribing? So we have a few things that I think we would want to cover. Please, everyone that's there, mark your attendance and then mark if you have any updates that are going on. I'm going to put Vinay on the spot to give an update on the white paper. Sure thing, JJ, right now? Not right now, so as we go through. Oh, sure. So Justin, Cameron, Mark, Kitte, Vinay, TK.
I think there are a couple of new folks in the call that are not in the meeting minutes, maybe. Meeting minutes, so we call them out. Yeah, maybe do some introductions. Yeah, sure. So I'm Tanner. I'm a senior manager for cloud security architecture and DevSecOps architecture at Lowe's. We're a big proponent of the CNCF. We use a lot of the tooling that's in the incubation stage. So I thought I'd take the opportunity to join up, start steering the community towards some of the products that we're using, some of the products that we intend to contribute to. Thank you. I think I'm the next one who joined. I wasn't sure if I'm the only one. Hi, everyone. My name is Eli Nesterov. I am with ByteDance. Probably some of you have heard about this. But if I say TikTok, probably everyone will start smiling. Yeah, I'm an engineering manager. We're working on security infrastructure and infrastructure security in general. A big fan of SPIFFE and SPIRE. And yeah, we're rebuilding lots of new stuff in our infrastructure and being early adopters of lots of CNCF projects. But I'm more on the security side. So my points might be valuable for different things we are working on here. So this is why I decided to join, and I'm looking forward to learning from all of you guys. Welcome, Eli. Thank you. Hi, I'm Trishank. Not entirely new, but I'll introduce myself again. I'm a security engineer at Datadog. And I'm involved with some CNCF security projects, like TUF, in-toto, Notary v2, CNAB. I know some of you folks here. Nice to see you again. Nice to see all of you who are new. I'm also here to follow developments in the SIG Security white paper, which I'm very, very excited to learn from and contribute to. Thanks. Awesome. Thank you. Awesome. Aradhana also had trouble with the passcode logging in. So she's trying to log in. I think she has some presentation for today. So today, we have a few things.
One major update that I have is, I think most of you have seen, there was a vote for SIG co-chair and Emily Fox. The results are out, and Emily Fox has been selected as co-chair by the TOC. And thanks to the TOC, and thanks to you all for chiming in on how wonderfully Emily has been able to help and be part of this group. So I did link the results issue there. Later today, I'll do a PR to the repo to make the required changes happen. But I don't think Emily could join today. But if she watches the video, congratulations, Emily. The second update that I had is, I don't know how many of you attended last week's assessment thing, Brandon, if you want to, if there is anything that we can update on that, that will be good. Yeah. So we're still in the process of, we sent out the poll, if you want to be involved. We're coming to the end of the first five security assessments, so we kind of want to take a step back, look at everything, see whether there are ways in which we can improve on the process, on the documentation, and try and kind of see what are the next things for security assessments. So there is an issue that's open. There are talks about this. Let me link it. I'll link it in the meeting minutes and the chat. But we've created a side channel, security assessment working group. I will paste that thing as well. So we have a poll kind of trying to find a slot where people can meet up next week, depending on time zone. I know Justin Cappos is in the Eastern time zone now. So we may end up doing like one or two separate sessions. But we're going to start off the brainstorming process and maybe split up into several PRs that we can then work towards. Awesome. OK. So, one question. Sure. So we had made the determination, perhaps a couple of months back, that we would only be doing one assessment at a time. Or we would only do one more before taking this pause and processing, integrating, reassessing, everything.
And at that time, we had other projects in the queue that had requested an assessment, speaking specifically about Buildpacks. So perhaps it's worthwhile to reach out. Maybe we don't have the clarity of how long redesigning or evaluating, maybe not redesigning, but just re-evaluating, is going to take us. So we may want to give them like, hey, it's going to be a while before we get back to you and take it up. So perhaps, yeah, just some community reach out to projects that may be standing by on an assessment to be performed. I think that, if I'm not wrong, the last time Robert was trying to get more people onto Buildpacks. I think if we hit the critical mass to go for the assessment, I don't think there is a need to wait on improvements. I think it's not. The process isn't. It's fine, right? I don't think there's anything that's any huge red flag that we've seen. Most of the suggestions so far have been improvements and quality-of-life things. So I think that we don't want to get in the way if we find that the project is able to put some time in. We found a group of security reviewers to do it. We should go ahead and we shouldn't kind of wait for that, because sometimes it may be difficult to get people back even saying that, oh, let's push this back by a couple of weeks. People may not be free anymore. Yeah. I will paste the link to the issue. I think at the time, well, just looking back to the notes, something had come up for Robert and I had stepped up as lead reviewer. But in conversation with Justin elsewhere, not in this thread, I think it's another issue, he said, hey, we have a lot of people focused on Keycloak right now. Perhaps we could get another team going in parallel of different individuals. We can just do a call for participation for other reviewers to jump in. But let's just cap it at doing the five and then get to Buildpacks. So I'll paste the issue here.
Sounds like we may want to put together a crew and reopen this issue. Yeah, thanks for taking that up. I will say my conflict of interest has changed since I put it in there. I will edit there. I have since joined VMware, which happens to be the corporate entity behind Buildpacks. But there's no hard conflict. I think it'd be more of a soft conflict. OK, yeah. And Keycloak is kind of just winding down. I think it's pretty much in the final stages. So I don't think that there is a conclusion about that. The corporate entity behind Buildpacks is not the correct wording, given it's a CNCF project. There are just some maintainers from VMware who work on that, which is not a blocker. Thanks, Justin. Yeah, good call out. It is incorrect wording on my part. And yeah, good clarification. It is a CNCF project. Yeah, Andres, if you want to comment on the issue to kick start that, that'll start the thread. Will do. Perfect. Awesome. Aradhana, I know she has to drop off a little early. So maybe we'll split the presentation into two parts, the intro today and then push out the presentation to the next time. Sure. Happy to do that, JJ. Thank you. So I'm part of Cloud Security Alliance and a research fellow for them. And we have a number of initiatives right now related to containers and microservices. One of the workgroups that I'm leading is security controls for serverless, or serverless best practices. So as part of that workgroup, we have a white paper that we are publishing. And we had lots of interesting discussions about what is serverless, right, the definition of serverless and whether it's just function as a service or it is container as a service serverless, right? It may be serverless to the consumers, but essentially it has infrastructure underneath that somebody else is managing. So we decided that the scope of the project is going to be container as a service, like EKS and those kinds of services that providers provide to us, and function as a service.
And with that context in mind, we have kind of developed a draft paper. Actually, it's a work in progress. We're still finishing it up. And then we've identified the scope and the landscape as well as the use cases that are relevant in the industry to serverless and CaaS. And then we've done a detailed threat model related to CaaS technologies and deployments, as well as FaaS. And then based on those threats, we've identified a number of mitigations and security controls for each type of deployment. If you have a function as a service deployment, what are the controls that you need to be cognizant of, orchestration of functions and what are the threats there and how do you mitigate them and what security controls you need to put in place? What about runtime detection and response for enterprises? And then obviously, similarly, security controls for container as a service as well. So there is a lot of overlap in different security controls that different white papers are proposing. We had done another project at CSA, which was best practices for microservices and application containers. Similar controls, I mean a subset of those controls, apply in this domain as well. So last Friday we had a discussion between different container working groups at CSA as to how do we bring it all together, because there is overlapping content in multiple of these initiatives. So I did mention to them the security work that we are doing here as well. And it seems like there are some synergies, and if you guys are interested, I'll be happy to bring in experts from there and set up a cross-connect session. Networking as to how we can collaborate, and ultimately they are also nonprofit and this is nonprofit open source as well. It is for the benefit of the wider user community as well as enterprises who want to leverage best practices.
So at a high level, that's what the structure of the paper is, and after the security controls, we are also talking about future direction, where security for FaaS is going and so on and so forth. But that's pretty much it at a high level, and we can delve deeper into the paper and the contents of it in next week's meeting for sure. Thanks, Aradhana. I think if there isn't an issue already, I'll probably create an issue, and if you can put the content into that issue and I'll link to the paper prior to next meeting, that'll help the team. Sure, I can do that. Yeah, I'll do that right after this call. Speaking at a, sorry to interrupt, just speaking at a really high level, we're definitely interested in that, speaking for myself, I guess. That's highly relevant work for what we're doing, it's relevant to the day job and it's kind of a daily concern for security teams if you're working in AppSec at all. Sure, Mark, I'll connect you to that group, and if you want to contribute to that paper, you're welcome to as well. Okay, great, that's all right. So Vinay, do you want to give an update on the white paper? Yeah, sure, JJ, thank you. So as most of you are aware, the team has been working on the cloud native security white paper and there's a lot of progress that's been made, and I think where it is right now is we're pulling the threads together. We've had a lot of comments come in and we're pulling all those comments in, incorporating them. And I think we have another, please correct me, JJ, if we have another couple of weeks, I believe, we're hoping to receive more comments, make the necessary changes from pulling the different sections together, as well as making sure that we have the right tone and voice and the right level of abstraction and addressing all the needs in terms of how a potential CISO could consume the paper, and then also discuss how it could be potentially broken out into multiple other papers to provide a deeper dive.
We're also making sure that we have all the relevant sections that require a deeper dive represented appropriately in the landscape paper that Brandon and team are working on. So that's where we're at, and JJ, myself and Gadi have made some decent progress on the illustrations that we're hoping to provide as a companion for the narrative as well, to really help anchor the discussions and provide some better context around the verbiage. So that's where we're at, and we're shooting for the next two weeks to really pull a lot of this together and have it ready for a potential discussion with the broader CNCF team, I believe. Yep, yep, yep. And so that's all I had, JJ. Thanks, Vinay. So a few other updates. I think Emily is not here, but she's driving the Cloud Native Security Day. I think there is a link up. It's scheduled for November 17th. It's a virtual event and there is a Slack channel where things are getting discussed about that, and there is a core group that's actually working on putting that event together, and if anybody is interested in contributing or participating, then that's where to go look. Yeah, just to add to that as well, I think there are discussions. So the last time we chatted about potentially having, because it's virtual, having kind of like a CTF-style kind of thing going on. So it's something interesting. Also, check it out. Yep. Yeah, we're still getting used to the virtual events. So Vinay, Vinay. Some interesting feedback I heard yesterday from presenting at the Open Networking in Taco Summit on Monday was that it would be nice to see shorter, denser sessions, because if you have like eight 30-minute-to-an-hour sessions, you're competing for the audience's attention with the rest of the internet, right? Or with their schedules.
But if, even if you're gonna do like longer breakouts, if you could condense, I don't know, everything that will be on the regular schedule into five-minute lightning talks in one hour, people could extract and not miss out, like just get the highlights or whatever the speaker wants the audience to walk away with. Things we can think about. Oh, nice. I guess, yeah. Things are turning out to be more like Twitter than a newspaper. So, no, it's an interesting thing. If there is feedback that's there somewhere and if you can post it onto the SIG Security events channel in Slack, I think that will help Emily asynchronously. I will convey this to Emily in our meeting, but I think if you post it there, it'll help the rest of the team as well. Quick question. Will it be a pre-recorded event or will it be live online? All CNCF events are pre-recorded, right, Brandon? Yeah, it's gonna be like that, basically. Oh, okay. So it's pre-recorded. I mean, it's like having more content might not be, like a longer session might not be a problem. Because if you're watching online, if it's an online event and pre-recorded, it's much easier to skip, but for some folks who just started in the area, having some background information and data might be helpful. So they might not skip, basically. Yeah, that's a good point. If it's on demand, it's less of a concern to compete for attention, but just having a reference digital brochure of all the content with a little bit of information, or just how this title fits altogether, or here's like, yeah, I guess abstracts kind of accomplish that. And if you put it on the side, I don't know. Like I think I'll start talking in circles pretty soon. So I'll start writing things down and put it on the event thread.
Yeah, it would be easier probably to, if there is an easy way to split it into chunks, like here's an intro, here's the main kind of parts to go along with the presentation, rather than basically needing to do a transcription of the whole talk for the details. Yeah, something like that. Okay, totally. Yeah, yeah. Yeah, so there are issues that are on the board that are waiting to be triaged. Any volunteers to help triage issues is much appreciated. There are some really interesting issues around Oscar and compilation flags. And then there is also the assessment outline which I think is locked. So those are all still in flight. If anyone can help, it's highly appreciated. What kind of issues and where are they? Right, I can find them. Yeah. You posted on this. Okay. There's some, any, yeah, take a look at those issues. If anybody feels they have enough to offer on any of the issues. Well, what do you mean by triage? You want us to like see if there are topics to bring back to the meeting or? Yeah, I mean, if there are topics that interest you in terms of like this is something that I want to take up and start working on, then you can. The ones that you want to bring up to the meeting where you think it'll be useful, we can do that as well. In addition, I'll go through my own thing of seeing if there is a fit for any issues that I could possibly bring back to the team to discuss. I'll do that as well. Okay. So that was kind of a pun when I said topics. Yeah. Yeah. All right, thank you. Thank you. Thanks, Mark. So that's most of the update. Brandon, any more updates? Anything to add? Yeah, I guess two things. So one of them is actually not really related to security, but a couple of us, myself, Eli, Andres and Emily as well, plus others, are working on a SPIFFE/SPIRE book. So that will be something to look out for.
Probably near the end of next month, talking about SPIFFE/SPIRE and kind of the open source projects and deployments and so on. It's a lot of good content. So I just want to throw that out there. You want to talk a little bit about how we're writing it? I'm not sure everyone's familiar with the Book Sprints methodology. It's essentially a process that's been designed to take zero content and go from concepting to production in three to five days in a physical room. But in current times, this has been adapted to two weeks online over Zoom. So think of like pair programming times 10, and a group of 12 of us have been putting in long hours, like 10 to 12 hours a day of undivided attention, writing a book online with others. And we did the first week last week, and we're getting together next week again. Yeah, yeah. Like that, Andres or Eli? Yeah, I guess the value of it would be to get early feedback from people who want to read through this and provide feedback. I think it's in a condition right now where it is a little bit too early. We're still identifying the gaps that we need to fill. But after next week, I think it will be in a good enough state to share with the rest of the community and get more feedback. We can see if we're kind of missing something important in there, but it will be close to the finish line and we'll just need to polish it up. Nice, nice. Back to you, Brandon. Didn't mean to cut you off. No worries. Well, the second part of what's going on, it's going to point to you as well, on the Cloud Native Buildpacks. I think you said that we're still looking for another two, three reviewers, what does that mean? Yes, whoever's interested in participating in this security assessment, we'd love to have your help. Whether you've done an assessment before or this will be your first one, happy to chat if you're on the fence or on the side, but if it's something you want to do, just go to the issue linked in there.
The Buildpacks team has completed the self-assessment already. The link is in the issue, so that's something you can start looking at, but I would point you first to go over the assessment process and get familiarized with the timelines and process that we go through. Is there like a standard process for assessment? Yes. Yeah, I was just going to say the same. So typically, I think what's been done is there's an issue, and then I think there's someone who takes up the baton and then calls for other people to join in the assessment. Is there a placeholder issue for this one? Yeah, there is. Yeah, I think Andres just put it in the chat. Yeah, issue 377. Yeah, maybe Andres, if you could also fill out the details of it as well in the first comment, like who's the project security lead and so on. I don't have the rights to do so. Oh, you don't have the rights to do so. Oh, right, because it's not created by you. Yeah. So you have to... Yeah. Yeah, let me do that then. If you can just put the details in, or if I can figure out how to give you permission to add that. Maybe, I don't know, if you assign it to me. I can't even assign it to myself. I don't know if assigning confers an elevation of privileges to edit the issue alone. Okay, I just did that. So maybe give it a go. Let's see how it goes. Yeah. We can figure this out. Thank you. For the book sprint, Brandon, if you think you'd want to have either a presentation or a review from the rest of the group, would you mind creating an issue, putting that on the agenda whenever you feel like it'll be ready? Yeah, I'll do that. I think probably at the end of the next one, which will be in time because we already have a packed schedule all the way to October. Yeah, no, that makes sense. Yeah, before we forget about that, that'll be a good thing. It'll also be a good thing for the team to have a preview of that in general.
Yeah, and outside of the topic alone, it's just a fascinating way to collaborate to produce content. You elicit the knowledge and experience from the subject matter experts from their heads and start just dumping it in writing, and just through an iterative process, it becomes a really consistent voice. And you get to work with illustrators who are just riffing off your ideas and turning them into images. It becomes pretty neat. Nice, nice, yeah. I'll read through that. Good, I think that's mostly what we had for our agenda today. If... I have a small, very small, administrative question. Go for it. I've been a scribe a few times now. Do we really need the table template thing? I always type in the one box there. Do we really need the table? It was on a trial feature. It was a feature that we put on trial to see how it works. So good to get that feedback. I guess I feel that's why, I don't know. So maybe we should reform it, because I had that same issue too. When I was a scribe, you just go into one box and then you do the whole stuff in that one box. It might be better to put two boxes for two different scribes, because then separate it up so that it doesn't have to... No, the two columns, the columns are great. I'm just talking about the rows. Like, there is a box for beta PRs, like for one, attendance and designating scribes. No one writes anything there, never. So you just delete those rows. I mean, it's good to just delete them. I just wanted to ask if there's a special reason they're there. No, I think it's good feedback. I think we should spend some time reformatting the template. Yeah. Brandon, was that optimized for both the presentation slash working session formats? Yeah, so this was originally, we had kind of like a single sequential block, right? And then Matthew Garcia, when he was first taking the meetings, found it would be better to have separate scribes.
I think the idea was to kind of put the notes across the same topics rather than it being offset in different rows. But it seems like maybe we can do some consolidation of that. Yeah, yeah. So maybe we can still keep the separate rows for each topic, but we don't have to precategorize every row. Yeah, yeah, exactly. That's good feedback. All right, thanks. We'll open the issue for that. If you want to open the issue, that'd be great. Yeah, sure, no problem. Yeah, yeah, I'd be happy to. Cool. So, yeah, if there isn't much that anyone has, any updates to add, then we can give back 20 minutes of the time to the rest of the group. Awesome, and JJ, next week we're going to have a Confidential Computing Consortium presentation, right? Yeah, yeah, CCC. And I think the agenda is there at the top of the doc. And depending on the time availability, I think Aradhana's part two presentation is something that we can see if we could slot in. But Andres is facilitating the meeting. So I'll just add that to the agenda item and Andres, I'll leave it up to you to see if you can actually slot two presentations or if it's just going to be one. Okay, I've been working with Eva to wire that up. So should we shoot for a 30 to 35 minute presentation? Does that seem sensible? Yeah, I mean, it seems sensible. Yeah, I'll add it, but do what makes sense for the presentation and we can always push, we can create a pipeline for Aradhana for later if we have to push the part two presentation out. So Aradhana, let's make sure we give the topic justice. Now, if there was room for a second presentation, do we want to take something up from future meetings and reach out to the folks to see if they want to talk about it, or should we just leave it open? Usually with presentations, at the end of the presentation, there is a decent number of questions and answers. So when there is a presentation, I'm just worried about the timing aspect of it.
So there'll be a few updates in the presentation and then there'll probably be a Q&A. So it'll probably take the whole hour up, which is okay. If there are two presentations, like early on when we used to run that, it usually becomes like a rush-through thing, which may not be ideal either. So it's up to the team. How do we feel about having two presentations versus one with the Q&A? I think one with the Q&A seems to have worked fine in the past. Yeah. Yeah, I agree too. Yeah, that makes sense. All right. So yeah, so that's for next week. And thank you all. Thanks for joining and thanks for the help. Have a good one. Take care. Bye.