From YouTube: Keynote: JavaScript Security Panel - Adam Baldwin, Jessica Wilkerson and Michael Dawson
A:

B: Sure, thank you. My name is Jessica Wilkerson and I currently am a cyber policy adviser for the Food and Drug Administration, where I work on cybersecurity policy for securing medical devices. Before that, and particularly relevant to this group, I was the cybersecurity research director at the Linux Foundation, and then prior to that I spent five and a half years with the United States Congress, looking at cybersecurity issues in healthcare and energy, telecommunications, pretty much all over the map. So that's me, thank you.

C: All right, hey everybody, I am Adam Baldwin. I am a product manager focused on software supply chain security at GitHub. As you can see, I'm sporting my npm shirt; I came over recently in the npm acquisition, where at npm I used to run security operations, and, let's see, prior to that I also started the Node Security Project, which many of you may be familiar with as well.

A: I'm Michael Dawson, IBM's community lead for Node.js. What that means is I get to spend a lot of time involved in Node.js and the OpenJS Foundation, participating in a whole bunch of the different working groups, including ones which have touched on security and so forth. So Jessica, one of the things that really interested...
B: Sure, it's definitely a huge consideration for the Food and Drug Administration in particular, and when I was at the United States Congress, where we oversaw other federal agencies who have stakeholders in critical infrastructure. Like you said, cars and others, and, you know, certainly everybody on this panel, and everybody I think who's gonna be in the audience, knows that most software today is primarily open source. You have open source software in everything; you're never gonna have a piece of software, nor really should you, that isn't built with open source, and so open source security is critical infrastructure cybersecurity. That's just the way that it is today, and so for us, we are working currently with our stakeholders and within the agency itself to figure out how to tell what a given product is built out of, so software bill of materials is something that some folks may be familiar with.
A: I can see that being really interesting in terms of, you know, some of the things we're working on in the community, in terms of, say, the Package Maintenance Working Group, where, you know, some packages are looking for more support or struggling to keep things going. If that software's being used in some of that critical infrastructure, it's even more important to figure out how we get the businesses which are using them involved in participating, to collaborate with the maintainer, support them financially or through some other mechanism.
C: Yeah, I'd definitely love to see more support coming out of organizations that rely on open source. I have often said you're responsible for what you require, right, what you depend on, and that risk is transferred to that organization, and a lot of times we hear, oh well, you know, we're just consuming it. Basically, if you're not supporting it, then you're sort of pushing that responsibility onto others, which is unfortunate.
B: I was gonna say, you know, at the Food and Drug Administration, and I think in other parts of the government, we're much more used to dealing with physical supply chains. You know, we've known how to do that for a long time. If you are the final goods manufacturer, I think the term is final goods assembler, of a car or something, you are responsible for anything that you put into your final good, and I think we don't necessarily have that same mentality in software, and nor necessarily should we, but I think there are lessons learned and best practices that we can look at from the physical manufacturing space and certainly transfer over to software. I think if we don't have to relearn all of those very hard lessons, you shouldn't.
A: Yeah, definitely. Like in the Package Maintenance Working Group, we're working on some tooling and I think that'll be, you know, important. Things like npm audit seem to have helped a lot in terms of raising the visibility of vulnerabilities. The tooling we're looking at is to help you understand the packages that you do depend on: what level of support they provide, what kind of backing there is behind the, you know, the project. Is it, you know, one person building it themselves as a hobby, or is it actually backed by a commercial company?
A:

B: Yeah, I think there probably are. The two lean, I think, is an interesting question. That's something that's being developed in parts of the sector right now for many folks who are involved in ongoing efforts, multi-stakeholder efforts, around software bill of materials. That effort has passed, to a certain extent, the idea of whether or not it's a good thing; I think the answer... and everybody needs to be doing it, and even necessarily what it looks like. There's certainly been frameworks proposed for, if you were going to do software bill of materials, here are the base elements it needs to have, and now I think the next really large hurdle that everyone is trying to figure out how to surmount is: how do you possibly do that much asset and inventory tracking when you have versioning concerns and all these other things? And so the tooling is going to be very important, and I think in some circumstances it is unique in ways that physical manufacturing and physical goods tracking isn't, but certainly there are enough analogs and parallels to the next...
C: It seems like there'd be a lot of things that we can adapt, kind of pull and adapt. There's, you know, there's automation for food processing, right, to identify a bad piece of fruit and to automatically, you know, remove it from going yet further down the line, or a lot of that is process driven, right. So luckily, in the digital space we can implement those things in a lot of automated ways. Let's go...
A:

B: It might be my internet, I apologize everyone, but I think one thing that I do think we want to be careful on, and this was something that we explored when I was still in the United States Congress Energy and Commerce Committee, and it's something that we certainly take into consideration now: open-source software developers, in some cases, they're commercial, they're getting paid to do this as part of their jobs, and others, they're not.

I think one thing that we do want to be cognizant of and careful of is, as we continue to see, at least as we continue to reveal more open source usage within critical infrastructure, to be careful about what we can realistically expect those developers and those package maintainers and others to be providing, you know, depending on what level of support they're getting in their daily walk to do this kind of development. I think, you know, there has to be a proportionality and a balance there so that we're not overloading that system.
A: Yeah, I know, absolutely. One thing, you know, the conversation has made me think a little bit about, like, is there something that, you know, the project or the OpenJS Foundation should be trying to do to bring people together to talk about this particular topic, so that the JavaScript community is ready to continue to participate in those areas in terms of the software being used, or is it that, you know, the larger problems will be figured out in general and just apply to JavaScript as well?
C: You can still vendor better things, but, you know, I kind of look to what JavaScript has done as definitely a leading edge in terms of, like... I get my words mixed up here, but yeah, I mean, like, what we're doing is going to influence, I think, a lot of the other ecosystems, given the popularity of JavaScript.
A: Okay, so we're kind of hopefully already doing what we need to be doing, just need to continue pushing forward on that. I went away... maybe move to another topic based on what Jessica just said in terms of expectations. One of the things I've kind of seen recently flare up a couple times is: there seems to be some tension between maintainers and vulnerability reporters, and, you know, some discussion around, you know, reporters will get paid through bug bounties or through some other way. Meanwhile, that can cause a lot of work for maintainers who aren't necessarily getting paid, and the existing tools don't necessarily help out in that, you know, if they report a vulnerability, it may not even apply to a particular package or project, but they still end up having to go through a fire drill to address that. So I wonder what your take was on that discussion.
C: Well, you can kind of blame me for npm audit if you want to; you can tweet me at @adam_baldwin. But yeah, I mean, we started that pattern a long time ago with NSP, right, like sort of being: it looks like, okay, this package has a known vulnerability, surface that, and it's brought attention that we wanted to raise awareness of. It's definitely caused, you know, some heartache, some chore, some frustration, because we're using the same tech, we're doing the same thing that, you know, I started doing eight years ago, right. Like it hasn't really adapted; we haven't got context around the exploitability of those vulnerabilities: are you actually calling the method that is referenced for a piece of vulnerable code? And of course that brings pain to the maintainers, right, like that brings somebody that says, look, this is a bug, and, you know, the maintainer might not think it is, but the security researcher thinks it is, and there is definitely, you know, a tension there. But what we have to realize is that on the researcher side, they're trying to help; they're genuinely, in most cases, trying to help. They're trying to surface a problem that they see and they're trying to help, and I think that we haven't done... you know, what we need is to facilitate better communication between those worlds.

Following that curiosity, they are also trying to make a name for themselves by finding these things and ultimately trying to help the ecosystem the way they know how. We as developers and as that ecosystem have not invited them in fully. We still keep them kind of at arm's length: we report things here, and even though that tooling is not that great, we even have, like, we have npm, we have GitHub, we have the foundation.
C:

A: I'd agree. Like there's, you know, even discussion in the community right now and the Security Working Group about the vulnerability database reporting, and, like, you know, as you said, things have changed over the last eight years, and so it's a good time to kind of figure out: well, should we have these different vulnerability databases? Can we consolidate? Can we make it easier to report? And I think your point about bringing people into the projects more closely is important. Like, I think, you know, a lot of the time there's friction. That's because you have sort of what feel like two sides. If we can bring the researchers and the project closer together, hopefully we can get more of the, you know, the "us", and I think things go a lot more smoothly like that. So, you know, maybe that's something that we need to try and get some focus on. Sorry, yeah, Jessica, I...
B: I was actually gonna say it's interesting, because I think, you know, in government we're usually a couple steps behind everybody else, but I think in this it's interesting because we actually have developed at FDA over the last couple of years a very robust coordinated disclosure program, so not necessarily that finders of bugs in medical products are reporting them directly to us, though they can, but going directly to the manufacturers. But in a lot of cases we found, in more recent issues that we've had, we're able to essentially put us, the manufacturer... and I think the part that's made that very valuable for us is this time element of, you know, you're all saying sometimes it's very difficult for these maintainers that you have to go in these fire drills, and what the model that we've sort of adopted here, where appropriate, of having everybody on the same call, in the same room: the manufacturer can just ask the researcher about the technical details and the researcher can provide the feedback, and it becomes this loop so that those little pieces can be identified and, okay, this isn't part of this vulnerability and we don't need to worry about that, and it's not something that the manufacturer, in our case, is tracking down in a vacuum. And we found that to increase the speed with which vulnerabilities can be fixed.
A: Yeah, I don't know, that almost makes me wonder, like, today it's kind of the model where you report the vulnerability but it doesn't necessarily come along with a fix. I think it would be a lot more valuable if we could somehow get to the point where it's like either, you know, the fix is jointly developed, or along with the vulnerability it's like, and here's a way we can fix it.
A:

C: That's, see, that's an interesting thing. I've been on both sides of that, in terms of I'm a security practitioner, I can write code, but I don't write very good code, and so you probably don't want what I consider to be a fix to be contributed to your project, right, but I can certainly find and pinpoint that flaw. I would absolutely love to see more security practitioners coding, I mean to be contributing code. I think that if they were, they would feel more empathy for the other party on the other side of what's happening here. Again, I think that sometimes... I really think it needs to be a collaborative effort. I would love to, you know, obviously getting a pull request that says, hey, here's a problem and here's a fix, like that's absolutely wonderful, but, you know, you run into projects that are like, well, we don't have any test coverage, so you have no idea what you're breaking, right. There's a lot of, like, basic hygiene things that could be done, you know, across the board, and you're talking about moving thousands and thousands and thousands of developers in the right direction so that, you know, these things can improve.

That is the one sort of method that we have to sort of communicate: that is, put that in your project and say, you know, email me here, because of wonderful things like GDPR and all the things, like, we don't necessarily make all that data, like how to contact you, public. And I'm hopeful, I'm new to GitHub, but I'm hopeful that we can get some of those private channels to maintainers for reports, so they don't show up in public issues and things like that, but basically asserting, like, this is...
C:

A: Right, okay, so actually, you know, time flies; we're almost out of time, so I just want to give you each, you know, 30 seconds to, you know, make your call to action. What would you like people to be thinking about or doing to help move us forward on the security front for JavaScript? Jessica, you want to start? Sure.
A: Okay, and I'll just close out with, you know, we've mentioned a few times that collaboration would help in a lot of areas, and so my call to action would really be to come and get involved in that in the JavaScript community. We've got a proposal for collaboration spaces out there; you know, we could make security one of those. I think if we can get more people involved to figure out what the best practices would be, what that basic maintenance would be, it's gonna be a lot easier than each maintainer having to figure it out themselves, and then security reporters having to deal with different approaches and so forth. So that's my call: this is for everybody to, you know, hopefully come out and help be part of the solution by getting involved there.