Hello, how's it going?

Hi Justin, how you doing? I don't think we've met.

I'm fine. I hope we're going to see some other people show up here. Let me...

This is my first time attending one of these.

Yeah. I missed the last meeting, but we had, I don't know, maybe 10-ish people the time before. So... I'm a little surprised. I wonder if somehow we missed something, that they wanted to skip this week because of whatever. I don't know. I can't imagine, like, a spring holiday or something like that, but we'll see.

Is there normally a particular lead for these events?

Well, I'm sort of, kind of the lead usually.

Okay.

So, yeah, let me tell you a little bit about SIG Security. So basically it started as kind of a working group that's called SAFE or something like that, and then became an official thing under the CNCF. And around that time it really started to take off, and they got more formal structure and things like this. And so one of the things that a few people did is, for instance, I started... I came up with guidelines for doing security assessments and did a few other things related to that for the SIG. And so then as a role, they have a couple of different types of roles. They have chairs, which run it and also do administrative work. And then there are tech leads, where tech leads basically kind of have the accept, like, commit bit sort of on pull requests and suggestions to things in the documents. And it's usually given to people that have been very active in the community and have contributed in some way. So I'm a tech lead. I'm currently in Shanghai. I don't know how much longer I'll be here. I'll either be here maybe two-ish months or I will be here until after Christmas, but I'm unsure about that yet. And while I've been here, I've been trying to get the Asia-Pacific folks, like, things to kind of spin up a little bit more. But I'm very surprised it's three minutes past and there's no one here.
My guess is that this meeting must be canceled, because there'd be at least probably three or four people here. I can't imagine that everybody just sort of decided not to come. Well, why don't you introduce yourself, though, and tell me a bit about you.

So I'm Richard Clark. I'm a senior application security engineer for a gaming startup here in Perth, Western Australia. I'm also trying to start a CNCF chapter here in Perth, so there wasn't one here. So the company is called VGW. We're in a bit of an interesting space in that we have some business units kind of almost fully cloud-native, Kubernetes, OpenTelemetry and all this lot. And we then also have other business units which still use the various cloud providers and that whole shared responsibility model. And kind of we have different business units of different skill sets. And so we're in a very interesting position that we're able to bring some of that technology or learnings from those that have adopted fully cloud-native and bring them back. But yet also other business units are selecting the right projects for themselves. And it's kind of, yeah, a lot of, for me, this is kind of, I'm new to this space in terms of Kubernetes at least and CNCF. I wanted to surround myself with the community, because I think there's a lot of design patterns and learnings in the way that applications are deployed and modeled and so forth using CNCF projects that help security. And so I'm kind of just trying to surround myself and try and absorb as much as I can and contribute back from my own learnings in my career experience.

Great. Sorry, I thought I was the opposite. I thought I was muted the whole time. So yeah, so one thing I can tell you a little bit about, and you may know, I mean, how much do you know about the CNCF projects?

A little, not, I would say, a huge amount, but I guess this is where a lot of the incubation projects like SPIFFE and SPIRE interest me a lot. Yeah, and kind of just trying to do a couple.
Yeah, but I think that's these upcoming things. I'm not really an expert on SPIFFE and SPIRE, but I did do a security assessment for them along with some of their engineers. So I understand it well, but I haven't really, like, I haven't used it operationally. So it's a little bit, you know, it's kind of different knowledge, but it seems to be, I think, a very solid project. It handles the secure introduction problem: how do you take an ephemeral thing and give it keys and identities and stuff like that without, you know, having to worry about, you know, a man in the middle, you know, malicious parties doing a bunch of things. It has a bunch of really strong parts. It has some areas dealing with federated trust that they're working out now, like how do you federate multiple SPIFFE/SPIRE servers together. It used to be the case that effectively if the server was compromised, you really lost all security in the system. And with federation, I haven't really looked to see how they're containing it. I've been a little swamped with other things, but I think that's, like, a kind of interesting touch point to look at. Other projects you should probably be aware of in this space that you may know about, I'll name-drop some; some I know more about than others. But like Harbor. So, yeah, TUF. I'm, you know, Notary, in-toto. Let me think about what else. Those are, I think, the ones that come to mind, and full disclosure, like, I'm the creator of the TUF project and one of the creators of the in-toto project. So, yeah. But then obviously, I don't know if you know, Notary is an implementation of TUF that also has some other functionality in it to integrate better into cloud-native environments. So I sort of have, like, a little bit of a, well, I have a dog in the race, to kind of say it, you know, politically, but in general, the TUF/Notary thing is likely something you just enable correctly at your provider rather than a real decision you make.
In-toto is something you need to do a little bit of work with, but once you set it up, it's transparent and it's really effective. Harbor is interesting in that it takes a bunch of things like TUF, Notary and a bunch of other technologies and kind of stitches them together. And we did a security assessment for them, I think. I don't remember whether I was just part of it or whether I led it, but like the problem I, or the concern I had about Harbor is it's a lot of very complicated things that are all kind of glued together. And I think where the seams connect, there's a lot of potential for things not living up to all the security guarantees they want. But in general, it's better than you trying to glue stuff together yourself. And in general, it really, you know, the complexity you have there, someone like smart groups like nation state actors or something like that would likely have to, or I don't know, at least reasonable hackers would have to spend a fair amount of time doing a deep dive. And then they can probably find all, my guess, I mean, once again, I could be wrong, but my guess is they could probably find a variety of different issues of different severities in how the technologies are stitched. But I think overall, I think it provides, like, pretty good security guarantees out of the box. And so if you're not likely to be a serious target, it's, like, quite an excellent project. And I think if you wouldn't be stitching it yourself, then it's still, I think, worth doing. But I wouldn't trust, you know, $10 million in Bitcoin to a system protected by Harbor.

So just to roll back a bit, what's the main focus of each of Harbor, TUF and Notary? I kind of like...

Yeah. Harbor. Okay. So I'll let, I don't want to sort of misrepresent Harbor, but it's kind of everything with the registry, with delivery. It sort of is like the amalgamation of, of, like, how you, how you store and get software places. I don't really, to be honest, I haven't used it as a user.
So I also feel like I don't know all the use cases for Harbor and how people do it, but it's, it's sort of the registry side plus a bunch of other stuff. TUF and Notary, it's basically making sure that, that you get software delivered from a registry, and even if the registry is hacked, it doesn't mean sort of game over for you in terms of security for all your containers. So TUF has a very serious threat model, that the assumption is an attacker will compromise your registry. They will steal some signing keys from some of your developers. They will be a man in the middle. Right. And the goal of TUF is to provide you the best security possible in any of those types of environments, while, so, have like a graceful degradation of security. So for instance, if you, if a man in the middle controls all your network traffic, they, you know, should be able to stop you from downloading an update by just, you know, failing to deliver the bits, but they can't put malicious software in an update or do something like that. If they take over the registry, they may be able to convince you that a slightly older version of something is the most current version, but they shouldn't be able to give you a significantly older version, and they shouldn't be able to do things like, you know, give you something that isn't signed with the correct keys, that wasn't produced by your developers. Right. If you're doing things. So, right. And that's, that's the general idea behind Notary and TUF. Okay. And then in-toto is software supply chain security. So basically when you make your software, you sign git commits, check them into a repo. You run it through a build farm. You have maybe a CD pipeline. You do testing. You package it. You container, you know, whatever you're doing, containerize it, you go and you deliver it. And in-toto produces cryptographically signed metadata and checks through all the steps that occur there.
And so you'll know something like, you'll know if the build server manipulated your files and added something in, or if, you know, someone didn't actually run the tests and they pushed something. And it's all, like, cryptographically signed and verified. So it's assumed that those boxes on your network are not perfectly trusted. And so there's been a lot of interest in this because of the whole SolarWinds attacks and the things related to that, because in-toto is basically the only thing that really has a hope of protecting against something like that. We work and integrate very closely into technologies that, alongside in-toto, things like reproducible builds and stuff like that, that if you use, like, reproducible builds and then verify the cryptographic metadata with in-toto from that, you have a reasonable hope of being able to protect against something like SolarWinds and similar attacks and things like that.

So do in-toto and TUF work together in any way? So you've got kind of, like, you know, the left side of the registry and the right side of the registry, if you will. So I guess it kind of seems like those two products could work very well together.

Yeah, they do. They integrate well. Datadog did a deployment with them. And we've also, really, in-toto goes as far right as TUF and even actually further right also. It's, like, more overarching. But like Datadog actually put out a nice blog post where they talk about how they did their TUF and in-toto combined integration, along with a bunch of stuff with git signing and stuff like that. And we actually, we found a bunch of design flaws in the way git signing worked and got them to change the way that they do tag signing over to our architecture about four years ago or something like that. So we've been kind of pushing at different points in this, like, software supply chain, for lack of better words for it, for the last, I don't know, for a long time, and slowly kind of securing them and making them better and better.
We still have a little more work to do. We didn't get our complete architecture into git yet. But if you're signing git tags, you're using my student Santiago's code, and he's the lead of the in-toto project, and, you know, he's just done an amazing job with, with everything. Yeah, there's, yeah, so that's, that's the basic overview of those bits and pieces that I know pretty well. I'm trying to think if there's anything else, and I'm sure that if, if other people from SIG Security watch this call, which they may, it's recorded, that some of them will be screaming at the screen like, oh, you didn't talk about this or you didn't talk about that. I feel like I'm forgetting stuff, a bunch of important things, but that's, that's their fault for not being on the call, I guess.

That's quite all right. Yeah, it's good to just start off with something somewhere in space, and I can go away and research that and see how that could work for us, and likewise, how I can contribute back. In terms of these general meetings, is there anything else that goes on, or is there anything expected of members that participate?

People just talk about efforts that they want to do. We're creating a kind of security landscape document where you can look at what happens and, as, like, a company, decide, like, what products, with, like, what types of technologies and things you'd want to employ in different places to get different security properties. And, but really everything here, it's mostly somebody says, I think this would be a good idea. We need a white paper on this, or we need to create a document on this, or we need to do this. And then they rally interest around it and they start it. It's not like a, you don't have to have a motion to have a document created to do this and do that. There's no, like, there's not, like, high overhead in doing things. People just tend to do them, and if they get momentum, then they tend to be really successful. So, yeah. And we'll have more discussion about that.
In fact, I think if you watch the meeting about, it was two meetings ago, we talked about a lot of that. And I didn't watch the video from last meeting, but that should have had some as well.

So, and then the relationship with the other SIG Security meeting, which I guess is more US time based. Is it kind of like this session is a catch-up of what's gone on there as well?

Yeah, I mean, you have some of that, but the problem, sorry, the problem is that this, there's only usually one or two people that overlap the two meetings, because they're in separate time zones. And so sometimes we do have that spillover. JJ is, I think he's one of the chairs. He's been to both meetings a couple of times, and Emily Fox is a chair, and she was in the meeting last time that I wasn't able to make it to. So yeah, so we'll, it'll happen from time to time.

Good. Well, it was really nice meeting you, Richard.

Likewise.

I will try to figure out what the heck is going on here with meetings, but I expect that we'll have a bigger group on the 13th.

Cool. All right.

All right. Have a good day.

Take care.