►
From YouTube: End Users (November 10, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
E
F
A
F
G
G
A
A
C
F
A
Totally
agree
all
right,
look
we're
a
couple
of
minutes.
After
so
as
people
join
in,
we
can
go
through.
I
know
crops
joining
as
well,
but
look
let's
kick
off
perhaps
so,
as
is
usual,
we
ask
people
to
sort
of
introduce
themselves
if
they're
new
to
the
group,
so
does
anyone?
Would
anyone
like
to
introduce
themselves
any
new
new
players.
D
J
H
I'm
Alan
I'm
from
the
government
I'm
here
to
help
so
one
quick,
General
process.
If
there
are
ever
things
you
want
to
talk
about,
and
you're
like
this
would
be
easier.
If
the
government
were
not
online
I.
Take
no
offense
I
encourage
people
to
just
say:
hey
Alan,
can
you
jump
off?
Have
him
do
that?
I
know
a
lot
of
you
I'm,
the
known
as
the
guy
who
doesn't
shut
up
about
s-bomb
and
various
related
things
like
Vex
and
csaf,
and
the
vulnerability
infrastructure.
E
Yeah
I
guess
then
that's
up
to
me.
So
my
name
is
Clinton.
Carter
I'm,
one
of
the
global
board
of
directors
at
all
wasp
I,
also
have
a
flagship
project
that
I
run
there.
The
security
knowledge
framework,
together
with
the
open,
ssf
and
I'm,
currently
also
busy
in
the
best
practice
for
open
source
developers
and
then
the
training
and
education
sake.
K
A
To
meet
you
all
done
all
right
thanks
very
much
so
I
saw
this
roll
in.
We
can
get
them
to
just
add
their
names
to
the
agenda,
we'll
crack
on
so
first
item
we
have
on
the
agenda,
which
is
in
the
notes
in
chat,
for
people
want
to
follow
along
is
the
proposal
we
had
for
a
supply
chain
initiative,
so
we'll
just
copy
that
into
champ.
The
sink
and
I
can
probably
also
just
show
my
screen
so
I'll.
Take
this
one.
A
Right,
so
this
was
what
we
were
discussing
last
time
and
it's
really
a
proposal.
We
were
going
to
make
as
a
group
to
the
attack
so
welcome
people's
commentary
and
feedback
on
that.
Thank
you
very
much
for
people
who've
already
contributed.
We
earned
a
lot
of
conversation
on
ad
hoc
meetings
over
the
last
couple
of
weeks
and
really
the
problem
statement
here
is,
as
we
look
at
supply
chain
and
the
supply
chain
problem,
it's
incredibly
complex
and
there's
no
real
understanding
of
how
the
different
mitigations
fit
together.
A
A
But
there's
a
lot
to
it
and
it's
at
times
sort
of
perhaps
overbearing
a
little
bit
confusing.
We
also
have
multiple
different
best
practice
guides
and
it's
not
quite
clear
which
bits
they
cover,
which
bits
they
don't
and
there's.
Also
a
situation
where
perhaps
we
haven't
got
a
clear
understanding
of
the
threats
that
we're
facing
as
well.
So
all
told
when
end
users
and
consumers
come
to
this
space
and
try
to
figure
out
how
to
how
to
navigate
it
and
how
to
protect
themselves.
A
It's
just
a
little
bit
up
in
the
air,
so
the
proposal
we
came
together
with
was
really
to
establish
an
initiative
to
try
and
provide
a
holistic
program
that
really
demonstrate
how
to
align
those
threats
or
identify
those
threats
and
then
how
to
align
the
best
practice
guides.
Controls
where
salsa
fits
were
SSC
perhaps
fits
where
s-bomb
fits
and
also
allow
us
to
align
those
ossf
projects
against
that
as
well.
That's
kind
of
the
the
idea
behind
this.
A
So
if
we
move
down
to
the
high
level
approach
really
the
idea
is
that
picture
at
the
bottom.
So
what
we're
going
to
do
is
get
together
and
create
effectively
an
abstract
architecture
and
threat
model.
Probably
not
one
I
think
some
good
feedback
you
had
Randall
was
maybe,
let's
have
a
couple,
maybe
one
for
a
small
entity
or
end
user
one
from
a
medium-sized
one
month
from
a
large
one
sort
of
the
Goldilocks
approach
from
those
architectures
reference
architectures
then
create
a
threat
model
of
those
architectures
and
then
out.
A
So
that's
kind
of
the
the
higher
level
approach
that
that's
kind
of
the
high
level
approach.
Now,
there's
still
a
couple
of
questions
here
and
I
think
the
the
particular
ones
we
have
to
identify.
As
you
know,
if
this
is
still
the
approach
we
want
to
look
at,
how
do
we?
You
know
what
is
a
smaller
medium
and
a
large
consumer.
Look
like
you
know.
You
need
to
get
together,
I
think
as
a
group
and
identify
some
some
sample
ones.
I
think
Randall.
A
A
So
the
idea
there
here
is
not
someone
who's,
perhaps
producing
software,
but
someone
is
consuming
a
lot
of
software
and
what
is
there,
what
is
their?
What
are
their
threat
or
attack
surface
look
like,
and
how
do
we
mitigate
that
medium?
One
I
think
we
just
tossed
out
the
idea
of
perhaps
a
medium-sized
Hospital,
although
to
be
fair,
I'm,
not
sure
what
a
medium-sized
Hospital
would
look
like,
but
I
guess
that's
the
that's
the
rub
there
and
then
a
large
Enterprise
where
we
already
have
a
threat
model.
A
We
can
sort
of
attach
it
to
yeah.
So
definitely
up
for
debate
on
what
that
looks
like
the
taxonomy,
which
was
also
presented
a
previous
working
group.
We
already
have
one
of
those
but
I
think
it'll
be
good
to
see
how
the
threats
up
against
that
and
then
I
think.
We've
already
discussed
those
best
practices
that
have
been
presented
to
this
group
as
well.
We
can
look
at
identifying
those
gaps.
A
L
If
we
also
I'm
just
trying
to
figure
out
how
this
fits
because
I
don't
want
to
add
a
fourth
but
the
idea
of
a
regulated
of
regulated
environment
right,
so
not
necessarily
a
large
Enterprise
but
like
because
you
can
have
a
smaller
medium
Enterprise
and
if
they're,
regulated
or
part
of
the
the
div,
the
defense
industrial
base
like
it's.
They
have
a
different
set
of
concerns.
A
L
B
C
G
Sorry
Andrew
go
ahead,
yeah
as
consumers
go
through
or
go
through
the
documentation
that
will
be
produced
here.
They
can
almost
take
a
menu-based
approach
and
Define
their
own
profile
from
the
artifacts
that
are
in
the
documents
and
and
the
characteristics
right.
So
if
we
create
something
that's
too
prescriptive,
then
we
might
lose
the
audience.
If
we
create
something.
That's
that's
a
little
bit
more
open
and
flexible.
They
can
go
through
the
documentation.
They
can
begin
to
see
who
they
are
and
and
describe
their
own
profile.
J
D
If
I
can
jump
in
and
I'm
the
Newbie,
so
this
may
be
really
dumb,
so
I
apologize,
if
it
is
I,
was
just
thinking
about
this
either
these
categories
could
be,
or
maybe
it's.
The
next
thing
to
look
at
is
more
of
a
Persona
based
right
in
a
smaller
company.
They
may
be
using
some
open
source,
but
that
they're
not
real
heavy
and
their
sophistication.
D
A
I
think
that
spot
on
to
be
honest,
I
I
love
it
I,
I
think
the
Highlight
that
I
just
put
there
is
really
on
the
idea.
Was
we
were
going
to
detail
the
assumptions
made
for
these
different
examples,
and
maybe
this
is
a
situation
where
we
Define
what
these
three
things
are.
Three
sounds
like
a
good
number
of
whatever
it
is,
and
then
we
State-
maybe
you
know
this-
is
a
low
comply,
a
low
regulatory
environment,
higher
regulatory
environment,
and
these
are
the
personas
that
are
used.
I
think
personas
are
great.
A
B
C
I
do
think
it
would
be
worthwhile
making
sure
that
we
are
clear
that
we
are
talking
about
that
small
companies.
Small
organizations
are
count.
Did
they
count
we're
not
just
talking
to
big
Enterprise
orgs
or
you
know
like
I'm,
just
thinking
about
just
eat,
for
instance,
I
mean
you
know
they
might.
Maybe
they
don't
view
themselves
as
a
small
organization,
but
like
this,
is
you
know
like
that
kind
of
that
kind
of
thing
I,
just
just
I
like
having
the
the
word
small
in
there,
but.
H
H
How
do
we
help
folks
below
the
security
poverty
line,
but
I
think
we
can
I'd
like
this
example
of
a
small
Logistics
business
where
right
we
can
make
some
assumptions
which
is
they're
smaller,
but
they
have
some
more
modern
tools
and
that's
why
we're
trying
to
reach
them
and
in
many
cases
it's
going
to
be
easier
to
provide
them
with
some
guidance
than
it
is
for
the
large
Legacy
business
that
has
resources
needs
to
change.
But
right,
you
know.
H
Large
tech
companies
are
still
struggling
with
basic
s-bomb
stuff
because
they
have
too
much
existing
Legacy
stuff
and
the
other
I
think
as
we
scope
it.
Thinking
about
the
regulation
side
that
is
supply
chain
relevant
because
right,
nerk
sip,
says
relatively
little
about
some
of
this,
but
HIPAA,
nothing
and
and
and
there
are
the
giant.
H
If
you
guys
need
someone
to
read
them,
I
can
probably
help
find
you
someone
or
they
can.
We
can
get
some
folks
to
come
in
and
talk
about
it.
Nist
161
is
the
let's
solve
all
the
problems
and
they're
called
special
pubs,
because
Pub
is
the
sound
it
makes
when
you
drop
it
from
six
inches
off
on
the
boardroom
table
and
similarly
there's
some
industry-led
work
that
the
national
Risk
Management
Center
is
doing,
but
a
lot
of
that
is
really
driven
by
the
I.T
sector,
coordinating
Council.
G
A
I'd
also
like
to
highlight
this
maintenance
item
down
below,
because
that's,
if
you
look
down
the
agenda,
there's
this
suggestions
on
how
we
maintain
this,
but
certainly
I,
think
as
this
initial
proposal.
As
we
Define
that
initiative,
we
set
out
the
architecture,
look
at
the
different
control
Frameworks
the
way
of
validating
and
maintaining
whether
this
is
any
good
is
to
look
at
the
or
the
idea
is
to
look
at
the
existing
data
on
supply
chain
exploits
and
how
those
attacks
would
would
impact
these
architectures
right.
A
So
there's
the
backstabbers
knife
collection
there's
the
inkytel
data
we
would,
as
far
as
this
proposal
run
through
that
list
to
identify.
You
know
if
we
got
everything
in
the
taxonomy
where
these
mitigations,
but
also
we
need
I,
think
as
part
of
this
process
have
that
maintenance
work
going
forward.
A
We
need
to
analyze
future
attacks
and
just
see
if
we've
missed
something
on
the
threat
model
missed
something
on
the
taxonomy
now
one
of
the
things
I
want
to
highlight
is
is
a
sort
of
way
of
automating
that
or
making
it
a
bit
more
formal,
but
I
just
want
to
highlight
this.
I,
don't
think,
is
a
a
one-and-done
thing.
A
I
think
it
would
be
useful
to
revisit
it
just
to
keep
ensure
that
we're
we
we
keep
tuning
Our
model,
because
what
might
be
great
today-
and
this
shows
where
all
of
the
ossf
mobilization
plans
fit
in
the
attack
surface
from
what
I
can
see-
seems
to
be
moving
around
so
at
the
end
of
next
year
it
might
be
slightly
different
and
similarly
our
mitigations
might
move.
So
that's
why
I've
added
the
maintenance
piece
at
the
bottom.
There.
A
E
Now
you
have
the
old,
a
tech
service
mapped
out
on
cases
that
we
actually
observe
right
based
on
the
previous
things.
That
happened.
Would
it
be
also
maybe
an
idea
because
I-
actually,
you
know,
don't
know
anybody
who
does
this
type
of
thinking,
but
would
it
be
an
idea
to
maybe
get
like
a
group
of
like
hackers,
and
you
know
when
we
have
an
idea
of
the
lands
they
escape
and
the
architectures
to
do?
You
know
from
a
real
hacker
mindset
point
of
view
like
hey
these
could
actually
potentially
be.
A
E
You
know
just
what
I
notice
in
the
different
areas
right,
that
there
is
a
lot
of
great
people
with
a
lot
of
security
knowledge
actually
helping
and
contributing
that
sometimes
we
forgot
to
you
know
invite
the
black
hat
hackers,
the
real
hackers
and
you
know
present
them
the
case
like
look
because
also
for
myself.
You
know
I
do
a
lot
of
hacking,
but
actually
yeah
I
never
really
did
research
or
like
hey.
If
I
have
this
scope
of
area.
E
What
would
be
interesting
points
right
and,
of
course,
the
whole
research
that
this
group
has
done
and
then
mapped
well,
a
lot
of
the
possible
threats
already
right.
That's
I
think
a
really
good
starting
point,
but
maybe
Through
The
Eyes
of
the
hacker
we
actually
maybe
miss
or
yeah
Overlook,
very
simple
cases.
J
A
A
G
You
know
for,
for
example,
I've
been
you
know,
I'm
at
The
Summit
here
I've
seen
some
really
interesting
presentations
about
companies.
You
know
one
bank's
going
to
be
open
sourcing.
A
new
tool
check
marks
is
doing
some
great
stuff
and
they're
going
to
be
open
sourcing.
Helping
create
a
a
certain
library
and
or
Labs
is
doing
some
things,
and
there
are
a
couple
of
others.
A
Yep
I
I,
agree,
Andrew,
I,
I.
Think
one
of
the
big
things
here
is.
We
also
show
how
we
align
with
our
ossf
projects
right.
It's
really
ties,
in
my
view,
the
actual
threat
we
face
as
a
consumer
with
what
we're
going
to
do
about
it
in
simple
terms
right.
The
outcome
is
we
have
a
real
understanding
of
the
threat
and
how
we're
addressing
it
with
the
ossf
yeah,
and
perhaps
we
can
then
View.
You
know
when
we
where
we
can
focus
on
as
a
as
a
working
group.
A
A
Okay,
I
think
we've
gone
through
that
sort
of
a
reasonable
length,
so
does
it
make
sense
people
in
agreement
that
we
could
put
this
forward
to
the
attack?
I'm
sure,
there's
minor
wordsmithing
it'd
be
good
to
double
check
with
probe.
I
saw
him
on
briefly
I.
Don't
know
if
he's
still
on
the
call,
but
do
we
have
agreement
thumbs
up
that
this
is
reasonable.
More.
G
Well,
so
I
think
it's
reasonable
I
think
we
need
to
think
through
I
think
when
we
go
to
the
attack,
we
need
to
have
a
plan
as
to
how
it's
going
to
be
actually
implemented.
You
know
if
I'm
them
and
I
know
I
know
they'll
want
to
ask
some
of
these
questions
about.
How
are
you
going
to
get
this
done?
Yep
right,
so
I
think
we
should
think
through
that
too
agreed.
A
A
D
J
A
A
And
we'll
set
up
that
separate
session
or
or
just
a
couple
emails
entry
to
to
add
more
detail
on
the
how
yeah
it's
good
to
me
very
good
thanks
good
discussion
but
I
think
as
a
working
group.
That's
a
decent
piece
of
work
there.
It
really
does
start
to
tie
in
those
threats
with
what
we're
trying
to
do
and
help
the
end
user
community
Dan
coming
from
you.
A
A
I
will
open
up
the
tool
whilst
the
net,
whilst
we're
at
it.
This
was
a
presentation
a
couple
of
weeks
ago,
a
couple
of
sessions
ago
now
where
we
were
presented,
a
taxonomy
which,
as
we've
just
shown
in
the
previous
proposal,
I
think
is
quite
key
to
it,
which
aims
to
solve
the
problem
of
when
we
discuss
supply
chain
attacks.
A
There's
multiple
different
names
used
for
the
same
thing,
it's
difficult
to
understand
what
we're
actually
talking
about
in
many
cases
and
when
we're
actually
trying
to
perform
some
analysis
on
where
the
threats
are
coming
from
it
quickly.
If
you
don't
have
a
taxonomy
you're
trying
to
categorize
these
things
against
you
end
up
in
in
trouble.
So
the
proposal,
long
story
short,
is
to
adopt
the
one
that
we
were
presented
some
time
ago
from
Henrik
and
piagio
pierogio
and
I
can
quickly
bring
up
a
tool.
A
Just
in
case
people
have
seen
it,
but
it
is
the
one
from
the
paper
entitled
taxonomy
of
attacks
and
open
source
software
Supply
chains,
which
I
think
people
may
have
perhaps
seen
in
the
past.
The
links
are
in
The
Proposal.
It
also
comes
with
the
attack
team
chain
tool
which
I've
been
using
pretty
extensively.
A
A
So
a
fairly
short
proposal
again
I
could
I
could
do
some
additional
editorial
expertise,
but
any
feedback
or
control
I
think
we
sort
of
decided
to
go
forwards
with
this
last
time.
This
is
really
just
putting
the
paperwork
on
it
thumbs
up
from
down
two
thumbs
thumbs
up,
yeah,
all
good
fantastic,
so
we'll
put
that
one
forward
too.
A
This
is
really
where
we
we
see
the
problem
problem
space
and
the
idea
effectively
was
to
put
together
the
The
Matrix,
identify
users
or
members
who
would
participate
in
those
those
groups
and
I.
Think
part
of
this
is
also
Outreach
as
well
to
ensure
that
we
can
reach
out
to
that
community
and,
as
we
have
every
week,
we'd
also
have
or
ask
people
to
provide
feedback
on
any
of
the
working
groups.
They'd
attended
right.
So
this
is
the
link.
A
J
A
K
H
Implementing
things
that
are
so
I
know
that
Cyclone
DX
is
has
started
to
say.
Well,
we
we're
including
stuff
but
I.
Don't
think
they've
thought
through
what
the
data
is
going
to
look
like
they've
just
created
a
whole
bunch
of
as
my
understandings
they
sort
of
kind
of
created,
a
bunch
of
wrappers
that
we
can
shove
arbitrary
data
into
and
I
think
spdx
is
trying
to
catch
up.
H
M
B
M
B
A
J
A
H
As
this
group
comes
out
of
things,
I'm
comes
up
with
things
I'm
happy
to
feed
them
into
the
success
bomb
work
and
the
Vex
work,
because
I
think
yeah
again
they're
going
to
be
very
interested
to
what
comes
out
of
here.
In
fact,
the
on-ramps
and
adoption
group
is
explicitly
saying:
hey.
Should
we
revisit?
How
does
s-bomb
relate
to
all
these
other
things
in
the
ecosystem?.
G
Excellent
and
excuse
me
I
think
one
of
the
the
operational
items
we
discussed
is
that,
as
we
have
people
allocated
to
the
different
working
groups,
that
a
part
of
every
one
of
these
calls
would
be
an
update
from
from
each
of
them.
If
the
update
could
be
something
as
simple
as
no
update
but
I
think
that
needs
to
be
a
formal,
formal
part
of
our
governance.
A
Yeah
it,
it
absolutely
is
that
we
each
one
of
them.
We
have
the
any
additional
notes
from
working
group
section
which
we're
going
to
hit
next,
but
but
that's
definitely
the
continued
standing
meeting
element
for
that.
Let's
put
on
so,
if
there's,
if
there's
no
more
addition,
I
mean
you
might
want
to
do
a
call
out
Alan
for
your
multiple
great
working
groups.
Here,
we've
we've
identified
three
that
I
think
are
very
on
point
from
a
consumer
end
user
perspective.
Are
there
any
others?
You'd
recommend
that
perhaps.
H
H
So
something
this
group
wants
to
start
putting
on
their
longer
term
agenda
is
how
do
we
actually?
What
are
we
going
to
do
with
them
in
an
automated
way
and
what
are
some
of
the
other
vendor
communities
that
we
should
that
you
guys
already
use
to
say:
hey?
Can
you
start
just
integrating
s-bomb
data
into
this.
M
M
So
there
are
a
couple
of
virtual
querying
systems
like
Apache
drill
or
what's
Athena,
underneath
Presto,
where
you
can
just
run
General,
SQL,
queries
or
boilerplated
ones
that
can
help
people
to
to
leverage
that
and
they
can
use
whatever
tooling,
underneath
the
hood
that
can
help
them.
There
I
did
like
a
small
demo
and
I
realized.
There
was
a
bit
of
attention
for
it,
but
I
don't
know
to
what
extent
how
useful
this
is
for
others
as
well.
A
I
I
think
it's
a
great
point.
It's
like
it's
effectively.
What
do
we
do
with
the
S
form
and
how
do
the
different
personas
work
with
the
s-bomb
I
I?
Think
it's
a
I
well
I've
got
a
couple
of
blog
articles,
I'm
finalizing
to
to
discuss
that
we
can
distribute
as
a
group
but
also
there's
some
work.
We
at
City
are
working
on
to
open
source
in
this
area
happy
to
talk
about
that
at
a
later
date.
Also
Jason,
you
got
your
hammer.
L
Yeah
so
there's
an
area:
that's
over
the
past
two
weeks
become
increasingly
I,
don't
know,
I,
don't
know
how
to
say
this.
There's
something
that's
come
up
recently
and
become.
You
know
more
obvious
to
me
about
a
gap
in
in
the
ecosystem.
That's
related
to
this.
You
know
now
in
terms
of
like
areas
that
that
were
that
we're
looking
at
and
I'm,
not
totally
sure
where
it
best
fits,
and
it's
related
to
how
vulnerability
disclosures
actually
proceed
by
Major
vendors
right.
So
right
now
you
know
there.
L
There
is
this
standard
called
csoft
for
vulnerability,
disclosures
and
and
I
know.
There's
there's
also.
You
know
various
work
streams
looking
at
csap
for
vex
and
s-bomb
I'm,
not
talking
about
it
with
related
effects
right
now,
I'm
talking
about
it
for
its
original
purpose.
That
csaf
has
created
to
have
major
vendors
when
they
provide
their
vulnerability
disclosures
to
their
customers
and
to
the
public
to
have
a
common
machine
readable
way
for
those
disclosures
to
actually
proceed
right.
So
there's
this
thing,
csap
that
originally
came
from
so
it
was
originally
called.
L
Cvrf
came
from
my
Kazi
and
then
moved
to
Oasis.
Now
it's
called
seesaw
blah
blah
blah.
The
reason
I'm
bringing
it
up
is
the
adoption
of
this
and
of
any
machine,
readable
format
for
vulnerability.
Disclosures
is
very
low
right.
Most
of
the
vulnerability
disclosures
that
companies
put
out
like
Microsoft,
Google
Plus,
you
know
sales
for
you
name,
your
software,
vendor
they're,
they're,
publishing
a
website
and
and
a
brief
a
news
brief.
L
Sometimes
there's
an
RSS
feed
very
few
are
actually
publishing
a
machine,
readable
version
of
that
disclosure
right
and
every
and,
as
a
result,
everyone
kind
of
relies
on.
You
know
there's
this
expectation
that
I
can
go
to
nvd
and
get
it
from
there,
but
all
of
the
vulnerabilities
don't
end
up
in
nvp
right.
We
know
this
and
that's
why
you
know.
There's
this
other
effort,
like
the
Global
Security
database,
spinning
up
in
the
cloud
security
Alliance,
and
these
other
things
anyway.
L
Is
it
creates
this
huge
lag
right
and
sometimes
the
lag
is
infinite
because
the
the
vulnerability
gets
published
by
the
vendor
and
then,
if
it
doesn't
actually
get
a
cve
assigned
like
not
all
vulnerabilities
have
CDs
assigned,
and
if
it
doesn't
get
one
assigned,
then
it
doesn't
make
it
it's
not
going
to
make
it
into
that
spawn.
We
can't
do
any
of
the
traceability
anyway,
I'm,
not
totally
sure.
L
L
Useful
I
think
it's
a
gap,
I,
don't
think
anyone's
working
through
it
right
now
and
I.
Think
it's
I
don't
so
we
have
the
vulnerability
working
group,
but
it
hasn't
been.
So
this
is
new
I'm
in
that
working
group
as
well
and
I
just
haven't.
We
haven't
had
a
meeting
where
I've
had
a
chance
to
bring
this
up,
because
this
is
just
kind
of
coming.
My
radar
over
the
past.
A
A
A
L
A
Sounds
good,
pretty
cool
all
right
so
an
interesting
time
if
you
move
on
through
the
agenda
for
a
second
we're
now
going
to
come
to
the
bet
where,
in
each
session
we
do
review
additional
working
groups
that
as
members
we've
we've
gone
through.
Obviously
we
are
going
to
extend
that
with
this
list
going
forward,
but
as
it
stands,
Randall
you
you
have
a
couple
on.
How
do
you
insert
do
you
want
to
give
them
an
update
on
that?
For
the
group.
B
B
We
would
also
be
interested
in
possibly
talking
to
them
and
kind
of
learning
what
type
of
pain
points
they
have,
because
we
are
working
on
our
own,
open,
ssf,
cert
process
and
we're
trying
to
Define
what
would
be
the
smartest
most
intelligent
way
of
implementing
something
or
so
that
we
don't
duplicate
efforts
or
step
on
anybody's
toes
which
I
know
is
a
tall
order
has
been,
might
not
sound.
So
yes,
and
those
were
the
two
updates
I
had
from
the
search
Sig
and
the
best
practices
and
education,
C,
okay
and.
J
B
F
M
B
I
A
H
So
the
original
thinking
for
vex
was
implemented
in
csaf,
Cyclone
DX
said
we
also
want
to
do
this,
which
meant
that
spdx
said
well.
We
will
do
it
too,
so
if
you've
ever
wondered
how
you
go
from
one
standard
to
three
standards,
yeah
the,
but
so
that's
the
vision
there.
The
next
steps
are
going
to
be
to
sort
of
frame
out
the
use
cases
and
also
ideally
provide
some
clear
guidance
on
what
a
product
security
team,
or
indeed
anyone
can
do
to
produce
a
Vex.
H
There
are
a
couple
of
online
tools:
they're
a
little
clunky.
Hopefully
we'll
get
some
more.
You
know,
take
easy
data.
Dump
it
in
and
out
comes
Json
the.
So
that's
the
Vex
side
of
things.
If
folks
aren't
familiar
with
Vex
that
want
to
know
about
it
habitat
more.
Very
briefly,
Vex
is
the
ability.
The
primary
use
of
Vex
is
to
say,
hey
we're
not
affected
by
this
vulnerability.
H
It's
a
negative
security
advisory
that
will
meet
the
needs
of
a
lot
of
folks,
especially
as
s-bombs
become
more
common,
because
you
can
say
this
is
in
my
s-bomb,
but
you
don't
need
to
worry
about
it.
So
right
s
bomb
turns
dashboard
lights
on
Vex
lets.
You
turn
them
off
the
other
thing.
So
we
have
a
working
group
that
says
hey
much
of
the
discussion
on
s-bomb
has
been
for
on-prem
software.
Very
few
people
have
come
to
me
over
the
last
several
years
and
said
you
know
Alan.
H
The
future
of
software
is
in
on-prem
software
right,
so
we're
asking
ourselves
what
does
software
transparency
mean
in
in
for
modern
software?
The
group
has
sort
of
three
things
that
they're
looking
at
the
most
so
I'll
sort
of
do
a
hierarchical
thing
and
then,
but
the
least
popular
one
is
just
saying:
hey,
let's
actually
talk
about
what's
different
between
right.
We
know
the
pace
of
change
is
different,
but
is
there
any
reason
why
someone
can't
ask
for
an
s-bomb
from
their
cloud
provider?
H
H
The
second
says:
well,
in
addition
to
the
classic
gas
bomber,
maybe
set
from
the
s-bomb
I,
want
the
infrastructure
stack,
so
hey,
what's
what's
behind
this,
so
I
have
some
idea
of
what
the
what
the
broader
risk
is.
One
of
the
challenges
is
I.
Don't
think
anyone
has
a
Clear
Vision
of
an
existing
taxonomy
or
a
way
of
sort
of
characterizing.
What
are
the
pieces
of
arbitrary
application
stack
and
the
so
that
seems
like
a
very
heavy
lift.
H
The
thing
that
people
are
most
excited
about
is
the
idea
of
a
service
bomb,
which
is
to
say,
I,
don't
necessarily
need
to
know
my
software
dependencies
of
my
SAS
provider,
but
I
want
to
know
what
other
third-party
services
they're
using
because
I
have
an
SLA
with
my
direct
provider,
I,
don't
know
what
else
they're
using
and
so
talking
through
what?
What
are
the
use
cases?
What
data
do
we
need
to
do
that,
and
how
do
we
Implement?
H
A
No,
it's
totally
great
and
we
do
have
those
two
on
our
work
group
lists
are
definitely
interested
in
anyone
else
who
wants
to
also
participate
in
that
because
I
I
think
those
two
specifically
I
I'm,
really
really
interested
in
and
I
think
it's
got
a
lot
of
impact
on
the
consumer
business.
So
if
people
after
hours
want
to
take
a
look
at
that,
I've
have
a
look.
A
Really
it's
just
a
concept
that
I'd
like
to
bring
to
the
table
and
see
if
anyone
else
has
similar
interest.
I
I
think
there's
an
issue
at
the
moment
where
it
you
know
back
to
the
the
taxonomy.
In
that
architecture,
we
were
putting
together
where
it's
not
there's,
not
sufficient
understanding
of
the
threats
that
we
experience
not
in
real
time.
There
is
some
fairly
static
data
that
we're
we
have
available,
but
it's
quite
sporadic
and
it's
quite
sparse
and
what
I
was
thinking
of
was.
Wouldn't
it
be?
A
Wouldn't
it
be
useful
if
somehow
we
had
like
a
virus
total
but
for
supply
chain
security
right
have
the
ability,
where
we'd
collate
the
attacks,
that
we
see
in
the
wild
into
a
single
data
Lake
and
have
a
team
analyze
that
data,
so
that
we
can
start
to
pull
out
patterns
and
back
to
that
validating
the
threat
model
and
the
threats.
And
then
we
can
figure
out
the
mitigations
I
I
feel
we're
a
little
bit
blind
at
the
moment.
A
But
we
don't
get
access
to
the
source
code
or
the
binary
after
it's
been
removed
and
I
think
if
there
was
a
Central
Storage
repository
where
we
could
host
that
that
sort
of
Corpus
of
material,
we
might
be
able
to
pull
out
additional
data
to
understand
how
these
attacks
are
changing
over
time
and
again
influence
some
of
our
sort
of
firewalls
and
controls
Downstream.
If
we
had
access
to
that
data
right,
so
it's
just
it's
not
even
a
proposal.
A
It's
just
a
thought
and
I
wanted
to
bring
it
to
the
table
to
see
if
any,
if
it
if
it
holds
purchase
for
people,
if
people
think
that's
a
reasonable
idea,
if
people
want
to
you
know
iterate
on
that
thought,
the
the
other
point
to
it
is
it's
going
to
cost
some
money
I,
don't
think
this
is
a
a
necessarily
a
volunteer
thing.
Unfortunately,
I
think
to
actually
put
something
together.
That's
going
to
be
useful
and
have
the
ability
to
analyze
that
data
and
provide
outcome
of
this
is
where
the
attacks
seem
to
be
going.
A
G
So
I
think
it's
interesting.
The
idea,
Jonathan
and
and
I
I
think
we
may
have
a
vendor.
That's
going
to
be
open
sourcing
this
this
database
in
the
relatively
near
future.
Here
at
the
Lewis
Foundation
Summit
I
heard
a
presentation.
Yesterday
was
the
day
before
by
check
marks,
and
this
is
something
that
they're
working
on
I.
Don't
think
they're
here
in
the
group,
but
this
is
something
that
they've
been
aggressively
working
on.
A
I
mean
if,
if
that
is
something
that
they're
actively
doing,
then
great,
let's
jump
on
that
button
going
and
if
they're,
providing
the
analytics
behind
it
in
an
open
manner,
then
also
great,
because
I
think
that's
a
that's
something.
We
really
need
so
that
we
can
start
to
figure
out
and
and
map
that
in
real
time,
well,
not
real
time,
but
certainly
more
up-to-date
than
a
moment
at
the
moment,
right
yep,
and
is
that
something
that
is
there
any
more
information
on
that
we
can?
We
can
start
to
pull
out
not.
G
The
exact
timing
I'm
I'm
happy
to
do
an
intro
to
the
gentleman
who's
here.
Maybe
he
can
you
know
we
can
I
know
he's
going
to
do
a
demo
for,
for
my
team
and
I'm
sure
he'd
be
happy
to
do
a
demo
for
this
group
or
a
short
presentation
that
one
of
our
one
of
our
upcoming
calls
on
what
this
is
going
to
look
like
what
the
tools
are,
that
they're
going
to
be
open
sourcing
and
so
on.
I'm
sure
you'd
be
happy
to.
A
A
G
Just
I
I
want
to
keep
going
just
for
a
second,
then
I'll
give
the
floor
to
anybody
else.
It's
been
a
fruitful
meeting
here
at
the
Olympics
Foundation
Summit.
The
open,
ssf
board
meeting
is,
is
on
Friday
that'll,
be
a
fun
seven
hours,
but
from
a
recruiting
perspective,
it's
it's
been
good.
I,
don't
know
if
there's
someone
from
from
JP
Morgan,
but
they
have
committed
on
the
call
today
but
Alan.
As
you
know,
they've
committed
to
participate,
Fannie
Mae
has
has
committed
to
participate.
F
Yeah
say
hi
from
Florida
hi
from
Florida
in
the
middle
of
a
it's,
not
even
a
hurricane,
but
the
Tony's.
You
know
in
a
conversations
before
this
right.
You
know
the
end
user
requirements
pushing
up
I'm
very
interested
into
and
and
the
whole
topic
of
attestation
self
attestation
being
accepted
in
contract
language,
but
I
know
we're
at
the
end
of
this
and
I
missed
the
first
part.
So
I'll
follow
up
next
time.
A
Thanks
for
all
your
assistance
and
if
you
can
read
through
the
material
that
we
presented
and
take
a
look
at
the
working
group
list,
add
your
names
to
it
and
let's
go
and
and
and
help
be
much
appreciated.
Thank
you
very
much
have
a
great
weekend
and
talk
to
you
all
soon,
thanks
everyone.
Likewise.
Thank
you.
Thank
you.
Thanks.