From YouTube: Secure Backlog Refinement Office Hours 2020-04-16
Description
Session on backlog refinement for weekly secure planning office hours
A: This was a card that got passed to Ross that I was working on, and I think we haven't refined it, and I double-checked with him on Slack a moment ago that he doesn't mind me, you know, weighting it and adding the group, basically working through the description and updating it with what we decided in our comments. So I can do that after this meeting. I don't think we need a synchronous call to do that, but I will do that today.
A: Get that one over, then the next one that doesn't have anybody on it was this "standardize security analyzer loggers." So that's why I jumped in here, and I saw that this seemed very similar to something Zack was already doing over here in this MR, our common logger, but I saw that he pulled himself off, so I was asking him what he thought, but I'll let you vocalize what you said in Slack exactly.
B: Format for loggers, and so basically what we need to do is go through all the analyzers and see where we're logging with format prints and replace it with an actual logger. So all you need to do is, I think I have in that MR an example of how you would use it. So you just need to import logrus and the common log util, then you can set the formatter to the default, and then just go through the code and replace.
C: So I feel like I've been getting burdened by this exact conversation a lot, in that, like, I've been doing deprecation notices for us, but then all of Secure is like, hey, can we expand to all of Secure, and then, like, oh yeah, by the way, Auto DevOps and all the other configuration templates. So my thought is yes, start with us, but maybe check and see if it's logical to either get the work coordinated with other groups, or if we care enough about it to go ahead and just do it ourselves.
D: Yeah, I think that largely I completely agree with Taylor. I think that a big part of that is level of effort; for something like changing a line of logging, it's probably a pretty simple change. The other thing that I think is worth addressing is not all security products are created equal, or rather, are not that different, so dependency scanning and SAST are obviously very tied in together, the analyzers, so those two should probably be treated more similarly than, say, license management, and DAST is always off doing its thing, container...
B: That we could do, because Victor, he created the Golang issue that I was working on, and so we could just copy all those analyzers, because all those are Go, and then just apply the same thing here. Just update the logging for those analyzers, for those projects, which I think would just be SAST and DAST.
B: Loggers, but I like that other folks...
D: If I recall correctly, they didn't care, so I would say just do it, and again, it's mostly abstracted away in a common util. So I think that it's a fairly simple change to move forward later. But standardization is good, so standardize there and then, if we do things, cool, but it's not like, unless someone invents a new logging level this month that now we need to use, mm-hmm, I don't imagine it's a concern. Yeah, I agree.
E: So I just took, and not this one, yeah, so I'm trying to understand the scope of this issue, or can anybody please elaborate on this? Like, this is a completely new thing for me. Like, I'm trying to understand why we need to move it to Core. That's why I'm just trying to read this one, like this issue.
C: There's an active discussion right now with leadership about whether that's a care that we have or not. You probably saw the blog post of us open sourcing, or moving down, 18 features to Core; that effectively already exposes the license check, so it's one where we're kind of like, if they did it, let's also do it. So I think we may go ahead and move this forward in 13.0. I'm meeting for a final approval on that. So now that we might get moving very quickly on SAST Core, okay.
D: So if you look at, like, the entire lifecycle of how this works, we have an analyzer run in a job that produces an artifact that gets uploaded to the Rails app to render it in a merge request, and eventually it gets rendered in the security dashboard. That's a full lifecycle. Security dashboard is an Ultimate feature, so that is not going to change. So that's fairly easy: just don't show that item in the sidebar, and, you know, permissions and stuff.
D: We don't currently distinguish between any of our analyzers in that way; we just check if SAST is a feature and run the analyzers, so I'm not sure that it makes sense to break these down per analyzer, with the lone exception being whether secret detection is separate, which, based on the title of this, it's not.
E: Oh, I forgot, so what I meant, like, there are similar issues in the breakdown I saw. This just only says to Core. There are other analyzers to Core, I saw, I don't know whether that is related.
A: Had a couple more clarifications now that I better understand how we're working through this. So in the, in our Google Doc, Lucas, you mentioned to ignore container scanning for the logging issue. That's actually a Go repository that uses common. Should we, klar, should we actually include that and just ignore license management and DAST?
D: Like, I forgot that klar actually uses common. Yeah, it should probably be included, then. Okay, cool, klar.
B: Though I forgot who I was talking to about that, but they implemented something, I think they have their own kind of logger implementation. So let me, but it's specific to klar, it doesn't live in common, so I mean, the way I see it, we should have it standard across. You know, if you're using common, you should use a common log.
A: In the issue, it actually says something about documentation, and it's talking about documenting the logger. It's documentation here. Does that make sense, like? Are people going to be able to modify the level of logging, or what kind of documentation would we want to be seeing added here as a part of this issue?
A: Okay, that makes sense, but in terms of, wow, sorry, kind of lost here, there we go, nope, where'd you go, there. It is this documentation task, I don't see what, what do you all think that should be? I think this probably goes away. We probably do want to add a checklist to our README, to our MR template. This is assuming...
D: Added a link in the doc to the page I was looking for, which I can, I don't know where this is linked to, because I can never find it, but the Security Scanner Integration document, which I think is primarily for third parties that are generating scanners, integrating with us. I think that's probably where that would go. Okay, cool.
A: Do we want documentation on each of the analyzers' READMEs regarding it, or is it probably clear enough to have it in code? Right, okay, I'm thinking I'll probably just drop this whole little section of documentation, then we'll have one for the... I don't know what would be put in the project template README, though. What would the, does this go away too? What kind of documentation do we really want?
D: You go back to the project. Is there a go.mod file in here? Okay, no, good! This is a template for security products. I don't know, I don't, I'm trying to remember, I made this like a year ago. I never touched it, so I'm trying to remember if there was a template for analyzer projects, which would actually be the one we'd be interested in. Yeah, I don't think it's necessary, honestly. So I'm...
A: Right on, yeah, but as long as it has group static analysis, then it'll show up on our board and we'll, well, refine it at some point. Okay, cool, yeah, 'cause there's, I know, one card we stopped tighter, and I need to create a couple issues to create new QA test projects, and so I'm curious what I was gonna do with them, so, makes sense.