From YouTube: Secure::Static Analysis weekly meeting for 2020.10.19
Description
No description was provided for this meeting.
A: All right, happy Monday again. So they're, so we'll go ahead and jump answers for a couple minutes late, but we're going to declare quorum as well. I'm gonna start bringing in some announcements here as well. That way, there's a place for things where we're just, like, sharing info, but it does not necessarily design for dialogue, for lack of a better way of putting it. So I think they're useful. Number one, there's going out of office, just so you don't need it.
A: Yes, we have PTO Ninja. No, this is not intended to be authoritative, but just if you're looking for feedback from folks, this is. I thought this was a nice addition. So Daniel's out till Thursday; this is part of his move. I am out Thursday and Friday this week because of critical mass on the honey-do list that needs attention, and so, so I'm gonna, I'm gonna be out doing that and digging up large portions of my yard.
A: So that's what I get to spend the weekend doing, so there's that. This was announced on Friday: secret detection post-processing work starts tomorrow.
A: So we need to get everything that we currently have in flight to a spot where you can set it down today, at the end of work today, so that we can go ahead and swarm the work for secret detection post-processing, which I think is the most accurate way of describing what we're actually going to deliver. And so that epic is available, most of the details. In fact, I was erring towards this. Almost all the details for it are in the discovery issue that is a part of the epic itself.
A: So if you're looking for details, go there. And finally, a reminder specifically for those of us that are in the United States: open enrollment. It's important this year. You've got two weeks to decide what your health care coverage is, and you have to sign up in order to continue health care coverage in the new year. So that's why I keep harping on it. So you'll see this reminder again here next week as well, and so those are the announcements. Ross, here, sir.
B: Yeah, so for, for the MobSF analyzer, there are, you know, there's some specific stuff which, it's not just as simple as, hey, you have an Android app, it'll run; hey, you have an iOS app, it'll run.
B: There's, there's some additional nuances there that, that we do have encoded in the, in the analyzer itself, as well as in the template. But it's not completely obvious to someone just reading the documentation that there are those limitations. We might have some for some other analyzers too, maybe like, like Rails.
B: You know how we determine if we should run the Rails analyzer, but I was just wondering if there was maybe a better place to call that out in the documentation for someone looking at the docs, as opposed to needing to go read somewhere else that this is or isn't going to run, to get a better idea sooner.
C: I have an idea. Maybe, I mean, so on the, on that link that Thomas posted, if you click the MobSF analyzer, maybe adding this to the README on the actual analyzer, and then, like, maybe putting in notes, like, in the same section of that SAST analyzers, like, you know, if you're having trouble with MobSF, you know, running on whatever, you know, pretty much just explain, like, why you might need to reference this additional documentation, but it's at the README, because.
B: Yeah, it is, it is, and that was provided to us, but like a lot of our READMEs for analyzers aren't, they don't have a lot of information in them. So I mean, I mean, and that's, I mean, that, that's, that's a valid, like, suggestion of let's put that stuff in the README and call it out more clearly in the README and point to the README. For those that, you know, it's like, check out, check out the criteria to run in the README.
C: Like, another, yeah, another option too, maybe, is to create, like, a sub page of analyzers, so that there's, you know, SAST slash analyzer slash MobSF, and have, you know, select analyzers have their own kind of documentation page, just because that table is pretty large and there's a lot of information on this page. And, like, I mean, we wouldn't want to, like, from your comment, I don't think putting all that information into just the SAST analyzer documentation, that root page.
C: That Thomas sent would look good, because it seems like that's just, it's, it's kind of analyzer agnostic and it's just general information about what SAST analyzers provide, not specific. What do specific SAST analyzers provide? So.
A: I'll run, I'll run into it monthly. I'll go hunting after the fact rather than make you wait while I go find it. So, but I'll, I'll hunt.
A: Yeah, I'll ask my orthogonal questions. So all of our, all of our detection logic, all of our jobs, everything else is analyzer specific. Should we flip this? Are we getting to the point where we need to flip this paradigm so that it's language centric, so within the jobs, and then that invokes specific analyzers after the fact? Even if it does duplication, like MobSF would be referenced four times, SpotBugs would reference two, three, four times.
A: Forth, would the duplication increase traceability? And maybe that's a discovery issue unto itself.
A: I'll file a discovery issue. This is just a curiosity of mine, and flavors of this curiosity come up about once every four months for me. So I'll file an issue, you get to the bottom of this once and for all, then I'll let it go for eight months, and then I'll forget about it, and then we'll go again. I'm kidding, hopefully. Okay, I'll move unless there's more. I'll get to the, I've got the next couple.
A: Okay, item three: if it's not an issue, it doesn't exist. It's a strong statement, but it is the mantra or axiom or pick your appropriate late word here, if you've got a wordsmith hat on. With the escalation requests that are coming to us through Slack, I have now entered, now have an internal kind of clock that, if I'm responding to somebody and it takes more than one to two responses, or if it's taking me more than 10 to 30 minutes to, to figure out what the answer is.
A: I need an issue, and I need them to file it, rather than me taking, trying to interpret what they're asking. I am raising that here so that everybody knows what stance I'm taking, and if you have it. I'm not trying to be brusque or hard-handed or.
A: With folks, but if you want to take, adopt a stance, I'm just letting you know this is what I'm doing. So it's the, there were a couple of examples that were coming through last week where it was, conversation was staying in Slack, which cannot be a single source of truth for us, and it was involving additional investigation, and so that's what triggered me to want to put it here. Does anybody have any thoughts on this, or questions or commentary, feedback?
A: Okay, while we're on the subject of feedback, the epic that's linked in the announcements above on, see, post-processing for leaked secrets. I would appreciate feedback on how that is, the, how that discovery issue is broken down. So I'm specifically curious about how, what's the best, most efficient way to break down the Rails side of the, of the, of the work that we need to do, because there's a lot of little work that's spread across one service and two workers, and maybe a couple of other places as well. And so I did.
A: My initial instincts were to break it down into six issues, which, if you can read the chicken scratching behind me, tells you what it was, which had three Rails issues, and the more I looked at it, the more I talked myself into one. So if you've got feedback on how we need to break it down that makes it more efficient, particularly getting it through maintainer review.
A: I would appreciate it. And so, so if you've got real-time feedback, great; if not, we can, we can certainly take it to the fx themselves and break it down in other ways.
A: Implementation issues are sparse on, on purpose, by the way. We've discussed everything ad nauseam with, on the technical discovery. I did not want to fall into the trap we've experienced before, where we've got conversations spread across two, three, four, five issues. So I'm going to be working pretty hard to keep commentary either on the discovery issue until it closes, and once it closes, put it on the epic.
A: Okay, feedback appreciated. So if you have it, I'd pretty much like to hear it. So.
E: Yes, we can. For now we can specify the API key in the SAST template, but it's not secure enough, too, somehow. We need to pass the API key secretly to the analyzer, so we know, we know the key, but it's, it's not safe to save that key to the SAST template.
E: I, I, I need to investigate why we need that key. It's calling an API and the key is very trivial. Like, it's not a complex secret, it's very trivial. I don't know why. I, I need to investigate, but somehow we need to pass that to the analyzer. That is the best solution. Otherwise, for now the temporary solution is that we need to specify the API key in our GitLab CI YAML file.
D: I will say, I think we should be really careful about this. I think protected variables comes to mind as a potential solution, but let's play this out for a second: that, through logs, through some other way, people sharing CI files, they don't realize the sensitivity of that. I assume you could take that API key, and anybody who has it would then effectively have access to your source code. Is that true?
E: I, I just noticed that just before this meeting. I didn't get enough time to say, but looks like the key is very trivial, like the way it is written. I mean, I need to investigate why this, this is used, how this is used, and how can we rotate this key in mobile? I don't have enough information about that. Ross, do, do you know anything about this game? I just noticed that just before this.
C: So could you, like, link in the analyzer where the key is being used?
C: I, I, yeah, I, I don't know. I mean, off the top of my head, that's, that's kind of the solution that's coming to me.
C: So, wow, never mind.
A: Yeah, all right, conversation to continue asynchronous. It sounds like, at a minimum, say god, I'll have to ask you for an issue, because it needs to exist, and so we can move our commentary there. Okay, yeah.
D: That is me next. So I put these in Slack, a few things. The release post preview is here; of course, it'll be published on the 22nd. Please take a look at that. Let me know if you see any inaccuracies or anything that's wrong with it. This is a big release for us, y'all. It's got two of the most requested features from customers.
D: Mobile support, as well as our custom rule sets. So, so thrilled with the team. We're, of course, in the headline of the release post. This is a, a giant release for SAST. I'm thrilled. I've gotten customers who already reaching out about these features. I'm a little scared of sales finding out about them and overwhelming us. So do know that. I, I think that, with these features coming out, we will see an increase of questions and interaction between the sales team and account team. Again, always feel free to point them towards me.
D: Don't feel like you have to step into any of those questions, but yeah, definitely check out the release post. Let me know if there's anything askew. Also, unfortunately, our friendly customer, who is the MVP of this release, did pull their blog post where they detailed the, the implementation journey they went through with their analyzer, so I've had to backfill a blog post. I've made it very generic about integrating and extending via community contributions to GitLab Secure. Take a look at the blog post.
D: Let me know if you have thoughts, feedback, ideas. I don't love it at the moment. It does point to a variety of different open source contributions we've had, so let me know if there's a significant one that I missed, but overall would love feedback there. But again, really thrilled about this release. We've accomplished so much, and I think, even when you just look back the nine months that I've been here, like, we have covered so much ground. Super proud of this team. Amazing work, everybody.
D: Yeah, yeah, if you can point me at the community MR, I'll get that added in.
A: Then, lady and gentlemen, thank you very much for your time and attention. Happy release week. Let's wrap up today, get everything to a place where we can set everything down, and let's turn our attention to secret detection post-processing starting tomorrow. So thank you very much. We'll talk soon. See.