From YouTube: Secure::Static Analysis weekly meeting for 2020.12.07
A
All right, happy Monday. Once again, I hope everybody is continuing to have a good start to your week. I'll go through announcements, and then I will cede the floor temporarily. So, as usual, out of office this week: these are just what I know in spite of. We have somebody who's not supposed to be working here, but I won't mention that person's name, just because they're shamed already with the view out their back window.
A
As a reminder, the employee engagement survey is still open. If you haven't participated yet, please consider doing so. These are very useful and we pay attention to these results, so it's helpful. Not that this next one is news to anybody, but this week and next week represent the last weeks of 2020 in which we are all working. There's a lot of people starting to be out, starting with Family and Friends Day, which is a week from Friday.
A
If you haven't booked it yet... so, if you've got stuff you're working on, if you would please start trying to get that to a place where you can set it down for a while, because we could really use a period. Next, we don't want to be rushing to completion at the end of next week; otherwise we're guilty of committing what I refer to as commit and run, and then everything blows up while everybody's away.
B
Yeah, so this week is GitHub Universe, it's their annual conference. We expect them to announce all sorts of things; it starts tomorrow. All of the security content is scheduled for the eighth, which is tomorrow, so definitely look at the sessions, feel free to take some time and watch them if you're interested. If you see something interesting in the sessions, or people tweeting, or Reddit, or wherever else people discuss online, definitely share with us; we're watching this.
B
The marketing team has a whole lot of plans trying to distract people from announcements; we'll sort of take things as we learn them and make a game plan from there. I don't think there's anything giant that we're expecting, but certainly, who knows what they have planned. So yeah, keep your eyes and ears open and let us know what you find.
C
Yeah, so I updated the MR coach links to a different view of MRs that we might need to keep an eye on, and then I've been just copying and pasting those links into my daily stand-up, since that's what I'm working on. It's very handy to just have those links right there.
C
You could call it efficiency, I might call it being lazy, but that's all thanks to you, Thomas.
A
Sometimes it's hard to differentiate between efficiency and laziness. I prefer efficiency, but anyway, sign of a good engineer. All right, so I've got the next several; I'll keep going through this. All right, let's talk retros. So one of the things we're codifying, or starting at 13.7, is a change so that we're not doing it Secure-wide; we're actually going to do it...
A
We're going to move it down to the individual groups, so we'll have our own retro here, our own sync session here, and then I will take that up to the sub-department and then we'll figure out what of all of our commentary goes up to the company-wide document. Calling it out because we're not going to change the tooling mid-iteration on anybody else, so we're going to continue to use the 13.7 Secure-wide issue for commentary.
A
We can also move it to this document if need be. It's got to be messy; we'll clean it up in 13.8. So I wanna let everybody know of the change that is coming. Given holiday schedules, I'm looking to do this the first week in 2021, when we're all back. So I will have that shared in channel, and there will also be part of the document for this. We'll talk about it as far as schedule in next week's iteration of this meeting. Any questions about this?
A
Okay, I'll keep going. Part of one of my points of emphasis for myself for this quarter is to pay a whole lot more attention to my own OKR issues, and part of that to me is bringing what I'm doing back to this group. I'm gonna try to do regular, not weekly, but at least regular, at least monthly updates into this, so you all know what I'm chasing. Number one: office hours last Thursday. I thought that went great, especially for a first iteration of that conversation.
A
Thank you to everyone who showed up; it mattered and it was appreciated, and so thank you. I think we learned a fair amount. I think we were able to show something that was coming that was needed and desired, with monorepo support, Node.js scan, that was good, and I think we were able to make sure they knew that they didn't have to do what they thought they were going to have to do with the first part.
A
So I thought that was good. And so the next one that I'm working on: you've probably noticed, if you pay attention to stand-up reports like I do, that I've been talking about forking or mirroring our dependencies. Well, it's part of the OKRs. So it's time we actually subject the scanners that we depend upon to our own features, and let's see what we find.
A
Notes from me: the mirroring feature that we have for projects, I thought, is quite good. If you haven't played with that yet, I think it's working; it's doing exactly what I wanted it to do. However, I was hoping this could be an Auto DevOps kind of scanning, but it can't because of a few limitations that I've run into.
A
The main reason that I'm having trouble with Auto DevOps is that I'm trying to scan the versions that we depend on, which are tags, and our features don't run against tags. They run against branches, and that distinction surprised me, or at least I forgot about it, and so this is causing me to do a little bit more work than expected. So Lucas, I'm jumping ahead of your questions, but did I answer it, or is there more that you want to unpack here?
A
Okay, the other thing that I ran into related to Auto DevOps is that we've got some things like dependency scanning that require a lock file, and while you can build it, that build step does not occur, and it is a part of ADO, or excuse me, Auto DevOps. So if we want dependency scanning and some of these things, we're going to have to either commit a... either bring in our own build plan, or we'll have to do the necessary things locally and then have it scan accordingly.
A
So it's just not as clean. It'll get cleaned up, but as a first pass, it's interesting, and there's a couple of read-only items that are there. If you want more information, I'll let you go get into those. Any questions on those items before I move on? Any more questions?
A
All right, last week we talked about doing a virtual happy hour, the friar to us all, prior to the holiday season kicking into high gear. I'm looking at next Wednesday, relatively late if you're East Coast, late afternoon if you're on the West Coast of North America. So bring your own beverage of choice; maybe, I'm brainstorming here, maybe a gaming session, like maybe something via Tabletop Simulator or something else that you guys would like to do.
A
I would love to just play, just want to have fun, that's just kind of, and so that's what I was looking to do during this time. So Zach, I see you mentioned, which I'm not familiar with.
E
Yeah, it's a Jackbox TV game, and I've done it a couple of times with, like, Erica and some of her friends, just all on Zoom, and it worked out really well. So that's something. I don't actually have Fibbage, but I think it's like ten dollars or something, and it's a ton of fun. Basically there's a bunch of... it's kind of, they give you a prompt. You come up with the lie and you try and trick people into choosing your lie.
E
Then you get points. So it's a fun one.
A
All right, that sounds like fun, so let's explore that, and if people have some options that you think would be entertaining, I would love your thoughts, and we'll collaborate on this through the rest of the week.
A
Okay, I'm looking at 4:30 p.m. Pacific time next Wednesday. I know that's late if you're on the East Coast; we can iterate on that. Why 4:30? Because that is when the new APAC weekly meetings wrap, and so that's why I was looking at that time specifically, but I'm open for suggestions.
A
The new weekly meeting schedule means that I move my work night. Since we started that APAC schedule over a year ago at this point, Mondays were my long days and then I would taper off through the rest of the week. Well, I can work one night a week, so I'm gonna move my work nights from Mondays to Wednesdays.
B
Change: okay, release post items. It is that time again; I don't know how it just keeps coming. I've got the two things here listed: the improved MR widget and artifact download, which Niels' team has been working on, and included the wider rollout of that; we've got the monorepo support. I'm going to come up with some great way to not use the word monorepo; if you have ideas, feel free to put them into the release post draft that I'll create later today.
B
Think about it, let me know. This release post cycle is bizarro, as there's a Friends and Family Day and the holidays are coming up, so everything is happening on a different schedule this go-around. So I think everything's a day earlier. I plan to have the draft release posts by end of day today, so I'll tag y'all on those; feel free to comment on them, and then I'll check in probably end of the week and see how those are looking.
D
So I just had, like, a last-minute addition to this, since I was watching Becca's category scorecard video. But can we just talk briefly about how that scorecard actually affects our category maturity? For those of us not super familiar with the process, does completion of that mean it is moving forward, or does it mean staying where it is, or what?
B
So this has been a journey. Becca and I have been working on this since, I think, August. We've done a ton of internal interviews. We've done a few external interviews. Basically, this new CMS process, the category maturity scorecard, has been evolving, and as we've been doing interviews the process itself has been actually changing, and so we've kind of been leapfrogging back and forth where we're at. So, because we matured all of our categories to viable...
B
...before all of the new scoring process happened, we didn't need to do any of this, so we're still viable. What we wanted to do is, when this new CMS process with a scoring scorecard and all of that was rolled out... If you look at the maturity page on the website, you'll notice that some of the icons are purple and some of the icons are gray. Gray indicates the old pre-scorecard system. Purple icons mean that you've got a scorecard with a score.
B
We now have a scorecard with a score for both the Secret Detection category and SAST; there's an MR out to update those icons to turn them purple. I know this sounds really silly, because it kind of is. Basically, what Becca and I wanted to do was get ahead of the process of getting to complete: see where we were at in the scorecard with our actual number score, to see how good or how bad it was, and then reconcile any of our to-complete plans.
B
Surprise, the scores came back really good; in many cases we're already considered complete score-wise. Now I will say that those scores are internal folks only, which the new category maturity scorecard process, for viable, only requires internal reviews. For complete, we'll do external reviews, which we've already queued a few of up, so we'll run that same process again with external customers once we've finished a few more things in our to-complete, and we expect that we will get scores just as good that will justify us to move to complete. So that's kind of...
B
...what's going on behind the scenes. Frankly, today, based on the scores, we could probably go ahead and mature to complete, but I think you all know, and probably feel the same, that we're not quite there yet. There are still some things that we need to go and do, which we've already got planned and should be no surprise at this point.
D
Not for me, but that was super helpful. Thank you.
B
It's a good question. In general, you're supposed to do the scorecard when you're looking to mature maturity.
B
I think this is more of a sort of ongoing thing, because it's tied in with our jobs to be done, which have all been redesigned. There's now... the UX team is working on aligning all of the jobs to be done across the different categories so that they're standardized, which we were sort of ahead of, and we kind of helped largely shape what those look like.
B
So our category maturity scorecard was based on those new jobs to be done, and basically what Becca and I are going to do moving forward is, as we happen to talk to customers for whatever reason, we'll likely run them through some of those scenarios as sort of a touch point, especially when we're releasing features and functionality that we expect to improve the score for a particular job to be done. And then, when we get closer to April or March, we'll actually sit down.
E
And Ross, I bet my video is shorter. It's, I think, 24 seconds or something, but I can also demo this too. Anyway, last week I updated Gitleaks to version seven.
E
It was kind of a project I did during some of my time off over Thanksgiving, and it was pretty much a rewrite of Gitleaks. The only things that stayed the same were, like, the configuration and the options; those structures stayed the same, but the actual scanning, the way that the code was organized, that was kind of all ripped apart, and it's just cleaner, easier for me to maintain.
E
So if you're curious about how the code looks now, I encourage you to take a look, but there are some cool new features that I demo in the video, and I can also show, so let me share my screen.
E
Okay, sharing this. Okay, so I guess the first one I'll show is: let's do gitleaks and see the options. So I added and I changed some options, but one of the new options is no-git, so you can now run Gitleaks on any file you want or any directory. So I'm hoping maybe someone might make a plug-in for Vim or an IDE, because it's quick, you know, and you can just run Gitleaks on it, like I said, a specific file or directory.
E
So, for example, I'm in the test secrets directory, and if we want to run Gitleaks on that, I have that here. So I found the leaks, and this is treating the secrets repo as just a directory, so it ignores the .git file that is part of repos. So that's that feature. Another feature I added is the leak URL field in the report, and so if we run Gitleaks on the actual remote of test secrets...
E
So let's do that. We'll see that this leak URL is populated, and if we just go to that link, we'll see: oh, here's the key, and, you know, boom, here's where the leak is.
E
So it takes you to the correct commit and the correct line, and so this is something I wanted for a while, and this is something I'm hoping that we can introduce into our secrets analyzer. When you're on the security dashboard and you look at a vulnerability, you want to be able to just click a link and go directly to where the leak is, rather than having to open up a commit and search the file for that line. So this is just one step closer, you know.
E
So yeah, those are kind of the new things that I wanted to show off.
E
Yeah, yeah, yeah. Oh, I forgot to mention, another thing: prior to Gitleaks seven, I was kind of half supporting GitLab and GitHub integrations, which was just really hard to maintain, and that felt like kind of a half-baked feature creep.
E
So those were removed. So, you know, my goal for Gitleaks is just to be the, you know, quickest, most configurable git tool for searching repos, and if you want to integrate with GitHub or GitLab, by all means, write a script around it. You know, it's just something that I don't have time to support, so I removed it.