From YouTube: TAG Security General Weekly meeting
A: Yay, it worked today, nice. I trusted it a cup. One hour ago it almost looked like there is a Zoom-YouTube connectivity issue where, basically, if you already connected Zoom with YouTube, you have to remove that first and then try to connect again, and that seemed to have worked today. So we are back on the YouTube live stream, which is great. I'll start sharing the agenda notes. Please add yourself in the attendance box right here: oops, okay, right here.

A: Nice. I don't know if people have noticed this, we can see the Zoom chat from the last meeting in this meeting. Also, it's kind of an infinite chat history now, it looks like, on Zoom, which is nice because it used to be ephemeral before. I don't know if it's just me, because I'm admin I can see it, or everybody else can.

A: Interesting. Okay, nice, all right, cool, I learned something new. Anyone new who would like to introduce themselves while we are getting started?
C: Yeah, hey, my name is Ryan. I'm a little new to the CNCF TAG, just trying to get involved with more open source activity. I currently work at Apple, one of the lead engineers here in Lincoln, observability side, kind of crossing the bridge into the security board. So just happy to be here.

A: Well, welcome Brian. I'm one of the co-chairs for Security TAG. We have some other usual members in the meeting as well. This is, like you said, a great place to get familiar with all things cloud native security.
A
We
typically
have
different
types
of
meetings,
check-in
presentations
working
sessions,
so
this
one
is
a
check-in
meeting
where
we
check
in
with
other
groups
that
work
on
different
things,
and
then
we
have
a
agenda
item
where
one
of
the
groups
actually
created
a
draft
document
that
we
wanted
to
do
sort
of
live
review
with
everyone.
So
we
don't
have
to
you
know
be
with
people
being
everyone,
including
me
being
so
busy.
A
C
A
Thank
you
all
right
cool,
so
I'll
share
the
screen.
Now,
hopefully
you
have
the
link
to
this.
If
not,
I
can
share
again
just
put
my
name
in
the
chat
and
I'll.
Look
at
your
ping.
We
we
definitely
need
scribes
as
usual.
Scribe
is
basically
anyone
who
wants
to
take
notes
for
the
meeting
and
we
have
a
general
list
of
topics
in
the
agenda
where
people
can
jump
in
share
the
summary
of
it.
B: I have a question, because in my case I come and go to these meetings, not so often, because I have difficulties finding time, and I know there was a project for mapping security compliance frameworks and standards to different security tools, or something like that, but I'm unable to locate the link to the information about it. Maybe I'm not looking in the right place. If anybody can help me with that and share.
A: Yeah, I think that's the controls catalog, and I think I can share that with you, but I forgot an important reminder for me as a facilitator, so I'll just do that quickly. This is a reminder: this meeting is being recorded and streaming on YouTube already. Your participation in meetings is in agreement, or in part, with the Cloud Native Security code of conduct, which can be found in the repo. We already talked about scribes, and we ask for existing members and working group reps.

B: Because it's related to another project we are working on in the Phoenix Foundation that is starting, and I also have a friend at OWASP that is also interested; he will join these meetings because I told him about this initiative and they are looking into a similar thing. So maybe we will, you know, join efforts.

A: Looks like there are different phases of the controls catalog project in general, so there is.
A: All right, cool, no worries. So going back to the agenda, any updates from last time's EMEA meeting? We did not have the earlier meeting in the day today because we alternate every other week. So probably no updates today. No new updates from last time on the TOC meeting. Any project updates people would like to share?
D: That probably should, yeah. Okay, so KubeEdge is interested in participating in an assessment. They've done a bunch of work ahead of time and are kind of ready to go. So if anyone is interested in participating in that, please go ahead and sign up on the issue. I was just poking around right now, let's see what I have on my clipboard, if this is it, yep? Okay, so here's the issue.

D: If you want to go and add yourself to it and participate, but they've already done a lot of the work, and we should be able to move pretty quickly to actually doing the assessment.

D: I am also open, if there's someone who's participated in assessments before who wants to lead this assessment, I am perfectly fine not doing it. I led the last two assessments we did. I shouldn't lead all of them, so, you know, if someone else who has experience is interested, then please also reach out.
A: Okay, great. If folks have any more interest, like always, reach out on Slack. I think Justin already has a Slack thread created for this on the channel, so feel free to use that. This is a great opportunity for anyone who loves threat modeling, assessing projects from a security perspective. So take a look and hit us up if you're interested. Anything else from any other projects?

A: All right, good. So I did want to, so this is going to be a shorter meeting than usual, because generally check-in meetings are short. John did share this last week and I know we're looking for feedback on this. So one of my suggestions, unless people have other topics that they would like to discuss, so if you do, let me see if there is something mentioned here.
A: We haven't covered. Okay, cool, so yeah, assuming, if you have a topic in mind, feel free to raise your hand or ping or shout out in the meeting, but otherwise one of the things I wanted to spend time on with everyone is looking at this draft, and maybe John, if you can share a bit about this in terms of some context for folks who will read it, and after that, the way I wanted to see if we could do it is all of us basically turn off our cameras.

A: Read this for 15 minutes or so, I think it's like three, four pages long, and then add your comments there, and after we're done, we come back, look through all the comments, we discuss it together as a group, and then hopefully that makes the document better. So yeah, with that, John, any context that you can share that might be helpful before we start reviewing this?
E: Yeah, so I think the context that's useful is looking back at some of the previous work the supply chain working group had done. There was the best practices guide and the software factory paper. They really represented ideal states of supply chain security, and we all know it's much harder to get to that ideal state from where we are today, and one of the things that we've heard kind of continually from people, not necessarily in the security space, is an oversimplification of the problems with supply chain security.

E: There would never be false positives, those types of things. So we wanted to create a higher level document for executives to better understand why they should be funding supply chain security, that it's going to take time and effort and energy to fix this, and probably more than they expect. So that's kind of the high level intent. We tried to keep it really brief and short, given the executive level target, at the same time.

E: Kind of the expectation is to try and hook the executive enough in the first paragraph or so that they send it off to their architects or their security people or somebody else to read this, and then maybe take a look at some of the other reference documents. So yeah.
A: I think that makes sense. I think short is the key here, with the time executives will have, and I'm already liking the fact that we have references at the end of the document for folks to go deeper if needed. So.

A: Yes, yes, I'll share it on the YouTube chat one more time. It's also on Slack if folks want to pick it up from there.

A: All right, cool, so I'll stop sharing. Hopefully everyone has the link. Let me know if you don't. It's 10:15 right now. How about we look at the document, add comments there, suggestions of course also welcome, and let's come back here at 10:30. You can all be in the meeting, but mute yourself, stop your video if you like, and then I'll come back at 10:30, ask folks one more time, and if not, we can continue describing it. All right, cool, okay, so.
A: You have a question? We are doing a silent read, so that's why we are all quiet in the meeting, but I can fill you in if you joined a bit late. Yes, all right, cool. Are you new to the group, by the way, by any chance? Sorry if I've not seen you before. Yeah, yeah.

A: Oh perfect, all right, so yeah, welcome. This is our meeting, where we have three types of meetings. Generally it's presentations, working sessions and check-ins. I'm one of the co-chairs, and we have another one who is based in Europe. Today we did a quick check-in about five minutes back, and we have a document that we are doing a silent read of, which we will come back from in 10 minutes, and if you are interested, you are welcome to take a look at that as well.

A: Add the suggestions and comments you have. We have 10 minutes more to go for folks to share more, and also a quick heads up: this meeting is recorded and live streamed on YouTube.
A: Okay, we got five minutes more. I see a note from John: thanks all for the great feedback, I have to drop for another call, but we'll go through comments tomorrow during the supply chain working group meeting. Okay, cool. So let's give everyone four or five minutes more, and then we can come back on this.

A: All right, it's 10:40, let's come back! If you haven't already, do we have anyone apart from John who had a major role to play in the document, that could represent John and others? Yeah, I mean I can at least take notes back to the group tomorrow. So, okay, perfect, yeah? That would be fantastic, and we'll have the recording, so folks who want to share your feedback on the document but cannot join the next meeting, use this meeting for the remaining 18 minutes.
D: One general comment also is, I think it kind of badly needs, like, an edit pass, because I think a lot of the problems in the document are just writing based, and then, after that, more of the sort of technical issues I think will come through. But just like any of the, I don't know, like, I have a hard time sometimes seeing the forest through the trees when the trees are a little messed up.

D: Could be improved, so that's just my general feedback to the group.

A: Yeah, yeah, I agree, and exactly like what Justin is doing, any high level feedback everyone has, let's start with that, and as time permits we can look at the comments sequentially.
B: Yeah, I would also like to add that it's difficult not to try to put more and more security concerns here, so it becomes like everything about security, because, you know, supply chain is also everything about how software is built, and it's mostly everything about security. So just bear in mind where your boundaries are for what you are defining and what you are not defining as supply chain security. But I don't have a specific, you know, thing that I would say this is bad or this is not there.

B: I have placed comments in the document, but just a generic idea that I have in mind: where do you want to stop for the recommendations? And also about what Justin just said, maybe it's worth, after that edit, I agree with him that it should be thought about.
A: Yeah, yeah, I think that makes sense. So somebody is, we need to make the scope concrete, so we know where the boundaries are. The editing on the language and the legibility of the document would be great, and the purpose of the document, if it is even more clear, would be good. And the last one was, do we want to assume how much the people who are reading this know about supply chain security? Did I cover most of it?

A: All right, cool. I think, in my review, I feel.

A: If the document can convince an executive to sponsor a supply chain initiative in their organization, I think that will serve the best purpose of the document, whereas many times it's harder for engineers to convince. We are sometimes not great at sharing the value of what we are doing, because, inherently, intuitively, because we are so deep in some things, it makes a lot of sense, but for somebody at an executive level it is difficult.

A: So I think that, I feel, would be a great outcome, and if we can strive towards that, which this document is doing, but if we could do more of that, I think that would be helpful.
B: I think that's an excellent, you know, objective for the document, and maybe it's worth having like a previous page explaining, like, the general explanation about this document, yeah, with the intended audience, and that thing you just said, I think it's perfect. It's like, for example, at that level, to explain to them what should be done in a very succinct manner, and also the benefits and the problems they will face if they don't.

B: If they don't do this, and maybe, over the products, for example, they have, there are good mentions there, but the security part is done like a bullet point list way. Maybe the promise can also be done like that, like bullet points of things that can happen, like there is mention of the executive order here, this is a requirement, also the mean time to solve, and the loss of opportunity for software not working the way it is expected.
A: Yeah, yeah, I agree. I think bullets of the risk of not doing this or not investing in this would be definitely helpful, I agree. Any other thoughts from folks who haven't spoken so far?
C: Yeah, I think the big thing for us here at Apple, right, we generate SBOMs and things of that nature today, but what action is being done on them after the fact, you know? So I think one of my comments was like, how do you solve this? Maybe getting more metrics or insights around the SBOM, not at time of generation, but continuously as well.

C: Right, I don't know how many times we ship things to production and then forget about them, four years later, and it was a really good thought here from Emily Fox, when she was here before she left to Red Hat, surrounding, like, you know, as we push containers to a Kubernetes environment, and you know we tend to forget about them over time, whether they're just that good of services, or we just, you know, they're just part of the critical path. We don't rotate them that much.

C: How do we provide that level of view on running containers as well? So like, how do you look at your SBOMs, and how do you continuously track the work that's already running as well, and not so much at CI/CD, right? We all believe that we can rotate and do deployments every day, multiple times a day, but in reality, especially with, you know, monolithic applications.

C: It doesn't work the way that we anticipated it to. So I think it would be really cool to add some level of support, or like something saying to an executive like, hey, we're not just going to be doing this at a CI/CD layer. How do we also shift it to when it's already running in production and it's stable, but we need to go back and track it? So I think that's where some of my thoughts are coming from, but yeah.
B: Yeah, I agree, and I made the same comment in one of the comments I made, for checking during runtime, because, you know, the databases change whenever, and if you just trust the scan you did when you built an asset, you are not seeing if there is any new discovery on it. And also having some kind, not explaining too much, because it's a whole different topic, but mention at least runtime security as a way of checking for deviations from the SBOM if they happen, but obviously that's a whole chapter.
A: Let's also make sure we are focusing on what is actually running in production, and as long as we look at that as a subset of all the software bills of materials that we have generated with CI/CD and focus on that, I think that would be like maybe priority number one, and if you can secure that a bit earlier than everything else, that makes it a compelling use case, in terms of, like, if executives are not sure, they can say, okay, phase.
B: Yeah, I think you're right, and also, this again can be its own document, but potentially, obviously, as you are saying, because you are saying what's the use of an SBOM after it's been done, and obviously we should check for vulnerabilities, we should check for everything that is there, but we have to establish what is the policy of what we will accept. Are we going to accept an asset that has a critical vulnerability?

B: In it? Obviously not, but maybe high, you may have said, or if there have, the, you know, the score vector in the CVE, if it's something that will not be accessible by the internet or there's mitigation. So if there is no known fix, there is a whole way of setting what is acceptable or not. Yeah, at least mention that you have to decide a policy of what you will accept, investment, and then apply that verification each time you are faced with an exponent or updating, what's the situation with them, whatever it is.
A: Okay, cool. Any other things? Just going through the comments quickly.

B: I would just say that any document you share with people for feedback is going to be full of comments. So yeah, people just should, you know, be patient, and, you know, all the comments are done in the face of improving and then doing something better, because it's not.
F: I brought up a, excuse me, I brought up an issue, but I don't know how the community feels about it. My feeling is that one solution never fits well with everything or everybody, and security is no exception, so everything has a cost attached to it, and for certain applications.

F: Let's say free news or free opinion blogs, and things like that that people publish, how critical is it that your software has to be as rigorous as, for example, the software that might be used, just for the sake of example, on a very precise equipment?

F: It probably is not, and that's why the supply chain, though it needs to be improved continuously, and there should be a basic platform that that much made, but I think the degree of how far you go in terms of spending money in making that as rigorous as the critical-applications type of software that you might be using is probably overkill, and in those cases people do have to make some judgmental decision as to what's right for their particular application. So in reality, I think we might see.
A: Yeah, I see. So, like, if I try to summarize and understand what you said, the tech stack can be really deep, like we can go all the way to hardware processors and all the way, also on the other side too, to the web server that we are running our front end on. So how? Where do we focus? How deep do we go is really a good discussion to have with all the leaders in your engineering work, figuring out?
F: Right, especially from a company's product perspective. If your product is, as I said, you know, as nebulous as probably just publishing people's opinions, how critical is it that an opinion might be tampered with a little bit? And it doesn't, I mean, obviously nobody wants to see anything, but I think it's not the same degree as probably a precise equipment, say medical equipment that you're manufacturing. Yeah.
B: It's not, it's not as fast, but maybe include at the beginning something about a risk assessment, about how deep you want to go for the kind of systems you are analyzing, because this document strives for the best practices that you can put with full-fledged, past this, and maybe, if your resistance is not high, you don't need so much. Yeah.
A: Right, noise, yeah. So Slack is open 24/7 if folks want to discuss this more. Please add your comments in the doc or reach out to folks on Slack. Thank you for doing this with me and the rest of the crew. I'm sure the working group appreciates all the feedback, and the whole intent of all of us meeting is how can we make the things that we produce better quality and useful for the community? So that's what we did. I'm happy for it and thankful for it.

A: Your contributions, so until next time, hope you have a good rest of the day and rest of the week, and see you next week. Thanks.