From YouTube: Secure::Static Analysis weekly meeting for 2020.12.14
A: Happy Monday. It's like everything's the same and everything is new all at once. That seems to be my theme for the day, so I'll go through the announcements. Reminder: Family and Friends Day is this Friday, so I know a lot of folks have already cleared it off, but know that we're closing GitLab's doors. Last week we were talking about scheduling the happy hour for this coming Wednesday.

A: All right, and this is an FYI, though we may need to talk about it: we're gonna do an experiment this week, tomorrow, for 24 hours, turning on security approvals within the analyzer projects, not GitLab-wide. This was a cover. This is something that's been discussed several times in staff meetings, and I haven't brought it here yet because it was still "are we doing it? Are we not doing it? What are we going to do?" So, it's the approvals go to engineering managers and AppSec, so Nikhil. If Todd were here, he would be part of the approval group as well. So this is just a "let's turn the feature on, let's see if it behaves the same way as we remember it behaving over a year ago, and record that as part of an OKR, and see what happens from there." So FYI, disruption is coming. All I ask is lean into it. Let's see how, either good or bad, what's changed, or if it's even workable. So let's not shy away from things.

B: So, just to vocalize mine, I was asking who to ping. My understanding of the current status is that they will not be notified; just because you're an approver, you are not notified, so we need to explicitly ping and ask for approval from EMs or Nikhil. Okay. So that's our current strategy right now.

A: Alrighty, I'll move on. So next week is the beginning of the end-of-year festive period. I'm out the next two weeks. A lot of people are out next week and some of the following. Should we just go ahead and cancel the next two weeks of this meeting?

C: Taylor, welcome. All right, so if you haven't, definitely check out Sid's latest investor update; it should be in your email inbox. If you don't happen to check that frequently, some highlights: mobile apps got shouted out in it as part of our 13.6 release, 13.5 release. There's also some language, basically, around the success of Secure as a stage and growth of ARR from our top accounts with Gold and Ultimate, as well as our number of customers paying us more than a hundred thousand dollars.

C: What's particularly interesting for us is that SAST is a large part of that story. The way I like to put it is SAST is the gateway drug of security scanning. It's generally what customers are going to start doing before they advance into more sort of additional scan types, DAST, fuzzing, etc. So we're directly impacting the growth here. I'm super proud of what we've accomplished this year. We've moved a lot around and I think we're really seeing that success from our customers.

C: So truly fantastic work this year, and we've got lots of things planned moving forward. So yeah, definitely take a look at that investor update. Any questions on...

B: So the biggest blocker currently for splitting common into sub-packages is naming. So please contribute to that issue if you would like. We need to name a namespace and stick things under it, and common is not our best one.

D: Oh, missed my cue. Yeah, I was wondering if there's a process for team members to suggest new scanners or analyzers and maybe share a basic proof of concept for those.

A: Basically, file an issue. It needs to be more than just "my humble request is..."; it needs to be not just "integrate this thing." It needs to be along what capability it provides, yeah. It's the response to the issue that will determine what the thing is. What are we trying to do with this thing? It's the business driver that determines that, that helps inform prioritization, or at least that's the way that I look at this.

C: We don't hear that often enough, so when it's a language that's not widely used or that we don't have a large number of customers using, it's probably not going to get prioritized. Now, I think this is where we get into sort of these unofficial integrations. I know there's a number of them that have happened.

C: SonarQube comes to mind; there's been a few others that I can't think of off the top of my head, but basically that's kind of where we get into that unofficial integration territory. I'm very interested when customers want to do that integration work, or when our SAs or TAMs want to do it as well.

C: I'm never going to stop y'all from writing unofficial integrations, but we just need to be very careful about how they get posed to a customer: that we're not officially supporting them, that it's not part of our product, that it's purely on them to run and integrate with. In terms of your question about "do they need to support JSON export or a JSON output," I think largely yes. If there's any chance that we're going to pull that into an official integration, it needs to work the way the rest of our scanners do.

C: So this is where, anytime I see these sort of ad hoc unofficial integrations forming, I try to steer them towards the integration framework, because that is the best chance of us picking that thing up and turning it into part of the product. And in fact a great example of that is the H-E-B contribution of MobSF.

C: We worked with them to make sure that they were following our integration guidelines, and then we sort of picked that up and moved it forward. So that's kind of my advice as you see these new areas or want to go try building integrations. I think one additional thing that I would like to see personally is for us to, rather than just keeping those integrations off on some hidden branch or some namespace for an SA...

D: All right, very helpful. Thank you. Oh, and I see I got a whole bunch of helpful links. Thank you for adding those. Oh, I guess, yeah, one final question is: in the SAST office hours last week we were discussing scanning infrastructure as code for security vulnerabilities, and it kind of seemed to blur the line between a linter and something that's actually scanning an application.

B: So I agree with that in theory, but to describe the current state: we don't do a good job of that. We don't even do a good job on secret detection, where gosec actually has one rule that checks for hard-coded tokens.

B: So if we wanted to be purists about it, we would actually exclude some of the existing rules in our SAST tools that are relevant to secret detection or dependency scanning, but we don't. Theoretically, that should just be filtered out by the vulnerability dashboard by doing some deduping of CVEs, but we don't currently enforce that very strictly. Now, others of our linters are just linters. We filter the linter rules by security-specific rules, which is basically what we do for ESLint.

E: Do we have a plan for supporting SAST for infrastructure as service in the next year? Do we have that in the roadmap recently?

C: We've got an issue open for infrastructure scanning. It's definitely something that's on my mind, and we're starting to see customers express interest in it. I know this is an area in particular that Sam White is looking into as part of Protect, so I suspect our ambitions with growing our Protect revenue will probably cause us to do some integrations on the SAST side for infrastructure scanning, but I don't think we have a hard plan for that at this moment.

A: If we were to use Static Analysis weeklies as a barometer of how complete a year is: congratulations, you have completed 2020, since this is the last meeting of the year in this series. So hopefully everybody has a chance to catch a break over the end-of-year festive period. Hopefully folks can join us in the happy hour later this week, and we'll talk soon. See ya.