2019 NA Cloud Native Security Day (aka SIG-Security day) at Kubecon

[mfdii]

Description: SIG-Security Day at the upcoming Kubecon/CloudNativeCon. The goal of the day is to bring together the broader Cloud Native security community in a community oriented space to discuss and share current challenges (and solutions) in Cloud Native security.

Discuss:

• Practical application of the security tools and features in the Cloud Native ecosystem.
• Role of red teams and blue teams in Cloud Native architectures.
• Practical security policies and procedures in Cloud Native.
• Common attack patterns in Cloud Native.
• Latest vulnerabilities in Cloud Native platforms.

Impact: there's a lot of vendor focused events on Monday, which risks losing focus on open source community, this creates single place where people involved in cloud native security community can gather together in vender-neutral place

Scope: TBD

• SIG Chair: @pragashj
• Team members: @mfdii @TheFoxAtWork

slack channel: #sig-security-events

For more details see: Public Trello board for planning of SIG Security Day

TO DO

• [x] Website: @TheFoxAtWork will generate some content for the Event Website that covers the items in the trello ticket. We'll use the sig-security-events repo as a collection of SIG events moving forward
  • [x] Amye will submit a ticket to get DNS entry for the site name.
  • [x] align with the look and feel of the current co-located events (with Emily Ruf)
• [x] CFP: DONE: Amye provided comments in the CFP form to confirm dates. Amye is working on promoting the CFP.
• [X] Retrospective: doc

Proposed Format

I'd propose that the day be a mix of speakers (invited or selected from CFP), and open spaces. Given the logistical challenges and because this is the first time this day is being offered, the day would be single track.

Time	Content
9:00 - 9:15	Opening remarks
9:15 - 12:15	Presentations
12:15 - 1:15	Lunch
1:15 - 3:15	Open Spaces
3:15 - 3:45	Anchor presentation
3:45 - 4:00	Wrap up comments
4:00 - 5:00	Happy hour

The CNCF has offered to provide financial support for this event and then recover the costs through selling sponsorships. However, the presence or requirement for sponsors shouldn't imped the community focused nature of the event (No badge scanning, No raffels, No gaudy signage, No expectation of a speaking slot, etc).

This is event would be similar to what the Cloud Native storage community did at Kubecon EU 2019.

KubeCon 2019 - NA in San Diego, Tues, Nov 19, 2019 to Thurs, Nov 21, 2019

[mhausenblas]

However, the presence or requirement for sponsors shouldn't imped the community focused nature of the event (No badge scanning, No raffels, No gaudy signage, No expectation of a speaking slot, etc).

+1

Also, we need a PC. I volunteer to help reviewing and putting together a program .

[mfdii]

Yes, we do need a program committee (PC) and probably a few other roles.

I'm happy to handle the event logistics regarding securing space, sponsors (if needed), food and beverage, etc.

[mhausenblas]

Awesome. As mentioned above, I can contribute to the PC or, if no one else wants to, even chair it. 12+ years in academia have prepared me for everything, LOL

[karthequian]

+1 on this effort @mfdii. I'm happy to help with this because I think you're thinking a similar model to devopsdays and I help run devopsdays austin. Probably need to figure out all our roles- get a papercall or something in place for a CFP, get a 👍 on agenda as you've posted, logistics, etc.

[pbnj]

This is an awesome idea. I would love to help out here as well.

[hannibalhuang]

the problem is that we already had two cloud native security related co-loacated events for KubeCon EU, if we add another one people will be confused

[mfdii]

@hannibalhuang Yes, there was a Twistlock workshop and a "Kubesec Enterprise Summit". Both a vendor driven events, paid for and supported by the vendors. They are not community focused events, open to everyone.

We are trying to create an alternative to these vendor events that is more in line with the charter of the CNCF and sig-security (promoting community and open source).

[TheMoxieFox]

@mfdii I tagged you in slack with a few items to add to the agenda, where are we posting the draft agenda?

[hannibalhuang]

@hannibalhuang Yes, there was a Twistlock workshop and a "Kubesec Enterprise Summit". Both a vendor driven events, paid for and supported by the vendors. They are not community focused events, open to everyone.

We are trying to create an alternative to these vendor events that is more in line with the charter of the CNCF and sig-security (promoting community and open source).

But the content are mostly open source focused, it is just sponsored by vendors which the proposal will also count on. It is not a bad thing that there are companies sponsoring these events.

Therefore content wise, i'm still a bit struggling what the proposal offers would differ from existing ones. It would be nice to combine event tho, say we just have one cloud native security-policy day, with companies like twistlock, aqua security or others sponsoring and help with logistics. Sponsors could have some lightening talks in the morning, and we have unconference type of work session in the afternoon

CFP I would suggest we utilize github issue, it will be more transparent if people just submit a issue and got reviewed in the open, instead of a committee. Final decision could be decided on the sig conf call with consensus.

[TheFoxAtWork]

@mfdii For the agenda perhaps doing 4 break outs with fewer key notes in the morning? An offense/defense panel/game - simple cloud native web app for a online store. Offense decides the attack, defense counters, discussion ensues.

[TheMoxieFox]

Current rough framework for security day (please comment)

1hr welcome reception/networking (table tents covering security concerns so similar minds can meld)

Welcome 10 mins 4-5 keynotes with 1 break in between

• 25 min each

Lunch break

Breakouts: 2-3 tracks?

• Offense: hacking cloud native
• Defense: securing cloud native
• Culture: managing culture shift in security and towards security

3-4 sessions per breakout?

Closing keynote/ lightning talks?

[ultrasaurus]

thanks for writing this up @TheFoxAtWork !

For afternoon breakouts, I like the idea of doing full-on open space -- we could suggest these themes, but also allow anyone to propose session that they want to lead.

Love the idea of evening lightning talks. Maybe 1 keynote + panel in the morning? (personally prefer more time for small group stuff)

[solrac901]

Please let me know when the CFP site its ready some of the guys that are working on stacks are interested on submit their contribution.

[mfdii]

@TheFoxAtWork @ultrasaurus updated the issue to follow the proposal format. Also I added in a sample program format. I would like to do tracks but I don't think we will have the space. If we do open spaces, I'd recommend we have a strong closing presentation after the keynotes to keep people around. It's been my experience that attendee attrition can be high when doing open spaces.

[TheFoxAtWork]

@mfdii love the new format. I think we should go with this. I definitely love the open spaces - providing topic pre-placement can help get people thinking about other topics to propose/sign up for. having one or two can drive a "track" mentality and cover both bases. No matter what - a strong closing presentation (or two) should definitely happen.

Also a moderator for the largest open space topics? I worry about 40 people signing up for the same topic and one person crashing the whole thing - or worse a sales vendor capitalizing on an unsuspecting group b/c they had a click bait title

[ultrasaurus]

FYI -- here's the notes I took in the meeting where we discussed some potential edits to the description to address what we're doing here. Below is unfinished. I remember people wanting to clarify expectations of what outcomes were expected (e.g. is it just community-building, knowledge-sharing for the people who show up? or is there an additional goal that there would be some output which would move the larger mission forward in some way)

Description: SIG-Security Day at the upcoming Kubecon/CloudNativeCon. The goal of the day is to bring together the broader Cloud Native security community in a community oriented space to....

discuss:

• Practical application of the security tools and features in the Cloud Native ecosystem.
• Role of red teams and blue teams in Cloud Native architectures.
• Practical security policies and procedures in Cloud Native.
• Common attack patterns in Cloud Native.
• Latest vulnerabilities in Cloud Native platforms.

Impact: there's a lot of vendor focused events on Monday, which risks losing focus on open source community, this creates single place where people involved in cloud native security community can gather together in vender-neutral place

Scope:

TO DO

• [ ] SIG Representative
• [ ] Project leader(s)
• [ ] Goal
• [ ] Format

Proposed Format

I'd propose that the day be a mix of speakers (invited or selected from CFP), and open spaces. Given the logistical challenges and because this is the first time this day is being offered, the day would be single track.

Depending on the cost the CNCF is required to pass on to the sig-security group for event space, sponsors may be required. However, the presence or requirement for sponsors shouldn't imped the community focused nature of the event (No badge scanning, No raffels, No gaudy signage, No expectation of a speaking slot, etc).

This is similar to what the Cloud Native storage community did at Kubecon EU 2019.

KubeCon 2019 - NA in San Diego, Tues, Nov 19, 2019 to Thurs, Nov 21, 2019

[mfdii]

@ultrasaurus I took what you sent me and edited the original issue to match the proposal format. What do you feel is still missing? The take-aways?

[ultrasaurus]

@mfdii oops -- didn't see that you did update the format. Thank you! the remaining thing is really this point...

"I remember people wanting to clarify expectations of what outcomes were expected (e.g. is it just community-building, knowledge-sharing for the people who show up? or is there an additional goal that there would be some output which would move the larger mission forward in some way"

[TheMoxieFox]

Notes from 03 JULY 2019 Security Day event planning/meeting: Attendees: @ultrasaurus, Emily Ruf, @Amye, Jennifer Posphishek, @TheFoxAtWork , @pragashj

tl;dr - So what we're planning: Next week we'll learn more about unconference. We'll be sourcing for presenters/panelists. JJ prefers one or the other. Formal or Informal.

Sarah Allen (@ultrasaurus ), co-chair of SIG-Security: the "glue" handing off the torch to one of the other co-chairs (JJ) Chair of the project is to make sure no blockers, and lets things run smoothly, keeps it moving forward. Delegate to the project lead(s) (@mfdii @TheFoxAtWork )

Jennifer runs events marketing for Sysdig, wants activities around KubeCon that are good for the community. Not about Sysdig, but about the community. Runs all Sysdig tradeshows and hosted events. Happy to support!

Amye CNCF program manager

Emily Ruf managing registration, A/V, sponsorships, etc.

Emily Fox, project co-lead

JJ, started SAFE turned into SIG-Security very excited for a neutral way to talk about cloud security, getting everyone talking about cloud native security. Happy to help out in any formal capacity.

CNCF doesnt have much of a structure for this so Amye jumped on it as a SIG thing, CNCF managing finances etc.

• Decisions framework/ division of labor? Emily Ruf - Standard: CNCF paying and hosting as a co-located event. Pick size 100-200 assigned a room, anything outside of that needs budgeted for. Emily will put together a budget, includes all day beverages, anything else is additional cost and will need sponsorships. Lunch sponsorship etc.
• Co-located event or un-conference? Onsite is only one option - liability covers the convention center. Emily Ruf is going to look at options for layout/seating for creative engagement. Potential leverage a lounge sponsor?

What JJ's hopes and dreams are: open collaboration and use cases about cloud native security accomplishments and roadblocks. Multi-objective and multi-constrained problem space spanning many areas. Pretty much everything falls into security, from identity management, to storage solutions. Get people connected that are passionate about this. Source vendor neutral folks.

Question about the open space. many of them have multiple time slots. concern about people getting a chance to do many things. trying to ensure content isnt random, all presenters or discussions are from there.

Consideration for lunch hack discussions in addition to the open spaces. Open to considering more informal presentations. people have experience with problems, talk about them to share that information with everyone. we want to ensure there isnt any pressure for someone to talk.

Share the CFP process - formal/curated talks and informal talks and lighting talks are all on the table. If we are doing a CFP process, CNCF has a tool online. schedules announced around mid august. we expect more people to sign up earlier this yr. then we'd receive the spreadsheet or log into the system to go through and perform the reviews.

Is there a framework or recommendation for performing reviews? 5-6 people reviewing is plenty, usually about 1-2 calls to layout the agenda. type of session they want to apply for.

JJ: less worries about filling the time slot, worst we can do is be halfway there.

How rigid do we want this to be? Sourcing non-vendor stories. War story sharing, epic, well done. the experience of security in the cloud.

Formal morning means setting the tone for the day "birds of a feather" area (open space). Promotion of the event for what they will get out of the event with primary topics. To meet expectation for August, for consideration in Agenda, outline of what they will learn, what they will get for the day, etc. Rough schedule registration and grading, etc.

Sarah is going to have time next week set up for explaination of IIW/unconference. How do we communicate this out to everyone? get people a feel for the kind of people that would be there.

Having people well known that are involved somehow will get people to show up more.

[ficcaglia]

more real world case studies is my hope. let me know if you are willing to discuss yours and I'll volunteer to organize a round table type prez if there is interest. maybe followed by a "ask the operator" session where those who are looking for answers can ask specific questions of the "panel"?

[solrac901]

+1

El sáb., 13 de julio de 2019 8:00 a. m., ficcaglia notifications@github.com escribió:

more real world case studies is my hope. let me know if you are willing to discuss yours and I'll volunteer to organize a round table type prez if there is interest. maybe followed by a "ask the operator" session where those who are looking for answers can ask specific questions of the "panel"?

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/cncf/sig-security/issues/209?email_source=notifications&email_token=ADZIQHW2QCY5XD3HBY2V37TP7HGYTA5CNFSM4HZLEJDKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODZ3RILA#issuecomment-511120428, or mute the thread https://github.com/notifications/unsubscribe-auth/ADZIQHSYBCIFBIFJAONJCM3P7HGYTANCNFSM4HZLEJDA .

[garethr]

Just started joining the SIG and think this sounds like a great idea. Happy to help in any way.

[TheMoxieFox]

I havent seen any posts about a preference or decision on whether we do a unconference style or a more formal layout of the day. I'll bring this up on the call today, given the limitations of the space available to us i am leaning towards a CFP and next year we can spend more time exploring the unconference style.

[ultrasaurus]

Room can be set up as classroom, rounds or theater. "We have a room on hold that can accommodate 200 in classroom." If the group wanted unconference style, we could limit to 100 people and set up with round tables for discussions.

[mfdii]

Notes July 31st meeting:

• Everyone is agreed on proposed format as is in the issue description.
• Frame Roles & Responsibilities
  • Outcome: since project is small, tasks are better than R&R. Ducy and Emily both contacts for questions. JJ helps with bias issues. Sarah needs visibility into work, and accountability up.
  • Action: Create trello board to track tasks (Ducy).
• Frame Milestones for Event
  • Need to understand dates and requirements of what needs completed by when (Trello will help)
  • CFP Deadline (Using CNCF suggested time line)
• Other requirements:
  • Tools to execute the day (Track in trello)
  • Website
    • Emily to tell Emily Ruf we need a event website
    • Open Spaces explanation on website
    • Open Spaces explanation in attendee emails
• Define take aways, outcomes of the day
  • Each open space will have a scribe
  • Need to discuss recording of any talks
• Need regular status checks with SIG Chairs.
  • Weekly on Sig-Security main call, 5 minute status update on event.

[dankohn]

SIG-Security should use whatever tools it wants, but could I please give a quick pitch to create a second GitHub project board https://github.com/cncf/sig-security/projects/1 instead of Trello. It works really well and is very convenient to have all of the data in one place.

[TheFoxAtWork]

Update:

• Public Trello board for planning of SIG Security Day
• Website: @TheFoxAtWork will generate some content for the Event Website that covers the items in the trello ticket. Amye will submit a ticket to get us a better DNS entry for the site name.
• CFP: DONE: Amye provided comments in the CFP form to confirm dates DONE (due today). Amye is working on promoting the CFP.

[amye]

Update: Working with Emily Ruf on an event website so that it aligns with the look and feel of the current co-located events; we'll use the sig-security-events repo as a collection of SIG events moving forward

[ultrasaurus]

thanks @amye and @TheFoxAtWork -- updated description at top so folks can easily reference trello board and see progress!

/cc @mfdii @pragashj

[mfdii]

Schedule is live.