Hey, hey, hey. I know you, what are you doing here? I know you, you're that famous hacker. You're that other famous hacker who I work with. Hey, who's Greg? No, hi Greg. Hi Matt. I'm Greg. I'm Matt. Is Justin gonna be here? Hey, wow, there's quite a few people. Hello everybody. Hang on, I'm just getting JJ, who's the SIG chair, to come in. There's a lot of people that joined. Hey everybody, how's everyone doing? You can turn your video on and say hello. We'll use the chat. This is awesome though, there's a lot of people here now.

Is this working now? Yes. So hey Justin, good. Hey, sorry, I was really freaking out. I was like, oh no, I'm gonna have to run this thing now. Yeah, yeah. Zoom seems to have new and interesting ways to have issues every time I use it. I don't use it very often other than this meeting, really. But yeah, it took over a minute to let me click the button to set up my audio for some reason. All the time. Yeah. Well, great, how's everyone else? Yeah, good. Hey Daniel. Hey JJ. All right, I think JJ has just screen-shared himself. My bad. I am also in, I mean... So, Justin, can you...? You sound very robotic, I can't understand anything you're saying. Oh, he asked that, I'm pretty sure. I don't know, I can sort of talk robot. I think JJ asked to be added to the calendar. You're really badly breaking up, JJ.

So it's good to see you all. My social promotion got some new faces in. Anyway, I recognize a lot of you. Oh, hey Andreas. Wow, hey man, thanks for coming in. Thanks for having me, mate. Andreas from Red Hat here, the man himself. Not even half as famous as you make it sound. Well, no, you're a pretty cool guy who doesn't afraid of anything. So, a lot of you haven't actually joined one of these meetings before. Do you kind of want to give an intro, Justin, to what we do?
Sure. So this is the security-focused SIG that's part of the Cloud Native Computing Foundation, which is the biggest part of the Linux Foundation. So this focuses on all the sort of cloud-based technologies, and things like Docker, Kubernetes and so on have a particular influence in the community. About maybe three years or so ago a group of people got together, JJ, Sarah and a few others, and formed SIG Security as a group. They got some interested people together and it's kind of grown from there to have a lot of participants. I don't know exactly how many, but I would guess in the hundreds of participants have come to a meeting and done things. It's a very welcoming, very nice community. Within that community there are also a few people that, in addition to being things like chairs, are what's called tech leads, which I'm one of, where it's basically somebody who's done a lot of work in the community and drives initiatives and issues. So I created the first cut at how we do security assessments for projects, and try to give the TOC and the projects themselves good security feedback on whether they're doing the right things and so on. I've also worked on a bunch of other initiatives related to supply chain security and stuff like that, and I also created two of the CNCF projects, the TUF project and the in-toto project. And I've just been active overall in the community with the SPIFFE/SPIRE folks and lots of other folks in there. I moved to Shanghai in September, and so as part of me being here I'm no longer able to make the normal meeting. So I'm excited that we've been able to start to get some people together, because we'd always talked about trying to have a meeting at a time that was more convenient for people in sort of the China, Australia timeframe. I'm like, China, Australia... We call it Asia-Pac. Asia-Pac, all right. Awesome. No, me too.
I'm stoked to have more people here. Should we do some introductions for the new folks? Hi, I'm Matt, I'll just go since I was talking already. I actually work with Andrew, who's on this call, at a company called Accelera. We do cloud native security and DevSecOps and help other companies realize that. Yeah, maybe someone else can go now.

Hi, I'm Andrew, originally from New Zealand. I do some cloud native consulting work with Matt at Accelera and also run Morningstar Security, and like to create open source security tools.

Jump in, Daniel. Also originally from New Zealand, I've been in Melbourne about nine years. I work for Seek, currently kind of the container and Kubernetes security SME as part of the security team here. Just variously involved in open source bits and pieces, and kind of wanted to formalize that a bit more, and a SIG like this made a lot of sense to me. I've been in the last couple of meetings, I think from our inception.

Yeah, hi, I'm Andreas. Thank you, Daniel. I work for Red Hat, and I was... I found, I thought security is very boring, to be honest. And then Matt told me about a capture the flag event that he wants to run, and so I got more into that. And then I started to check out, based on Matt's recommendation, SIG Security as well. And you know, I joined the Slack channel and I work on this current supply chain white paper as well that we are running under, I think, issue 510 on GitHub. And yeah, it's just great to be part of that and learn a lot, to be honest. I started off reading the cloud native security white paper and that sort of got me on track, and I found it quite interesting. So yeah, that's me. Thank you.

Hi, my name is Frederick. I'm from India.
I've been working on the SOC side and the blue team side of things. Now I'm getting into open source and cloud security, and I'm supporting the infrastructure security side of things.

Another Matt here. My background was mostly on-prem stuff and a little bit of cloud, and I've taken a new role where it's all cloud. So I had a general interest in security, but I want to take that a bit further now.

Okay, hi, I'm Dean Wari. I live in Japan. I head cloud native security at Check Point, and I'm in charge of obviously working to evangelize cloud security, but also all the security for containers, serverless and everything else. So I look forward to seeing how we can add stuff in this SIG. I'm excited to have a SIG APAC for the first time. It's typically been in the US, in the KubeCons and everything else. So, sounds exciting.

I don't know if you can hear me, this is JJ. Like what Justin was saying, we first started the group to just start discussing some of the security stuff early on. It was originally called SAFE; we followed the GNU moniker, Secure Access For Everyone was SAFE. And then that got transitioned over to SIG Security over time, and now we have it here. It's a pretty wide variety of group, and people from NIST, people from the Cloud Security Alliance and a bunch of people participate in sharing information and knowledge. Some of that is widely practiced in industry and some of it is still in research. So I'd highly encourage you to drop in or take a look at some of the videos from the EMEA sessions as well, because there's a bunch of stuff that goes on. So we'll try and cross-pollinate as much as possible. Matt's been pretty active on this and I appreciate all the effort he's done so far to get us into this zone. Yep, that's me. Thanks.
And then the scale that Joe Frameworks told, the acronym side... Yeah. No, it was fun. That was a fun thing. I think we still probably have some documents that say SAFE, but I don't know. Cool, so that's all I had. I'm happy to be part of this group and answer any questions, and like what Justin said, contributions are super awesome. Welcome.

There are also TOC updates that happen the first Tuesday of every month, where as a group we consolidate every activity that's going on within the group and then give an update, which is like a one-slide version of what's going on with this group. So that is also something that I think people should pay attention to if you want to know a summary of what's going on. For example, in this version we presented that we converted the security white paper: somebody volunteered to convert the white paper to Chinese, that got merged, and it's finally available on GitHub for consumption. We also had additional members join, like 56 different organizations or something, so we show some stats around the membership count as well there. So, a bunch of good stuff there. If you want to drop in and listen, you'll probably get a lot more information there. We also did form a secure supply chain working group. Justin, I think you might know about it, if you want to give an update.

Yeah, I haven't been tracking it too closely because it's async with what's happening here, but Santiago Torres-Arias, who was my PhD student and is a professor at Purdue now, started collecting all these materials and putting them together, and I know that they've kind of spun off into their own sort of sub-entity that has a bunch of momentum. While they're tracking this, they have, I don't know, 80 or so different documented supply chain attacks that they've looked at, and I think that they're still looking for people to participate and help in that area.
I know some of the more recent efforts have also looked at mitigations, because I think there's a tendency from a lot of, especially kind of vendors in the space, to overclaim. So this working group is trying to help avoid the problems that we had for many years with firewall and antivirus vendors and everybody overclaiming: oh, you know, I use antivirus, I don't need anything else; I use a firewall, of course we just keep all the bad folks out, there's no problem. Those are kind of laughable now, but in the supply chain space I think there's still a lot of people that say they have these magic products that don't really have them in practice. Yeah, so one other thing I want to mention about this... Sorry, go ahead. If you have something else you want to say, go ahead.

So a couple of other updates, also carrying over from EMEA: a serverless security white paper is being kicked off. There is an effort and there is a GitHub issue for that, or there is a doc for that. It's right now in a closed form; we'll start opening it up once it gets a little bit more traction. There is another effort that Brandon is working on, which is issue 551, which is to put together a security map of all the projects. Think of it as: what the white paper is for concepts, the security map is more of an implementation of which projects you use to solve which parts of the paper. So Brandon is working on that. If anyone's interested in this, we'll be super happy to take help from any of you. Those are kind of the updates I had.

Okay, can I ask a question on that?
Yeah, so because I made a comment in the software supply chain security white paper and I said it would be good to actually call out a project, an open source project, that delivers against that recommendation, and there's now basically a discussion going on. We don't want to make it a tools sort of conversation, and I understand that, and I don't want to make it a tools conversation either, but I also didn't want that white paper to be just theoretical, you know, saying all this is what you should do and then there's nothing out there that actually can help you accomplish that. I just wanted to get your view on how to tackle that here, if that's cool. I only just found out about it.

I'm curious, but in relation to the cloud native security white paper at least, there's a cloud native security map that's been worked on, and it directly links the theoretical components of the white paper against what's going to be in the map, which is practical ways of implementing a particular thing. So, you know, container scanning for example, with a variety of tooling such as Aqua Trivy or something else.

Okay, so that's the CNCF approach, is it? It'd be cool if you did this generally for any white paper.

Yeah, I would say it's a slippery slope, I mean, to be against you. I mean, I think if you want to talk about scanners, you can talk about the differences and the coverage and let people figure out which one they want to try. Because the thing with scanners is people kind of don't understand how they work, so especially with supply chain, I mean, do you cover malware, CVEs, CWEs? How do you find the shared signatures and so forth?
If we start suggesting Trivy and everything else, then you're publicizing Aqua and various vendors, and I think we should stay vendor neutral. So let's focus on education rather than promoting tools, in my opinion.

No, that was the motivation, keeping the white paper tools agnostic. Sorry, I'm being choppy, I'll just basically stop talking and just listen.

So I'm looking at the CNCF list of supply chain security compromises, and it looks like there isn't really much in labels for the types of compromise. I mean, they've got a column for the type but it's really broad, like dev tooling or malicious maintainer. So I think some more work could be done in identifying the types of attacks first, and then later that could be used to update the other lists of tools and techniques. Maybe, I think there's a cloud native attack framework that might be useful for that. Sorry, does that make sense?

I think so. One thing I'll say overall is the group is very good about being welcoming of people's ideas and suggestions, and the best thing to do is to reach out to the folks that are involved in this. I think there's probably a sub Slack channel or something like this specifically for the supply chain things, to reach out and then make these kinds of suggestions. Because there's no one here in this room, or in this virtual chat room, that has ownership of any of these or really has a strong guiding hand. Often there's a person who kind of emerges who helps to shape it into their vision, and getting all of us to say "yeah, that sounds great" is helpful, but it may be better to get the people that are responsible for it and have had their vision on this particular document or thing to move it forward. That all being said, one other thing I'd like to stress is that the way that things like the security assessment guidelines came about wasn't... It wasn't that I would ask someone for permission or
whatever. It's that I saw people were struggling to get something together. There was sort of this designed-by-committee thing that really wasn't making any progress, and so I basically just sat down and said I'm gonna do it, and I came back and produced something, and people said yeah, this is pretty good. Then they used it as a sort of 1.0 version that they're now revising into a better, improved 2.0 version. So, you know, I think you shouldn't be afraid to kind of grab your own space and do things with it, but if people are actively working on something, then trying to talk with them first is probably a better path forward.

Okay, thank you. Sounds good. So is anybody working on the serverless security white paper?

Yeah, there is active work going on. If you are interested, I can connect you with the person who is leading that effort.

Yeah, no, I'm already connected with her. I'm actually reviewing the white paper at the moment. Was this the canvas you just threw out? Oh, perfect. Anyone here who was involved?
Yeah. Hey, is anybody following the name collision vulnerability that Microsoft mentioned recently, where you can have a project that sources containers from two different sources, maybe a public one and an internal Docker Hub, and some people have figured out that if they can guess the names that are being used internally and then register them on, let's say, Docker Hub, then they can own things?

Yeah, so we've been pretty active as part of the Notary v2 redesign, and the issue here, the reason why this is a problem, deals with the way that they're doing namespacing in that area. That sub-discussion is probably the right place to have it, unless there's going to be a big fragmentation. But TUF addresses this. There's something in TUF called, I think TAP 4 is the right one, an augmentation proposal for TUF that deals with multiple repository situations and how you do namespace mapping when you have them, and so this directly addresses that. I can post a link in the chat.

Just to say, I mean, just as an education, if anybody is interested in presenting the problem itself, that'll be a good way to get engaged with the community and get them up to speed. People would be more than open to it. In one of the following sessions we can probably have a 10 or 15 minute presentation about this, to let the folks understand it. If anybody is interested in doing that, we should just create an issue, line them up as a talk in one of these sessions, and then in that process I think you can also talk about the ways to address that as well. What do you think, Justin?

Yeah, I mean, we could do that. To actually address it with existing tools, you as an operator can't really do very much. Your tool has to support it, because of the way it works. But the good news is that, assuming the Notary v2 design takes the TUF approach with this, which looks pretty likely, I
guess I don't know if likely is the right word, but it looks like it hopefully should happen. Then this will be a bit of a moot point. But we'll see what happens. There's some issues in that group with getting people to appreciate that security is as important as it should be at times, but for the most part I think they're gonna come to the right conclusion. So I have faith.

Tooling is actually an interesting topic, because if you work in the software supply chain best practices, the more security tooling you introduce in the organization, the bigger the attack surface for your software supply chain becomes.

Well, it can be. I mean, you certainly have more things that one can attack, but there's also the question of... So if you do it appropriately and you add something like another scanner: if your scanners are not able to modify the artifacts that would come out, right, if it's effectively a box you give your pre-built package or your built software or your source code or whatever to, and it can't modify the thing it's given and put, you know, a modified version back in the pipeline, then you may have additional risk of disclosure, but you don't necessarily have a risk that your clients are going to be compromised by adding that kind of security tooling. So I think one of the, you know, not to name-drop tools too much, but the in-toto project here, its focus is on making sure that you don't have those unintended modifications, that things actually do run through all the steps they're supposed to and so on, and to provide that cryptographic proof of all that. So if you're using things like that, then adding security tools in general should provide you with strictly better security, at least security towards things like modification of your code.

Yeah. Are you guys working on any feature specification for the next minor versions, as a part of what the group does? Sorry, Dean.
You mean specifically like Kubernetes versions? Yeah, yeah, sorry. Yeah, Kubernetes minor versions, I think 1.21, 1.22. Are we involved in those things, or is that just what the group contributes as well? I believe there might be some crossover, but not too heavily. I think JJ or Justin might know. Okay, thank you.

For the most part the individual projects are very disjoint from what our group does, other than when we do security assessments or do things like try to put things into the landscape or a mapping or something like that. But we just don't have the depth of expertise to take dozens of very diverse, very different projects and try to be involved in the daily recommendations for the next versions of whatever is happening. They tend to have their own subgroups, and then they come and will sometimes talk to us, or occasionally ask people to ask for some advice, or ask us to do an assessment update. But we don't... In real time, we're not embedded in all the different groups for the most part, as far as I'm aware.

Justin, just on the note of assessments: Andrew Horton here, I brought him along. Him and I work together and have done between ourselves a lot of assessments, and I'd be pretty keen to get him involved with some of the work you've done, like the v2 assessments, if you'd be willing to spend a couple of minutes going over where that's at and what you need help with.

I would be very happy to have you participate. When I left to go to the APAC region, I sort of turned that over, because of not being able to be in the meetings.
It's hard to wrangle people to get them to participate and so on, and also when they were doing the kind of v2 redesign of the things like the original thing I had done, I intentionally stepped back because I didn't want to overly influence, you know, be the voice. Because I found when I would talk about things and they would suggest things, if I said, oh, I think Coke sounds better than Pepsi, then everyone was like, yeah, we all like Coke too. So I sort of let that community go and do it, and so I intentionally am not that up to date. But certainly when I did it we always needed people, and especially people that have had experience doing it will be most welcome.

Well, it's nice to be welcomed. I've been having a look through some of the Google Docs, like the CNCF cloud native security map vanilla, and of course the meeting notes, which have all kinds of great links and interesting projects. But is there anything that you want people to come and join in particular? That's a real minefield out there.
I think you kind of just evaluate what's interesting to you and just get involved. Yeah, honestly, that's the best thing to do, is just start talking to people on issues and try to find things. It's also possible that there's something, an entire thing, missing, like this whole discussion around the landscape and the map. I had a conversation with Brandon about this early on, and we started something about maybe a year and a half ago or something like that, and he's just kind of gone and taken this and done amazing things with it that are way beyond the way I sort of thought of it. But at the same time we had other folks like Emily, who's one of the co-chairs, Emily Fox, and a few others that had a sort of different perspective, coming more from a policy side. And so we talked and we created almost like semi-competing things that eventually we found a good way to separate out. And so that's why you have the thing that's the neutral white paper now, and you're having something that's going to end up being more of an actual map that does actually have projects and things on it, because I think we saw those as each separately valuable, and a way to keep some measure of neutrality while still promoting CNCF projects, which is what we're obviously supposed to do: promote good security practices, especially related to CNCF projects.

I'll share a few links, Andrew, with the assessments anyway. I think you'd find them pretty interesting, like there's been some work done already with existing projects. That's probably a good place, where I've started at least, is just checking out the format and structure of how those assessments were actually performed. Yeah, sure, send it over. I've been skimming through a lot of the links I've been pulling off the previous meeting notes while we're talking, and there's some really good content here. That's the hacker I know, just brain-dumping all the info.

Good. Hey, yes, from my side.
I'll just give you guys a bit of an update. I've been spending the last probably four weeks just familiarizing myself with the repository. I spoke to Brandon this morning and also last week, like Brandon Lum. He's been really, really helpful. As per my convo with him, I've started looking into the landscape, like the v2 landscape, the cloud native security map, like it's the 20-page document or whatever, and making some notes there. And I started on the serverless security research white paper too, but I wasn't really sure where that was going, like it's only kind of six pages. So I'm just waiting to chat to Radner and see, because she's leading that initiative. By the way, thanks JJ for getting me in contact with her, that was great. Yeah, I'm sure a lot of you guys saw I've been heavily promoting this organization on socials, like the DevOps Slack and on LinkedIn and stuff. So for those of you who joined through the remote promotion, thanks so much. I really hope you guys are actually interested in this and want to contribute, because, I don't know, I'll tell you from personal experience, when I started looking at this I was like, whoa, oh my god, this is so cool. And then it was like, well, oh my god, there's so much information, where the hell do I start? So if you're a bit overwhelmed like I was, just don't be afraid to ping me on Slack and I'll try to help you understand what I know, which isn't much, but I'm happy to help.

Yeah, so I'm kind of new to this SIG Security too. So I was wondering how to start contributing and stuff.
So I'll probably get in touch with you. Yeah, man, I'm happy to help. As Justin said, and Matt just before, kind of skim through the GitHub issues. A good place to start is just to understand the repository; that's what took me a bit of time. Understand what the open issues are, then you'll understand where the help's actually needed and where you can contribute. And yeah, just find something that's interesting to you. I think that's really important, because if you're passionate about it, then you'll be more compelled to contribute. Yeah, man, feel free to ping me on Slack. I'm Blackbeard on Slack, not Matt Flannery, Blackbeard. There you go. Oh, okay. Okay.

And Matt, is this the first APAC meeting for the SIG? I think it's the second or third one. Yeah, just to be clear again, I'm not an expert here, I'm learning, but if I can help any of you guys know what I've learned already, that'll just help me as well and we can learn together. So that's cool.

So, yeah, I was just gonna say this is definitely the most active meeting. Before this we had, I think, four participants or so. This is, I think, our third meeting, and it's mostly been how to get more people to show up. So good to see Matt taking charge and obviously bringing a lot of fresh, excited faces. It's terrific.

Yeah, my problem, just on that note, like I've been following SIG Security for over a year now, and the biggest issue for me was the time zone difference. You know, if you can't join the meetings it's just too hard to really contribute, to be honest, because you just have no feel for what's going on. Just for your information, Brad and everyone else here, this is a regular cadence. So pop it into your calendar. It happens every second Tuesday at 1 p.m., so at the same time.
So if you can, try and block out this time, attend the meetings, and we can build up a bit of a regular cadence. And you know, look, it's something you have to do in your own time, so I understand everyone's got day jobs and families and stuff. I read an interesting article about how to start contributing to open source recently: just, you know, spend four hours a week, if that works for you, and even that would be super appreciated. Personally, my motivations are: I've been an advocate for DevSecOps for years, like I started the DevSecOps Sydney meetup like three years ago. I've been preaching about container security since Docker existed. So this is just a natural kind of fit for me, and you know, it's a way that I can get involved with a community of people that are like-minded and have similar interests and just, you know, learn more, really. So I'm really, really happy to see all you guys here, and looking forward to working together with you.

Yeah, thanks for boosting it. I'll boost it again next week as well. Great man, that'd be really cool.

Great. I'm gonna have to drop for another meeting in a few minutes, but you are welcome to continue to talk if there's more. Is there anything else that we should all discuss?

I think we've probably covered everything, Justin. I think, as you said, man, just to start off with, let's try and get some more people, and as these guys familiarize themselves with the issues, we'll have something to talk about. Sounds good. Hey, just a suggestion, Matt. Excellent meeting, by the way. Maybe we can do some sharing of presentations. Maybe somebody could start with an introductory "how to use the resources". Maybe, I don't know, this is just an idea.

Yeah, we can do that. So typically there's two types of meetings that we have at SIG Security.
We have the working sessions, and then we have ones that have some kind of presentation. And we could definitely do one where we have... This meeting, by the way, we labeled as a working session, but we could do one in the future where we have some sort of presentation that tries to give an overview or something like that. If JJ were still here, since I think he's able to make both sets of meetings, he would really be an ideal person to do this. I feel like since I can't make the other meeting and haven't made them for months now, I wouldn't be the right person to do this, but maybe JJ or Emily or somebody could stop by and do that. So I don't want to promise them for the next meeting, but we can reach out and see if one of them can do this sometime soon.

Hi. I also run a community group for the same server as well. So if there's any side events or friends doing a run, we can monitor that as well, if we need to, if it doesn't go through the sub channel.

Okay, well, just on that note, Andreas and Andrew, are they the right directions? I know I'm probably on a different little picture here, but anyway, on my computer I'm pointed to them. Those two guys are actually working with me on a capture the flag event. I know this is unrelated, but it's got something to do with cloud native security at least. A number of challenges have been developed around showcasing vulnerabilities and flaws within Kubernetes, as in either default or misconfigured implementations or outdated implementations. And so, you know, if you'd be interested in promoting that, that'd be great. I'll make a draft for you today if you want, and then we can just keep working on it and promoting it. Cool, man. I'll chat to you offline about that then. Yeah, sure. Sick, sick, all right. Well, I'm gonna hop off too. So who's gonna follow up with JJ and Justin about that? I'll do that. I'll do that.
All right, and yeah, thanks man for coming, because as I said, if you didn't come I don't know how to run these. No, you did great. I'll say less next time. You just... I'll let you take over, it sounds good, and you know what you're doing then. All right, sounds good. All right, take care. See everybody in two weeks. All right. Thanks. Yeah. Bye.