Thanks, this is a discussion point for the TOC but I think the reality will be a roll out in 2021 at some level. Also thank you Arun for pushing me to get this done in time for kubecon :) Please

Should we make it mandatory (which I think is a good idea), it would be useful to cross reference kubernetes who took the same approach for all leaders (I did the course as part of product security).

Chris, I just completed the course and it's extremely valuable. As already mentioned and noted for next TOC agenda, this should be a must for all leadership positions in CNCF. It took me > 1 hour to

Same! We would love a presentation! Shubhra please add itself to the agenda for an upcoming meeting in December. The Security SIG group meets every Wednesday at 10:00am PT (USA Pacific) Meeting

Add me as well. I am one of the maintainers on bandit (python ast based security linter) which hits around 25k downloads a day, so I have a fair amount of experience in what works / does not work well

Same, I'd be interested. ~Dave -- ~Dave

I would be interested in that. Justin

If this group is interested, my team would love to present the capabilities and limitations alike of the LFX security tool project. We are working on items like creating a SBOM policy management,

+1

This is a great initiative that also sends a message that security is part of the core functionality. Few suggestions: If we can ensure CNCF projects follow Container Image authoring best practices,

I'd be happy to join and help here. HUGE DISCLAIMER. I work at Snyk, which is the service powering the scans. I'm also a maintainer of Conftest as part of the Open Policy Agent project and know a

Liz, this is great! Having vulnerability scanning is a good thing, but looking into the results might be too many false positives (as you pointed out) and noise. In my experience, reviewing such a

This is awesome ! Well done folks ...

Buildpacks has been approved to move to incubation. (https://lists.cncf.io/g/cncf-toc/message/5385) +1 Binding 9/11 Justin Cormack: https://lists.cncf.io/g/cncf-toc/message/5392 Sheng Liang:

Thanks to everyone who worked so hard on this. Congratulations on shipping it, it will be very helpful. Justin

The CNCF Security SIG did an excellent job putting together a white paper around cloud native security:

Let's put it as a discussion item for the next meeting and consider rolling it out in 2021 +Amye Scavarda Perrin -- Chris Aniszczyk (@cra)

" Should we have something in place for requiring projects to have a process to fix vulnerability issues (at least the serious ones)?" We have a graduation requirement around CII badging which

Liz, Love this. As part of the assessments SIG-Security performs, we've begun highlighting the importance of secure development practices. The last few assessments we've begun pushing more for

Hi TOC and SIG Security folks On Friday I got a nice preview from Shubhra Kar and his team at the LF about some tools they are building to provide insights and stats for LF (and therefore CNCF)