From YouTube: Threat Management Team: Office Hours
Description
Open office hours for topics related to Threat Management groups - Secure:Threat Insights & Protect:Container Security
A: Welcome to the threat management office hours. We've got a pretty good group here today to talk about items on our agenda, which I think are fairly empty right now, so this is going to be ad hoc. So hopefully, folks, Kev or Dominic, you guys have questions or items that you came to discuss.
A: One bit of advice I've gotten from folks who are running other office hours is that in the future it would be beneficial for us to put together sort of a, you know, here's some topics that we're going to dig into, and ask engineers to come prepared with sort of an overview. Unfortunately, we haven't had time to do that coming out of the holidays, so I will work with Thiago and the team for the upcoming office hours, and Mats and Sam, to try and provide sort of a base level of agenda.
A: But that being said, we don't have one for today. We could puzzle, which is what we did last time, and I think that's why Jonathan came. But that being said, Kev or Dominic or Sebastian or Jonathan, anyone.
C: Yeah, do you... there's surely issues for that, but can you speak to what, like, the security dashboard, and not the report, the actual dashboard, like, what's in store for that? Where are we going with that page? Now it has the nice little graphic. It feels a little naked to me. I was wondering, like, what's the future for that.
B: Sure, yeah, I'm happy to share this. This is kind of like draft thoughts right now, so caveat that this is only... I've had a week back, just kind of like rearranging things after two weeks off, so still loading some of the stuff up. But looking at what we did last year, the key thing was to start splitting apart the dashboard into the separate vulnerability report and then the actual dashboard pages themselves, and you're right, they do look very sparse or naked right now, because there were two things and now there's one.
B: What I think I would like to see happen this year is for the group dashboard in particular to start adding between three to four, we'll call them high value, high utility widgets, visualization widgets. So top of mind things for that one are like: how long has a vulnerability been open, so you're seeing time to remediation, so you can kind of track how you're doing in terms of how long things are hanging around, calling more attention to potential trouble spots in projects.
B: I know we've got the project, we call them the, you know, the scorecard or the letter grade that they're assigned now, but making those more, I guess, contextualized, so that you know that there's something beyond just, you know, these projects have this many vulnerabilities of this severity, calling out things like where there are projects that potentially are not configured for scanning or, you know, have never been scanned. That's a gap right now.
B: Yeah, so we've heard a lot of great feedback from you and your team. We've had several requests from customers. Another one, and this is more kind of on the... it's part compliance, in part "how am I doing", is: show me what I've got currently in all my projects in this group that are on, it could be OWASP Top 10, is a real common one, or the Top 25 CWEs list.
B: That's... I don't have the issues for this yet, because this is kind of something I was thinking about last week and realizing, you know, what do we need to do with that? An interesting insight that I got this morning is, so I track page views and usage, or unique usage, of a lot of the areas of vulnerability management.
B: I would say the security centers, so the personalized dashboard and, interestingly enough, project level, are roughly flat over the last six months. But the group utilization for both the security dashboard and the vulnerability report has been steadily increasing for many, many months, and I think that makes a little bit more sense to me in the context of having now a little bit more customer feedback.
B: People like that group level view because it gives them more kind of that top down, and so I think that's going to be an important area to focus on more. Some of the things that the project level may make sense to... or I said the other way around, group widgets to put on the project dashboard. But I think the group is where we'll see the most potential benefit in the near term.
B: Ones, yeah, I'm not sure about the files as much as calling attention to, like, if you have a group that says, you know, dozens, or maybe even some of these folks that I talked to, they might have a hundred plus different projects inside of, like, one really large group, right, a big corporation, it might be an entire business unit or something, and then all their...
B: You get GitLab org, there you go. So just being able to have a rollup view of: I need to know everything that I care about that's got a critical vulnerability in it that is active in the default branch right now. So that kind of, you know, that quick check, but then, when I have these dozens or hundreds of projects like that, I need to know if something has gone wrong in my process of scanning the project.
D: Yeah, I mean, thinking about this, I haven't thought about it much myself, but you're thinking about, like, something that might be useful, something around the most recently found vulnerabilities. Like, you know, there's a list, like, these are the top... like, this has been the most recent found, top five, top ten, in a small widget.
A: We're still working on, I mean, we've got the age right now, or we've...
D: Yeah, and I know that we have a lot of that on the vulnerability report, but, you know, I'm thinking just the top ones. Oh hey, yeah, these... this is new, or, oh yeah, we haven't had anything new in the last two months. I mean, I know that we can see that in the dashboard as well, as like, what did we introduce.
C: Did we improve our security posture around authorization bugs? So if we see that going down, we can get a feeling that something we're doing works right now. It's like, I feel like we're having fewer HackerOne reports, so nice metrics and dashboard would make also great material for the sales people, I think, like, when we're doing good, just like, hey, see how this has decreased so much over time.
B: That's a really great point about our own performance. I think what you're talking about there is really in line with some of those, like the Top 25 CWEs. Changing that a little bit, people have also requested, I think exactly what you're saying, is: show me the types, or the families, of vulnerabilities over time, so I know if I need, like, training around a particular area, like, I'm seeing a lot of cross-site scripting errors and they're just not going down. Maybe I need to go talk to the team about that, or, yeah.
B: Well, that's actually probably good food for thought for Jonathan and Shubashish as you kind of get started on this: the question of how we map in between some of these different types of information. So we do have the CWE set. OWASP is different, but there are mappings between a lot of the CWEs and the OWASP categorizations and, as Dominic pointed out, there's a hierarchy, and sometimes the scanners will give you the highest level, most generic parent; other times... I think, I forget how many depths it can go to, it's like three, maybe six.
C: I'm on the MITRE website, and you have as generic as "improper neutralization of input", so that's like injection at large, and then you can go on, like, stored XSS, or, like, just a bunch of it. You even have, like, XSS through an encoded URI scheme in a web page, like, super precise. So yeah, knowing there's too much granularity at some point.
D: No, I think that's a good point. I mean, to be able to see, like, on the top level, like, in the groupings, that'd be useful. Even the scanner types on the front page. I mean, Matt, is... do we, and I was thinking this, too, as well, are we going to be adding more ways to filter this vulnerability over time graph, or are we just going to kind of keep it as is? What I don't...
B: That's actually probably a good thing to check in on. So there were a couple of additional filters that we had deferred at the time just so we could actually get the main graph out. I think there was supposed to be... I think the only thing missing is potentially setting custom time windows on there.
D: Should... I'll throw that out there after this meeting. I'll get some... throw this out, and also, you know, maybe clicking on these dots to do something, just looking at it right now.
B: I don't want us to be in a position, long term, where we feel like we're just sort of a widget factory, where we're almost like professional services. So I want to really try to focus on delivering... there's some really common visualizations that you see across basically all the competitors in the space, because they make sense for things like that. So these vulnerability trends, SLAs, any, you know, problem spot markers.
B: Ideally we would end up with somewhere between, you know, four and six of these out of the box. That's your preset dashboard, and then one of two ways, and I'm not really sure where this is going to go, but long term, we either allow people access to the data, give them some sort of simple chart builder. There is, I don't want to mention the name, but there is one particular competitor who actually does this really well.
B: And you have your limitations, like you can pick a, you know, you want a line chart, a pie chart, a bar graph, here are the facets, and then you can kind of construct your own visualizations, but it's not like they've recreated a BI tool, right, you're not going to get that kind of thing. The other side of that is we just give everybody the data.
B: I mean, we have open GraphQL APIs and we make sure that they have access to that, and then they can pull that into whatever visualization tool of their choice, and I know we actually have customers that are already doing that. I've seen some pretty impressive dashboards, things that I think we could take inspiration from. They are a little company specific for our purposes, but, yeah, that's kind of where my head is right now, half a dozen.
C: Size sense, yeah, dashboards about time to remediation and, yeah, when... which issue has been open when. So if you have, like, this chart, and you see, like, everything is kind of condensed towards recent times, but you see, like, something in 2016 that just pops, you're like, oh, we have this old thing laying around. It kind of makes it obvious on the graph that you have this thing you might have forgotten, or something like that.
B: That's a great place to start digging in, and it's worth mentioning one of the first things that we'll need to address before we start adding more than a couple of these is a way to actually, like, basic configuration on the dashboard, because I know not everybody's going to want some of these things. So how can you just turn things on, turn them off, maybe even basic sort.
G: I actually have a question, because when I was last working on the security dashboard, quite a while back, I saw that the security dashboards are now the vulnerability lists and the security dashboard is now this new graph that you got, but we're still, or you're still, calling it a security dashboard in the issues and in the code. So that's, yeah, that's a little bit confusing.
G: Yeah, so there's one project, for example, there's the security dashboard and the vulnerability list, and the worm vulnerability list is actually, in the code, the security dashboard. And, I think, there's also a security dashboard label, because it was called security dashboard either in the group or in the project before, and now it's renamed. So that's a bit confusing.
F: Oh yeah, that I remember. When I was creating the new security dashboard with all the charts on it, which is now technically, well, I guess the security center represents all the pages, right, and then, anyways, when I was creating that security dashboard page, you're right, security dashboard was already there and I didn't think I should rename it as part of that MR, so I just called it security charts, and then I thought I created an issue to change all the names, but I did not.
F: It seemed so. I should go back and do that, but that will be an issue coming to you shortly.
A: Alexander, I know we still have some work around getting rid of the term first class vulnerabilities. I believe we still have an issue open around that. I know that Kev helped us with some improvements to our folder organizational structure, but I don't think that takes out those references to first cross bones. Maybe this could be kind of wrapped into that as far as consistent terminology in the code.
G: I think there's a second one, if I recall correctly. I'm not sure I can find it right now, but there was one for the full destruction. There was one run, one for organizing something else.
A: Yeah, I think that's... I think we're talking about the same one. So directly related to the improvements to how we're organizing our files and what we're calling our folders, there was one about removing references to a term that we don't use anymore. When we first introduced standalone vulnerabilities, we had a term, first class of vulnerabilities, and...
A: Cool, I will take an action item to follow up and add a comment to the issue about the first class vulnerabilities with this feedback from Kev.
F: Thank you, Kev, for pointing that out. That had fallen off my radar.
B: Makes you feel any better? I keep going back and, like, looking for stuff, I'm like, oh, when did we change the name to vulnerability reports, because we split it apart. So there's, like, all the information talks about the security dashboards up until, like, November, and then it's the dashboards and the vulnerability report. It's hard renaming things.
A: It got me in trouble with Sid in one of the, like, two times I've ever talked to him, in iteration office hours, where we were asking about, I don't remember exactly, it was a different approach to how to break up these dashboards and get them in front of customers, and he was very hung up on the terminology of security center and why.
B: Hey, real quick, I just want to share my screen and share something to go back to part of our earlier conversation.
B: So there are just these six or eight, nine, I can't count. These are the roots, and then it goes potentially all the way down six layers. So you can kind of see how everything is connected, and this is what I was talking about, is, like, sometimes a scanner is going to give you something like this "interaction error", not super helpful, but it could also give you something, you know, drilled down to one of these more specific classifications.
B: So it's going to be something we'll have to consider, is, like, how do you make that association to say, you know, a 416 really rolls up to this 435, like, you know, as potentially a manager or, you know, team leader, someone who's looking at this group level, trying to figure out where my trouble spots are in terms of types of vulnerabilities being introduced. Gonna have to make some sense. I don't know, I almost kind of wonder if this is, like, one of those...
D: I mean, we almost need, like, a tree structure to get this thing, kind of.
B: Yeah, the visualization is going to be a challenge for sure. I mean, fortunately, this is a tree structure, yeah. I think they offer, like, XML or JSON exports of this entire hierarchy.
G: Also important, if you want to graph it, you don't want to graph use-after-free and SQL injection. Maybe you want to graph the bigger groups, because if you have just a few of them, you could just get a very tiny graph, which you can't use and can't give other people to see.
C: There's probably one layer that's a little more useful than the rest for visualizations, at least, and, like, first iteration, if we don't have a drilling down. Maybe the second layer or third is the sweet spot. Now it feels like the second from this view, not sure about the more web oriented stuff at the bottom.
D: Yeah, I'm looking at this, I'm just trying to make sure, like, there's nothing where it's duplicated, where it'll drill down to, like, for example, like, something in the third layer doesn't have two parents, like, it's all...
B: Oh, that's really great insight. Well, and even instead of a drill down, maybe it would be possible to actually, you know, just if you just had a drop down to show you by the layers, if it just updated based on just that vertical slice, instead of having to make that traversal, something. Yeah, I think where that's going to be a little bit tricky is the MITRE Top 25 CWEs. I haven't done it, excuse me, a deep analysis of this, but I'm pretty sure they're sort of spread through the different layers.
B: That I don't know, I'd have to go and look at that again. I just know that those are the... I guess I don't know how often they reevaluate it, but I think it's the 25 most commonly made mistakes, basically the CWEs that appear most frequently, and I would assume that they're at different levels of the hierarchy. Honestly, they're probably pretty far to the right, they're pretty far downstream, I would think, because they would have to have that level of specificity to not get into that problem.
B: People ask for, like, the OWASP Top 10 or the CWE Top 25: show me how I'm doing against those two benchmarks, because there's going to be stuff, of course, outside of those, but several customers that I've spoken to, that's how they measure their internal success to their clients, is they'll do things like prove that they have nothing in the OWASP Top Ten, for instance, but they may still want to know that they've got these other, you know, potential problem areas internally, like that.
F: Wouldn't you not display this graph then, but instead, like, have a widget that just lets you toggle between, like, you know, this vendor Top 10, Top 25, and then if the list is empty, just, like, say, hey, you don't have anything in the Top 25. But then, if you do, you just, like, list out the vulnerabilities.
B: Yeah, I think, I'm sorry, I'm showing this not that I think we'll use this as a visualization. This is more to give a visualization of what I'm talking about with this very, I want to say complex, because it's not, it's just, it's very, very large hierarchy of how the CWEs all sort of map up to each other.
A: So to Dominic's point earlier about being able to look at trends across findings, across categories: is this, like, the category level that you were thinking, Dominic, at least, like, you were saying the first or second? That's where you'd like to see the impacts of your work and where the trends are changing over time.
C: Yeah, like improper access control. It's a second layer thing, it's not too deep, but it's still constrained enough to be useful, like, we're better at avoiding authorization errors in our APIs, this will go down, and probably, like, there are probably other issues, like injections, probably another second layer.
B: If there's a CVE, it almost always will have at least one or more CWEs associated with it, because that's part of the application process. Some of them are using alternate systems, like the OWASP classifiers for things.
B: So that's going to be a really big challenge, as well as an opportunity for us, is to provide sort of these mappings between some of the different systems, both sort of side to side in between, like between OWASP and CWE, and then also vertically: can we drill up and drill down, like, in a CWE hierarchy, because I don't think we're going to have a whole lot of choice, especially with the open source ones. It's kind of like you get what you get that comes into the feeds.
D: So how often are these updated? Like, just thinking, like, how difficult would it be to maintain the database locally?
B: Probably not that difficult. If you look back at the CWE history that MITRE publishes, I think this is the 2017 version they're still working from; prior to that, I think it was the 2013 version. So it's, like, it's every few years, and it's not like they throw away all the numbers and start over from scratch. I think you'll see there will be some additions, probably more like breaking apart things and more granular classification.
B: And I think, I don't know this for sure, but I believe they've left some gaps in some of the numbers in places where they can actually sort of extend forward instead of having to go and renumber things. I think that's kind of how they've tried to carry things to the standard, so that, you know, improper access control is 284.
B: That's a good question, though. One thing that, not a hundred percent on this, but CWE feels like the right, we call it system of record, or way to measure things to translate into in between. So if we can get things into CWEs, I think this clear hierarchy makes it a lot easier for us to do some of the visualizations.
B: Some of the, you know, correlations or grouping on the dashboard for some of the future work we have planned for this year. That probably makes the most sense to use as kind of the underlying "how do we classify vulnerabilities". If we have a CVE, we'll always show that, because it's the most specific, but the CWEs in general is kind of what we're dealing with, since hopefully most of what we're finding, outside of, like, the dependency scanners, are unknown vulnerabilities out in the wild. So that's what we're going to get.
C: Oh, it's meant... it's... it's not really meant as a competing system, and more, like, these things happen all the time, so you should pay attention to it, but, like, the number one is injection. So this is super, super wide. But surely you can pick a few of those second or third level CWEs and say this is OWASP number one, A1, and I'm pretty sure we have a one-to-one mapping and there's no... there won't be much grey areas.
B: Yeah, well, that's one of the funky things with the OWASP and the CWEs, is they're set at a very specific level. So if we have something that's more granular from a CWE, you would actually have to sort of go up the hierarchy until you get to the CWE that maps across to the OWASP category, if you're trying...
B: Gotcha, sorry, I think what I was... we're saying the same thing. What I was trying to point out is: if we have the mapping of that 261 to A5, but we actually, well, if it's a layer below that, like, let's say that we, you know, we come over here and what if it's 256 is what we actually get from the scanner. We may have to map that back up until we find the...
B: Yeah, I get it, yeah, ancestor that maps to the A5. That's just going to be a technical computing consideration for the team. Yeah! That's why we'll have to store it sort of like we have two different mappings. Well, we'll have to store the OWASP classifiers, we'll have to store all the CWE hierarchy, we'll have to store the mapping of the CWEs to the OWASP classifications, and then be able to sort of move up and down as we need to, yeah.
B: Yeah, absolutely. Incidentally, there's an open source working group on, it's really more on the disclosure side of vulnerabilities, but Nicole and I are in there, and it's like my head is exploding, because there's so many different standards, and people keep showing up to this group with the different standards somebody has tried to start, and these are people that have way more experience in the field than I do, like decades, and they're going, whoa, I've never seen that one before. So pretty quickly came across the xkcd comic, the old classic, about...
A: We haven't made any use of our wiki yet, I would say. There's been some discussion about when it's appropriate to use the wiki and when it's better to make handbook changes or use issues and MRs, and there have been some very vocal opinions against wikis for a number of reasons. So, Alexander, you look surprised. So, you know, wikis are less discoverable because there's not a lot of history associated with them and the search doesn't find them as well. That was the feedback that I heard loud and clear.
G: Yeah, my biggest concern that I wrote was that you can't comment there, so it's really inaccessible, kind of.
A: Right, I do see some items under container security, and to your point, Kev, I think that, you know, in most cases we either have an issue or a handbook page, and with handbook pages you can't make comments, which doesn't solve that, but...
A: Any other thoughts on that, Jonathan or Alexander, as people who have been part of the conversations about the wikis over the last couple of months with us?
D: Is that in the handbook? Where is the wiki anyway?
D: Yeah, I don't think... I haven't had it on mine that we had this, because we have stuff in the handbook, we have stuff in the docs, that I feel like, you know, organization process stuff is in the handbook, any kind of application stuff is in the docs, and I do think that adding a third level of documentation, their location documentation, would be challenging.
A: Yeah, I think we'd have to have a real strong reason to put it here versus create a handbook page or add it to an existing handbook page. Alexander is someone who's been working in container security; given that there's some content hung off the container security page, do you have any thoughts on whether that's been useful or not? Have you looked at it at all?
F: Yeah, that's a great question, because I'm about to embark on getting the container security part of the application working locally, which requires many steps, and I am getting ready to document that as clearly as possible and was wondering where that should go, because there are some, like, dev specific...
F: So I think, resonating with what Jonathan said, there's already so many places to put docs. Besides, yeah, and I added a third one by saying there's some repos that just have markdown files that have instructions in them. So yeah, I think there's not a good case for a wiki, though there's still, like...
F: I know there's a bunch of snippets floating around on, like, how to create alerts locally, how to create vulnerabilities locally, and, like, where do those end up, and maybe the handbook is actually, like, a link to the snippets in the handbook is maybe the best place.
D: No, so we have those, we have snippets for how to develop with, like, work with them locally, right there. I would think some of that stuff should go into the GDK, because there's a bunch of how-to stuff in the GDK.
D: I feel like some of that stuff would be useful to have over there, because if I'm looking for how to do something locally and developing, that's usually the first place I look for it.
A: Thank you for bringing this up, Kev. You know, again, I know we've had this discussion. I think it may be kind of got lost a little bit over the holidays, and we can revive it, and Alexander, I think you'll have a good opportunity going into container security and what you're planning on documenting to give us your feedback.
F: There's also a bunch of stuff in the onboarding issue for this group, so, like, I have that saved, because that also explains a lot, and I know the onboarding issue's been updated to include a lot of these important snippets.
A: How can we share that information easily with community contributors? Maybe our onboarding issues need to be something that, you know, are findable on the handbook or something along those lines, or at least the information that we find to be valuable to getting rolling with those, or getting, you know, developing with those.
B: So I think I missed the discussion. Was it Kev? Were you bringing up the wiki and that you were hoping we were going to use it, or, like, are community contributors finding the wiki and then kind of not knowing where to go from there, expecting there's information that we have other places?
G: Yeah, well, so I think Lindsay, when I was working on a merge request, sent me the snippet, community contributor FAQ, and that felt a bit off because it's not really discoverable like the handbook or the GitLab docs. So, yeah, I was asking, maybe it's good to put it in the handbook or, like, you have these wikis, that's what first came to my mind, and so I asked about that, to make these pages, like, more discoverable for other people.
F: Yeah, one thing that I wonder about is, like, the runner is non-trivial to set up, and so every time a community contributor pops up and is contributing to vulnerabilities and then showing screenshots of having real vulnerabilities in their local, I'm always kind of mystified, like, how would you do that?
G: Yeah, or that the docker container can't access the instance, like. I think there are multiple ways how to get there, but I think in the snippet there's something now, and I think that works.
A: So I'll take the action of updating our wiki to add links to the snippet, and then, as a group, we can continue the discussion around what value the wiki is bringing to us and the right ways to use it. Alexander.
A: I hope everyone else agrees with that, but just to ensure that going forward we do get some coverage over topics like what's happening in container security, I'll work with Thiago to start to seed these office hours with some areas where we feel like maybe we've gotten a lot of questions from people, or that are more complicated, that people want to learn more about.