From YouTube: End Users Working Group (June 14, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1abI65H4pF5y8YtA2_TuDBAaI47v9mTfpr5mwVvccX_I
C
And hey Jack.
C
E
B
A
Do we have the link to that note in the chat, John? Yeah.
C
C
You, I literally just did, but for the go to the order, let me put it in there as well.
C
And unfortunately, all right, should we kick off and other people enjoying and, and jump in later, there's actually three, three members that are currently at the FINOS Open Source Summit, which is where I'm at at the moment, so likely. Another call right before we start: anyone willing to describe today?
C
G
Yeah, I'm, I'm obsessed from, I don't, well, I'm not sure you're asking me, but anyway go ahead. Well, yeah, I'm SAS from MasterCard, so I'm, I'm responsible for maturing supply chain security, lips, evaps and secure SDLC Atmos records. I'm a principal architecture. So that's, that's why I'm interested, and also we are rolling up our open source governance policies, mostly from the consumer perspective. So that's why I think when we are, we are doing a collaboration with OpenSSF. So that's why this group interests me.
A
Thank you, I'm just joining from city Side. I work with John, John Meadows teams, so I've been part of opennesses of Alpha Omega project and now I'm trying to get into the end users side of it as well, and learn more from your folks and see if I can be of any help here.
C
Welcome Anna, and I also want to point out that Anna has been helping a lot on Alpha Omega, which is one of the things that I really, really, really believe in, so very cool, thanks for that. Right.
C
I think that the first or the main point of the day is the threat model work and a couple of things we wanted to sort of go through around different time and just make sure that people are set up appropriately, but before we get into that, Henry, do you want, do you want to perhaps give a bit of an update, because that is one of the main deliverables we're trying to work through as a group.
H
H
I also did a couple of updates of the document, which I think are, no, at least two of them are noteworthy. The first is I better describe the object, objectives in the beginning. I made a couple of track changes, so please feel free to review. Main update, I think, is that I try to better explain that it is all about identifying the threats on those software development infrastructures and processes of larger organizations, independent whether malware or malicious actors come through open source, malicious open source packages or through other channels.
H
H
With a small table to better structure and describe Red's animal systematic fashion, so we have a impact, description, severity and a couple of other two, three, let's say, properties of every threat, which was missing in the past and which resulted in a little bit of a, an unstructured bullet item list which, which I didn't like so much. So we didn't, you know, over complicated the, you know, the properties and how to describe those threats. I think if ever needed, this can be done at a later point in time.
H
I think it's, at least in my opinion, of the right granularity and detail to start with. The other things is, right, I mean the, we came up with this very Europe friendly, convenient time slot on a Tuesday three o'clock that I very much appreciated, but retrospective, in the retrospective, it was a little bit, maybe, ad hoc selected, and so I've created a new Doodle in order to basically have a broader agreement on when to meet and work on this document.
H
H
Right, and then there are two questions that came up during the discussions. One was mentioned by Randall last time: how do we actually want to distribute the results of this effort? Will this be a PDF document? Will this be Markdown documents in a GitHub or repository? What do we wanna, how do we want to communicate this? I think that is something we can already start, you know, thinking about, even though I think we still need a couple of weeks until the content is mature enough to be distributed.
C
Do you just talk about that, I'm just wondering if anyone else is on the call has got, I mean, is there any particular precedence? Certainly within the CNCF I think we were creating a PDF and a Markdown. Does anyone have any particular bias one way or the other or any.
B
F
H
It's a good point. Yeah, I mean, looking how many new OpenSSF initiatives seem to pop up on a regular basis, I have the feeling they continue, there is a continued need placing those and relating those to each other and to those threats that we identify. So even though the term living document is maybe used a little bit, you know, yeah. So, oh no, let's, let's say it differently. Living document is maybe good, a good thing to, to have considering all these things going on at the OpenSSF, I.
C
H
C
As a PDF, and at least that's an artifact that capric's been passed around with versioning and not necessarily updated, and then if people want to contribute and add to the living document, they can certainly come back to the group, look at the work, the Markdown, and you have the ability to edit it, but also like a point in time version that we can, we can discuss.
H
Good, I mean, I, I guess it would be, yeah. Okay, the scribe already took care. Chuck.
D
Just, just a quick note with, if you choose to go down the website, even with versioning, I would talk to David A. Wheeler, who's on the OpenSSF staff. He helped to set up the best working group website and so he'd be the person to talk to about that.
H
Yeah, I said, I think we still have some time until we release version one, but yeah, it's good to start a discussion around already now.
H
Right, and the, in the other question that came up, I think two sessions ago, was around how Git is typically used in enterprises. So, I mean, in principle it is a decentral version control system, but many corporations, you know, set it up by convention in a central fashion where you have a leading Git server, and then this is where the developers sync with, and so, and we wondered, so.
H
D
Check, speaking to myself at least, I've never seen a decentralized use of Git in the Linux kernel style. I would say that the main variation I've seen is between sort of trunk-based development and pull request based development, and within pull request based development, I would say.
C
D
I've got like a Spider Sense tingling about the difference between organizations where they do a PR at a time and a merge request at a time, but I guess there's no difference in threat. There's really just a difference in response, right, like a single PR has X percent chance of, of being bad and naughty and evil, but.
H
And maybe also how much, how big those pull requests become that require review, and which is kind of determining or influencing the chances of seeing any malicious thing, if Everett is in, right.
D
D
GitHub have something equivalent, is very often now, not, didn't used to be the case, but now it's very often the case that dependency upgrades happen independently of feature work, because the bot creates specific things. So like it used to be that you had all these things mixed together, like ill-disciplined teams were just like write some code and they'd throw in an upgrade in the middle of it, right, because they're like, oh, I need an upgrade, boom, right, and so you just get this, this salad of changes.
D
B
There's that, and there also, it was also pointed out to me that there are some very large companies that do use Git in a decentralized manner. I, too, have not seen this, but apparently it does happen, just not something I've interacted with, so I just wanted to put those two things out there for consideration as well.
C
C
B
And I'm also trying to get one of my colleagues to our meetings with Henrik as well, so that he can provide more details, but I know that he's very close to Linus and the kernel developers, and yeah, that's, that was why I do think that he, a lot of his thoughts are interesting, but, but yeah, but I do know across like the LF community in general.
B
Not just an end use this thing, I believe that Tim and I share this with omagadar, or, I don't know how to pronounce his name, but he's, they're.
D
E
H
Great, so I think there was an agreement on that. We continue on this assumption that there is a central setup in these, these kind of typically essential setup on the organizations in the focus of this threat modeling workshop. Grid already put this into, into the document, yeah. Maybe in the last comment on, on this, on this work is, so now that we have these kind of table structure to describe threats.
H
H
So would be happy to receive your feedback. I hope to have this done by, by kind of Tuesday next week when we have the next session, but I always struggle a little bit to do this in the, in the three, three or four hours or so a week I can dedicate to this, yeah.
C
Just to add to that, we've got a group of threat modelers at a city that are taking a look and trying to coordinate actually attending at the right time, but taking a look offline, and I've asked them to contribute back to the document and join the meeting as well. So that gives additional backup. Where, how do you feel, because, like, reading through the document and looking through the, this, there's some good detail there already. I mean, you can always go further with threat models, so you never find the end.
H
I've, I think we, it's true that we touched upon a number of things, but I still feel we just scratched on this surface. I very much enjoy those discussions, but at the very end of an, at the top of the hour, we basically discussed two or three of those things in detail, which is a lovely discussion, great. But it's not giving me the feeling weak progress there on a significance, deep and reach with a significant speed and, and reach completeness and, and the foreseeable future. So yeah.
C
Yeah, I mean, when, when some of our, when I've seen threat models go into a lot of detail, it could, could be, you know, weeks and a month or two of really dedicated full-time work. So we've got to be reasonable, I think, on what we're going to expect from, from our group.
H
C
H
Thoughts, so my, so my, my idea would be to con. So what we do right now is we basically go from one system of that infrastructure to the next and try to come up with those threats. Until now we got recovered tools were covered. We touched upon two.
H
There are a couple of other symptoms to be, to be looked at, so my, my idea would be to continue down this road. As I said, I very much enjoy those discussions, and then, at some point in time, I would start linking the OpenSSF initiatives and see whether this fits together, whether they address the things, whether we describe them in sufficient details such that, you know, this is matching, and maybe that is, that is a way to also assess whether we require more detail and whether we, yeah.
C
Yep, I think, I think, I think that makes sense. I was, I think I would, I wonder if, I wonder if it'd be even worthwhile drafting what the architecture, what even today the overlap would be with the other standards, even with the architecture we currently have, and put that at the bottom as sort of a draft, assuming this is the threat model in the draft.
C
This is where SLSA fits, S2C2F sits. Just get that initial, initial view might start to bring out some additional threats, because we know that's also roughly fits in one place and it's supposed to be mitigating in threats. Well, it kind of, kind of maps it straight back up to the threat one. It gives you a bit of an easy indication.
C
C
H
H
Your current favorite is half past six Central Europe time. So this would be a half past nine West Coast, U.S. West Coast.
C
Thank you word for it. Okay, cool, all right, more work there, but I think there's some good progress there. There's a little detail in that document already, so good to see that progressing. That's cool, nice work.
C
Yes, did anyone make their call or take a look at that? I thought I'd give a bit of an update if no one else has been to it. So SBOM-a-Rama, the conference put on by CISA, Dr. Allan Friedman, there's some interesting, interesting presentations and they've got some interesting working groups going on. I think it's definitely a fluid space and I think different. They presented, well, I presented on the finance side. There was automotive and pharmaceuticals presenting leveraging SBOMs as they are looking to secure supply chains using that focus approach, as you'd.
C
Imagine, really interesting feedback from automotive and pharma in how far they've got with their PoCs. I think there's a number of challenges that were raised around the SBOM quality and naming, but it's clear that people are really trying to use them and using almost an anger.
C
There's a couple of working groups that we've often sort of suggested is end users we'd probably want to jump into, and they presented some interesting stuff.
C
So I'd recommend, if people haven't looked at it, taking a look at the working groups and some of that material. The SBOM-a-Rama, I'm fairly sure, is what certainly was recorded. I don't know when it's going to be represented. Some interesting feedback on the, I think it was the tools working group, in terms of interesting stuff.
C
There was a couple of really good slides detailing different SBOMs and the implications of what the SBOM would look like if it was taken at different parts of the SDLC, whether it's build, pre-build, deploy, runtime, operations, the whole lot. There's a really good diagram showing sort of circular SDLC and that the, and the implications and, and effectively naming these different SBOMs. I think I've seen them talking about it before, but I think that was quite insightful in.
C
C
So I think that was really, really very, very useful, so recommend people take a look at that as it comes up. I'm sure the slides are going to be published as well, of people looking at the SBOM community, and I think the, I think the healthcare PoC, they actually have a meeting every month and I believe it's open.
C
So if people are interested looking at SBOMs or how different communities are leveraging them, I'm pretty sure that the h-bomb, the, the healthcare sector has a meeting an attendant get some more detail. They were also the group that published, or the, the, the chair, I believe they were the group that published daggerboard, which is an interesting, interesting piece of software to manage your SBOMs, so worth a look. No one's taking a look, right. So that's me. Any other feedback from any other working groups that people have attended?
D
Quite, yeah, famously easy to travel during summer in the US. Yeah, one, one thing I guess I can, can advise on is coming from the securing software repos group. There is an effort forming for our formica to chip in money for audits to be performed and also to pay for, you know, contractors or donations to get remediations.
D
D
D
C
Very nice. Anna, sorry to put you on the spot, but it, is there an update, maybe from the Alpha Omega group, public update?
A
I have to recall, but mainly they are, you know, there is StepSecurity team that has presented and the work is being looked at as scorecard work to be allocated towards openness and stuff. That's going to be added in, and there is a mentoring that's started this summer, so the team is working on the scaling and automation of finding the disclosures. So that's being active right now, and there is also a summer Purdue program that is just starting or started. You know, they are very much interested.
A
So that's also in works. Couple of this week has been, as you said, conferences, so there's not much of the feedback from the stakeholders, or we couldn't get together with the updates on the Alpha front as such, but lots of work is getting done on the Omega side and securing repository, you know, the disclosures.
A
Those are the areas that they are presently, currently, you know, working on. Though they are doing automation, we are requesting them to focus on just spitting out some kind of an output with the outcomes, so we can have some kind of visibility into it. Probably we should be able to see some kind of a report result with that kind of, you know, how many vulnerabilities have been found, what are in progress, assertions and such. So that's the focus that's going on. It's quite going on, you know, active now, so it's exciting.
G
Yeah, Anna, you're talking about the StepSecurity, right? They're, they're building up, I recently, you know, had a chance to talk with them. They're building a product on the supply chain security, mainly monitoring side. They're, I think they're developing a, that.
G
They have developed an agent which can go in the build workers or on the Jenkins to measure and monitor anomalous activities happening, like outbound connectivities and all, and they'll be able to show you the reports based on that, and that report is available within Jenkins and can be associated with the build jobs.
A
So let's start here, but we are kind of, you know, helping our guiding and reviewing their work, and, you know, just providing some kind of strategic guidance to them as well, so probably moves towards the scorecard work of openness and stuff, as I said, and there's others. I, I see isrgl, as you know, has been coming into as well, John, like into the Alpha. So that's proximal. So that's another one, a major one that we are looking at too.
E
H
Yes, that is still on this SBOM generation. I'm not sure whether we are past this topic, but I just wanted to say that I was looking at this kind of in March or so, and I created a small, no, actually it's a, it's a kind of a shell script that is also open sourced, which we do, with which you can try now to make basically the running different open source SBOM generators at different SDLC cycles and then compute in an automated fashion.
H
The recall, meaning those components that we consider to be the minimum should be included at every stage, and to what extent those different SBOM generators miss those, and it should be relatively, it's only for Java Maven projects, but it should be relatively straightforward to do this for any, any other Maven project by, by just means of configuration, and the, the life cycle phases covered are basically, there are SBOM generators run after cloning a project, after building it, on the container and at runtime, and so, and then, and then those are automatically compared.
F
F
F
They, like this working group, is now looking at collecting experience, experiences kind of from people, developers who have already, let's say, done the task of integrating an SBOM generator. It doesn't matter which, at which state Adena or with an open source project, and so now there are, last week I think they had two presenters presenting kind of their experience. Next week, a colleague of mine is scheduled to talk about her experience with Istio implementing an SPDX SBOM as part of their build process, and I.
F
E
F
Let them know, or I can also take it back if you want, but it's your work, so I don't wanna, I wouldn't just, I would just point to it.
H
Yeah, I mean, feel free to. I think I will not be attending. I'm, I feel there are too many, too many work groups to attend, so, but feel free to share those links, and if ever there is a need for a presentation, I would be happy to say 15 minutes about it or 10 minutes, whatever time's necessary.
H
C
Adding to the SBOM conversation for a second, it was interesting talking to different people about their, their usage of SBOMs at the moment, and from different groups they're starting to use SBOMs internally, at least as they're coding and building our own software, generating SBOMs, storing them and leveraging them for vulnerability management, but I think it's the healthcare and pharmaceutical sectors that are absolutely leading the way and using them externally.
C
Certainly from my experience, there's not an awful lot of SBOMs being sent and distributed, but obviously I'm in a smaller vacuum, but where I am definitely seeing as people using them internally, and one of the other interesting parts of that is, and I think it goes back to the, the different SDLCs and, and where, within the SDLC, the SBOMs are generated.
C
But a lot of people are shifted left and they're providing vulnerability data up to developers in tools and such, but they're starting to generate SBOMs and CI/CD, and people are trying to look at the difference between the two. If we're telling developers one thing and then the next minute we're hitting them with a different level of vulnerabilities in the build, how do they reconcile between the two when we spend a lot of money showing people how to shift left? So I think the, the diagram highlighting, well, you've got more information.
C
A
I just want to add those couple of meetings. If anybody is interested about the Alpha Omega work, right, that is vulnerability disclosure sync autofix calls that they are available if you're interested, or looking at securing repositories calls. One is on Wednesday and the other one is on Tuesdays. Just take a look for it. It's on the OpenSSF calendar, and also we have a public meeting. So that's those informative sessions that you want to join and learn more about it or even participate and help them with the disclosure.
A
I
C
One thing I was going to ask is, I think we need to get additional, additional support in the threat modeling, threat modeling work, helping, helping you out, Enrique. Certainly from our org I'm trying to get additional groups in, but I wonder if, if anyone knows of any budding threat modelers or groups that have spare bandwidth, it'd be good to see.
C
If we could reach out to people, see if they have the interested diving in and helping, particularly if, if they're experienced the threat modeling, maybe that's something we can reach out to others.
G
Hey, sorry, I can help here, so I have developed a threat modeling pattern, best threat modeling practice in MasterCard, and I have an objective to develop a threat model on CI/CD, so that is anyway matching what you guys are trying to do, so I can definitely contribute it.
C
B
I was going to suggest maybe having multiple times for the threat modeling, because I can get different people there at different times. It's really hard to get certain people early and it's, yeah.
C
I didn't actually respond to that, I guess, in, in Enrique, I guess, let's, let's see how, how we, we get people signing up to different times, and maybe it's this a couple of groups. Maybe, maybe we can do that? What do you think?
H
Yes, I mean, so far we just have four people who voted, and so let's see how many other votes come in. Maybe we can bid two groups, but my current feeling is that by, you know, going for half past six European time, this is covering most parts of the US, and I hope your, your connections render are able, even maybe, if you're, if they're sitting on Hawaii it's getting difficult, but California should be. Do that, I would say, well.
C
H
B
Let's try out the time that we have and let's see if that helps the situation. I know with b and who's the guy that was talking about kids specifically, I know that it's kind of early for him, but I know for Glenn, who's another person that would be a good resource for you, he's in European time because he's in Belgium, so it's kind of difficult to figure out. Glenn is basically the senior cyber security instructor at LF.
B
C
Okay, all right, okay, so more, more power to threat modeling, right. I think that that's still the main thing that we're trying to push at, get that done and then win decent shape. All right. If there's no other business, we'll close a couple of minutes early. All right, have a good summary day, everyone.