►
From YouTube: End Users Working Group (June 14, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1abI65H4pF5y8YtA2_TuDBAaI47v9mTfpr5mwVvccX_I
C
E
B
C
C
And
unfortunately,
all
right
should
we
kick
off
and
other
people
enjoying
and
and
jump
in
later,
there's
actually
three
three
members
that
are
currently
at
the
Finos
open
source
Summit,
which
is
where
I'm
at
at
the
moment
so
likely.
Another
call
right
before
we
start
anyone
willing
to
describe
today.
C
G
Yeah
I'm
I'm
obsessed
from
I,
don't
well
I'm,
not
sure
you're
asking
me,
but
anyway
go
ahead.
Well,
yeah
I'm,
SAS
from
MasterCard,
so
I'm
I'm,
responsible
for
maturing
supply
chain
security,
lips,
evaps
and
secure
sdlc
Atmos
records
I'm
a
principal
architecture.
So
that's
that's!
Why
I'm
interested
and
also
we
are
rolling
up
our
open
source
governance
policies,
mostly
from
the
consumer
perspective.
So
that's
why
I
think
when
we
are,
we
are
doing
a
collaboration
with
open
ssf.
So
that's
why
this
group
interests
me.
C
I
think
that
the
first
or
the
main
point
of
the
day
is
the
threat
model,
work
and
a
couple
of
things.
We
wanted
to
sort
of
go
through
around
different
time
and
just
make
sure
that
people
are
set
up
appropriately,
but
before
we
get
into
that
Henry
do
you
want?
Do
you
want
to
perhaps
give
a
bit
of
an
update,
because
that
is
one
of
the
main
deliverables
we're
trying
to
work
through
as
a
group.
H
H
I
also
did
a
couple
of
updates
of
the
document,
which
I
think
are
no.
At
least
two
of
them
are
noteworthy.
The
first
is
I
better
describe
the
object
objectives
in
the
beginning.
I
made
a
couple
of
track
changes,
so
please
feel
free
to
review
main
update.
I
think
is
that
I
try
to
better
explain
that
it
is
all
about
identifying
the
threads
on
those
software
development
infrastructures
and
processes
of
larger
organizations,
independent,
whether
malware
or
malicious
actors
come
through
open
source,
malicious
open
source
packages
or
through
other
channels.
H
H
With
a
small
table
to
better
structure
and
describe
Red's
animal
systematic
fashion,
so
we
have
a
impact,
description,
severity
and
a
couple
of
other
two
three,
let's
say
properties
of
every
thread
which
was
missing
in
the
past
and
which
resulted
in
a
little
bit
of
a
an
unstructured
bullet
item
list
which
which
I
didn't
like
so
much
so
we
didn't.
You
know
over
complicated
the
you
know
the
properties
and
how
to
describe
those
threats,
I
think
if
ever
needed.
This
can
be
done
at
a
later
point
in
time.
H
I
think
it's,
at
least
in
my
opinion,
of
the
right,
granularity
and
detail.
To
start
with,
the
other
things
is
right:
I
mean
the.
We
came
up
with
this
very
Europe
friendly,
convenient
time
slot
on
a
Tuesday
three
o'clock
that
I
very
much
appreciated,
but
retrospective
in
the
retrospective.
It
was
a
little
bit,
maybe
ad
hoc,
selected
and
so
I've
created
a
new
doodle
in
order
to
basically
have
a
broader
agreement
on
when
to
meet
and
work
on
this
document.
H
Right
and
then
there
are
two
questions
that
came
up
during
the
discussions.
One
was
mentioned
by
Randall
last
time.
How
do
we
actually
want
to
distribute
the
results
of
this
effort?
Will
this
be
a
PDF
document?
Will
this
be
marked
down
documents
in
a
GitHub
or
repository?
What
do
we
wanna?
How
do
we
want
to
communicate
this
I
think
that
is
something
we
can
already
start.
You
know
thinking
about,
even
though
I
think
we
still
need
a
couple
of
weeks
until
the
content
is
mature
enough
to
be
distributed.
C
B
F
H
It's
a
good
point:
yeah
I
mean
looking
how
many
new
open
ssf
initiatives
seem
to
pop
up
on
a
regular
basis.
I
have
the
feeling
they
continue.
There
is
a
continued
need,
placing
those
and
relating
those
to
each
other
and
to
those
threads
that
we
identify.
So
even
though
the
term
living
document
is
maybe
used
a
little
bit,
you
know
yeah.
So,
oh
no,
let's,
let's
say
it
differently.
Living
document
is
maybe
good.
A
good
thing
to
to
have
considering
all
these
things
going
on
at
the
open,
ssf
I.
C
H
C
As
a
PDF
and
at
least
that's
an
artifact
that
capric's
been
passed
around
with
versioning
and
not
necessarily
updated,
and
then
if
people
want
to
contribute
and
add
to
the
living
document,
they
can
certainly
come
back
to
the
group.
Look
at
the
work,
the
markdown
and
you
have
the
ability
to
edit
it,
but
also
like
a
point
in
time.
Version
that
we
can.
We
can
discuss.
D
H
Right
and
the
in
the
other
question
that
came
up
I
think
two
sessions
ago
was
around
how
git
is
typically
used
in
Enterprises,
so
I
mean
in
principle.
It
is
a
decentral
Version,
Control
System,
but
many
corporations-
you
know,
set
it
up
by
convention
in
a
central
fashion
where
you
have
a
leading
git
server,
and
then
this
is
where
the
developers
sync
with
and
so
and
we
wondered
so.
H
D
C
D
I've
got
like
a
Spider
Sense
tingling
about
the
difference
between
organizations
where
they
do
a
PR
at
a
time
and
a
merge
request
at
a
time,
but
I
guess
there's
no
difference
in
threat.
There's
really
just
a
difference
in
response
right,
like
a
single
PR,
has
X
percent
chance
of
of
being
bad
and
naughty
and
Evil,
but.
H
D
D
B
There's
that
and
there
also.
It
was
also
pointed
out
to
me
that
there
are
some
very
large
companies
that
do
use,
get
a
decentralized
manner.
I,
too,
have
not
seen
this,
but
apparently
it
does
happen.
Just
not
something
I've
interacted
with
so
I
just
wanted
to
put
those
two
things
out
there
for
consideration
as
well.
C
C
B
And
I'm
also
trying
to
get
one
of
my
colleagues
to
our
meetings
with
Henrik
as
well,
so
that
he
can
provide
more
details,
but
I
know
that
he's
very
close
to
Lioness
and
the
colonel
developers
and
yeah
that's.
That
was
why
I
do
think
that
he
a
lot
of
his
thoughts
are
interesting
but
but
yeah
but
I
do
know
across
like
the
LF
community
in
general.
B
E
H
Great
so
I
think
there
was
an
agreement
on
that.
We
continue
on
this
assumption
that
there
is
a
central
setup
in
these.
These
kind
of
typically
essential
setup
on
the
organizations
in
the
focus
of
this
threat.
Modeling
Workshop
grid
already
put
this
into
into
the
document
yeah.
Maybe
in
the
last
comment
on
on
this
on
this
work
is
so
now
that
we
have
these
kind
of
table
structure
to
describe
threats.
H
H
C
Just
to
add
to
that,
we've
got
a
group
of
threat
modelers
at
a
city
that
are
taking
a
look
and
trying
to
coordinate
actually
attending
at
the
right
time,
but
taking
a
look
offline
and
I've
asked
them
to
contribute
back
to
the
document
and
join
the
meeting
as
well.
So
that
gives
additional
backup
where
how
do
you
feel
because,
like
reading
through
the
document
and
looking
through
the
this
there's
some
good
detail
there
already
I
mean
you
can
always
go
further
with
threat
models.
So
you
never
find
the
end.
H
I've
I
think
we
it's
true
that
we
touched
upon
a
number
of
things,
but
I
still
feel
we
just
scratched
on
this
surface.
I
very
much
enjoy
those
discussions,
but
at
the
very
end
of
an
at
the
top
of
the
hour,
we
basically
discussed
two
or
three
of
those
things
in
detail,
which
is
a
lovely
discussion
great.
But
it's
not
giving
me
the
feeling
weak
progress
there
on
a
significance,
deep
and
reach
with
a
significant
speed
and
and
reach
completeness
and
and
the
foreseeable
future.
So
yeah.
C
H
C
H
C
Yep
I
think
I
think
I.
Think
that
makes
sense.
I
was
I.
Think
I
would
I
wonder
if
I
wonder
if
it'd
be
even
worthwhile
drafting
what
the
architecture,
what
even
today
the
overlap
would
be
with
the
other
standards,
even
with
the
architecture
we
currently
have
and
put
that
at
the
bottom
as
sort
of
a
draft
assuming
this
is
the
threat
model
in
the
draft.
C
This
is
where
salsa
Fitz,
let's
do
c2f,
sits
just
get
that
initial
initial
view
might
start
to
bring
out
some
additional
threats,
because
we
know
that's
also
roughly
fits
in
one
place
and
it's
supposed
to
be
mitigating
in
threats.
Well,
it
kind
of
kind
of
maps
it
straight
back
up
to
the
threat
one.
It
gives
you
a
bit
of
an
easy
indication.
C
C
H
C
C
Yes,
did
anyone
make
their
call
or
take
a
look
at
that
foreign
I
thought
I'd
give
a
bit
of
an
update
if
no
one
else
has
been
to
it.
So
espamarama
the
conference
put
on
by
Sita
Dr,
Alan
Freeman,
there's
some
interesting,
interesting
presentations
and
they've
got
some
interesting
working
groups
going
on
I
think
it's
definitely
a
fluid
space
and
I
think
different.
They
presented
well
I
presented
on
the
finance
side.
There
was
automotive
and
pharmaceuticals
presenting
leveraging
s-bombs
as
they
are
looking
to
secure
Supply
chains
using
that
Focus
approach
as
you'd.
C
C
So
I'd
recommend
if
people
haven't
looked
at
it,
taking
a
look
at
the
working
groups
and
some
of
that
material,
the
S,
bom
Aroma
I'm
fairly
sure
is
what
certainly
was
recorded.
I,
don't
know
when
it's
going
to
be
represented.
Some
interesting
feedback
on
the
I
think
it
was
the
tools
working
group
in
terms
of
interesting
stuff.
C
So
if
people
are
interested
looking
at
s-bombs
or
how
different
communities
are
leveraging
them
I'm,
pretty
sure
that
the
h-bomb,
the
the
healthcare
sector
has
a
meeting
an
attendant
get
some
more
detail.
They
were
also
the
group
that
published
or
the
the
the
chair
I
believe
they
were
the
group
that
published
daggerboard,
which
is
an
interesting,
interesting
piece
of
software
to
manage
your
s-bombs
so
worth
a
look,
no
one's
taking
a
look
right.
So
that's
me
any
other
feedback
from
any
other
working
groups
that
people
have
attended.
D
Quite
yeah
famously
easy
to
travel
during
summer
in
the
US
yeah
one
one
thing
I
guess
I
can
can
advise
on
is
coming
from
the
securing
software
repos
group.
There
is
an
effort
forming
for
our
formica
to
chip
in
money,
for
audits,
to
be
performed
and
also
to
pay,
for
you
know,
contractors
or
donations
to
get
remediations.
D
A
I
have
to
recall,
but
mainly
they
are,
you
know
there
is
step
security
team
that
has
presented
and
the
work
is
being
looked
at
as
scorecard
work
to
be
allocated
towards
openness
and
stuff.
That's
going
to
be
added
in
and
there
is
a
mentoring.
That's
started
this
summer,
so
the
team
is
working
on
the
scaling
and
automation
of
finding
the
disclosures.
So
that's
being
active
right
now
and
there
is
also
a
summer
Purdue
program
that
is
just
starting
or
started.
You
know
they
are
very
much
interested.
A
So
that's
also
in
Works
couple
of
this
week
has
been,
as
you
said,
conferences
so
there's
not
much
of
the
feedback
from
the
stakeholders
or
we
couldn't
get
together
with
the
updates
on
the
alpha
front
as
such,
but
lots
of
work
is
getting
done
on
the
Omega
side
and
securing
repository.
You
know
the
disclosures.
A
Those
are
the
areas
that
they
are
presently
currently.
You
know
working
on,
though
they
are
doing
automation.
We
are
requesting
them
to
focus
on
just
spitting
out
some
kind
of
an
output
with
the
outcomes,
so
we
can
have
some
kind
of
visibility
into
it.
Probably
we
should
be
able
to
see
some
kind
of
a
report
result
with
that
kind
of.
You
know
how
many
vulnerabilities
have
been
found,
what
are
in
progress
assertions
and
such
so
that's
the
focus.
That's
going
on.
It's
quite
going
on.
You
know
active
now,
so
it's
exciting.
G
A
So
let's
start
here,
but
we
are
kind
of
you
know,
helping
our
guiding
and
reviewing
their
work,
and
you
know
just
providing
some
kind
of
strategic
guidance
to
them
as
well,
so
probably
moves
towards
the
scorecard
work
of
openness
and
stuff,
as
I
said
and
there's
others
I
I
see
isrgl,
as
you
know,
has
been
coming
into
as
well
John
like
into
the
alpha.
So
that's
proximal.
So
that's
another
one,
a
major
one
that
we
are
looking
at
too.
E
H
Yes,
that
is
still
on
this
s-bomb
generation,
I'm,
not
sure
whether
we
are
past
this
topic,
but
I
just
wanted
to
say
that
I
was
looking
at
this
kind
of
in
March
or
so,
and
I
created
a
small.
No,
actually
it's
a
it's
a
kind
of
a
shell
script
that
is
also
open
sourced,
which
we
do
with
which
you
can
try
now
to
make
basically
the
running
different,
open
source,
s-pom
generators
at
different
sdlc
cycles
and
then
compute
in
an
automated
fashion.
F
They,
like
this
working
group,
is
now
looking
at
collecting
experience,
experiences
kind
of
from
people
developers
who
have
already,
let's
say
done
the
task
of
integrating
an
s-bomb
generator.
It
doesn't
matter
which,
at
which
state
Adena
or
with
an
open
source
project,
and
so
now
there
are
last
week
I
think
they
had
two
presenters
presenting
kind
of
their
experience.
Next
week,
a
colleague
of
mine
is
scheduled
to
talk
about
her
experience
with
istio
implementing
an
spdx
as
bomb
as
part
of
their
build
process
and
I.
F
E
H
H
C
But
a
lot
of
people
are
shifted,
left
and
they're,
providing
vulnerability,
data
up
to
developers
in
tools
and
such
but
they're
starting
to
generate
s-bombs
and
cicd,
and
people
are
trying
to
look
at
the
difference
between
the
two.
If
we're
telling
developers
one
thing
and
then
the
next
minute
we're
hitting
them
with
a
different
level
of
vulnerabilities
in
the
build,
how
do
they
reconcile
between
the
two
when
we
spend
a
lot
of
money
showing
people
how
to
shift
left
so
I
think
the
the
diagram
highlighting
well
you've
got
more
information.
C
A
I
just
want
to
add
those
couple
of
meetings.
If
anybody
is
interested
about
the
alpha
omega
work
right,
that
is
vulnerability.
Disclosure
sync
autofix
calls
that
they
are
available
if
you're
interested
or
looking
at
securing
repositories
calls
one
is
on
Wednesday
and
the
other
one
is
on
Tuesdays.
Just
take
a
look
for
it.
It's
on
the
open,
ssf
calendar,
and
also
we
have
a
public
meeting.
So
that's
those
informative
sessions
that
you
want
to
join
and
learn
more
about
it
or
even
participate
and
help
them
with
the
disclosure.
A
I
C
One
thing
I
was
going
to
ask
is
I
think
we
need
to
get
additional
additional
support
in
the
threat.
Modeling
threat,
modeling
work,
helping
helping
you
out
Enrique,
certainly
from
our
org
I'm,
trying
to
get
additional
groups
in,
but
I
wonder
if,
if
anyone
knows
of
any
budding
threat,
modelers
or
groups
that
have
spare
bandwidth
it'd
be
good
to
see.
G
C
B
C
H
Yes,
I
mean
so
far.
We
just
have
four
people
who
voted,
and
so,
let's
see
how
many
other
votes
come
in,
maybe
we
can
bid
two
groups,
but
my
current
feeling
is
that
by
you
know,
going
for
half
past
six
European
Time.
This
is
covering
most
parts
of
the
US
and
I
hope.
Your
your
connections
render
are
able,
even
maybe,
if
you're,
if
they're,
sitting
on
Hawaii
it's
getting
difficult,
but
California
should
be.
Do
that
I
would
say
well.
C
H
B
Let's
try
out
the
time
that
we
have
and
let's
see,
if
that
helps
the
situation.
I
know
with
b
and
who's
the
guy
that
was
talking
about
kids,
specifically
I,
know
that
it's
kind
of
early
for
him
but
I,
know
for
Glenn
who's.
Another
person
that
would
be
a
good
resource
for
you
he's
in
European
time
because
he's
in
Belgium,
so
it's
kind
of
difficult
to
figure
out
Glenn
is
basically
the
senior
cyber
security
instructor
at
LF.
B
C
Okay,
all
right,
okay,
so
more
more
power
to
threat.
Modeling
right,
I
think
that
that's
still
the
main
thing
that
we're
trying
to
push
at
get
that
done
and
then
win
decent
shape.
All
right.
If
there's
no
other
business,
we'll
close
a
couple
of
minutes
early
all
right
have
a
good
summary
day.
Everyone.