►
From YouTube: Education SIG (March 8, 2023)
Description
Agenda – https://docs.google.com/document/d/18GBwvQJNcPnwxKrnp43DhBZC7K1JM0xzGkDoKh5mu8U/edit#
Slack – https://openssf.slack.com/archives/C03FW3YGXH9
Mailing List – https://lists.openssf.org/g/openssf-sig-education
Git Repo - https://github.com/ossf/education
A
C
A
D
B
C
A
A
B
F
A
C
A
All
right
so
I
know,
we've
all
been
waiting
around
with
faded
breath
on
an
update
on
the
mobilization
plan.
So
I
am
pleased
to
announce
that
the
TAC
gave
us
enough
votes
to
recommend
the
plan
to
the
governing
board
and
the
we
are
now
currently
developing
the
process
of
how
the
governing
board
will
be
ingesting.
A
These
requests
so
I'm
working
with
Mike
Dolan
from
LF
legal
and
we're
going
to
have
someone
assigned
to
us
to
help
us
there's
gonna,
be
a
small
deck,
we'll
have
to
build,
but
very
excited,
very
good,
final
progress.
So,
ideally,
we
will
have
an
actual
potential
funding
statement
within
the
next
month
or
so
I
hope
fingers
crossed
our
friend
the
foundation
brought
on
a
gentleman
named
Sam
ramji
and
he's
been
kind
of
helping
facilitate
kind
of
process
and
strategic
things.
D
A
A
A
All
right
next
item
fun
fact:
the
US
government
released
a
cyber
security
strategy
last
week.
So
now
we
have
a
plan
to
do
something:
uh-ish
well,
a
fun
fact
section
4.6,
you
know
what
it
talks
about.
It
talks
about
developing
a
national
strategy
to
strengthen
our
cyber
Workforce
AKA,
more
education,
yay,
so
I
think
as
we
move
forward
talking
with
the
governing
board.
A
This
is
another
excellent
data
point
to
encourage
people
that
this
we
are
working
on
the
right
things
and
trying
to
help
make
things
better,
so
I
think
that's
just
going
to
be
excellent,
supporting
evidence
for
us
to
continue
forward
with
the
plan.
As
Sal
mentioned,
it
is
a
pretty
decently
written
Doc.
It's
a
focused
on
a
lot
of
U.S
stuff,
but
overall
it
echoes
things
that
emissa
and
other
entities
around
the
world
are
talking
about.
B
I
mean
it's
a
long
read.
It's
super
worth
the
time,
though,
especially
if
you
want
to
use
it
to
put
yourself
to
sleep,
except
for
this
section,
I
mean
there
were
a
couple
of
nice.
What
I
found
interesting
was
that
it
was
holistic
and
actually
understood
where
vulnerabilities
come
from
and
but
I
think
that
holistic
element
of
it,
and
particularly
this
focus
on
both
education
and
environmentalism,
that
I
didn't
expect
to
see
in
there.
B
A
If
that
I
don't
know,
if,
if
the
group
is
interested
in
more
explicitly
tying
itself
to
things
like
the
cyber
security
strategy,
that's
great
I,
just
I,
don't
know
we're
all
kind
of
in
limbo.
Waiting
for
someone
with
a
very
prestigious
title
to
hand
us
a
sack
of
money,
so
I
will
see.
I
know
they
also
talk
about
grants
and
scholarships,
which
is
again
something
that
was
part
of
part
three
of
our
plan.
A
A
H
Oh
yeah
sure
thing
all
right.
Let
me
see
if
I
can
get
my
camera
on
here,
hey
folks,
it
turns
out
some
people
out.
There
have
already
open
source
training
material
who
knew
I
was
speaking
to
the
CEO
of
a
tech
company
about
how
he
on
boards
interns,
and
he
says
he
sends
them
to
this
website
called
roadmaps.sh
and
it
does
the
rest.
I
thought
I
gotta
check
out
those
websites.
This
guy
is
pretty
smart
and
it
is
a
fantastic
website.
H
It's
you
know
it's
it's
genuinely
an
open
source
set
of
trainings
I
think
it
does
two
things
really
really
well
one
is
that
it
curates
content
in
a
open
and
evolving
way,
everything's
hosted
on
GitHub
lots
of
links,
YouTube
videos,
you
know
tutorials,
but
the
thing
that
I
think
is
really
cool
about
it
is
that
it
actually
curates
these
kind
of
learning,
Journeys
that
structure
and
order
the
different
concepts
and
tools
and
Tech.
You
need
to
learn
to
claim
Proficiency
in
a
certain
area.
H
You
know
so
they're
front-end
developer
track.
The
first
topic
is
the
internet,
which
I
think
makes
a
ton
of
sense,
because
you
do
need
to
know
about
that
to
be
a
front-end
developer,
yeah
and
it
goes
through
CSS
and
a
bunch
of
framework
works
and,
like
all
good,
open
source
things,
it's
very
transparent
about
what
is
a
personal
recommendation.
What
is
an
alternative
vendor
or
Library?
H
You
know
things
are
kind
of
coded
on
that,
but
yeah
great
resourcing,
if
you're
working
with
you
know
with
with
people
who
are
new
to
to
certain
Technologies
or
you
are
yourself
like
I-
think
it's
a
great
resource.
There
is
specifically
a
a
cyber
security
track
on
there.
Let
me
just
double
check
what
it's
called,
because
there's
more
than
one.
H
Security,
so
it's
called
cyber
security
expert
and
I.
Think
that
means
that
there's
a
lot
of
little
boxes
on
there,
it's
basically
like
an
empty
like
taxonomy,
really
of
topics,
I
think
it's
quite
traditional
in
that
you
know
it
covers
a
lot
of
the
a
lot
of
it
is
around
kind
of
you
know,
networking
knowledge
cryptography.
You
know
different
attack
types,
it
does
get
a
little
into
kind
of.
H
You
know
cloud
and
platform
engineering,
some
of
that
stuff,
but
yeah
I
think
it's
a
really
interesting
taxonomy
to
look
at
I.
Think
there's
an
opportunity
for
us
to
to
contribute
to
it
to
link
to
it
in
some
way.
Perhaps
as
we
shape
out
our
training,
it
definitely
hasn't
already
done.
The
work
for
us,
fortunately
slash.
Unfortunately,
as
this
track
is
pretty,
is
pretty
unpopulated.
H
A
B
Yeah
I
mean
my
point
of
view.
What
I
would
so
when
I'm
looking
at
these
learner,
Pathways
I'm,
sorry,
it's
very
loud,
but
what
I
want
to
be
able
to
do
is
have
my
personas
have
a
starting
and
ending
point
where
we
make
it
very
clear
what
it
is
that
we
are
able
to
perform
on
and
not
so
I
think
like
if
I
got
a
front-end,
Persona
I
want
to
point
them
towards
that.
Have
them
do
everything?
H
H
B
Yeah
I
was
going
to
say
Reach
Out
temperature
chest
how
much
anxiety
they
have
over
filling
out
this
entire
cyber
security
track
and
then
see.
If
there's
a
nice
relationship
there,
where
we
explicitly
State
the
shared
engagement,
because
I
think
I
think
most
of
this
information
exists
out
there
that
they've
got
Maps
just
has
to
be
filled
in,
but
there's
that
one
massive
spot
that
open
source
spot
which
could
fit
inside
of
ionics-
and
this
is
my
point
of
view
but
I'm
sick
of
having
to
patch
my
Engineers
all
the
time.
It's.
F
B
Every
single
Persona
that's
represented
here
they
got
to
understand
how
to
not
mistypen.
That
plot
live
on
me,
I'm,
so
tired
of
non-automated
vulnerability
ingestion
but
yeah
I
think
this
is
great
and
I.
Also
personally
I
really
like
the
layout
of
this,
and
this
might
be
something
to
sort
of
think
about
in
terms
of
those
visualizing
those
learner
Pathways.
As
we
look
at
skm.
A
A
A
Maybe
put
you
know
organize
that,
as
you
know,
enter
your
beginner
intermediate
expert
or
kind
of
put
them
into
boxes
for
the
personas,
or
do
we
want
to
start
looking
at
a
gap
analysis
right
now
we
we
know
we
have
we're
missing
some
things
out
of
the
gate
like
QA
testing
or
manager
training.
So
if
we
want
to
start
to
maybe
more
prescriptively
Identify
some
of
those
gaps,
what
do
we
want
to
do.
A
I
B
So
we've
got
this
list
of
Matrix,
which
was
meant
to
so.
This
is
our
Gap
analysis
that
we
did
initially.
It
could
use
right
now
and
especially,
there's
way
more
content
and
a
lot
more
awareness
than
there
was
six
months
ago
around
security.
So
we
might
get
to
update
this,
but
specifically
I
would
want
us
to
look
at
the
learning
personas
represented
here,
because
that's
how
we
made
our
original
decision
around
resources.
B
B
But
I
think
this
needs
like
an
active
review
from
new
players,
because
I
think,
basically,
all
the
knowledge
from
anyone
that's
contributed
to
this
is
endless,
but
I
think
we
need
new
eyes
new
opinions,
new
resources,
if
we
can,
because
I
missed
what
Max
has-
and
that
would
have
been
great
to
put
in
here.
So.
J
B
It
was
both
learner
and
then
professional,
personas,
I'd
kind
of
ask
I
think
it
makes
sense
for
us
to
write
up
a
three
four
sentences
of
each
professional
persona
prioritized
over
learner
Persona,
because
there's
no
difference
and
as
far
as
we're
concerned,
the
people
want
to
provide
the
funding
and
resources,
for
this
only
want
to
do
so.
If
they're
able
to
hire
so
I
think
we
can
much
more
clearly
Define
the
professional
personas
and
just
link
the
learner
personas
to
them.
B
A
K
G
A
K
J
A
B
H
H
So
I
wonder
if
the
learner
personas
may
make
more
science
around
kind
of
entry
level,
specialization
and
management,
as
three
groups
like
when
I'm
looking
at
them,
that's
kind
of
how
I
group
them
and
when
you
scroll
through
the
the
check
boxes
against
the
the
different
thing,
there's
definitely
a
lot
of
commonality
between
you
know
multiple
of
the
personas
aligning
with
many
of
them.
So
I
wonder
if,
like
a
grouping
like
that,
could
could
help
just
to
to
rationalize
the
way
that
the
content
gets
lined
up.
B
As
far
as
I
understand,
we
can
actually
backtrack
and
see
where
the
specific
personas
are
bifurcating
and
creating
percentage
that
make
sense
it's
easier
to
do
it
that
way
than
the
other
way
of
having
15
personas
and
then
trying
to
de-scatter
that
signal,
and
it
also
makes
our
job
easier
right
now,
as
we
just
delineate
them
into
those
specific
types
yeah.
So
that
might
be
I
think
rather
than
reducing
the
complexity
is
a
good
way
for
us
to
step
forward.
I
agree.
J
J
You
say
even
I
as
far
as
like
the
SKF
platform.
Lf
would
rather
us
start
focusing
more
on
like
entry
level
content,
because
when
you
get
to
the
more
complicated
stuff
it
it
gets
trickier.
So
they
would
like
us
to
kind
of
like
we're
building
a
hierarchy
of
courses
for
like
outside,
like
a
the
SKF
framework.
If
you
will
and
we're
basically
saying
all
100
level
courses,
she
didn't
remain
free
open
source.
H
C
A
So
do
we
wish
to
refine
the
current
learner
personas
into
a
basic
intermediate
expert
style
grouping,
and
or
do
we
wish
to
focus
on
the
professional
personas
which
which
path
forward?
Is
the
group
interested
in
pursuing
right
now
or
both?
Nothing
is
we
have
a
lot
of
people,
nothing
to
say
we
can't
do
both.
H
A
So
the
vulnerability
disclosure
working
group
has
a
set
of
personas
around
coordinated
vulnerability.
Disclosure,
the
supply
chain
group
I
believe,
has
a
set
of
personas
around
supply
chain
stuff
and
those
are
the
only
two
I'm.
A
and
I
know
that
the
end
user
working
group
wants
to
make
some
personas.
A
Sorry,
so
no
one
is
looking
at
this
with
the
lens
of
Education
and
Training
right,
which
isn't
doesn't
mean
to
say
we
can't
borrow
the
salsa
stuff
when
we
get
into.
We
want
to
do
a
a
supply
chain.
Education
course
we
couldn't
borrow
from
there,
but
I
think
that's
probably
not
going
to
start
us
off
super.
Well.
If
we
want
to
look
at
you
know,
foundational
stuff.
C
H
My
agent
looking
at
the
the
content
here,
is
that
there
is
like
a
security
engineer,
kind
of
foundational
level
that
really
kind
of
bridges.
I
agree
a
lot
of
the
topics
that
are
out
there
and
I
think
you
know.
Security
engineering
is
a
thing
that
that
ties
most
closely
with
with
the
open
source,
appsec
side.
H
You
know,
as
opposed
to
going
hard
into
network
engineer
or
infrastructure
engineering,
or
you
know,
endpoint,
production
or
or
any
of
the
many
other
areas,
then
they're,
probably
all
represented
in
that
foundational
track
to
lesser
a
greater
extent.
But
I
do
I.
Do
wonder
if
there
is
a
professional
persona.
It's
like
entry
level
and
and
actually
the
personas
we've
got
here,
are
more
like
the
the
intermediate
level
sort
of
branching
out
from
from
entry
level.
E
I
guess
I
was
going
to
probably
plus
one
what
Max
said
and
one
of
the
things
that
you
were
gonna
thinking
of
doing
is
kind
of
like
contacting
the
job
boards,
but
I
guess
even
within
those
descriptions.
There
might
be
something
that's
like
a
common
denominator
for
some
of
the
personas
of
some
of
those
jobs
that
could
help
inform
what
should
be
like
the
basic
track
or
things
that
every
Persona
might
need
to
know.
A
So
it's
it's
sounding
like
the
group
is
thinking
about
this
kind
of
Kernel,
of
a
security
engineer,
foundational
role
that
you
would
eventually
build
up,
other
areas
of
specializations
and
other
trainings
from
do
you
think?
That's
a
good
approach.
We
want
to
think
about
that
foundational
role
first
and
see
what
we
need
to
do
to
help
serve,
that
learner.
H
H
What
I'm,
seeing
from
all
of
the
the
reporter
and
I
mean
really
the
call
to
action
for
for
the
this
initiative
within
the
open.
Ssf
is
actually
it
is
at
the
entry
level.
You
know
it's.
It's
reek
in
terms
of
as
many
developers
as
possible
having
security
fundamentals
is
the
biggest
Gap,
but
I
think
we
shouldn't
be
close
to
the
idea
that
there
might
be
other
areas
that
are
more
important,
I.
Think
that's
probably
the
ongoing
assumption.
It
sounds
like
the
US
government
agrees
with
us
as
well.
A
At
least
my
personal
opinion
before
I
flip
over
to
Jay
is
that
I
don't
every
job
is
important,
but,
for
example,
Cloud
security
is
something
I
think
we
probably
could
back
burner,
because
there
are
other
groups
that
do
this,
and
probably
do
it
better
than
us
kind
of
pretending
to
be
Cloud
security
at
the
time
or
trying
to
build
those
relationships
and
I.
Think
focusing
on
that
core
competency
might
be
a
good
path
for
us.
I
yield
the
floor
to
Jay.
I
To
what
you
just
said,
because
I
was
getting
ready
to
say
the
exact
same
thing,
I
think
when
we
start
off
with
that
Foundation
I
think
we
got
a
lot
of
questions
to
ask
due
to
a
large
number
of
layoffs
that
happen.
Recently,
people
are
asked
to
do
a
lot
more
with
a
lot
less
so
so
what
does
a
foundational
education
look
like
today
versus
what
it
looked
like
six
months
ago,
right
You
had
a
lot
of
individuals
that
maybe
were
were
set
on.
You
know
helping
out
with
risk
assessments.
I
Well
now,
they're
asked
to
do
not
just
technical
risk
assessments,
but
administrative
risk
assessments.
Maybe
physical
risk
assessments
do
they
know
enough
about
physical
security
to
do
a
risk
assessment
because
that's
a
whole
other
animal
into
itself.
So
what
is
foundational
education
look
like
today
versus
what
it
looked
like
six
months
ago.
I
I
think
we
might
what
could
be
a
good
course
of
action
for
us
right
now,
maybe
a
survey,
maybe
we
reach
out
to
the
industry
to
see
what
exactly
they're
asked,
what
exactly
the
industry
is
asking
its
employees
to
do
now
versus
what
it
was
asking
them
to
do.
Six
months
ago,
I
mean
it's
and
then
the
break
off
of
what
crop
said.
That's
foundationally
that
Foundation
could
ease
that
foundation's
changed,
there's
a
crack
in
the
foundation.
Now
right
and
and
we've
all
experienced
it
across
our
different
organizations.
I
A
And
I
I
agree
Jay
and
at
least
my
observation
is
with
all
these
major
tech
company
layoffs.
There
are
a
substantial
amount
of
jobs
in
regular
folk
places,
Banks
retail,
Insurance,
Health
Care,
not
necessarily
big
Tech,
and
that
is
a
slightly
different
skill
set
that
you're
going
to
be
forced
to
do
things
like.
Maybe
you
never
had
to
do
those
physical
risk
assessments
before
in
your
job?
Historically,.
I
I
Exactly
you'd
have
to
work
in
finance
to
understand
what
that
is,
but
that's
the
that
is
the
I
mean
they
say
the
de
facto
Finance
cyber
security
framework
right.
So,
if
you
don't
know
what
the
ffi
you
see
is
and
you're
going
to
be
a
security
professional
in
finance-
and
you
know,
there's
been
layoffs
happening
all
over
the
place.
Now
people
are
finding
jobs
in
these
very
these
very
Niche,
or
very
specific,
going
to
Health
Care
Finance
government.
I
There
are
different
rules
in
each
one
of
these
locations,
different
different
practices
and
Associates
these
locations.
You
need
to
know
at
a
foundational
level
right.
So
what
does
foundation
actually
look
like
today
and
then
what
new
skills
are
you
teaching
somebody
who
just
got
laid
off
from
a
tech
company
who's
now
finding
employment
in
these
very
specific
locations?
Right?
So
all
questions
we
need
to
ask.
A
So
I
feel,
like
we've
kind
of
landed
on
two
next
steps
is
defining
and
refining
our
engineer,
security,
engineer,
Foundation
and
trying
to
identify
what
skills
are
needed
there
and
then
Jay's
idea
of
this
survey
of
trying
to
pull
information
out
from
the
community
to
see
what
new
things
people
have
been
tasked
to
learn
or
you
know
what
new
skills
do
they
need
to
know?
Does
that
does
the
group
seem
to
agree
with
those
two
immediate
pass
forward.
H
G
I
have
a
question
yeah.
Thank
you,
the
Delphi
Group.
Is
this
like
security
at
the
time,
I
mean
I've
been
sitting
here
in
this
call,
and
maybe
I
missed
something
because
brain,
but
so
here
he's
a
massive
topic
right.
So
this
Delphi
Group
people
focused
on
app
set
because
this
group
dealt.
Is
this
group
focused
on
network
security?
Is
this
group
focused
on
like
there
are
so
many
aspects
of
security
that
you
could
come
away
with
a
like
just
massively
and
so
four
hours?
A
A
J
A
F
J
J
I,
don't
I,
don't
wanna
I,
don't
wanna
publicly
start
pointing
fingers.
I
mean
I
could
tell
you
in
a
nutshell,
like
we
are
in
the
process
of
receiving
and
organizing
SKF
funding
and
there's
a
lot
of
things
that
come
attached
to
that,
and
it's
a
conversation
about
kind
of
about.
You
know,
for
example,
LF
doesn't
want
us
to
duplicate
efforts
where
they
already
have
efforts
ongoing
and
stuff
along
those
lines.
So
yeah
well.
J
K
D
E
K
K
Well,
to
be
lf's
a
big
play
like
any
organization
education,
folks,
they
focus
on
the
mechanics
of
getting
of
of
helping
folks
get
through
courses,
not
the
course
develop.
Not
the
contents
of
courses,
that's
okay,
because
we
want
people
who
develop
content
of
courses
to
focus
on
be
able
to
focus
100
on
that
and
not
on
the
I
can't
log
in
how
do
I
fix
that
correct,
which
I
mean
somebody
does
need
to
do
that,
but
it
doesn't
need
to
be
the
same
person.
C
K
K
K
There
are
questions
about
whether
or
not
this
is
obsolete,
but
this
is
one
of
those
annoying
areas
where,
if
it
was
clearly
obsolete,
great,
let's
get
rid
of
it.
We
no
longer
have
to
you
know
something
we
don't
have
to
explain,
because
it's
handled
by
default
is
the
best
outcome,
except
that
we
haven't
been
able
to
confirm
that
it's
obsolete.
K
So
if
you
are
familiar
with
the
issues
of
HTML
targets,
yep
thank
you
I.
You
know,
and
it's
also
in
the
notes
I
would
love
to
hear
from
you.
I've
gotten
a
lead
in
on
somebody
from
the
Chrome
team,
but
it's
remarkably
hard
to
track
down.
Nobody
wants
to
admit
that
some
that
there
is
no
longer
a
problem
there
used
to
be
a
problem.
There
was
people
who
did
things.
F
F
K
F
K
No,
that's
actually
not
the
issue.
I
can't
reproduce
you
I
agree
with
you.
I
can't
reproduce
the
original
stated
example,
but
I've
been
burned
several
times.
In
fact,
several
there's
a
whole
bunch
of
people
that
fix
Oh.
Look
The,
Specific
code
that
you
use
to
demonstrate.
The
problem
no
longer
works.
Therefore
the
vulnerability
went
away
and
the
answer
is
no.
You
didn't
understand
the
problem,
change
these
two
characters,
the
problem
reappears
and
so
have.
F
F
Yeah,
to
be
honest,
I
think
in
this
case,
I
get
totally
what
you
mean
as
technically.
An
iframe
shouldn't
be
able
to
read
the
content
where
it's
iframed
in,
but
because
of
magic
and
and
whatever
that
we
don't
want
to
go
into
details
again
and
again,
it's
possible
and
every
browser
has
their
own
specific,
exploiting
way
to
craft
this
and
bypass
it.
And
what
so
I
do
get.
What
you're
saying,
but
in
this
case.
I
K
K
A
K
A
G
G
Yeah
I
I
had
as
much
as
an
aside
fun,
fun
Side
Story,
my
the
zoom
vulnerability
I
found
in
in
in
2019
I
reported
to
the
Firefox
and
chrome
team,
and
the
Firefox
I
didn't
give
them
the
details
of
who
like
what
who
was
impacted,
but
they
they
said
this.
This
is
not
a
vulnerability
in
Firefox.
This
is
just
a
known
standard
vulnerability
and
they
published
it
and
I'm
like
no.
You
can't
do
that.
This
thing
is
still
under
embargo
like
so
you
know
they.
G
A
All
right
team.
Thank
you
for
your
time
today.
I'm
excited
hesitantly
optimistic
about
our
progress.
Moving
forward
excited
to
see
us
finding
some
things.
We
can
start
to
continue
to
work
on,
and
we
will
talk
to
you
all
later
and
some
of
you
I'll
probably
talk
for
the
next
two
hours
with
cheers.
All
thanks.