I think this is on. Okay. Whoa. All right. We're not doing the lav mic today; taking a risk. Decided to try the little handheld. So, okay, you right there, what's your name? Jake? Jacob, okay, Jacob. You're lasered in on me right now, so if at any point I start getting way too quiet or way too loud, I'm looking at you. You need to wave and be like, "Bro." Okay, Jacob, you're my guy.

This is what was on the agenda: The Quest for CNCF Ecosystem Security. Did anybody come in here because you saw "quest" and you thought that sounded really cool? You're like, "I want to know about the quest." Okay, good. I'm not going to disappoint you guys. CNCF ecosystem security, was that interesting to anybody? Is that why you guys came in here? Okay. All right. Okay, you guys may not leave disappointed, hopefully.

During the course of this we are going to give out some awards to projects that have participated over the last month in improving their ecosystem security, well, their project security, thereby increasing the security of the entire CNCF ecosystem. So we are extremely excited about that. That's where I need you to help me out, because my volume levels may increase the more excited I get.

We're going to do a couple of things. I'm going to introduce a couple of people that are going to help me talk about the Security Slam and the different security efforts that we've been doing within CNCF. Marina's going to come up for number two right there. I'm going to come back up and talk for a little while for number three. Mike's going to come up and share a little bit from Argo, and then we're going to go through the wild mess of presenting awards to the most significant increases in security hygiene that we've seen over the last month.

So let's do number one. I'm Eddie Knight. I work for Sonatype. Software supply chain security is our whole thing.
That's what we care a lot about. We don't only ship some of the most established software on that topic, but we are very active in different open source ecosystems, just trying to work with projects and see the supply chain security get improved at its source. That's something we really heavily believe in.

Marina and Michael don't have the microphone, so they don't get to give as in-depth introductions for themselves. But Marina is a TAG Security chair, right? Oh, big, big, big. Okay, no, actually applaud for that, because it's kind of a huge role in the ecosystem. And Michael has forever had a huge role as a maintainer of Argo CD. So don't clap for him. They don't listen to me, Mike. But they're going to come up here in just a second to share a little bit about that.

The vision for the Security Slam is also the vision for ecosystem security. It's something that we all know is important on an intellectual level, but we're constantly trying to find better ways to pursue and achieve this ecosystem security. I was stoked: Major Ryan Patrick gave us a quote just for this. He wrote this down just for us to put it on this specific slide, because the US Space Force is one of the larger, more prominently known consumers of CNCF projects, and so we were able to take some feedback from the US Space Force and several other different organizations and pass that feedback on to different projects, to help folks know these are things that are important to the end users, and this is why your security hygiene improvements are actually making a significant change in the world. This is just a little peek at the end user feedback perspective that we know, and I'm going to come back and talk about this a little bit more in just a second. Marina is going to share about how TAG Security is doing this throughout the year, not just in the one month that we're focusing on with this Security Slam.

Yeah, thank you.
So TAG Security is one of the technical advisory groups within the CNCF, and we have members from across the CNCF that come together to talk about security-related issues within this ecosystem. So the vision of TAG Security is to provide protection of cloud native systems while providing needed access, to provide common understanding and common tooling to help developers meet security requirements, and finally to create some common tooling for audit and reasoning about system properties.

So in practice, what this means is that we have a lot of different initiatives that people from the community come together on to help improve the security of all of us. Some of these efforts focus on awareness, things like our white papers, where we take a look at good ideas in security that have been created by other people in the community, and we highlight those and share them with the broader community to help everyone improve their security. We have a catalog of supply chain compromises for folks interested in what threats are out there, as well as some other awareness for new projects and other areas.

We also have some awareness through efforts where we really collaborate with CNCF projects to help them improve their security. There's a Security Pals project right now that's ongoing, where we're getting a big group of volunteers to help projects do self-assessments.
So this is a process where CNCF projects go through and evaluate for themselves their security posture, which then leads into the joint assessment process, where members of TAG Security actually help projects improve their security. There'll be a whole talk just about this process later today, and I'll have info about that on the next slide.

And finally, we build our community. The only way to make cloud native secure is to do it together. And so we collaborate with other TAGs within the CNCF, as well as with groups outside of the CNCF, things like the OpenSSF, that focus on open source security more generally. We have initiatives like the Cloud Native Security CTF, which is going to be happening next door tomorrow, with some intros today, which I definitely encourage you all to check out if you're interested in getting some hands-on learning about security, as well as security conferences and villages like where you all are today, where we can talk about security and how we can make it all better together.

This is the information about that talk later today, where you can learn more about the TAG Security assessment process from some other members of the TAG. And if you're interested in getting involved, please get involved.
This is how we can improve the security ecosystem. We have our publications; those include all those white papers I mentioned. A mailing list, which is somewhat active, where we talk about some stuff in security; a very much more active Slack channel; as well as weekly meetings in a couple of different time zones, to hopefully get some broader participation. So thank you, and I'll hand it back to Eddie to talk some more about the Security Slam initiative.

All right. Switching back. Take a picture of this. This is actually really important if you want to know more and get more involved with TAG Security and stay up to date with the things that are coming out of TAG Security. These are resources that you should be taking advantage of. Thanks again, Marina.

We are at the point in my presentation where I don't remember what slides come after this, so those of you who know me should be clenching your butt cheeks. Security Slam. That's what we're here to talk about. Looks like the ghost stole the colors from all of the different logos there. Not cool, ghosty. GOSST is the Google Open Source Security Team, so technically we have the Google logo on here twice, but they are the sponsors who provided the funding for prizes and swag, that way we can make this event possible. Last year and this year they sponsored it, and so the Open Source Security Team has just been a huge boon on the entire ecosystem, not just the CNCF ecosystem but the open source ecosystem. So I can't shout out to them enough, and just huge thanks for their ability to step up and provide this. Is anybody from Google in the room? No? Okay, so no waving from Google today. But it's been really awesome to have the GOSST team involved in Slack, supporting the different projects in increasing their security.
So it's just been really fun. Also, Tin and myself spent a lot of time from January until... so this is the schedule. From February we started, and we started working through things, and Tin was actually on board all the way through September. So Tin, can you wave somewhere? You were in the room 10 seconds ago. She knew I was going to call her out; that's what happened. All right, well, huge thanks to Tin and Katie. I didn't make your picture on a slide, but Katie picked up after Tin here in October and November to help make things happen. And so the different swag that we have and things like that are possible because Katie was actually doing the heavy lifting of organizing and dealing with vendors and things like that. So huge thanks to Katie and Tin for bringing us this far.

But I put this slide up here to tell a story. The security hygiene improvements that we've done have been to try to organize things to where we have a special month that's just focused on this, to where we start getting a lot of people having the same conversations at the same time, so that different projects in the ecosystem can learn from each other and do things alongside each other. We saw a huge success from this last year, and it was repeated again this year. The theory was that it would be repeated again, so that's why we started all the way back in February, trying to figure out the goals and the concepts: what do we want to be doing with the next Security Slam? Because every single year it's a fresh slate, a completely clean slate. No solid commitments, no contracts that we're going to do it again the next year, but kind of a vibe that, you know, we probably should do this again. And so we started in February and we did some announcements at KubeCon Europe, and we thought that was enough. We thought, hey, we did some social posts.
We did some videos at KubeCon Europe in Amsterdam this year. Spoiler alert: that wasn't enough early messaging to let projects know. So I didn't make a whole lessons-learned slide explicitly, but right there during that announcement phase, that is something that we've learned that we need to do better next year. Just doing that initial announcement to tell projects that it's coming was not sufficient this year, so we're going to need to improve that and keep that pink line going all the way through, to make sure that projects know that this is coming, and avoid the project saying, "Hey, this seems really cool, but we're just now hearing about it." Now that was just an absolute tragedy and devastation on my soul when we heard that, so we're going to need to avoid that next year when we plan this again.

The next thing that we did was setting the event metrics. And so we had several different people from the community that said, "Please don't name me," but I'm going to name you anyway, who helped us set the event metrics and set up some goals for the next year. What we decided when we talked about it was that there are several different things that projects could be doing to go beyond the standard that we set last year. And so we decided, hey, we'll give people the same prize we gave last year if they do the same thing they did last year, but let's give them four more options. And so we spent a couple of months working through what those options should be and how we should incentivize and pursue those things as a community across multiple projects. Part of that was that we needed to give people the option to read more about these things that we are saying they should be doing, and so we worked with the Linux Foundation Training and Certification program to create three different express learning courses.
There's a fourth that got paused, and it'll probably be released sometime next year, but we created multiple different LF express learning courses that take an hour to walk through some of the core concepts, such as OpenSSF Scorecard, what does it mean to make a self-assessment and the quickest way to do that, and, Colin, what was the third one? Automating SBOMs and provenance was the third one that we did.

And then we jumped into launch and execution. But before we did that, we went back and solicited end user interest. We said to a few people in the end user community, "Hey, could you tell us what projects you're using in your ecosystem? We promise not to tell people; you can tell us whether or not we can share your name and your details and things like that." And several different people said, "Yeah, you can share my name; you can tell these projects that I'm using those." And that was hugely valuable to the projects, actually more than we expected. So another lesson learned was that projects loved hearing about what their end users were doing and what their end users wanted to see. It was a huge resounding success, and I had multiple people DMing me saying, "Can I talk to the US Space Force?" Like, no, I'll try next year. We did not arrange that as part of our agreement. But this was hugely successful, where we took the input from all these different end users, brought it in through a survey, and consolidated it into feedback. I actually wrote a set of scripts to auto-generate a message that I then shared out onto a bunch of different projects. I think I dropped four on Argo, because they have four different projects.

That being said, I told you I was going to call these guys out by name. So Michael Crenshaw, right here; you're going to hear from him in a minute. JM, can you wave? Playing coy back there. And Mike Lieberman. Mike, are you in the room? Oh?
He's giving a talk somewhere else. So all these guys were super helpful in creating these metrics, and we came up with five different goals that could be pursued by projects. The first one we called the Cleaner, the second one we called the Mechanizer, the third one we called the Defender, the fourth one we called the Inspector, and the fifth one we called the Chronicler. And we felt that these five goals, these five metrics, would significantly elevate... when I say "we feel," based on our research and the conversations and the arguments that we had, this would be a way that projects could significantly elevate their security. And so just a huge thanks to these guys for taking time and putting a lot of thought into forming these metrics that projects could use, because we're definitely going to be using these same standards next year, just maybe not in the same way. So thank you, gentlemen.

For education, Aaron Linskens, my colleague, is a technical writer at Sonatype and helped out with some of the education materials. But also Colin Griffin is in the room, because he helped author the course whose name I forgot. You can see all three of these courses on the LF training portal. They're free, they take about an hour to work through, and they are really useful for helping understand how to secure your own project's security.
So Colin, please wave while everybody awkwardly claps and says thank you for making educational resources. Now we have insight from Argo. That's the part where I forgot. Are there URLs for those resources? An intelligent person would have provided those for you. No. Let's get together after that; if there's anything I've referenced that you guys want to see more of, get with me and I'll make sure that we get you guys that information. You can also find it on their... Google for "Linux Foundation Training and Certification program," you can type in their free courses, that kind of stuff. Yes, absolutely. So Argo. You know what, I'm not going to segue to you. Please just take the mic.

Hey everyone, so I'm Michael again. I do Argo things. There are kind of four and a half Argo projects: Workflows, Events, CD, Rollouts, and Helm, which JM, who you saw earlier, helps maintain. So I'm on the CD part; I get one little slice of that pie. And I've been working on Security Slam stuff with Eddie for a couple of years now, and I really love the Security Slam, because as a maintainer it gives me a moment to sort of take a breath and just refocus on some of the things that the industry is promoting as ways to make your project more secure, and maybe I haven't caught up on. So it's a really helpful event for myself and my team. I do want to know, before I go into Argo's experience with Security Slam: how many folks here maintain an open source project? Any, not even just CNCF. So a few. And how many folks contribute to open source projects in any way? Docs, whatever.
Okay, so I'm very maintainer-brained. So what I'm about to tell you about Argo's experience with Security Slam is from the perspective of someone who is trying to help my project serve our customers, our users, better, and improve our software. But I also want you all to kind of picture yourself and how you can fit into that process, because anybody can help a project really make the Security Slam a real success for them each year.

So what we learned with Argo is you kind of need three key ingredients in order for Security Slam, or any effort like this to improve your security, to go well. The first thing is you probably need some kind of champion whose job it is to make this their deal for a few weeks, maybe a couple of months. And as a maintainer, something I've noticed about open source contributors is there's sort of an ebb and flow to how much time people have. Argo has been very lucky over the past two Security Slams to have some folks who, right as it started, were starting to have some more free time, had some energy for open source, and really took on that champion role. So for the last slam it was Justin Marquis. He was working independently as a contributor to Argo, and he was interested in making Argo run better on his ARM home lab. So he was already in our CI pipelines, and he was interested in SLSA 3 compliant builds. He dove in and rewrote our entire build pipeline over the course of like two weeks, a bunch of stuff that I didn't understand about provenance generation, signing images, etc.
And he built an extremely high-level security build pipeline for us. And the only thing that I had to do was be this second role, someone who could look at the PR, do a sanity check, and get it merged for them. Just get out of the contributor's way and let them do cool stuff. So that's the second thing you need: someone who can merge PRs.

The second time around, so this Security Slam, someone who just happened to have some time was Anton Gilger, and he popped in and was writing security insights documents for our different Argo repos. You know, it's important to identify those people and help get out of their way and get things merged. JM was the person who was the PR merger for our Argo Helm improvements. We were like, "Hey, we got a PR. It's going to improve our CLOMonitor score. Can we please get a review and get it in?" And JM just very quickly got it done. That keeps people energized, it keeps up momentum, and it just helps get things done.

And finally, maybe the most important part of any Security Slam effort is: celebrate your wins. Doesn't matter how small they are. After we got our build pipeline for Argo CD rewritten and SLSA level 3 compliant, we bragged about it a little bit. We had some social media posts. And speaking of SLSA 3 compliant stuff, there's the person who wrote it all for us, Justin Marquis. We bragged about it, and we said, "Open source community, this was a lot of effort. This is really cool. Just know that Argo did this." And lo and behold, the CNCF comes along and asks Chainguard to audit our new build process and confirm that it was SLSA level 3 compliant, and then there's a big CNCF blog post about that. So brag about your wins. Make sure that other people know what you're doing, and that just helps build energy and get the security hygiene stuff done.

As a maintainer, I can't thank Sonatype, Google, Eddie, Katie, all these folks who make this event happen, enough. It's, you know, open source.
It's sometimes difficult to get the resources you need. This provides me a point to say, you know, to Intuit managers, people in the open source community: this is something we can rally behind and really make a difference for the users of the different Argo products in terms of how secure our software is. So really appreciate them. Thank you, Eddie, and thank you all for letting me kind of describe how the Security Slam has gone for Argo.

All right, so we are on the next point, and I told Michael not to run off because it's awards time. I'm excited about this. Jacob's excited about this. Oh, I put Jaeger as the first award slide, but okay, you know what, if an Argo award comes up in a second, then I'll grab it. I was supposed to have... oh, oh, okay, here we go. This is extremely helpful. So we made an award for Argo to recognize their contributions not just to their own project but to the entire ecosystem. So I can't scream loudly enough about this, because the Argo project has paved the way for countless other projects to make their own improvements to their projects. Justin Marquis's code is copied into a bunch of CNCF projects. So just really want to thank you for your leadership. Thank you.

Okay, now the next one is Jaeger. I don't know if we have anybody from Jaeger here. What they asked me to do was present the award to a gopher plushie, and I didn't find a gopher plushie. Does anybody happen to have a gopher anything? The Go gopher, you guys know what I'm talking about? None of us have it. Yeah, I don't have it. So I'm just going to take a picture like this. There we go, award has been presented to Jaeger. So Jaeger, they managed to get the Mechanizer and the Cleaner badges. So the Mechanizer is the award for automating provenance and SBOM generation at build time, which is the necessary time, for every release. That's huge.
The Cleaner is an indirect security hygiene set of improvements, which we are also recognizing. And so the prizes for them are going to be some swag, some patches; we're just going to figure out how to get it to them.

Next up is Artifact Hub. Did Sergio or Cynthia make it up here? No, because they have their own duties being with CNCF. Artifact Hub also made some really cool improvements. So the Defender badge is the new one that's showing up there; it's for getting a 100% CLOMonitor score on the security checks. So that's super cool. Let's just get a picture of it. All right.

And KGB, these guys are all European, but they said we're going to present it to a community member after. Oh, yes, please come. Right, so Marina's helping take pictures, if you don't mind coming all the way. Got to climb. Yeah. All right. This is Bradley from Upbound. So wait, let's... how do we shake hands while doing this? It's a left-handed... right. Oh, right-handed handshake holding this. Here we go. We got this. And by the way, for those of you guys who completed badges, Katie is going to help get patches, swag, stuff like that afterward. So don't run off without that.

Capsule. Capsule said that they're going to be here late today. So once more, we're going to take a picture right now, and then I'll take a picture with them later on when we see Capsule. Capsule blew me away.
So you notice we've gotten more and more badges here. So the Cleaner badge that I told you about, the Mechanizer badge, the Defender badge, and this one up here is the Inspector badge. So Capsule was the first project participating in the Security Slam that did a full, not stub, not incomplete, not partial, full security self-assessment. And so it was really huge, because self-assessing the security of each project on a complex level is one of the things that reveals all of the other downstream improvements that are possible that are unique to a particular project. So this is really huge that that one was completed.

And you know who else did it? OpenFGA. OpenFGA was a dark horse. Andres, come on. OpenFGA was a dark horse. So it turns out... yeah, yeah, yeah, everybody come up, come up. It turns out that OpenFGA saw all the Security Slam stuff happening, not by watching the Security Slam channels but by watching CLOMonitor and seeing all these different changes that have been happening. And we just reached out and said, "Hey, do you guys want some credit and prizes for all these changes?" And so you guys went above and beyond; you guys added extra stuff after that. What was the extra stuff that you guys did?

We did the provenance thing, and we merged the security self-assessment that was mostly done but not merged, and we used some of Argo's artifacts as inspiration for that. So again, just thank you, Argo, and the people that were involved in that, that kind of paved the way. That made it really easy for us.

So thanks, OpenFGA. Yeah, let me get out of the way. You guys take a picture, please do it. Do you guys want to stand in front of your slide up there while we've got it up? You can do that too. It's big... that logo is a lot bigger. But that brings us to a close for the presentations for today. The last few minutes that we have slotted off... go back one.
Oh my goodness, stand in front of the slide, he says. All right, thank you guys. Thank you. So Katie's going to help you guys get information for awards. So every single one of those badges is a gift card from the GOSST team, a $200 gift card each, so you guys can choose what to do with that for your project: maintainers, contributors, whatever it is, to do what's best for your community. And we also have a bunch of swag. We made a ton of socks. So this is kind of a pre-celebration for next year. So I encourage you guys to pop over to the site over here in these last couple of minutes that we have to get some socks. If you're a maintainer that completed badges, get your patch, so you can... we've got iron-on patches for you guys to put on a hoodie, a t-shirt, a backpack, whatever the case is. But everybody, everybody, everybody grab some socks to remind you we're doing this again. Thanks guys, appreciate you coming out.