From YouTube: CHAOSS.Risk.April.27.2020
Ok, giving anyone in this business, so we can notice, is not enough time. So remind me, Kate, what we were going to talk to Dave about. I think it's the static analysis, dynamic analysis tool set.
Just to clarify them out, I'm not sure what you mean by going after risk, cuz like Timmy's, N and Zephyr are projects that are developing things, developing software, but the space is kind of, the context that these projects work in is a risk-related context. So that's just where these projects work, but something like SPDX...
Got one of the variables, or the variables we would want to consider for risk. Yeah, and it's evolving to have more variables we'll be wanting to consider for risk measured from it. So, for instance, pedigree, provenance information, i.e. where the code is flown from, who's created it, what process is reused in the creation and so forth. All of those are things that might influence your decision as to whether or not you want to use it. So in some senses risk is: you know what you know? What do we want to be?
Can I ask a process question to you, Kate? So we have, we have OpenChain, right, and Toyota is a member. As an example, Toyota is a member of OpenChain. We have Automotive Grade Linux.
Toyota is also a member of a lot of next. So what, so, from a kind of a process perspective, when, as an example, an organization is thinking about risk and they have membership in a variety of these different kinds of risk projects or risk-related projects, how does that, how does that work? So, like, does an organization contribute to OpenChain hoping to see the way that work is specified, kind of, in the OpenChain space? Do they hope to see that work deployed in an Automotive Grade Linux? I'm...
For instance, Toyota was one of the founders of ELISA, safety-critical. They were also, you know, a very strong, you know, participant in Automotive Grade Linux. Yeah, as part of the Automotive Grade Linux stuff they were doing a fair amount of work, you know, helping to promote OpenChain, and they also promoted OpenChain into ELISA. Okay.
That's not how I read it. Okay, and so, you know, between SPDX and OpenChain and between ACT, right, automation of compliance tooling stuff that's emerging, you know, how do we get all of these tools to interact and communicate effectively? Well, that's kind of where some of these, you know, standards like OpenChain and SPDX come in. Okay.
You know, yeah, there's certainly various levels of engagement in various projects, depending on who the participants are. It's all people at the end of the day. You know, it's people in management objectives and, you know, is there a KPI associated with something, and that someone saw someone's motivation? Make things happen.
I'm also, like, when I see the SPDX, OpenChain, ELISA's, I'd, SPDX twice, their integration, I... that's sort of the, that's something to think about as we develop metrics. And yeah.
What's effectively going to go into the base, I want to say, is: has it been tampered with, right? And there's an element of integrity checking that needs to come into play. I think that's likely to be the base, and then from that, what we'll probably end up doing is building up from there in terms of, okay, well, the automotive manufacturers, for instance, and people who are doing safety, are going to need to know who did the builds.
Where SPDX right now is, excuse me, I'm trying to sneeze, it's really an enumeration of the things that are in a package or set of packages, and it sounds like the processes that go along to assemble a package or set of packages are, this is, that's the significant add to the 3.0 version of the specification. Am I getting that right?
For instance, we still don't have a good safety story sitting there, right? That's another dimension about, not safety, sorry, security story. S words, Monday morning. The security: you know, what vulnerabilities do you know about at a point in time? There's a risk story, yeah: is it safe for me to deploy this or not? What follow are known, and, you know, from my understanding of talking to people over the last couple of years...
There is an insurance industry that cares about this sort of thing, and so, when people decide to deploy something, they may or may not get insurance, and they need to know the state of something, and so being able to articulate it. Oh well, right now we have, like, CPEs. We can go query the database, okay, you know, at what points, but we've got no way of recording what was known at a point in time, right? So adding that dimension.
Can I make a comment here? So, it would probably, try to think of how, what you think the best approach is in terms of trying to gain understanding from this variety of communities. So I think I can jump on SPDX pretty quickly and get my bearings pretty fast on what's going on, since I, I, I've had some familiarity with it, and it sounds like it's kind of getting a reading.
You mean, yeah, and I think having, so we're probably gonna be forming some workgroups in these areas on the SPDX exercise to him. You know, that's, I want to close this one, and I want to, quite frankly, get some of the talk with, like, the reproducible builds and the compiler folk, and get that side of it going, so that we can get an accurate articulation, a fairly good agreement on: these are the fields we will try to get build things to create. So the evidence is there.