Good. Good. So let's go ahead and start to kick things off. I think our first thing we need to do is to go ahead and pick a couple of scribes for the meeting. Do we have any volunteers? It's a pretty easy process. You just kind of type a little bit about what you hear. Ideally we like to have two people do this so that there isn't any problem if one of our scribes wants to go and talk. I'll go ahead and post the link also to the Google doc here. Please go ahead and add your name to the Google doc as well just to kind of let us know that you're here. I'll add my name right now. Ash is here. That's great. Super. Okay. So Ash has volunteered to scribe. Can I get one more? Somebody, anybody? Oh, okay. Lakshmi. Awesome. Thank you. All right. So we'll go ahead and kick it off. As before, we will start with our introductions. We had some discussion on the list about whether or not we should move away from everybody doing intros, but since that hasn't been settled yet, we'll start. I'll go ahead and start first and then I'll be going by the order of the names inside the Google doc. So once again, please do add yourself there so that I can get an update. So this week has been pretty busy for in-toto and TUF, things like this. We've discussed moving up to graduation for TUF and moving up to incubation for in-toto and had some conversations around that, and we've had some other good things happen with adoption that unfortunately I can't talk publicly about yet. So I think next here is Justin Cormack. Yeah, so I've been working out, yeah, trying to put together a small group with Steve Lasker on reworking Notary. We've had some conversations over the months about reworking Notary to be a registry-native protocol. So if anyone's interested in that, can they ping me?
This is basically so that the Notary metadata is stored in a container registry rather than as a separate store, which means it's portable to move around from one place to another, which is a much-requested thing from a lot of people around usability of containers in lots of situations where you're using multiple registries. So if you're interested in that at all, please come and talk to me or Steve Lasker if you know Steve, and we should be putting together some meetings starting next week hopefully. Great, I know I'm certainly interested so I look forward to joining. Awesome, okay, lots. Hi, nothing to report on security this week. Okay, thank you. Ash? So I've addressed some of the comments in the OPA assessment doc, I think as per your recommendation, Justin, so if everything looks okay. I've addressed, regarding the GitHub issues for the points in the recommendation, I've tried to consolidate those into a single issue. If you think we need separate issues for each point, if it warrants that, we can do that too. But yeah, just let me know what you guys think about it. Okay, I think a good way for us to perhaps go forward with this would be for you and I and Sarah to have a call, because I've been talking quite a bit with her about things, because she really was leading a lot of the in-toto assessment and we're trying to, you know, make that all be fairly uniform. So why don't we set up a time to do that? Yeah, sure, sounds good. Yep. All right, thanks. Radu? Is the plan to present that at one of these meetings once we finalize it? Yes. So the plan is that at one of the TOC meetings when SIG Security gives an update, they'll talk about what their findings were from the OPA assessment. Okay. And the way this happens is somewhat TBD. I was under the impression that we would need to present that earlier, like a week or so ago, but later on it was discussed that we would probably do that at a later time.
So yeah, I was waiting on September 3rd for an OPA update, but it didn't happen. So I thought, what went wrong there? So yeah. Yeah, sorry about that. I think it was, I was reading too much into an email that was sent; there were two conflicting email chains. So anyway, but let's move on. So Radu? Hey everyone, I'm working on integrating TUF and in-toto with the CNAB project, and I'm also interested in the RMX project and the advancements. So I'm working on specifically integrating both TUF and in-toto in a Go project and also interested in running the verification process in a container for reproducible verification. So yeah. Thanks. Excellent. Yeah. I think that'll be of interest to a lot of people here. And obviously don't hesitate to reach out to myself or others if you have any questions or stumbling blocks or things like that. Thanks. Lakshmi. Yeah. So I addressed Sarah's comments on a new member space and that is not merged. The PR is not merged. Okay. Awesome. Thanks. Christian. Hi there. Actually, I have nothing to report on the security side, but I did attend a webinar that brought up a pretty good point about default configurations. And I was wondering if we have a list of insecure default configurations for a lot of popular open-source software. My take would be to put it into some of our learning docs to make sure that when we present to students, you know, it's something that we say, hey, this is not secure. Let's make sure to customize it. So I was wondering if we have anything like that in the SIG? I don't hear anybody else jumping in. I'll say I'm not aware of it, but I think we should have it. And I think this would be a great thing to create an issue about and to start a discussion on. I think this is an excellent observation.
There was some conversation at one of the conferences I was at recently about working with open-source projects so that in their docs they provide a secure configuration point, or point out areas in their default configuration that are not necessarily known to be insecure, but where there is a more secure option and why somebody would want to use it. So I don't know if that effort went anywhere, but that was one of the topics that we had. Yeah. Is this Emily Moxie-Foxie, whatever your username is? Yes, that's me. All right. Sorry, just trying to put a name to the voice. Sorry, go ahead. Oh, yeah. Actually, one of the points in that webinar too was that a lot of projects do this; some of the ones that they identified were AWS and Google, they had recommendations, but the tendency was that users would tend to just blow through those and unfortunately go in with insecure configurations. It's pretty interesting, not a lot of content, but pretty interesting. Great. Yeah. I think that would be a good thing to discuss on an issue. Mark. Hey guys, nothing new on this side. For those of you that are interested in the privacy side, I thought I would just mention there's a public comment period that just started for the NIST privacy document, if that's of interest. So pop in and offer your opinions. Is that it from me? Great. Great. Thanks. Carlos. Sure. Well, pretty much we continue working on this Docker technology and we need some help with Docker Content Trust and Docker Notary. I don't know if the guys from Docker are on the forum, if you can just send me a couple of names. Yes. That's me, Justin Cormack. Okay. I can talk to you in a couple of minutes or send you my questions via email and we can talk. Thank you, Justin. Awesome. Okay. Brandon. Hey, so mostly I've been working on continuing the encryption stuff.
We've been working with Red Hat to integrate it with their stack too, and we've started trying to see whether all the registries are kind of up to date with the OCI images and stuff like that. So that's going well. Actually, so Radu, don't mind if I send you a message after that. I'm kind of interested in the CNAB stuff and this is kind of semi-related to Justin, the discussions that I wanted to have on Monday as well. So yeah. That's it from me. Okay. Great. Emily. So some great news regarding Security Day. We have 66 registrations as of yesterday, 22 submitted CFPs and another 18 that are in progress. We also now have a total of three diamond sponsors and one gold sponsor. Sponsorship sales are going to close on September 20th. So let Kathy or Amy know if anybody else is interested in sponsoring, and you can drop that into the SIG Security Events channel. That's about it for updates. Wow. That was fantastic news. Terrific. Okay. Christian Kemper. Hi there. I'm Christian and I work for Google Cloud Security. Nothing new to report for this group for this week. Okay. Thank you. Avinav. Hey guys. I'm from Frame.io. Nothing new to report on the security side other than working on cell call on Kubernetes. Okay. Thanks. John. Nothing to note at this time. All right. JJ. Hey, I think the SIG Security Event, Emily gave an update. We do have a regular sync with Joe and Liz where we get the directions for some of the prioritization and work. I'll keep you posted on that. We have one that's coming up. So for the next meeting, I think I'll basically be able to bring some information back. But it's also going to be good to get what the group wants as clarity from the TOC as well. That's about what I have. I do have an agenda item to discuss at the end. Hope we can get to it. But I added it in the agenda. Okay. Sounds good. Yeah. We'll get to those later. Okay. Erica. Hey there. In the updates from the Kubernetes Policy Working Group, we have a couple of items.
We have progress we've made on some formal verification for the policy configurations, starting with the RBAC access controls. We kind of have a plan and we're starting with some of the modeling for that. The proposal, you can see, was merged into the SIG Security repo under policy. So check it out if you're interested in that. Some other related work: we're kind of just keeping tabs on OPA and its Gatekeeper project, which is moving; I think they're making plans to kind of get it towards a GA stance. It's investigating its possible use as a recommended replacement for pod security policies. And also, I guess, KubeCon North America in San Diego in November, the schedule was announced. We will have, I think, in the contributor summit, we're looking to do a workshop with some of the verification work. Great. That's me. Awesome. Okay. TK, I think you're the last one who's put their name down. The last one, but I don't have anything new to put. So, three of my ancient items. Thanks. Well, thank you. That explains why no one was answering. I said, okay, thanks. And has anybody been missed? Anybody whose name is not here that I accidentally skipped? Let's give an update. Okay. So now that we've completed the initial check-ins, now we are supposed to have check-ins from partner SIGs and working groups. So does anyone from Kubernetes SIG Auth want to say anything? Okay. I can only report on some of the discussion we were having about the pod security policies. Okay. Can you post a link to that in the meeting notes? Because I couldn't actually find it. I tried to find it in two or three minutes, but I couldn't immediately. I can also add links to the meeting notes and related issues. I'll go find them. Thanks. Okay. Okay. Right. The Policy Working Group. So, I guess, Erica, would you like to talk about that? Or would someone else? Yeah, I think it's basically the same as what my personal update was. That was kind of it. Okay.
How about the Kubernetes Security Audit Working Group? I'm not personally familiar with that myself, I don't believe. Okay. We had one of the people in here a few weeks ago, but I don't know. Okay. How about the big data working group? Yeah. So, we are working on the overview document for that. We have a tech writer who got assigned for that. Probably not too much interest to this group at this point, but it'll just make it easier to read the eight volumes of that when it finally gets out of NIST review later this year. Okay. That'll be good bedtime reading, I'm sure. Awesome. Okay. How about, now it's time for the PSA for meeting facilitator. JJ, I think you're going to lead this off. Yeah. So, I mean, first of all, thank you to the few people that raised their hand to be the meeting facilitator. It's tremendously useful both for the person facilitating and for the team to get a broader understanding. So, the main idea is to become a full-on distributed system. So, anybody should have the context around the meeting at any time eventually, but I think we do need some form of guidance in that aspect. So, there'll be a few people running this. The other agenda item that I had, should I go over that as well? Justin? Yeah, yeah, sure. Do you want to, so there's three facilitators, Brandon, May, and Jerry, who have volunteered so far. If anyone else? Yes, and I'm somehow the first one doing it. I don't mind. You should add Jeff's in the stairs. Yeah, I should probably be added there. I think you should open up a pull request. Justin? Will do. Yes. So, there's a list of, if anyone wants to become one, there's a list of criteria to check off. And I think it's a rather straightforward set of things that you've participated in, in the processes of the group, so you know what's going on. Yeah. But yeah, JJ, do you want to go through your agenda item? Sure.
So, one of the things that I, this relates to the initial comment that Cappos was making as well in terms of scrapping the early intro. So, one of the things that I noticed in our group is there are people with varying expertise in different areas of security. So, I was thinking if, as a team, we had a page where we could basically list our name, the subject matter expertise that each one of us has, and our willingness to be approached for that area of expertise, whether it's questions, comments, or injecting them into a review process in that area. If that can be specified, then it helps all of us tremendously in terms of just being efficient at getting stuff done. So, that was a thought. I just wanted to bounce that idea off. What this allows us to do is also skip intros, because at any given time people will know who people are and then we don't have to keep doing the intro every single time we meet. So, that was an idea that I just wanted to bring up to this team to see, A, what we think about it, B, if there is someone who's passionate; it's not going to happen unless there is someone who's passionate in driving that effort to completion. I definitely think knowing what people have expertise in is really useful if you want to find someone to help you with something, or for people to ask if they need to understand an issue or something like that. I think it is definitely helpful to have a go-to kind of list of what they're doing, because often it's difficult, and especially now there's quite a few people and people have difficulties. If people are not around constantly, they won't necessarily remember who it was at the meeting who was interested in X that they were also interested in. So, I'm just wondering, because I was thinking that if someone would be interested or wants expertise in something, should we say that they should create an issue and then we can have a discussion on that so, you know, multiple people can chime in.
Also, because it seems like the SIG Security Slack channel might be... Sure, yeah. I think it's good to have the list that you're suggesting, JJ, that's useful. But I think the stand-up is not just the introduction, it's more about what people are doing, and I think that's great as well. So, having both could be useful, but replacing the stand-up with the list would not be helpful, that's what I think. I mean, maybe we just need to streamline the stand-up so that people put their names down on the list if they've got something to say before the start of the meeting, so it's just quicker and more efficient. Yeah, okay. So, yeah, I mean, I obviously think both would be useful, but any volunteers for getting the initial list on our site, which basically means work involved in sometimes pinging people, getting a page in place where people can come and add stuff? So, I have kind of a question about this. I'm imagining stepping in, so what sort of entry would that look like? Like, how do people talk about what it is they've done without just, I mean, linking to their LinkedIn or their Wikipedia page or whatever it is? Good question. So, that's another thing that came up when we were discussing: should we be prescriptive about a category of things that we would want people to say, like, I'm an expert at this, or should we let it be free-flowing in terms of describing what it is, in which case you can put your Wikipedia page, LinkedIn page, LinkedIn post. But the more specific it is, the easier it is for us to tap into somebody for help. The more generic it is, the more descriptive it is, it's just not going to be effective. Say, for example, security audit: if I want to get guidelines for an audit, then Cappos, I can ping you, versus going and looking at the Wikipedia page and then figuring out Cappos may be able to help me with the security audit question. So, good question.
I mean, I don't know, I just want to hear people start out. Yes, so you triggered something that I've been thinking about, which is we have this landscape and we have these notions of projects, and so maybe one way to do this would be to have people signal that they're interested in things related to either projects or gaps in the landscape where we hope to one day have a project, because then it pretty naturally falls along the guidelines of the group here, which is all, at least allegedly, you know, cloud native interested. Yeah, yeah. Now I'd like to, yeah, I'll shut my mouth now and wait to listen to others in terms of what they feel. I agree with that suggestion, I think that makes more sense, that's a bit more prescriptive and more meaningful and very contextual. Yeah, maybe it needs to be in the sort of size of sub-projects. I mean, take the example of what Brandon's working on, encrypted container images: that is useful in the short term while he's working on that over the year or so, and other people might be interested. That's not a project per se, but it's an area of focus within a project, or more than one project, and things like audits are a kind of cross-cutting thing, or supply chain security is a cross-cutting thing that you might want to say you're interested in separately from projects. Yeah, so what if, JJ, you may already have this, you define these 10 things that you need expertise in and you can subscribe to those categories, so that you can just say I care about audits, or, I don't know, security something, whatever 10 categories, and people can then say okay, my expertise is audits, B, C, D, whatever it is. That could be helpful too, if you define the high-level categories for the expertise that you're interested in.
Yeah, I mean I'd be happy to. Since you sort of raised your hand, I can sort of ping you to create that category with you and go back with Cappos. Sure, yeah, okay, yep, I think I can follow. I mean, Cappos, if you want, if you're taking the lead, I'll definitely be available to help, but if you want me to, just let me know. Sure, yeah, go ahead, it's your idea. I'd rather see your vision and help to make it a reality than impose mine. All right, so we can follow through on this offline in Slack and issues, then I'll spin off an issue. Awesome, okay, so do we have any other items here on the agenda? I don't spot anything. Is there anything that we missed or anything someone wants to discuss? I have a quick question related to how SIG Security works with other CNCF SIGs. So there's a newly formed CNCF SIG App Delivery and we're very early in the process of defining everything that the SIG is working on, but essentially it's working on the lifecycle of a cloud native application, everything from definition to deployment and rollout automation platform, and I'm wondering what's the relationship of SIG Security with other CNCF SIGs with respect to how they either recommend security measures or anything related to how they operate together, how they work? I think we don't really know, is the straightforward answer, because we were the first SIG and we haven't interacted with SIG Storage, so I think we need to work this out still. Specifically I'm asking because there are a bunch of things that are interconnected: there's the security story for the Artifact project, there's the security story for CNAB, and most of them are in the same space and I'm really looking forward to not duplicating efforts in all of these projects.
We can definitely do reviews of those projects, because that's something that we are doing, so if we want to prioritize having a security review of those things. But for the bits where they're being designed, I don't know if we want to have it; I mean, obviously I'm interested and other people are interested in the work that's going on, but I don't know if it makes sense for SIG Security to have an official role working on that or whether just some of the people involved want to work on that. That also makes sense. I just wanted to, I don't know, JJ, what do you think? Sorry, can you repeat that? I was just saying that we haven't officially had any working relationships with other CNCF SIGs because they're all quite new compared to us, so we could obviously do audits of projects that SIG Apps are interested in having audited, because that's something that we definitely do, but I'm not sure if we have any way of having any other kind of working relationship other than people in this group who are interested to work with them. I don't know if there's any official way we should work together or could work together. So when we started this group, one of the ideas that we had floating around was people from our group representing in their meetings and then trying to approach somebody, like there was an active portion happening from their meeting to take scope on ours. It's not a scalable model by any means, right, and I think it's just going to involve a lot more on people than on process. So the short answer is it's a good idea; I don't have a good way to make that happen. In the TOC meeting we could try and bring that up in terms of whether they have any suggestions to allow collaboration between different SIGs, but yeah, it is good. If that doesn't happen, I see your point, if that doesn't happen it gets more and more divisive and more and more isolated within the CNCF.
I would encourage you to raise this as an issue on the email thread to CNCF, because it's pretty valid and I think Liz at least might have some inputs and suggestions on this. I'll definitely chime in based off of our understanding on that, but it'll be good for you to bring this up to the broader CNCF. Speaking of these different categories and such, I brought up an issue a while back and never heard many comments on it. That has to do with edge security: whether we should be concerned, from the CNCF perspective, whether edge security should be part of our scope, and if so, how do we deal with it. I think I referred to a Linux Foundation group that addresses edge security at that time, and I was wondering whether, collectively, we feel like we should be aligning with those folks. My understanding, the last time that I met with them at a conference, is that they haven't done very much, but they are concerned about edge security; they would be very receptive, I suppose, in that perspective. Anyone has any comments? They just released a white paper, which was posted in our Slack about 10 minutes before this meeting, so I had a quick chance to look at it. I mean, I'm interested in edge security because we're working on various issues of it, but it's a kind of niche interest, I guess; a lot of people are not interested in that.
Yeah, unfortunately I'm not in this Slack group, so probably I missed out on those comments or anything, but I personally feel that there's more and more interest in edge processing, from many different technology perspectives, so that's kind of coming to the ecosystem regardless of where we decide it; it will exist. The question is whether we have the capability as well as the interest to, you know, include that as part of our at least concern, or something that we should be looking for, because it's getting very difficult to put a demarcation line to make it, you know, completely segregated, cloud versus the edge, especially from a security perspective. Well, maybe what we can do is, it feels like this is an issue that should be a subgroup that's interested and focused on edge. You know, I am a person who is interested in this, but I can imagine that others on the call may or may not be. So maybe what we can do is move that to a side discussion and arrange other meetings for it and have more follow-up there. There are also potentially some edge projects that we might be interested in, and I guess I'm certainly aware of some down the road potentially. Yeah, that would be great. Moving further into that purview, I think, would make sense. I don't know, maybe I'm being premature with it, but it feels like right now we probably shouldn't dive too far into that rabbit hole on the call. Are there other agenda items that people want to discuss in this meeting? This one that I wrote down, it's kind of, I think it's more clarification for myself. I wasn't sure, I may have missed a meeting, on what was happening with the current security assessments with Keycloak and Velero. Are we kind of just pushing Keycloak back, and then are we doing teleconnects?
I think we're waiting for guidance from the TSE, which JJ is hopefully going to give us next week. Okay. On how they want us to prioritize things. Okay, all right, this sounds good. Yeah, I think I missed a discussion. All right, anything else for this meeting? Don't forget to submit your talks before Friday first. Yes, and promote that; the more we get the better it is. Thank you so much. All right, sounds good everybody. Enjoy your 20 minutes of time back and talk to everybody next week.