►
Description
Meeting minutes: https://docs.google.com/document/d/1Lt8uGpiMFfgws8VF36xtTMaJAeHufha-7Dqz1tjrPGY/edit#heading=h.naeeah7jeanr
B
B
Please
go
also
to
our
meeting
notes
and
agenda
notes
to
mark
your
presence
as
well
and
Market
black
for
some
I
already
did
because
I
see
them
for
others,
I,
don't
yeah
all
right,
perfect
yeah!
Do
we
have
any
new
friends
I,
don't
think
so.
It's
probably
the
same
Usual
Suspects
as
always
right,
yeah,
all
right.
B
B
Currently
we
are
covering
and
who
already
have
like
the
Java,
node.js
Andy
Python,
and
what
we
have
is
actually
the
explanation
of
vulnerabilities
and
we
also
have
the
exploits
how
to
do
actually
the
exploits
for
it.
Currently.
What
we
do
not
have
yet-
and
this
is
actually
a
question
that
I
wanted
to
ask
here-
are
also
the
correct
implementations
for
that
specific
functionality
or
vulnerability.
B
In
the
past,
what
we
do
and
what
we
decided
was
actually
not
to
include
also,
you
know
the
fixes
so
take.
For
example,
cross-site
request,
forgery
python.
So
here
we
have
the
average
space
the
explanation
of
what
is
the
vulnerability.
What
is
the
issue
give
any
more
background,
then
we
have
a
chapter
of
exploitation.
So
what
is
actually
wrong
and
working
on
a
hacker
do
and
Achieve
with
this
stuff,
but
I
feel
we
might
also
want
actually
to
include
like
the
secure
implementations.
As
as
what
should
a
developer
do
in
the
past.
B
C
B
D
B
A
I
would
I
would
say
that
this
would
like
it's
difficult
because,
like
for
there's,
some
of
them,
that
we
don't
have
implementations
in
multiple
languages.
So
this
reality
is
that
we
would
have
to
like
guide
people
like
point
it
out
like
how
would
you
go
about
like
fixing
the
lab
like?
This
is
how
we
would
go
about
fixing
the
lab,
so
I
think
that
we
could
do
that.
I
think
the
idea
is
great.
B
A
C
E
A
On
the
other,
you
know
and
I
know
that
that
that's
very
impractical
and
that's
like
bad
user
UI,
ux,
whatever
like
so
I,
know
that
that's
something
that
okiki's
trying
to
present
some
ideas
on
what
potentially
could
happen
and
how
we
could
organize
this
so
that
you
have
it
like
side
by
side
and
that's
what
I'm
saying.
I
think
that
this
is
what
we
were
talking
about
like
if
you
did
want
to
have
guidance
like
if
you
did
want
to
have
like
the
UI,
where
you're
pointing
out
and
you're.
A
Like
click
this
button,
you
need
to
be
in
control
of
that
UI.
So
I
think
that
it's
a
good
idea.
I
just
think
that
and
I
think
it
should
be
done,
but
I
think
a
it
has
to
be
guided
because
we
don't
have
implementations
in
every
single
language
yet
and
even
if
we
did
even
if
we
did
I,
think
the
big
question
would
be
like
how
much
more.
Are
you
really
gaining
from
some
of
these
basic
examples?
A
B
Yeah,
we
could
also
say,
depending
on
I,
don't
know
the
the
profile
and
the
what
stream
one
is
actually
doing.
We
could
say
we
only
present
like
a
part
of
the
edible,
the
content
material.
If
you
say
hey,
my
profile
is
I'm
an
advanced
person
yeah
then
you
maybe
only
get
like
this
first
part
right
or
right,
because
the
medium
one
then
type
of
person
you
get
a
post
and
a
second
part
or.
A
You
are
right,
abishay,
we
are
building
and
we're
trying
to
fit
everything
in
a
graph
database,
but
then
there's
the
question.
So
a
graph
database
has
nodes
right
and
basically,
what
we're
we're
our
graph
database
is
cataloging
different
pieces
of
knowledge.
However,
the
question
that
I
would
like
to
open
up
for
this
group
that
relates
to
this
is
okay,
so
before
the
lab,
could
we
pull
up
like
Glenn
like
an
entry
of
a
or
wstg
like
like
4.1.1
like
the
just
the
basic
one,
because
basically
a
node
is
a
single
knowledge
object.
A
So,
for
example,
you
would
have
like
an
entry
from
wsdg
I
I
I
could
send
an
example
if
you'd
like,
but
basically
how
are
we
gonna
split?
That
up
is
the
question
because
it
is
a
standard,
it
is
an
entry.
It
is
a
thing.
You
know
it
is
a
concept.
It
is
a
core
concept
like
any
of
those
any
like
four
anything,
that's
like
chapter
or
section,
four
yeah,
but
you
see
exactly
like
that,
so
you
have
like
summary:
you
have
how
it
works.
A
A
Because
this
can
be
saved
as
like
a
single
data
object
so
where
you
basically
just
have
you
know
like
the
the
ID
and
just
the
the
name,
and
this
and
that's
it,
you
know-
or
we
could
split
this
up
where
each
entry
will
have,
for
example,
a
summary
or
a
description
and
then
maybe,
like
you
know,
a
demonstration
piece
or
so
I.
Don't
know
I'm
just
talking
on
my
rear,
but
you
got
my
point
ideally
ideally
I.
Imagine
that
we
would
want
to
break
them
down,
but
then
it's
then
it's
a
question
of
okay.
B
But
the
question
is:
how
are
all
the
other
materials
structured
right?
How
do
we
indeed
break
those
down
again
because
we
can
make
an
approach
for
this
one,
but
it
feels
then
that
we
need
to
have
a
sort
of
different
approach
for
all
the
different
type
of
materials
that
we
are
going
to
and
before
we
continue
Christine.
You
have
your
hand
up
sorry.
C
E
C
E
I
was
wondering,
if
have
you
ever
had
a
chance
to
actually
interview
or
folks
who
are
actually
consuming
the
content
and
see
what
they
might
wish,
like.
Maybe
interviewing
different
types
of
folks,
maybe
like
the
folks
who
are
trying
who
are
new
to
security
and
just
get
a
sense
of
what
they
are
looking
for.
Have
you
had
the
chance
to
do
that
in
the
past.
B
That's
a
good
question.
So
actually
you
know
because
currently
you
know
I
work
at
a
company
where
we
are
using
this
platform
already
for
like
more
than
three
years,
we
have
like
I,
don't
know
like
three
four
hundred
people
actually
trained.
You
know
in
a
secure
development
using
these
labs
and
the
feedback
that
we
dare
get
it's
a
bit
like.
B
Indeed,
Randall
was
saying
the
more
senior
people
they
like
to
play
around
and
figure
it
out
themselves
yeah,
but
we
do
see
that
indeed
for
the
more
Juniors
yeah
they're
struggling
and
then
you
know,
sometimes
we
see
that
they
would
go
to
a
stack
Overflow
or
whatever
copy
a
piece
of
snippet
there
and
then
try
to
embed
that
to
see
if
it
solves
the
issue
and
yeah.
So
it
is
a
bit
both
right
then
yeah.
A
Another
thing
I
want
to
point
out.
Another
thing
that
we've
or
I've
kind
of
observed
is
that
you
really
have
like
multiple
levels
or
different
types
of
security
training,
depending
on
like
what
generation
you
were
taught.
So
that's
another
big
thing
for
us
because,
like
the
new
people
that
are
just
coming
in
they're
being
told
a
lot
of
crazy
stuff
to
not
call
it
something
else
of
like
oh
security,
doesn't
involve
any
coding,
you
don't
have.
You
could
be
allergic
to
coding
and
be
in
the
security
business.
A
That's
a
hundred
percent
fine
and
we're
talking
like
top
universities
that
are
telling
this
to
students
and
I'm,
not
saying
that.
Maybe
there
is
a
version
now
of
security
where
you
don't
have
to
code
or
you
be
like
not
knowing
how
code
works
is
okay
but,
like
still
you
know
what
I
mean
because,
like
I'll
be
honest,
I
do
I,
have
had
a
lot
of
Engagement
with
brand
new
graduates
and
they're
allergic
to
command
line.
E
A
E
A
And
to
add
context,
I
think
that's
the
direction.
We
need
to
move
it
because
in
reality
for
like
seasoned
people
like
so
I,
don't
know
if
you
know
this,
but
SKF
has
its
own
operating
system
called
hack,
OS.
So
for
seasoned
people
you
could
just
like
give
them
hack,
OS
and
be
like
go
figure
it
out
and
for
seasoned
people.
That's
fine
for
older
people,
that's
fine,
but
for
somebody
new,
that's
like
what
do
you
want
me
to
do
like
there's,
no
Arrow
or
flashing
button.
B
A
It's
like
it's
like
Christine
I,
don't
know
if
you
know
the
I'm
sure
you
know
about
Kali
Linux
and
how
a
lot
of
people
think
that
everyone
that
works
in
this
business
uses
Cali
and
it's
like.
No,
that's
a
learning
tool
that
just
is
meant
for
you
to
look.
Learn
it's
not
like.
You
really
are
going
to
have
this
operating
system
with
a
bunch
of
exploits
installed
and
using
that
on
a
daily
basis,
that'd
be
terrible.
A
There's
just
a
lot,
they
said,
there's
just
a
different
level
of
expectation
in
different
generations
and
I
think
that
that's
something
we
also
have
to
be
aware
of
too,
because
there's
also
different
learning
styles,
you
know,
there's
the
people
that
need
the
Hands-On.
You
know
there's
other
people
that
learn
better
with
lecture.
You
know
which
we
don't
even
have
at
all
in
SKF.
A
C
F
F
And
then
start
developing
more
advanced
use
cases
for
more
advanced
and
selective
users
and
user
full
Journeys.
In
that
respect,
and
by
targeting
you
know
the
common
denominator
that
nobody
no
security,
regardless
of
how
well
you
are
in
coding,
and
then
it
allows
us
to
actually
create
a
more
holistic
structure,
God
put
it
out
to
the
end
user
and
it
would
help
create
a
more
holistic
experience
for
them
to
learn
through
as
well.
But
I
was
just
want
to
also
say
it's
like
a
lot
of
this.
F
My
opinion
comes
down
to
how
we
disseminate
the
information
that
we
have
presently
from
there.
We
have
a
better
idea
of
how
we're
going
to
transport
that
information
outwards
to
the
end
user
and
how
we
can
then
dress
that
up.
Like
Randall
said
you
know,
there's
already
some
exploration
by
okay
here
into
how
this
can
be
done
and
bringing
it
into
the
one
user
experience
instead
of
making
it
multiple
would
definitely
help
them.
That's
in
that
respect
as
well
foreign.
A
I
think
that
is
a
worthwhile
addition
to
what
we're
doing
is
to
add
the
the
solutions.
I
just
think
that
delivery
has
to
be
thought
about,
but
I
think
delivery
has
to
be
thought
about
overall,
so
I'm
sure
that
we
might
be
able
to
continue
this
discussion
once
we
have
our
delivery
stream
a
little
bit
more
solidified,
because
right
now
we
are
limited
by
what
we
have.
B
D
B
So
what
we
currently
have
you
know
the
security
knowledge
framework
is
a
bit
more
than
only
Labs.
Actually,
it's
also
for
security
requirements
gathering
at
the
checklist
from
the
asvs,
for
example.
So
that's
the
other
thing
what
we
can
do
when
you
have
these
vulnerabilities,
yeah
and
examples,
you
can
also
correlate
them
to
security
requirements
and
the
security
requirement
is
also
telling
you
a
bit
like
hey.
What
should
you
do,
but
again
it's
a
very
yeah,
not
a
detailed,
step-by-step
level
right,
but
anyhow.
So
what
we
have
currently
is
the
labs.
B
The
lab
section
is
more
about
offensive
security,
where
you
can
really
train
and
practice
both
the
vulnerabilities
and
do
them
in
a
real
application
without
doing
anything
harmful.
So,
basically,
you
can
spin
up
one
of
the
the
labs
and
you
have
it
over
here
then,
where
you
can
actually
do
your
hacking
whatnot.
B
So
this
is
a
local
file
inclusion.
You
have
a
menu,
for
example,
that
you
can
go
and
say,
like
okay,
cool
all
the
labs.
The
idea
is
that
it's
very
minimal
only
one
function,
that's
learnable
because
then
also
later
on,
when
you
want
to
fix
stuff,
you
actually
know
where
to
look
and
not
learn
the
whole
platform.
This
is
built
in
like,
for
example,
python,
the
flask
API
or
in
Jaffa
the
spring
boot.
You
want
to
make
it
as
easy
as
possible.
B
So
here
you
see
a
full
path
through
a
tour
file
and
of
course,
when
there's
a
bad
security,
you
can
just
actually
put
in
anything.
You
want
and
read
files
locally
from
the
server,
so
that
is
the
lab
environment.
Normally
you're
able
to
play
with
this,
and
do
it
yourself
and
figure
it
out.
But
again,
if
you
have
issues
you
can
click
right
up
which
language
do
you
want
to
see
it
Python
and
then
here
you
have
actually
yeah
the
right.
B
The
one
I
just
showed
you,
and
so
this
is
really
for
I,
say
it's
offensive.
Where
we
created
this
stuff,
then
we
have
the
other
one.
That
is
the
hack
operating
system,
so
we
have
it
for
python
Java.
We
also
have
one
for
node.js,
because
those
are
the
three
languages
that
we
currently
have
and
support,
and
here
indeed,
is
more
the
idea
that
you
have
like
a
a
full
environment,
heck
OS
yeah.
Maybe
it's
a
wrong
word,
but
it's
basically
everything
included
in
this
yeah
operating
system
in
a
browser
right.
B
Let
me
think
you
can
also
say:
I
have
a
text
editor
like
Sublime
of
Visual
Studio
code,
and
here
you
can
also
access
all
the
the
folders
actually
right,
all
the
labs,
for
example.
So
we
can
go
again
to
the
local
found
inclusion,
this
one
we
just
did
open,
and
now
you
can
also
hack
it
and
start
it
here,
locally,
yeah
or
you
say
like
no
I
already
hacked
it.
I
want
to
actually
fix
it.
B
So
then
you're
focusing
on
these
four
lines
of
code,
because
that's
where
the
the
issue
is
and
actually
make
sure
that,
when
you're
going
to
call
this
dangerous
thing,
this
open
function
that
actually
the
attacker
cannot
select
random
files
anymore,
but
only
the
ones
that
are.
You
know
Allowed
by
the
application.
B
You
know
the
other
thing
why
we
have
this
environment
because
of
course,
you
can
just
spin
off
your
own
Firefox,
where
you
can
access
the
lab.
The
other
thing
why
it
is
well
I
would
say
more
interesting,
because
we
can
also
have
like
command
line
tooling
or
other
type
of
tooling
like
zap,
so
we
can
also
give
them
zap
to
run
locally
in
this
box
against
the
local
application
that
they
fixed
and
started.
B
You
can
run
code
ql
over
it,
for
example,
how
to
do
the
static
analysis
and
again
this
should
also
help
them
in
yeah
verifying
the
fix
they
do,
but
yeah
if
they're
really
stuck
or
as
you
also
know,
the
tools
are
sometimes
lacking
context.
Lacking
rules,
so
maybe
the
fix
they
did
is
actually
not
really
good.
But
these
automated
tools,
actually
yeah,
cannot
really
find
it
right.
So
there
you
also
might
want
to
have
like
a
pro
proper
code,
snippet
or
guidance
like
hey.
C
B
B
B
And
now
the
app
is
also
running
here.
This
is
by
the
way,
the
the
old
styling
just
that
you're
not
confusing,
but
again
the
similar
application
and
the
cool
thing
is,
you
can
now
start
also
fixing
it
and
directly
see
what
you
actually
are
doing
right
and
then,
ideally,
if
you
have
fixed
it
correctly,
you
can
say
hey:
let's
do
an
automated
Zep
scan
on
it
and
see
if
I
actually
solved
it
correctly.
B
So,
as
you
see
here,
yeah,
you
have
a
lot
of
freedom
to
play
to
well
use
the
same
type
of
tools
and
environment
that
you
normally
would
also
do
as
a
as
a
developer
or
as
a
hacker
want
to
know
more
about
also
fixing
and
securing
stuff.
And,
as
you
can
see
here,
it's
now
actively
scanning
and
doing
a
check
on
the
vulnerable
application.
B
Yeah
and
ideally
here
in
the
alerts,
you
should
get
a
thought
reversal
there,
because
this
lab
is
actually
about
a
local
file.
Inclusion
and,
as
you
can
see
here,
the
dynamic
application
security
testing
tool
was
able
to
also
I
said.
Do
the
local
found
solution
vulnerability
and
find
it
that
it's
vulnerable
right.
B
B
A
F
B
Yeah,
because
another
thing
that,
for
example,
here
is
not
yet
I
would
say
that
visible,
but
the
other
thing,
of
course
Zep
is
like
an
HP
interceptor
and
for
some
of
the
vulnerabilities
are
like
header
injections
or
whatever
yeah.
You
also
need
to
be
able
to
intercept
HTTP
traffic,
so
all
the
traffic
that
we
are
actually
doing
here
in
our
browser.
We
actually
also
need
them
to
Tunnel
it
up
to
your.
F
B
B
Is
of
course,
I
have
one
tool,
then
we
have
a
codeql,
we
have
Sam
grab,
we
have
dependency
Checker.
We
have
all
type
of
open
source
security
tools
that
we
would
want
to
also
make
available
here
in
this
box,
then,
on
the
infrastructure
security,
because
that's
also
part
of
the
the
scope
there,
you
will
need
to
use
like
different
type
of
tools
like
I,
don't
know
Hydra,
for
example,
for
some
brute,
forcing
and
stuff
like
that,
nmob,
so
yeah.
F
Map
out
the
journeys
and
be
able
to
map
out
where
our
content
fits
together
and
then
not
only
that
also
means
that
applying
the
content
becomes
a
lot
easier
as
well.
We
can
make
that
workflow
a
lot
easier
so
when
it
comes
to
creating
and
designing
new
labs,
that
would
be.
You
know,
part
of
the
overhaul
of
the
the
workflow.
A
We
would
have
to
figure
out
is
how
they
would
basically
end
up
looking
like
in
the
graph
in
order
for
us
to
come
up
with
a
stable
budget
of
like
what
like,
for
example,
it
would
cost
to
index
a
lot
of
these
things.
That's
that's
kind
of
what
we're
hoping
to
get
we're
hoping
to
get
done.
What
we
currently
have
by
Friday
so
I
think
the
intention.
As
far
as
us
is
once
we
have
what
we
currently
have
mapped
out.
A
B
Yeah,
because
you
know
what
I
would
also
recommend
that
we
will
do
date.
For
example,
we
have
already
data
sets
that
is
going
in
there
right,
for
example,
the
wsdg,
the
ASG,
the
security
fundamentals
from
David
I
would
also
just
you
know,
because
we
have
here
also
lost
webinar
and
podcasts
I'll
also
just
grab
some
random
blogs,
yeah
about
security
and
and
podcasts
and
and
YouTube
videos
and
see
you
know
how
that
would
be.
C
B
C
C
B
C
B
So
yeah
then
at
least
we
know
where
we
have
coverage
and
at
least
a
good
thing
about
when
we
do
it
for
and
have
coverage,
for
example,
from
the
testing
guide,
point
of
view
and
asvs,
then
I'm
sure
that
a
lot
of
the
personas
that
stream
one
has
identified.
We
actually
can
reuse
a
lot
of
that
artifacts
and
materials
which
we
would
you
know
need
to
do
the
bare
minimum
actually
to
actually
make
that
course
for
that
or
that
learning
path.
For
that
specific
persona
easier
to
implement
right.
A
Correct
now
coming
back
to
David's
course.
This
is
what
I
was
talking
about
at
the
beginning.
Okay,
so
how
are
we
going
to
split
that
up?
Is
it
just
split
up
in
sections
or
how
do
we
want
to
go
about
that?
Because,
like
yeah
yeah
there's
a
there's
gonna
be
overlap
there
eventually,
I.
Imagine
there's
going
to
be
overlap
between
courses.
A
So
that's
one
thing
that
I
have
I'm
trying
to
figure
out
is
like
how
would
we
split
up
David's
course
into
like
Concepts
chapters
sections,
because
the
more
granular
we
can
be
with
the
inner
information,
the
easier
it
is
to
enrich
with
things
like
glossary
terms,
and
you
know
podcasts
and
videos
and
all
sorts
of
jazz,
so
yeah?
That's
that's
the
big
question
that
I
have
is
if,
if
there's
a
big
course
or
like
I,
don't
want
to
call
it
a
big
course,
but
essentially
David's
course
is
kind
of
the
singular
object.
B
B
A
I
don't
know
if
there
is
an
optimal
way
of
doing
it.
I
just
think
that,
consistent
whatever
we
end
up
doing
I
think
that
consistency
is
key
and
I.
That's
why
I
do
agree
with
you
that
I
think
that
the
librarian
of
all
of
this
should
be
within
SKF
operations,
because
essentially
it's
really
more
than
optimal.
It's
really
a
matter
of
consistency.
I
would
argue
exactly.
B
A
C
F
F
Ontologies,
you
know
small
into
taxonomical
groups.
We
can
better
relate
this
information
from
the
likes
of
David
wheeler
from
different
partners
that
can
grow
in
time.
Blake
we've
spoken
about.
You
know
it's
like
that
part
of
the
workflow
we
we
could
really
leverage
off
the
graph,
the
graph,
the
graph
frame,
I'm,
sorry
The,
graft
database.
A
F
A
Yeah,
we
would
have
to
establish
the
relationship
between
the
two
yeah
which,
like,
for
example,
David
Wheeler's
course
is
oriented
towards
developers,
so
that
would
be
like.
So
there
would
be
different
ways
of
filtering
it
right
through
the
graph,
because
some
things
will
be
oriented
towards
developers
and
some
stuff
will
be
oriented
towards.
You
know:
Network
people
and
I.T
people
and.
F
B
C
B
C
A
Great,
but
now
Glenn,
you
see
what
I
mean
also
about
the
the
taxonomies
of
actually
adding
things.
It's
it's
like.
It's
a
lot
easier
to
add
things
in
a
graph
database,
but
still
you
have
to
think
about
how
you're
adding
stuff,
because
in
order
for
the
data
to
work
like
the
taxonomies
need
to
work
with
whatever
data
that
you're,
adding,
if
not
you're,
basically
just
adding
another
node
in
the
middle
of
nowhere.
C
A
But
he
is
right
now
and
to
answer
your
question:
fuzzy
I,
don't
think
our
intent
is
to
necessarily
draft
a
bunch
of
information.
I
think
that
our
intent
is
to
try
to
cattle
catalog
tag
and
organize,
what's
already
out
there
and
try
to
do
it
in
such
a
way
where
a
reader
could
basically
get
the
whole
scope.
F
And
yeah
and
it'll
allow
us
to
build
and
map
out
these
the
labs
you
know
so
it's
like
referring
back
to
what
we
were
talking
about.
I
was
trying
to
do
with
the
holistic
learning.
Experience
is
like
through
the
power
of
the
knowledge
graph
is
like
we
could
devise,
Better,
Learning
experiences
and
Journeys
for
our
users,
correct.
F
A
C
A
I
would
say
Glenn
for
next
time
we
will
try
to
bring
kind
of
a
sample
of
what
the
graph
database
is
looking
like,
and
what
the
graph
database
will
look
like
with
stream
three
or
stream
twos
and
stream
ones.
Proposal
of
the
editions
I
know
that
there's
podcasts
videos,
webinars
blog
posts,
I'll
I'll,
go
through
it
and
I'll
and
I'll
and
I'll
kind
of
bring
that
next
time
and
distribute
that
through
the
education
sync.
So
that
way,
we
could
finalize
our
estimates
and
resources
based
off
of
that.
B
C
A
And
then
I
I
need
to,
and
we
need
to
ask
you
next
in
the
next
meeting
about
that
about.
If
the
spreadsheet
is
ready
to
go,
if
it's
ready
to
go,
we
can
do
2.2.
There
was
an
action
item
to
make
a
request
for
out
or
other
educational
material
yeah
exactly
so
that
that
can
be
done
if
the
spreadsheet's
ready
to
go.
E
A
A
C
B
Then
I
would
say:
Let's
leave
it,
as
is
here
for
now
we
will
get
working
on
this
week,
so
we
have
something
to
present
next
week
as
well
in
the
global
sea
yeah,
and
so
it's
a
bit
more
clear
and
how
it
will
look
like
and
how
we
also
can
consume
and
then
link
and
reference
and
use
all
that
artifacts
right.
Those
notes
that
we're
creating
them
yep
yep,
agreed.