 just to try to start us off because we're all here and I think it'd be a shame to sit around and wait. So why don't we start with these real things. If you haven't already added yourself to the meeting notes in terms of attendance, please do so. I'll go ahead and post a link here in chat and so you can see. It looks like Sarah's on now. Sarah, are you there? Yes, I am here. Cool. Okay. Thank you for taking us off. I was wrapped up in GitHub issues. So do we have scribes? Nope. We were just about to get to that. Great. So maybe we could have volunteers. So I thought we have a, I now have access to the CNCF service desk in our ongoing process news. It's coming together. And we have some logo ideas from the artist, which is great. And so I thought as part of our check-in before I share those images, which were just kind of a brainstorm based on some notes that I kind of verbally conveyed. And so there's a bit of telephone. I thought it might be nice as part of our check-in if people would, if you're so inclined, share any visual imagery you think of or things that we would want to embody in our, you know, communication presence, because we're doing a little microsite about cloud native security. And which is like the idea is that the repo is about the workings of the SIG. And that's like where we have, like if you're working, all of the in-progress stuff is more surfaced and the process stuff is more surfaced. Whereas on microsite is more about like our outputs and what people come and learn from the microsite without necessarily being involved in the SIG. So anyhow, so the logo would be for like, you know, for us to put wherever and then eventually on materials and things. So do we have scribe? Sorry, I've lost my window. If somebody has some notes up, if you can shout out if we manage to have some volunteers. I'm here. Yay. Thank you, Jonathan and Ash. 
So we don't, I'm going to do some, we're going to do, we're going to have a working session and we'll do some agenda making. So we're going to start with attendance stand-up with ideas about, about representing cloud native security. And then we'll have agenda making. Because we have a number of issues that need discussion where we're moving towards this proposal process. So I thought we could do some agenda making and talk about the things that are currently proposals and things that we would like to have proposals for and start following our process. So my name's Sarah Allen. I am a co-chair of this working group. Dan may be able to join us. JJ sends us regrets. And I have been working on getting our PR count to zero. Thank you, Brandon and Emily and other people. Robert, different people who've been chiming in with PRs and on issues. Really appreciate that. So that's been my news for the week. Lots. I'm just going to go down the attendance list and then we'll see if we missed anybody. Lutz? Okay. Hi, my name's, sorry. Okay. My name is Lutz Bink. I work for Figo and I'm on a very crappy network. If you can't hear me, then I'm sorry. I hope I'll make it through the meeting. Oh, great. Oh, and then I forgot to say my imagery of cloud native security. So one of the things that I, like I kicked off the whole logo thing is because there's a lock. It kind of appeared on our thing and there's been a lot of discussion that it's not like locked versus unlocked. It's, you know, risk reduction. And so I shouted out on Slack ages ago that like maybe like a secret agent emoji, like somebody, we're all like trying to figure things out. So I don't know whether you, Lutz, have any imagery around cloud native. You want to add to your stand-up? Shield and sword. Shield and sword. That's a good one. To protect and just strike down those that might attack us. Nice. Justin Cappos. Okay. So I don't have any imagery. So I'll just skip that part. 
This week, the automotive TUF version, Uptane. We officially voted for IEEE-ISTO certification of standardization of the 1.0 version for that. The project also is going to be joining the Linux Foundation, not under the CNCF. So we've started that process as well. That'll happen in mid July. And in-toto officially has the sponsors and everything it needs, is on the docket for the July 9th vote. In addition to that, I've been trying to wrap things up with OPA, which has meant that Ash and I have been, mostly Ash and I have been playing tag on a few GitHub issues. And I will be tapping a few other people who are involved on the shoulder a little more aggressively so that we can finally get that done. Great. Thank you. And congratulations to in-toto and TUF. I assume it's going into the automotive side is not as cloud natively, which is why it's going to Linux Foundation or? Yeah. Uptane is going to be under some new thing that is housing specs in the Linux Foundation, which TUF and other things like SPIFFE and others may also end up under as well. It's not like the CNCF. It's not like we sort of leave where we are to go there. It's just sort of an additional resource we can use in the CNCF, much like we might decide to use their social media marketing or not decide to use it. It doesn't change whether we're in the CNCF or the other. Great. That's good to know. So I'm just back from vacation. I looked at the OPA assessment doc. It looks pretty good. I just had a couple of small comments which Justin addressed. So that's pretty much it. And as far as the logo is concerned, I agree with Lutz, something like a shield and sword would look really nice. Yeah. That's good. Thanks. Carlos. Hey, my name is Carlos. I'm working right now in order to collect a couple of use cases that maybe need security assessment. We'll put it back on the site in order to start the discussion there. That is pretty much what I'm trying to achieve this week. 
Wait, so is that for the Falco assessment? Yes. Emily. Do we have Emily on? She may have dropped off for a sec. She's having phone issues. Yeah, she's right under there. Feel free to include notes in the chat. And we'll get back to you. Craig. Hi, I'm Craig Ingram from Salesforce, and I'm on the Kubernetes security audit working group, which is wrapping up. Most of the findings and things have been added to the product security group for Kubernetes. And we're kind of just wrapping up reports and things like that and a couple of issues under embargo until product security handles that. But that's exciting to have that wrapping up. Imagery. I like the shield and the sword or some type of armor type thing instead of the lock. That sounds pretty cool. Great. Thanks, Craig. Jonathan. So I've been working on some threat modeling work around Kubernetes and reaching out to Justin Cormack and potentially any others within the security group to take a look at that. And I chair the financial users group. And this is some work that we're looking at contributing back to the community from within that group. So obviously looking for security guidance on that. Great. Thanks for joining us. Michael Ducey. I'm one of the Falco project leads and can't get my Bluetooth to work for whatever reason. I like the shield and the sword. You could probably extend it further and just, you know, a knight or something like that. The thing I've been working on this week is to get the installation docs for Falco rewritten, which that's been submitted via pull request. And then the other thing, we kicked off our security audit with the Cure53 people. And so making sure that trying to get some things to get those people up to speed and working and productive. Great. Thanks, Michael. Brandon. Hi, I'm Brandon from IBM Research. So what's new? We are starting to push the work on image encryption into OCI spec. 
We already issued a KEP for the feature, which kind of gets me curious into, you know, how we can get whether these things are going to be part of the security assessments that we do as well. But that's far be a discussion for another time. Also, kind of just a shout out if you're going to be at KubeCon China next week, comment on the issue that's open and we can probably meet up. With imagery, so I like the sword and the shield thing also, but I kind of something that I would see kind of cute is like if you had the CNCF logo with the shield as well. Yeah. Great. Christian, welcome back. Yeah, thanks. Yeah, I've been out on vacation. I just came back on Monday. So I don't have a lot to report. My mental image is we used a uniformed officer checking a passport for one of our products for a while. Not sure if uniformed officer is the right thing, but checking a passport, maybe a knight checking a passport or something like that to go with the shield theme that we have. And I'm still interested in discussing the whole platform implementer persona that I brought up a couple of weeks ago. I had a scheduling conflict, so I couldn't make it for the last couple. Yeah. So maybe we could have a, let's, I'm going to pick up a note on the agenda. I created an issue for it. Yeah. Can you add the issue into the agenda? Sure. And we can take, we can like, we'll collect a whole bunch of things. Some of them might leak over to a future meeting. But then we can take a look at it in any case. TK. I don't have anything, any other updates today, actually. So I think on the imagery, I'll give some thoughts if I come across anything different or let you know. All right. Great. Amy. Hey there. I'm just here to listen in today. Can you say who you are for the new people? Oh yeah, sure. I'm the CNCF program manager that helps with all of the SIGs. So if you have other ideas about logo, please let me know. 
So, and I actually created an issue so that we can gather all the things in one place so then people can chime in on that issue and then everybody can hear everybody's thoughts. Thanks, Amy. Roger. Maybe Roger's having phone issues. We'll skip to Emily who, thank you for putting yourself further down on the list. Do we have audio? I'm Emily Fox. I'm from the National Security Agency and I've been doing a couple of PRs trying to get those governance and a lot of the documentation up to date and integrated and trying to provide more foundations for all of that. And I vote anything that is not a security lock I'd be happy with. Yes. Sorry, I was so obsessed with being sure my mic was on. I didn't notice that I was muted. So, Roger, you're up next. Yeah. So I've been kind of pulled, most of my time, pulled by where we are in the release process plus the fact that we just had some reorg that was actually very good for me but means that I'm bringing other people up to speed. So that's been a bit of a distraction but I agree with the anything but a lock and I think it should be a thing I like about Sword and Shield is that it can be very simple. I think we should use imagery that can work at icon or sticker size as well as website size. And so I think, you know, things that can be very, very simple in design are really useful. That said, one of the things I would really like to do that I brought up in Barcelona is starting with ride along and then maybe getting more involved in future assessments. I had volunteered my security engineer who promptly left the company two days after I put him forth and I think we're not going to get to replace him for that. That is a security guy on the Kubernetes distro team till probably next quarter. So, but anyway, I would still very much like to ride along and be able to carry some stuff over to dealing with our projects internally as well. 
Justin, do you have any, like, so I think chiming in on the issues when there's one open and then you'll hear about them on, like, on the meeting, so that we welcome people shadowing. And Justin Cappos, do you have anything more to add about, is there a process that you envision for that or do you want people to just join the channel and help? There's a, there's somewhere a document or an issue or a thing that says who signed up for which assessments and what they do that a few people got added to, and I wish I had a, we should probably link that somewhere prominently off the site and people can add themselves. I know I added a couple people and who reached out to me and a few people added themselves, so there's at least an exist, like there's a proof it's somewhere, but we do need to link it better. Cool. Yeah, I somehow, I will search. I probably have access to that somewhere but don't know where it is. Um, so yeah, it would be great if you could link that, or at least great just you can find it. All right, did it, and did we miss anybody? All right. Hey, it's Mark. I just want to get my image in. Hey, so my image is a data center with a guy sitting or a girl sitting with accountant shades on with CNCF on the cap, and the reason for this is that I think it's really not about these traditional award defense kind of things. It's more about risk, and the people we, that the public associates with risk is accountants. So that may be wrong, but anyway, there's, there's an alternative image to think about. I like it. Thank you for me today. Super. So I'd like to do a little agenda making next, and so if you have an issue, project proposal or thing that isn't yet written up and is an issue that, you know, feedback from the group would be valuable or, you know, awareness. If you can put it under here, we have the proposed, or I guess we can put it here. There it is. Thank you. 
If you can put, we'll just take a few minutes, and I just put the logo here and Christian put in platform and implementer. And does everybody, if you don't have access to the notes but you have access to the chat, you can say it in chat and I will share my screen, and maybe, Michael Ducey, if you can put in the SIG Security Day issue. Yeah, I just have to rearrange my screen so that I have everything in one place. Sarah, did you lose audio though? Unmuting. Sorry, I was typing while somebody else was talking and I muted myself. Thank you. I think we already sort of covered Shanghai on the agenda. And we should probably touch on the process, so I'm going to put process first and just go over that, which is that we have now here, actually before I dive into that, we'll have these, I think SIG Security Day is time sensitive, I'm going to put that first. I'm going to touch on process so that we cover any questions or proposals and so far, and then any sort of in-progress proposals or proposed proposals. And then I think you didn't have an urgency, Christian, right, on the platform implementer roll up? With that, I think it'd be good for everybody to have a chance to read that and queue it up for next week, unless we have a bunch of time at the end, but I think we'll be busy. Any other things to add to the agenda? We're going to go for some process, we'll talk about SIG Security Day, we'll talk about the other proposals, touch on the logo, and because I think we have some imagery that I saw on one of my channels. Amy, do you have access to the images, which I thought were in the service desk account but I don't see them there? I'll dig them up while we're covering the other things. So just quickly, I just wanted to show everybody, if you now, if you go to issues and you say new issue, you can make a proposal, have a security assessment or make a suggestion. I wish these were in a different order because it makes it seem like security assessments are the thing you do after a proposal, but I think 
they're in alphabetical order. So generally we are steering people towards the governance model where proposals mean that you want to take the lead or participate in driving something forward, and you're kind of volunteering with the proposal. Suggestions are either, it's like you're not really sure what it's going to be so you're not quite ready to volunteer and you want feedback, or you think it's a good idea but you're not going to work on it, right? And generally we've prioritized things that have enthusiasm for people who stand up and say that they're going to work on it, because this is all driven by people who step up and do the things. So any questions on our kind of issue process, chime in and interrupt me. And so now if you go to issues we have this proposal tag, which then have, there are two proposals where we really should have like something that goes from proposal to, like, whatever the noun is for, it's actually an accepted proposal. Although the internet has a long history of course with requests for comments becoming specs while still being called RFCs, so maybe, you know, there's a precedent to leaving things as a proposal. And I think SIG Security Day is also in that category, so I'm going to assign a label, um, because I think that this, so now if you use one of those templates it auto-labels it, which is pretty nifty, um, but then I'll make this a proposal. And then, um, if you see something that should be a proposal and isn't labeled that way, just shout out on the triage channel or put a note on it, um, with whatever information is missing, and then we'll, um, we will, uh, we have a few triage volunteers who can help, have the permissions to label things. Um, so, uh, Michael, should we go first to SIG Security Day? Although I don't think this covers the proposal format, so I will, it's okay, we can, um, we can just cover the quest, why don't you go over what it is in general and then we'll cover the kind of the open questions in terms of what's missing from 
the template format and I'll pick up the template and add it. Yeah, um, we had talked about this a couple weeks ago on the call, so I'll just bring it back up for anyone who wasn't on it. Uh, the idea is to create a day that's focused on security. So, um, so I can step back, so every KubeCon and CloudNativeCon, before, they have this day of add-on events. Um, this is typically used by vendors as a way to create, um, you know, a vendor specific, you pull in their vendor specific community and pitch product. Uh, it's also been used, like, for the Kubernetes Contributor Summit is held that day. Um, and then last, uh, edition of KubeCon at Barcelona the security folks got together, I think almost pretty much like SIG Storage got together, and had a cloud native security day. Um, it was run and organized by the vendors of that community, however it was still a very community driven and community oriented, uh, day. And so the idea is, can we create something similar in the security world, uh, under security, mainly to kind of address the fact that security is getting kind of bifurcated, or at least that day is getting bifurcated, with security vendors deciding to do their own things and then sometimes doing things that, uh, it isn't obvious that it's a vendor branded event that you're going to, um, because they just use very generic terms. Um, so what I want to do is create the definitive cloud native, um, security day that pulls in everybody from the community so that we can have conversations around some of the topics that are proposed. The idea is that it would be a mix of speakers, and I really want to try the open space ideas because, um, on the call where we brought this up somebody had mentioned that the most valuable time that they often find is talking to people in the hallway and having conversations around things. Um, and open spaces really kind of enable that and provide that functionality for people. Um, it's a well proven path in the world of DevOpsDays conferences and things like that, 
um, and other conferences as well. So, um, I would like to see if we could incorporate open spaces in some way, uh, as well as traditional kind of speakers and talks like that. I think it would have to be a single track event just to get started, um, and then eventually it could probably grow into something multi-track if we really wanted to put the effort behind it. Yeah, I don't know if anybody else has gone to, um, the Internet Identity Workshop. Um, that is, it's been going on for like 20 years, they have it twice a year and they use open space, um, where the people who show up make the agenda, and it's actually very related to security. And I wonder whether we could get Kaliya Hamlin. She doesn't actually facilitate it anymore but she facilitated the first, like, you know, 16 of them herself, and, um, she's an incredibly experienced facilitator who is also an identity expert. Um, so, uh, that might be, uh, something to explore, and if we had a space which had a bunch of different rooms we could potentially, you know, have, like, maybe some opening panels or things that we arranged and then some of the day be open space. Yeah, we, um, we'll have to see what, so we submitted this as a proposal to the CNCF and I don't know, and maybe Amy can help us understand, if there's special dispensation for SIGs about adding on one of these events, and then since we're actually technically a CNCF sponsored SIG, does the CNCF provide the funding for that or do we need to go find sponsors to provide the money, um, into that? Um, you know, sissy is happy to sponsor because you all are so new at this point, um, but I don't think we've even thought about that yet. So let me go back to, like, the team and kind of let them know that you're interested in this and see what we can do around that. Okay, I know there's a bunch of emails running around, um, and I'll, I think this is the first time we run into this, so thank you. Okay, and I think that one of the things to consider, um, Michael, and we, you know, like, I think there's 
probably have to be some research outside of this call, but there's two at least, you know, like, as currently is on the, like, I read through all of their materials and kind of there's the, if you want to do, if we want to do it, like, on site at the conference center then it has to be classroom setting and there's no flexibility with how the room is arranged. Yep. And if, but we can be in the registration, right? Like we can be, like, you just sign up for it, and then we could get something if there's something available like a few blocks away, like we sort of. Yeah, they also have off site, which, um, is just in the Marriott next door. Oh, and that has more flexible space? Yeah. Yeah. Oh, okay. So there's one other related thing I'd like to mention, which is that NYU every year hosts, in early November, I think it's six to ninth this year, we host one of the biggest security, like, events in the world, this thing called CSAW, and it has people from industry and academia and government, and we have something like 20,000 students participate in at least the initial rounds. And there's been interest from some of our sponsors on having some kind of security event that they would pay for to have people come and do this. So one of the things I thought of was to have something I think quite similar to what's being described here and possibly try to get, uh, some folks from a lot of the cloud native projects that have a security bent, to folks from SIG Security and things, um, especially those in the area, but of course, you know, hopefully a few people to come in and check it out. Is there interest in this as well, or is it something that would be a lot less interesting because you'd actually have to go to, um, the cultural and, uh, financial capital of the world and hang out there for a few days in New York City? I was, you mean in doing a, I, so would this kind of understood, like, go ahead, Michael. Just, oh sorry, no, I was saying I kind of, I either cut out or I misunderstood what you were proposing, Justin. 
There's a conference at, there's a conference at NYU. It's a big security conference. We have sponsors that want to host some kind of cloud-ish workshop there. The idea would be to do something effectively this, and, uh, would some people be interested traveling out to do this? This is, uh, this would be going to New York in November, six to ninth time frame, and getting to see, like, massive, um, you know, I think it's something like RSA or something like that with less of a kind of commercial feel. So you get the best students in the world that are, uh, participating in CTFs, there's embedded hardware challenges, you get research presentations, there's a dozen or so different events that happen there that are capture the flag or trivia quiz, high school forensics challenge. It's really a neat event. So I'm wondering if, since the sponsorship aspect of that seems to already be figured out from our side, if there would be interest in people in this community to come and attend and participate, if we, you know, which would have no charge other than possibly the charge of going to New York, although I can try to see if we can cover some of that cost. So let's, um, so I think that, so are you in lester proposing this instead of doing it at KubeCon? I wonder whether we should, I mean we can take quick feedback from people, like, I'm trying to figure out, like, are you asking would this conflict because it's around the same date? And then there's some uncertainty about some aspects of this, about this proposal, about sponsorship and do we have to charge people and can we get space and how does all that work. And then I'm wondering if, or at least, you know, certainly for people that are in New York I would hope that they would be interested in attending, um, this event if it sounds interesting, but I'm hoping we can put on a show, like a program where we would get presentations with folks from like SPIFFE, SPIRE, Falco, um, you know, and is to go related projects, and have a workshop that sounds very much 
similar to what is being described here. I don't want to kind of, like, um, steal the thunder or change, you know, change what's happening here if this is kind of a done deal, but I want to just mention that we don't have, you know, we may have some of the logistics also here sorted, and perhaps there's another way, you know, there's another option here if there's problems with, you know, we'd have to get sponsors and we have a hard time, or, you know, the problem with the CNCF events is they're really oversubscribing, there's a million things to do and a million people to talk to and you get pulled in 87 different directions. So this might be another option where, um, you won't have 87 things you have to go to. Anyway, just throwing it out there. Yeah, they sound both like they're separate things but they're both really interesting. Um, the New York event, uh, to me sounds like the audience, I could be wrong, but sounds like the audience, uh, will be, you know, folks that go to NYU and other universities in New York, um, as the actual audience, and then this is more, you know, the folks that come to KubeCon. Um, I think the initial thing that Michael said was for the KubeCon thing in San Diego. Currently what we have today is there are security events the day before, but they're vendor, they're championed by vendors, and so you don't actually get a good picture of what, you know, the community wants and, you know, some of the work that we are doing as a SIG, and I think that's kind of what, I think that's what we're trying to champion with this pre-day event. Yep, exactly. Yeah, I think, um, I mean we do have thousands of people come in from out of town for this event, but it does have, uh, and it does have academia and government there in much greater force than you'll see at a KubeCon, but there's also, you know, a fair amount of industry. But you won't have the kind of people that are coming in to go to a talk on storage and, oh hey, the security thing looks good. It's going to be security people from 
industry, security people from academia, security people from government all there. Um, but I get the, I get the point here. It's less, it's, yeah, it's less broad industry-only participation. Oh, I got you. My, uh, Justin, I didn't realize that. I thought it was just like, uh, New York, um, you know, NYU event, but, uh, no, I think it sounds cool, uh, just from like a conference perspective, uh, and from, you know, content perspective on security. I think there's a lot more that all of us could be doing to actually be talking about stuff, uh, in general. Yeah, I'd be happy to participate, uh, with anything with CSAW, but I think it would be a, uh, in addition to what we want to try and do at KubeCon, mainly because our audience and our end users are there at KubeCon, versus, well, you might have end users there at CSAW, you definitely have a much greater concentration of end users that in San Diego. Yeah, and I think the additional goal of trying to, um, take some of the air out of the vendor days, um, on security is a really good goal. Um, it doesn't feel to me like it should be something that, you know, you basically direct how the day goes for security by throwing money at it. I say this of course as a vendor that doesn't have much money to throw at it, but. Well, and I'd say this from the point of view of a vendor as well, but, um, you know, vendors are necessary, but I just feel like the CNCF bills themselves as an open source community, and which it is, and I just think that we need to, we need to help them emphasize that. I agree. And stay true to that mission. Yeah, I was largely joking about that, but yes, I agree from a mission, from mission perspective, which is the important. Um, I'm trying to write up this, I think the impact statement, like, that this format is actually really helpful because it, like, it helps us maybe, like, frame this difference between this event and what just described. And it sounds like people don't think that there's an issue with having these two close together because there are people 
who live in New York and it would be easy for them to go to the New York thing, or people who have reason, you know, where they're traveling all the time and that might be fine. Um, so it sounds like there'd be enthusiasm or at least interest in, um, Justin writing up the, uh, the potential for the, um, uh, New York event here. I'll do that. Thanks. Okay. Um, so we want to say, like, there's a lot of vendor focused events on Monday, and having a, and which, um, risks, like, sort of basically splitting the community. I think splitting is a bit strong, but, um, yeah, like about, you know, losing focus of the open source. I think that's good, or something like that. Who's got the smoke detector whose battery is about to die? Because this was happening on the last call and it made me think that it was a smoke detector in my house. I think it's TK, and I, it's happening always, so I don't think it's a smoke detector, I think it must be the plug in that he's. He's right, he's right. It was, I'm the guilty party. I think I have one of those things and I gave up on the, I apologize, but I gave up on changing batteries and those things, it just, you know, almost, I muted up myself completely from those, that thing. It's like a noise to me. Um, the reason I unmuted myself, I was wondering, is the whole purpose of these things on this KubeCon and so forth, is it to promote certain ideas that we are going to be proposing as a security group, or is it just to have some open dialogue where we are collecting information from different vendors and somehow that would be a contribution towards our goal, whatever that might be at the final form in the security group? I'm trying to understand and clarify something so that, you know, so that we have a similar goal as a whole group. That's what, what is actually happening in this group at the end? So you're asking about the day being sort of a, whether it's a productive security, like. No, I'm not quite, you know, picking on the day per se, but I'm thinking about, you know, the purpose 
of these proposals on a security day that we designate or we suggest, as to what do we project to the outside of this community, that what are we doing and how this is related to this particular, uh, group. Whether are we going to take these as an input and try to massage them or incorporate them in our final publication, whatever that might be. I heard before that we're not creating a standard, that's what I heard. I'm still trying to get a handle on this. Are we creating a guidelines, are we creating a recommendation, and somehow how this day event is late or does relate to that goal? Typically in an unconference this is mostly about an exchanging of ideas, right? So you have the different people coming together and discuss arbitrary things, right? And it could be that some people get together and decide to come up with a new project, or they get together and decide, you know, maybe we should have a standard document of some form, right? So I don't think this is, because you mentioned that earlier, I don't think this is about vendor interaction. I think this is typically about community interaction, right? Here anybody can propose any, I assume this is similar to an unconference, right? I took a brief look but. I think that we're, um, where that's exactly, like, kind of like what this proposal, like, the proposal is do the day, and then, um, one of the to-dos is figuring out the format. And so the proposal is that there be a mix of, like, speakers, right? There might be a kickoff, right, with speakers and panels, and then some of it is open space, and that's, you know, that's kind of the topic of discussion. And I think that what TK brings up is, what are we trying to achieve with this day? Because what we're trying to achieve then determines this, like, like you say, Christian, like, if what we're trying to achieve is, well, whoever shows up, like, knowledge sharing amongst ourselves, right, and just kind of furthering the, like, what the individuals and we together want to do, then the open space format, 
we're not very directive about that, right? But we could say, even in the open space format, we could say we're seeking, like, presentations in this area, right? Where people aren't going to be, you know, teaching knitting, they're going to be doing things around security and policy and so forth. So we, we can frame the open space thing. Um, so I think that going back to TK's question, the, you know, this is the objective of our group, right? To discover and produce resources that enable secure access, policy control and safety. And then we have, like, a big long charter that does that, that elaborates on that. Um, where, you know, like, we're basically kind of, I think the vision actually captures it best, which is, like, which is that there exists a future where we're, we have all the tools we need to make secure systems, and when we talk to each other, there isn't a great deal of confusion about what we're talking about. And, and that after we get through the basics of explaining to each other in the world in a common way what is, what do we mean by cloud native security anyhow, and what are the things that people are doing today, that, um, at least I've talked to, most, most people in this group that I've talked to one on one believe that there actually are a lot of gaps right now, and there are a lot of, there's a lot of DIY security, which everybody's like, I'd rather not be building all this myself. Um, and, you know, this, this, so actually security risks from just, like, oh yeah, I just decided to invent this thing that, I wish I had this thing that, you know, like, other people use. So, so, like, we're just working through this, and, um, we'd like to find standards rather than create them. And I think the key thing that this, to answer TK's question about what exactly are we doing here, um, I think the, the key thing about the first, a bunch of people who created the CNCF, um, seem to believe that the word, that being a standard body implies that you make only one standard and then you require everybody to conform to that standard,
right? And so that's not what we're doing. We're not saying we're going to invent something that then we set a requirement on all CNCF things, right? That's what it means by we're not making a standard. But we can, like the cloud events folks, like, the serverless working group created a cloud event specification, says, hey, if you're doing cloud events and you specify and you follow this specification, then it's interoperable. And it's more like, this is a way that we can all work together. Um, does that help, TK? Yeah, I was just wondering, I, that definitely helps, what you just clarified, no question about it. But I was just wondering whether, can we reach to a point where we agree and say, okay, we are at least trying to get to a document that will serve as a recommendation perhaps, or a guideline, even though that might include multiple standards from the industry that might exist, that we will pick and choose and so forth, but it will serve the purpose of anyone that is trying to develop something that will reside in a cloud native format from the perspective of the security. So in other words, someone will get some benefit from, by reading these things or following this documentation, saying that, well, here is the guidelines, this is what we are going to follow if we want to reside in the cloud native, um, environment, and we're going to be able to sufficiently secure ourselves based on CNCF SIG Security group's recommendation. So I think this is a, this is a big, I think it would be actually really helpful to have this as its own discussion, because this is kind of feeds into the, like, I think that this is one of our challenges, right? That we have a white paper in a landscape, and we have a lot of questions about, like, we're not all making this, just because we're all doing cloud things doesn't mean they're all the same thing, right? If I'm making a hosted deployed system, that's not the same as I'm making built software that somebody else deploys, and, um, you know, libraries versus web services. So, um, but I
think that where we veered off of the topic of SIG Security Day. And I think that, um, I don't think that we're going to finalize, I think that, I think what I'd like to do is send this back to you, Michael, which is that, like, the goal of the day is, um, like, maybe this isn't, um, the question to you is, after this day, are you expecting that something, like, what will have been different? What, what will have been accomplished at the end of the day? Like, is there, is there anything that, like, that the output of the end of the day that you would want to articulate? I, I would argue that the security day should provide the community with an opportunity for education, information sharing, collaboration, and cultural shift with regards to security in cloud native environments. If I was going to that day, I would expect to walk away with a "ha, that's how this organization is doing it in our cloud native environment," or "I never thought of, of integrating security into DevOps in that particular fashion." More of, like, an information exchange in a collaboration, like, how do we improve the space? Like, we talked about all the time, whenever we get to these conferences, like, this doesn't exist, why doesn't exist? Maybe do, like, a hackathon, or recommend that in a hallway track, and then set that up as, like, sponsored out of SIG Security, or in, supported by SIG Security, to do this hackathon thing at the next, I don't know, conference event. I, like, I'm expecting this to be identifying gaps in the space, enabling people to find each other and to work together to achieve security in cloud native environments. But it's, it's not just the technology and the tooling, it's the processes and the culture and the practices that go with it. Yep. And it's the, the, the takeaway from the day is getting all of those people in the room with those questions and those ideas and those concerns, so that everyone can come together in one common location to talk about these things. So, so would it be fair to say that this should be a tool to collect
broader industry experts', you know, viewpoints, as well as suggestions and inputs, to be taken into this SIG Security group and to make something out of it as a recommendation or guideline? I mean, how, how does this relate to this group? That's what I'm getting at. Because it relates to the group because we're providing a resource, as per our first sentence of what the charter is for the group, or the vision, and that we're providing a resource for this area of information exchange and like-minded people getting together to discuss these issues. Now, if we want outputs of this, hold on just one second. Um, I'm sorry, I forget your name. Um, so if we want specific outputs, the open spaces can give us specific outputs, because if we do open spaces, they're supposed to be a scribe in the open spaces, and then we can have notes of that conversation that actually took place in that open space, and have that as an output that could come back to the group. Is that Emily also? Yeah, it was me. Um, I, exactly what Michael said. If there is conversations and open spaces that are going on, this scribe should be recording that, and that could be one of those archived documents or one of those archived discussions that have gone on. And providing a centralized document for best practice, and this is, and doing security in the cloud, is, like, way, way too broad of an area, I think, that, and it's kind of outside of the scope of this SIG, in my opinion, in that we're reviewing the open source projects or the cloud native projects that are coming in, to look at how they're doing security and inform the community in a centralized fashion, this is the way that they're doing things, and here's, here's our recommendations back to this individual projects and efforts about how they could potentially do it better. Because security is, it's not a, like, follow all of these check boxes and you're secure. It's a, do what makes sense in your environment and what your organization is, has a risk tolerance and risk appetite for accomplishing. And
that's one of those cultural and process kind of practice things. So generating a single document as the output of a security day, I don't think is, is within scope of that effort. It's more of providing that opportunity, like Michael said, back to the community to learn from each other and to gain potentially better exposure, do the appropriate kind of networking to find out how other people are doing things and how they can take it back and leverage it within their own environments, make it better, and then contribute back out. I'd second that. That's what I'd like to get out of that sort of thing if I was to attend. Yep, third it. I think that, um, like, I think that the, um, I'd like to still see something that I, like, I, I, that's what I want showing up there. I think it would also be neat to think about whether they're, um, kind of the way that there's a conversation going on about the presentations and use cases that, that frame the, is there some way to frame this such that it is more likely that at the end of the day, whatever artifacts are produced are useful outside of the, from the outside of the people who show up, right? And so, um, I think it might be neat for, um, I think, Emily, you had volunteered to help Michael on, um, kind of framing the, the agenda. I did. Thank you. Um, but yeah, if you could maybe kind of firm up the, the how it's framed, so that, um, so that maybe there would be some, like, at least to be clear what the outputs would be. I mean, maybe this, the day is just for the people who show up, right? But I like the idea that at least some of it would be, the notes or the whatever is produced there would be useful after. And I think, um, like, crisping that up a little bit would, um, you know, I think, make the day more successful. Yeah, and then there's, there's nothing preventing us from recording these, any of the talks or anything like that. Yeah, but I do think it's, like, it's very different if we're recording something that is like this meeting today, right? Which is, like, meh, yeah, you can watch it, but
No, no, I'm talking about presenters. Right. So I think, like, you know, sort of, like, delineating which parts of it are really just hallway track, you know, they're, they're more for the people who are there, right? And which parts of it are things that, it's kind of producing content or resources which could be useful afterwards. And, um, and, you know, like, as you finalize the format. Um, so do you have it? So I have, I kind of have a draft of this change. Um, Michael, I'm, I'm basically, this is dot dot dot. Um, cool. I think it's not, delete everything that I just had written there? No, I, so this is, so I, I'm kind of inclined to send this to you in an email and not committing it, because I, I don't think I deleted, the only word I deleted was discuss. Okay, sorry, I thought you were deleting that whole bullet list. No, I was going to move it to the bottom. Like, so what I did here, I'm going to just email this to you, I'm not going to commit it because it's not done. But, um, like, if we say that this is the proposed format, right, and the goal, so then there's, like, a little checklist about how far we are through it, and you can edit this. Okay. I had an, oh, I had this, uh, issue open for a while, and when I opened the issue, there were no, yeah, I know, this was, I, I totally get it. Um, and if you want to move some of this to a Google Doc or whatever, it's useful, that would be good. Um, but, uh, but yeah, if, you know, we're retroactively conforming to our new process, so that's, it's all good. But I haven't committed this. I'll just send you an email and you can use it or not or whatever. Um, all right, so it's 11 o'clock. Thanks, everybody. I guess we needed a whole session on SIG Security get day. Um, Michael, do you, if you need any other, do you need any other inputs from the group? Or we can also, like, follow up with Slack right after this, or have a quick check-in for the, on the logistics. But it sounds like people are very enthusiastic. I think Michael dropped, because he said he had a call. All right, okay. So, um, and then feel free to chime in on
the logo. I will brainstorm with the person who does the logo. Usually they have ideas about how to kind of converge on decisions that are structured, but right now I think we're, we're ideating on imagery. And, um, and so, uh, so yeah, we'll get some of the notes into the, um, anybody should feel free to chime in now. All right, thanks, everybody, and we'll see y'all next week. Thank you. Thanks, y'all.