Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
B: What we've been doing is we've been using this diagram. We've been talking through the red lines, those flows there, and just confirming that that's how we wanted to represent them, and then eventually we will take the threat text of the supply chain threat taxonomy that Pierre, Giorgio and Heinrich put together and apply that to this to see how we can break it, which I'm very excited to see.
A: Giant blob: oh, oh yeah! That's that common goal. I'm not really a... like, I don't go to the Gulf Coast that much, so yeah, I don't even know.
A: Yeah, it happens from time to time, yeah, I would say. It depends on where you... when you come, you can come right now. You might want to... I know you have enough clothes, but some people come in shorts and find that it's cold here in the summer sometimes.
A: So, as you already know, I'm new to security, and so this type of end-user-related security meeting is probably the proper one for me, so that exercise that has been done several times in the past two weeks has been pretty useful for me. One thing I think would probably be helpful for someone like me to understand is the scope. For example, when you and Henry were talking about the graph and all the...
A: For a newbie like me, I don't know the so-called attack library, so if I know... so we also decided that the scope doesn't include hardware, firmware or things like that, right? So what if we have an attack library that's in scope? That will help someone like me to sometimes even pitch in to see, okay, this is in the attack library and it's not being discussed, so that might be something that's... yeah. Okay, you'll have one, yeah.
B: We posted it in... so Heinrich and Pierre Giorgio and a few others have done a paper, and that actually came into the end user working group, where they're talking about their taxonomy, okay, and for a talk I did and I'm doing again in the fall, I used it, and it was quite useful to kind of illustrate here's how a supply chain works and the different attacks that can be conducted against it. So, our exercise we're doing here in this group...
B: It's focused on consumers, so end users, so think about a bank, a manufacturer, an insurance company, anyone that does some form of software development that uses open source components. So we're not necessarily... we're not looking at upstream things that happen, like at Kubernetes or OpenSSL.
B: This is the diagram on slide four. Think of that as kind of the four walls of a company, and we're applying that taxonomy, and we're just looking at software attacks. We're not looking at insider threat, we're not looking at the kind of physical attacks, we're not looking at a lot of other kinds of infosec-style, cybersecurity-style threats. We're just focused on the software piece for now, and the goal is to educate these types of open source consumers. These are things...
B: It does, it does. It has all the listed attacks that they documented. I found it very, very useful, and they've been talking to... like, I know the CNCF has a similar effort. I believe they've talked with those folks and kind of harmonized some of it. So if you had any feedback on the paper, like if you had ideas of other types of attacks that might not be documented, or, you know, you had another paper that you found useful, we'll feed that to Heinrich and Pierre Giorgio.
A: Yeah, one thing I find, because I also joined those CNCF meetings, most of them.
A: One thing I have found is, because I'm a database guy, anything database-related in security has not been gone into in depth, at least so far. I even talked to Dustin, a professor at NYU.
A: Yeah, he also acknowledged that there's not as much in-depth analysis on that. So that's where I'm pretending to be an expert, because I did IT security a long time ago, actually as part of the enterprise security advert. So one area I feel that, for this diagram that's being worked on, there is a concept of zero trust. So when we're describing the actual, you know, basically the threat modeling we're doing, right, is there any opportunity anywhere in this process to say, okay, for example?
A: For network, we know if we do micro-segmentation, that's basically a big step towards zero trust. So in this stack we're doing for enterprise application software, where can we do similar things so that, you know, people don't have to worry about each individual threat and instead just focus on making the design safe? Basically, go to what is called shift left, right? Yeah, I...
B: I don't think that... you know what you're talking about, but you're not going to see that in the patterns that they have in the paper. But I think ultimately our work product is: we want these end consumers to be safer and have higher levels of assurance of their software, and if there are techniques like micro-segmentation, mutual authentication, zero trust...
B: All these types of things, I think we definitely need to put that kind of in our final work product, saying these are compensating or mitigating controls that you also need to consider outside of how you're managing software, because you need to have that kind of whole picture of your security program.
B: I agree that the database is something, to me, it's kind of a witchcraft and a dark art. I've worked a lot with DBAs in my career, but it's never something I've ever learned, and normally it's always glossed over, yeah. There isn't a lot of literature that I've read around securing databases and whatnot outside of, you know, encrypt things at rest, encrypt in transport, and encryption in use. If...
A: You look at one of the NIST... there's actually a zero trust white paper, and, like, they...
A: Yeah, I've actually been using that as a base to follow. One thing I find, so... but I think there are two kinds of data security, actually. There's data content. So what I should describe in there... I actually recommend that paper for this group, probably because what they mentioned is, like, classification of information, right?
A: To do that, and then which one gets higher security and all that, so that's more related to application security. But there's also the database, which is basically the container of the database. I don't mean the, you know, Kubernetes container, just, like, the box of the data, right, where the data lives. Yeah, that security is actually different from, you know, data classification security and all.
B: Yeah, I think that would be a great topic to bring in here. I think it'd be excellent feedback, and I don't know that they talk about concepts like data labeling to make decisions off of, so I think that again would be good feedback to help make our final product better as we get rolling.
B: No, I meant the Pierre, Giorgio and comrades' paper.
B: It's again focused on how you can break software build and deploy. So it's again focused a little bit differently than the... to see someone, yeah, but I think that again would be excellent to kind of augment our work here if we kind of consider these outside things.
B: No, my friend Khalil probably pinned it on a date like the 20th of every month, as opposed to the last Thursday of a month, something like that. Fair. All right, I was just making sure. Yeah, I'll ask him to make some cleanup.
B: Well, I'm sure our next meeting will be amazing. That'll be the week after the summit, so...
B: That's gonna be great, yeah! Well, gentlemen, thank you. Sorry it wasn't a more productive call, but at least we got to have some interesting perspective from Victor and, I think, some future directions for us. So thanks all, and enjoy the rest of your hour.