From YouTube: Secure:Threat Insights Group Discussion 2021-03-16
B: Should we get on with the agenda, and if Matt comes, yeah, right. So, follow up from previous discussions? I added something there. Oh, it's my good, how convenient!

B: So if I remember correctly, we now have an epic for this, and just as a refresher, this came up because we were trying to add a comment to the state changes, and then we found out that we couldn't add comments to all the state changes. Just some of the transitions supported it.

E: Yeah, I'm not sure if this... I don't want to derail the work that started, but it also kind of changed after Matt said that there has to be some auditability to this work, right, but we were exploring new designs that would decouple the commenting from the status change, so almost like how we do it in issues today, where you see activity, you know, adds labels, removes labels, all this stuff, and then comments intermixed between that, so kind of free form.

E: Commenting is somewhere where we want to go with vulnerabilities, and we might not need to necessarily tie those to the direct action of so-and-so change. State, comment below, we really kind of, I guess, like backed into that as a way to... it's a forcing function for users to comment on the status they are changing without having the UI component of that comment field accessible on the vulnerability details page. So that was kind of like the history of that component. So the auditability thing makes this tougher, all right. So.

B: We did look into notable. I made that suggestion, and Jonathan and Shibashi's were on the call, so either one can give a brief overview of why we didn't do the notable.

B: Well, we haven't done any extra work yet, and we had already done the comment using the feedback record anyway, so that work was already done, so we could still revisit the epic if we think it's worth it. It just means that whatever's already been done, the comment field for the transition that they're supported, which I think is the dismissed.

E: Okay, I wonder if it would be helpful to identify the solution to this problem specifically around what customers' expectations are in terms of the auditability of vulnerabilities and what information they want to see, right. Is it that the dismissal reason alone, like dismiss false positive, that feature that we'll be working on? Is that enough, or is it like an articulated comment from a human as to why this was dismissed?

E: So maybe there's some problem validation that would help steer the direction of these, like, larger back end changes.

B: If we can validate, if we have more certainty, it's probably better; these things are complicated as it is, yeah, and right now we have a nice path to clean up the problem. With the feedback model, we can always refactor it to split the comments back into notable, if that's what we decide to do. I don't know, what do... what's Chuba, Shuba, Shibashi's and Jonathan.

A: I think the whole discussion came from, correct me if I'm wrong, Jonathan, came from, like, there were other issues as well, like from the feedback and vulnerability models, things, and what we can do to... we can make it one model, that's... we can get rid of the feedback model, that will get... we will... the ripple effect will be, we will get rid of other problems that you can see, what we were discussing in the videos as well, so we were taking this.

A: This is as an opportunity to work through this, and it will solve both problems, and also the... I just want to add on the audit issues. The audit issues itself is like what we proposed in the videos, or like in the epic. It's pretty easy, like it's a small model which will only track where it's coming from; that part is not. I think the bigger issue in the epic is like whether we are getting rid of the feedback model or not and creating the vulnerability itself.

D: No, I was... no. I was actually going to just say, you know, that's pretty much it, yeah, that's different, because the feedback model does not do everything we need to do at the moment, because it only works for certain states.

B: On top of that, Andy, you'd be happy to know that we resurfaced the one-to-one versus one-to-many vulnerability versus finding discussion.

B: Oh, we would... you also, as part of this. This thing was great because it triggered all these other discussions. As part of that we also talked about, instead of only flagging "this is on the default branch" or "not on the default branch", we thought about the concept of a source, vulnerability source. Where did it come from? Or it came from a branch, all right? Which branch did it come from? Oh, it was the default. No, it was another branch. No, it didn't come from a branch.

B: This is coming a little bit from container security, because when you scan a container in an environment, that container doesn't necessarily correspond to the default branch, it doesn't correspond to other bra... it might not. It might correspond to any other point in the reference, and the DAST on-demand scanner can correspond to any website on the internet that you authorize to scan, so it doesn't.

B: It's not even, yeah, so.

B: Just taking notes. Did we cover your second point? Did you wanna...

E: Basically saying I redesigned it, decoupling it, so ignore that, I'll move some pixels around. It would be nice to support general commenting on the vulnerability details page, but that can be done separately, and then perhaps in a new model, a potential model.

E: We could hear this idea of open/closed versus kind of the myriad of statuses we have, where closed would be the things that need to be audited, right. Why was this fixed?

E: Was it fixed? Why was this dismissed? Why, you know, and then the open is like, these things are open. They have open issues, they're being worked on, et cetera, et cetera, and then we have a lot more flexibility in the UI to present kind of a default list, like we do today, of open vulnerabilities, which is just the pre-filtered state of detected and confirmed.

C: So we've identified that there's a need to update the ECharts library that's being used in GitLab UI that could resolve some of these bugs, but overall we believe it's adding value. So it's staying up as is, and Savage is also working now on the additional issue, which is around adding the date.

C: Well, that's what I was chatting with Savash about in our one-on-one this morning. That came up in part of the review with, I think, Ezekiel, the maintainer. So we're gonna look to see what that effort would be. You know, it could be as easy as just updating it and there's no breaking changes, but the testing on that could be hard. So I asked Matt if he was okay with us taking a little bit of time out of one of the next couple of milestones to take on some of the debt.

E: You can get UI polish credit for the next.

C: And Dave is not here, but this is about the issue for planning breakdown, so we were talking yesterday. I think this might have gone just as easily under the other discussions, but there's a lot of people focused right now on the generic security report schema, which is fantastic.

C: It's the top priority on Matt's list right now, and Dave's question is around testing, so he can mock the data until he's blue in the face, but we should put together a plan as a team on how we're going to generate some test data to exercise the various cases. This may be something we want to pull in other Secure groups for. I know that Cameron Swords has already been helping Dave out a little bit with, like, here are the higher priority items that we're looking to use more immediately, so we're prioritizing those.

B: Not only that, Cam has actually picked up the back end issue for us, so he's implementing it, super stoked about that, and he might have a suggestion on how to test this locally, because I saw a comment of his in the merge request offering help to the reviewer to say: hey, if you want to run this locally, you can do this, this and that. So he and Dave are in the same time zone; if they want to sync up, he'll probably get what he needs from Cam.

C: So I know that we've got another issue that's in progress right now around generating that schema for the front end to consume. I'm assuming that that back end issue is going to run into these same questions as well around, you know, getting all that data into the database, you know, or like getting scan results to consume into the database to exercise the full end to end there.

B: So he's got it already. The MR is up, so he has already run that locally, so he definitely has a way of consuming that, and we're done. Anyone for any more?