►
A
A
A
A
A
D
D
We
only
need
to
refactor
a
bit
of
the
front
end
because
yeah
there's
some
redirecting
tango
going
on
there
a
lot
of
redirects
and
it
seems
like
the
front-end
angular
app
still
needs
to
be
modified
a
bit,
but
overall,
the
key
cloud,
the
tracking
day
the
whole
setup
seems
to
be
working
now
running
in
a
kubernetes
stack.
So
that's
good.
D
A
D
A
D
Yeah
so
the
project,
the
security
knowledge
framework.
So
basically
that
is
the
communication
and
learning
platform
where
we
will
help
developers
getting
the
right
security
requirements.
There
are
code
examples,
knowledge-based
items,
checklists
like
the
ascs
masvs
and
there's
also
this
capability
that
we
released
like
three
months
ago.
D
Also,
thanks
of
this
to
this
working
group
that
has
like
a
training
module,
so
people
can
do
a
self
learning
or
secure
coding
based
on
david
wheeler's
content
and
material,
and
also
that
api
hacking,
based
on
the
os
testing,
guide
and
infra,
and
basically
you
can
do
all
the
materials.
And
then
you
have
like
this
lab.
You
can
spin
up
and
you
can
also
do
the
practical
stuff.
A
I
posted
a
link
into
the
chat
we
have
a
couple
member
projects
of
which
glenn
helps
lead,
skf
and
think
of
that,
as
the
actual
hands-on
keyboard
of
learning
of
the
good
practices.
We
also
have
a
couple
classes
that
dr
wheeler
wrote.
We
have
the
cre
folks,
which
are
standards
in
code
formats.
We
have
a
couple
of
member
projects
that
you
can
take
a
look
at.
We
have
links
to
all
of
them
off
of
our
page
and
there's
an
amazing
diagram.
Some
genius
put
together
that
kind
of
shows
how
they
relate
a
little
bit.
E
A
You
might
want
to
check
out
their
project
to
see
where
they
are
going
to
be
opening
up
an
api
for
access
to
help
manage
they've,
had
the
scorecards
go
out
and
do
a
scan
of
about
a
million
open
source
projects
and
then
report
on
kind
of
a
risk,
posture
statement
of
kind
of
the
security
qualities
of
those
projects,
and
they
are
enabling
an
api
to
help
with
the
to
help
throttle
some
of
the
traffic.
So
that's
kind
of
exciting
news
from
them.
A
A
All
right,
let
us
hopefully
for
the
final
time
for
this
round.
Let
us
look
at
the
one-page
guide
for
developing
more
secure
software.
This
has
been
a
project
we've
had.
The
intention
is
to
create
a
one-page
resource
that
lists
off
some
of
the
best
most
impactful
practices
you
can
take
as
a
developer
and
as
a
project
and
then
provide
links
off
to
those
resources
on
how
to
do
the
thing
or
get
additional
context.
A
This
will
be
posted
as
an
artifact
as
part
of
our
get
repo
and
part
of
the
the
open,
ssf
body
of
knowledge,
and
we
think
we
are
very
close
to
finalizing.
It
looks
like
david
went
through
and
remediated
any
of
the
final
comments.
So
does
anyone
have
any
parting
thoughts
before
we
start
to
push
the
button
to
get
this
document
published.
A
And
this
is
intended
to
be
a
cheat
sheet
not
intended
to
be
to
replace
actual
training.
So
it's
supposed
to
provide
that
guide
stone
where
somebody
finds
this
and
can
go,
learn
more
about,
for
example,
how
to
implement
asvs
or
how
to
create
your
own
security
advisory,
for
example,
push
the
button
thanks,
dave.
B
F
Yeah
so
one
of
the
things
we
haven't
actually
publicized,
but
I'm
making
my
team
go
through
everything.
We
write
to
follow
the
best
practices
toward
anything.
We
release
getting
the
the
best
practices
badge
and
we
have
several
things
in
in
the
pipeline
to
make
this
happen
over
time.
Obviously,
it's
a
fairly
broad
scope
of
items,
so
we're
going
through
them
all
yeah.
We
can
certainly
do
some
of
this.
I
already
have
a
number
of
people
doing
number
one.
F
So
we
can.
We
can
take
a
look
at
it.
Some
of
this
will
be
harder
to
test
like
the
earning
the
best
practice
badge
as
I
just
mentioned,
but
we
can.
We
can
certainly
test
out
some
of
these
and
validate
a
number
of
them
like
14,
for
example,
we've
got
some
we're
doing
some
work
on
that
and
everything
we're
doing
is
based
off
of
the
salsa
framework
for
15.,
so
yeah.
We
we
can
take
a
look
at
it
and
certainly
get
some
feedback.
E
A
G
So
I
just,
I
think
that
there
are
certain
things
in
the
best
practices
badge
that
get
difficult
with
certain
projects,
and
I
just
wanted
to
bring
that
up
because
it
turned
into
a
whole
discussion
of
like
does
best
practices
even
apply
to
js,
which
was
kind
of
a
whole
thing.
As
you
know,
the
js
community
is
extremely
opinionated,
so
yeah
it
turned
into
one
of
those
things.
E
E
G
Returned
for
the
record,
there
is
static
analysis
tooling.
It
just
is
not
very
big
and
a
lot
of
efforts
that
have
tried
have
kind
of
just
stopped
and
failed.
It's
just
to
be
honest
with
you.
I
don't
think
the
js
community
really
values
their
that
type
of
tooling
as
much
as
some
of
the
other
communities,
but
there
are
projects
out
there
that
do
provide
static
analysis.
G
It's
just
like
one
hasn't
been
touched
since,
like
2018
and
like
another
one
hasn't
been
touched
since
I
think
2020
so
and
that's
the
thing
is
that
there's
it's
more
of
a
lack
of
updates,
and
I
just
and
the
other
thing
about
it
is
just
from
like
the
reaction
with
vite
and
just
the
reaction
of
a
lot
of
developers
like
the
thing
about
js.
Is
you
have
a
lot
of
young
developers
that
kind
of
feel
like
they
could
do
no
wrong?
G
There's
nothing
wrong
with
having
800
package
dependencies
and
not
being
able
to
audit
them
or,
and
one
package
is
from
like
hasn't
been
touched
since
the
early
2000s.
It's
just
a
lot.
I
think
a
lot
of
it
is
the
attitude
because
they're
not
open
to
like
they
don't
see
security
honestly
as
a
if
you
want
to
call
it
like
a
big
deal.
They
kind
of
see
it
as
they're
still
on
the
whole
js
kool-aid
train
of
hey,
look
what
I
can
do
on
js.
C
Stephen,
hey
yeah,
so
you
know
I'm
just
getting
a
first
glance
at
at
the
at
the
checklist
here
at
the
at
the
guide
and
I'm
happy
to
kind
of
socialize
that
around
you
know
the
developer,
advocacy
group
and
and
some
of
the
other
open
source
teams
here
at
microsoft,
but
my
first
just
my
first
impression
was
like
wow:
that's
dense
there
there's
a
lot
there
and
yeah.
My
just
from
you
know
previous
experience
with
with
guides
and
stuff
like
that.
C
It
feels
like
that
there
would
be
little
eyes
glazing
over
and
all
right.
That's
that's
too
much
to
tackle
feel.
I
think
that
it
looks
like
there's
a
bunch
of
excellent
resources
and
direction.
I'm
just
not.
I
I'm
happy
to
get
some
more
feedback
on
it.
My
first
impression
was
like
wow.
That's
that's
dense,
but
I
didn't
put
any
of
the
work
into
it.
So
it's
easy
for
me
to
come
in
and
come
in
and
comment.
You
know
afterwards.
A
Keep
in
mind,
this
is
a
first
step.
Once
we
have
the
list,
then
we
can
figure
out
a
plan
of
how
we're
going
to
evangelize
the
list
train
the
list
there
could
be
potentially
blogs
or
webinars.
We
have
a
whole
other
effort
focused
around
developer
education,
the
education
side,
which
is
the
best
thing
that
meets
tomorrow,
where
we're
talking
about
actual
implementing
training,
and
that
might
be
potentially,
this
artifact
could
be
passed
over
to
that
group
and
we
create
some
training
or
a
webinar
or
a
podcast
to
talk
through
it.
F
Quick
guide
would
be
one
of
the
the
questions,
so
maybe
some
deeper
evaluation
on.
If,
if
you're
doing
this,
you
know
if,
if
I
click
on
this
and
I
go
to
the
page-
is
what's
provided
by
the
github
project
page,
you
know
really
something
that's
easily
consumed
as
a
cheat
sheet
kind
of,
or
should
it
be
in
and
of
itself
a
document.
That
kind
of
clearly
shows
example
of
how
you
use
what's
in
the
github
project.
F
So
those
are
some
of
the
considerations
to
make
down
the
path.
You
know
what
is
the
use
case
of
actually
implementing
this
as
part
of
the
quick
guide
versus
here's,
just
the
documentation
on
how
this
works
and
then,
lastly,
you
know
should
should
this
be
named,
what
it
is,
is
it
really
a
one
pager,
or
should
it
really
just
be
called
the
cheat
sheet
for
developing?
F
F
But
you
know
all
of
the
relevant
information
on
each
bullet
point
is
somewhere
else
right.
So
it's
to
your
point
earlier.
It
really
is
more
of
a
cheat
sheet,
but
I
definitely
think
before
this
is
released,
it
need.
We
need
to
look
at
all
of
these
sub
links
and,
of
course,
I
I
volunteered.
Some
people
on
my
team
will
also
document
some
of
these
things
as
we
find
them,
but
those
are
initial
thoughts.
A
E
G
A
My
our
dear
friend,
xavier
from
github,
who
helps
shepherd
the
codeql
efforts,
has
some
automobile
trouble
today,
so
he
was
not
able
to
join
us,
but
yeah.
We've
talked
about
codeql
quite
a
lot,
and
that
is
something
we
probably
when
we
do
a
blog
or
whatever.
We
could
state
as
context
that
these
tasks
are
automatable.
If
you
leverage
github
as
your
source
code
repository.
A
A
So
before
we
move
on
to
the
next
item,
which
is
going
to
be
the
companion
piece
to
this
one
page
document,
which
is
a
quick
guide
for
evaluating
open
source
software,
we
had
a
proposal
in
one
of
our
calls
and
I
wanted
to
run
it
by
the
group.
Do
we
see
value
in
once?
We
finish
up
this
one
pager
and
then
the
evaluating
one
pager
would
a
next
good
project
be
writing
some
type
of
technical
paper
around
you
leveraging
multi-factor
authentication
for
projects.
I
see
vicky
liked
the
idea.
A
Okay,
if
you
want
to
you,
know,
drop
some
notes
in
our
meeting
agenda.
If
you
feel
you
like
the
idea
or
you
hate
the
idea
or
you're
tepid
on
the
idea,
we
will
probably
definitely
looks
like
probably
take
that
on,
since
we
also
own
the
great
multi-factor
distribution
project
as
one
of
our
sub
projects.
A
This
is
intended
to
be
a
companion
piece,
so
we
have
the
cheat
sheet
for
developers.
This
is
how
you
can
help
write
and
maintain
good
code.
This
artifact
would
be
focused
on
developers
pulling
in
dependencies,
possibly
or
consumers
of
open
source
software.
This
is
how
someone
could
understand.
Is
this
piece
of
software
good?
Does
it
meet
my
risk,
tolerance,
tolerances,
or
is
it
fit
for
use
for
my
project
so
I'll
give
you
a
few
minutes
to
look
through
the
much
shorter
list.
A
C
So
there's
a
bullet
point.
The
first
bullet
point
are
first
number
two,
a
where
we
have
determined
whether
the
default
configuration
interface,
api
and
simple
examples
are
secure
and
if
not
avoid
it,
do
we
define
what
makes
an
interface
api
or
default
configuration
actually
secure,
not
yet
or
or
provide
guidance
in
that
direction.
A
A
So
it
so
just
fun
fact:
it
took
us
like
two
and
a
half
months
to
get
the
one
pager
actually
down
to
a
one
pager
on
the
other
document
and
we're.
This
is
only
like
the
second
or
third
time
we've
talked
about
this
one,
so
this
will
probably
be
a
much
more
involved
process
of
collecting
feedback
and
links
to
help
refine
this
down
to
a
more
usable
document.
A
A
C
Yeah,
there's
the
because
you
have
the
balance
of
all
right.
If
I
re-implement
this
code
now,
I'm
responsible
for
its
security
and
maintenance
and
all
of
these
other
things
and
if
the
those
other
bits
are
already
being
checked
off
by
the
rest
of
that
list,
then
maybe
yes,
it
should
be
added.
But
it's
it's
sort
of
circular.
B
First
of
all,
I
am
completely
horrified
by
golang's.
A
little
copying
is
better
than
a
little
dependency
unless
that
copying
is
including
over
the
oh
copyright
and
licensing
statements,
because
otherwise
you're
just
stealing
literally
stealing
someone
else's
copyright,
I
don't
care
what
license
it's
under.
If
you
don't
give
them
credit,
so
someone's
gotta
have
a
little
sit
down
in
the
heart-to-heart
with
golang,
and
I
know
plenty
of
intellectual
property
lawyers
who
are
very
empathetic.
Who
can
help
with
that.
So
please,
let
us
not
ever
recommend
that
please.
B
I
love
a
dog
that
aside.
I
have
found
that
when
this
does
exist,
it's
almost
always
everyone's
rolling
their
own
internally
and
it's
usually
not
well
communicated
internally
and
it's
certainly
difficult
to
enforce
internally,
and
so
you
end
up
with
developers
just
grabbing
whatever
and
throwing
them
in
there,
which
ends
up
again
with
a
lot
of
compliance
issues
not
only
for
security
but
also
for
licensing.
So
I
would
love
it
if
we
could
find
a
way
to
have
a
single
source
of
truth
for
these
recommendations.
A
As
I
mentioned
to
stephen,
if
anyone
has
any
recommendations
on
good
resources
to
help
evaluate
the
security
of
a
project
or
an
api,
for
example,
our
friends,
the
scorecards
project
and
all
star
may
be
a
nice
criteria
for
something
like
this.
We
would
want
to
provide
links
to
that
they
are.
They
have
a
set
of
security
and
risk
criteria
that
they
advertise,
evaluate
and
then
advertise
periodically.
So
that
could
be
one
criteria,
definitely
to
help
evaluate
the
security
profile.
A
E
A
E
B
B
That
makes
it
difficult
to
do
anything
insecure,
whereas
number
three
is,
I
is
a
maintainer.
Is
there
evidence
that
I
am
doing
all
the
things
having
the
best
practices?
Aha,
I
know
where
they
can
get
badges
for
that
to
develop
this
in
a
secure
manner.
So,
as
the
consumer
is
using
it,
they
know
that
they're
not
going
to
get
into
a
log4j
situation
right,
and
so
these
are
distinct.
I
don't
think
they
should
be
rolled
into
each
other.
B
C
I
was
just
going
to
say
that
I
appreciate
vicky's,
restatement
of
that
and
and
then
the
reordering,
because
yeah
it's
hard
to
say
is
this:
is
this
usable
securely
and
is
there?
Is
there
a
secure
way
to
use
this
without
first
identifying
that
the
library
itself
is
built
with
security
in
mind
and
in
its
following
secure
practices
and
how
it
handles?
You
know,
data
and
connections
and
all
that.
So
I
appreciate
that.
E
D
D
A
D
A
H
I
do,
hopefully
you
can
see
me
and
hear
me
and
my
camera's
working
today-
that's
awesome,
yeah
and
and
and
you're
right.
We
can't.
We
can't
just
spend
these
meetings
going
through
these
documents.
We
do
need
to
have
input
outside
of
meetings,
but
perhaps
setting
up
a
a
road
map
or
a
timeline
as
to
when
these
reviews
or
periodic
reviews
will
take
place.
So
everyone
who
wants
to
have
a
comment
can
get
it
make
sure
they
get
it
in
by
a
certain
time.
H
E
A
A
E
E
E
A
And
I
guess
we
need
to
decide
as
a
group
looking
at
this
a
little
more
closely
like,
for
example,
number
four:
are
there
instructions
on
how
to
report
vulnerabilities
this?
The
list
appears
to
be
just
a
series
of
questions,
and
is
that
is
that
something
useful
for
a
consumer
just
to
have
a
list
of
questions
or
do
we
need
to
provide
actions
for
people
to
take?
So
I
guess
we
need
to
decide
what
the
the
goal
of
this
document
is.
C
B
Yeah,
I
think
because
this
is
a
decision
guide
as
as
steven
named
it,
which
is,
I
think,
a
really
good
place.
I
think
that
does
make
it
easier
to
consume
as
somebody
who
is
consuming
open
source,
but
we
do
need
guidance
on
you
know.
It's
not
just
the
questions.
The
questions
are
just
giving
you
kind
of
the
road
map.
B
B
And
we
don't
have
that
part
here
yet,
and
so
I
think
that
would
almost
be
a
two
parts.
The
two
parts
for
this
document.
It's
like
okay,
here
are
the
things
you
have
to
answer
and
now
here's
what
it
looks
like.
Let's,
let's
turn
this
frankly,
let's
just
turn
this
into
one
of
those
cosmo
quizzes
right.
You
answer
all
the
questions
and
then
you
get
scored
right,
honest
god.
E
H
A
And
then
I'll
also
add
in
the
chat
glenn
suggested.
Is
there
any
way
to
automate
this
and
that
made
once
we?
I
guess
we
decide
if
we
decide
on
a
scale
of
good
to
bad,
that
automation
might
be
able
to
help
generate
that
kind
of
a
scorecard
or
all-star
style,
or
maybe
even
potentially.
Maybe
this
is
something
we
pass
over
to
those
projects
to
see
for
inclusion.
You
know:
can
we
potentially
add
this
to
those
projects.
D
For
example,
if
you
look
at
the
output
file
the
example
you
know
there
are
actually
already
sort
of
criteria
in
it
right,
so
the
score
value
confidence
based
on
what
yeah
the
scoring,
even
in
the
end,
based
on
the
things
it
didn't
see.
It
also
gives
like
suggestions-
hey,
maybe
here
like
enable
lg,
tm
checks
or
code
grill.
This
is
how
you
do
it.
A
All
right
team
we're
coming
to
the
top
of
the
hour.
Does
anyone
have
any
fine
judy
agrees?
Automating
would
be
great.
Do
we
have
any
final
suggestions
before
we
close
our
call?
Today
we
have
some.
I
would
ask
everyone
for
homework.
Think
about
this
document,
how
we
can
improve
it,
how
we
might
be
able
to
automate
where
possible
and
provide
suggestions
on
how
we
might
shape
this
going
forward,
but
any
closing
comments
from
anybody.
A
Nice,
that's
excellent,
so
david
wasn't
too
far
off
the
mark,
all
right!
Well,
thank
you.
Everyone
for
participating
today,
great
conversation,
I'm
looking
forward
to
how
we
can
mold
this
into
something
a
little
more
useful,
it's
very
early
days
for
it,
and
thank
you
for
your
thoughts
on
the
first
cheat
sheet,
slash
one
pager
and
we
will
talk
to
everyone
in
two
weeks.
If
not
sooner,
thank
you
all
and
have
a
great
day.