From YouTube: End Users (July 21, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c

A
Henrik, there's a message in the chat room that has a document we're using for the minutes today, and we also got an attendee list, if you want to take a look at that.

B
Yes, I already updated it and put... oh, you did. A proper link to the paper, a proper link to the tool and as well the list of attendees, so yeah. No, it's good from my perspective. Hello, hi everyone.

C
Do we have a Google doc or something to sign in attendance? We...

A
I'm not sure if those two first agenda items came from CRob. Speak of the devil.

A
Thank you very much, Dan. I appreciate your help with that. You produce some of the finest minutes of any meeting I've ever seen, and that's not just because you've volunteered. That is genuine praise. Hey Jack.

A
Okay, so thanks Dan for agreeing to be the scribe. Just drop the agenda back into the chat there. If people are joining, if they can just add their names to the list of attendees. And as is customary, if we could go through and welcome any new friends: anyone want to say hi who's attending for the first time?

B
So, yes, maybe I can say, yeah, so my name is Henrik Plate. Yeah, I'm working with Endor Labs, where I would like to, yeah, continue the work on open source security that I started many years back at SAP, right. And a few, maybe just a little bit on the work: maybe you know, in the past, like two or three years back, we were working together with the University of Rennes on this Backstabber's Knife Collection. Maybe some of you have read that paper. And before that, with Serena Ponta, who's, I think, also in the call from SAP, we were working on Eclipse Steady, which is basically an open source vulnerability scanner. Maybe also some of you know.

G
Can you hear me now? It's better now? Okay, thanks. So I was saying, my name is Piergiorgio Ladisa and I'm a PhD student at SAP. I was formerly a PhD student of Henrik and now I'm under the supervision of Serena, in collaboration with the University of Rennes, and the topic of my PhD is open source software supply chain attacks. And, yeah, I'm a co-author of the paper about the taxonomy of open source software supply chain attacks with Henrik and the University of Rennes.

D
Yeah, and Tom Alrich: independent security and supply chain security consultant, working a lot with SBOMs now and with the NTIA and now CISA initiatives. And I was quite pleased when Jonathan told me about this group, because those NTIA and CISA initiatives have both been very lacking in focus on end users, and, you know, so I'm really glad to see this group operating.

A
Excellent, thanks for joining, Tom. Anyone else I've missed? Most people have been here before, I think. Okay, right! So let's head through the agenda. So, CVD guide for OSS consumers, in the vulnerability disclosure group. Who wants to take that agenda item? I think it's somewhere between Randall and CRob.

J
I'm CRob. I have the opportunity to work in 46,000 OpenSSF working groups, and one of those working groups is the Vulnerability Disclosures team. We are focused on educating the world and maintainers and the ecosystem around good coordination and vulnerability sharing practices. We've historically... in the past we've written two guides. One guide focused on open source maintainers, on good practices they could adopt in their projects on how to intake, triage and then communicate vulnerabilities. And then, most recently, we published a guide focused on security researchers, on how they can best engage with open source communities and projects to report. And then we thought this group might be a wonderful community that would have some ideas about that topic and might be willing to collaborate on a shared guide together.

A
Cool, thanks, CRob. I mean, just looking at the deliverables and the missions and goals, we did actually mention this. We'll put this down as one of our initial deliverables. Just reading them from the list: it was "develop guides, white papers and materials focused on strategies and solutions for better software supply chain and open source software, targeting end users". In the phase one we had on the list was "identify which guides, material is missing from the existing, I guess, corpus of materials". It sounds like it would be a good fit and I'd certainly be interested in doing that. Yeah, doing it... I'll defer to Dan, though, I know you've got a hand raised.

F
In the options, yeah, I just wanted to clarify: do you mean specifically in the area of vulnerability? You're talking about specifically in the area of vulnerability disclosures, how vulnerability disclosures work, demystifying that space for those who are consuming open software, the end users, just as we described them. Really explaining the forensic nature of these kinds of vulnerability disclosures to people that are not used to working in that way would really be valuable for this kind of group that we're talking about, this target audience, because I know it is a very different way of thinking about things when it comes to disclosure of information. Yeah, but it's so valuable, so yeah, yeah, definitely I think it's a good idea.

A
Yeah, I second that. I'm just thinking that we, you know, as part of that deliverables, one of our mission objectives, this sounds like one gap. We should probably get together and identify the other ones so that we can start to distribute it for people who have interest, because I think this is one, and even just things such as policies of ingestion, perhaps other ones, or how people think about ingesting software.

A
From an end user perspective, I often talk to people and they're looking at SBOMs, but they don't really think about the policy they need to put in place to think about what they're ingesting, in manifest form, you know. Are you ingesting software with high vulnerabilities? Do you have a policy, or do you have any capability of preventing that anyway?

A
So there's probably some guidance we need to write there as well. I think there's a bit of a takeaway there to map out that list. So maybe I'll, in some of the off sessions that we have, try and pull that together and raise it for review. But, CRob, to your earlier point: yep, definitely. I think you've got support from the group on helping with that one too.
J
The consumption point, fun fact: I get to work with another group of folks that put together a concise guide for evaluating open source software. This was primarily focused on open source developers, kind of looking at their dependencies as they're selecting code to ingest in their own internal projects. That very easily could be augmented, expanded, just to more general things to do at ingestion, so I think it would be a good starting point.

A
Please don't stop from doing that, and try stopping raising the hand. Let's keep both hands on the wheel. Definitely, well. This is even worse. All right, Jack, thank you. Next.

I
I'll never forget that facial expression. Yeah, I see we have Jay White, and I would say that there's a pretty good match up with what is currently called SSC for the role of helping folks think through policies for ingestion, so I think definitely we can continue to weigh in on that topic there. I will add my voice to the chorus: I think this is a fantastic idea. I am still vague on how coordinated vulnerability disclosure occurs. For me, usually I learned through the most official, the most sanctified and sort of culturally... (he is going to say Twitter hashtag) the joke was too obvious. So, yeah, having some idea of how the sausage gets made would be very useful for me.

A
Jay, I see you there on the call. We should probably get together as a group to think about feedback on the SSC, because I've got like 10 pages of feedback and I've been starting to go through with the team, but I know that others have got a lot of feedback. I think there's a SIG that's been set up, but I wonder if we have a consolidated effort, because people want to get together as a consolidated group. We're... join the SIG and do it there, or both. Open to suggestions on that one.

C
Yeah, and I'm willing to meet. So we've been meeting with John and his points are amazing. I'm willing to, you know... within my bandwidth, I'm willing to meet with, and Adrian is as well. I mean we can meet as a... in the SIG, because I believe in the SIG we're going to be more focused on... there's a couple of items here. One of them would be getting it in the proper format, proper formatting for specification purposes, and we'll be thinking about that. I like to think what we come out of the working sessions with will be stuff that gets put into, and we'll be trying to, you know, close PRs and close issues and all those kind of things. So a lot of the stuff that we do needs to get put into issues and PRs, so they can get properly addressed. I think that might require a few separate meetings so that the SIG meetings can concentrate on, you know, ratifying anything out there PR or issue wise and then, of course, governance there. So I'm willing to do, you know, I'm willing to have any meetings that are suggested.

A
Cool, thanks, Jay. Maybe I'll take an action that I'll set up a couple of different times. We'll put out a Doodle poll, see who's interested in contributing to that feedback. We'll get together, provide that feedback in whatever form that you see appropriate, again, PRs or whatever. We'll take that offline. Cool, all right, thanks, Jay, and thanks CRob for that, a good agenda item. Moving straight on to the next one.

E
No, no, this is, well, kind of, sort of, but this is more about: if anyone has any educational material. We don't have end users in the educational, like, priorities, but it can be added. I think it depends on if anyone has anything to add. So, yeah, I know that you were working on a guide, John, and I know that Dan might have guides that Snyk... I can never pronounce your company's name. I keep forgetting, I'm sorry. Snyk, yeah, yeah.

A
So maybe let's send through, I think let's do it asynchronously, send through onto Slack perhaps any additional guides that we feel are missing, and perhaps we'll add that into one of the sessions that we've got going. Yes.

E
I also... I'll send a link to the spreadsheet. CRob set up a spreadsheet on Slack, so you could see what we have so far, and feel free to add anything that you think fits.

A
Is there a whistle on the line, or is it just my headphones? Nope, just my headphones? Okay, keep going. So next item on the list is from Piergiorgio and Henrik, and I asked them to come and present the taxonomy that they've put together based upon the Backstabber's Knife Collection, which is a paper that I think a lot of us have read; a lot of good detail in there. So, first of all, congrats on that paper. I think there's a great body of work and really helpful for end users particularly. But over to you and Henrik, and yeah.
B
I already included the link to the paper that you started seeing on the screen, and also a link to the visualization tool that is on GitHub, that you will also see in just a few minutes. So just a quick introduction. So this work is indeed something that we started round about, I would say, middle of 2021. It's a continuation, to some extent, of what we have been doing before with this Backstabber's Knife Collection. So here, if you remember, for those who have read it, there was already an attack tree contained in this Backstabber's Knife paper, but it was relatively small, and we thought it is worthwhile to extend this: have a more comprehensive attack tree than what we have presented back then, and also to make sure that it is more comprehensible to people consuming it. And so we came up with this work. You see the paper here and it eventually became a taxonomy.

B
What is the utility and cost of those safeguards, and which of the safeguards are actually in use by developers? And to this end, we have conducted, well, basically two surveys, online surveys: one with kind of 17 experts in the domain, some come from the OpenSSF if I'm not wrong, and then another 100-something developers, in regards to the cost, utility of different safeguards and whether they use them.

B
Overall, the result is this attack tree taxonomy, with around about 100 attack vectors that are linked to, in the meantime I think more than... different real world incidents, either attacks or vulnerabilities which could have led to an attack, as well as plenty of scientific literature and gray literature.

B
I'm going to quickly show you this, but you will have a much nicer representation in just kind of two minutes. But what I wanted to... so here, this is basically the taxonomy. What I wanted to raise your attention to is the different criteria we have used for giving structure to this attack tree. So, on the very left hand side, and I tried to zoom in a little bit: what I was mentioning before, injecting something in the source code repository at the top, in the middle injecting something during the build of a legitimate package, or at the very bottom here, injecting something in the distribution process of how it gets from package repositories to the computers, to the build systems of developers. And then, on the right hand side, the third criterion is basically: whenever there are systems involved, source code repositories, build systems and so on, we basically have this pattern of: you can either compromise that system, exploit a weak configuration, exploit a vulnerability, or you can tamper with or compromise the users of that system. And so that is kind of the structure or the criteria used for structuring the tree, right.

B
But you will see this in a second here: Piergiorgio will walk you through this beautiful web application. And then I wanted to just very quickly raise your attention to this table, which is a summary of the feedback of experts and developers on the costs and the utilities of the different safeguards. And so what you see in the table are, yeah, the 30-something safeguards we have come up with, like protect production branches and source code versioning, and for each of those safeguards you see how useful is it. You have the ones that are less costly and more useful, and at the very bottom you have the ones that are considered more costly and less useful, and on the right hand side you have the feedback of developers, again according to the cost and the usage. Right, I leave it with this. You have the link in the minutes to read through the whole paper, and with that I would like to hand over to Piergiorgio, so he can show you the tool in action.

G
Thank you, Henrik. Let me try to see. Can you see my screen? Can you confirm? Yeah, yeah. So, right. So this is how it looks like, the web application. Let's say that it started a bit like a tool that we needed for our discussion, to show and to reason about the tree, to categorize the attack vectors that we used, and then we categorized them. And so here, basically, you can then explore the tree, right, in an interactive way, and when you click here you can see the description here. You have also a share button, to share whether you need to reference the specific attack vectors here, and here you have all the list of references attached to a specific node and the list of safeguards mapped to that node, right.

G
So, basically, you can here explore freely the resources available that basically supported the existence of a specific attack vector within the tree. You may encounter, especially in the structure here when it comes to the users, for example, that there are some nodes which don't have really attacks attached there, but this is because, basically, maybe there were attacks happening in other nodes, because basically here you have replicated some techniques like, for example, taking over a legitimate account. And this is the very same, at least from an attack technique point of view, it's the very same if you do that on the build system or the system that is hosting the version control system. So, right, so here, basically, you can inspect all the information here. You have also search parts, whether you need to locate a specific attack within the tree, so you can search and it is highlighted in the tree, and it's the same for the safeguards. Basically, you can see where a safeguard is mapped within the tree with this highlight, right. And if you need to access the legend, you can, yeah, about the tree. What I wanted to show you also is that you have also a tabular view for both attack vectors and safeguards.

G
So all this information is also available in a tabular view, and probably what is also interesting for you is the entire list of references attached here, right. And so, as I told you at the beginning, it started really as a tool that we needed for our discussion, but then it turns out to be handy for threat modeling use cases. For example, we did a threat modeling workshop internally, to try to reason about our internal infrastructure, how, yeah, things can go wrong, and we thought that this context view about every part of the system, or every part of the possible threats, and the information available here were, yeah, helpful, at least in this kind of use cases. But another point about releasing it open source is that we are trying our best to maintain all the resources updated as soon as a new attack is going on. But this is why we thought to discuss with you about the tool itself, because we thought that having it, we have it, below the OpenSSF umbrella, and having a community really that can maintain the tool, or maintain at least the references or all the information there, we think it's really important to, yeah.
B
Yeah, maybe one quick additional note on the possible use cases, and I think this is why it fits to this work group so clearly. I think this is a very helpful resource for training and awareness and education purposes, right. Piergiorgio also mentioned that we have used it in the past for threat modeling, but I think there are maybe other use cases. One would be to, in fact, scope penetration tests, because it's very easy to say to the penetration tester as well: if you look at our development infrastructure at our company, please, these are the things that are in the scope, and these other things, please do not do this. This would be another use case, and so I think there are maybe more use cases, and, yeah, we would be happy to explore this with you. And coming back to the second point raised by Piergiorgio, I think, and we knew this from the beginning when developing this, that such a tool under SAP's GitHub organization doesn't make so much sense. We, of course, do not have the same visibility and then the same possibilities for growing a community around such work, and that's why we thought of proposing and asking whether you think there is any sense in moving this over in one or the other way.

A
Right, thanks Henrik. Just to add from my side, I've found this useful, apart from the paper, which has been very, very useful. So I've put together a threat model that I'm trying to change and work on with a couple of others, and CRob, changing it into an architecture view of supply chain. So I started with a threat model, and then it quickly got to the point where I needed to have some way of classifying the different threats, to figure out where on the threat model it was actually going to go, and that drew me straight to the taxonomy, which I figured was actually quite useful to then map to the threat model. Just, I wasn't aware that you were doing the threat model as well in SAP. Yeah, so it's so cool. So I've mapped it to the threat model and taxonomy, and then the bit that I think is missing, or the bit I was trying to figure out from that point, was the prevalence of these different attacks. So I was going through the In-Q-Tel data to try and figure out how frequent were these different attack vectors applied to those threats, based upon that taxonomy, with a view of trying to probabilistically figure out where, within that architecture, I needed to really put a lot more mitigation. So I'd be interested in adding that prevalence data into it, or starting to map that, and maybe cross-referencing with In-Q-Tel or some of the other data sets I'm aware of, to try and come up with more of a probabilistic approach of figuring out.

G
Yeah, yeah. What I wanted to say, that, for example, you mentioned In-Q-Tel, they had this data set about compromises. It basically... I reviewed it. This was one of the sources that we used to basically put all the references within the, yeah, taxonomy. We had a discussion with Henrik, I think a couple of weeks ago, about, for example, having this kind of feature or visualization, about increasing, for example, the size of a node depending on how many attacks were attached to there. And we were discussing a bit, and this is why I would like to have also your feedback, because my point of view is that, or at least my fear is that, it doesn't mean much that if we have less resources regarding a specific attack, that is, let's say, the less used attack. This is my fear. I mean, and this is why I didn't want to give an impression with the visualization tool, to pass a message that may be wrong, because we may not have enough resources or capabilities to track specific attacks or not. But definitely it is interesting, your point of view and your use case. I agree. Jack.

I
Yes, I have a few quick things. First one: I said I was a huge fan of Backstabber's Knife Collection. Together with the "Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages" paper, it's had a huge impact on how we think about things at Shopify, and it's why I'm here today. So thank you for that. A very small note about the visualization: I would be cautious about using red and green as colors that indicate something. That's not any good for people who are colorblind, unfortunately. They won't be able to distinguish between them. So that's something to look into, I guess. One question I have is in terms of production. One thing we struggle with in the end user group is, like, how do all these different things fit together that the OpenSSF sponsors, and I suspect one of the questions will be, like...

B
Yes, maybe two quick answers. For the colorblind: in fact, there are also different fill patterns, so that should be done already. We had that feedback already in the past, that's why we did that. And for what concerns linking the different initiatives, I agree that it's difficult. There are so many things going on in parallel, and sometimes you wonder how they fit together. One feedback is that I think also in SLSA you have kind of a system model at some point in time, with source code repository, build server and I think even package repositories, and so that is pretty close to what we were using for structuring parts of the attack tree. And the second thing, and I'm not sure whether this became so clear in Piergiorgio's presentation: one idea is that if you select the safeguard, you would highlight all the attack vectors that are covered, and so giving you a feeling for: if you implement this thing, this is what you would be partially, hopefully completely, mitigating, and learn from that these are paths still open that you need to cover in different ways.
I
Yes, and what I would say very quickly, Jonathan, sorry to interrupt you. I think the question from folks is going to be: I have two things now, the taxonomy and SLSA, which give me guidance on which countermeasures to use, and in the situation that one covers something that the other doesn't, or where they both cover something that they give different answers about what's going on or what could be done, it could cause a lot of angst.

G
Yeah, can I take this question? Because I had the opportunity just to look at SLSA and different, let's say, proposals that we have nowadays, even this new document from NSA and CISA. So for what concerns the work of the taxonomy, our first goal was to systematize the knowledge about the threats, right. I mean, an analogy could be to see it like, for example, MITRE ATT&CK, in the sense that it's a way to explain how compromises happen in the open source space, right, while for SLSA, they are, let's say, providing a level of maturity, we can say, for what concerns the integrity, how to preserve the integrity in the supply chain, right. So, and of course, I agree with you, then, on the fact that there could be some confusion for what concerns the safeguards. So we could think about, for example, how to better handle or integrate SLSA, giving it more visibility within the tool, or the Risk Explorer tool. But I think the scope is a bit different, right, because again the taxonomy is trying to describe how attacks happened and which are the threats there, and SLSA is providing you guidance or level of maturity depending on what and where you put some safeguards, right. I don't know if this answers your question, or...

A
Once we've agreed as a wider group what that mitigation would be, so we kind of tie the thing together, and we have an architecture to figure out what the landscape looks like. We need a taxonomy to reason about those attacks, and then we have the mitigations at the back, and then I think the bit that's missing there is that prevalence bit where, given that taxonomy, we start to add the prevalence of the attacks. This is where the attacks are coming from in this part of your architecture, and this is a clear definition of what you need to go after and mitigate. And I think... I wonder if we're in a kind of position to pull that stuff together, because we see it from an end user or enterprise view. That's just something I think might be worth considering, because we're not just looking at a smaller part, we're looking at pulling the whole lot together as a consolidated whole. And you're right, it's like, well, we can't just decide, hey, we've got a new version of these mitigations, let's go. No. We need to work together with different peoples and figure out: look, the standards just this, that and the other; provide the appropriate feedback, and that's canonical mitigation. But I think if we've got a taxonomy and things underneath, I think that starts to help. Just my thoughts on that one. Any feedback on that one? Then I'll defer to Jay. Sounds like CRob, you thumbs up and heart, untouched.

A
I'm still shocked that you're driving, but we'll move on from that. Just got home. Good, okay, excellent, Jay, I'll defer to you.

C
Yeah, you know, we're doing... I mean, I'd like to add to that, but I don't think I have anything to add to that. You kind of took the words right out of my mouth. You know, at the time of your writing, and guys, I do have to say, having, you know, about with you... is this 2022? About a good seven or eight years ago, I had the pleasure of writing a dissertation. So when I saw your scholarly piece there, I was happy to see the RQ1 architecture. I could read those, I could read some of the stuff, and I pulled up the document and, you know, started to look through that. So I appreciate how you put that together. Echoing what John said, all this, this piece, especially the taxonomy, these things can all be joined together. You know, keeping things separate is a past situation. We could bring that stuff together and clearly find bridges that link each of these things to make a more complete... I would even say something a little bit more provocative and say, looking at... we could... this taxonomy could be something that could be built out such that it does what MITRE does, but specifically for supply chain security, and understanding, as a true... especially with what CRob is doing, understanding what that supply chain attack surface and attack landscape actually looks like, and how it will evolve over time, right. So that's the other thing that I think about, that's top of mind for me all the time, not just today, but how does that scale? And how does that evolve over time? And what can we foresee based on information that we're putting together today? And we have some smart people in the room that can do that.

B
So, I mean, maybe to reiterate what I think was said before: so I think the taxonomy is really taking this perspective of the attacker, which is maybe different from some of the other works, but again, I totally agree that the safeguards need to be well aligned with all the other initiatives. Otherwise this doesn't make sense and will only cause confusion. So in general, I have the feeling there's more positive, confirming feedback on the possibilities to discuss this further and maybe work on this together.
A
I was going to sort of raise that or question that myself, and we've got CRob on the line, who is a veritable member of the TAC. I was wondering, you know, I wonder if we put a proposal together to the TAC that, look, there's a way of connecting these different projects together, and I think it's not like taxonomy is the glue necessarily, but it's an additional one. CRob, we're working on the architecture underneath; taxonomy needs to go on top and then connect in SSC and SLSA. Is that an appropriate approach, architecture? And then, if that is the case, let's set that maybe up as some form of a... I don't want to use the word working group or project. There you go, I don't know what to call it now, but the initiative. And also look at sort of adopting the taxonomy also as part of that, or connecting into that initiative. Does that sound like something we could raise to the TAC, or how would you... yeah.

J
And we're more and more grappling with these ideas or efforts that bridge many groups, so I think this would be very good to bring to the TAC, and maybe we also kind of help standardize, kind of proceduralize, how these types of cross-foundation things get put in. Great, yeah, I think it's great. I think we should propose it up. You should be opinionated with what your proposal is, that we would like to create a special interest group, or, you know, we need to connect these different groups, and, you know, bring that forward. But I think that's definitely something the TAC would like to talk about. Great.

A
So I think, if we can take, you know, maybe I'll propose we'll do two things to the TAC. One is that joined up initiative, and propose that, number one, and second is to basically suggest adoption of the taxonomy to the TAC also. I don't know if it's the same thing or is it two separate things, but it's... yep, a thumbs up for Jack, yep. Okay, any feedback on that?

C
Yeah, I think what we may want to do as well, because of the joint part of it, because I'm in, but SLSA should care about this too, right, and having sat in the room with them, I think this would be beneficial as well, so that maybe when it gets proposed to the TAC we're all in the room for that.

K
So John, who do you think, or whom... I volunteer to write this up? This proposal we're talking about.

A
I will... I've got... I'm taking a couple of actions today, I think, but I will write up that proposal. I think it's really important. Okay. Thanks Henrik. All right, good. I think we've got some good output there, right, in terms of the goodness of the order. The next item on the agenda is additional notes from working groups. So can I open it to anyone on the call to give any feedback from any pertinent working groups that we've attended over the last two weeks that you'd like to bring to the table?

K
Yeah, can we make that a priority too? We've been talking about that. Not sure who's the best person there. Maybe CRob, you have some information on this. Is there an OpenSSF taxonomy or diagram of all the different working groups and their activities?

J
...initial picture, but it is not going to be our final deliverable.

A
But is there anyone who would like to take the pen on providing the initial matrix, potentially dive into that working group as well, or sorry, the group of diagram enthusiasts, or putting together an initial matrix? Okay, look, I think, if there's no one picking that one up, maybe we put it down in the notes as an item, and if people are able to pick it up between now and then, please do so. I will endeavor to do that, but I'm gonna be a bit short on time doing the other work we've taken on.

F
Just to be clear, the action or the item that needs doing is... so many as providing feedback to the diagram, to the diagrammers, I...

A
I think it's creating the matrix, or initial matrix, of the different working groups we would like to attend as a group, and then putting a kind of a bonus. I mean what I could just ask right now is: is there any particular working group we feel we need to have direct input in? I'd suggest the Education working group, Vulnerability Management and Integrity group. Let's start best.

K
So I just want to mention, if some of these members... I'm not sure if anyone here is going to be in Tahoe for that event. Hopefully, if we have a few folks from the end users working group, it'd be great. I'm happy to put together and host a birds of a feather session at the local pub in the hotel. We may be given a keynote there if we can close that, but it's a good event, and if you have any interest in finding out what's going on in open source and financial services, you'll hear a whole bunch of interesting presentations from some of the, you know, larger banks in the world and what they're doing on open source. And what I want to inject, and hopefully Jonathan will be there with me, is this whole software supply chain security element to the conversation there, which they've said they're really interested in and want to make sure that we are getting across in some way, shape or form. So that's December 8th in New York. So if anybody happens to be based there or can make it, it's actually a really good event.

A
No, okay, well, look, we'll close a few minutes early, but thank you very much for everyone's input. I think it's been really useful. Thank you, Henrik and Piergiorgio, for the presentation, and good welcome, Backstabber's Knife, and quite a lot of actions, more progress. So thanks very much, everyone. Appreciate your time.