Hello. Okay, I'm going to give everybody a few more minutes to get dialed in before we get started. Make sure that you are putting yourself on the attendance list and either "no update" next to your name if you don't have any updates, or if you do, just a quick 1 or 2 words about what it is and we'll get you added into the agenda. Just a reminder, I do still need scribes. It's Mark, I'll try to scribe today. It's about my turn. Thanks, Ray. Thanks, Mark. I'm going to give folks about 1 more minute. All right, let's go ahead and get started. Please go ahead and add yourself to the attendance. If you are just joining us, I've linked the meeting doc in the chat. If you're a new member and you have an update, or if you have an update, please provide your name in the document and a parenthesis next to your name. If there's no update, or if you do have one, just a brief 1 or 2 words about what it is. If you're part of a working group, please make sure that you provide your update at the time that we do the round robin check-in. If there are any specific issues or tickets, put them next to your name in the attendance list and we'll go through them all. So I've got two facilitators, Mark and Ray, today. Thank you both for volunteering. We appreciate it. So I'm going to go through the attendance list and start calling on folks. Mark, go ahead. Hey everybody. This is going to be a really quick thing. We had an interesting scenario involving GitHub and wondered if folks had any corporate enterprise rules around the use of GitHub in either direction, you know, taking content from there and using it in local repos or uploading content, and that would include documents, not just code snips. How do you mean, like general contributions or use of free and open source products? Yep, all of the above. So, you know, the concern is leakage of intellectual property or code snips or accidental release of pipeline artifacts that might have credentials in them.
So, you know, the usual approach to this is some kind of DLP policy lockdown, but GitHub is kind of special in this respect. Yeah, I mean, from what I know, I think many organizations have gone through this and some have formed their own policies and GitHub Actions, like post hooks to scrape through either the source code or the documentation that's getting checked in to figure out if there is any confidential information. As far as I'm aware, there isn't any push from GitHub itself to say, like, okay, this is a quote unquote compliant repository that I'll basically make sure that it checks, because obviously the cost of providing that is going to be huge. There is, and even we use that, there is a scanning tool. So this is as far as, like, passwords getting checked in, everything. As far as the scanning for any open source libraries for vulnerabilities and stuff, there are tools that do that that you can possibly incorporate in your build chain when you pull the content in. That is as much as GitHub consumption that I know exists, and the rest is all still a work in progress. Right, thanks. Thanks. We are less concerned about vulnerability scanning because we can always do that in the local repos. It's more, you know, accidental leakage of code that reveals something about APIs that is proprietary, or involves content that we are under third party legal agreements not to disclose but the developers don't know about it. And then there's also kind of design information that might be tied to covenants for intellectual property, and, you know, it's sort of developers-being-grown-up stuff to some extent, but it became clear when we looked into this that you can't just write a DLP policy for it and call it done. Well, Mark, you know, a couple things. So, you know, a couple instances where I encountered this and, you know, still trying to triangulate, you know, the problem of it.
So, you're working with a major tax prep company, you know, helping them set up a release pipeline, and one of the ways that they chose to control anything going out of the house to GitHub, to public GitHub, is, you know, basically, you know, systems or IT is the sole holder of the keys to publish on behalf of the corporation to the public GitHub. Individuals contribute, but, you know, there's a control step before things go out the door. Is that the problem set, or is it data location and, you know, validating, you know, kind of the opposite of what Black Duck does in terms of code identification, and, you know, locating those assets on, you know, the public and I guess eventually the dark web? Yeah, right. Yeah, I think it's mostly the former. I hadn't thought of having a fewer number of logins; that's certainly an option we could look at. I'm not sure how we could control that exactly, but they're my idea to do that. So that's, yeah, that's pretty good. With Black Duck, you know, the more we thought about this, the concern is, you know, developers that are just out of school want to use this. This is something that's integrated into their kind of ethos about how to do development right, so we kind of don't want to discourage that, but on the other hand, some of the best work there, even when we voluntarily want to contribute to GitHub, we kind of need to know about that from an enterprise. I'm saying we hear about, I'm trying to, you know, paint this in the broadest stroke possible because, you know, thinking about this as potential contributors to cloud native content, or consumers of it, or trying to build new products that either leverage intellectual property that's kind of revealed in the public space. And that's an important line you always want to continue to kind of draw. But then there's just sort of the management of the pipeline, right, which probably needs to be including documents, not just the code pipeline. Right, right.
My opinion, not my corporate experience, is that, you know, corporate leadership doesn't fully understand what it has to govern, so therefore you can't control it. Right. Until you are able to, you know, have an index and complete purview of what's going on, then you can't, you know, manage it out of the house. You know, a friend of mine went to work with a major construction company that was, you know, in charge of large scale, you know, private and public buildouts, and they, for example, leveraged Box to basically bag and tag all the assets, and through, you know, Box as the cloud network, they were able to say, all right, these assets with this signature are, you know, tagged as secret. And, you know, anytime they show up in any one system, you know, they are, you know, instantly deleted. But you need, you know, control of the system, like you would have in a deployed, you know, cloud infrastructure, like Box would provide, to be able to architect that. You know, once that goes out of the house, you know, can you reliably fingerprint and, you know, get the signature on that? You know, I haven't seen it yet. It's probably technically possible. But again, you know, I would go back to: you have to be aware to control. Yeah. This is a really good and fascinating problem set that I think a lot of organizations have. I would like you to actually create a thread in the channel; that way we can open it up to more folks to provide comments and feedback on, because I don't believe that this is unique to one organization. There's a lot of different ways that you can resolve this problem or at least buy down the risk a little bit. So definitely, I'd create a thread in the Slack channel to get some more feedback. Sure.
And, you know, just to round this out, the sort of bottom-up evidence management that one encounters here is the high end tools that some enterprises acquire will scour these repos for, we'll just say, items of concern: keys, references to the brand, certain things like metadata that might be local to the build process. And so these things get escalated as alerts through the security teams, who have very limited insight generally to the developer stack that could be involved in it. So it's something that Scott both and I, I don't know that thinking about the developer chain is top-down exactly, but the learning system is definitely bottom-up, and the top-down part of it is really managing through process as well as the organization, probably. So okay, yeah, I'll try to open a thread to cover this as a general topic, because we kind of want to encourage this, right, the code sharing and contribution process, but there are boundary conditions that we want developers to be aware of, developers in in commenters too. Probably this is one of the big existential challenges that we have in terms of security. We're architecting, you know, the security of the system, but then there are the bits that, you know, we are responsible for, and, you know, it's going to be hard. Yeah, yeah. Great, JJ. Thanks again, Mark, and thanks again, Dan. So if you're following along with that conversation, Mark is going to drop a thread in the Slack channel to help open up the dialogue about that. So JJ, you're up next. Emily, thanks. So I just want to give, this is JJ, I just want to give an update on all the effort that people have done on the white paper so far and bring some attention to that from all of you folks. Emily has been shepherding a lot of weight. We are in the process of breaking down the white paper into consumable chunks; that should happen in the next three weeks. So right now we have somewhat of a reference.
We call it a reference architecture, but it's more of a frame to think through in terms of cloud native security. Infographics have been done as well. I would, if you do have time, I think there is a channel for the SIG Security white paper. If you want to join there, there is conversation happening there that you can follow along and leave comments and feedback as we go through this process. Thank you for joining me. All right, thanks JJ. Dan, you're up next. Awesome. Well, you know, today, actually tomorrow, officially ends my term as chair. It's been a long journey. We started, I think at this point, nearly three years ago with what was at the time the SAFE working group; Secure Access For Everyone is the acronym there. Then the SAFE working group became the sort of guinea pig and first SIG in the CNCF. So fantastic to work with JJ and Sarah to take that sort of seed idea and bring that into the CNCF and really begin to define how we do special interest groups here in the CNCF, with all the other groups that we're affiliated and partnered with. Bringing that up to the level of the CNCF was fantastic. It's been a year. This last year has been brutal for all of us with the pandemic, but also, you know, particularly challenging for our small team of chairs. And, you know, I had a three months extension to sort of help fill those gaps. And, you know, I've been able to find, you know, a really worthy replacement. We're still, you know, in the process of ratifying that. So, you know, kind of hold that for next week and we'll share that out officially. I will be moving into emeritus status as chair. I still plan on staying active and being involved in the working group, though I will, you know, take this opportunity to sort of ratchet down the amount of time that I'm spending on the SIG. I'm, you know, kicking off, you know, I've already begun working on a new startup, but, you know, this will enable me to dedicate more of my time and effort to that.
You know, real quick, you know, what I'll be doing there. So, with the new startup effort, you know, I come more from the application space than, you know, kind of the cloud and infrastructure space: a decade of bringing Node.js into the ecosystem and, you know, commercializing that. You know, kind of working backwards from the needs of the ecosystem and, you know, helping organizations that are looking to, you know, cement the key bits and pieces of, you know, the underlying application implementation that are, you know, not secret sauce, that are, you know, really what we'd like to call solved problems, but oftentimes they're not. And we'll be starting with identity as a service. So, you know, lots of fun, sort of heads down time in the next few months. And, you know, getting that out. You know, we expect to have an initial SaaS in Q1 2021. And if you know anyone who is in, you know, kind of a mature stage series B to C company that needs, you know, technical leadership, my co-founder and I are both experienced CTOs and we're helping folks sort of, you know, land that maturity stage CTO oversight and involvement while we're continuing to build out that infrastructure. So exciting times ahead. New leaders coming, and, you know, I see such a bright future for this group, and, you know, I'm happy and honored by everything that we've accomplished so far and look forward to, you know, everything that the leaders and all of you will be producing in the years to come. Yeah, I mean, I want to take a moment to thank and express, and I think we all should express, our gratitude for what Dan has done for this group. And I think he hasn't done enough justice to say how impactful he was to having this group bootstrapped and kickstarted. So it was way back, like what Dan said.
Three years back, there was just me, Dan, and then Sarah, and this group wasn't the thing; the SAFE working group, we went and we had some core values and philosophies with which we wanted to form this group, and then we all carried forward that as a value in terms of trying to make it more neutral, more informational, more educational for the entire ecosystem. And all the values that Dan carries from his prior experience of running an open community and then having people collaborate in a constructive way have shaped the culture of this group significantly, as you can see, in terms of how this group's run. So I do want to take the time, or all of us to take time, to basically appreciate, and I don't think appreciate is enough of a thing for what Dan has done, but I'm not good, in my own way, at expressing how much of an impact Dan had in this whole group. So thank you, Dan. Thank you today. Yeah, go ahead. Who else wants to lead to this? We're going to pilot on here. Yeah, let's do it. There's no better way to do this. So Dan, you've been really fantastic to work with in this SIG, and I cannot express to you enough how awesome it is to see you and JJ working together to make the SIG what it is today. I remember when I first heard about the CNCF SIG Security. It was at a presentation at KubeCon, probably about three years ago at this point. I had no idea what I was getting involved in at the time, but I do have been with, like, my first issue and my very first PR was with this group, so I especially want to thank you and Sarah and JJ for putting in all the hard work, all the love and all the time to make this what it is today, and I would feel comfortable speaking on behalf of all of the attendees to any of the security day events that would not have been possible had this group not existed in the first place, and the culture that you all have instilled within this group. So thank you. Thank you.
One add, Dan, is this: one of the things I say a lot to the folks in the day job is that security is both broad and deep. It's becoming hyper specialized. One person that's going to know all the tools, everything from cryptography to code vulnerabilities to how to handle incidents in real time, it's too much. And yet at the same time, wind the clock a little bit back and you've got Kubernetes wasn't even on the landscape, you know, and now it's a threat vector, right. So that's the horizontal space that continues to move out at the same pace, and what I thought your leadership really brought to this is an ability to see a big picture and the minutiae of important details at the same time. And that's what tech leadership has to do, because coding and building systems that work involves both kinds of vision, and, you know, I've really appreciated that kind of leadership in this kind of group. Thank you, Mark. Anyone else want to gush over Dan? Gosh. I could keep going. I'm going to start crying. That's okay. This is a safe space. So we have a new member to the SIG. I apologize if I mispronounce. It's fine. Thank you. It happens all the time. My name is it I, actually let me turn on my webcam just a sec. Hi, everyone. So I just wanted to introduce myself, because this is the first time I'm joining the call. Actually, I have been listening to the recordings for a while, so I don't feel that this is my first time, but it's the first time I'm now joining live, and I do intend to start joining live going forward. So just a quick introduction. My name is it I, I work at Aqua Security on open source security stuff. Maybe you've heard about kube-hunter, kube-bench, Trivy, Tracee and so on; these projects come from my team. And I've also been involved with the CNCF security related stuff like the CKS exam now, and at KubeCon I've been a co-chair of the security track, so I've been involved with CNCF security related stuff.
I was never really involved with SIG Security, so I want to fix that. And so I am looking for ways that I can contribute and be involved more with this group. So, just saying hi, showing my face here. And nice to get to know everyone face to face. Welcome, welcome. Can I make a suggestion? We actually, kube-bench came up on this morning's policy work group discussion, so if you will, I'll post the link to that discussion, but that might be a natural subgroup for you to join into as well. Welcome. Yeah, I actually have been working on the WG Policy group as well, so feel free to put me into any discussion. I appreciate it. Fantastic. All right, are there any more updates from anyone? This is Robert. I'll just put up the weekly call for volunteers on the Cloud Custodian assessment. We still would like to get a few more reviewers on the Google Doc that Kapil and team have provided. So either add yourself to the GHI and I'll reach out, or add yourself to the Slack channel for the assessment. It's a sec assessment, sec-assessment, that's custodian. And there's lots of details posted there. But I would love to get a few more eyes on the Google Drive document that Kapil provided. I can help with that. Can you just elaborate what kind of assessments are you requiring? Yeah, definitely. And the documentation of our assessment processes is in the GitHub repo, but just in brief, you know, projects, for sure those who are in sandbox or beyond, submit a document describing their security posture, a risk assessment and controls that they may have implemented. And then this volunteer group will review that documentation and then make suggestions, recommendations, or in specific cases, you know, maybe concrete recommendations for improvements, and then review that. We will review that first with this group. And I think Emily mentioned that there's a presentation next week for Keycloak. Is that correct? Yes, there is.
I actually just dropped the link to the assessments in the chat. But it's also in our repos; anything that you would like to know about the assessments, how they work, roles and responsibilities, kind of expected timeframe and time commitment, that's all there. And next week we do have the security assessment for Keycloak being presented. So if you're interested in learning what the outcomes of them look like, I'd definitely dial into that one. Okay, cool. I'll reach out over Slack, just the person who just answered me, I only see your phone number, so if you could just give me your name so I can reach out. Yes, this is Robert Ficcaglia, and I'm on the sec-assessment-custodian. Unfortunately, I lost my Zoom internet. So I had to dial back. Okay, Robert. Okay, great. Thanks. Before you move on, you know, I'd like to jump in. I'd love to get your feedback on what we call our security assessment process, given your background. This is much more lightweight and less technical than, you know, the traditional assessment process that you're going to go run something through. Technically it's a bit closer to a peer review and a sort of community, you know, gathering and assimilation of context. It's, you know, the mechanism in which, you know, here in the CNCF we have all these sort of member companies and member projects, and, you know, they're going through their, you know, incubation and graduation process, you know, and it's our responsibility as the SIG responsible for security to have awareness and help them succeed in the CNCF process. So, you know, we call it an assessment. You know, along the way, it's, you know, a little bit more self assessment and, you know, more peer review.
So, you know, both in terms of, you know, how we're delivering this, and even, you know, if after you've gone through and you've seen the workflow, you know, if we can sort of nudge that naming into, you know, naming is hard, you know, nudge that naming into something that is, you know, both meaningful and, you know, doesn't have an existing meaning, I think that would be, you know, helpful in the long term, but absent a better suggestion, you know, that's what it's called today. Yeah. Um, so that was one of the questions I had. Hi, this is Michelle Traberca, and I've contributed to the Cloud Custodian assessment, but I feel a little, I've done assessments in the past, and application security assessments, I mean, that's been my role in the past. And I'm a little uncomfortable with it being referred to as a security assessment. Because the criteria isn't clear. And that's fine, I mean, you know, given the CNCF's role, but it's not really, I think it could be misinterpreted by being called a security assessment, in that, I mean, that's a special thing. It has specific criteria. I don't want to be pissy about it, but No, it's a thing. Absolutely. We've constantly had to course correct and sort of, you know, correct misunderstandings that folks have because of the moniker. And, you know, ultimately if we land on a better name, it serves everyone's purpose; what we're doing, you know, is better described, and, you know, the value that folks get, you know, it's its own thing. Not necessarily, you know, that thing that they're, you know, probably going to have to do anyway. Can we open an issue on this particular thing? That way we can incorporate more folks in the discussion. There's not very many people on the call today. And I know that there are several individuals who are really involved in the existing assessment process that we have that would love this kind of feedback and a chance to engage in the conversation.
So I don't know if, Michelle, that's you or someone else to start that issue; we can bring it up at maybe another meeting and highlight it, as well as have the dialogue through the comments. Does that work for everyone? Plus one to that, yeah, create them as GitHub issues, and comment on them, not on a Slack channel, so that the trail stays and then we'll be able to see the discussion. Yeah, and once the ticket's created, just drop a link to the ticket in the channel, and that way everyone's aware of it. That would be great. So Michelle, do you take the AI for creating that? Wait, I work in finance. Does that put me on the hook for this? Is everybody going to be mad at me now? You know what, nobody's mad at you. No, we do, I mean, like, we argued about several of these things before. And it is one of the traits of this group that nothing's personal. Yeah, my goodness. I understand that, like, the CNCF's, you know, that group's hesitation, and I mean, I totally get it, but I think it can be misleading, because, you know, having, like, participated in one, I mean, I was a little bit, I had a little bit of, I was frozen. I'm like, well, wait a second, do you want me to do a security assessment? Because I can do that, but that's not what this is reading like. I mean, so yeah, I don't even know how to. Okay, I'll try to come up with a coherent sentence about this. We actually have another ticket kind of related to this, because this was brought up in the past; you're not the only one to bring it up. To talk about how we could potentially take what it is that we're doing and actually turn it into more of a lightweight, friendlier actual assessment. We're going to track down what that issue number is and what the status of that is, and link them together, but you're not alone; this is something that's been brought up in the past and something that we've talked about, so I thank you for bringing it up.
And I'm really happy that we're going to actually create an issue on it so that we can formalize the dialogue around it. Yeah, you know, just to add a little bit of additional context there, we're right at the point, you know, when we created this workflow and the processes around it, we set a goal to have five assessments complete before we sort of ratified it. We've completed that now and we're at the point of ratification. So now is the perfect time to go in and sort of tease out, all right, like, what are we going to call this, and how do we make this, you know, approachable to everybody? I think the thing that bothered me, and I don't see Kapil here, but I won't keep it a secret, like, I work at Capital One, right, and Cloud Custodian came from Capital One, and I felt a little uncomfortable; the separation of duties part of me felt really insincere and inauthentic in, you know, sort of self assessing, you know, and not being a third party. And then, because I'm a big fan of the Trail of Bits work, I mean, I worship those guys, I'm like, it's such a good body of work. And, you know, I'm like, so where that seems like a really radically different level of rigor, and, you know, I'm not calling out specifically Cloud Custodian, but I'm wondering, is there going to be a set of criteria, is there, like, a level of, are there levels established based on, you know, criticality or something of the project? You know, I don't know, but the process person in me wants to see more specific criteria to sort of create a path of process flow for this. It just felt a little informal to me, and considering that people might see that and go, oh, well, it had a security assessment. You know, I'm sorry, it's a little, I don't mean to be. Michelle, you're fantastic. I'm sorry. In building an open community that's, you know, entirely volunteer-based,
it's an interesting challenge to, you know, build, you know, opportunities and, you know, direct, you know, intent and interest, while at the same time balancing, you know, formalization and processes when you have every expectation that, you know, folks may not be available and, you know, may completely go away. You know, as you have no, you know, control, with the exception of the processes that you put in place. And those need to be accommodating enough that, you know, the community members that are responsible for doing it feel accommodated and comfortable. So, you know, part of that is also formalizing. So, I think we're at that point where we need to formalize it, and, you know, someone with your expertise is going to be, you know, really important for us to be able to define that. Thank you, Michelle. Okay, I didn't want to come off blasé or overly critical. It is, but I think the second you go from an open source project to one that's sort of backed by an organization like this, then the level of rigor, the requirements change. In my opinion, but yeah. Michelle, Mark here. One of the things that would be useful in the thread that is referenced here in the chat is if you can talk about, I'm not going to call them assessments, I'm going to call it the opposite, like interviews or, you know, a peer review kind of stuff that is, you know, about as far away from red teaming, kind of black box testing, that you might have, you know, some sharing about experiences like that that are more lightweight would be helpful. In the past, in the same context, I've discussed the interview process that we do, which is a sort of a triage thing for projects that are in early stages. That's a pretty, maybe too lightweight, thing.
So another approach is embedding knowledgeable people in the standups and in some relevant scrums, or you can do it when there are certain checkpoints and releases. So there's a big continuum there. I think it's useful for us to all hear about some of the other lightweight approaches that are being taken, even if we don't pick one of those. So the Mozilla Rapid Risk Assessment, that's one that I remember. We utilized that as a framework when we didn't want to do a full threat model at another financial institution where I worked. And we translated that into an RTA, rapid threat assessment, but I'm sure people are, is everyone familiar with that? The Mozilla RRA, casually. Yeah, yeah, you can, I mean, you can try to do MITRE; there's, you know, these other frameworks that are helpful; you can look at NIST. You know, I'm an advocate for that, but there's always going to be boundary conditions around which you kind of want to have other informalities. You know, as security itself becomes more of an SDLC as we automate stuff, we're now authoring scripts, whether they're Chef scripts or test engineering scripts in the CI/CD pipeline. These are now, it's not like we can stand off at a distance and just do black box testing and throw packets at software and really do a very good job at it, so the landscape is shifting underneath us, and this problem of finding an appropriate place on the continuum is a real challenge, and doing it in open source kind of adds yet another wrinkle to this, right. I don't know if Ash is on, but when we went through the OPA assessment, I will say they didn't have Trail of Bits, but they had had Cure53 do an assessment. But yet we still found and identified process and other issues in that in the SIG assessment, so I think they're complementary, but I agree the nomenclature is perhaps incorrect for what it is.
Yeah, I'm sure Michelle knows this more deeply, probably, than I do, but there's a real dangerous precedent set by the people who think of security as vulnerability scanning. It really does a disservice to the breadth of what needs to be done in any kind of assessment, whether it's lightweight or red team depth, and the frameworks are helpful for that, so you're at least going through a checklist, like this is shown in the efficacy of checklists in operating rooms, for example. So, although we've debated in this venue the value of checklists, I think there is a reason to do that in opposition to the vulnerability scanning approach that's generally taken in this space. So I think a lot of this is going to be more theoretical work and more sort of soft work, if you will, relating to maybe more like threat modeling, because it's outside of an operational environment, right, so you can't. So we are going to be focused, in my opinion, on business logic, you know, the implementation approach, not so much in an environment where you might utilize techniques like that. Yeah, try to get this into the thread, Emily. Yeah, definitely. Like, as everyone can tell, this is a good topic, and it's something that we've been discussing in the past, and is especially relevant, like Dan said, as we come up on that time frame where we really need to start formalizing these processes. So, Michelle, if you could go ahead and create that issue, and definitely tag a few of us in it if you think that we've said something here that you would need. So if you could go ahead and create that issue, feel free to go ahead and tag us. I've linked the other issue about a hands-on assessment within the chat here; it's issue number 394. I'll cross link that once you post what the new issue is. Anybody have anything else to add? Okay, um, I didn't see anything else on the agenda for the day, and I think everybody's given their updates. Any last words? Don't go away, Dan. I get to escape.
Last words: we love Dan. Thanks, everyone. It's been great, and I look forward to sharing some of the sort of unique takes the, you know, the last decade has, you know, taught me in terms of bringing things forward to standardization, and where we are collectively as organizations looking for, you know, standards and sort of the right middle grounds. I'm going to, you know, be taking some passes at, you know, changing some of the dynamics around that. And hopefully it's interesting. Well, thanks everybody for joining today. Thank you, Dan, for serving as co-chair. As always, check out the Slack channels, and Mark's going to drop that thread about the GitHub security question that he posted earlier. Michelle is going to work on that new issue for changing what we're calling our assessments to be more accurate and reflective of what the actual process is. And if I missed anything, check out the notes, which are linked through our repo. That's everything. Have a wonderful day, everyone. Thanks, everybody. Thank you.