►
From YouTube: Secure::Static Analysis weekly meeting for 2020.10.26
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
All
right,
happy
monday,
so
welcome
back
good
to
see
you
all
again.
I've
got
the
first
couple
of
items
and
I'm
expecting
a
fair
amount
of
conversation.
So
we'll
go
ahead
and
jump
in
it.
You
can
see
the
announcements
starting
with
that
office.
That's
really
the
big
announcements
of
zack
south
this
week,
I'm
out
at
the
end
of
this
week
continuing
to
work
through
the
honeydew
list
to
make
it
so
it's
no
longer
a
critical
mass.
A
After
next
weekend,
right
now,
it's
not
impressive.
Just
a
big
muddy
mess
backyard.
All
right!
First,
next
item
really
room
for
me-
is
post-processing
league
secrets.
I
know
we
got
into
it
last
week
and
we're
continuing
to
work
on
it
this
week.
Is
there
anything
we
need
to
talk
about
while
we're
all
here
like
anything,
we
need
to
escalate
anything
that
we
need
to
push
on
and
look
so
you
had
one
in
here,
but
I
was
wondering
if
anything
else
had
popped.
C
And
I'm
speaking
from
a
point
of
I
I
don't
know
if
this
is
still
the
case
last
I
saw
the
issues
it's
the
case,
so
psychotic.
I
think
you're
a
bit
closer
to
this,
but
my
understanding
is
that
we
still
haven't
gotten.
We
still
haven't
quite
coordinated
with
abstech
in
terms
of
a
common
contract
between
their
api
and
ours.
D
Okay,
yeah
I'll
check
with
him
again
today,
but
I
haven't
got
any
reply
from
him
yet
so
yeah.
That
is
a
blocker
for
now,
for
that
there
is
a
service
that
we
are
going
to
create
for
this
work.
The
service
depends
on
the
end
point
calling
the
end
points
from
so
we
have.
We
don't
know
the
current
status
of
the
work
for
the
implementation
of
those
endpoint.
Yet.
D
E
I'll
verbalize,
my
my
question
so
lucas
great
the
discovery
issue
and
there
was
a
nice
diff
patch
in
there
that
I
that
I
used
to
start
the
mr,
but
I'm
I'm
working
on
adding
some
specs
and
I
was
just
wondering
if
like
it,
was
all
supposed
to
work
kind
of
as
is
or
if
there's
other
stuff
that
needs
to
be
written
and
and
whatnot.
Okay,
I
didn't.
C
E
E
C
E
E
C
Think
we
have
time,
depending
on
how
long
annual
reviews
will
be
to
discuss
but
I'll
see
if
I
can
like
the
thread
or
suck
out,
if
you
still,
if
you
have
a
handier
link
to
that,
but
we
talked
about
that
in
an
issue.
There's
kind
of
like
two
things
that
revocable
keys
would
mean:
one
is
the
actual
keys
to
be
revoked
and
then
the
other
is
a
collection
of
potential
revocable
types.
C
C
C
Yeah,
I
guess
that
depends
on
how
so
there's
the
configuration
for
the
application,
which
is
just
the
basically
the
raw
url,
the
actual
service
that
is
executing
to
do.
The
relocations
will
need
to
figure
that
out
whether
or
not
we're
passing
those
relocations
to
the
service
or
just
saying
here's,
the
entire
job
or
artifact
you
figure
out
which
keys
need
to
be
revoked
within
it.
I
think
it's
it's
up
to
y'all
in
terms
of
how
you
want
to
implement
that
okay.
D
A
I
will
go
ahead
and
risk
stating
my
instincts
on
a
recorded
call.
So
since
it
looks
like
the
request
for
more
information
went
out
on
friday,
I'm
willing
to
wait
till
wednesday
for
for
them
to
respond,
and
if
they
don't,
I
think
my
proposal
is.
We
inform
them
that
this
is
what
the
api
contract
will
be.
We
implement
that
and
if
they
don't
like
it,
they
can
re-implement
it.
A
A
C
This
isn't
a
blocker,
but
I
have
pinged
daniel
on
this
issue,
but
just
to
verbalize
this,
because
there's
a
lot
of
issues
with
a
lot
of
different
threads.
We
previously
had
to
worry
about
the
aws
access
key
and
the
aws
secret
access
key.
We
no
longer
need
to
worry
about
the
latter,
so
we're
just
relying
on
the
existing
secret
that
is
detected
in
git
leaks.
C
C
Yeah,
you
know
really
really
quick
description
of
that.
The
we
have
a
source
code
extract
that
extracts
the
secret
from
the
report
or
from
the
repo
and
includes
in
the
report
now
to
report
to
the
rails.
App
there
is
a
the
regex
is
that
we
have
to
capture
certain
secrets
within
get
leaks
capture
around
something.
So
if
something's
like
really
ill-defined
like
it's
just
an
alphanumeric
string,
then
it
does
something
like
look
for
the
string,
twitter
and
an
equals
sign
and
then
something
after
it
and
say:
that's
probably
a
twitter
league
secret.
C
A
A
All
right,
it's
annual
review
season,
mountain
of
links
available
for
you,
so
there's
a
handbook
page,
there's
a
template
that
is
b
there's
a
templated
document
that
we're
going
to
be
using
for
annual
reviews.
It's
going
to
feed
into
this
particular
process,
and
there
is
the
working
issue
that
todd
has
spun
up
for
all
the
engineering
managers
and
secure.
So
that
is
the
and
the
one
other
link
that
I
have
not
included
was
that
there
was
a
training
session
for
engineering
managers
last
week.
A
The
the
intent
of
this
ultimately
is
we're
going
into
a
structure
that
you'll
hear
colloquially,
referred
to
as
a
nine
box,
which
or
potential
performance
potential
matrix
is
a
is
the
long-form
way
of
talking
about
it.
We're
looking
at
performance
this
year,
it's
kind
of
it
roughly
equates
to
what
we've
been
doing
the
previous
years.
A
As
far
as
I'm
concerned,
like
the
compo
groups,
but
it's
it's
instead
of
four
there's
three
and
and
the
way
that
we're
going
about
bringing
information
is
not
mapping
into
the
worksheets
that
we've
had
last
year
and
that
you
would
that
we
would
and
that
I've
that
that
I've
seen
for
a
whole
lot
of
purposes
we're
going
to
these
documents
that
are
here
that
gets
into
it's
a
different
set
of
data
that
we
need
for
everybody.
The
time
frames
for
these
are
starting
very
quickly.
A
So
what
does
this
practically
mean
for
everybody?
Here?
It's
the
end
of
the
quarter,
which
means
it's
time
for
us
to
do
yet
again,
another
quarterly
career
framework
with
you.
So
I'm
going
to
get
those
scheduled,
I'm
not
going
to
schedule
them
for
this
week,
they're
going
to
be
the
second
half
of
next
week
in
the
week.
That's
following.
A
This
is
not
something
we're
going
to
implement
this
time
around,
because
part
of
my
commitment
to
you
is
that
how
we
do
these
quarterly
reviews
stays
locked
for
a
year.
So
what
we're
going
to
do
is
change
the
next
time
so
for
january
february,
that,
instead
of
it
being
is
it
not
is,
is
this
instead
of
getting
the
four
rate
the
the
four
ratings?
A
Now
it's
going
to
be
where,
when
you
get
to
exhibiting
strength
and
exhibiting
excellence,
where
it's
a
comparison
to
your
peers,
now
the
reviews
that
you're
gonna
get
now
the
feedback
you're
going
to
get
on
the
career
matrix
reviews
is
going
to
be
what
I've
always
referred
to
as
a
three-state
bullying.
And
yes,
these
do
exist
in
computer
science.
We
can
talk
about
it.
If
you
disagree.
A
But
it's
all
about
your
performance.
Are
you
doing
this
consistently
not
consistently
or
not
at
all,
and
then
on
top
of
that,
giving
prose
feedback
in
the
areas
that
you
see
listed
below
there?
This
is
adding
a
lot
of
work
on
my
preparation
for
each
one
of
these,
but
I
see
this
is
information
that
you
need,
because
I
see
this
is
the
direct
input
that
we
need
for
things
like
360
review
feedback
coming
from
me
also
performance
reviews.
A
So,
and
the
other
part
of
this
is
that
the
output
of
these
quarterly
meetings
stay
the
same.
It
all
goes
back
to
the
one-on-one
templates.
It's
all
about
points
of
emphasis
and
making
sure
that
it's
you're
getting
the
feedback
that
you
need
that
it's
tied
into
what
we're
talking
about
weekly,
and
you
know
exactly
what
I'm
going
to
be
saying
when
we
get
into
these
big
conversations.
A
A
A
A
A
A
All
right,
I
was
expecting
a
lot
of
questions
about
this,
but
I'll
move
on
and
stop
delivering
the
point
so
anyway,
please
be
thanking.
This
is
important.
This
is
where
the
work
of
the
career
framework
reviews
comes
into
the
conversations
that
matter,
so
I
want
to
make
sure
that
you're
informed
and
know.
What's
coming
sorry,
taylor
I'll
see
the
floor.
G
All
right,
so
there
is
a
new
lean
feature
proposal
template
that
has
a
few
of
the
commonly
unfilled
out
sections
removed.
I
will
say
there
is
more
discussions
happening
about
making
it
even
more
lean,
so
you're
welcome
to
start
using
that
just
know.
There
may
be
more
templates
that
appear,
there's
currently
thoughts
about
like
do.
We
need
a
major
feature:
template
a
minor
feature,
template
that
reduces
all
of
the
required
fields.
G
I
still
stand
by
the
point
that,
if
you
don't
think
a
section
is
relevant,
just
delete
it
so
know
that
there's
some
work
happening
there.
So
there's
that
and
then.
Secondly,
as
mentioned
in
the
earlier
stage
meeting,
you
can
see
the
customers
varicode
comparison.
I
went
ahead
and
pulled
their
pdf
into
a
spreadsheet
so
that
I
could
look
at
it
filter
it
sort
it
etc.
It
is
more
readable
than
their
pdf.
So
definitely
take
a
look
at
it.
G
I
think
the
things
that
stood
out
to
me
when
I
was
reading
through
it
basically
is
that
in
the
places
where
we
win,
we
win
very
big
in
the
places
where
well,
in
the
singular
place
that
we
are
not
as
great
in
terms
of
scanner
quality.
We
don't
lose
by
much.
So
I
I
would
be
scared
if
I
were
vera
code,
as
we
know
we're
going
to
be
focused
on
that
scanner
quality
piece.
G
G
The
results
are
a
little
bit
all
over
the
place,
depending
on
the
role
and
what
you
skate
or
what
task
they're
walking
through.
But
I
think
it
speaks
a
lot
to
what
comes
out
in
this
framework
here
that
when
you
talk
about
the
integration,
the
ease
of
setup,
the
developer
workflow,
those
scores
are
very,
very
high.
It's
only
when
we
start
getting
into
some
of
the
scanner
quality.
G
G
So
it
just
goes
to
say
that
I
we
are
building
something
that
customers
understand
the
direction
and
the
vision
that
we're
building
and
it
is
a
testament
to.
I
think
you
know
the
success
that
we're
having
we're
rapidly
maturing
all
of
our
features
and
that's
directly
because
of
the
work
that
y'all
are
doing
so
fantastic
job,
and
it
really
is
something
to
be
celebrated.
I
I
think
you
know
when
you
look
at
the
amount
of
revenue
that
secure
drives,
it
is
non-insignificant.
G
G
A
G
But
yeah,
that
goes
to
say,
like
we've,
accomplished
a
lot
this
year.
I
really
want
you
all
to
take
some
time
during
the
holiday
season.
It's
time
to
plan
those
things
I
will
also
be
taking
some
time
off,
so
please
don't
hesitate
to
do
that.
We're
not
stressing
about
what
we've
got
we've
accomplished
so
much,
and
I
really
just
want
us
to
to
have
a
moment
recoup
recover
because
we're
gonna
do
it
all
again.
Next
year.
D
D
G
G
I've
got
a
few
other
customers
that
I
know
are
very
interested
in
mobile
scanning,
so
now
that
it's
available,
I'm
waiting
for
them
to
start
using
it.
So
once
we
have
some
signals
from
customers
that
they're
using
it
it's
working,
it's
finding
the
right
things
that
will,
I
think,
inform
how
quickly
we
mature
it.
I
know
one
thing:
that's
on
my
mind
is
binary
scanning,
so
scanning
the
apks
and
the
I
p
a
w
files.
G
A
There
are
some
use
cases
where
we
could
use
some
more
rigorous
evaluation
for
things
like
mob
sf,
the
the
two
that
immediately
come
to
mind.
I
know
we're
auto
devops.
Are
we
ready
for
that
integration?
The
other
one
that
we
absolutely
need
to
put
some
scrutiny
on?
It
is
for
offline
environments,
just
making
sure
we've
got
documentation
ready
to
go
for
that
and
that
we
know
that
this
will
work
in
that
setup.
A
B
F
G
F
G
A
Yeah
industry
analyst
things,
at
least
in
my
experience-
are
things
we
need
to
be
aware
of.
We
need
to
be
aware
of
our
trajectory,
but
they
take
care
of
themselves
as
long
as
we
continue
to
deliver
so
we're
doing
great
this.
This
is
this
is
the
fun
part.
I
think
I've
said
to
many
people
here.
This
is
where
the
we
know
disruption
is
coming.
We
know
that
we're
going
to
be
the
cause
of
it,
and
nobody
knows
what
to
expect.
This
is
the
fun
part
so
to
me.