From YouTube: Education SIG (March 8, 2023)
Description
Agenda – https://docs.google.com/document/d/18GBwvQJNcPnwxKrnp43DhBZC7K1JM0xzGkDoKh5mu8U/edit#
Slack – https://openssf.slack.com/archives/C03FW3YGXH9
Mailing List – https://lists.openssf.org/g/openssf-sig-education
Git Repo - https://github.com/ossf/education
A: All right folks, it's three after the hour. I put the link to the agenda in the chat. Please let me know if you have any items to open. Can I get an assistant that is interested in helping us take notes today?

C: Hey guys, I'm Michael. I'm from a company called deliria. We do space lasers, and yeah, we're a Google spin-out. Good to meet everybody. Welcome, welcome.

A: All right, so I know we've all been waiting around with bated breath for an update on the mobilization plan. So I am pleased to announce that the TAC gave us enough votes to recommend the plan to the governing board, and we are now currently developing the process of how the governing board will be ingesting these requests. So I'm working with Mike Dolan from LF legal, and we're going to have someone assigned to us to help us. There's gonna be a small deck we'll have to build, but very excited, very good final progress. So, ideally, we will have an actual potential funding statement within the next month or so, I hope, fingers crossed. Our friend the foundation brought on a gentleman named Sam Ramji, and he's been kind of helping facilitate process and strategic things. So he's helping move a lot of these things forward, so we're very happy for Sam's help, and ideally we'll get in front of the potential donation, the donators, very soon. Any questions about that?

D: So I'm, I think I already know the answer, because of how many times you couched the lack of process in place right now, but is it safe to assume that the TAC approved the plan as-is, with no changes, to be presented to the company board?

A: Yes, the TAC recommended the plan that the governing board should consider. Okay, and I yet again asked for feedback, because feedback is a gift, and we have not received any presents.

A: All right, next item. Fun fact: the US government released a cybersecurity strategy last week. So now we have a plan to do something, uh, ish. Well, fun fact, section 4.6, you know what it talks about? It talks about developing a national strategy to strengthen our cyber workforce, AKA more education, yay. So I think as we move forward talking with the governing board, this is another excellent data point to encourage people that we are working on the right things and trying to help make things better, so I think that's just going to be excellent supporting evidence for us to continue forward with the plan. As Sal mentioned, it is a pretty decently written doc. It's focused on a lot of U.S. stuff, but overall it echoes things that ENISA and other entities around the world are talking about.

B: I mean, it's a long read. It's super worth the time, though, especially if you want to use it to put yourself to sleep, except for this section. I mean, there were a couple of nice... What I found interesting was that it was holistic and actually understood where vulnerabilities come from, and but I think that holistic element of it, and particularly this focus on both education and environmentalism, that I didn't expect to see in there.

A: If that, I don't know, if the group is interested in more explicitly tying itself to things like the cybersecurity strategy, that's great. I just, I don't know, we're all kind of in limbo waiting for someone with a very prestigious title to hand us a sack of money, so we will see. I know they also talk about grants and scholarships, which is again something that was part of part three of our plan. So there's another potential avenue that we could pursue for funding. We'll see if people are interested in kind of strategizing on how we might incorporate some of that. I'm glad to donate a little time to that, either today or in a future call, or asynchronously via Slack or email. No? Cool, cool. Any additional thoughts?

H: Oh yeah, sure thing, all right. Let me see if I can get my camera on here. Hey folks, it turns out some people out there have already open sourced training material, who knew. I was speaking to the CEO of a tech company about how he onboards interns, and he says he sends them to this website called roadmaps.sh and it does the rest. I thought, I gotta check out those websites. This guy is pretty smart, and it is a fantastic website. It's, you know, it's genuinely an open source set of trainings. I think it does two things really, really well. One is that it curates content in an open and evolving way: everything's hosted on GitHub, lots of links, YouTube videos, you know, tutorials. But the thing that I think is really cool about it is that it actually curates these kind of learning journeys that structure and order the different concepts and tools and tech you need to learn to claim proficiency in a certain area. You know, so their front-end developer track, the first topic is the internet, which I think makes a ton of sense, because you do need to know about that to be a front-end developer, yeah, and it goes through CSS and a bunch of frameworks, and, like all good open source things, it's very transparent about what is a personal recommendation, what is an alternative vendor or library. You know, things are kind of coded on that, but yeah, great resource if you're working with, you know, with people who are new to certain technologies, or you are yourself. Like, I think it's a great resource. There is specifically a cybersecurity track on there. Let me just double check what it's called, because there's more than one. Security, so it's called cyber security expert, and I think that means that there's a lot of little boxes on there. It's basically like an empty taxonomy, really, of topics. I think it's quite traditional in that, you know, it covers a lot of... a lot of it is around kind of, you know, networking knowledge, cryptography, you know, different attack types. It does get a little into kind of, you know, cloud and platform engineering, some of that stuff. But yeah, I think it's a really interesting taxonomy to look at. I think there's an opportunity for us to contribute to it, to link to it in some way, perhaps as we shape out our training. It definitely hasn't already done the work for us, fortunately slash unfortunately, as this track is pretty unpopulated. I definitely, yeah, recommend looking at one of the more populated tracks; the front end stuff, the React stuff, is kind of particularly well known and used. Feel free to ask any questions. I won't have the answers, so I'll ask you a great question, which is kind of like, who's behind it? My understanding is that it was initially The New Stack, so yeah. You know, there should be like a cloud and sort of DevOps, Kubernetes angle, which is pretty cool. But yeah, specifically, it looks like there's one maintainer, as ever with all really good open source projects, plugging away and doing the vast majority of the work. He's a really cool guy, Kamran Ahmed, has a bunch of good YouTube content as well, so yeah, recommend checking them out.

A: And one thing I noticed when I was cruising around the roadmaps: he addresses personas like the front end developer, QA engineer, which is again another learner we were thinking about talking to. I think this is really interesting. What are the rest of the group's thoughts?

B: Yeah, I mean, my point of view. What I would... so when I'm looking at these learner pathways, I'm sorry, it's very loud, but what I want to be able to do is have my personas have a starting and ending point where we make it very clear what it is that we are able to perform on and not. So I think, like, if I got a front-end persona, I want to point them towards that. Have them do everything that's filled out. I think there's a very cool opportunity here to, like, help them with the sub-box of open source security, which again is not going to exist in their curriculum because it doesn't exist anywhere, right. But we also want to look at platforms of high impact, and this is a platform of high impact, so I love the idea of partnering with them, because they are going to have a really good... I mean, they've got a lot of experience communicating to the average GitHub user, which is ideal for us. I like it.

H: You know, I think that's... that will be a really interesting way of doing it, mapping subsets of it to our, I guess, more detailed personas and learners as well.

A: Any additional initial thoughts or comments? Do we want to try to reach out to this fellow and maybe have a chat with them?

H: I'm happy to take responsibility for doing so. Oh, I have some potential other business with him as well, so yeah, very happy to reach out. It feels to me like the best outcome could be... could we... them joining the group.

B: Yeah, I was going to say reach out, temperature check how much anxiety they have over filling out this entire cybersecurity track, and then see if there's a nice relationship there where we explicitly state the shared engagement, because I think most of this information exists out there. They've got maps; it just has to be filled in. But there's that one massive spot, that open source spot, which could fit inside of ionics, and this is my point of view, but I'm sick of having to patch my engineers all the time. It's... Every single persona that's represented here, they got to understand how to not mistypen, that plot live on me. I'm so tired of non-automated vulnerability ingestion. But yeah, I think this is great, and also personally I really like the layout of this, and this might be something to sort of think about in terms of visualizing those learner pathways as we look at SKF.

H: I didn't really put together, which is that there's no open source best practice in this open source training program, right. You know, there's even like an API security piece, but there isn't an open source one, so that's... Different aspects to open source, right, from how to structure a good PR through to how to engage with a community through to the security angle, which I think at the moment is, you know, the hot topic.

A: And remember that one of our goals is to create free and open training materials, so there's definitely an opportunity to cross-collaborate with them, as we will ideally be generating or identifying good open content. Cool, good find, Max. Thank you.

A: So now that we are starting to get a little more momentum and things are happening in the world, I think it's now a good time to start to potentially pick back up on some of our work and start collaborating on some of these things that, you know, don't cost anything, don't have an outlay of an FTE or a tool. So I think I put together a couple suggestions. Is the group interested in trying to collaborate on any of these three areas, or an area of your own suggestion? So thinking about: do we want to refine our personas and start to think about what journeys they want to travel on? Do we want to take a look at the content we have and start to maybe, you know, organize that as, you know, beginner, intermediate, expert, or kind of put them into boxes for the personas? Or do we want to start looking at a gap analysis? Right now we know we're missing some things out of the gate, like QA testing or manager training. So if we want to start to maybe more prescriptively identify some of those gaps. What do we want to do?

B: So we've got this list of matrix, which was meant to... so this is our gap analysis that we did initially. It could use... right now, and especially, there's way more content and a lot more awareness than there was six months ago around security. So we might get to update this, but specifically I would want us to look at the learning personas represented here, because that's how we made our original decision around resources. So if this still makes sense, then we've got a lot to work with here. If it doesn't make sense, let me know, fix it. But I think this needs like an active review from new players, because I think, basically, all the knowledge from anyone that's contributed to this is endless, but I think we need new eyes, new opinions, new resources, if we can, because I missed what Max has, and that would have been great to put in here. So. As we're starting to get this, because this is just a little bit of PR but also useful, I would ask that we go back in and review the learner slash... It was both learner and then professional personas. I'd kind of ask, I think it makes sense for us to write up three, four sentences of each professional persona, prioritized over learner persona, because there's no difference, and as far as we're concerned, the people that want to provide the funding and resources for this only want to do so if they're able to hire. So I think we can much more clearly define the professional personas and just link the learner personas to them.

K: The professional personas, would it be possibly useful to talk to some of the job boards and such, you know, Indeed and so on? I imagine they've already got some pre-created categories; might be useful.

A: Is anyone interested in tracking job board contacts down? Please?

A: And I'm trying to get our current personas visually input on our meeting agenda here.

H: When I look at the learner personas, they're all, like, absolutely valid, but I'm wondering if we can group them in some ways into kind of new to, you know, enterprise software development, right. I don't think it necessarily matters if someone is higher ed or trade school or, you know, job change, right; their actual learning objectives should be fairly similar. You know, otherwise you get to the point where it's like, oh, negot, this boot camp that I will already know about, you know, SSH agent; that goes to this boot camp, they won't. I think that gets pretty tricky. So I wonder if the learner personas may make more sense around kind of entry level, specialization and management, as three groups. Like, when I'm looking at them, that's kind of how I group them, and when you scroll through the check boxes against the different things, there's definitely a lot of commonality between, you know, multiple of the personas aligning with many of them. So I wonder if, like, a grouping like that could help just to rationalize the way that the content gets lined up.

B: As far as I understand, we can actually backtrack and see where the specific personas are bifurcating and creating percentages that make sense. It's easier to do it that way than the other way of having 15 personas and then trying to de-scatter that signal, and it also makes our job easier right now, as we just delineate them into those specific types, yeah. So that might be, I think, rather than reducing the complexity, is a good way for us to step forward. I agree.

J: I also think that it's also, to add to what you're saying, it reduces the operating overhead, if you will, because that's what we've been talking about a lot, is like pick your battles, because you can't win them all, and it gets really expensive to try to win them all.

J: You say even, I, as far as like the SKF platform, LF would rather us start focusing more on, like, entry level content, because when you get to the more complicated stuff it gets trickier. So they would like us to kind of, like, we're building a hierarchy of courses for, like, outside, like the SKF framework, if you will, and we're basically saying all 100 level courses should remain free open source.

H: Foundational content is, by definition, the low-hanging fruit here, so yeah, definitely a plus one on that being an initial focus area.

A: So do we wish to refine the current learner personas into a basic, intermediate, expert style grouping, and/or do we wish to focus on the professional personas? Which path forward is the group interested in pursuing right now, or both? Nothing is... we have a lot of people; nothing to say we can't do both.

A: So the vulnerability disclosure working group has a set of personas around coordinated vulnerability disclosure. The supply chain group, I believe, has a set of personas around supply chain stuff, and those are the only two I'm... and I know that the end user working group wants to make some personas. Sorry, so no one is looking at this with the lens of education and training, right, which doesn't mean to say we can't borrow the SLSA stuff when we get into... we want to do a supply chain education course, we could borrow from there, but I think that's probably not going to start us off super well if we want to look at, you know, foundational stuff.

H: My angle, looking at the content here, is that there is like a security engineer kind of foundational level that really kind of bridges, I agree, a lot of the topics that are out there, and I think, you know, security engineering is a thing that ties most closely with the open source appsec side. You know, as opposed to going hard into network engineer or infrastructure engineering, or, you know, endpoint protection or any of the many other areas; they're probably all represented in that foundational track to a lesser or greater extent. But I do wonder if there is a professional persona that's like entry level, and actually the personas we've got here are more like the intermediate level, sort of branching out from entry level.

E: I guess I was going to probably plus one what Max said, and one of the things that you were thinking of doing is kind of, like, contacting the job boards, but I guess even within those descriptions there might be something that's like a common denominator for some of the personas of some of those jobs that could help inform what should be, like, the basic track, or things that every persona might need to know.

A: So it's sounding like the group is thinking about this kind of kernel of a security engineer foundational role that you would eventually build up other areas of specializations and other trainings from. Do you think that's a good approach? We want to think about that foundational role first and see what we need to do to help serve that learner.

H: The argument not to would be if one of the other personas had a more impactful skills gap, right. If we were saying the real problem is that there is no training for open source project maintainers, or we don't have enough people who know about, you know, cloud security. What I'm seeing from all of the reports, and I mean really the call to action for this initiative within the OpenSSF, is actually at the entry level. You know, it's reach in terms of as many developers as possible having security fundamentals is the biggest gap, but I think we shouldn't be closed to the idea that there might be other areas that are more important. I think that's probably the ongoing assumption. It sounds like the US government agrees with us as well.

A: At least my personal opinion, before I flip over to Jay, is that I don't... every job is important, but, for example, cloud security is something I think we probably could back-burner, because there are other groups that do this, and probably do it better than us kind of pretending to be cloud security at the time, or trying to build those relationships. And I think focusing on that core competency might be a good path for us. I yield the floor to Jay.

I: To what you just said, because I was getting ready to say the exact same thing. I think when we start off with that foundation, I think we got a lot of questions to ask. Due to a large number of layoffs that happened recently, people are asked to do a lot more with a lot less, so what does a foundational education look like today versus what it looked like six months ago, right? You had a lot of individuals that maybe were set on, you know, helping out with risk assessments. Well now they're asked to do not just technical risk assessments, but administrative risk assessments, maybe physical risk assessments. Do they know enough about physical security to do a risk assessment? Because that's a whole other animal unto itself. So what does foundational education look like today versus what it looked like six months ago? I think what could be a good course of action for us right now, maybe a survey, maybe we reach out to the industry to see what exactly the industry is asking its employees to do now versus what it was asking them to do six months ago. I mean, and then, to break off of what CRob said, that foundation could ease... that foundation's changed; there's a crack in the foundation now, right, and we've all experienced it across our different organizations. It's a huge crack now, and you know, it wasn't just in one area or the other. That's my two cents on that.

A: And I agree, Jay, and at least my observation is, with all these major tech company layoffs, there are a substantial amount of jobs in regular folk places: banks, retail, insurance, health care, not necessarily big tech, and that is a slightly different skill set, that you're going to be forced to do things like... maybe you never had to do those physical risk assessments before in your job, historically.

I: Exactly. You'd have to work in finance to understand what that is, but that's the... that is the, I mean, they say the de facto finance cybersecurity framework, right. So if you don't know what the FFIEC is and you're going to be a security professional in finance, and you know, there's been layoffs happening all over the place. Now people are finding jobs in these very niche, or very specific... going to health care, finance, government. There are different rules in each one of these locations, different practices and associates in these locations. You need to know at a foundational level, right. So what does foundation actually look like today, and then what new skills are you teaching somebody who just got laid off from a tech company who's now finding employment in these very specific locations? Right? So all questions we need to ask.

A: So I feel like we've kind of landed on two next steps: defining and refining our security engineer foundation and trying to identify what skills are needed there, and then Jay's idea of this survey of trying to pull information out from the community to see what new things people have been tasked to learn or, you know, what new skills do they need to know. Does the group seem to agree with those two immediate paths forward?

H: Certainly agree here. I think a really good approach I've seen work well in conjunction with doing a sort of a survey, a real data collection, is just to do, you know, like a Delphi method: get five or so subject matter experts together and, you know, get on a Miro board or something and thrash out, like, what does the basic knowledge look like for a security engineer. Time and time again, it's 95% correct compared to when you go away into the real research. I don't know if it might be worth trying to collect a Delphi group of some sort from, you know, within our group here or the wider community, and do that kind of whiteboarding session.

A: So do we have any volunteers to help us lead those two paths forward, to kind of be a little sub-project leader to help us continue our momentum on these two areas? I like the idea of the conversation with a group of experts to help kind of get that 95% list. Jonathan?

G: I have a question, yeah. Thank you. The Delphi group, is this like security at the time... I mean, I've been sitting here in this call, and maybe I missed something because brain, but security is a massive topic, right. So this Delphi group, are people focused on appsec? Because this group... Is this group focused on network security? Is this group focused on, like... there are so many aspects of security that you could come away with a, like, just massively, and so, four hours?

A: Our primary mission is application security and roles that kind of are satellite around open source development, so Kubernetes management, cybersecurity, developer management, that type of stuff, but predominantly we're focused... the core of it is teaching people to write better code and instill better security practices.

G: I am available to be a resource, but I do not have the cycles to run any sort of initiative in this department.

A: Was anyone interested in kind of helping champion the surveys and then the foundation pieces for us, just to help coordinate a call and get some folks to have a little chat? I'll send the note out to the full list after this call, but it's something I would ask everyone here to think about and consider, just to volunteer to lead a couple phone calls so that we can start to make some traction. All right, I saw that we had one more thing on the agenda. Is there any more thoughts on these two paths forward? It seems like we're generally in agreement; we just need to try to find some time to focus on them. Any objections to those two paths?

J: Yeah, I removed it because I thought it'd be better we have this conversation off camera, or off our recording, because, yeah.

A: Okay, well, anyone interested in an exciting conversation about SKF in the next day or so, let me know and we'll set up something, yeah.

K: I can turn the recording off, but I don't think we should do that right now. So.

J: I don't, I don't wanna, I don't wanna publicly start pointing fingers. I mean, I could tell you in a nutshell, like, we are in the process of receiving and organizing SKF funding, and there's a lot of things that come attached to that, and it's a conversation about, kind of, about, you know, for example, LF doesn't want us to duplicate efforts where they already have efforts ongoing, and stuff along those lines. So yeah, well.

K: Well, to be... LF's a big play, like any organization: education folks, they focus on the mechanics of getting... of helping folks get through courses, not the course develop... not the contents of courses. That's okay, because we want people who develop content of courses to be able to focus 100% on that and not on the "I can't log in, how do I fix that?" Correct, which, I mean, somebody does need to do that, but it doesn't need to be the same person.

A: Well, we will have such a thing at the appropriate time. Any additional thoughts or topics we'd like to discuss today in our last 14 minutes together today?

K: Accept it... all right, this is just a replay from the best practices working group. Also there's a very specific thing involving HTML targets and security. There's a section in the current course. There are questions about whether or not this is obsolete, but this is one of those annoying areas where, if it was clearly obsolete, great, let's get rid of it. We no longer have to, you know... something we don't have to explain, because it's handled by default, is the best outcome, except that we haven't been able to confirm that it's obsolete. So if you are familiar with the issues of HTML targets, yep, thank you. You know, and it's also in the notes, I would love to hear from you. I've gotten a lead in on somebody from the Chrome team, but it's remarkably hard to track down. Nobody wants to admit that there is no longer a problem; there used to be a problem. There were people who did things.

F: I also commented on it, David. I also had it in my trainings actually, but I removed it like a whole year ago, because, yeah, when I was doing the training, it didn't work anymore. So it was quite funny, not like, oh look, security and things work. Actually they do solve things, but yeah.

K: Yeah, the light... we still talk about CSRF, but it's no longer the problem it used to be, for example, you think, yeah. You know, thanks to new cookie settings, but so.

K: No, that's actually not the issue. I can't reproduce... I agree with you. I can't reproduce the original stated example, but I've been burned several times. In fact, several... there's a whole bunch of people that fix: "Oh look, the specific code that you use to demonstrate the problem no longer works. Therefore the vulnerability went away," and the answer is no. You didn't understand the problem; change these two characters, the problem reappears. And so have...

F: Yeah, to be honest, I think in this case, I get totally what you mean, as technically an iframe shouldn't be able to read the content where it's iframed in, but because of magic and whatever, that we don't want to go into details again and again, it's possible, and every browser has their own specific exploiting way to craft this and bypass it. And what... so I do get what you're saying, but in this case...

K: Yes, I have not, but I'd love to. I'm not sure who to contact there. I do have one contact; I'm a little... for reasons I don't want to go into here, I'm a little leery of doing that. So.

A: Well, maybe ping Dan Appelquist, since he works with W3C and they have the web people. So maybe he might have a contact over there within the Firefox team that we could talk to, just to validate.

K: Yeah, that's a cool idea. Yeah.

G: Yeah, I had, as much as an aside, fun side story: the Zoom vulnerability I found in 2019, I reported to the Firefox and Chrome team, and the Firefox... I didn't give them the details of who, like what, who was impacted, but they said, this is not a vulnerability in Firefox; this is just a known standard vulnerability, and they published it, and I'm like, no, you can't do that. This thing is still under embargo, like, so, you know, they...

A: All right, any additional thoughts or comments?

A: All right team, thank you for your time today. I'm excited, hesitantly optimistic about our progress moving forward, excited to see us finding some things we can start to continue to work on, and we will talk to you all later, and some of you I'll probably talk for the next two hours with. Cheers. All, thanks.