From YouTube: Best Practices for Open Source Developers (May 10, 2022)

A: Is three after the hour post another link to the agenda? I am traveling today, so I don't have access to all my screens, so I am going to flip over to the document. I won't be able to see all of your smiling faces. So if somebody needs to speak up, please don't, it won't be rude. Just go ahead and work your way in, because I won't be able to see your hand raised. Okay.
C: And if, if you haven't already either undone or typed your name, by the way, one challenge with the way the, the font thing, I don't know if that translates to markdown at all. We might want to stop doing that and just let people type it in. Oh, the colors, the attendees list.

C: Yeah, you know what I think. That is a jury question, so I will dump it on poetry.

F: For the open source security for the open source, the event in, in Texas, you need a badge that says something along the lines of like.

A: There you go, I'll be bringing my amazing hat for that, that'll be fun. All right. So if you could mark your attendance in the agenda, do, and if you have any opens, please go ahead and put those on the agenda.

A: If I could beg assistance in scribing some notes, it can be a team sport, just so we keep track of what's said and done. Yes, David. I.

C: I will, but if others would also, that would be great. Awesome. Yeah.

A: Go team open source. We have any new friends that have joined us for the very first time that wanted to introduce themselves today?

A: All right, do we have, go ahead and add your opens, David. Do you want to briefly cover your couple updates? Yeah.
C: So, first of all, on the updates, you know, we've, we've had a number of folks contribute. Thank you. The links there, it is actually two one-pagers. One challenge is that Brian and I have been totally overwhelmed, primarily prepping for the White House meeting.

C: There was also a death in the LF family I mentioned later, so my plan is to go back to that and try to wrap up on some of that and try to turn, turn all those ideas into something that looks like a final product for a further review. The next two. In fact, if you don't my macro, I'm just going to keep going.

C: So, no, nothing new to say about the best practices badge. I mean there was a library update with a vulnerability, no big deal. We do that all the time. Fundamentals course, couple things. OpenAI has agreed it's gonna be okay to use the DALL-E 2 images, generated images, in the fundamentals course. I sent out the email. Basically, if we don't charge for it, they say it's fine. I have already applied to their wait list. I have no idea when we get through the wait list.

C: If there's somebody here who has some sort of inside contact, you got a friend in OpenAI, that would be awesome. Let me know. I'd like, I don't know how long that wait list is, but if it's super long I'd like to get a little faster, but that's not my call. So if it's somebody else's call, please let me know. On OpenSSF Day I do plan to talk about education and training.

C: I hope to have a secret announcement, but I'll tell you on that day. I gotta, I basically, I wanna have something to share. That's, that we can wait for on that, but the goal would get more access.

E: Announcements can be a tricky dribble in open source. Indeed.

C: Indeed, so I don't know how to do this, because I want to, I want to have a surprise and I want to share and be transparent, and this is hard. I, I will, I, so maybe what I should do is, you know, the problem is if I post the mailing list, it becomes public instantaneously.

C: So I don't know how to do this.

C: So yeah, so, but nothing untoward, it's just simply, we've got some ideas on how to get the materials that we've developed distributed more widely. Enough said. All right, let's see, and who's next, do we have anybody from the SKF team? I know several were not able to be here today. I.
E: So I wanted to get the group's opinion on, so we've got training available that the Linux Foundation has graciously made available for no charge, including the certification, and, I believe, that's approximately 12 to 18 hours of training depending upon the individual's ability to absorb the material, and I've heard some requests or suggestions from a couple of different audiences that developers just may not take advantage of that, because that's a non-trivial time commitment that they'll look at and go, too long, not going to read it, got to keep moving.

E: I've got features and functions to add to my code today, right, and you know we're developing a one-pager, which is great, but that one-pager substantially points to training that's hours and hours of training.

E: Is there a bite-sized amount of "welcome to open source security, you kg developer, you, you don't want to miss this, and it's only two hours of your time"? Is there a way to develop something that's more consumable and a lower hurdle for the average open source developer to step over, rather than have to get a running leap, or is that just so inconsequential that it's not worth the baby step?

C: This question, I, I have, I have, yeah, discussion. I actually have done such things in the past. I actually went over to, I've given several such presentations. In fact, I gave one, probably the largest group. My larger group I remember was over in Europe, trap, there's a larger conference that happens in the university, no, anyway. I, I have done such things, so we don't have such material today, it, such could be developed.

C: As with all such things, there's a trade-off. Shockingly, in an hour or two you cover a whole lot less than you can cover in about 16.

C: Yes, there we go. Okay, yeah, and, and yeah. We, we intentionally did the, the 16-hour, in part because, you know, we're, we're asking, there, there is a fundamental challenge. I have an engineering degree, I had to spend years of my life learning. You know, the expectation that in developers it's okay to have an hour and then you're ready for intelligent adversaries.

C: You know, we're, we're sending them out a lot less prepared. You could make the same argument for the 16 course, our course, too, by the way, but so.

C: Right, so could we do that? Absolutely. I, you know, to be fair, the, the course materials are based on work that I've done over years and years, which is building up, and, and I can easily, we can easily subset, shorten, and nothing else. What I would say is, if you're doing it a one- or two-hour, what you're probably focusing more on is awareness.

C: With the White House thing, yep, yes, I, I think we should. Maybe we should make that part of the opens. So in fact I'm gonna make this discussion part of the opens now, so we know, maybe we should create, it's.
A: We want to share, nothing formalized yet. Do we want to talk about some of the specifics of the proposal, David?

C: How do I summon, I mean the, the quick summary? Is education good, ignorance bad? You know. Basically we don't have, you know, most, most developers don't have, have little or no actual training on how to develop software, and that's whether or not they go to a university and learn computer-related courses or not. You know, boot camps and so on.

A: May I share? Sure. All right, so the OpenSSF is having a summit later this week with some government officials to talk about some proposals to help improve open source security, and it's based off of a lot of the work that's already existing and finding ways to augment and amplify that, and one of the areas, as David mentioned, is a focus on education, and we brainstormed a lot of different ideas, and ultimately it's gonna come down to, do.

A: We have experienced and willing people that are interested in contributing to develop some of these new methods.

A: One of the ideas is to take in David's existing classes and trying to transform that into like a boot camp file thing you can provide at developer conferences, you know, use nyx or those types of things.

A: Other ideas were approaching, creating webinars, creating a podcast that you could potentially focus in on. You know, today's podcast is "what is SQL injection and how to avoid it".

A: We can think about many different ways to deliver this content, and then we're looking to try to find folks that are interested in helping provide education to developers in a lot of different areas, and exactly, we're looking to influence high school and college curriculums, work in, try to get this training out to groups that are historically not included in these types of conversations.

A: So like Girls Who Code, the historically black colleges and universities, these types of things, on technical schools, so we're just brainstorming on different ways and different avenues we can deliver this content, and my personal intention was, is, to, we have an amazing group of people that are very interested in open source security for developers, and we potentially could leverage this group to help create, give, or at least generate ideas on how to get this content out to the masses.

E: And see, Rob's a great straight man, because on that work stream I also shared that, as some folks may be aware, as part of the initial cybersecurity meeting at the White House mid last year, the IBM.

E: Initiative that IBM was going to undertake to support cybersecurity education, engaging with the top 20 HBCUs to help educate and create the next generation of cybersecurity experts, and that focus is more on the sort of the reactive side of the equation, and interested in aligning on the more proactive side of helping to get the developers. So I'm sure that'll come up as a topic during the meetings later this week.

A: Before I jump to Eric, to address Spyros's first question, initially this will be U.S. focused because there's a meeting this week already, but there are many governments around the globe, especially in EMEA, that are also very interested in this topic. So I think this will very quickly branch out, and our intention always was to try to make this as, as widely available as possible, as neutral as possible, and there's even some plans, like in the longer term, to try to get some of the content that exists localized into different languages.

A: So now I'll turn over to Eric, and then we can talk through the rest of Spyros's questions.
G: Yeah, just generally, as part of this, this group, you know, as we're talking about best practices and other components, I mean, certainly the training aspect is a huge part of that, and chopping it into smaller, kind of a series of webinars and other components, is one great way to do this, but one of the things to consider, right, is it has to start at that developer level, and traditional cybersecurity is, is really more focused on the network and infrastructure, rather than somebody learning Java or C++ or COBOL or whatever language.

G: The given, you know, probably don't teach COBOL in college anymore, I'm a little removed from that, but you know just in general, yeah. Well, I mean, it's, yeah, I mean it too. You have to learn it, yeah. You have to take history classes, right, but.

G: Yeah, yeah, I mean I started my career in COBOL, so I could make those jokes, but you know it's, in this conversation point, where you know that development level of, of coding aspect is really the, the key kind of discussion point here.

G: You know that a lot of people don't really think as much about, you see it on TV and a lot of people kind of dismiss them as certain kind of things, and that's just not, not how it should be. But generally, you know, how do we set up a best practice, documentation and a series of webinars outside of this broader discussion this week?

G: That is, just sets, you know, and again, such kind of a standard for what needs to happen for any development project as far as best practices, and one of the big areas I think that needs to be developed out is what the, the actual use cases are for all of these, you know, defining very clearly, you know, what are, what are you trying to achieve? You know, we have.

G: We have a, a charter and all of the other components around what we're trying to achieve at a high level, but actually practically showing them how you apply these practices at each stage.

G: You know, an incorporation with things, you know, I'm a big fan of the SLSA framework, but I mean just incorporation of, of how a developer actually leverages these best practices, rather than just a nebulous training exercise at a high level. It really needs to be contextualized to fit various cases, which I think should be a focus. My opinion, should be a hard focus on some of the material we provide.

A: And that was our intention with the newbies view of a future project we were hoping to eventually start work on. We've never had the time to get around to, but that's, that was sort of the intention, Eric, is to map out different tasks or learning paths or stages in an SDLC and dive in and identify training, documentation, tools that help in those particular areas. David, and then we'll mark down the question from chat.
C: Yeah, so a couple quick notes, first of all, in the defense of poor Jeff Burke, the LF actually has a course on how to develop COBOL. A vast number of people won't get, co, won't get their payroll checks without COBOL, so yeah.

E: No, I, I mean no defense there, that's, yeah, it's the, it, ecosystem is broad and inclusive, and the good thing that creates job security for everyone is that as much as our end clients adopt new technologies, they rarely unplug old ones.

G: Yeah, and I understand that, just, just as a key, you know, defense back against that. As I started my career in COBOL, I know the value of it and a lot of companies still use it. It's just shocking to me that it's something that, you know, kids nowadays are still learning in college, because it's not, not the preferred new technology for a lot of, of 20-somethings, right. So it's, it's.

E: Not, not a lot of people roll out of bed in the morning thinking, boy, what COBOL applications am I going to write today. All right, again, having said that, I'll bring some sparklers to the next meeting, you'd be surprised in the statistics.

C: So, regarding the cybersecurity education not focusing on developers, I think that's absolutely right, but we do need to do the whole shift-left thing. I've commented that a lot of cybersecurity today is essentially turning knobs on the insecurable, hoping that, if you turn the knob just the right way, it'll suddenly become secure. It hasn't worked for several decades. I don't know why we think it's going to start now. I'm not opposed, by the way, to, you know, applying systems thinking. I'm thinking absolutely applied system.

C: Thinking, try to eliminate, you know, vulnerabilities or reduce privileges where you can, but you know, starting from the beginning is a better long-term goal. One of the comments was about, how do we get, you know, not just high level, show how it applies. This is a real challenge, especially when you talk short term. You know, here, here's one hour. I want you to show me exactly how to do all this. Oh, and tell me everything, and you have an hour, something's gonna have to give. It's okay.

C: To do, you know, here's a broad brush, or here we're going to focus on one specific thing, we're, here, we're going to do both and we're going to spend some time, but we're, you know, any. I, I think we're going to need multiple presentations and other materials for different situations, because, you know, I, I don't know, I go back to my engineering experience. I didn't, you know, I didn't get a double-E degree in an hour.

A: And just think about how long Glenn has been adding labs to SKF, and those are more hands-on, and it takes time, and as we move forward on this journey together and trying to figure out ways to get this education and awareness out, you know, kind of the sky's the limit, and you know all patches are welcome, so to Yotam's point, if you know, practical, hands-on training is great.

A: If you have some ideas or if you are interested in trying to put some material together, we're not going to say no. I think everything is useful and different learners are going to learn different ways. Jonathan.
F: Please forgive me, I'm driving. Be careful. The, yeah, I know, I know. One of the things that's, I've been kicking around my head is, and like, how does, you know, it's how to scale security research or knowledge, how to scale security knowledge better, right, and, and you can train a million people or you can just, you know, encode the knowledge that you need to have in an automated. You know, one of the things, you know.

F: First, the knowledge being out there is really important, but how do you encode the knowledge into a system that can automatically apply that knowledge in a way that is useful? And so one of the things that I'm, I'm working on, collaborating with, is the project like Open, OpenRewrite, which I'm trying to encode, for example, there are security vulnerabilities, they follow these common patterns, here's how to rewrite the source code in your project to fix those vulnerabilities.

F: I know that the OpenRewrite project is currently targeting, I believe, COBOL code, because there's a lot of COBOL applications out there that have never been touched, because there's a lot of risk around touching those applications and potentially breaking these very old systems that nobody knows how to fix, and so, if you can throw a recipe that is, okay, you need to update to the newest version of COBOL, here's a bunch of stuff that broke, but we've already written an automated tool that will refactor all your code to, know, to get you updated to the newest version, and you may need to make a few tweaks here or there, but like your risk is going to be much lower because this sort of recipe has been applied.

F: A lot before to solving this problem, you can, you can take that knowledge that is, and encode that in, in these tools to help assist people make those leaps. Security, I'm not just thinking about security vulnerabilities. I'm also saying like just getting people to update, right, update their dependencies, update their tools. That's a big! You know that can be a big lift and a big engineering burden, regardless of the security risk and the awareness of the risks.

C: Silent thoughts, well, they weren't silent on my end. All right, so I actually agree with Jonathan that, where we can, we should absolutely automate what we can, but I don't think it's an A. I think it's an E. I think it's a have-to-have both. The reality is not everything can be put in a tool, and probably, more importantly, is we need to have developers cooperating with the tools and using them in sensible ways. You know, I, you know, hey.

C: I see this rewrite, but I'm going to reject it, because I liked my code and yours looks weird. I can't tell the number of times that I've seen people who don't understand what the tool's doing and as a result the tool is completely ineffective.

A: Read, so now, as we move forward, I hope to.
B: Thanks, I wanted to add one point. One of my biggest difficulties I have is passing, after some security researchers have shown people how to develop a secure software, so they have given them a lot of specs and stuff and those they cannot use, so the people, they said it's not for them. They are not going to do it, and trying to fix that issue.

A: It's going to take a lot of efforts at a lot of different levels, and I think approaching this from different angles is going to make us more successful. You know, talking to researchers, talking to developers, talking to suppliers.

A: Maybe we need to, some of the larger companies that actually contribute a lot to open source, but you need to help them kind of put it as part of their regimes, understanding secure coding practices as well. A lot of different ideas. We have a half hour. What would we like to work on today? We're going to know for David?

F: Follow up on that really quickly. One of the things, that trying to teach people to write secure code is a really great endeavor, but I, one of the things that I rail against quite a bit is the amount of effort and energy that is regularly spent to try to teach people how to write secure code instead of making it so that the defaults are sane and secure by default.

F: The OpenJDK and the extra, the XML parsers in this entire Java standard library are all vulnerable to XXE by default, like why, right? Let's, let's make the defaults secure instead, right, let's go like, I was looking through the Python standard library. The tar, the thing that unzips tar files is, is insecure by default and vulnerable to zip slip, right, like why?

C: Yeah, Jonathan, can I respond with an answer: the reason that they're, the reason that they're making the insecure one the default is because we haven't educated developers to make the default the secure option. It's, it's both. This is not one of those, the, we must choose one or the other. We must choose both, but in fact, in the, in the fundamentals course, and I assume this is also in the SKF for folks.

C: Of course, I haven't, I guess the SKF folks have now pulled in the other course, so by, by at least one measure it's in there. The, the fundamentals course specifically talks about the requirement to make the default approach the secure one, and I think that, that's at least in part the answer, is every time you make a new API, and we're all making new APIs pretty much, you know, the vast majority of time when we're writing new software.

C: But if we, if we don't teach people that, we're, you're just gonna fight that battle after they've already fixed the API and it's hard to change now, and the next person creates a new API they'll do exactly the same thing again, because we're not reaching them, we're, we're fixing the problem afterwards. We want to go as left as we can in the timeline.
D: Have kind of a new topic if you're open to that.

D: Yes, would it be helpful for someone to recruit some early-stage developers and put this in front of them and get their comments on it to make sure that what we're developing is legitimately useful for the target audience, because what we've got here are a whole bunch of people who know this stuff already, frankly, and it's kind of an echo chamber, and we are moderately experienced with talking to other people about it.

D: So we have a pretty good idea of what people need to hear, but I want to make sure that what we're doing is the most effective way to do it, and then, you know, in the future we can talk about, how are we now going to promote this and get in front of people? You know, make it as easy as possible.

D: One click, there's the thing, right, even a microsite, right, anything like that, but thankfully we've got a new marketing person for OpenSSF, Jennifer, who can help us with that sort of stuff. So do you mind if I take that on? I will need, we'll need to open up the document, so people can add their comments to a Google Doc.

C: It's already opened if you've requested it. I, I do have a suggestion, though, though the one-pager isn't quite ready, so Vicky, I would say, recruit people, but don't stick them on it yet, because the sausage is only half made, okay, but, but start, start recruiting people now and then tell them we're, we're in the process of getting a doc ready, once it's more ready we'd love to get your feedback, and, and you know what I, I'm expecting the initial comment is, gee, this isn't the final doc.

C: I have to read other things, that's kind of the point. Yeah, you know, I, I, I am, I am always concerned about the folks who say, I want to be, I want to know everything, I have half an hour.

D: Yeah, that, I'm also rather skeptical of something like that, so yeah, I can start gathering some people and see whether we can't get a pool of maybe max five. We don't want to overload anyone.

C: Yeah, I think two weeks at the earliest. I mean really, I'm not going to get to look at this till next week, and I suspect the same is true for others, but I think anywhere from two to four weeks. Two weeks may be a little ambitious, but four we should certainly be able to do. Yeah.

D: Yeah, okay! Well then, I will, I don't want to recruit people and then put them on hold, because then I'll lose their attention. So once we get more, we get closer to it being done, in a couple of, two, three weeks, we've got, you know, a few things going on aside from that, then I will start to recruit some additional people, and Eric has volunteered his team.

D: I know he's got a bunch of folks who could give a lot of good feedback as well, so we'll try and get a broad, yes, Mr. Krobser, well.
A: Another idea, we do have an awesome series, a virtual flotilla of Linux security conferences coming up in June, all in one week, and if anyone's going, that might be a nice place to mention, hey, do you have five minutes to take a survey after this call, after this meeting? I'll be there, so if you want to give me the questionnaire I'd be glad to ask people, but you know they'll.

C: Yeah, I, I would suggest, do the five focus group and then take their fixes and then bring it out, because you know just, it's easier with a smaller group first, and let's fix those issues before we send it out to a larger group. But I like the idea.

A: All right, so, let's circle back. Spyros, you mentioned EMEA and that definitely is an area we don't want to overlook, and then you talk about what, it makes sense to provide security tools to dev, to make it easier to integrate and consume. So absolutely, and that is one of the ideas that's mentioned in the stream's work. We talked about that.

A: We talked later this week with the government officials, so that, that is an option, is to provide developers easier access to tools, and there are some companies that do that today, and hopefully we might be able to influence others to be more open-minded for open source developers, to allow open source users.

A: So in our last 20 minutes, let's talk about what scenarios we would like to focus on for this newbies project, what types of tasks or learning paths? What types of things we want to start focusing our training on, so, for example.
G: Yeah, well I mean the obvious first answer is always going to be all of the above, but you know, as we kind of start working through this, you know I think code signing is definitely something a lot of developers either.

G: Don't know anything about or kind of peripherally have heard about, but you know always think that's kind of the operations guys' problem, so diving into, you know, the, the tools like Sigstore and kind of giving practical example of not just a walk-through, but actually, you know, potentially something they can step through themselves with an actual task, accompanied maybe by a video.

G: But you know, everybody uses, and this, CI/CD becomes a little more complicated because you just have to pick one, right, there's so many variant tools out there and which ones are, are slightly more popular currently, but I think doing something like just how simple it is to incorporate Snyk or some of these, you know, us, and this should be a series, because if we're gonna do the CI/CD, it should be, well, you have a Jenkins pipeline or you have GitHub Actions.

G: This is how you can secure that, you know, by incorporating a vulnerability tool, we'll start with Snyk. Now you took this other series, one of Sigstore, well, if you've taken that, this is how you incorporate that into, you know, following this previous series, this is how you incorporate that into your, your CI/CD pipeline.

G: Until, you know, the series takes you through these components and configurations, if you're like tools like blue bracket or other things, until you've built out a complete SLSA-compliant kind of CI/CD or SDLC, right, so a series that kind of takes them through the, you have no idea what you're doing with this.

G: Here's the simple task of incorporating this tool, and then this one and this one, now you've got a fully functional, secure CI/CD pipeline, because you followed the series of each one of these individual things, of which has a hands-on element, not just a, you know, follow the PowerPoint, because I, I personally don't learn too well from just following a PowerPoint. I need to actually get my hands into it to do that, and I think a lot of developers are the same.

G: You know they can, yeah, follow the concept, but you know won't really learn anything until they play with it. So that's my opinion. I think it should be a series at that kind of, you know, lower level, single tool at a time, but that it all incorporates into a larger series that gets them fully, over time, gets them kind of fully capable of doing end-to-end SDLC security.

D: I really like the idea of using SLSA as kind of a framework and a basis for, you know, this, when we know, done, is for a first pass on this. It's like, okay, now you know how to make something SLSA-compliant, but you still need to start somewhere. You need a first step, right, and so I'd be interested in hearing from perhaps Jonathan and David as far as what is the most common.

D: What's the lowest-hanging fruit, what's the thing that we can teach people about relatively quickly that is more likely to solve problems, I mean. Is it access control? Is it, I mean, what is so? What is that lowest-hanging fruit, and the people who do this all day, you know, I think, are going to have that insight.

D: I don't, but to me it would be something like access control, but I know.
C: You know, I think, for the out there. I didn't, I didn't mention ops more because on the opposite side there's a lot more stuff already there. I mean you're, you never have enough, there's always things you need to do, but it's the development and distribution parts that I think get shorter shrift on the. If, on the strictly development side, the OWASP Top 10 for web application development and the CWE Top 25 is a darn good place to start.

C: If you look, you'll see things like SQL injections and buffer overflows, they're boring, we all know about them. Well, we, meaning the people who are in this, in this particular meeting. Joe Developer or Joanna Developer has no clue and won't tomorrow either. No one tells him a darn thing. This comes back to Jonathan's point about making it easy. Everybody knows how to do string concatenation, that's easy!

C: That's how we get SQL injections, yay, and you know what, tomorrow string concatenation is still going to be easy and it's still going to have SQL injections, and you, if Jonathan's driving, so let level go to try to not cause him to have an accident. I won't see, Jonathan, no accidents, please. I don't want to see that on the cam, but, but the, the challenge isn't that, it's not hard to use things like prepared statements. The problem is developers have no clue that those exist or why one might use them.

C: So we've made it fairly easy, but we still need to educate the developers to use them, and we also need to make sure that they have the tools to use, and Jonathan has his hands up. So please no accidents, but please carry on.
F
I am close to... I know there's a bunch of effort going on with the Open Source Security Foundation around code signing, and I see the value, but it's not the way that people are primarily getting pwned, you know, right?

It's that OWASP has been very clear for the past several years that the biggest risk to open source, to application security, is, and it continues to be on the list, the Top Ten is, using components with known vulnerabilities, right?

Where do we tackle that problem? I, you know, speaking from the perspective of Gradle, Gradle's story around dependency updating, both from the side of, like, here's how you do it, but also like, hey, here, Gradle, or here, GitHub, here is, you know, 100, 200,000, go solve this problem for, you know, these tools, because these tools don't have the support and they need it in order to solve this endemic, well understood, well-known problem throughout open source. Let's just solve the dependency updating story, and then...

I mean, you don't really want to do OWASP's job because they're already doing it pretty well, I think, but you know that list of, like, here are the top vulnerabilities, the ways that applications get owned, like these are the things that you as a developer should understand and know. That would be a good resource to tackle.

I mean, I just think that it would, you know... I'm trying to figure out, I've been kicking around my head, like, okay, where do I find like a couple hundred thousand dollars to just throw at GitHub or Microsoft, or sorry, not Microsoft, GitHub or Gradle, or you know, to go finish the...
C
Yeah, if I can quickly respond. You know, I agree that, well, clearly using known vulnerable components is a big deal, and you know we have Dependabot and so on, but we need to get those into the various systems. I think people are talking at least about trying to integrate those into, say, the package manager, so you get warned automatically. You know, the more we can put those warnings in front of folks, and ideally, push the button and accept this pull request, that'll fix it.
F
I stopped, yeah. I was popping over to drop my phone in my hand. No, I agree, yeah. To your point, right, getting Dependabot to work right, like those. I think it's enabled by default on new GitHub repositories now, but, you know, it still doesn't... I think so. I know that GitHub has made a bunch of moves in that area. I mean, I think the problem that still exists is that it doesn't support everything, right? It's trying to get the coverage of those tools.

For example, one of the problems with Gradle is that the Gradle ecosystem is not really well set up for Dependabot as a tool, and so I spent much time before, when I was working for Gradle, trying to solve the problem of, like, okay, how do we get these tools to integrate better with what we want to do, like the way that we have dependencies declared?
C
Yeah, and I will say if you integrate with LFX, you also get dependency analysis as well, but your point still stands, and there's a huge number of challenges even with that. Things like, hey, I could update, but it breaks something else, which maybe is a broader educational issue, which is we need to somehow get developers, when they update: please don't break the APIs. A lot of folks: oh, I want to rename, I'll just make everybody rename everything. I mean, how hard is it to rename everything?
C
Well, I've got a million-line program. Actually, it's really a pain in the butt, especially in a dynamic language where, yes, it may have the same name as 12 other methods.
F
There is an effort undergoing, so part of the OpenRewrite project is this idea, this high-level idea that, when developers want to break their APIs, they can also ship rewrite recipes with their APIs to allow the end-user developer to apply patches that will automatically get applied during the update process. I still think that's kind of a pie-in-the-sky sort of dream, like a long-term dream, but it does aim towards the direction of it.

We could aim to shift the industry around not just breaking APIs, but also supplying the, like, here's how to rewrite your code to fix that.
C
Yeah, I was gonna follow on. You know, I'm one of the survivors of the Python 2 to 3 transition. Basically, I have opinions. The Python 2-to-3 transition was a disaster for its first seven years, and really we're still feeling the effects. You know, lots of companies have easily spent tens of millions of dollars for what was mostly, you know, yeah, what didn't help them very much.

The Python developers for several years thought that, hey, I'll just deliver this Python 2-to-3 translation tool and, yeah, the fact that I changed all the interfaces is not a problem, we'll just do it. Well, it turns out that Python isn't statically... isn't, you know, doesn't pre-declare all the variable types, so it was essentially impossible to write a tool that automatically rewrote the code, because it didn't have enough information to do it properly. Although, you know, in cases where you've added type information you have a better fighting chance, it is still challenging, and I would challenge you to rewrite large code bases in Python or Ruby or JavaScript if they don't have type information. Even with type information, it's a challenge.

So Jonathan, I'm not opposed, of course, to having rewrite rules that help you, but past experience has not been kind. People have done this before and shown how it doesn't work much more than they have shown that it works. For a lot of languages, you just don't have the data necessary to do the job well. So, new topic: Vicky.
D
Yeah, briefly, because we've only got four minutes, so I just want to throw the idea out there. Don't need to debate it today, but I'm a technical advisor for Pragmatic Bookshelf, the publisher, and so really what we're discussing is writing a curriculum and resources for, you know, how to do secure software. Why don't we actually just write it and get it published? Do you want me to run it past Pragmatic and see whether they'd be willing to work with us on this?

There would be complications as far as, you know, payments and stuff like that. Maybe that's something we can figure out how to waive, but getting these in actual book form, even just as... they have a lot of these short digest books now that they're publishing. That gives us another way to get it out in front of people, and it makes it easier for professors and other teachers to put it in front of their students if they've got this collection of books: okay, we're working through these now. Is that worth pursuing in the future, not necessarily today? But I'm willing to help if so.
C
I'm not sure, yeah. I mean, I've written two books. I do know the process. You know, honestly, I'm not sure how effective it is in the current world, but I mean we can certainly talk about it. I would not commit to a particular publisher right now. I would kind of, let's talk about what that would cover. I mean, heck, the Fundamentals course could be trivially turned into a book right now. It's a...

If you want to do it that way, in a reformat, the question is effectiveness and so on, but yeah, I wouldn't commit to the publisher first. Let's first talk about what we would publish and then go from there. I know I was approached by several publishers way back when on my secure programming book, but it wasn't clear how effective that mode was today.
A
Yeah, no, I think, well, let's not count it out. That is a potential avenue and, let's, you know, write it down, and as we start to gel and aggregate all this material, we can see what best avenues we have to get it out. Yeah, all right folks, any little closing thoughts as we approach the top of the hour?
D
Oh, no, I certainly wouldn't commit anything there. I know them all personally, so you know I can just bounce some ideas off of them and nothing else. If it's not a good fit, they might know some additional alternatives, because they've been investigating a lot of that stuff themselves. Right.