C: Hey, good morning, good afternoon, wherever you all are in the world. I'm Steve Marowski, I'm on the advocacy team at Microsoft, focusing on cloud native and open source, and looking forward. Since I spent a good bit of time in the open source space, I thought this might be a great place to get plugged in and see where I can help and what I can learn.

A: Yeah, the document is open for everyone to help edit and comment on, so please help out. I'd like everyone to note: if we have any opens, please type those underneath our project updates and we'll talk about those.

A: We'll start off: do we have any of our member projects that wanted to give an update on any milestones or exciting things they're working on?

D: Well, maybe I scared them. So we actually started to roll out the SSO implementation. We already did a lot of work to facilitate it, so now we have GitHub and Google; it seems to work.

D: We only need to refactor a bit of the front end, because, yeah, there's some redirecting tango going on there, a lot of redirects, and it seems like the front-end Angular app still needs to be modified a bit. But overall, the Keycloak, the tracking, the whole setup seems to be working now, running in a Kubernetes stack. So that's good.

D: I do have a question to the people here in the group: what other type of login mechanisms should we, or do we, want? I mean, now I just picked GitHub and Google because they were the most obvious, but which one would also be interesting to add there as a possible method?

A: Anyone who has suggestions, type it into the notes, raise your hand, yell out at Glenn, or look out for an email. Not yell at Glenn, but get Glenn's attention.

A: Our list for this group is... what is the name of it? I have that, one second.

A: I haven't used it in a while. It's going to be openssf-wg-best-practices at openssf dot... I'm sorry, I'll type it in right here, give me a second.

D: I had it, so, perfect.

D: Yeah, so the project, the Security Knowledge Framework. So basically that is the communication and learning platform where we will help developers get the right security requirements. There are code examples, knowledge-base items, checklists like the ASVS, MASVS, and there's also this capability that we released like three months ago.

D: Also, thanks to this working group, it has like a training module, so people can do self-learning of secure coding based on David Wheeler's content and material, and also that API hacking based on the OWASP testing guide and infra, and basically you can do all the materials. And then you have like this lab you can spin up, and you can also do the practical stuff.

A: I posted a link into the chat. We have a couple member projects, of which Glenn helps lead SKF, and think of that as the actual hands-on-keyboard learning of the good practices. We also have a couple classes that Dr. Wheeler wrote. We have the CRE folks, which are standards in code formats. We have a couple of member projects that you can take a look at. We have links to all of them off of our page, and there's an amazing diagram some genius put together that kind of shows how they relate a little bit.

A: It's a very stable genius. Any other member projects here today, inventories or Scorecard, that wanted to give an update?

E: Hi everyone, I'm Speedos, I'm the inventory guy. I don't really have any updates. In fact, I was on holiday and I'll be on holiday for the next couple of weeks, so, updates.

A: You might want to check out their project to see where they are going to be opening up an API for access to help manage. They've had the Scorecards go out and do a scan of about a million open source projects and then report on kind of a risk posture statement of kind of the security qualities of those projects, and they are enabling an API to help with the... to help throttle some of the traffic. So that's kind of exciting news from them.

A: All right, let us, hopefully for the final time for this round, look at the one-page guide for developing more secure software. This has been a project we've had. The intention is to create a one-page resource that lists off some of the best, most impactful practices you can take as a developer and as a project, and then provide links off to those resources on how to do the thing or get additional context.

A: This will be posted as an artifact as part of our git repo and part of the OpenSSF body of knowledge, and we think we are very close to finalizing. It looks like David went through and remediated any of the final comments. So does anyone have any parting thoughts before we start to push the button to get this document published?

A: And this is intended to be a cheat sheet, not intended to replace actual training. So it's supposed to provide that guide stone where somebody finds this and can go learn more about, for example, how to implement ASVS or how to create your own security advisory, for example. Push the button, thanks, Dave.

E: Marta, hello again. Yeah, here again. I have one suggestion: to actually test run it against some developers.

A: Fair, Vicky, question or suggestion.

B: Yeah, so we have one or two open source developers here at Wipro, and kind of an open question to Eric here: would it make sense to have your team walk through this, because I think they'd be really well placed to provide feedback.

F: Yeah, so one of the things we haven't actually publicized, but I'm making my team go through everything we write to follow the best practices, toward anything we release getting the best practices badge, and we have several things in the pipeline to make this happen over time. Obviously, it's a fairly broad scope of items, so we're going through them all. Yeah, we can certainly do some of this. I already have a number of people doing number one.

F: So we can take a look at it. Some of this will be harder to test, like earning the best practice badge, as I just mentioned, but we can certainly test out some of these and validate a number of them. Like 14, for example, we're doing some work on that, and everything we're doing is based off of the SLSA framework for 15. So, yeah, we can take a look at it and certainly get some feedback.

G: I just wanted to point out, when I was... because we've already started doing the best practices at Astro and we've already started upstreaming that to Solid, because we have a very good relationship with Solid and Vite, and I just want to point out that some of the stuff doesn't necessarily apply to JS, and apparently that gives people the wrong impression, like some of it just doesn't apply to them.

G: So I just think that there are certain things in the best practices badge that get difficult with certain projects, and I just wanted to bring that up because it turned into a whole discussion of, like, does best practices even apply to JS, which was kind of a whole thing. As you know, the JS community is extremely opinionated, so, yeah, it turned into one of those things.

A: Do you have any other notes that we could share back to David to, you know, improve the badges program to account for, maybe, if this didn't... a warning or documentation, but trying to.

G: Really, I could put something together, and if you can share with me your email or David's email or where you want me to send it, I can put that in an email together this morning and send it over.

G: And for the record, there is static analysis tooling. It just is not very big, and a lot of efforts that have tried have kind of just stopped and failed. To be honest with you, I don't think the JS community really values that type of tooling as much as some of the other communities, but there are projects out there that do provide static analysis.

G: It's just like one hasn't been touched since, like, 2018, and another one hasn't been touched since, I think, 2020. So that's the thing: it's more of a lack of updates. And the other thing about it is, just from, like, the reaction with Vite and just the reaction of a lot of developers, the thing about JS is you have a lot of young developers that kind of feel like they could do no wrong.

G: There's nothing wrong with having 800 package dependencies and not being able to audit them, or one package hasn't been touched since the early 2000s. It's just a lot. I think a lot of it is the attitude, because they're not open to... they don't see security, honestly, as, if you want to call it, a big deal. They kind of see it as... they're still on the whole JS Kool-Aid train of "hey, look what I can do on JS."

C: Stephen, hey, yeah, so, you know, I'm just getting a first glance at the checklist here, at the guide, and I'm happy to kind of socialize that around, you know, the developer advocacy group and some of the other open source teams here at Microsoft. But my first impression was, like, wow, that's dense. There's a lot there. And, yeah, just from, you know, previous experience with guides and stuff like that.

C: It feels like there would be little eyes glazing over and an "all right, that's too much to tackle" feel. I think that it looks like there's a bunch of excellent resources and direction. I'm just not... I'm happy to get some more feedback on it. My first impression was, like, wow, that's dense, but I didn't put any of the work into it, so it's easy for me to come in and comment, you know, afterwards.

A: Keep in mind, this is a first step. Once we have the list, then we can figure out a plan of how we're going to evangelize the list, train the list; there could potentially be blogs or webinars. We have a whole other effort focused around developer education, the education side, which is the best thing that meets tomorrow, where we're talking about actually implementing training, and that might be, potentially, this artifact could be passed over to that group and we create some training or a webinar or a podcast to talk through it.

F: One of the notes on this I would make is some of the links actually go to other documents that are still in draft format, so we want to make sure that, as we get to that point, all of these are cleaned up and ready to go themselves, or at least not noted as draft. And some of the projects that they go to, you know, go to git and then GitHub; you end up, you know, are the pages clear enough for somebody to use as a cheat sheet?

F: Quick guide would be one of the questions, so maybe some deeper evaluation on, if you're doing this, you know, if I click on this and I go to the page, is what's provided by the GitHub project page, you know, really something that's easily consumed as a cheat sheet, kind of, or should it be in and of itself a document that kind of clearly shows an example of how you use what's in the GitHub project?

F: So those are some of the considerations to make down the path. You know, what is the use case of actually implementing this as part of the quick guide versus here's just the documentation on how this works. And then, lastly, you know, should this be named what it is? Is it really a one-pager, or should it really just be called the cheat sheet for developing?

F: You know, because it's really... that's all this is, as it gives you a bunch of links, you know, a very, very brief description of what it is. So if I need specifically to find out information on what I should be doing, it has the bullet points.

F: But, you know, all of the relevant information on each bullet point is somewhere else, right. So, to your point earlier, it really is more of a cheat sheet, but I definitely think before this is released we need to look at all of these sub-links and, of course, I volunteered. Some people on my team will also document some of these things as we find them, but those are initial thoughts.

G: Some of this is already automated by GitHub's CodeQL, which is actually what we ended up agreeing with, like, between all of us, to share a CodeQL database between Solid, Astro and Vite, so just pointing that out. Yeah.

A: Our dear friend Xavier from GitHub, who helps shepherd the CodeQL efforts, has some automobile trouble today, so he was not able to join us, but, yeah, we've talked about CodeQL quite a lot, and that is something we probably, when we do a blog or whatever, could state as context: that these tasks are automatable if you leverage GitHub as your source code repository.

A: So before we move on to the next item, which is going to be the companion piece to this one-page document, which is a quick guide for evaluating open source software, we had a proposal in one of our calls and I wanted to run it by the group. Do we see value in, once we finish up this one-pager and then the evaluating one-pager, would a next good project be writing some type of technical paper around leveraging multi-factor authentication for projects? I see Vicky liked the idea.

A: Okay, if you want to, you know, drop some notes in our meeting agenda if you feel you like the idea, or you hate the idea, or you're tepid on the idea. We will probably, definitely, looks like probably take that on, since we also own the great multi-factor distribution project as one of our sub-projects.

A: This is intended to be a companion piece, so we have the cheat sheet for developers: this is how you can help write and maintain good code. This artifact would be focused on developers pulling in dependencies, possibly, or consumers of open source software: this is how someone could understand, is this piece of software good? Does it meet my risk tolerances, or is it fit for use for my project? So I'll give you a few minutes to look through the much shorter list.

A: There's only seven things we're recommending so far, but cruise through that for a moment and we'll start talking about each of the items in a second.

C: So there's a bullet point, the first bullet point, or first number two, where we have "determine whether the default configuration, interface, API and simple examples are secure, and if not, avoid it." Do we define what makes an interface, API or default configuration actually secure? Not yet. Or provide guidance in that direction?

A: Then this will be in the style of the first cheat sheet, where we would provide links to, if someone had a great resource guide that helped people evaluate that. So, if you have some ideas or contributions, that would be wonderful.

A: So, just a fun fact: it took us like two and a half months to get the one-pager actually down to a one-pager on the other document, and this is only like the second or third time we've talked about this one, so this will probably be a much more involved process of collecting feedback and links to help refine this down to a more usable document.

E: Yeah, thanks. So I know from the Go community: they have this proverbs section where they say "a little copying is better than a little dependency," or something along those lines, and I like this; you can remember it quite nicely. Not sure if they have guidelines along, like, how would you decide how much to copy, but that might be a good resource.

C: Yeah, I think that kind of comes down to the heart of, you know, reuse versus reimplement, right, like build versus buy type discussions, and I don't know if you can answer that question first without answering a number of the questions underneath it, right.

C: Yeah, because you have the balance of, all right, if I re-implement this code, now I'm responsible for its security and maintenance and all of these other things, and if those other bits are already being checked off by the rest of that list, then maybe yes, it should be added. But it's sort of circular.

B: First of all, I am completely horrified by Golang's "a little copying is better than a little dependency" unless that copying is including over the copyright and licensing statements, because otherwise you're just stealing, literally stealing, someone else's copyright. I don't care what license it's under if you don't give them credit. So someone's gotta have a little sit-down and heart-to-heart with Golang, and I know plenty of intellectual property lawyers who are very empathetic who can help with that. So please, let us not ever recommend that, please.

B: I love a dog. That aside, I have found that when this does exist, it's almost always everyone's rolling their own internally, and it's usually not well communicated internally and it's certainly difficult to enforce internally, and so you end up with developers just grabbing whatever and throwing them in there, which ends up again with a lot of compliance issues, not only for security but also for licensing. So I would love it if we could find a way to have a single source of truth for these recommendations.

A: So any additional thoughts on number one before we move on to number two, which is equally amorphous and vague, David?

A: As I mentioned to Stephen, if anyone has any recommendations on good resources to help evaluate the security of a project or an API, for example, our friends the Scorecards project and Allstar may be a nice criteria for something like this. We would want to provide links to that. They have a set of security and risk criteria that they evaluate and then advertise periodically. So that could be one criteria, definitely, to help evaluate the security profile.

A: Oh, there are... oh, hold on. Let me continue the previous numbering there. There we go. How's that, is that better, I'm talking about.

E: Because it looks like the second two, which is number three, was expanding on this, what it means to use securely. Or maybe it was just my understanding.

A: It's unlike David; he rarely uses such open language.

B: I would say that two is distinct from three. There's a difference between using it and developing the thing itself, and that seems to be what's going on here. Number two is: is it easy for me, as a consumer, to use this in a secure manner, right? Does it give me the guard rails such that I'm not...

B: ...that makes it difficult to do anything insecure, whereas number three is, as a maintainer, is there evidence that I am doing all the things, having the best practices? Aha, I know where they can get badges for that, to develop this in a secure manner. So, as the consumer is using it, they know that they're not going to get into a Log4j situation, right, and so these are distinct. I don't think they should be rolled into each other.

B: Yeah, definitely switching the order, I think. Okay.

A: All right, let's focus in, Stephen.

C: I was just going to say that I appreciate Vicky's restatement of that and then the reordering, because, yeah, it's hard to say "is this usable securely" and "is there a secure way to use this" without first identifying that the library itself is built with security in mind and is following secure practices in how it handles, you know, data and connections and all that. So I appreciate that.

D: Yeah, okay, because if we are at a point that we say, okay, this looks reasonable, yeah, then I would say maybe it's also a good idea for my own open source project to go over the list and try to do it, because, like the practice, the badge and stuff, I did it; it's hanging on 97.

D: Exactly, because, yeah, if it's not quick, then we should just call it "guide for evaluating."

A: And Dave Russo has a comment in the chat that we should endeavor to shorten that timeline.

A: I welcome everybody's participation outside of this every-two-weeks hour to contribute to the document. The more feedback we get outside of this meeting, and collaboration we get outside of this meeting, the quicker we'll be able to publish the second document.

A: We can move as fast as we have contributors; otherwise it'll be very slow, with me reading the document every couple weeks. Dave, you want to raise your hand?

H: I do. Hopefully you can see me and hear me and my camera's working today. That's awesome, yeah, and you're right, we can't just spend these meetings going through these documents. We do need to have input outside of meetings, but perhaps setting up a roadmap or a timeline as to when these reviews or periodic reviews will take place, so everyone who wants to have a comment can make sure they get it in by a certain time.

H: Otherwise, they're certainly welcome to comment on the next version of whatever artifact we're working on. That might help move things along a little bit more quickly. I think, you know, I think that the one-pager is in good shape.

A: Great, yeah, so I agree. It would be a much more fruitful use of our time to have a little more process. So, Dave, if you can help us with that, that would be amazing.

A: All right, since we're here looking at the current number three: is there evidence that this...

E: Maybe some more subsets of others, for instance, the CII bullet seems to be a part both for OSSF and the CII badge, right. So.

A: And I guess we need to decide as a group, looking at this a little more closely, like, for example, number four: are there instructions on how to report vulnerabilities? The list appears to be just a series of questions, and is that something useful for a consumer, just to have a list of questions, or do we need to provide actions for people to take? So I guess we need to decide what the goal of this document is.

A: All right, Steven.

C: I mean, because, like, is four questions? Yes, and something, no, okay, right, like. What's the, you know, what's the impact of each of those questions?

B: Yeah, I think because this is a decision guide, as Steven named it, which is, I think, a really good place. I think that does make it easier to consume as somebody who is consuming open source, but we do need guidance on, you know... It's not just the questions. The questions are just giving you kind of the roadmap.

B: And we don't have that part here yet, and so I think that would almost be two parts for this document. It's like, okay, here are the things you have to answer, and now here's what it looks like. Let's turn this, frankly, let's just turn this into one of those Cosmo quizzes, right. You answer all the questions and then you get scored, right, honest to God.

B: I think that's the sort of thing that's just going to make it so much easier to use, and, you know, obviously it's like "here's our suggestion, but you do you, honey," right; if you still want to use this, that's fine, but here's our suggested score as far as vulnerability or risk assessment type thing, right.

A: And then I'll also add, in the chat Glenn suggested: is there any way to automate this? And that made... once we, I guess, decide, if we decide on a scale of good to bad, that automation might be able to help generate that kind of a Scorecard or Allstar style, or maybe even potentially, maybe this is something we pass over to those projects to see for inclusion. You know, can we potentially add this to those projects?

D: For example, if you look at the output file, the example, you know, there are actually already sort of criteria in it, right, so the score, value, confidence, based on what, yeah, the scoring, even in the end, based on the things it didn't see. It also gives like suggestions: hey, maybe here, like, enable LGTM checks or CodeQL. This is how you do it.

A: Anytime we can automate something and take the hands out of a slow human and put it in the hands of a fast computer to decide, I think, is useful, especially as developers automate more and more and more.

A: All right, team, we're coming to the top of the hour. Does anyone have any... fine, Judy agrees: automating would be great. Do we have any final suggestions before we close our call today? We have some. I would ask everyone for homework: think about this document, how we can improve it, how we might be able to automate where possible, and provide suggestions on how we might shape this going forward. But any closing comments from anybody?

E: Folks, oh yes, please, please look at the program. That's exactly the step.

A: Nice, that's excellent, so David wasn't too far off the mark. All right! Well, thank you, everyone, for participating today. Great conversation. I'm looking forward to how we can mold this into something a little more useful; it's very early days for it. And thank you for your thoughts on the first cheat sheet slash one-pager, and we will talk to everyone in two weeks, if not sooner. Thank you all and have a great day.