From YouTube: Secure::Static Analysis weekly meeting for 2020.11.16
A: All right, happy Monday, everybody, welcome back. Hope you had a good weekend. I'm going to rifle through announcements. It's all about PTO, so we've got some folks that are out this week. We've got a lot of folks out next week with American things, with Thanksgiving in the United States. There's a Family and Friends Day coming up next week. So if you happen to be not taking all of next week off and haven't marked that off, please, please take advantage of that. And the other one is...

A: I finally got around to writing my Q4 OKR, so check the top of the document; you'll see what I'm chasing as far as what the objectives are and key results. So a little bit different this time, and...

A: All right, I'm seeing "me" and "yes", which means yes wins, so therefore it's gone. I'll remove it as soon as we're done here. Taylor, floor is yours, sir.

A: All right, item four on the agenda. So there is a big conversation that's floating up between Todd and engineering managers on if we should mix up how we do retrospectives. We're looking at two things: we're looking at a drop of feedback coming into the issues; we're also looking at a drop in attendance as far as the synchronous calls that are happening on Mondays. So we're wondering if it's time to shake things up a little bit. There's an issue for this.

A: It was supposedly due last Friday, but I forgot to bring it up this past week, so I'm bringing it here this week. So there is no consensus yet as far as what we're going to do. This is to make sure you know that we're talking about it. There's a few opportunities that are available here, and I'll pause for questions in case people have any.

E: Ahead, I think splitting up the retro might make sense, kind of limit the focus a little bit. But when you announced this, you mentioned something about this: switching up the retro, but also a decline in attendance of the Secure weekly. I'm just not sure how they're related.

A: I will fully admit that when I wrote this, I had "What Do You Do with a Problem Like Maria" from The Sound of Music playing in my head. And so there is a serious question that's coming up. If you start looking at Common with being a shared custodianship project: I mean, we use it, Composition Analysis uses it, the new Container Security group is using it.

A: There's conversations about whether Browser, which is now part of Dynamic Analysis, is going to use it. There's a question whether or not Fuzz Testing is going to use it. That's a lot of chefs in one kitchen. I know we talked a little bit about this this morning as far as loosening up the approval rules so that it's not quite so onerous, but this is very much a big and open topic that we should participate in. So if you have opinions on what we need to do here...

A: Issue. I'll move on just because I'm looking at the clock, and I know we've got a few things left that might have a good bit of conversation. Item six: there's a handbook update that I filed late last week. So this is an FYI. It's an open MR related to us. Specifically, you can see there's the three big categories it changes; two are related to us.

A: One is related to how we engage with our friends over in the front end team, since they are supporting four groups at once, as opposed to just having to deal with...

A: ...to deal with us. So I wanted to make sure that you all knew what was happening. This is directly related to one of the retro items from 13.4. Any questions?

F: It's probably worth me saying something in this regard. Thank you, Thomas, for creating these MRs. Yeah, I think we identified there's a lot of disconnected pieces that makes it hard to manage, especially across four groups, and right now we have like 10 active projects and I'm learning about new ones like by the minute. It feels like new large projects are rolling in, which is super exciting, but it's just so much more to manage. And so Thomas and I discussed this a lot last week and determined lead time was the main thing.

F: If we can improve how we introduce notice, how much lead we're given across all groups and front end, you know, everybody, it'll really help. So that's what the focus is.

F: I will say that SAST is quite clear right now. I think we've had a tremendous amount of alignment with Mark, you know, Florian being involved with SAST front end work. So there's a ton of transparency happening, and I think that continuity is really beneficial. We don't have that as much on other groups.

A: So this is, if we think we've got something that's ready, if we think we need support from front end, that's to call it out early. Even if it's a false positive signal, having the signal is good, because this will allow us to start asking the questions.

A: All right, and now that Taylor's on camera, we'll back up to item three now, and apologies for going out of order here.

C: [noise] Thanks for the patience. So we're at the end of 13.6. I wanted to check in and see: is there anything we need to do with the AWS team in particular? I'll mention my morning has been crazy because of this particular project.

C: I think Thomas has shared with a couple of y'all: there's some press folks digging around in a thread on Twitter about comparing us and GitHub secret detection. It's very square in the area that we're focused on right now of doing post-detection revocation. We wrote up a statement for them this morning, which I'll link in here in just a second, if I can find it. There we go, so that you can see that.

C: But I wanted to make sure that, with us coming up to the end here and with us having now some press folks watching, I wanted to make sure that we have this sort of fully buttoned.

G: About the whitelist, I think it's already recorded in the issue where they're implementing the SRS service, yeah, in that issue. And the remaining work is, like, there are two MRs that we need to merge from our side, the Rails. Then we can call the SRS service API, and we have also got the estimated volume of the requests that we are going to make from the secret.

C: We do have a sync with the AWS team on Thursday afternoon. If there's anything that you all want me to follow up with the AWS team about, it'll largely be talking about where we're at, how we're going to roll this out, and then potentially pivot into a marketing conversation now that we're starting to get some press inquiries about this, and figure out how we're going to handle that. Any other thoughts about the AWS API?

G: If the API goes down, then on our end we'll get an error. There's a Sidekiq job; that job will retry 20 times.

C: Awesome, okay, I think that answers my questions with the AWS API.

A: Let me translate the question I didn't hear Taylor ask: this is a dot-com, SaaS-only feature, which means we're not bound by packaging in the omnibus to release this. There's a release post and a whole lot of other stuff that are tagged at 13.6. Are we concerned about that?

H: It's in progress. Okay, so Taylor, I want to...

G: Clarify another thing: so on our side, we'll retry 20 times. That means, so on the Rails side we're talking to the SRS service that's been developed by the automation team. So we're talking to the automation; anything happens to that API call, any error on our side, we'll try it 20 times.

C: Yeah, I'll check in with them. I'm less concerned about, like, it actually triggering the AWS thing; that's on them. I more want to make sure that we don't end up in a blocked state with a weird error, with secret detection failing because it couldn't revoke or whatever. I would just make sure that we handled it gracefully on our side.

C: Okay, I think that's good for now. Feel free to post any questions in the Slack channel. We're at the end. Thank you all for your focus on this. I suspect this will end up taking off with press.

C: The thought is that this press inquiry may turn into others, and then once this actually gets published, I think it'll end up attracting a good amount of attention, which is kind of different than what our initial plan was, but we're just going to sort of roll with it as the market and press react to it and discover things. So I'd say the only other thing to be aware of is: know that people are looking at our issues, and so let's just be cognizant of what we're putting out there, because press is likely snooping around on these issues in particular.

B: So to just quickly touch on what Thomas raised earlier: are we not considering marketing this feature as something that is available to instances at present, or rather BYO revocation API as a feature?

C: I don't think it's worth doing right this moment for this initial release. We only have one, AWS, one cloud vendor integrating with us. I don't think that's a very compelling story for the amount of effort. It's one that, if self-hosted instances come to us and they're interested, we'll talk them through it, but it's definitely not the primary story, because I think it's just a little convoluted.

C: I think we'll very soon have many of those just completely gone. My suspicion is that the big holdout is actually GitLab, as Becca pointed out in the Slack thread that's linked there. So, fascinating way to look at data and see how our jobs are transitioning.

A: Okay, next item, number nine, and then we're caught up; we're not going out of order after this one. So thank you, everybody, for your patience. In the sub-department-wide weekly earlier today we were talking about, there's a whole thing about workflows and epic workflow versus sub-issue convention and everything else, and Todd made it known that he was looking for a group to volunteer to try this out.

A: There was a workshop that David hosted a while ago. I've pulled up the presentation as far as how issues and epics are intended to be organized, as well as the agenda document from when it was presented.

A: I'll be honest, I like this better than the sub-issue convention, because it keeps us working, it enables us to work within the GitLab application, as opposed to trying to bolt on sub-issues into GitLab, which we don't support and which clutters up issue boards and what we're trying to release. So I'd like for us to try it, and I'm seeing if anybody objects.

D: I just had a couple questions: do we have meaningful work to be organized in this fashion, and when are you looking to run the test?

A: I need to talk with Taylor first. I went ahead and put this on the agenda without talking to him, so I'm going completely out of order. I see him smiling, which means that I am in trouble, and so we'll, so...

A: Current timing to me dictates that this is not 13.6. This is probably not 13.7, which means a 13.8 start. As far as I would be concerned, it's too close: 13.6 is wrapping up, 13.7 is about to start, yeah. We can react fast, but do we really need to?

B: I think that there's definitely things that we need to figure out still from it, which are some of the valid concerns Olivia raised before, things like epics aren't assignable and the epics' relations to each other can be a bit convoluted, so there's bound to be dragons. I don't know if any are direct blockers to getting started, but I guess that's the point, was trying it out.

C: But that's my biggest concern, is that I think there are still limitations with what epics can do. With that said, I think we are largely operating in this fashion today. Let's take the post-secret-detection epic, for example: we had a technical discovery issue which created an epic with all of the sub-issues linked in. So I think we're using this pattern today.

C: We also will end up running into the epic nesting limitation, which I know the Plan team has on their radar and it just keeps getting punted a release. I think it's now 13.7; we'll see if it gets punted again, but yeah. I mean, it's a learning curve, but I think we're already operating this way today, and I'm certainly trying to organize things moving forward with this sort of structure.

A: Neal, your turn, sir.

F: Thanks. So, and I'm a thumbs up on epics, by the way; front end loves them. We just want to make sure we're working with the group in the best way possible. So it's your discretion. The next three topics, the first two are more thank-yous. I know Scicat and Ross are jumping on some work to get us caught up on allowing Core users to use our MR widget for security scans.

F: I don't know if there's anything to discuss other than: yes, I can. I'm not exactly sure when you free up from the work you're doing right now. It would be nice to just have an idea for the timing, just because, like, release post, things like that, maybe depend on it.

G: I think Mark has already created an MR, long before, related to moving those APIs, but for some reason it didn't work. I can follow his changes and see how we can make it an MR with all the specs passing.

F: Yeah, I think it seems like a user-tier type of logic, yeah, following the thread at least. So, no, thank you again. So yeah, just so we have an understanding of when this might continue. And then Ross, I know Abiel has some PTO. She was working on an initiative to aggregate our artifacts so that you can download them in one request rather than the kludgy system we have now. She's on PTO through Wednesday; I think she returns Thursday, but I know Ross, you're jumping in to keep that moving.

C: Yeah, I do want to take a moment and just say that this is a very impactful project, both the MR-to-Core experience as well as the upcoming configuration page to Core. This is the first time that we'll have an in-product, in-context upgrade experience for customers, and that directly ties Static Analysis to upgrade revenue, which is how I get us loved by everyone in the organization. I already know and have data to show that we're encouraging people to upgrade to Ultimate, but this will give us that explicit data tracking.

A: I'm seeing nods, yes, so I'm determining that I'm correct. So we need to wrap that up, I mean, so if we can finish that first while ramping up on this, that would be the preferred order.

F: Cool, so this is a heads up. So we did some fantastic work on enabling SAST through the UI. Our first phase of that was a button, just "enable via MR", which behind the scenes creates an MR. I think Ross did the bulk of this work, and it creates an MR and then we just navigate the user to that MR page, so there's no, like, real user interaction aside from clicking a button and then submitting the MR.

F: We have dependency scanning, so Composition Analysis has dependency scanning, and then one of the other scan types in the future are going to be leveraging the same exact experience. So we're currently breaking down that work. Ross, I just cc'ed you on this issue for your thoughts. I think the biggest discussion item right now is that work was done before we did everything in GraphQL. So it's still a normal RESTful. I think it's very much in the SAST code base as well.

E: I will take a look. Just shooting from the hip, though, definitely lots of hard-coded SAST stuff that will have to be addressed, that's for sure. But I think we have moved away from the REST API; like, we are doing everything in GraphQL. It just needs... there was some cleanup that needed to be done, I think, just before we got rid of the REST stuff, so I'll check on that async. So, cool, thanks, yeah.

C: Yeah, this is, we met last week and we made sort of the same decision for secret detection: rather than moving to build the config UI for secret detection, we'd start with this simple straight-to-MR button. I think that's a great iterative improvement, especially when you add it to the config page to Core. It gets us something faster to help customers get secret detection turned on, so I'm really happy with that outcome.

D: Yeah, I know we don't have much time here now, just mentioning, though, I've got Friday off and next week off, but I'm going to be working hard to try to help get rule disablement through the ringer today or this week. So we've got a Common MR we gotta get polished up and through, and then bump Common across all analyzers, and then as well as a couple, Secrets and MobSF, need full MRs for support.

D: So a little bit of work left to do here, but it'd be great to get this buttoned up so that it's ready to go for the release. So just wanted to make that call out, and might need some help on some of these MRs. Lucas, was there anything else we wanted to add to that?

B: I think the only other thing was around the documentation, which I think there is a placeholder release post for this, but this might be empty, I don't quite remember. But if that's blocked on the documentation, I'll start working the documentation today or tomorrow, so we can at least have that in. We can merge the rest of our analyzers all the way up till the 21st at midnight, but not the documentation stuff. So is this going to make 13.6?

B: Odds are good, yeah.

B: Yeah, so the MR that enables it in Common was done, but a bug was discovered, which is currently under review and approved from our side, and waiting on one review from Software Composition Analysis, which should come in tonight. I'll poke at him as soon as he's online.

A: Yeah, that's a wrap. That's everything; we're at time, even if we had more to discuss on call time. So thank you, everybody. Let's have a good week. Let's get everything wrapped up. Thank you for everything you're doing. We'll talk soon, see ya.