And yourself, Gareth. Excellent. So we'll start down the attendance and just ask people to check in, say who you are. I'll go first to give an example and then I'll go down the list that's written in the attendance. My name's Sarah Allen. I am one of the co-chairs of SIG Security. And this week, or since the last meeting, outside of my role as co-chair, I helped one of our members escalate a security issue to Facebook through the time-tested channel of sending email to random people I know. So I would welcome feedback on that offline, outside of this group. We specifically said we are not serving that role of being on deck for actual security vulnerabilities. The focus of this group is to look at how to prevent future security vulnerabilities, because we don't really have, we're all volunteers, and we're not really in a position to be on deck for a problem and ready to respond quickly. So that was pretty exciting, and I think that helped. And then I'm thinking a little bit about audio-video security, and how do we know that audio-video streams aren't tampered with and stuff like that, because in my day job I'm looking at audio-video streaming. So that's my non-SIG update, but interesting little notes about security. And on the SIG, I started a little set of repo highlights. So I helped Brandon land the conflict of interest guidelines by nudging my co-chairs and various people to review and give feedback. So, Brandon, thank you so much, if you're on the call, for making that happen, even if he's not on the call. Yay, Brandon. So that was a little long update from me. Everybody feel free to give an update that involves the SIG or not, other security-related things in your life, because that's always interesting to members of the group. Next, Justin Cappos.

Yes, so in the past week, Santiago presented a paper on in-toto, which of course we all heard about and reviewed and did an assessment of, at USENIX Security. It was very well received.
We also have been talking a lot with folks at, I don't want to break out an emitting case, I'll just say one of the big five tech companies, multiple product teams that look like they're starting to integrate it. So more to come on that soon. Now, on the TUF side, TUF is going in for graduation quite soon. So I've reached out to a few people to ask them, if their company is using TUF, to please go ahead and just post something on the issue. And we would appreciate it if anyone here knows folks at Oracle, Cloudflare, DigitalOcean, VMware, which are, I think, some of the big companies that I know we're missing. I've put a note for the pull request here, but I got folks from the automotive space and I have folks from Microsoft and Datadog that have already said that they'll post something. So yeah, hoping to see more of that kind of support for the graduation PR for TUF.

Great, thanks, Justin. And Emily.

Yes, quick update on Security Day. Michael and I had our call yesterday and we're kind of waiting on a couple of things to happen regarding the security event. We need some more information about where we stand with sponsors, getting access to the CFP so we can see if anybody's going in. We're also looking to get a response about CNCF potentially doing a Twitter post about the CFP that went out for it. There's a couple of action items that are dropped in the SIG Security Events channel and we're just waiting on a response. I did submit the PR that was merged in for the Security Day website content, but it doesn't look like the website is done yet. So we're kind of in a holding pattern until we get some more information about where we're at and what's going on before we can continue to move forward. So that's about it for me. I did update the supply chain issue and we're gonna talk about it a little bit later regarding a new article that came out.
So I was hoping everybody's gonna pay attention to that and chime in.

Great, I put that on the agenda. Thanks, Emily. And then Michael put the CFP in the chat. So I wanted to touch on that a little bit and I put that on the agenda too, so we'll circle back. Mark Manning.

Hey, this is Mark Manning. I work for a company called NCC Group doing some security audits, and we have an internal team that is gonna try to be more involved in this group to see if we can't help out doing more security-related stuff before it becomes an issue in Kubernetes. So this is the first time I've been on one of these meetings and I'm kind of excited to see where you guys are going. But yeah, that's about it for me.

Welcome, Mark. Christian.

Hi there, Christian Lexina here. I work for RxM. We're a collaborative training company and consulting, and one of the things I'm mainly here for is to get a good sense of what's going on on the Kubernetes security front and hopefully see if we can get some of those updates into our course material, or see what we can do to push along the training side of security.

Great, thank you. Wei Zeng.

Hi, this is Wei. I'm from Ant Financial, the child company of Alibaba. This is the second meeting for me and I'm reading all the GitHub issues and all the documents in the security repo and trying to get involved.

Great, welcome, Wei. Also, for new members, there's a PR we're working on to actually have some documentation for new members. So we'd love anybody, new-ish folks, to look at that PR that's in progress.

Okay, I'll take a look at it.

Michael Ducey.

Yes, so as Emily already updated you, primarily on the Cloud Native Security Day, in regards to sponsorships, it sounds like we have two diamond sponsorships sold, at least one gold sponsorship sold. So we're meeting the requirements that CNCF needed us to meet from a financial obligation perspective. So that's good.
I need to probably talk to Sarah and JJ at some point because it sounds like there might have been a third diamond sponsorship sold. And that means there's another five-minute spot taken up on the agenda. But I don't want to cover that on this call, we can take it offline. I just want to bring it to your attention. And then the other thing is I'm deep in the realms of trying to figure out how we rebuild the Falco container images, so how we make them as small as possible and reduce kind of the attack surface of what we're shipping in our container images. So it's kind of an interesting project for me right now.

Super, thanks Michael. Next up is Anjo, if I'm saying that correctly. Anjo?

Is it me? Yes. Oh yeah, A-N-J-O. Yeah, can you hear me now?

Oh no. Yes. Microphone issues.

So yeah, this is also my first time. I'm an Intel Labs researcher and I have recently presented, also at USENIX Security, a technique to securely and efficiently protect sensitive data within the same memory address space. And Justin Cappos at some point during the conference suggested that I also get in touch with you guys to see if there is some interest in using it. We're basically looking for people to apply it to their workloads. But yeah, for now I just wanna see what you guys are up to and listen.

Yeah, and if you have a paper or a link to information, drop it in the chat in case people are curious, that'd be great.

Sure.

Kris Nova.

I'm muted. Can y'all hear me? Check.

Yes.

Okay, sorry, yeah. So hi, this is my first security call. I hope everybody's having a great day. I'm gonna be joining Sysdig. I'll be working on Falco. And one of the first items of business that I was planning on doing is moving our entire engineering cycle into open source. So starting next week, we're gonna be doing all of our Falco planning and all of our feature discussions in open source. So there's a mailing list in the Falco repo now.
If you wanna go check it out, if you wanna get involved, we would love to have you. And of course, we want to be as involved as possible in this thing. So, nice to meet everyone.

Welcome, Kris. Thanks. Jack Lidford.

Hello. I'm also a security consultant at NCC Group, working on applied cryptography, protocols, memory corruption, that sort of stuff. Just want to join and contribute to the group. This is also my first meeting.

Thank you, Jack. Welcome. And Gareth.

I think this week I've been doing a bunch of things. One of them that I don't think I'd mentioned before, so I'll mention now: I think most folks are now familiar with Open Policy Agent, mainly in the context of Kubernetes. It's a CNCF project. It's actually super general, but most of the users have been around Kubernetes admission controllers or policy there. For a little while, me and a few of the folks have been hacking on a tool to make that more of a CLI tool, or something that you can use for unit testing or in CI, versus something you use in production, called conftest. We've shipped a new version of that this week. That actually allows you to use Open Policy Agent's Rego to test Terraform code or any arbitrary YAML or any arbitrary JSON or INI files. So you can use it for Terraform code. We've got a pull request out for Dockerfiles. So we're starting to build up libraries of Rego security rules for all of these different formats, with the idea that there's one tool that we can use to assert policy around configuration, and not just in Kubernetes land, but actually for any config format. So a bunch of work on that this week.

Great update. Thanks, Gareth. That sounds fabulous. And definitely drop links in the notes if they're not there, or in the chat. Next, Martin.

Hello again from me. I'm not sure if I mentioned before, but currently I'm working on Clair.
Okay, I'm working at VMware in their open source team and in their security sub-team. And currently I'm working on Clair. This is an open source project which aims to do static analysis for vulnerabilities in Docker images and also containers. So yep, I'm working on supporting more base images for Clair. You can look at the project if you're interested.

Yeah, definitely drop a link to the project, that sounds great. And definitely needed. Then next is John Menorick.

Hi, John Menorick from Ford Motor Company. And yeah, lurking around in GitHub and providing feedback on relevant items. In addition, I can't wait for the Keycloak audit because it's really needed, with all the different already-identified vulnerabilities, though nothing publicly exposed. In addition to all the other interesting work that we're discussing here as well. So hi everyone.

Super, thanks John. Deborah, Deborah Shans. Maybe you're muted. Are you on the phone perhaps? All right, we'll come back to Deborah. Christian Kemper.

Hi there. I work on Google's cloud security team and I'm looking at the platform implementer persona. So I finally met with some of the internal teams at Google that are basically representing that persona. And those were pretty interesting meetings. And they pointed me at more people. So I'm chasing down people throughout the company that are part of that. I need to at some point reply to some of the comments on the PR. I haven't had the time to do that yet.

Right, yeah. If you're interested in that platform implementer persona, take a look at the PR. Or if you might be on the call and are a platform implementer, I think Christian would love to have more voices from different companies who play that role.

Exactly, exactly. I don't want this to be Google-specific. I think most of the stuff is generic, but it could be that stuff creeps in.

Great. Yang.

Yeah, this is Yang. I'm from on Spanish. And this is my second time to attend the meeting.
And in the past weeks, I just read the issues from the repo and talked in the program. And I just want to follow up and find a way to get involved.

Great. Welcome, Yang. Welcome back. Brandon.

Hi. So I guess a quick update on the Keycloak stuff. I think some of you may have seen that Pingdas got back and he mentioned that they seem to be short of staff a bit more than they thought they would be. So he said he's going to get back to us. But I'm guessing if it looks like they have to delay this, I'm not sure. Maybe we don't want to bring Falco up to the next one. I guess we can have a discussion about this once he gets back to us. Other than that, I've been working on looking at where we're collaborating with NIST to create a reference architecture for a Kubernetes architecture over a hardware root of trust. So we've been playing around a lot with the TPM 2.0 stuff, the asset tags and stuff like that. We're trying to basically provide a reference way to bind the hardware root of trust to the container level. So if anyone's interested in talking about that, I'd be more than happy to chat about that. That's something that we're still fleshing out.

Great. Jonathan Meadows, I think you're on the phone.

Yep, I've been out of the office this week on holiday, so nothing security related this time.

Thanks for joining us. And do we have Deborah? Maybe she had to step out. So scrolling down to our agenda, I didn't hear anybody particularly from the partner SIGs, so I'm going to skip that part unless somebody wants to shout out. And we should actually have on our template the switching of this to the new member link when we have it. But if you've been attending the calls and you're not on our member list, you can PR yourself in as a member to our repo, which is linked from the notes. And I wanted to, I don't think Robert's here today. I didn't hear him check in. So we'll skip the next item. Dan said that there was a discussion last week on this Envoy issue, but it had to be cut short.
So we'll carry that over to next week. And I wanted to touch quickly on Cloud Native Security Day and just specifically ask Michael and Emily, what are the things that this group can do to help with?

I don't think there's anything. There's just a few things that are blocked. Well, let me replace that. There is something. We need people to promote the CFP. We're kind of blocked on the website, and we're trying to get that through with the CNCF. Hopefully we can get that done by the end of the week. But I dropped the link into the chat. And so the more that we can spread the CFP among our networks, the better.

So to clarify, even though the website isn't up, we should just sort of concentrate on the CFP side so people can submit. So people should tweet about that, tell your colleagues, specifically invite individuals who you think would make great presentations.

Yeah. And just to call out to anyone, and especially anyone on the call who is in this space, practical guidance and user stories tend to go over really, really well. And then I would also like to see some things more on the cutting edge. And then I think the supply chain stuff would be really interesting to incorporate as well. So practical guidance, cutting edge, supply chain, all kind of topics that come to mind right off the top of my head.

Right. I think Michael's not on the call. Michael, whose name is not springtime. Hausenblas. Yes, Hausenblas, who's working on the microsite. And I'm very passionate about also getting that old content highlighted in some way that would inform, highlight to the rest of the community, the good work that's happened here, which is sometimes hard to find amidst all of our less riveting updates that happen day to day, week to week. So I missed last week's presentation.
And I thought maybe a neat way to do the work of describing the presentations would be to have a movie night where we could just, even if it was just a few of us, it'd be fun to have company listening to or re-listening to things from the archives and then writing up a little summary or having a little discussion about it. So if anybody would be interested, please chime in on the website channel or shout out if you have ideas about how to structure that. OK, we'll just have a conversation on Slack if anybody is interested in watching old episodes that Dan and I pulled together a while back of presentations from last year, or last week's presentation. So.

Sarah, could we have a pinned message or something with the other Slack channels? It's kind of in the main Slack channel.

Oh, yeah, that's a great idea. That's a great process improvement. Then next up, Supply Chain Resources Catalog. I think there was a thread on the issue about some discussion there, but I didn't have a chance to completely catch up. I think, Emily, maybe you could lead that discussion, slash whatever part of that needs to be talked about.

So really, I was just going through, I had somebody send me that article that I had posted about supply chain attacks being on the rise. And I don't know if anybody had a chance to skim through the content of it, but they're going in and they're targeting the vendors themselves, the trusted sources from which we are starting to get all of our content. It made me think about this particular ticket not getting updated in a while. So this started off as a proposal from Santiago about creating a catalog for software supply chain compromises, best practices and related tools for securing them. This is a growing problem space with almost no solutions available.
There are a couple of posts in the comments about some work that MITRE has been doing with their CAPEC and their ATT&CK areas, but nothing specifically about: here are the known supply chain attacks that exist, these are the types that exist, this is the way that we've been experiencing them or that the community is experiencing them, and here's a recommendation for protection against it. And it's especially important as we start to review more and more open source products that come into CNCF or start graduating from CNCF. What are they doing to secure their supply chain? Because we want everybody to be cloud native and cloud agnostic and be flexible in their cloud environments. And if we're pushing and promoting CNCF tools, products, services, we want to ensure that they have some level of security, preferably robust, about where they're getting all of these projects from and the libraries that they're using for it. So I wanted to bring the group's attention to this particular project. There was a lot of discussion about it a while ago, but I haven't seen any movement on it. And I wanted to jog everybody's memory about where we're at. So I was hoping we could kind of kick it off, maybe.

Yeah, I think it would be great. Well, we have Justin Cormack and Santiago Torres-Arias who were going to take the lead on this. And they're not on this call. And so maybe we can have, I think it would be great to have any highlights of the things that have been recently posted, to just kind of get people engaged about the things that they maybe could read in preparation. And then let's queue up a call where at least one of them is going to be there and have it be the subject of the meeting. Because I think this is something that a number of people in the group have expressed interest in. A bunch of people have read up on it. And we could have a whole meeting about it. But in the meantime, I don't know if you can see the screen. I'm sharing the issue.
And OMG Clouds linked to the MITRE definition. And is there anything, does anybody want to chime in on the recent postings to the? Sure. OMG Clouds, i.e. John Vanerke.

Yeah, it's interesting. Because there's nothing new about quote-unquote supply chain attacks. You can see my talk at DEF CON on the subject, or also look at Kim and What's-His-Name-I-Forgot when they were over at BlackBerry and later on, before they went over to Microsoft, on this very same challenge as well. There's really nothing new. I mean, the only thing that's relatively new, so to speak, is people are using those third-party breach databases to spray and pray across npm and everything. And why you see it now as of late, ignoring the journalistic page views, is solely because the author and controller, so to speak, the account behind the REST API library, forgot he even had the account a decade plus. And then of course, you know, spray and pray, they got access in from there. In reality, there's nothing really new about any of this. I mean, sure, we talk about deterministic builds of all the CNCF projects. And as one would imagine, this would come up during the quote-unquote security assessment of each and every one of these different things. Now, the hard part is, where do you draw that line, turtling all the way down? Take glibc, for instance, because you're going to find yourself turtling all the way down to even the hypervisor, or more specifically, the BIOS or equivalent microcode. So there's a whole bunch of stuff to be discussed there. I look forward to helping that out once we, as you guys allude to, get that project kicked off.

Yeah, and I think that, as you point out, we've had a software supply chain as long as we've had software that was made by multiple companies or organizations.
Why this feels very relevant to cloud native is, to me, and this came up in the in-toto assessment, that while this is kind of this area that pertains to stuff outside of cloud native, it is particularly critical in cloud native because we need to have more automated systems as we take advantage of cloud and virtualization, and things spin up unattended by humans. Whereas in the old world, there were more frequently systems which had human gatekeepers, because you had a physical machine to set up and a human has to take the machine out of the box. So I think that's where this gets to be more critical in the cloud native land. And it also could contribute to why these attacks are on the rise, because more of us are using these, automating our supply chains.

Yeah, it's definitely interesting. I have over 20,000 typo'd third-party libraries where we just went for a typo off the main library. And I get roughly three to four million downloads a month, of which you have to imagine most of them are, as you allude to, CI/CD pipelines grabbing, pulling, building, tearing down the environment. So it's interesting that, yeah, you're absolutely right, especially when there's no human review, much less the freedom-versus-responsibility discussions they have over at Netflix and similar companies. So it gets interesting when you also end up getting unsolicited defects being asked of you saying, hey, can you help me debug this? And you're like, sure, if you rev up to this version, I can live debug with you, but obviously you can't do that or you'll get, let's call it, legal contributor requirements or documents from IBM or Silver Lord's group saying, hey, can you sign off on this legal declaration? So yeah, it's gonna be a fun project once we figure that out.

Well, I don't know if people saw the rest-client Ruby instance, like literally just yesterday, they broke.
Again, people turned up, there was a version of rest-client, a really popular Ruby gem, published on RubyGems. There's no tag on GitHub. People opened an issue saying, hey, what's up here? Turned out that the person who owns that gem, that account had been compromised, someone had uploaded a malicious library. I think what's happening in a bunch of cases as well is that fashion, technology is quite fashion-ish. So people join one language community, build things that are useful, then move on. Those libraries are increasingly, they're popular, they're stable, but they're subject to attack. And the maintainer doesn't notice because they're not working on it every day. In fact, they've not worked on it for months or years. Yeah, we track a bunch of them at work and report them. But yeah, certainly popular, previously fashionable ecosystems are where they're mainly cropping up at the moment.

That's a good point. And then, yeah, I mean, I think that that is, we are working with the security assessments to try to, it's more about how do projects even deal with this, right? And some projects are like, check, we got that. And then other projects are like, well, we should do that. And I think that's also an area where this group can contribute. I think we have an open issue on best practices, like let's have some, yeah, there's so many things that are, there's not enough conventional wisdom about what should we do when we can't do everything at once, right? Other highlights from Emily, or go ahead.

I think another thing that is interesting is to raise awareness of this outside of the security community, right? I think we all know that these attacks happened and have happened in the past, but some other people that are only now adopting cloud native stuff want to make sure what can be done about that, you know? And I think it's important that forums like ours educate people on that.
Yeah, and I think that one of the things that came out, when we were talking about the in-toto assessment, like part of the reason this came out of the assessment is that, in defining the edge of in-toto, right? Like in-toto, we want to support a project in doing the one thing that it does, and it doesn't have to take responsibility for everything it touches, right? Just because it's frequently, you know, installed with something else, it doesn't mean it has to do that. And so kind of what came up in conversation is that we have this knowledge, right? In this community, about, oh, one should do this, but it's hard, right? But do people know what they should be doing or why? Or if it's hard, can we give feedback? Do the vendors who are responsible for the things that people are finding difficult even know, have they gotten that feedback? So hopefully this discussion can unearth some of that. Any other thoughts on this issue? It has an introduction for, I'll try to see if I can schedule it for next week. Otherwise, I'll just have like a couple of DMs with different people and then update the issue with when we'll have that bigger group discussion.

Yeah, I think it'd be interesting as well. I think John, you obviously have a lot of experience in this area, if there was some, or you did have some links around best practice information and advice that was already out there, that you could perhaps put into the PR on this to educate the rest of us so we can start putting together that guidance. Now, there's a lot of information about the actual attacks and details on how that was put together, and maybe we can collect that information and those links. But I think it'd be good to go into that conversation where we've already got a common knowledge on it. So I guess it's just updating that.

I'll be happy to do that once we get the whole thing kicked off, certainly.

Yeah, or you can drop them in ahead of time if it's stuff that people might find useful to read in advance.
So, yeah, because it's kind of our habit to try to collect the information just as comments on the issue in preparation for discussions. Super. So that's all of our agenda items. I wanted to kind of open the floor if there was something that we touched on quickly that people wanted to follow up on and discuss more, or we can always end early if there isn't. It seemed like we had a really busy agenda and then things went quickly because we don't necessarily have all the folks here to talk about specific things, but I want to open the floor for anybody who wants to follow up on the things we discussed or other topics.

Can I just, for people, so I had a few people who reached out to me to have a chat about the Kubernetes, or I'm sorry, the Cloud Native Security Day. So it's the day before KubeCon. So I'm gonna say that's November 18th. It's called a Day Zero Event, which the Cloud Native Computing Foundation hosts. And one thing that we're gonna do that might be interesting to members of this group is we're gonna host about two, two and a half hours of open spaces where you can bring topics to discuss and then find like-minded people to discuss those topics. Much like a birds-of-a-feather, but it's kind of held in line during the conference. So if that intrigues you and you're headed to KubeCon, it might be something interesting that you add on to your registration.

Yeah, and I think registration is open. So-

Yes, it is.

And if the dollar fee is a hardship for anyone, there will be, we have an opportunity to have scholarships for that. So the main thing is the dollar fee. It does help defray the costs, but it's also to help avoid no-shows. So we wanna have some fee. And so the CFP is up, and I think the registration is-

The registration's tied to the KubeCon registration. So when you register for KubeCon, you get the option for the Day Zero Events and you can add those on in the normal registration workflow.
So yeah, so if you've already registered, there's probably a way to-

Yeah, if you just go in and edit your registration, you can add in the Day Zero Events.

Great. And why did we settle with the, like we have room for about a hundred?

I wanna say it was around a hundred. We'll have to see with the sponsorships being sold, because they get so many tickets. And so we don't wanna have a situation where we sell 40 tickets via sponsorship and then we've got 40 people that are registrants. Not that there's anything wrong with sponsors, as I work for one. Yeah, we wanna make sure that we have that. We wanted an opinion from the community, not an opinion from vendors all day long.

There's also generally diversity sponsorships for KubeCon. So if you think about people who are security experts, you know, who might not plan to go to KubeCon, partly, you know, if budget may be an issue, and you think that their voices should be represented, then I think, just brainstorming about that to yourselves, thinking about, you know, are there minority voices, whether it's minority demographics or because they work for a smaller company, but their expertise would be really valuable. You can think about that. Are there other highlights, other questions about Cloud Native Security Day from the group? We have an issue in the repo that has details on it. Oh, by the way, I don't know, it's issue 209, and updated in the notes from Michael. So also, I don't know if anybody noticed, I changed the test roadmap format to be named the project tracking board, where this is, this may not be complete, but this tracks the bigger things, the bigger sort of longer-duration things that we're working on, that have multiple people involved. And so, basically, things that kind of require coordination, we're gating to have not too many happening at once. And so, the Cloud Native Security Day is linked here.
And I'll just open the issue so everybody can see it, who's seeing the screen. And this has a nice overview of kind of what's going on and a proposed format and all of the links. So, if anybody has questions and wants to follow along, this is a great issue. It's weird to say a great issue, a really good record of the happenings of the group. Open the floor again for other topics.

Hi, this is Abhinav from Frame.io. Nice to meet you, Sarah. One question is around what we are doing as a community, especially in Kubernetes security or in general in the cluster security area. I know Kubernetes has different ways of securing: cloud security policy, metal security policy and so on. But are we looking into projects or new projects that are trying to find some way to the actual use, or are we doing brainstorming about what we are doing additionally to what we have?

Well, I think that there's a, just to give an overview, because I think there are a lot of new people, and even people who've been here a lot may kind of lose track of the big picture. I think that's a great question. So, I'm just bringing up the project tracking board as a way to kind of visualize some of the current activities. So, we are a volunteer group. So, there's a lot of things that we could possibly do to make the world a safer place for cloud native technologies. And we are a mix of things that the TOC has encouraged us to do and things that are led by the wisdom, insight, enthusiasm of individuals in the group who want to spearhead topics and take care of things. One activity that's being facilitated by Justin Cappos is the security assessments, which is looking at specific projects. So, that is like, it'll take a long time before that, you know, sort of touches everything, but that is bubbling up things that the group is taking care of, like the supply chain stuff we talked about. And this group isn't Kubernetes-specific, but those projects tend to work with Kubernetes.
So, that is one thing in the Kubernetes world that we touch on. And then the other thing is our policy subgroup is really co-located with a superset of the Kubernetes policy subgroup. So, there's a lot of cross filtering there in policy. And so, that group meets Howard Huang, lead tech group who is in China. So, that meets in the afternoon on Wednesdays. So, people should feel free to join that. And we should make, I think there's an issue open actually to make sure that's documented on the repo. And then the other thing that we're doing, which is not Kubernetes specific, but also covers Kubernetes is we're trying to do a better job of echoing out the, what we discover, right? Which is really this microsite. So, the idea is our repo is really for us, right? It's for the security experts who are, it's like a lot of things are works in progress. And it's for people to engage in the work of, making security, making the world a more secure place to be using shorthand there. And then this microsite will be more of a, what are the things that are really more finished or presentations that we've had so that the rest of the community who may not be, who may need to be knowledgeable about this, but isn't going, doesn't have the bandwidth to be engaged in the SIG or the expertise could consume some of the outputs of the SIG. So, and then a bit in the backlog, but also kind of in progress before we had more of a bigger group and a more rigorous backlog, is a security overview white paper, where what we're finding in a bunch of the presentations and the discussions, and I think Kubernetes is aware of and they've got subgroups working on, is that people don't really understand what the big picture is and where Kubernetes and other things fit in that picture. And so a lot of the security vulnerabilities, I've observed happen because somebody assumes Kubernetes or something else. 
And I think Kubernetes is the most commonly comes up, maybe because of its widespread use, but also I think people getting into cloud, I'm hearing they're like, oh, get on Kubernetes. And then they make some assumptions about it's gonna take care of a number of things, which are outside of its scope. And so there's just, there's a lot happening there. And so our hope is that this white paper will help frame where like how to reason about security and stuff that is common wisdom in this group could become then more sort of echoed out. And then a sort of companion piece is the policy white paper where there is analogous confusion and about like what is policy anyhow? And that that's a more developer centric piece that there's a draft, but it's some, I think other things have just been queued up above that along with the landscape where that we decided to pause where, which is another way of looking at kind of visually work by categories, looking at what different things people are working on and how they relate to each other and which things are like either or which things are, you should have one of each, and I think are the kinds of things that people are trying to reason about. I don't know if that helps answer your question, but also invite other people to chime in on what is this group doing about, maybe if we articulate your question. No, I mean, I think that's a good overview of the mission. It's just that, I mean, I am big for as for the CNCF, CNCF is concerned on a big user of Falco. So that's a Michael and I talk a lot on how Falco can help us or help the community. When you go to CNCF's site, there is not a big push for security if you browse the websites, right? I mean, you see that a lot of people are representing different aspects of cloud and security is not properly presented. So I just wanted to understand the mission of this group and how to bring security at the forefront of CNCF. 
Yeah, I think that we think that the first one of those things is really what the, well, it's sort of like we don't, I think we don't, we haven't quite curated enough stuff to feel like we can put forth, this is what security is, this is how you should like reason about it. And there's a, there's definitely a need and it's just a work in progress still. Cool, thanks. And you and I should talk Sarah sometime offline. We are, I'm in Frame.io and Frame.io is a video region collaboration platform. So we do a lot of on video security, watermarking and everything. So given that your background in audio and video security, we should chat sometime. Sounds great. Anybody else want to chime in on the, you know, kind of ecosystem stuff and what we're doing, stuff I might have left out? Great. And then back to the agenda. Are there open the floor again if there's other topics or questions to bring up? There was a discussion before about the idea to have, while you're doing the, while we're doing the security assessment that there will be more experienced folks in the group who, you know, who will have some kind of, who will mentor, mentor, how can I say it? Like who will mentor not so skilled people? And I wanted to ask if that's, is that the case, if there's a discussion about it and what is, how can I join? How we all can join in this program? And if there's something like this? I will turn this over to Justin Cappos and I'm gonna bring up the assessment reviewer to talk about the shadowing, which I think is like a great opportunity. I've certainly like, I've done a lot of, I've played the role of security reviewer where most of my expertise is receiving security reviews because I've led a lot of development teams and, you know, have 30 years of experience being security reviewed, rather than serving in the security department. 
And so Justin, maybe you can talk a little bit about, so I just wanted to say, it's really an opportunity to participate in this reviews and learn from other people with different perspectives. Is Justin Cappos on the line? Maybe he dropped off. So I will go over this, or Brendan could too, because you have recently contributed to the guide. Yeah. Mm, that'd be, do you wanna do it? Okay, I'm, you can chime in. So yeah, so basically I have it up the, so the, aside from the fact that we're jump-starting this right now, and so of course the first couple of reviews include people who had not done a previous CNCF security review, so we're in a little bit of a bootstrap process because we're working on wrapping up number two, which is OPA, and kicking off number three, which might be Falco. But then I think we have enough of a crew that we want to make sure that one of us who have been involved in the prior reviews participates in the next review and then we'll be leveling up this process. And so that the first requirement is just that you've done it before, where shadowing, right, can then bootstrap that. And then it's preferred that you have previous experience performing formal or informal security audits or assessments. And that's where by participating in the shadowing effort, and you can just, by shadowing, you can, it can be as easy as you just jump into one of the channels and start reviewing the documents and asking questions. And noticing the questions that people ask, which turns out to be like this really interesting informative thing because we have a process where, and I'll just skip over to the process because I think that this kind of helps illustrate the point where we, in the steps, like the first step is that the project leads somebody who is a primary contributor or maintainer to the project. 
Usually the actual primary maintainer, but it could be somebody who is, is just part of the team with an interest or knowledge of the security of the project or wants to learn about it, writes this assessment. And so there's an initial assessment, self-assessment of the project. And then we have, we kind of inserted an initial review where, which is not actually detailed here where there's a like dumb question phase because we've realized that often the project doesn't know what they should say and what is known about them versus not known. And so usually, so the lead reviewer will like spend a little time pre-vetting it and make sure that it all has the content that everybody else needs. And then there's a period of time where we don't, we all read it separately so that we all have a chance to have like kind of beginner mind and think about things that maybe the other person not have all of our questions informed by other people's questions. And so there's always this kind of moment which, you know, we're trying to get this whole thing to be able to happen in two weeks. We haven't yet done that, but we're iterating to try to get it to be a little tighter. So that there's like a clear, you know, I think week or five days or something when you get a chance to read it without seeing everybody else's questions. So in shadowing it, I think it'd be great to like challenge yourself. Well, what could I come up with here? What can I just think about that is something, a threat that maybe hasn't been articulated well enough for a question I have about how they handle the security and then have a chance to see what everybody else says. And then, you know, and also chime in with your questions. So I think the format is a great training about how to think about security and think about risks. And there's been some really good discussion. 
We had a great presentation from someone from the security team at Google that Christian looked in that checklists are actually can be a problem, right? That we do wanna have, we all have our mental checklists but there's also value in not having a checklist so that people are really encouraged to think about the security because the security of each project is different and the biggest risks are the ones we don't consider. And so that's why we've taken this approach where we have an outline, which is kind of a checklist but it's more, these are the different things you should be thinking about, right? And then the security and everything around this is about how you think about these things, how you like have the background material, right? What you need to know in order to do a security analysis and the core of the write-up is really this part, right? And we're, instead of having a checklist like these are the security things you should implement instead we have a checklist of you think about attacker motivations, you think about what are the preconditions to this software running and so forth and so on. So this is the process we're iterating through and this is sort of a long-winded way to answer the question which is to get involved you chime in on this security issue and then just can join a channel. Yeah, that's the security issue. We also opened a new file called the assessment matrix. I think- Can you put that in the chat? Yeah, one second. So the assessment matrix is kind of a table what are the upcoming reviews that we have and then we have people sign up whether they wanna be reviewer. We also have, I think someone also had this, you can bracket, you wanna observe us, I think we had a column for that. Let me paste it and- Yeah, I got it. Oh, you got it, someone got it, okay. Somebody did it, thank you. 
Yeah, so yeah, I think if you're interested in just looking at one of these for the project that you're familiar with or want to interest you just like create a PR, we just merge it in. Like Sarah said, I think like looking at a lot of the past reviews, I think if we can put some things to the old Slack channels, I think it should be okay to be public, right? I don't think there's anything there. Yeah, actually that's a great idea because then people can like kind of review what kind of discussions there were in questions. Yeah, and also I think that the presentations that happened at the end of the reviews, those were really helpful as well. It's kind of just see the types of questions. If you have any questions of that, I personally will be open to answer questions about that if you have questions on that. Thank you again for the long, for the extensive answer and I will contact you on Slack with more questions. All right, sounds good. All right, so that's a wrap for today and we'll see y'all on Slack or on the email list and see you next week. Bye everybody. Bye bye. Bye bye.