From YouTube: Secure Group Conversation (Public Livestream)
A
Already I see it's time to start, so I am your host this morning. If I haven't had a chance to meet you, my name is Thomas Wood, I'm an engineering manager in Secure stage, so happy Wednesday. So the slides and agenda are available within the meeting invite, and so I'll let everyone read the slides and I'm gonna go ahead and start answering a few of these questions that have come in before we started, so and so I'm.
A
Seeing that I need to go ahead and vocalize or verbalize the first one: so in slide 8, community contribution has been low. Do other groups solicit contributions? Is there anything marketing can do here? The answer to this, I think, and I will be happy if others have any insights on this as well, is that the license which Secure stage features are aimed at is the Ultimate license, which means that we have a lower usage than in most other stages or all other stages.
A
A
A
Right, thank you, Jenny. I'll continue reading for Cindy, since I'm going to assume that everything that she's asked in advance needs to be vocalized. GitLab's iterative nature expects course corrections. Have we course-corrected for Secure capabilities based on customer feedback?
A
I'll give my perspective and I'll let others add in as well. My perspective is we already have started course corrections, and that is evidenced based off of the number of customer initiatives that have been prioritized quite highly over the past couple of releases. And so I would expect this correction, as we take iterative steps, I would expect it to continue. And so I would say this process is started and is continuing, at least, well, that's where I stayed from a prioritization standpoint.
B
Yeah, and I'll add that, you know, I think we've certainly seen, as more and more customers have been using our Secure capabilities that were, you know, previously in minimal state, that we needed to make sure we got them to what we call viable in our category maturity state more quickly than maybe we had anticipated. I mean, we have definitely course-corrected.
B
A
B
And I first didn't crack it, but I think Cindy is saying: should we highlight what features in our product are being dogfooded versus not? I think that's a great addition. Certainly in the product organization, we have a high emphasis and put a high priority on dogfooding and the value of an internal user of our features. So yeah, I can be happy to take the action to propose an MR. We have a section in the product handbook that at least says from a product perspective.
C
D
Yeah, the first one is just a reminder, and it's very hard: the Community Edition is not a tier and it's not a license. So if you talk about moving things down in the TOC, we should go into Community Edition, talk about it as they should be open source, or they should go in our core plan or corner feed plan or unpaid plan or available for non-subscribers. There's a lot of things you can use, but don't use distribution, because a lot of people using EE are under the core license or the core fund.
D
They don't have a license. They are all the core plan, and we gotta make sure that we distinguish those two things. And then the question was what's Secure features reveal the source. We have in our stewardship promises that every single part of our scope, of the stages we have in GitLab, we have features that are open source. I notice that's not the case for Secure, and I wonder what we're gonna do.
B
Yes, I know Philippe verbose, but I don't know who wrote that initial one about merge requests and keep was, I think that was you said, but that is how I think about it. You know, we are pretty crisp on exactly how we should think about what tier or edition, or whether open source, or to put them in tiers based on buyer persona or not barb Senate user tier, like more executive who would want a dashboard should be in higher tiers, I think.
E
Yes, especially, it's a discussion that we had with Mark, and we don't know if Mark is with us today. So we discussed that during Contribute, and that was a great discussion. I think that's really personal, but I think there is not much value in the scanners and the analyzers. The value that GitLab will provide to our customers is mostly in the workflow that we are going to create and enable the large customers to have: policies, reports, remediation, all the way I can things, but the basic reports, it should be open source.
E
D
But I think that missing out on contributions from the community, well, this causes us to go slower. So, in the end, at all, we should optimize for where we are in two years, and I think open sourcing it earlier, a lot rather than later, will be the best path. And we also iterate, so we could also do analyzer by analyzer.
D
F
Yeah, I would definitely like to explore, like, SAST would be a relatively easy thing to move over, or container scanning, one of the, they're both leveraging mostly open source. We didn't, like the reports and things in the viewing are what we added. But you know, it's a little different, Gemnasium old stuff that now the dependency scanner, we've talked about open, making that available. But then, because there still is a service that you need to hit, having some kind of registration to make sure that you, you know, register and then you get access to those results.
F
D
A
G
E
Yes, so we should explain why Docker in Docker first, why we had these requirements. So we use Docker in Docker to be able to run more Docker containers inside the context of a job. Why are we doing that? Because there are two things in the security features that we're providing: the first one is the engine, and the second one is data. We can provide with you in a single Docker image that. The problem is when it comes to update these things.
E
If we want to update the data, if we need to update all the time the Docker image, and if we have a single image where we have everything, the support on Java, Python, PHP, etc., it's going to be a huge image, probably larger than four or five gigs. There's no way we can provide that to all users. So we ended up with a soft orchestrator, and SAST, it's 20, just an empty shell.
E
It's going to detect the languages and frameworks inside the project and then download and run the corresponding analyzer, so that we have one analyzer per language and one Docker image per language. So that's why we introduced the Docker in Docker requirements last year, because it was easier for us. It was a shortcut. It was working great, but at the same time introducing a requirement that is blocking some deals, because to have Docker in Docker in GitLab CI you need privileged runners.
E
That means the runners will be able to access some part of the host that they are not supposed to access, and that's a security issue for larger companies, especially in the bank, financial industries, et cetera. So we need to get rid of that. There is an epic that I can share with you she's.
H
E
Have to do that for SAST. We have to do that for DAST, container scanning, and every time it's going to be a different challenge. For DAST, it's already done. The next step is probably SAST, but it's going to be a lot of work, especially because we need to do some work around the aggregation of the results on the Rails backend side. So this is definitely something that we want to achieve as soon as possible. Probably this quarter acquittal.
D
A
I
Yeah, real quickly, I think a reasonable minimum viable change here would just be to have a shortcut. So, instead of requiring it to always do the evaluation of what languages you're scanning, once a repo is set up, it typically wouldn't change from one language to another. So having that as either a project setting or just something that you put in the Auto DevOps thing right off the bat, if that would eliminate the requirement, I think that would be far easier than trying to re-engineer how the detector works.
E
We don't sort it out as well to us if you don't mind, so it's actually, yes, a shortcut: you can use the analyzer instead of SAST directly, because the output of the analyzer is exactly the same as the output of SAST. SAST is doing to gather all the outputs from all the analyzers and gather that into a single file, but the format in the end is going to be exactly the same.
E
The problem with that Miele currently is, if you have more than one report, the parser on the backend Rails in GitLab is not able to, for example, remove the duplicates. So there is still some logic inside SAST, especially when it comes to the aggregation of vulnerabilities, that is not yet ported to the Rails backend, and we need to do that before saying to our customers, "You can use directly analyzers." And actually that's probably the path that we're going to follow for the future.
E
We're going to remove these tasks at this soft orchestration, sorry, on top of the analyzers, to use directly the vendor complex. Instead of including the SAST job that will run the orchestrator, the job is going to run all the analyzers one by one, and if the analyzer doesn't detect anything that is compatible in the project, it is going to exit very early. But we still need to cut this small part from the soft orchestrator to the Rails backend parser, so be careful loop. So it's thought it's going to work.
I
A
Believe the answer is we're not yet. We're using them, but we're not contributing back to them. We have the ambition to do so, the kepada, but we have not yet prioritized capacity to contribute back at this time. So we have been racing to improve the maturity of the product offerings we have, as well as expand our breadth and.
H
A
K
J
Not specifically about security, but there was a report that came out from across GitHub, but I think it was like the top, you know, contributing companies to open source, of which, of course, Microsoft was like the third or something, and we were nowhere on the list of like 100. So that's kind of a complication. Okay.
A
C
Sure, so the ask was around whether we see vendors coming to us trying to integrate their products into GitLab, and Kenny has provided ample feedback bears on reviewing those. Now it looks like yes, so SonarQube being of the integration ty, and that seems to be getting the most asks, at least amongst my customers, and one that we're having conversations with now. Are there any others that we could publicly reference or talk about today?
B
Not that I'm aware of, but Philippe or Cindy, if you have others that have been on the radar. That, in the generic integrations issue, that was kind of identified as the first target, and we have had, I added that link to the commentary. We have had like direct interaction with a SonarQube PM interested in the integration, so thread.
A
B
So I feel like that should be a question I should be able to answer, but I don't know if I can at the moment, I guess. I know that we have maturity targets, but Cindy, I don't know if maybe you could provide some baseline from what we've heard from analysts in conversations today. I know we've gone through a number of, you know, as conversation reviews.
B
H
E
E
Third one is air-gapped networks, where GitLab is self-hosted inside the network that doesn't have any access to the Internet. So the current way of working for the security product is not stated from that because we're downloading the images from the outside, so we need to work on this. And the fourth is spits between the birds and the my stays again.
E
So if you have a project that uses Java 11 with some very specific to Java 11, it's like, it's not going to work out of the box. The same goes for Python, the same goes for a lot of things work. We need the environment, the build environment, to be able to run the analyzer, because sometimes we need to install more dependencies, we need to run some targets in the build environment, and the best way to do that is to reuse what the user has configured for their build environment.
E
But we can't access that right now, so there is a gap between the CI/CD configuration and what we need to address in the security product. So we need to fill that gap in the future. We're going to work very closely with, probably the very fighting, and maybe some other teams, to be able to reuse this build disputes that we don't know exactly how.
E
But we have a very large customer that working to secure that as exactly this kind of me. They have some item jobs that are failing because they use very specific dependencies in this project, man or another sort, are just for me because after these missile defenses. That's for the engineering.
H
H
We're, yeah, and we're mentioned in that as kind of an adjunct. We didn't qualify for it this year because we didn't meet their criteria for the length of time that we'd been offering it and the revenue targets, or, you know, revenue achievement. But we're now working on the Hype Cycle, getting in the Hype Cycle, so that we can get into the Magic Quadrant for next year.
L
A
D
We try to enable things by default. Our full dynamic scan wasn't enabled, so I assumed there's a reason for that, and I see Philippe said, "Hey, we're gonna do that as the next step." By now shipping it not enabled, will we make it harder to enable it later? Because I find that a lot of times, if you make it configurable, people assume that you won't turn it on by default later on. But I might be very well wrong. I'd love to hear from Philippe.