From YouTube: End Users (November 10, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c

B: Good, good, good. I know CRob's gonna join us, and Glenn's also.

A: Very cool, very cool. We've got a fairly...

A: And yes, to your text, let's catch up at some point. It'd be great to talk and introduce each other. Lovely.

A: So I dropped the link to the notes in the chat. If, as is tradition, people can pop in and add their name to the attendees list, that would be great.

G: We did probably 18 inches. Wow, yeah, and right now it is a complete white out. The clouds are just settling right here and you really can't see much of anything.

H: Whereas I missed it, because I was just at the vulnerability quadrilateral Summit in Pensacola, Florida, and we were out on the beach last night, so yeah.

A: I think the guys from JP Morgan were going to join, and Just Eat. He's gonna be a little bit late as well. You can join when you get here.

A: It's going to be Abdullah from his team, round white, joining as well. I used to work with Abdullah in London, so he's gonna join as well.

A: So yeah, for people that are joining, if you could just take a look at the notes and add yourself in, appreciate it. And Dan, thanks once again for agreeing to be the scribe. That's the first agenda item, and minutes the likes of which I've never seen before. So it's impressive. Thanks, Dan.

A: Totally agree. All right, look, we're a couple of minutes after, so as people join in we can go through. I know CRob's joining as well, but look, let's kick off perhaps. So, as is usual, we ask people to sort of introduce themselves if they're new to the group. So would anyone like to introduce themselves, any new players?

D: Excellent, welcome. Okay, I'll jump in. I'm Mitch Ashley, and I'm with Techstrong Group. You might not have heard of Techstrong, but we are the creators of devops.com and Security Boulevard, Techstrong TV, a number of sites. So you might have read articles.

H: I'm Alan, I'm from the government, I'm here to help. So one quick general process: if there are ever things you want to talk about, and you're like, this would be easier if the government were not online, I take no offense. I encourage people to just say, hey Alan, can you jump off? Have him do that. I know a lot of you; I'm known as the guy who doesn't shut up about SBOM and various related things like VEX and CSAF, and the vulnerability infrastructure.

E: Yeah, I guess then that's up to me. So my name is Glenn ten Cate. I'm one of the global board of directors at OWASP. I also have a flagship project that I run there, the Security Knowledge Framework, together with the OpenSSF. And I'm currently also busy in the best practice for open source developers and then the training and education SIG.

K: I have been here before, at least once, but I might be shy. I'm from Microsoft. I'm also part of the education and the best practices working group. Nice.
A: Nice to meet you all. All right, thanks very much. So I saw this roll in. We can get them to just add their names to the agenda; we'll crack on. So the first item we have on the agenda, which is in the notes in chat for people who want to follow along, is the proposal we had for a supply chain initiative. So we'll just copy that into chat, the link, and I can probably also just show my screen. So I'll take this one.

A: Right, so this was what we were discussing last time, and it's really a proposal we were going to make as a group to the TAC, so welcome people's commentary and feedback on that. Thank you very much for people who've already contributed. We had a lot of conversation on ad hoc meetings over the last couple of weeks, and really the problem statement here is, as we look at supply chain and the supply chain problem, it's incredibly complex and there's no real understanding of how the different mitigations fit together.

A: Even within the OpenSSF, we've got a mobilization plan which is heading in the right direction, I think we'll agree that, from a broad perspective.

A: But there's a lot to it and it's at times sort of perhaps overbearing, a little bit confusing. We also have multiple different best practice guides and it's not quite clear which bits they cover, which bits they don't. And there's also a situation where perhaps we haven't got a clear understanding of the threats that we're facing as well. So all told, when end users and consumers come to this space and try to figure out how to navigate it and how to protect themselves...

A: It's just a little bit up in the air. So the proposal we came together with was really to establish an initiative to try and provide a holistic program that really demonstrates how to align those threats, or identify those threats, and then how to align the best practice guides, controls, where SLSA fits, where SSC perhaps fits, where SBOM fits, and also allow us to align those OpenSSF projects against that as well. That's kind of the idea behind this.

A: So if we move down to the high level approach, really the idea is that picture at the bottom. So what we're going to do is get together and create effectively an abstract architecture and threat model. Probably not one; I think some good feedback you had, Randall, was maybe let's have a couple: maybe one for a small entity or end user, one from a medium-sized one, one from a large one, sort of the Goldilocks approach. From those architectures, reference architectures, then create a threat model of those architectures and then out...

A: So that's kind of the higher level approach. That's kind of the high level approach. Now, there's still a couple of questions here, and I think the particular ones we have to identify, as you know, if this is still the approach we want to look at, how do we... You know, what does a small, a medium and a large consumer look like? You know, we need to get together, I think, as a group and identify some sample ones. I think, Randall...

A: So the idea here is not someone who's perhaps producing software, but someone who is consuming a lot of software. And what does their threat or attack surface look like, and how do we mitigate that? Medium one, I think we just tossed out the idea of perhaps a medium-sized hospital, although to be fair, I'm not sure what a medium-sized hospital would look like, but I guess that's the rub there. And then a large enterprise where we already have a threat model.

A: We can sort of attach it to, yeah. So definitely up for debate on what that looks like. The taxonomy, which was also presented at a previous working group, we already have one of those, but I think it'll be good to see how the threats stack up against that. And then I think we've already discussed those best practices that have been presented to this group as well. We can look at identifying those gaps.
L: If we also... I'm just trying to figure out how this fits, because I don't want to add a fourth, but the idea of a regulated environment, right? So not necessarily a large enterprise, but like, because you can have a small or medium enterprise, and if they're regulated or part of the DIB, the defense industrial base, they have a different set of concerns.

C: It's an additional bit of information that we're talking about here rather than... I don't think we should... I like the simplicity of the three sizes that you have here, that, as a kind of rubric. I think it would be useful to also mention the degree of regulation, because every company has to work in some degree in a regulated environment. I mean, even if you're a social app, you've got to comply with data protection, and you know, regulation and stuff like that.

C: So I mean, I think that the degree of regulation is kind of another sliding scale somehow, but...

G: Sorry Andrew, go ahead. Yeah, as consumers go through the documentation that will be produced here, they can almost take a menu-based approach and define their own profile from the artifacts that are in the documents and the characteristics, right? So if we create something that's too prescriptive, then we might lose the audience. If we create something that's a little bit more open and flexible, they can go through the documentation, they can begin to see who they are and describe their own profile.

D: If I can jump in, and I'm the newbie, so this may be really dumb, so I apologize if it is. I was just thinking about this: either these categories could be, or maybe it's the next thing to look at, is more of a persona based, right? In a smaller company, they may be using some open source, but they're not real heavy in their sophistication.

A: I think that's spot on, to be honest. I love it. I think the highlight that I just put there is really on the idea. We were going to detail the assumptions made for these different examples, and maybe this is a situation where we define what these three things are. Three sounds like a good number of whatever it is, and then we state, maybe, you know, this is a low compliance, a low regulatory environment, higher regulatory environment, and these are the personas that are used. I think personas are great.

A: We do have, as a working group, a list of personas that we need to work with the other working groups, I think it was the vulnerability management working group, to consolidate that report. But I think it would be useful when we're looking at these three examples to show which personas are involved in here, because they might be different. Certainly in a highly regulated one there's masses of different personas involved; that's probably different. So I think we should add in your point, Mitch, like make sure that we associate personas to these things.

A: From the conversation, do we take out small, medium and large and just suggest there's three examples, and not necessarily go into the definition right here in this document of what they are, and have that as a takeaway from the proposal?

C: I do think it would be worthwhile making sure that we are clear that we are talking about that small companies, small organizations, count. We're not just talking to big enterprise orgs, or, you know, like I'm just thinking about Just Eat, for instance. I mean, you know, maybe they don't view themselves as a small organization, but like this is, you know, that kind of thing. I just like having the word small in there, but...

H: How do we help folks below the security poverty line? But I think we can. I'd like this example of a small logistics business where, right, we can make some assumptions, which is they're smaller, but they have some more modern tools, and that's why we're trying to reach them. And in many cases it's going to be easier to provide them with some guidance than it is for the large legacy business that has resources but needs to change. But right, you know.

H: Large tech companies are still struggling with basic SBOM stuff because they have too much existing legacy stuff. And the other, I think, as we scope it: thinking about the regulation side that is supply chain relevant, because right, NERC CIP says relatively little about some of this, but HIPAA, nothing, and there are the giant...

H: If you guys need someone to read them, I can probably help find you someone, or we can get some folks to come in and talk about it. NIST 161 is the "let's solve all the problems", and they're called special pubs because "pub" is the sound it makes when you drop it from six inches onto the boardroom table. And similarly there's some industry-led work that the National Risk Management Center is doing, but a lot of that is really driven by the IT Sector Coordinating Council.
G: And as we recognize that the profiles and the descriptions will evolve, or can evolve, we're not trying to start with something right off the bat that is, in my mind, 100% perfectly defined, right? As the group evolves, we'll have other stakeholders with other characteristics that they want included in these definitions, and so I think it's good for us to have a basic idea of what we want to put together but recognize that the profiles will evolve.

A: I'd also like to highlight this maintenance item down below, because if you look down the agenda, there's suggestions on how we maintain this. But certainly I think, as this initial proposal, as we define that initiative, we set out the architecture, look at the different control frameworks, the way of validating and maintaining whether this is any good is to look at, or the idea is to look at, the existing data on supply chain exploits and how those attacks would impact these architectures, right?

A: So there's the Backstabber's Knife Collection, there's the inkytel data. We would, as far as this proposal, run through that list to identify, you know, if we've got everything in the taxonomy, where these mitigations are. But also we need, I think, as part of this process, to have that maintenance work going forward.

A: We need to analyze future attacks and just see if we've missed something on the threat model, missed something on the taxonomy. Now, one of the things I want to highlight is a sort of way of automating that or making it a bit more formal, but I just want to highlight this. I don't think it is a one-and-done thing.

A: I think it would be useful to revisit it just to ensure that we keep tuning our model, because what might be great today (and this shows where all of the OpenSSF mobilization plans fit in the attack surface) from what I can see seems to be moving around, so at the end of next year it might be slightly different, and similarly our mitigations might move. So that's why I've added the maintenance piece at the bottom there.

A: Andrew, you added that as well. Hey Andrew, yep.

E: Now you have the whole attack surface mapped out on cases that we actually observe, right, based on the previous things that happened. Would it be also maybe an idea, because I actually, you know, don't know anybody who does this type of thinking, but would it be an idea to maybe get like a group of hackers, and, you know, when we have an idea of the landscape and the architectures, to do, you know, from a real hacker mindset point of view, like hey, these could actually potentially be...

E: You know, just what I notice in the different areas, right, that there is a lot of great people with a lot of security knowledge actually helping and contributing, that sometimes we forget to, you know, invite the black hat hackers, the real hackers, and, you know, present them the case. Like, look, because also for myself, you know, I do a lot of hacking, but actually, yeah, I never really did research, or like, hey, if I have this scope of area...

E: What would be interesting points, right? And, of course, the whole research that this group has done, and then mapped well a lot of the possible threats already, right? That's, I think, a really good starting point, but maybe through the eyes of the hacker we actually maybe miss or, yeah, overlook very simple cases.

A: Yep, all right. And then I was going to go to you, Andrew. You had this section here on potentially Pyrsia as an example.
G: Yeah, so I think one of the... what will be a very, very useful resource for any of the audience here is kind of a landscape, a holistic roadmap or landscape of how OpenSSF's solutions, tools, best practices and so on will help them address the threat landscape.

G: We've identified it's really complicated, and for new people coming into the space, or beginning to recognize the issue, wanting to address supply chain security, it's very overwhelming and confusing. And that's just within the OpenSSF, and then you have the broader ecosystem. So I think one, identifying what OpenSSF clearly is trying to achieve, using the language of the audience that we're appealing to, how and where it fits, where some of the gaps are, and what some of the additional solutions are.

G: You know, for example, I've been, you know, I'm at the summit here. I've seen some really interesting presentations about companies. You know, one bank's going to be open sourcing a new tool. Checkmarx is doing some great stuff and they're going to be open sourcing, helping create a certain library, and or Labs is doing some things, and there are a couple of others.

G: Some is going to be within the OpenSSF. JFrog open sourced Pyrsia, but for some reason it's in the CD Foundation, right? So I think it behooves us to provide the audience with a landscape or roadmap of what solutions can help address this issue and help reduce some of the, or provide limited clarity to, what is becoming a more and more complex landscape.

A: Yep, I agree, Andrew. I think one of the big things here is we also show how we align with our OpenSSF projects, right? It really ties, in my view, the actual threat we face as a consumer with what we're going to do about it, in simple terms, right? The outcome is we have a real understanding of the threat and how we're addressing it with the OpenSSF, yeah. And perhaps we can then view, you know, where we can focus on as a working group.

A: You know, if we identify that streams two, nine and eight are the ones that are going to make the biggest impact and biggest value for us as an end user group, then let's go and ensure that we, you know, put our influence and resources behind that, yeah.

A: Okay, I think we've gone through that for sort of a reasonable length, so does it make sense, are people in agreement that we could put this forward to the TAC? I'm sure there's minor wordsmithing; it'd be good to double check with CRob. I saw him on briefly, I don't know if he's still on the call, but do we have agreement, thumbs up, that this is reasonable? More?

G: Well, so I think it's reasonable. I think we need to think through, I think when we go to the TAC, we need to have a plan as to how it's going to be actually implemented. You know, if I'm them, and I know they'll want to ask some of these questions about how are you going to get this done? Yep, right, so I think we should think through that too. Agreed.

A: We already have threat models and such, but I was gonna suggest we take it on as a working group effort. The bit that I think is going to take some significant investment, though, is the reach out to the different working groups that clearly this touches. That's going to take some organization, yeah. But happy to add a section on, or add more detail on, the how, yeah, and again happy to work with others on that.

A: I mean, just for the good of the record, is this... Did we get thumbs that this is a reasonable approach for a reasonable solution? We've got one.

A: And we'll set up that separate session, or just a couple of emails, Andrew, to add more detail on the how. Yeah, it's good to me, very good. Thanks, good discussion, but I think as a working group that's a decent piece of work there. It really does start to tie in those threats with what we're trying to do and help the end user community. Dan, coming from you.
C: I was just gonna say, I don't know what your working model for this will be, but if you need, or if you're looking for, an editor, I could certainly... or a co-editor, not a singular editor, but like somebody to help with editing the document, then I'd certainly put my hat in the ring for that. Sold.

A: I will open up the tool whilst the next, whilst we're at it. This was a presentation a couple of weeks ago, a couple of sessions ago now, where we were presented a taxonomy which, as we've just shown in the previous proposal, I think is quite key to it, which aims to solve the problem of, when we discuss supply chain attacks...

A: There's multiple different names used for the same thing. It's difficult to understand what we're actually talking about in many cases, and when we're actually trying to perform some analysis on where the threats are coming from, it quickly... If you don't have a taxonomy you're trying to categorize these things against, you end up in trouble. So the proposal, long story short, is to adopt the one that we were presented some time ago from Henrik and Piergiorgio, and I can quickly bring up a tool.

A: Just in case people haven't seen it, but it is the one from the paper entitled "Taxonomy of Attacks on Open-Source Software Supply Chains", which I think people may have perhaps seen in the past. The links are in the proposal. It also comes with the attack team chain tool, which I've been using pretty extensively.

A: It has the taxonomy built within it, details of the attack, which is quite detailed, references and associated safeguards.

A: So a fairly short proposal. Again, I could do some additional editorial expertise, but any feedback or control? I think we sort of decided to go forwards with this last time. This is really just putting the paperwork on it. Thumbs up from Dan, two thumbs, thumbs up, yeah, all good, fantastic. So we'll put that one forward too.

A: Right, next item was the working group list. So again, last session, just for new members, one of the things that we'd look to do as part of the working group is to participate in multiple working groups as an end user forum. There's obviously so many different working groups, a lot of interesting work, where I think they would benefit from having an end user persona working with those different teams to show, you know, as consumers of open source software...

A: This is really where we see the problem space. And the idea effectively was to put together the matrix, identify users or members who would participate in those groups. And I think part of this is also outreach as well, to ensure that we can reach out to that community. And, as we have every week, we'd also ask people to provide feedback on any of the working groups they'd attended, right? So this is the link.

A: Well, the link is in that document. Other additional working groups that, as members, we just want to call out right now that we want to add to this list, or indeed members that want to go in and add their names to this list?

M: I just noticed, like, the slides, is there anything specifically from the Sunday meetings related to SBOMs as well? Because I can see SLSA, VEX.

M: But do you want to add ones, either CycloneDX or any other ones? So happy to.

A: If there's a specific meeting you're referring to, Sharif, obviously they see some meetings... there's heavy SBOM involvement there, but you're referring to the actual detailed meetings on CycloneDX and SPDX, right?

H: Implementing things that are... so I know that CycloneDX has started to say, well, we're including stuff, but I don't think they've thought through what the data is going to look like. They've just created a whole bunch of, as my understanding is, they sort of kind of created a bunch of wrappers that we can shove arbitrary data into, and I think SPDX is trying to catch up.

H: But if they've made progress on the supply chain side, that's wonderful, and there's no reason why we can't add more things to the list. But that's sort of my understanding of the state of the current SBOM data formats.
B: It's actually tooling, Jonathan, tooling.

A: Are we missing something from the sheet here, or are we in good shape?

J: Got it. I would say both groups are relevant, because the repository group is also discussing SBOMs as part of, and signing as part of, what they discuss, maybe to a lesser degree than tooling. But I think it's still relevant.

H: As this group comes up with things, I'm happy to feed them into the CISA SBOM work and the VEX work, because I think, yeah, again, they're going to be very interested in what comes out of here. In fact, the on-ramps and adoption group is explicitly saying, hey, should we revisit how does SBOM relate to all these other things in the ecosystem?

G: Excellent. And excuse me, I think one of the operational items we discussed is that, as we have people allocated to the different working groups, a part of every one of these calls would be an update from each of them. The update could be something as simple as "no update", but I think that needs to be a formal part of our governance.

A: Yeah, it absolutely is, that each one of them... We have the "any additional notes from working group" section, which we're going to hit next, but that's definitely the continued standing meeting element for that. Let's put on, so if there's no more additions... I mean, you might want to do a call out, Alan, for your multiple great working groups. Here we've identified three that I think are very on point from a consumer end user perspective. Are there any others you'd recommend that perhaps...?

H: There's a group on tooling and implementation, which is trying to sort of categorize and standardize and formalize some of the tooling ecosystem to make it easier for consumers to understand this. One of the things that is a slight tangent...

H: We don't have a lot of SBOM consumption tools today, and I'm okay with that in the short run, because until recently no one had SBOMs, and in fact we've seen sort of most of the tooling effort is going into the development side.

H: So something this group wants to start putting on their longer term agenda is how do we actually... What are we going to do with them in an automated way, and what are some of the other vendor communities that you guys already use to say, hey, can you start just integrating SBOM data into this?

M: Thank you. So I completely agree, Alan, and this is just a side thing, which is one of the things that can be maybe a little bit more generic is how they're being queried, or if you have a series of them, what do you actually look for?

M: So there are a couple of virtual querying systems like Apache Drill, or what's Athena underneath, Presto, where you can just run general SQL queries, or boilerplated ones that can help people to leverage that, and they can use whatever tooling underneath the hood that can help them there. I did like a small demo and I realized there was a bit of attention for it, but I don't know to what extent how useful this is for others as well.

A: I think it's a great point. It's effectively: what do we do with the SBOM and how do the different personas work with the SBOM? I think... well, I've got a couple of blog articles I'm finalizing to discuss that we can distribute as a group, but also there's some work we at Citi are working on to open source in this area; happy to talk about that at a later date. Also Jason, you got your hand up.
L: Yeah, so there's an area that's over the past two weeks become increasingly... I don't know how to say this. There's something that's come up recently and become, you know, more obvious to me about a gap in the ecosystem that's related to this, you know, now in terms of like areas that we're looking at, and I'm not totally sure where it best fits, and it's related to how vulnerability disclosures actually proceed by major vendors, right? So right now, you know, there...

L: There is this standard called CSAF for vulnerability disclosures, and I know there's also, you know, various work streams looking at CSAF for VEX and SBOM. I'm not talking about it related to VEX right now; I'm talking about it for its original purpose, that CSAF was created to have major vendors, when they provide their vulnerability disclosures to their customers and to the public, have a common machine readable way for those disclosures to actually proceed, right? So there's this thing, CSAF, that originally came from... so it was originally called...

L: CVRF, came from ICASI, and then moved to OASIS. Now it's called CSAF, blah blah blah. The reason I'm bringing it up is the adoption of this, and of any machine readable format for vulnerability disclosures, is very low, right? Most of the vulnerability disclosures that companies put out, like Microsoft, Google, plus, you know, Salesforce, you name your software vendor, they're publishing a website and a brief, a news brief.

L: Sometimes there's an RSS feed. Very few are actually publishing a machine readable version of that disclosure, right? And as a result, everyone kind of relies on, you know, there's this expectation that I can go to NVD and get it from there, but all of the vulnerabilities don't end up in NVD, right? We know this, and that's why, you know, there's this other effort, like the Global Security Database spinning up in the Cloud Security Alliance, and these other things anyway.

L: The reason I'm bringing it up is, to me, this is very highly correlated to what we're trying to achieve with SBOM, because if the vulnerabilities that are coming from the vendors... if the vendors aren't being pushed hard enough by their customers to say this needs to be machine readable, guys, SBOMs will lag. Like, the problem...

L: Is it creates this huge lag, right? And sometimes the lag is infinite, because the vulnerability gets published by the vendor and then, if it doesn't actually get a CVE assigned (like not all vulnerabilities have CVEs assigned), and if it doesn't get one assigned, then it's not going to make it into that SBOM. We can't do any of the traceability. Anyway, I'm not totally sure...

L: Useful. I think it's a gap. I don't think anyone's working through it right now, and I think it's... I don't... so we have the vulnerability working group, but it hasn't been... So this is new. I'm in that working group as well, and I just haven't... We haven't had a meeting where I've had a chance to bring this up, because this is just kind of coming on my radar over the past...

A: All right, well, let's minute it, and I think maybe bring it... Maybe let's discuss it also on Slack.

A: Some work from CRob on this too. Are you starting to talk about this one, and maybe circle back around on this one next week, next time, as well? Does that make sense, Jason?

A: Sounds good, pretty cool. All right, so an interesting time. If you move on through the agenda for a second, we're now going to come to the bit where, in each session, we do review additional working groups that, as members, we've gone through. Obviously we are going to extend that with this list going forward, but as it stands, Randall, you have a couple on. Do you want to give them an update on that for the group?
B
Sure,
I
on
the
notes,
I
added
a
link
to
the
spreadsheet.
If
anyone
wanted
to
add
any
educational
materials
for
consideration
on
our
education
platform
that
that's
where
you
would
add
them,
especially
if
you
have
data
that
is
open
data,
we
would
be
very
interested
in
taking
a
look
at
that.
B
And
then
the
other
update
is
if
your
business
has
a
cert.
B
We
would
also
be
interested
in
possibly
talking
to
them
and
kind
of
learning
what
type
of
pain
points
they
have,
because
we
are
working
on
our
own,
open,
ssf,
cert
process
and
we're
trying
to
Define
what
would
be
the
smartest
most
intelligent
way
of
implementing
something
or
so
that
we
don't
duplicate
efforts
or
step
on
anybody's
toes
which
I
know
is
a
tall
order
has
been,
might
not
sound.
So
yes,
and
those
were
the
two
updates
I
had
from
the
search
Sig
and
the
best
practices
and
education,
C,
okay
and.
H
So the original thinking for VEX was implemented in CSAF. CycloneDX said we also want to do this, which meant that SPDX said, well, we will do it too. So if you've ever wondered how you go from one standard to three standards, yeah. But so that's the vision there. The next steps are going to be to sort of frame out the use cases and also, ideally, provide some clear guidance on what a product security team, or indeed anyone, can do to produce a VEX.
H
There are a couple of online tools; they're a little clunky. Hopefully we'll get some more, you know: take easy data, dump it in, and out comes JSON. So that's the VEX side of things. If folks aren't familiar with VEX and want to know more about it, very briefly: the primary use of VEX is to say, hey, we're not affected by this vulnerability.
H
It's a negative security advisory that will meet the needs of a lot of folks, especially as SBOMs become more common, because you can say: this is in my SBOM, but you don't need to worry about it. So, right, SBOM turns dashboard lights on; VEX lets you turn them off. The other thing: so we have a working group that says, hey, much of the discussion on SBOM has been for on-prem software. Very few people have come to me over the last several years and said, you know, Alan,
H
The future of software is in on-prem software, right? So we're asking ourselves, what does software transparency mean for modern software? The group has sort of three things that they're looking at the most, so I'll sort of do a hierarchical thing. The least popular one is just saying: hey, let's actually talk about what's different between them, right? We know the pace of change is different, but is there any reason why someone can't ask for an SBOM from their cloud provider?
H
And at the moment we don't have a lot of customer perspective. So a lot of the cloud providers are like, no one wants that from us. So if folks do want that, we would love your perspectives.
H
The second says: well, in addition to the classic SBOM, maybe separate from the SBOM, I want the infrastructure stack. So, hey, what's behind this, so I have some idea of what the broader risk is. One of the challenges is, I don't think anyone has a clear vision of an existing taxonomy or a way of sort of characterizing what the pieces of an arbitrary application stack are, and so that seems like a very heavy lift.
H
The thing that people are most excited about is the idea of a service BOM, which is to say: I don't necessarily need to know the software dependencies of my SaaS provider, but I want to know what other third-party services they're using, because I have an SLA with my direct provider, but I don't know what else they're using. And so, talking through: what are the use cases? What data do we need to do that, and how do we implement?
H
That, I think, has the potential to be a big new thing, and maybe a very hard thing, maybe a feasible thing: you have to figure out how to eat the elephant. That's the... sorry, that was a longer update than I meant to give, but those are the two work groups.
A
No, it's totally great, and we do have those two on our work group list. We are definitely interested in anyone else who wants to also participate in that, because I think those two specifically I'm really, really interested in, and I think it's got a lot of impact on the consumer business. So if people after hours want to take a look at that, have a look.
A
Thanks, Alan. Right, a couple of minutes left. One thing I wanted to bring up was something I'd like a bit of feedback on, which I sort of really badly named supply chain total.
A
Really, it's just a concept that I'd like to bring to the table and see if anyone else has similar interest. I think there's an issue at the moment where, you know, back to the taxonomy in that architecture we were putting together, there's not sufficient understanding of the threats that we experience, not in real time. There is some fairly static data that we have available, but it's quite sporadic and it's quite sparse, and what I was thinking of was: wouldn't it be...
A
Wouldn't it be useful if somehow we had, like, a VirusTotal but for supply chain security? Right: have the ability where we'd collate the attacks that we see in the wild into a single data lake and have a team analyze that data, so that we can start to pull out patterns and, back to that, validate the threat model and the threats. And then we can figure out the mitigations. I feel we're a little bit blind at the moment.
A
We're kind of assuming, though, because we've got lists of these attacks, but I think there's much richer data to be had if we had sort of a system in place where we could allow people to raise attacks that they've seen and store the source code, perhaps the package code, and the metadata with it for offline analysis. And if we think about it, you know, I think that some of the package managers do a great job of this, and they hold it within their systems.
A
But we don't get access to the source code or the binary after it's been removed, and I think if there was a central storage repository where we could host that sort of corpus of material, we might be able to pull out additional data to understand how these attacks are changing over time, and again influence some of our sort of firewalls and controls downstream, if we had access to that data. Right, so it's just... it's not even a proposal.
A
It's just a thought, and I wanted to bring it to the table to see if it holds purchase for people, if people think that's a reasonable idea, if people want to, you know, iterate on that thought. The other point to it is, it's going to cost some money. I don't think this is necessarily a volunteer thing, unfortunately. I think to actually put something together that's going to be useful, and have the ability to analyze that data and provide an outcome of: this is where the attacks seem to be going,
A
You need to focus in that particular area. I think that's gonna need some financing. But I'll end it there. You know, I just wanted to open that up for a discussion, if people think that's an interesting idea, or get any feedback on that.
G
So I think it's an interesting idea, Jonathan, and I think we may have a vendor that's going to be open sourcing this database in the relatively near future. Here at the Linux Foundation Summit I heard a presentation, yesterday or the day before, by Checkmarx, and this is something that they're working on. I don't think they're here in the group, but this is something that they've been aggressively working on.
G
I think you've been working with them too, or at least seeing some of the output, because they've got a research team just focusing on this activity, and one of the big challenges is working with GitHub, npm and some of the other package managers to preserve the information once malicious code is identified in a package, because what happens right now is that the package managers delete it as soon as they are notified, and then they lose the information. And so they are trying to work with them to preserve that information.
A
I mean, if that is something that they're actively doing, then great, let's jump on that bandwagon, and if they're providing the analytics behind it in an open manner, then also great, because I think that's something we really need, so that we can start to figure out and map that in real time. Well, not real time, but certainly more up-to-date than at the moment, right? Yep. And is there any more information on that we can start to pull out?
G
Not the exact timing. I'm happy to do an intro to the gentleman who's here. Maybe he can, you know, we can... I know he's going to do a demo for my team, and I'm sure he'd be happy to do a demo for this group, or a short presentation at one of our upcoming calls, on what this is going to look like, what the tools are that they're going to be open sourcing, and so on. I'm sure he'd be happy to.
A
All right, so with that we've got about 60 seconds or less left. Anyone, any other business? Anyone want to raise any things to look into, or add them to the agenda?
G
Just, I want to keep going just for a second, then I'll give the floor to anybody else. It's been a fruitful meeting here at the Linux Foundation Summit. The OpenSSF board meeting is on Friday; that'll be a fun seven hours. But from a recruiting perspective, it's been good. I don't know if there's someone from JP Morgan on the call today, but, Alan, as you know, they've committed to participate. Fannie Mae has committed to participate.
G
So has Uber, and Boeing. Boeing will probably be a month or so, but the others, yeah, they're all probably going to be in that month to six week time frame. But they're all excited about what this group is trying to do, and they want to at least be on the lurk and learn side for a little while, but I expect them all to join pretty soon.
F
Yeah, say hi from Florida. Hi from Florida, in the middle of, it's not even a hurricane, but the Tony's. You know, in conversations before this, right, you know, the end user requirements pushing up, I'm very interested in, and the whole topic of attestation, self attestation being accepted in contract language. But I know we're at the end of this and I missed the first part, so I'll follow up next time.
A
No worries. Thanks for joining, Chris, and we'll catch up later. So thanks very much for joining. Quite a lot of proposals going out at the moment; thanks for a lot of the work, for the people who contributed to that over the last couple of weeks and months. I think this is really where we start to make a difference, so we'll get those out to the TAC and we'll report back, see how we're getting on with them.
A
Thanks for all your assistance, and if you can read through the material that we presented and take a look at the working group list, add your names to it, and let's go and help; it'd be much appreciated. Thank you very much, have a great weekend and talk to you all soon. Thanks, everyone.
Likewise. Thank you. Thank you. Thanks.