From YouTube: Secure::Static Analysis weekly meeting for 2021.01.11
Description
No description was provided for this meeting.
A
Okay, all right, a reminder: Family and Friends today is Friday, and MLK Day is a week from today. So this is a four-day work week for everyone. So please, please plan accordingly.

A
That was mentioned in last week's weekly. In that, there's a brand new retro project that's been spun up for each of the projects that have been spun up for the individual groups. So there's a link to the static analysis retro project. There is a 13.8 issue that is already created and is available for feedback, and so we'll be using that going forward.

A
So with that being said, let's go ahead and get into the.

A
So the way that I was planning to handle this is by looking for commentary that came from this group specifically, and then, if y'all want to talk about anything beyond that, I'm happy to discuss that here while we're at it. So I see one that I would like to discuss in addition, but I'll bow to the group think, and I'm going to share screen so that we're all following along.

B
Yep, so this came up when testing the token revocation work, but testing in production is not the same as testing elsewhere. So there are some race conditions that we're experiencing with job executions, namely we had a service that relied on scanning the job reports to determine if there are tokens to be revoked, namely AWS ones, that relied on the report being stored. So if the report job that kicks off does not occur before the job scanning for tokens to be revoked, nothing gets revoked, because that report doesn't exist.

B
Sorry, but sometimes that doesn't happen because background jobs are fickle, so we don't really have an environment.

A
I'm going to share my ignorance with a question, but I'll lead with my assumption and an assertion that desperately needs to be challenged.

A
Scale and traffic affect latency, and so I get why this particular behavior would not be shown in development, because there's just not inherent latency within the local development environments.

D
I think, I don't know whether we have a similar environment in QA.

D
Yeah, first thing is: this is very hard to track. Like, I needed to take help from the infrastructure team, who has access to production logs. We do not have production, but we do not have access to production logs. Actually, sorry, not production logs, the Rails console in production. So it's hard to see what's going on, how this race condition is... like, we are seeing this condition.

C
I guess, I mean, we talked a bit about staging. The only other, and not offering any solutions here, but like, stuff gets deployed to staging, and then it's not on staging very long before it goes to production. So it gives us limited value in testing something on staging, unless we, you know, have it behind a feature flag so that it doesn't immediately roll to production live.

B
Yeah, in this case we do actually have a separate configuration, so it's possible to separate those two if we separated it correctly, which I think we did, but it's... I guess that actually does remind me of something here, though, which is, while there is a feature flag in place around the instance level configuration.

B
I don't know if we have that strong of an understanding of the entire background job life cycle of this part of the code base, namely after build finish worker fires. It triggers this worker, which triggers this worker, so you kind of have a chain of background jobs. Some of that is feature flagged behind the configuration. Some of that is not so.

D
So, in this case, our best attempt to resolve these issues is to make the code as deterministic as possible, just by looking at the code base or source code, yeah. For now that is the best we can do, because whenever you create a Sidekiq job, all the Sidekiq jobs are asynchronous, and you cannot say that there's a chain of execution; there is no order of execution of Sidekiq jobs.

D
As generic as possible, or as deterministic as possible? And deterministic means not, yeah, synchronous, that, yeah, synchronous, like.

A
All right, thank you. Gonna make a call out, seems any so. Hopefully everybody's had a chance to be in this issue. Is there anything folks would like to... any other items folks would like to discuss, because that's the only bit of commentary that came from this, this.

A
All right, silence means nothing, so I will call out one item that I will reference in Slack and invite us to think about and potentially talk about in this issue and other issues to come, and this is the one from Mark about moving features to Core: it can take longer than expected. This has taken time. It's taken a good bit of time, and I, there's, I.

A
This is really inviting us to start thinking about why. I have some opinions about what the problem is, but I'm not going to state them, because I don't want to influence people's response or thinking about it just yet. So I would very much like us to think about this, because not only is it taking time to move things to Core, but you can very much imagine a need for, or at least have had discussions about us needing to have, a graduated experience, for lack of a better way of putting it.

A
Because there are licenses between Core and Ultimate. So do we need to start thinking about exposing some features at Premium or Silver and then even more up at Ultimate, so that you get more and more as you pay more, as an example. So that's something that I see: this is a recurrent topic for us in the near future.

A
That was the only retro item that we had for 13.7, and I get it, I get why we made the change, and it's also that we were in the midst of holiday time, so hopefully we'll have more to discuss with our team eight, and we'll go from there. Anything else before we close out that topic?

A
All right, I'm moving on. I've got the next two numbers, so I'm on number three: we own what we ship.

A
This is something that has been merged in, and there's been a few conversations that I've had in private related to this topic and, interestingly enough, there have been multiple people thinking about this that I think have come to that up here.

A
To come to the same conclusion, the way we are, and so my conclusions on this is that me taking on dependency updates, and I'm not talking about every single dependency that we have, I'm talking about the primary dependencies that we rely on, like SpotBugs or Security Code Scan or Bandit and the like, me taking that on as a maintenance chore on a monthly basis, which I'm happy to do, takes away the opportunity for everyone to get it.

A
What it does is it sends a signal that we, as a team, really don't have to care what the underlying tool does, and how the changes in behavior of the underlying tool don't mean anything to us, and we need to get out of that particular pattern, and so that was the motivation behind this MR going into the handbook. For us, the practical implications of this is that we need to start.

A
But there have been some instances that I can... I don't remember exactly. I don't have exact instances in mind, but there are instances that come to mind of where a question comes to us and we respond with, "well, that's in the open source scanner, so that's not our problem."

A
That takes a lot of effort, and it's not something that one person can do, and so what I'm looking to change is who's looking at our open source scanners, and also creating it so that people own our relationship as a group to those open source communities, so that we're becoming active participants in those open source communities and contributing back to them. Whether it is changes that we need, or it is security vulnerabilities that we detect and they should patch, or it should be patched within those projects.

A
And yes, security scanners have security vulnerabilities, which is interesting, and so what I'm looking to do is distribute out so that everybody is looking at or owns a few scanners. We have 13.

A
That doesn't divide evenly by five or by any number, since it's a prime number. However, what I was looking to do is reflect some of the natural patterns that we have as a group, in that we have a staff engineer that we all lean on quite heavily with questions, and making sure that that staff engineer is not overwhelmed with their own work and can remain a resource for everybody, should you need the help. So that means four engineers times three equals twelve.

A
I'm deliberately not saying how we do this. I am willing for it to be first come, first serve. I am willing for you to say, give me priority order: I want this one the most, I want this one next most, and I want this one the least, and I can dole it out. I can do it however you'll want to do it. So is there any questions about this particular change and how we can go about realizing.

E
Sure, yeah, I mean, for me this is just really exciting, because we're about to start caring a lot more about vulnerability research and how that actually works, rules, how we detect various vulnerabilities. So to me this is an opportunity for us to really kind of roll up our sleeves and see how other tools do this, so we can take those learnings into vet and our proprietary engine. So I'm excited about this.

E
In fact, this is a point later on about exploring vulnerability data, trying to see just what everything these tools are emitting is, and by the way, it's a mess, as you would think. So yeah, I'm excited. I think this is a great change for us and will give us much more hands-on control and experience with what the tools we're leveraging are doing.

C
Okay, thanks. I was also thinking about it along the lines of that, and like, if we think ahead to that, it would probably make sense to divide these up how we might divide up future vet work, because you're gonna have a deeper understanding of it. I also think it might be good to have, like, you know, a primary and a secondary, in case something comes up while, you know, someone's out on vacation or something like that, so not spread too thin.

A
I hear you. We'll think about this for that, but at the risk of too tightly coupling this for future work, and we're still figuring out what future work looks like.

A
Yes, this can't inform how we go about debt front ends and the like, but let's speak specifically about what we have right now, would be my request. I'm hearing, I'm reading Zack's comments, like biking the rank idea. So seeing that as what came in first, everybody DM the preference. I strongly recommend you send me five, knowing that you're going to get it signed out to three.

A
Please do that, because that gives backups as far as what your preferences are, and I'm not sending any threats on this, but I will tell you a story from my younger brother, who went to med school through the Air Force, and for him coming out of residency.

A
He got the, if you haven't done active duty military before, what happened was he was asked to stack rank 15 bases with hospitals where he would like to be assigned. He put in five, and the Air Force took the liberty of filling in the other ten for him and putting them at the top of the list.

A
So, all right! So that's how he ended up in Alaska when he had his residency in Biloxi, Mississippi, and that was a little bit of a challenge in changing climate. Let me just put it that way: no threats, but please give me five, if you would. All right, in the interest of time, I'm moving on. So I've got an MR that is currently open that is finally articulating in the handbook how we work within static analysis.

A
I'm asking for you to weigh in, give me your thoughts, commentary and, if you've got any additions, changes or questions too, please engage on that MR, so that we can get this moved through and merged in. So this is my response to number one, through codifying exactly how we work here. Hopefully this shouldn't be a surprise, and to the end, it's in response to: we are dropping the secure overrides to product development flow, and third, that there's been some changes to the company-wide workflow.

F
Lot, something that we should add to that, Lucas, which I can do that now, is the changing the secret detection jobs and consolidating them into one, like we talked about on that anymore.

B
I think that list is pretty lofty too. I don't know if I would consider those refined deprecations or just spitballed ideas right now, so I guess, worst case, can we say we deprecate something and then change your minds?

E
I don't think it's realistic, and I think there is still a very easy transition plan where we still have all of the original scanners. So I don't see it as, like, a critical "do it by 14.0" thing. That's my immediate reaction to it, but yes, you're right! That's a thing! That's gonna happen sooner than.

B
Later. So I guess your question, Thomas, or your philosophical quantity. I think that build split, build phase is the only one that is that ephemeral, and I don't know if we want to play hot potato with composition analysis on who owns that, but it's, I think, that's a stretch. If anything, the other ones seem more straightforward.

E
I'll run through this real quick, so we now have vulnerability data in Sisense, it's very fun to play with. I was looking at it last night. I needed to pull a list of all of the types of vulnerabilities that we support, which is non-trivial and kind of just turned into me listing keywords from scrolling a list of 6,000 vulnerabilities.

E
It is really fascinating to look through. There's a few examples of what I did, which was ranking by volume and severity; there's also an alphabetical one, which I use to try to group together similar vulnerabilities. It's just fascinating. I'll tell you to scroll through the list of 6,000 to see if you know what things are. I enjoyed that last night at 11 o'clock. Maybe you will. If there are other things that you want to see, let me know, and I can build out some charts.

E
So if you recall that, let me know, and then, I know we're at time, I can quickly run through the Forrester Wave stuff if y'all want, or we can bump that to next week, up to y'all.

A
Why don't we do it quickly. I'll go ahead and stop the recording, and that way we can go through it.