►
B
C
C
D
My
name
is
dan
applequist,
I'm
just
joining
sneak
and
I'm
here,
because
I
really
really
think
developer
education
and
best
practice
is
like
the
key
important
topic.
But
what
do
I
know?
I'm
the
new
guy
so
yeah,
that's
kind
of
me,
oh
by
the
way,
I
also
have.
I
also
participated
in
a
lot
of
activities
around
web
standards.
So
if
you're
familiar
with
w3c,
you
may
have
seen
my
name
around.
C
C
All
right
well
again
welcome
dan
we're
looking
forward
to
having
you
in
our
little
family
here
first
off.
Does
anyone
have
any
opens?
They
want
to
add
all
right.
So,
let's
touch
on
those
after
I
talk
about
a
couple
things
here,
my
prop.
We
have
some
petitioners
that
are
interested
in
joining
our
group.
C
E
A
C
Is
and
for
a
little
more
context,
mr
wheeler
and
I
have
talked
with
these
folks
a
couple
times-
a
nice
group
of
folks
and
we
initially
thought
well.
How
does
this
compare
to
salsa
and
salsa
is
more
focused
on
those
that
maintain
ci
cd
infrastructure,
whereas
the
the
new
proposed
framework
is
focused
more
on
consumers,
helping
them
evaluate
it
was
assault.
Was
software
made
properly?
C
Did
they
follow
good
security
practices
so
again,
we'll
have
them
come
in
and
talk
and
see
we'll
see
if
it's
a
good
fit
here
or
not,
or
if
we
want
to
steer
them
more
towards
a
supply
chain,
but
this
is
definitely
not
a.
This
is
more
of
a
complementary
piece
of
work
to
salsa
than
would
be
a
competitor.
E
Something
we
should
keep
in
mind
is
that
there
is
a
new
nascent,
little
baby
fledgling
metaphor
working
group
for
end
users
specifically,
and
this
might
be
the
sort
of
thing
that
would
make
sense
there
or
at
least
be
a
collaborative
effort
on
that
side
as
well.
So
I
will
bring
that
up
in
the
end
users
call
later
this
week
and
see
whether
we
can
at
least
get
some
of
them
to
show
up
to
our
call
next.
C
E
E
C
Yep,
that's
one
of
the
requirements
as
you
need
to
have
so
many
participants,
and
so
many
contiguous
calls
so
cool
that
it
is
not
lauren
as
she
mentions
it's
not
in
the
calendar
yet,
but
hopefully
we'll
be
very
soon
and
again.
I
will
encourage
jay
and
that
crew
to
come
here
to
present
to
us
to
see
if
we
think
it's
a
fit
or
not
or
if
we
have
a
suggestions
for
him
as
well.
F
C
D
B
So
if
I'm
correct,
you
see
the
format
of
the
old
labs
that
we
have
right
now.
Yes,
so
initially,
we
hope
that
we
could
just
to
search
and
replace,
because
somebody
helped
us
with
the
designs,
but
as
it
turned
out
that
wasn't
the
deal.
So
we
had
to
do
this
copy
casework
for
270
laps,
but
at
least
we
did
it
in
a
way
that
if
we
want
to
refactor
it
the
next
time
that
we
can
do
search
and
replace
so
we
fix
that.
B
Oh
sorry,
on
the
skf
labs
repository
on
the
separate
branch,
and
we
will
probably
merge
that
somewhere
this
week
and
then
all
the
labs
are
updated
and
then
well.
We
have
this
nice
new
format
for
all
the
labs.
So
now
that
it's
changed
to
this,
this
suddenly
looks
really
old,
really
funny
how
quick
that
goes.
B
B
So
what
we
did
pretty
much
is
we
created
an
app
that
has
a
bit
more
functionality
than
normal
labs
would
have
normally
a
lab
would
have
just
one
problem
case
like
a
cross-site
scripting
across
that
request
forgery,
whatever
this
has
a
couple
of
problems
in
it.
So
this
one
has
cross-site
scripting
cross-site,
request
forgery.
B
It
has
insecure
randomness
when
generating
password
reset
tokens.
It
has
a
sql
injection,
hidden
somewhere
and
all
that
good
stuff.
So
we
have
the
app
right
here
and
what
we
did
around
this
lab,
and
we
will
also
put
this
in
the
right
tip.
Is
we
also
for
this
use
case
created
like
used,
face
or
fake
use
stories
and
that
you
can
dive
into
like
hey,
there's
a
description
as
a
registered
user?
You
want
to
be
able
to
authenticate
yourself
and
then
also
add
in
a
couple
of
sequence,
diagrams
that
you
can
use
for
the
threat.
B
Modeling
a
wireframe
because
it
looks
nice
and
then
guides
people
through
how
to
do
list
centric,
based
threat,
modeling
approaches
and
ideally
then
well
use
skf
and
the
asps
with
this
to
generate
the
right
security
requirements
that
we're
also
looking
at
using
kpec
somewhere
somehow
in
this,
but
I'm
still
not
really
sure
on
how
I
want
to
do
this
because
we
started
recently
working
on
it.
So
you
have
like
the
the
use
stories
here.
B
B
It
can
read
and
write
some
notes
and
then
we
put
for
the
use
cases,
some
abuse
cases
and
we
try
to
correlate
them
but
yeah
and
then
also
guide
you
through
the
whole
process
and
how
you
would
use
something
like
skf
to
derive
the
right,
asps
requirements
for
your
news
stories
that
you
see
here
so
yeah
long
story
short.
That's
what
we've
been
working
on,
because
I
kind
of
wanted
to
give
the
threat
modeling
training
for
our
software
developers.
B
Internally,
where
I
work
and
I
found
like
yeah,
it's
not
really
anything
that
I
can
just
grab
from
the
internet
and
use.
As
is
that's,
why
we
decided
like
hey,
let's,
create
an
app
and
also
make
the
use
stories
for
create
some
fancy
diagrams
that
people
then
can
later
again.
Then
later
we
use.
If
you
want
to
do
the
same
thing
or
also,
if
you
want
to
learn
about
it
and
then
go
through
the
the
write-ups
that
we
have.
C
B
That
would
be
perfect,
really
awesome.
So
if
we
could
make
this
extensive
enough,
it
could
even
be
a
separate
training
track
in
the
learning
paths,
so
that
would
be
brilliant,
but
I
first
wanted
to
have
something
at
least
something
you
know,
and
then
we
have
something
to
to
create
good
discussions
around.
C
C
B
F
Yes,
hi
everyone,
yeah
jeff
and
I
have
been
working
on
the
npm
best
practice
document
with
a
focus
on
supply
chain.
So
not
not
how
you
implement
proper.
You
know
javascript
code,
but
more
like
how
do
you
handle
dependencies
and
what
the
best
practices
are
around.
You
know
dependency
management,
so
I
I
put
a
link
in
the
doc.
It's
the
final
pr
that
will
finally
tag
the
document
as
v.
F
1.0
we've
had
a
lot
of
help
from
people,
especially
from
you
know,
people
who
know
about
npm
and
node.js
better
than
we
do
so
yeah.
Thanks
a
lot
to
them.
We
we're
preparing
a
small
blog
post
to
announce
it.
I
hope
in
the
next
two
weeks
we
should
be
able
to
get
it
out
if
you
have
any
ideas
of
what
we
should
write
in
the
blog
post
yeah.
Let
me
know
I'm
not
the
best
at
writing.
So
yeah
any
help
is
welcome.
C
C
G
Alrighty,
so
we
have
it's
really
hard
to
talk
about
this
guide
without
talking
about
the
other
guide,
which
is
about
how
to
develop
secure
software,
because
each
document
refers
to
the
other.
But
let's
talk
about
the
evaluating
the
concise
guide
for
evaluating
open
source
software
first,
so
let
me
quickly,
I'm
gonna
repost
in
the
chat,
a
link
to
the
google
doc.
G
C
I
would
propose,
since
no
one
has
shown
up
and
shared
any
materials.
Yet
that
means
that
that
is
not
a
blocker
for
our
existing
work.
We've
been
toiling
away
at
this
for
a
while
now,
so
I
don't
want
to
impede
it
like
david.
I
think
it's
better
to
get
a
80
complete
product
out
there
and
used,
and
then
we
can
refine
it
in
the
future,
and
so
I
would
not
wait
for
something
that
may
or
may
not
occur.
The
group
might
say
this
is
something
supply
chain
or
end
user
group
is
more
applicable.
F
A
David,
I
I
agree
with
with
that
statement.
In
fact,
I
suggest
that
we
put
a
plan
together
for
at
least
the
timeline
for
this
document,
so
we
can
have
some
milestones
and
dates.
Try
and
finish
it
up.
The
the
one
pager
is
is
great,
a
lot
of
good
content
there.
It
took
a
long
time
took
a
long
time
for
us
to
get
there.
We
have
a
lot
of
good
feedback
on
this
document
as
well.
G
A
G
I
have
left
things
unchanged
if
somebody
put
in
a
comment,
I
just
left
it
as
a
comment,
if
I
have
tried
to
only
add
suggested
text
so
that
people
can
decide
whether
or
not
they
approve
it
as
opposed
to
just
making
changes
to
the
doc.
But
if
we
went
over
and
just
didn't,
accept
all-
and
I
think
most
of
this,
I
I
need
to
walk
through
all
the
comments,
because
I
don't
know
if
all
of
it,
I'm
hoping
that
most
of
the
comments
have
since
been
resolved,
probably
need
to
walk,
do
a
pass
through.
G
C
G
G
G
C
G
G
G
G
Yeah,
I
guess
the
other
issue,
probably
the
one
of
the
first
comments.
This
is
by
vicki,
which
I
think
is
is
worth
discussion
here
is
aren't
maybes
covered
by
the
developing
secure
software
one
pager
a
number
of
these
are,
I
think,
it's
worth
highlighting
a
few
of
them
as
especially
important
for
the
evidence
that
developers
work
to
make
it
secure.
So
my
theory
was
let's
list
someone
some
that
are
especially
important
and
then
link
to
the
other
document
that
doesn't
make
it
the
right
solution.
G
A
C
E
E
For
things
that
we
would
like
to
do
in
the
future,
rather
than
adding
them
as
notes
to
the
meeting
notes,
agenda
move
them
from
the
document
to
an
issue
in
our
repository
in
our
github
repository,
so
we
can
then
track
them
and
work
on
them
there.
For
instance,
if
somebody
says
this
would
make
a
great
blog
post
awesome
whip
up
a
quick
issue
open
it
up,
we
can
track
that.
Oh.
E
G
E
E
C
G
Yeah,
so
maybe
we
need
to
have
a
deadline.
Pens
down,
let's
see
here
if
we
can
have
all
proposed
changes
by
next
week.
Seven
days
I
mean
this
thing's
been
open
for
a
while.
So
it's
not
like.
You
only
have
seven
days
to
write,
but
you
know
if
we
can
get
all
proposed
changes
in
by
next
week.
The
problem
is,
I
don't
want
to
just
unilaterally
make
decisions.
I
really
do
want
this
to
be
a
group
and
I'm
sure
crow
feels
the
same
way.
We
want
this
to
be
a
group
decision.
C
G
E
G
G
So
let's
get
those
folks,
especially
you
know,
whoever
you
are,
let's
take
that
last
pass
and
and
then
we'll
have
two
docs
and
you
know
what
it's
okay,
if
later
on,
there's,
I
would
not
expect
there
to
be
no
changes
in
either
these.
I
would
expect
these
to
be
updated
and
improved
and
frankly,
the
first
time
we'll
release
it.
We'll
get
a
whole
bunch
of
suggestions
and
that's
so,
let's
get
that
process
started.
H
G
C
G
G
Crook,
okay,
so
let's
move
on
because
they're
really,
in
my
mind
at
least
they're
a
pair,
so
the
the
key
thing
about
the
one
page
guide
is,
I
mean
really
it's
been
mostly
done
for
a
while.
There's
a
couple
comments
and
comments
in
there,
but
really
the
the
big
challenge
here
has
been
figuring
out.
The
order
of
the
suggestions,
I
think
part
of
the
problem
is
that
people
have
disagreed
on
how
we
should
order
things
eric
tyson's
had
a
number
of,
I
think
very
helpful
comments
and
is
eric.
Are
you
here?
I
I
just
wanted
one
quick,
quick
note,
since
you
called
me
out,
I
did
have
my
development
team
go
through
all
of
this.
Oh
okay,
they
all
agreed.
It
was
very
helpful.
They
didn't
have
any
major
updates
other
than
order
similar
to
what
I
had
but
yeah.
Overall,
they
found
it
to
be
a
very
good
initial
guide
to
help
them
out.
G
Oh
fantastic,
all
right,
so
I'm
trying
to
deal
with
a
technical
limitation
and
that's
that
in
google
docs
you
can
easily
suggest
you
know
word
changes,
but
it's
kind
of
hard
to
track
order.
Changes
they
just
kind
of
happen.
I
mean
you
can
leave.
You
know,
leave
all
the
ordering
changes
and
suggestions,
but
what
you
get
is
a
whole
bunch
of
line
outs.
It's
not
at
all
obvious
where
things
moved.
G
So
I
don't
know
if
it
was
the
best
way
to
handle
it.
But
what
I
did
is
I
just
copied
the
items
below
and
then
tried
to
reorder
them.
Eric
tyse
suggested
that
I
actually
probably
should
ask
you
to
to
just
complain,
but
I
interpret
it
as
put
the
more
focused
easily
done
items
first
and
then
later
either
the
more
general
or
you
know
harder
to
do
for
various
reasons
later.
G
I
No,
I
think
the
reality
is
in
certain
points
with
that
within
it.
There
are
things
that
are
precursors
like
when
you
mention
tooling,
and
then
you
mention
you
know,
package
managers
and
other
things.
You
know
if
you're
fairly
new
to
this,
if
you're
not
as
an
experienced
developer,
you're,
not
as
familiar
with
the
the
the
different
areas
that
are
being
brought
up
in
this
document,
it's
helpful
to
just
kind
of
nudge
them
into
it.
Not
everybody
who's
going
to
be
using.
This
is
going
to
be
a
senior
developer.
I
G
Okay-
let's
see
here
it,
I
think
the
main
change
in
the
or
so
we
we've
been
busting
around
with
the
ordering.
It
looks
to
me
like
one
of
the
main
questions
left,
is
moving
seven,
eight
and
nine
between
three
and
four
in
the
second
list.
So
basically
it
would
be
use
a
combo
of
tools
to
evaluate
your
pipeline
and
then
evaluate
software
before
selecting
it
use
package
managers,
use
automated
tests
and
then
monitor
for
known
vulnerabilities
is
that
is
that
a
reasonable
reorder?
G
G
Okay,
I
will
take
on
the
job
of
making
the
actual
test
above
text
above
matt
below,
but
there's
just
you
know
sorry
about
this
weird
thing
of
handling
order,
but
I
just
couldn't
figure
out
a
better
way
of
making
it.
So
people
could
see
what
was
being
changed
while
it
was
be
see
the
proposal
without
just
having
it
happen.
G
G
Okay,
yeah
so
basically
yeah,
so
the
list
shows
up
this
one
page
guide:
it's
listed
twice.
The
first
is
the
actual
text
and
the
second
is
just
the
proposed
reordering
all
right.
So
in
fact,
we've
already
done
two
of
those
all
right,
so
I
will
take
on
the
task
of
making
it
one
big,
happy
family
and
I
think
we're
pretty
close.
I
mean
we
can
always
make
improvements,
but
I
think
we're
getting
pretty
close
for
this
one
page
guy
we've
been
beating
on
it
for
a
while
marta.
H
H
I
summarized
that,
as
this
guide
for
them
looks
more
like
an
integration
guide
and
less
as
a
guide
for
for
the
developing
on
its
own.
So
the
thing
they
don't
missing
is,
for
example,
code
reviews,
doing
code
reviews
and
doing
code
reviews
from
security
experts
or
security-minded
people
from
the
project
to
improve
the
general
quality.
G
C
F
C
H
G
G
Right
right,
complete
security
code
how's,
this
complete
secure
security
code,
audit,
slash
review
at
least
to
internal,
consider
doing
an
external,
but
I
think
the
problem
is
no
matter
what
it's
going
to
be
two
lines:
yeah.
Well,
that's,
okay,
but
I
would
like
that
case.
We
may
as
well
have
in
separate
bullets,
because
I
think
adding
the
internal
review
is
going
to
happen
long
before
you
do
the
external
I
I
wouldn't.
C
D
Hi,
sorry,
I
am
the
new
person,
so
I'm
going
to
be
very
prone
to
asking
stupid
questions,
but
one
thing
that
occurred
to
me
when
I
was
reviewing
the
one
pager
here
is
that
you're
talking
about
scanning
for
known
dependencies
you're
talking
about
creating
a
security
advisory
on
github,
in
particular
around
secure
scanning
for
dependencies.
I
know
this
has
been
a
sensitive
point
in
sneak
where
people
are.
F
D
Towards
dependable
and
there
and
I've
seen
a
lot
of
discussion
internally
about
wanting
to
ensure
that
openssf
language
is
vendor
neutral,
so
yeah,
I'm
probably
that's
what
I
ought
to
be
inputting
or
pushing
out
there.
I
don't
know
how
to
make
that
better,
neutral,
obviously
being
a
member
of
the
community.
I
know
this
is
valuable
advice,
but,
but
also,
I
I
do
think,
maybe
there's
some
way
that
it
could
be
made
more
vendor
neutral
without
necessarily
listing
all
different
products
that
somebody
might
use.
C
That
is
absolutely
one
of
our
goals
and
how
we've
been
operating
dan.
We
typically
will,
if
there's
a
good
exemplar,
we'll
say
here's
the
practice
as
an
example.
If
you're
in
github
here's
dependable
achievements,
so
we
try,
we
do
try
to
do
that.
We
may
have
missed
reading
normally
aza
from
github
is
the
harshest
critic
there
is.
He
wants
us
to
be
as
neutral
as
possible,
but
he's
not
here
today
to
yell
at.
G
F
G
G
F
G
G
All
right,
so
I
will
try
to
work
out
a
scheduled
doodle
poll
I'll
I'll
try
to
work
out
a
doodle
poll,
everybody
comments
by
next
week.
This
time
the
title
should
be
locked
and
then
we
will
try
to
wrap
this
up.
So
the
goal
is
by
two
weeks
from
today
next
meeting
to
have
final
versions
as
final
of
these
things
ever
again,.
C
Yeah
and
in
parallel,
referring
to
the
awesomest
new
issue
in
our
git
lab
number
71,
if
anyone's
interested
in
starting
to
compose
a
blog
that
talks
about
these
and
why
they're
these
guides
are
important.
Please
kind
of
raise
your
hand
to
start
to
collaborate
on
that.
So,
ideally,
as
we
get
ready
to
publish
these,
we
might
have
the
supporting
marketing
material
ready
as
well.
F
E
E
C
So
we've
had
that
item
out
and
ignored
it
for
a
very
long
time
we
need
to.
I
want
this
group
to
democratically
decide.
Do
we
want
to
ada,
be
a
big
brother,
big
sister
to
the
microsoft
people
for
their
proposal,
and
then
I
also
need
to
propose
to
the
group.
I
want
to
give
people
the
ability
to
express
their
opinions
on.
Are
they
happy
with
how
the
group
is
being
led?
Do
they
want
to
make
any
changes
there?
I
want
to
give
us
some
structure
on
that.
E
E
E
C
E
C
A
C
E
I
F
C
C
C
All
right,
thank
you
all.
I
really
appreciate
all
the
help
on
these
two
concise
guides
very
excited
to
see
those
almost
done
and
we're
looking
forward
to
talking
to
you
very
soon
have
a
great
day
and
if
anyone
wants
to
help
with
the
blog
issue,
71
just
note
that
and
I'll
set
up
something
to
a
straw.
Man
for
that
blog
thanks,
see
everybody.