Hello everyone. Is my audio coming through? Loud and clear. Excellent. I just put the notes in the chat. Perfect. And I'm going to screen share for people who are on their phones. Find the right window. Thanks Erica. And Erica, while we're waiting for people to just get started, I thought it'd be nice if you would be willing to just kind of give an intro to what the policy group is and what you've been talking about, you know, maybe in the last few months, because I think we've got a lot of new people who haven't necessarily heard about what that group's doing. Would you be up for that today? And then we're following the briefer check-in format, which is that people annotate your name if you're new or if you're the lead of one of the projects, so that we can make sure that the people who are active leaders in the group introduce themselves, and new people. Or if you have security related things that may or may not be of interest to the group that you want to report, or work that you've done as part of SIG Security in the last week to give updates on, that would be fabulous. And then, do we have some volunteers who are willing to scribe, since I'm facilitating? It would be great if we can have someone who's not me be scribe. And then I'll just put in the notes again for people who might have just gotten here. All right. So, oh, sorry, Emily, I put that on the wrong column. So I'm just going to dive in with a little bit of, oh, we don't have, we need some scribe volunteers. Kristin, welcome back. It's been a while. Are you willing to scribe? Sure, I can do that. I'm just trying to find the document at the moment. Here, it's in the chat. Justin Cappos, would you be willing to help scribe if you're in front of a computer? Oh, Ash. Ash has volunteered. Thank you, Ash. So, Kristin and Ash will be scribes. Fabulous. Really, really appreciate that help there. So, I'm going to add to the agenda. Or we'll just do it as part of introductions, Erica.
You can, unless you want to, if we have extra time, you can kind of go deeper into things, but I just think an overview of what you've been doing would be great. And then maybe you can prep to put your doc, you have a great running doc of meetings, and you can have that when we get there. So, diving in, my name is Sarah Allen. I'm one of the co-chairs of SIG Security, and in the new year we are doing, every other week, a working session or a presentation-ish. Sometimes the presentation scheduling, you know, needs to be moved around a little bit. So, on balance, we will try to have half working group, half presentations. But next week, Jonathan Meadows is going to be presenting some open source curricula that he's been involved in developing around teaching cloud native security. I think it's specific to Kubernetes. And I'm excited that he's on deck. And then the week after that, we will have, provided they're ready, a presentation, I believe, from the SPIFFE/SPIRE Security Assessment. And so, this is our second working session in a row, but we have some topics on the agenda. If we run out of things to say, we'll end the meeting, but we'll start with check-ins. So, Erica, can you introduce yourself and a little bit about the policy team? Hi, I'm Erica. I work at Red Hat via the Coral X team. Anyone who's going through acquisitions, I know, for, but, but yeah. So, I'm part of the Kubernetes Policy Working Group, which kind of works with policy in general for cloud native security. Policy is a kind of large thing that everyone needs and cares about and thinks is really boring. But I happen to think it's very interesting, how we govern our clusters and our cloud in a secure and automated way that works for this cloud native era. So, Howard and Robert and the other co-leads, we meet every other Wednesday. So, not this Wednesday, but next week at, I'm going to get the time right one of these days.
I messed up last week. I believe that that should be 3 p.m., which is, yeah, 3 p.m. Pacific time. Here, do you have the notes that can give some of the projects we're looking at? We like to have overviews of various policy related projects, some active work. We're drawing up a policy violations custom resource to unify some of the policy plugin projects. They kind of first start. So, we're discussing that, as well as some other investigative work, trying out different formal verification methods for verifying policy configurations and various tools. And then just more mundane discussions of what's going to happen with cloud security policies and the like. Here are our notes. I actually just copied them into the notes, Erica. If you're interested in policy and geeking out about it, please come join us. We would just love to have more participants, always. Great. And I hadn't heard that Robert was co-leading the group, that he had joined your leadership team. So, please submit a PR, because we have some PRs crossing each other. Last week I added the policy team to the root repo. So, yeah, feel free to PR in Robert, or Robert, if you're here, PR yourself, so that we keep this up to date and spread awareness of the great work you're doing. And so, for the folks who are new, we consider policy to be essential for security, because how can we secure things if we don't know what we're trying to do? And so, that's why the policy working group is part of SIG Security. And at the moment, it's the same group of people that does Kubernetes policy. So, that's why it's kind of one group. One group of people, two structural groups. But it's efficient because we have a small set of awesome people focused on policy. Is that a good summary, Erica? That works for me. Okay, great. And so, I hear that Justin Cappos is intermittently online.
He's going to skip the update for now because of connectivity issues, but he is our security assessment facilitator. So, think of him on Slack if you have questions about security assessments. Next, Emily Fox. Just introduce yourself as one of the leads of Cloud Native Security Day. And then we'll cover your agenda item later. I am here talking for both myself and Michael Ducey, who's not on the call because he's traveling. I am one of the co-leads for Cloud Native Security Day Amsterdam 2020. And I do have an agenda item update, but I wanted to let everybody know the website is now live for CFP submissions. So, that's very exciting. And if you have someone capable of potentially sponsoring, the prospectus is also on the site. So, that's all I have for now. Great. And I don't know if you have connectivity to type and give us the URL that I don't have handy, or we can dig it up right afterwards. I'll pull it up from last time. Oh, super. Thank you so much. So, I think that those are all of the official updates. And so, we'll dive into the, I just wanted to have check-ins in case we, do we have anybody from, we covered the policy working group. Do we have anybody from SIG-Auth or any of the other working groups that wants to give an update? So, our agenda, sorry, I'm finding it. Emily, we're going to talk about, there's some chatter in the group about Cloud Native Security Day and whether we want to, what the agenda is. So, you want to dive in? Sure thing. So, we usually meet on Tuesdays at around one o'clock, and yesterday, I believe, was our last co-lead-only session. So, we'll be opening it up to the rest of the folks that have kindly volunteered to assist us. So, one of the things that we're talking about and kind of need feedback from everybody on is that typically Amsterdam, or any of the KubeCon + CloudNativeCon European instances of the conference, are a smaller audience.
And when we did this security day in North America, we had an open spaces kind of forum, and there were a fair amount of people that knew what it was and really enjoyed it. A lot of people didn't know what it was, were exposed to it, and also enjoyed it, and there were some people that were still kind of confused and didn't get it. So, we felt that there was good conversation going on with that, but the space was constrained, so it didn't necessarily allow itself to be the best that it could be. Now, fast forward to Amsterdam, we are having space limitations, so we cannot do a capture the flag and an open spaces, but we could do an open spaces, or all briefings, or a capture the flag in the afternoon. So, that's kind of the time block that we're looking at. So, there are some pros and cons to each. It was talked about that doing briefings in the afternoon creates a full day of briefings, which is just like some of the other activities that go on at KubeCon + CloudNativeCon, and one of the things that makes this different is that we don't do the full day of briefings. But still, they're easily accessible for the larger audience. Everybody has the same expectation for what's going to happen. Then there is open spaces. This would be our first time doing security day in Europe. So, there's a new audience, new folks showing up that may or may not be familiar with the open spaces concept, and just getting people involved in how to have those dialogues and leading them along. So, there's that. And then capture the flag. So, this has been brought up a lot by the community, potentially doing a capture the flag activity. And for those of you that don't know what it is, basically it's when you have teams, or individuals working together on teams, against each other to capture and defend their snippet of code or a particular file. And there's more information online. Just Google "capture the flag security" and a whole bunch of websites come up.
So, we had some folks express interest in running a capture the flag in the afternoon for security day. We believe that they are still interested. But there is concern about how technically involved that is from an audience perspective. Not everybody coming to security day has a security researcher or hacking background. There's that concern. But we figure we can offset that by making sure that they're on teams where individuals with those technical skills can give them that level of exposure, so they can see how to think about things differently. There's also the logistics of setting it up. The space that we have only seats about 150 people, so breaking up the teams. Benefits are it gets more security folks coming to a typical developer conference and giving them that cross pollination of ideas back and forth between the two communities that typically are very disparate. And Ian Coldwater has talked about this a lot. Or, yeah, Coldwater has talked about this a lot in some of their presentations, about how security and development communities are very different and they don't usually talk. So, there's a lot of pros and cons. There's a conversation going on in the Slack channel that I'd like everybody to kind of respond to with their opinions. That way we actually have it documented and can update the ticket and then the website with what the decision is. I guess I'm sad that I didn't see that discussion on Slack, so I'm going to go and check that out right now. But, you know, having run a couple of these types of things at a security conference, it seems that you get 10 to 15% participation. And so, if we're talking about a much more developer focused sort of thing, then, yeah, I agree with everybody who's concerned about whether we can get the right draw. And if it's sort of mandatory fun, then something that is as freeform as a CTF, yeah, seems like it's going to turn people off.
Whereas something that's more like a walkthrough, but a walkthrough you wouldn't want to do with everybody having to be there. So, if there's more than one track, I think that a walkthrough, a CTF-ish walkthrough kind of demo, like what was initially proposed a while ago, could be really good. But if it's single track, then maybe it's a cool idea that's just not right. That was my thought; I'd like to hear anybody else's too. And just as a reminder, because the space is so small, we don't have access to other areas to do multi-track, which is what we would really love to have. So, doing this kind of event in Amsterdam is probably not going to be possible, but we want to have the conversation and explore it and see what other ideas are being generated around us. We did get feedback that folks wanted something a little bit more hands-on. Are there other people who have thoughts on this? Both people who have done CTF activities before and maybe have a perspective about what it's like to have people with less experience doing that, and people who've never done a capture the flag before who might enjoy it, or find it like, I probably won't go because of it. So, hi, I've never done one before, but it sounds like a really interesting idea. Yeah, and based on the pros and cons list that we already have, it seems like people are really putting a lot of thought into it already. So, personally, if I were there, I would find this interesting. I can see why others would also find it interesting and enjoy having a hands-on thing to do. It does feel a little tangential to the work that the group does on a regular basis, but it is highlighting some things that are good to know about security. So, that is nice.
And just as a chair, I don't think that what this group is doing on a regular basis at any point in time should necessarily influence what we would do in the future, because I think we're kind of going through a bunch of different projects. And just because we're doing a lot of writing things down and providing written materials, doesn't necessarily mean that that's what this group does from my perspective. So, go ahead. I was just going to say that I see where you're coming from and we can, as the sort of central group thinking about the subject for CNCF, we're basically providing a venue for people to have this kind of event. So, other perspectives from the group? Yeah, hi. This is Ricardo. So, I've never done a CTF before. So, I think it might be a good idea if you had two different tracks. I mean, I know it might be hard because the space is not that big, but some people might want to have a beginner type of CTF and then some other people who are more experienced and done it before, they might want to just do something else or be on a different track. Yeah. So, I divide the people who want to participate in different groups. Yeah, that is a good perspective. One idea from organizing things, like I went to a diversity training once where they, at the beginning of the breakout session, they did like a spectrograph, which is like wherever you ask a question and everybody lines up according to their answer. Where people were like, how familiar are you with diversity stuff? And on one side of the room was, this is all new to me. I'm here to learn. And on the right side was, I could teach this class. And everybody lined up with where they were on that spectrum. And then they divided the groups by the people who were next to each other. So, that was really great because I was somebody who was like, oh my God, I have to take a one-on-one diversity class as a manager of training. And I teach things like this. 
And I kind of am like, I appreciate it, but I'm kind of tired of the intro stuff. And then I was with like super experienced people, right? And then the novices work together, right? So, that's an idea for Emily if we can move forward with that as a way to like divide people. And also I'll just chime in. Like, I've never done a capture the flag because I'm more on the developer, you know, the creator of things and trying to build things that are secure rather than attacking things to make sure they're secure. And I just think it would be really neat. Yet, I would be reluctant to just dive into one with the professionals with no experience. You know, so I think this would I would be super excited personally separate from the show thing. So, one of the ways that we had initially discussed potentially breaking it up to make it more manageable for those that aren't super technical or haven't done a CTF before was going through and probably like every 15 or 20 minutes of the activities, talking through where folks are, what should be happening, what they should be seeing, why it's important, those kinds of things to kind of help if they're not actively hands on the keyboard participating, we're reinforcing the concepts of what's going on. And then for those that haven't completed challenge one, two, three, whatever it is, providing them with the mechanism or the instructions to get them past that challenge. So, that was some of the other stuff that we talked about, but it's a real balance between we don't want to turn people away, we want to try this new idea, how do we make that work? And I think dividing up the teams based off of experience is important, but we'll need to figure out how do we do that either day of or at some point before then to ensure that we have the right mix of experience, because if we only have four or five people that have done CTF before feel really confident in their skills and we've got 145 other people that is not going to work. 
Yeah, another thing, another idea, if there are people with the time to prep, is to have some written material that's more like a tutorial on how to use the tools, with a little CTF thrown in, so that some of the groups could really be doing more of a step-by-step thing, even if we don't have a separate room, right? We could be like, oh, Groups A, B, and C are learning how to use the tools and walking through tutorials together, basically kind of a walkthrough near each other with a knowledgeable person on the team. What is the goal of the CNCF Security Day? What do we want to convey to the people that participate? I think that is important to decide on how we want to do it. That seems to be unclear to me. Is it to talk about what the CNCF does? Is it that security is important? Is it about what specific security tools are available to them to address, I guess, the threat to Jure? What is it? Have we decided? That's it. Go ahead, Emily. The goal of the day is captured in ticket number 305, which I have linked in the notes. The goal of the day is to bring together the broader Cloud Native Security community in a community-oriented space to discuss and share current challenges and solutions in Cloud Native Security. We've been really pushing that open collaboration and communication. We did this last year through the Open Spaces paradigm in the afternoon. We also combined presentations from the community with that to talk about stuff. I believe we had at least one talk about the Kubernetes security audit, and we had several other great ones. Adding the CTF capability into Security Day in lieu of Open Spaces changes how that collaboration and that community involvement can happen, from a different perspective.
Instead of forcing people to sit around a table and talk about a particular topic of interest to them, we're exposing them to a different avenue related to security when it comes to cloud-native products, be it them getting a more hands-on technical exposure through doing it themselves or shoulder surfing with another individual who's talking them through what it is that they're doing and why they're doing it, but also to provide them that community involvement, that they're meeting new people, that there are different skills associated with this, and that we're not leaving them to like, you guys are beginners, you stay over here, and these are security experts, and they're going to be over here, and you guys will never talk to each other. We don't want that to happen. We want sharing to happen. So building the community. Yes. Open Spaces is an unconference style, right? So you need multiple rooms. Is that what it is about? Yeah, and that's why we had trouble last time is because we didn't really have the multiple rooms. We divided the room up, and it got loud. People had trouble hearing. Not to say that it wasn't a success. A lot of people really enjoyed it, but it did make it very difficult for navigating the room and trying to have a dialogue. And with CTF activities, it's been a while since I've been to one, but they're either really loud or extremely quiet, depending on the team dynamics. So with that large room and 150 people, even if we were to divide the room in half and say half of the folks that want to do the CTF over here and the other half of you that want to come over here, having somebody present or do a talk can be distracting to the activities that are going on in a CTF. So I have a question in here. One thing that is striking me about the description of CTF is that it doesn't sound like you're required to actually be in the same physical space. Has anyone ever done a virtual capture the flag? 
A couple of folks aren't going to be doing a virtual capture the flag on Twitter in Kubernetes land this Friday. Cool. Okay. So I'll watch for that. Mostly because I'm looking up, realizing we've got a lot of space in the calendars between March and November, which is our next gigantic gathering of things. So maybe we can look towards being able to say, if we don't want to do this in person directly, maybe we do something over the summer virtually. That's not a bad idea. I've done a couple of CTFs, primarily at re:Invent, and they actually have a few different CTFs. And for one of them, the CTF that sort of goes on throughout the conference, they actually have two separate locations. They have an official area and then a sort of lounge area. And it was trouble finding them. You run across sort of two issues, or I came across two issues with the virtual. One is you had to go to a location in order to get the room code or whatever, which is certainly manageable, but something to be aware of if you're trying to not have it completely open to the world. But from a more practical standpoint, the issue was if there were announcements, how do you make sure that people were aware of it, or if you are handing out awards, what's going to be the process. I've been to a few other CTFs where it was completely online and you were expected to just be in a Slack channel where all the announcements were made. So you could potentially do something like that, or a hybrid, to try to mitigate some of those issues or concerns. So before we just dive into the, I like that, thanks to Amy for the suggestion and whoever was just on the phone for a little elaboration on the virtual stuff. I want to go back to, it sounded like, I mean, it's certainly technically possible for us to do it on site.
And I think that we've heard some people who like, so to Christian's question about the goal of this, when we did it before, in the initial planning of the one for San Diego, I had at least thought that the majority of people who came would be from our SIG. And so it would be more an extension of the work that we're doing in the SIG, to build community within the SIG. And then it turned out that it was oversubscribed with a lot of people who were new to KubeCon, or who had never heard of the SIG. And the content was all about cloud native security. And so I think that, and we do have, I'm not sure that everybody knows, we have two slots during the KubeCon + CloudNativeCon conference, one for an intro presentation and one for a deep dive, which are really about the SIG itself. Although we have had some conversations that maybe those should have a little more cloud native security content, because we also have people coming to learn about cloud native security. So I think we could do a better job with those descriptions, but I just wanted to let everybody know that this is one of three things that the SIG is doing at CloudNativeCon in Amsterdam. So are there people who haven't spoken up who have ideas or thoughts or feedback, or how would you personally enjoy or not be so excited about this thing? I have spoken up, can I still say something? Please! So there are two other methods of unconference style that I'm aware of that I'm not sure if you have discussed in one of the previous meetings. One is World Café, which we have done before, where you have separate tables. Each table has a host and people rotate through the tables. I've seen that work very well at an internal conference here at Google; it worked surprisingly well. So that might be an option. It's called World Café; there's a Wikipedia page for it. I actually just had to look it up because I forgot what it was called.
And the other one was, I think, called a fishbowl, where you have a number of people sit in front on the stage, and somebody that has something to say can join and somebody else drops off, and so you rotate through. It's a little less participatory, but you get different people to speak up. You need people to be relatively comfortable being in front, so that may not be the best. But I think for the community share, World Café I've seen work very well. Yeah, thanks for those suggestions. Go ahead. Who is this? Yeah, sorry. I was going to say, for the onsite capture the flag, probably a good complement is to have a proctor that's a member of SIG Security. That keeps in mind that there may be a lot of outsiders, a lot of newcomers, but it also makes sure that all teams make similar progress. Whether the team is balanced or there's mixed experience and backgrounds, that way the proctor or facilitator can make sure they all have the same takeaways, they all get the same experience, and if someone is weak on the keyboard, kind of supplement for that or just keep it balanced, just having a dedicated tutor in a way. Another similar approach to dealing with the skills gap is if you have built into the CTF, there's the challenge, and then there's a number of hints that you can choose to unlock. And if you take a hint, then you just get fewer points. But the idea is that you're still learning and you're still achieving it, but you aren't necessarily degrading the overall for the higher achievers who are able to get it; they can get full points. But hopefully everyone is still learning, and in a sort of self-service model, because A, if you have virtual people joining in, relying on proctors may not be practical, and as well, if there's a lot of people, it can be hard to make sure everyone's getting their questions answered at the same time.
The other thought, sort of going back to what Sarah was saying about splitting people up by skill level, I was going to say another CTF that I've gone to, at the outset of the CTF, they sort of put people in similar lanes of are you an expert, medium, completely new, and instead of grouping people together by that, they actually forced a mix of different experience levels into groups. So you would have one experienced or really experienced and a few medium or less knowledgeable people and try to even it out. The challenge with that is it's not necessarily conducive for virtual, and I think Emily mentioned before concerns about heavily weighting, if we have lots and lots of new people and only a few really experienced people, that can be hard to even out. So just another approach with its own pros and cons there. Thanks for those ideas, Steven. We do have, via chat, another agenda item, so I want to just open the floor for feedback, and then we can follow up on Slack and the organizing team can take the feedback and do something. And I want to emphasize to everybody, we consider this to be a continued experiment, so if we do that this time, that doesn't necessarily set a pattern where we would do it every time. Right, and to piggyback off of Sarah's comment, there is a thread in Slack in the SIG Security channel, not the events channel. So if you have an idea, or you kind of want to reinforce something that you said on the phone, go ahead and post it on that thread, and then the events team for security day will pull all of them together and discuss them at our next meeting, and hopefully by the end of the meeting we'll have a decision on what it is that we're going to do, and we'll share that with everyone. Great, any other comments on this topic? I guess the one tradeoff is how much infrastructure can we build versus how scrappy and informal; that dictates how much time we can put in versus reality when the date is.
All right, so yeah, everybody chime in on Slack and we'll move on. We have some bookkeeping to do on the Cloud Custodian issue. It's a Cloud Custodian self-assessment, where I've linked issue number 307 to the agenda, and I think we do have somebody from Cloud Custodian, and maybe you can just give us a little context by letting us know where you are at with your self-assessment. Hi, yeah, this is John Mark. Yeah, we've had a couple of reviewers sign up. We were going through the self-assessment; we were adding some threat modeling information. I think one question we had was getting a lead reviewer assigned, so that once we get everything assembled we can actually push through the review. So I'm hoping that, you know, sometime this month we can get through most of the requirements. Yeah, so thanks for that. And the self-assessment, is it linked from in here? It is linked in the issue, I believe; at the very top, one of the links goes to it. Okay, great. Right, and we have some more information that we're going to add there; we just haven't updated that document yet, but we will do so shortly.
That's true, and thanks for flagging this, because basically the first step is the lead reviewer will do a step of what I will, just for now, call naive questions, right? I don't know your project, I'm reading this and I don't understand these things. So that when the security team does a security review, right, probably half of the body of the self-assessment is just preamble, like, this is how the thing works. And so then they can just come up to speed and focus more on the security stuff rather than the clarity of the narrative. So, Ash, I think, is on the call. Robert, I don't know if you are. I was wondering if one of the, what we wanted was somebody who's participated in a security review before to be willing to do the lead, so that they understand the process. So I was wondering if anybody on the call happens to want to step up and be a lead reviewer. Otherwise, I think Justin was having communication issues, so I can volunteer to rabble-rouse offline. Yeah, somebody mentioned Erica, but I don't want to, like, yeah. I am willing to step up, but I haven't done it before, so I would prefer to have someone who has been involved. That makes sense to me, and I would love to therefore, you know, step into the normal reviewer role. I think it might be that those people who have the experience don't have the time. So, Erica, I think it'd be really high value if you were a normal reviewer, because we're a normal, on the security review team, what we're trying to do, and I have a to-do item to go and clarify the docs, because there's this conflict review thing. I'll just give a quick update on the conflict reviewer question, because we've worked very hard to write that down clearly, and in retrospect it's not clear at all. But I checked in with at least Dan and Shah, who's one of our co-chairs, and the intent was that only if there was an actual conflict would we have a two-thirds chair review of it. So we need to clarify what we mean by a conflict, because one of the soft conflicts, which doesn't prevent anything, is, I'm contributing to the project. And so what's not clear is, we do want someone on the team to have some experience with the project if that's at all possible, but we just don't want everybody on the team to be understood, like, as an insider. So that's what I want to clarify, and then we'll sort of catch up on the review of that. But Erica, since you have, you know, experience in the cloud, in the policy space, it would just be amazing to have you on the team, and then I'll just check in with people who've been through it before, because the lead reviewer's primary role really is to keep the process moving. So that sounds excellent to me, because I was a little bit like a deer in the headlights, and I'll definitely feel better next round having, you know, gone through it as a regular reviewer. Super, no worries. All right, so, go ahead. So I'll catch up with you, I guess, I don't know, a couple of days is the, yeah, if you don't hear from me in the next couple of days, ping me on Slack and that'll nudge me, or I can do that, nudge other people again. So that'd be great, thank you. So are there any other announcements or things that people want feedback from the group on? All right, so then I think I will end the meeting and give you all back 15 minutes. Please chime in on Slack and GitHub issues, and thanks all for coming to our working session, and see you next week for Jonathan Meadows' presentation. Goodbye everyone, have a great day.