From YouTube: Secure::Static Analysis weekly meeting for 2020.10.26
A: All right, happy Monday, so welcome back, good to see you all again. I've got the first couple of items and I'm expecting a fair amount of conversation, so we'll go ahead and jump into it. You can see the announcements starting with that office. That's really the big announcement of Zack South this week. I'm out at the end of this week, continuing to work through the honey-do list to make it so it's no longer a critical mass.

A: After next weekend. Right now, it's not impressive, just a big muddy mess of a backyard. All right! First, next item, really room for me, is post-processing leaked secrets. I know we got into it last week and we're continuing to work on it this week. Is there anything we need to talk about while we're all here, like anything we need to escalate, anything that we need to push on? And look, so you had one in here, but I was wondering if anything else had popped.

C: And I'm speaking from a point of... I don't know if this is still the case; last I saw the issues, it's the case. So, psychotic, I think you're a bit closer to this, but my understanding is that we still haven't gotten... We still haven't quite coordinated with AppSec in terms of a common contract between their API and ours.

D: Yeah so, as we talked about, like, we have now two endpoints, one for getting the token types supported, revocable tokens. I asked Ethan, but I haven't got any reply from him about whether they have already anything that we can use, any API, any endpoint for testing this stuff. Do you know whether they have created any endpoint for this work or not? Any idea?

D: Okay, yeah, I'll check with him again today, but I haven't got any reply from him yet, so yeah. That is a blocker for now, for that there is a service that we are going to create for this work. The service depends on the endpoint, calling the endpoints from... so we have... We don't know the current status of the work for the implementation of those endpoints yet.

E: I'll verbalize my question. So Lucas created the discovery issue and there was a nice diff patch in there that I used to start the MR, but I'm working on adding some specs and I was just wondering if, like, it was all supposed to work kind of as is, or if there's other stuff that needs to be written and whatnot. Okay, I didn't.

E: Sure, no, yeah, that's great, that's great. Yeah, and then, so, like, there's revocable keys that, like, is supposed to be off of the reports. Is that something that still needs to be defined in code?

E: I don't want to take over this whole meeting to go over that, but if there's a thread we can point to, that's great. I mean, if you want to talk about it, that's great too. I just don't want to, like, take over the meeting.

C: I think we have time, depending on how long annual reviews will be, to discuss, but I'll see if I can link the thread or suck out, if you have a handier link to that, but we talked about that in an issue. There's kind of, like, two things that revocable keys would mean: one is the actual keys to be revoked, and then the other is a collection of potential revocable types.

C: So the former would be the actual key present in the repository, and the other would be something like AWS secret key and GCP token. So we need to get the latter from the revocation API, and the former is a filtered list from the report itself.

C: So one is informed by the endpoint that we may or may not have at this point, which is what we were talking about before, by AppSec, and the other one is we need to filter the report findings' identifiers by that list, so they're kind of both intertwined and we're still a bit blocked on that.

E: And the one you mentioned as the former, that should be part of my MR then, like, making that part work?

C: Yeah, I guess that depends on how... So there's the configuration for the application, which is basically just the raw URL of the actual service that is executing to do the revocations. We'll need to figure out whether or not we're passing those revocations to the service, or just saying, "here's the entire job or artifact, you figure out which keys need to be revoked within it." I think it's up to y'all in terms of how you want to implement that. Okay.

D: It would be great if we can, you know, like, get the structure of the endpoint, like, how does that output look after calling the... there are two endpoints. So how does the structure of the output for the endpoint response look, yeah? We need to sync up with Ethan on that.

D: We can take it offline, yeah. I also don't want to spend too much time in this meeting for this.

A: I will go ahead and risk stating my instincts on a recorded call. So, since it looks like the request for more information went out on Friday, I'm willing to wait till Wednesday for them to respond, and if they don't, I think my proposal is: we inform them that this is what the API contract will be. We implement that, and if they don't like it, they can re-implement it.

A: Okay, so my request for you, since you're closest to this: if you would start thinking about what you would like the API to look like, and we can start working that way, assuming that they're not gonna... And if they respond with that or something different, then we'll adapt, but we'll basically give them until Wednesday. And I'll respond in this issue, informing them that we're blocked and we need an answer by Wednesday.

A: Otherwise we'll go ahead and define something to start implementing towards it. So I'll take that. Okay.

C: This isn't a blocker, but I have pinged Daniel on this issue, but just to verbalize this, because there's a lot of issues with a lot of different threads. We previously had to worry about the AWS access key and the AWS secret access key. We no longer need to worry about the latter, so we're just relying on the existing secret that is detected in Gitleaks.

C: Currently, we probably should double check that that regex matches the one that they gave us, but we no longer need to worry about the more ill-defined one, which we had a couple spin-off issues from, around, like, updating capability within Gitleaks. So the scope has been reduced.

C: Yeah, you know, really quick description of that. We have a source code extract that extracts the secret from the report, or from the repo, and includes it in the report to report to the Rails app. There is... the regexes that we have to capture certain secrets within Gitleaks capture around something. So if something's, like, really ill-defined, like it's just an alphanumeric string, then it does something like look for the string "twitter" and an equals sign and then something after it, and say: that's probably a Twitter leaked secret.

C: We don't need the capability of extracting the thing after the "twitter" anymore with the capture group, because we don't have to worry about those. We can just rely on the ones that start with, like, AKIA, which is going to be a lot easier to find.

F: That's really great. Okay, so Thomas, do you want to think about it later, or should I put that card back down, or sorry, issue back down, and we'll move it to the backlog, or what would you like to do?

A: All right, it's annual review season. Mountain of links available for you, so there's a handbook page, there's a template that is... there's a templated document that we're going to be using for annual reviews. It's going to feed into this particular process, and there is the working issue that Todd has spun up for all the engineering managers in Secure. So that is the... and the one other link that I have not included was that there was a training session for engineering managers last week.

A: I will add that when we're done here; that's something I meant to get to before we started here. As has happened for the previous five years of GitLab's history (and this is me speaking from what people have told me that were here three years before me), the review process is changing yet again, so the... where and further engineering is doing something different than the rest of the company.

A: The intent of this ultimately is we're going into a structure that you'll hear colloquially referred to as a nine box, which, or performance potential matrix, is the long-form way of talking about it. We're looking at performance this year; it's kind of... it roughly equates to what we've been doing the previous years.

A: As far as I'm concerned, like, the compo groups, but instead of four there's three, and the way that we're going about bringing information is not mapping into the worksheets that we've had last year and that I've seen for a whole lot of purposes. We're going to these documents that are here that get into... it's a different set of data that we need for everybody. The time frames for these are starting very quickly.

A: So what does this practically mean for everybody here? It's the end of the quarter, which means it's time for us to do, yet again, another quarterly career framework with you. So I'm going to get those scheduled. I'm not going to schedule them for this week; they're going to be the second half of next week and the week that's following.

A: I will do my best, especially for those that are in the United States, to stay well clear of election day and the day that follows, and so I'm going to be relying on that to provide a lot of the input that is necessary for these sessions, for these activities. The activity that comes immediately after this is what is affectionately being referred to as a calibration session, which is a discussion of where everybody is and how they fit into these three groups: the developing, or the performing, or the overperforming.

A: The other thing, not directly related, because I've been thinking about this for a couple of months now, is that there needs to be a change to how we do these quarterly reviews.

A: This is not something we're going to implement this time around, because part of my commitment to you is that how we do these quarterly reviews stays locked for a year. So what we're going to do is change the next time, so for January/February, that instead of getting the four ratings...

A: Now it's going to be where, when you get to exhibiting strength and exhibiting excellence, where it's a comparison to your peers, now the feedback you're going to get on the career matrix reviews is going to be what I've always referred to as a three-state boolean. And yes, these do exist in computer science. We can talk about it if you disagree.

A: But it's all about your performance. Are you doing this consistently, not consistently, or not at all? And then on top of that, giving prose feedback in the areas that you see listed below there. This is adding a lot of work on my preparation for each one of these, but I see this as information that you need, because I see this as the direct input that we need for things like 360 review feedback coming from me, also performance reviews.

A: All of this is directly tied into specifically this framework that we're moving into for this year, and I think that this is going to be sticky and that we should expect this format to be with us for quite a while, and we'll not have changes in annual reviews, or big changes in annual reviews, going forward.

A: So, and the other part of this is that the output of these quarterly meetings stays the same. It all goes back to the one-on-one templates. It's all about points of emphasis and making sure that you're getting the feedback that you need, that it's tied into what we're talking about weekly, and you know exactly what I'm going to be saying when we get into these big conversations.

A: Feedback is a gift. This is information you need. I want you to have it. It's a lot of work, but to me it pays dividends. So this information you get back.

A: All right, I was expecting a lot of questions about this, but I'll move on and stop delivering the point. So anyway, please be thinking. This is important. This is where the work of the career framework reviews comes into the conversations that matter, so I want to make sure that you're informed and know what's coming. Sorry, Taylor, I'll cede the floor.

G: All right, so there is a new lean feature proposal template that has a few of the commonly unfilled-out sections removed. I will say there are more discussions happening about making it even more lean, so you're welcome to start using that, just know there may be more templates that appear. There's currently thoughts about, like, do we need a major feature template, a minor feature template that reduces all of the required fields?

G: I still stand by the point that, if you don't think a section is relevant, just delete it, so know that there's some work happening there. So there's that, and then, secondly, as mentioned in the earlier stage meeting, you can see the customer's Veracode comparison. I went ahead and pulled their PDF into a spreadsheet so that I could look at it, filter it, sort it, etc. It is more readable than their PDF, so definitely take a look at it.

G: I think the things that stood out to me when I was reading through it, basically, is that in the places where we win, we win very big. In the places where, well, in the singular place that we are not as great, in terms of scanner quality, we don't lose by much. So I would be scared if I were Veracode, as we know we're going to be focused on that scanner quality piece.

G: But I think this, when I look at it, feels right with what we see from our customers, and I think this is also a plug for the work that Becca's doing right now. We're doing additional category maturity scorecard validation calls with internal security and developer personas.

G: The results are a little bit all over the place, depending on the role and what task they're walking through. But I think it speaks a lot to what comes out in this framework here: that when you talk about the integration, the ease of setup, the developer workflow, those scores are very, very high. It's only when we start getting into some of the scanner quality...

G: The number of issues, false positives, that we start getting lower scores. So this all sort of checks out for us. As I think I mentioned before, we are looking at what our maturity is and if we need to mature that faster, in terms of updating the listing, not us moving faster. I think we're seeing a lot of positive moves from the market, as David mentioned earlier today; like, this really is a huge accomplishment.

G: I'll say: I've got another customer, or prospect I should say, in the pipeline that looks very similar to the same customer. They're also potentially interested in contributing to our roadmap.

G: So it just goes to say that we are building something that customers understand, the direction and the vision that we're building, and it is a testament to, I think, you know, the success that we're having. We're rapidly maturing all of our features, and that's directly because of the work that y'all are doing, so fantastic job, and it really is something to be celebrated. I think, you know, when you look at the amount of revenue that Secure drives, it is non-insignificant.

G: It is, in fact, about a quarter of our revenue, so yeah, lots of great work this year. I think I'll close this by saying, as we look towards the end of the year, I think we've accomplished a lot. Thomas, me, David have chatted about what the end of the year looks like and we think it...

G: But yeah, that goes to say, like, we've accomplished a lot this year. I really want you all to take some time during the holiday season. It's time to plan those things. I will also be taking some time off, so please don't hesitate to do that. We're not stressing about what we've got; we've accomplished so much, and I really just want us to have a moment, recoup, recover, because we're gonna do it all again next year.

D: So I have a question for Taylor. So MobSF we released as an experimental feature, so towards the end of this year, what is our... how do we want to look at it as a mature feature? Like, we need to remove the experimental feature option, right?

D: So when do we decide? Like, after using this by our customers sometimes, or we'll judge on that, like, depending on developers' judgment? Like, we have unit tests, integration tests and everything looks fine; we cannot just release it as a standalone feature. What do you think?

G: I've got a few other customers that I know are very interested in mobile scanning, so now that it's available, I'm waiting for them to start using it. So once we have some signals from customers that they're using it, it's working, it's finding the right things, that will, I think, inform how quickly we mature it. I know one thing that's on my mind is binary scanning, so scanning the APKs and the IPA files.

A: There are some use cases where we could use some more rigorous evaluation for things like MobSF. The two that immediately come to mind: I know we're... Auto DevOps, are we ready for that integration? The other one that we absolutely need to put some scrutiny on is for offline environments, just making sure we've got documentation ready to go for that and that we know that this will work in that setup.

A: So there's some things where we need to put some scrutiny on it to make sure that we're supporting the full breadth of deployment paradigms that we have to support, and then once we've done that and we've got the integration and test coverage. So some unit...

F: I had two questions, really, into what you were talking about, Taylor. First off, you did well to say "customer", good job. Did we... have we said "competitor" instead of Veracode, or is that fine to be public knowledge?

A: Yeah, industry analyst things, at least in my experience, are things we need to be aware of. We need to be aware of our trajectory, but they take care of themselves as long as we continue to deliver, so we're doing great. This is the fun part. I think I've said to many people here: this is where, we know, disruption is coming. We know that we're going to be the cause of it, and nobody knows what to expect. This is the fun part, to me.

A: All right, anything else here? Should we move on to... well, we're at time.

A: So I would argue we hold. I see, Lucas, you've got one on augmenting severities. Do you mind if we hold that for next week? Sure? Okay, let's hold that one. Unless anybody's got parting commentary, we'll wrap up.