Hey Brandon, can you drop the agenda into the chat? You're on top of it. Yep, I was doing that while he was just saying that. Okay, so for those of you that are just joining us, check out the chat; it has the link to the agenda document. Go ahead and list yourself in the attendance and we'll get started shortly.

Great, so while everybody is going through and adding themselves, welcome to the first SIG Security meeting in December. We are going to go ahead and get started. We don't have very much on the agenda, so we'll probably just be doing a new member welcome and kind of discuss a little bit about what the SIG does. Looks like I'm going to be the facilitator today. So what we're going to do is, if you're new to the call, go ahead and click the link that Brandon posted in the chat. That is our agenda document. Add yourself to the attendance list. If you have an update and you're a previous member of the SIG, go ahead and just put it in the parentheses next to your name that you have an update, or if you don't, put "no updates". If you're a new member, go ahead and click on the attendance list and, if you're new, go ahead and introduce yourself, like, why are you joining the SIG or what are you interested in? Brandon, did I miss anything?

No, all good. I was curious who Emily's talking to on the phone, and she's talking to us.

I'm talking to you guys. I got new tech and I'm still working out some things with it. All right, so I'm Emily Fox, one of the co-chairs of SIG Security. I've got two awesome counterparts. JJ is one of them and Sarah is the other. I know JJ is on the call. I'm not sure about Sarah. My only update that I have today is that we had Cloud Native Security Day during KubeCon and it was a huge success. So thanks to all of the program committee members that helped make that possible, as well as thanks to the CTF team for coordinating and running over 300-plus misconfigured clusters in seven hours. That was really awesome.
And the attendees of the Security Day had a blast doing the CTF. So definitely planning on doing that next year for EU. There is an issue open for planning associated with that. We closed down the program committee, and I think there's like one other person I have to add to the CTF team, so that'll be closed out shortly. So keep an eye out for that. Mark, you had a brief update or announcement.

Sorry about the delay, hourglass. Well, I'll go without video. Sorry about that, folks. What I wanted to share was the NIST, what was the NIST Big Data group, is morphing into analytics as a service. And they're preparing a presentation, probably to this group, really soliciting input to kind of frame up what the needs might be in this space, and just to get ideas from this group and then to get some steering to see if maybe that topic needs to be briefed elsewhere. The genesis for this was an Indiana University project called Cloudmesh that's on GitHub, but that we're kind of reformulating to try to leverage analytics as a service. The use case that's of interest to me, and probably other people in this group, is analytics around information security and probably telemetry writ large beyond that. Stay tuned on that. They're talking about it for late in December. That's probably poor timing, but that's what they're looking at for now. I'll summarize that; no need to make notes. I'll put it in the notes.

Can you make sure that we have an issue associated with that presentation, so we're tracking it? We'll do. Okay. Brandon, you're the next one with the presentation, or with an update.

Yeah, so hi. I'm Brandon. I'm a T of it for security. So I just wanted to kind of have a quick update. I was chatting with someone from the Red Hat team. They are working on this new project they call Rico recall, I can't pronounce it so I'm not going to try. But the idea is, it's a project that's public. It's going to be a ledger kind of aimed at recording information about supply chain.
So it's going to be a similar concept to certificate transparency. As I said, it's going to be, you know, like supply chain versioning and signing transparency. So they started a project and I talked to them about coming to present to the SIG, so that's something that probably will happen. It's going to be mid to late January.

Okay, thanks Brandon. Pop, you are new. Introduce yourself.

Hello everyone, I'm Pop, Pop Andrea. I work for Sysdig and just wanted to join in and say hello to everyone. Thanks and welcome. I know some of these faces, I know some of these names, but those I don't know, hello.

Yeah, hi folks. I'm Matt Jarvis. I'm a developer advocate at Snyk. As Pop said, there's quite a few folks who I know on this call already. Yeah, and just super interested to get more involved with what's going on in security across the whole ecosystem. This is the first kind of proper security-focused role I've been in and, you know, opening my mind to learning. Awesome. Thanks for joining.

Chris Davis. Yeah, hi, I'm Chris Davis. My coworkers and pretty much everybody call me Davis, which is why my Zoom name is C Davis. I work for amazee.io, and we have a product, Lagoon, which we have plans to try to donate to the CNCF eventually. So, I'm a security engineer there and I'm just trying to keep our product as secure as possible, and immerse myself in the security world at the same time. So, great, it's wonderful to have you.

John. I'm sorry if I mispronounced your name. Yeah, no problem. It's Zola. Yeah, so my name is John Zola. I am the CTO at a small security consulting company. And we work a lot in this space and I'm an Apache Software Foundation member and a big fan of open source, somewhat new to the CNCF in general, but interested in getting more acquainted. Awesome. Great.

Have you a look right. Yes. Hello, I am a low class, I am from India. I am working as a security analyst at the non stack.
And I am here to explore more about the security domain. Great to have you.

I'll tell you. Hi, everyone. Sorry, I can't turn on my camera at the moment, but just wanted to introduce myself. I work for a company called Security Compass in Toronto, Canada, extensively involved in a number of different working groups, and I know some of you here from this working group as well, and I look forward to collaborating with you to help us extend the body of knowledge of security going forward. Thank you. Excellent. Thank you for joining.

Jacob. Hey, everybody. My name is Jake. I'm a DevOps engineer in Missoula, Montana. I have a little bit of background in security from several years ago. I used to work at Sourcefire. I was there when Cisco did the acquisition thing. I'm going to be my data days just with DevOps and Kubernetes. I'm looking for a way back into the security space. So, Micah spoke at AWS Container Day a couple weeks ago and he sort of put out an invite to join the SIG, and I was curious, so I wanted to check it out. So, thanks for having me. Awesome. Thank you for joining.

Yeah, I've actually been through a few of these meetings, but I'll go ahead and introduce myself again. I'm Tanner enough. I run cloud native security architecture for Lowe's. So I'm responsible for all the public clouds, all the Kubernetes services, all the hyper cloud implementations, all of our open source implementations. I've got a lot on my plate. So, but it'd be interesting, I'm interested to get to know the guys that are actually creating the foundations that we're looking to use. Awesome. We're happy to have you back.

Andrew Martin, do you have any updates for us? Andrew, I think your mic's on your head. I don't know if we can hear you. Thank you so much, sorry to interrupt the flow. Yes, just to say thank you to everybody who organized the Cloud Native Security Day. It was really a wonderful thing to attend, and everyone who assisted with the CTF as well.
It was a roaring success and contributed to by volunteers, so just extending copious thanks to everybody.

Hi, yes, my name is Daniel Tobin. I'm currently security lead for a data layers startup called a Cyril. We've been working with OPA with our product and I've been in the security space for a while, so wanted to start joining this thing. So thank you.

Finally, you're on mute, if you're talking. Oh, I think it sounds like she's on the phone. I'll continue then. Diego, come on.

Okay. Hi, everyone. I'm Diego. I'm here and I'm quite excited to try to contribute and get more involved in the CNCF, having been working in cloud security matters and cloud native security for the last few years. Yeah, I'm working in a company called message work, which starts communications. Yeah, I'm happy to see everyone, on certain faces that I know already. Awesome. Great to have you.

Ricardo. Hello. So I'm Ricardo. I'm Portuguese and I work in a consulting company in Paris. It's called silence and I'm a cloud and security architect for them. And I'm starting to work a lot with Kubernetes and security and so on. So it's my first time here, so I hope I could help, and I'm here to learn a lot, I think. So thanks a lot. All right.

Amy, do you want to do your PSA? Maybe we'll see if everything works. Public service announcement is that the EU CFP closes December 13, which is much, much sooner than I think you all expect. And yes, my comment is basically like, yes, please get your CFP things in. That is a Sunday. Yes, and this is for KubeCon + CloudNativeCon Europe, not for Cloud Native Security Day Europe. Correct. There will be different calls for that. But wanted to be able to just get a quick note in that the CFP is coming. So, Amy, is this a virtual event? Yes, this is the virtual event. We are currently scheduled, cross fingers everyone, for an in-person October event with virtual components. Awesome.

Okay, next up Raj Shrestha. Hi, I'm Raj.
I'm based in the Seattle area, work for a company on the East Coast, Unices. And we started our cloud native journey two years ago, where I'm an architect leading our move to Kubernetes and the cloud native stack. So excited to be here. I saw you guys at KubeCon North America and was interested to join. Thanks for inviting. Awesome.

So that's all the new members that listed themselves in the attendance. Was there anybody on the call that I missed? If so, please speak up. So for everybody that is a new member, welcome. We have a new members page that has some information about being a member within security and some things that you can potentially get involved in. So I just want to recap a couple of things first. When you join a couple of meetings and you get involved in the group, you can do a PR and add yourself to the members list. Brandon posted the new members page in chat for those that are having trouble finding it. If you're interested in going through and doing a little bit more with this SIG, we do have lots of issues that are open and several of them have a help wanted on them. And it's a great way to get familiar with the documentation that the group has and some of the efforts that are working on. Brandon, would you be comfortable talking about the security assessment working group and kind of what goes on there?

Yeah, so for those that, let me do a quick introduction to those that are new about what security assessments are. So security assessments are a process that we go through with a couple of projects in the CNCF. The idea is we help the CNCF really evaluate what the security posture of a project is, provide some recommendations to the project as well as for the CNCF as to what is the security state of the project in terms of it, as it's moved from sandbox to incubation to graduation. We've done a couple of these over the past, I would say, a year and a half.
And recently we decided to get together to kind of brainstorm and see what aspects we can improve on, what aspects we can change and kind of like optimize and document better. So we split into a brainstorming group and we came out with a couple things that we were targeting. So for those that are, actually, you know what, I am going to share my screen; that will probably be easier. All right, can anyone see my GitHub picture? So assuming that you can see this, if you go into the repo, into assessments, there's a quick overview of what security assessments are, what we've been doing. And if you go into projects, you can kind of see a couple of examples of what we did. So for example, I think the most recent was the Keycloak one and it's briefly inspired. So if you go into this we can kind of see what the security assessment is, in terms of this is the overview and kind of the recommendations that we come up with. And also there is a self-assessment document, which is really a nice overview of what the project is about, what are some of the security considerations and so on. So after doing a couple of these we decided to kind of see how we can improve it. So we got together and brainstormed and we have these issues here. So if you click into the security assessment label on the issues you see a couple of these. And there's like "security assessment workgroup" as a prefix in the title here. These are what we came up with. So for example, if we looked at getting more reviews for security assessments, we talked about some of the ideas that we came up with in the brainstorming. And, you know, this is, for example, a good first issue to look at: you know, how can we attract more security reviewers to conduct security assessments, because we are volunteers. This is on a volunteer basis.
And the idea is that if you're interested, you know, we'll put more information into the issues, and then you can create a PR to modify the documents or be able to create these incentives for reviewers. So there are a couple more that are out there. So, you know, there's some about improving the process, some about mapping it more to the TOC process. So then if you want to get involved with more the CNCF side of things, how the activities relate to the CNCF TOC and the general project process, then this may be of interest. And that's a whole range of different activities, right. So if you are looking at, you know, naming the scope of assessments, whether we should include, you know, security code analysis, for example, then this would be an issue to look at. So this is a couple of issues that we have today. So, I would say, if you're interested, take a look through. And if any of them are of interest to you, just, you know, put a comment on the issue and then we can chat from that.

Thanks Brandon. JJ, did you have anything that you wanted to talk about?

I think most of it is covered. And again, thanks to the team for pulling together the Cloud Native Security Day. And kudos to Emily for driving the whole thing. For the people that are new, I do want to mention the white paper as well, the effort that we did. It's available on the repo. There is a link; I'll post the link on the scribe link that's posted. I just put it there. So that is something that we've done. There's a lot more work there to be done. Vinay, Aradhana and Brandon and Gadi have been phenomenally helpful in shepherding some of those things as well. Reach out to any of us if you have anything that you feel like you can contribute there in addition to assessments. There's also the policy working group. This is again for the people that are new. There's also a policy working group that's actually running in the shared time zone.
And they have a bunch of interesting stuff that they are working on. It's currently primarily focused on Kubernetes security policy stuff. But that's again something that you can go drop in and listen and learn more. That's it. That's all I had.

I had a quick question about the white paper. I thought it was a fantastic piece of work, by the way; it was really, really good. Is it considered like a living document that's going to, you know, change over time, as opposed to something that's just done?

Definitely. Yeah, so the white paper, as is currently written, is considered a living document, because technology is always subject to change, as is the security of that technology. So the white paper, for those that haven't read it or have it, is designed to be kind of a high-level understanding of what you need to do for end-to-end security for cloud native products, applications and architectures. It is not intended to be a deep dive into any particular technical area that the white paper touches on. So if there is a particular subject area, such as container encryption or image scanning or something else in that space, where the community lacks clear documentation on best practices or how to move forward in that area, those are all eligible to become independent documents that can be referenced back into the white paper. So we definitely see this as an evolving space. As we were going through and writing it we realized that there were quite a few areas where security was just still very young and we have a lot more work to do, so as we identify those, we research what products are already in the space and then create additional documentation for it to better help the community. And a lot of the framework that's in the white paper, as well as some of the topics that are touched on, are going to be contributed into the CNCF landscape to help end users and customers and businesses and architects kind of navigate a little bit more about how these components work together.
But if you've read through the white paper you'll notice that we purposely try to avoid calling out any single product to solve a particular space. And that's kind of where the landscape comes in.

I had a quick question on the security policy working group. How do we integrate all the good work that they are doing there with this working group, because obviously there's overlap, right?

Yeah, there is definitely overlap. It's a work in progress. I have an open issue to figure out an integration path between them and us. They've been integrated way back from the repo standpoint and then their work goes on a living document that's attached to that. But it's a work in progress that I'm working on.

I have one more question on the white paper, if appropriate. Given the source is in Google Docs, and if we want to keep that updated and easy to modify, do we want to turn that into reStructuredText or markdown, check it in, and take contributions there? Or do we want to do a new copy in Google Docs that's like the future version? What do we want to do there?

So everything for now should be managed in markdown in the repo. So the most up-to-date version of the document is what's in our project in markdown. And as we continue to add and modify and create more content for it, we'll have some minor updates. I'm expecting, after talking with the CNCF team, that there will be a PDF publishment on every release, so when there's a significant content change to the document then we'll do a PDF first. And since I see a lot of new people, I also want to reintroduce our TOC sponsors for security: Justin and the studies. Justin, do you want to say hello?

Hello, I'm Justin. It's just really nice to have lots of new people here and I'm ready. It's really exciting, all the things that we can do together. And Amy is sort of like the backbone for the entire SIG Security that nobody sees, but she's been instrumental in bootstrapping a lot of structure to the group as we got started.
That's mostly what I have. Yeah, I am your friendly neighborhood program manager. Howdy. I can buy I do things. She makes magic happen. Yes, she does.

So that's kind of like all that I had scheduled for our agenda today. I'm expecting in the next week we'll have a little bit more formal things to cover on the agenda, some topics of discussion and maybe going through a few of the issues in the tickets. Or, I don't know if we have any presentations coming, but those are definitely always eligible. So if you've got something that you potentially want to talk about at a future meeting, there is a proposed agenda topic section at the end of the document. So just throw that up there. And if you have a particular date you're interested in talking about, also tag that in there. That's all I have. Anybody have anything else?

I would say also, if you are interested in anything, that's an issue, and in the positive people interested in the issue we've seen it kind of time to project on it. So now we will bring it into kind of discussions that we have during the meeting as well.

Can I ask a question? And I'm sorry, this might have been covered, but is there any low-hanging fruit or something? Like I just want to pick up something and help out the, you know, the group, right? So like where would I find that, like, hey, here's something that we need help with, for anyone that's joining that's new?

I would say if you go into issues and select the good first issues. I think there are a couple out there. Or even if, you know, if you're new and you're reading through the documents and you see something in them, like a formatting thing, or like things you think could be improved, you can just like create a quick PR and make some small corrections. I appreciate it. We're also in the process of assembling the crew for the Buildpacks security assessment.
So if you want to join that, you can join in different capacities. I am leading the charge from the review side, and you can decide how much to put in, if you want to be like a full-on reviewer or you just want to observe the process and like externalize from that document some of the things, or just like hang around; we have meetings that are open.

Is there a concept of shadowing? Because again, I'm not comfortable taking the process, you know what I mean? Like is that the concept?

Yes, there is. Okay, pretty much. That's what it is. So, welcome to do that and shadow, and like you can shadow in a more active way and get feedback and ask questions of why is this being done this way. And Brandon gave a great overview that might have piqued the interest of some people, but you may want to learn more of like the inner workings of the assessment and what actually goes down, so that's a great way to do it. People have done it before.

Awesome. That's definitely something I'm interested in. I'll speak to you, I guess, in the channel, or whatever. Yeah, I'm saying here that's something I'd be interested in getting involved with as well. I put the issue in the chat so you can just click on that. Yeah, I'm stoked to camp with extra hands of like capable, like motivated people. So, right on. I mean, especially the cross section, I mean you got Matt from Snyk and you got me from a runtime perspective, you got everything. You couldn't ask for a better, you know, group, so I'm excited for this. Likewise.

And for new members, as you participate in some of these, and if we haven't gotten the assessment process updated yet, your feedback is definitely going to be appreciated as newcomers and like a fresh set of eyes on these things.

I will also say the supply chain security catalog is also something that could help, if I think we are looking in there for new compromises, and also we are kind of like lacking a section there on remediation.
So just like types of attacks, and then we're talking about mitigations; there's a lot to say about that. So if that's something that you're interested in, that could also be something cool to work on.

So the supply chain catalog, for those that probably have not discovered it in the repo yet, was an effort by one of our members as part of the in-toto assessment, I believe, and it's actually done a lot in that space. We've begun kind of analyzing a little bit more of the supply chain attacks that are occurring in industry and the different ways that teams and individuals can kind of mitigate or resolve them when they occur. And a lot of the information that came out of that catalog collection was incorporated into the white paper for how we kind of defeat some of these potential attacks from surfacing for organizations and teams. So it's still very young. There are a lot of attacks that have been happening. So if you're familiar with something that's not covered in the catalog, be sure to read through the definitions to kind of get a better understanding of how the attack occurred and what the ramifications were. Sometimes the articles do an excellent job of breaking it down and sometimes they don't, so we kind of have to speculate a little bit about how it could have happened. Definitely, that's an excellent point Brandon brought up, that we would love to have some attention from the community to kind of make that a little bit more robust and bring it up to the 2020 timeframe. Well, late 2020.

If nobody has anything else, I think that's it for today. Thank you very much. Yeah, I'll give everybody 24 minutes back. Enjoy your day and thank you all for coming. Thank you. Thank you. Thanks for writing it. Thanks everybody.