From YouTube: End Users (September 15, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
B: Okay, all right, there you go, friend, just we haven't posted it. Okay, no.

C: So we've had a couple of people send in apologies because they're either in Dublin or on vacation, but if people would go into the notes and update it, that would be great.

C: Okay, and then, all right, should we start? Do we have any offers of a scribe this morning?

C: If you wouldn't mind, that'd be great, David. Anyone else, or we just all chime in as we can?

I'll. This is Isaac, I'll contribute with David too.

C: Appreciate it. Thank you very much indeed. All right, and if you've got any new friends who want to say hello.

G: Yeah, I'll go. This is Jay White from Microsoft.

G: Also, you know, heavily, or becoming more heavily, active in the OpenSSF, as is my charge of what I do with Microsoft. I'm here because I am also an evangelist of the consumption of open source and trying to bridge the gap between a lot of the direction that's being given through the very smart people in open source, and then how it's being produced, the production side, but then how is it being consumed?

G: How that translates and what kind of guidance is being given towards the consumption of that direction? I'm going to say a lot of the words here towards how open source is ingested and consumed by the consumers. So this work group is especially exciting for me because, as I came from a side where you consume it, I get to see both ends now and how relevant it is for this kind of voice to be had in the OpenSSF.

G: So I'm excited about it here today and here for it.

C: Thanks Jay, much appreciated. Anyone else want to give an introduction?

H: I'll go, I'll say hello, Jonathan, to the rest of the team. I think I was probably out of the office and on holiday, vacation, depending on your language, when you kicked off, so obviously excited to join this, and I know Alan. Morgan Stanley, and I'm responsible for a lot of application security and various other bits and pieces at Morgan Stanley, and therefore very interested in the consumer side of the open source stuff for all the reasons just went through, and how do we actually practically turn all this advice from all the other work streams into something we can actually consume and do and make a difference from.

I: Go for it. Yeah, sorry, I'm new here. My name is Adrian Diglio, I'm also from Microsoft, joining here with Jay, and I'll be talking about the Open Source Secure Supply Chain Framework. In Microsoft I lead our secure software supply chain team, so pleasure to be here. Thanks.

C: Excellent, welcome.

C: Excellent, excellent. Thank you very much, always welcome, and it's good to finally, a minute, to this one too. That's good. All right, great! So actually, if I may, just before we move up to the first item in general, I do want to give a little bit of an update to people about reaching out to additional members. So, as Andrew sort of highlighted, we are reaching out to additional members to highlight. We are starting now, and we've reached out to Andrew.

C: You suggested a couple of people in the automated sector. I just come from the OSSF Dublin meeting and met a lot of people at Dublin and reached out to a number of the different LF working groups as well, so we've got healthcare, automotive and energy, all of them doing communications and looking at bringing in additional members or reaching out to their members, as well as FS-ISAC, so yeah, I think there's a lot of communication going on at the moment.

C: Quite a lot of people still stuck at, not stuck at, enjoying Dublin and trying to get on planes, or enjoying the rest of the conference there. So, you know, I think there's a lot underway, so I think I'll continue, and please help. So without further ado, then, by popular demand, if I can hand over to yourself, Jay, and perhaps Adrian, to give a bit of an insight, or deeper insight, into the SSC. It's the first time.

G: We are extremely excited, and especially presenting this framework into this working group because of the nature of the framework. So Adrian and his team over, when he has developed an open source software secure supply chain framework, specifically for the consumption of open source software, and developed this with the intention of bringing it into the open, the intention of bringing it to the OpenSSF itself, and with the intention of it becoming a standard. Now, aspirationally for me, I would like to see something like this paired with SLSA, or any other production-focused framework, and then, aspirationally, seeing something that resembles an ISO -1 and -2.

G: Now, that's for me. That's for me, because I feel like, and John and I spoke about this before, but I feel like, you know, you're on the spectrum of what is supply chain security. We tend to focus a bit more on one end, not enough on the other, and then when we do focus on the other, we focus on the other kind of being a little bit angry about the focus on the other end.

G: So if we can build something that does end to end, works into the middle, we fill those individual gaps. We have something so robust in supply chain security that just increases the excitement, increases what we're able to do as an industry, and so we're here today to present this framework that we hope fills a lot of those gaps, and I'll say it loosely. You know, I've been in all the SLSA meetings.

G: I've been, I'm an active contributor in those meetings, and the one place that seems to get lost is when we try to expand the scope, and expand the scope for not being able to meet a lot of the questions that are being asked. We'll just expand it. I don't expand the scope, keep the scope where we're at exactly. This is a great scope. We can bring in something like this that does fill those gaps, right, so there's no scope creep, right.

G: That being said, exciting framework focused on, now you're talking about the ingestion of open source software. Adrian just posted the GitHub repo there. We already have brought it in. We have a GitHub repo for it. We brought it into the open. We have community meetings. We have technical means; we'll talk about that later on as well.

G: It's in markdown, it's in PDF. You can pull it up. You can look at it, you can print it out. You can scribble on it. Do all kinds of things; you can send your suggestions in. This is done in earnest and in the open, and we're bringing it ahead to this working group because it's a fantastic working group to bring it to, and to pick it up and run with it.

G: Like I said, our desire is to bring this into the OpenSSF and to have the community improve upon it, and then have the bridge being built with something like SLSA, that train's already moving, have that bridge being built so that we can forge ahead into the future and create some pretty magical and secure supply chain. So without further ado, I'll hand it over to Adrian to get into the nitty-gritty of the framework and to further discuss how we got here.
I: Thanks Jay. I'm also really excited to be here today. So thank you for your time and attention. I'll briefly give an overview of the framework, and feel free to raise your hand and stop me or whatever. The way that the framework's organized, it starts pretty high level, and then it gets a little bit more and more focused as it goes down. So we start with a high level set of solution-agnostic practices.

I: These practices can be applied to many different scenarios, because there are nuances with different ecosystems, for example, you know, language packages versus containers. And then we get into, oh, in the high level set of practices, there's eight of them, you know: ingest it, scan it, inventory it, update it, audit it, enforce it, rebuild it and fix it, and we explain what all of those things are. Then we go to the next level down where we create, here's...

I: ...the list of requirements that map to each of those practices, and these requirements were designed based on real world threats that we've seen, where attackers have been attacking open source, and so we also have a table of real world threats with links to articles that explain what happened, and then we map those real world threats to our requirements to basically show how our framework helps you mitigate against these real world threats.

I: We then organize that list of requirements across a maturity model. A maturity model is always helpful because it helps organizations prioritize some requirements over another, but we've also ascribed themes to each level. Level one, I would say, has been the general guidance that we've had for years with open source, which has simply been inventory it, scan it for known vulnerabilities and update it.

I: Level two is helping organizations patch faster so that you can operate faster than the attacker can. The Sonatype 2021 State of the Supply Chain report gave an example use case of the SaltStack incident, where they confidentially fixed a vulnerability. They did everything right, and then they published the vulnerability in the open along with a patch, and as you can imagine, there's many organizations out there that take a while to deploy their patches. Well, upon disclosure of this vulnerability,

I: it only took attackers three days to craft an exploit and then find, you know, running applications in production that were using this, and were able to start exploiting at scale, and there were multiple compromises. This is why we are recommending requirements for adopting technologies such as auto-patching, where it submits you a PR to auto update, and then you as a developer, you just have to evaluate if you want to accept that PR, and putting vulnerabilities in comments at pull request time.

I: These are all mechanisms that have shown, at least inside Microsoft and probably elsewhere as well, that you're able to patch faster, because that goal of acting faster than the adversary is how we stay ahead.

I: The third level has a theme of protecting you from consuming compromised OSS, so it, you know, gets into the concept of malware scanning, protecting yourself from dependency confusion, blocking packages, and even doing proactive security analysis on the open source that you depend on the most, and that way you yourself might be able to find those zero day vulnerabilities, and then you yourself can then go report it up to the upstream maintainer. Level four is mostly aspirational in nature.

I: It is not meant to be done at scale for all open source. I think it's meant to be more targeted than that. If you have open source you deem critical, or perhaps you have a critical application and you want additional assurances, level four is all about mitigating against the most sophisticated type of threats, which are, you know, the SolarWinds type threats, where they have a presence on the build machine and they're silently contributing backdoors or malware to a build.

I: So we have, you know, requirements and guidance in there about, hey, if you were previously cloning a copy of the repo, you should be able to be rebuilding it on trusted infrastructure.

I: We also have a process for you to assess your organization's maturity against the four levels, so we provide a questionnaire that anybody can take and use to go interview developers across different developer teams to try to get answers and figure out where they are. And then lastly, we've also mapped our requirements to six other secure supply chain requirements so that there's that traceability there. Okay, and the repo has the guide in markdown and in PDF.

I: Is there a link to the questionnaire? It's hidden inside the guide. So let me find the...

C: I don't think that went in actually. Okay, here we go. If I may just ask a question: you mentioned that you prioritize the different requirements there. How did you prioritize them? Is there a specific sort of rubric used, SME, you decided that was the best one to go for, sort of impact, or is there any sort of methodology used there?

I: Yeah, so I don't think I came at this very scientifically, other than organizations today, I would say most if not all, have tools in place to analyze the vulnerabilities of their components, so I wanted them in terms of thinking about maturity.

I: Exploiting vulnerabilities is still one of those practices that it's fundamentals and organizations can do better, and so I thought it best that for level two teams focus on remediating themselves with quicker speed, using today's technologies that help you shift left. So that's...

I: It was kind of like building on the systems that I expect most teams and organizations to already be using, and that's why I went with that for level two, and then level three, you know, protecting yourself from consuming compromised open source, is largely new ground that I don't think a whole lot of teams and organizations have done before, and so I felt that, when you think about it in levels of maturity, I felt like that was the natural progression.
F: The document itself says Microsoft OSS SSC framework all over it, so is the intention here to kind of bring this document to the OpenSSF and have it go into the incubation process? Is the intention to bring it to the incubation process within this working group? I'm just trying to think about it from a process standpoint. If so, is this something that you're looking for further contributions on?

F: Are you trying to create a common language, you know, between different members of the OpenSSF, and do you see this document becoming a kind of part of that effort to create this common language and common way of describing things? Is that kind of the intention here, and what...

F: What's the trajectory of this document, I guess, and this standard, and you mentioned ISO, like, what's the intention there? In order to get something into ISO, somebody needs to submit it to ISO, and certain things have ISO submitter status, like who does that? Where do you see the work going in order for it to become ready to be submitted to ISO, and who submits it to ISO, and all that kind of stuff?

G: No, your questions are great, and so David popped into chat, and actually, David, what I was getting ready to say is, so I'll address all of your questions, and then, as far as the ISO part is concerned, I'll point to David Wheeler on that, because that is the nature of, so I can answer your question and then talk, and then David can talk about the ISO part. That's the nature of what we're doing. So, yes, right now, developed in Microsoft.

G: Hopefully, we've pitched to the Best Practices working group, we've pitched to the Supply Chain Integrity working group, and we're here with the End Users working group. All three working groups are excited about this. The most excitement we've had has been here, especially with John, because of the nature of this working group. If this working group votes and says we want to bring it into this working group, outstanding. The objective here is to bring this into the OpenSSF.

G: The objective here is to bring it into one of these working groups, whichever working group would be best suited for it. The objective is to get all three of these working groups to put their hands on it, put their hands into it, more than just contributing to it. We want this to go into incubation. We want this to be further developed.

G: We want this to be done in the open. If it ends up with a different name, as I said before, the end state for me aspirationally is ISOs, whatever ISO number is given to us, my ISO -1, ISO -2, consumer focus, producer focus, a well-rounded secure supply chain framework that's consumable by everyone in the industry. That is the apex for me, but right now, in the short term, get it into the OpenSSF.

G: Let's improve upon it like we're improving upon SLSA today. Just like we're doing with SLSA, we do this with this framework, understanding that both need vast improvements, both need gaps to be filled, because both actually complement one another, right. They could be done in parallel. Bridges can be built between the two. This framework can have a line in it which says: this security requirement is out of scope of this framework.

G: To address this, please consult the producer-focused framework, which is SLSA, and SLSA can do the same for this framework, right. Who knows, as it develops over time and as we get closer and closer to publishing, or to requesting for publishing, that stuff with ISO, and David will talk about that in a second. The names will probably change, the format will probably change, but guess what, the hard work that we've done collectively together here in the OpenSSF steps towards getting it to that state.
B: So I worked with the Linux Foundation. The quick, somewhat glossing over details version is Linux Foundation's actually already a PAS submitter for ISO. We've actually done this several times. OpenChain and SPDX in particular I know have already gone through this process.

B: So we've done it. If you're really into this stuff, I copied and pasted into the notes here. Technically, what it is, is there's something called the Joint Development Foundation, the JDF. It's part of the Linux Foundation, what they call the Linux Foundation family, and it is already an ISO/IEC JTC 1 Publicly Available Specification submitter, sorry for all the words.

B: Yes, okay, okay, so the short answer is, wait, I mean somebody has to decide that it's worth doing, but, and I'll note that we've actually, Jay and I have tried it before, they've already switched over to the Community License, that's, well, recommended, required by the OpenSSF charter for things which might go on to become formal specifications, because, how should I put this, I have opinions about the ways that certain organizations who are often referred to as patent trolls deal with the world.

B: It's an unfortunate fact of life that there's some folks who make life harder for everybody else. So we've got some, that Community Specification stuff is part of the process to try to keep out the trolls, think everything, but we are prepared to deal with some things and counter some problems ahead of time.
D: Couldn't come up with something for tngo, unfortunately, but the other thing that occurred to me, as I guess a comment, looking again at today, and it sort of struck me during your description, Adrian, but there's kind of a demarcation point between levels two and three. Levels one and two get you to the point where you're prepared to deal with the consequences of vulnerabilities accidentally being introduced upstream, and levels...

D: three and four are where you're dealing with attackers who consciously look for ways into your upstream, rather than exploiting something that was put there accidentally. And I don't know if that's something you would call out, or whether you'd be like phase one and two, or just because otherwise, like, sometimes people blow those things together in their head when they talk about supply chain.

I: Yeah, that's interesting. We internally here, we've had lots of discussions about this, and we've kind of come, at least where my perspective is at, is vulnerabilities are an entirely different class of what we're talking about than, like, malicious or compromised components, and even compromised components isn't entirely true, because if it's just typosquatting, all they did is just change the name of the package to look similar and help you type it wrong.

I: So, you know, malicious is kind of a more appropriate term, and inside Microsoft we've been scaling out our defenses to be able to malware scan these things, typosquat check these things prior to developer consumption, so that these don't even enter the chain, because the second they're installed it's too late, they've already exfiltrated your credentials or tokens or whatever it might be, and that's why it's designed around blocking ingestion of these bad types.
C: Andrew, do you want to chime in?

E: Yeah, thanks.

E: So I want to go through and look for that, and then the other, I'd like to understand a little bit more about the tooling, because you start off the presentation by saying it's solution agnostic. But the specification does say that it is a combination of paid and free tooling from Microsoft and other providers.

I: Yeah, apologies for the confusion there. So when you read the eight practices and the description of the eight practices, there's no mention of tooling. It's really just process-based thought. As we get deeper and deeper down, you know, because it starts at, it's like a funnel and gets more and more specific.

I: We have our requirements, and then we have an implementation guide, is what we called it in the document, and the implementation guide shows the requirements across the four different levels and has the free or paid tools that help you meet those. That was our first stab at making a list of tools. It is not a comprehensive list of tools that exist out there.

I: Today I've already discovered more and more tools that I can add to the list, and I'm thinking about, you know, how do we balance listing out the entire world of tools versus just mentioning a few that are kind of well known in that area?

I: But we did make sure that we listed tools from across the industry. They're not just Microsoft things.

G: And I'll add to that and say the idea behind us bringing it into the open, and behind us bringing it to the OpenSSF itself, into the working groups, is to develop SIGs, and, as I said before, just like we're currently doing with SLSA, positioning, meaning specification, meaning tooling, meaning, right, all those are relevant.

G: Let's develop it specifically for this effort, right, and that could be across SLSA, that could be across the secure project framework, that, you know, all can be discussed, done, and it's more impactful once it's brought inside. That way, these things can be put down on paper, issues can be created, pull requests can be done, and these things can get solutions and ratified.

B: I think so, just, this is actually a response to the previous comment about, hey, what about the intentional vulnerabilities being inserted? And the good news is that with this SSC you can actually track it through, so right from the front they list the threats. The second one they list is intentional vulnerability slash backdoors. They list the examples, PHP mitemin, and the mitigation, which in their case is SCA-5.

B: So the good news is that it's not hard to find out, hey, what are they trying to cover and how do they think they've covered it? Obviously, you know, I'm sure things can be beefed up and tweaked, but it's not hard to track down, hey, are they at least trying to cover that case? So I would suggest, walk you through that table. Thanks.
A: Well, hey there team, so for our Microsofty friends, for the love of dog: please don't create yet another list of these tools.

A: After a certain point, and we're across all of the organizations, we are going to start to contribute to one project rather than reinventing the wheel, and right now one of the leaders in that space, the one that's making the most progress, is the SPDX landscape. While it is around SPDX, it also encompasses other, like SCA-type tools, so I would encourage you to instead find other projects and then refer to them in the documentation.

C: Can I sort of add to the conversation for a sec? So one of the things that interested me about the SSC was that the focus on the ingestion and sort of the left of build, and that's certainly an area I've been heavily focused on, was that, you know, when you look at the scope of SSC, where's the intent, I mean? Is it all-encompassing, except for, we have SLSA as well, or, you know, where does it end?

C: And this is the end user group, right, so yeah, it's lots of the boxes. From my perspective, I just wanted to see if it aligned to your intention, or do you see areas missing, do you see a gap, or how does it integrate with, you know, SSDF and SLSA?

I: So, like, producer-focused frameworks like SSDF and SLSA and others, they usually have at least one line item that says something about, you know, secure consumption of your dependencies, but this one is hyper-focused in that regard.

I: I feel like I can't answer your question without telling a story. This is quite frankly how Microsoft got started on our secure supply chain journey. Securing the software supply chain is so broad that we knew we'd be boiling the ocean. So we picked one category and we said, let's nail it here first, so this is how we've been securing ourselves since 2019.

I: And so it's worked out rather well, I want to say, just...
E: So quick comment here: one of the things I noticed about this, and I like a lot of what's here, is I'm guessing the origination is more on compliance rather than supply chain security, because I don't see much about third parties, and maybe I haven't gone through the document line for line and I'm missing that. So securing your software supply chain really is also about third parties and SBOMs and so on, and I see, from a maturity model perspective and some of the questions,

E: it's really about internal compliance and managing the components that you ingest throughout your dev process, rather than incorporating and managing third-party solutions that may include open source. Am I just not getting into the details enough?

I: So compliance for security is a very interesting topic, because our guidance is rooted in threats. Like, we looked at what are the threats first, and then from those threats we derived, well, how do we mitigate against that type of threat, and that formed the basis of our requirements.

E: What about third parties, right? One of the most interesting presentations I've seen recently was at the OpenSSF Day in Austin, which I attended, one by, I think it was New York-Presbyterian Hospital, and they said that they have 1800 different device manufacturers that they need to manage and are trying to figure out how to do that using, you know, an SBOM-first type of approach. So again, for an end user consumer, managing third-party software is as important or even more so than managing their own.

I: Yeah, that's absolutely true! That is outside the scope of what we're trying to accomplish here. There's many questions that I've seen; I communicate with a lot of customers that ask about, like, how do you evaluate your suppliers?

I: You know, we're building brand new systems in place today with how we bring in drivers and firmware and things like that, that get ingested into our other tools, that are way different than just consuming open source from a public registry, so I feel like we should have a conversation offline about that, because I feel like it's a separate topic than what this is. Its purpose is.

G: Yeah, I also want to make sure we do put the line in between compliance versus security. As far as the framework is concerned, starting the conversation talking about, you know, having maturity levels, that doesn't necessarily lend itself towards a compliance requirement where you're receiving some type of certification, or completing some type of attestation.

G: You know, SLSA deals more on the end of that compliance, when you're receiving the attestations. Not saying that this framework couldn't evolve into that, but that's not the true nature of what this framework, how this framework has been built here, so I do want to make sure that those lines are drawn. But Andrew, you know, your points and your questions are extremely valid. As Adrian said, you might want to take...

G: Those would be great questions to have once we are discussing the specification itself and kind of level setting on where things are and how things can be improved, versus what the nature of the specification is as it stands currently in scope at this very moment.
C: So Jay and Adrian, we are coming up on time a little bit there, we've got other items, but one thing I'd like to sort of add, just from our experience, is that, you know, as you're looking at open source software, particularly around ingestion, you're looking at certain controls you need to implement for the project, things like the OSS Scorecard, and you're looking at things you need to look at for the product or the actual open source library, and it's kind of the same approach for third-party software as well.

C: Instead of the project, you'd look at the vendor, and instead of, you know, the open source library, it would be a vendor product. So maybe it's something to extend or to look at to add on, but, you know, it's a very similar approach, although clearly very different implementation, but more conversations to come, I'm sure. But thank you very much for presenting here today. It's been really easy. Thank you.

Thank you, our pleasure.

C: Right. So moving on, and looking at the agenda, we've got next.

C: One I got up is update from the CSA Cloud SBOM working group.

C: Now, I feel it's somewhat slightly disingenuous for me to add this, but I've done it anyway, and I wasn't able to attend the actual working group itself, but I did have a fairly detailed conversation with Alan and some email exchanges, and one of the areas that has been raised within this group is the topic of SaaS BOMs and getting SaaS providers to provide SBOMs, and, by the way, a sort of a general update.

C: The group is looking to move away from that as an approach and look at perhaps getting VEX data and other metrics from the SaaS providers, rather than the full suite of SBOM data. I don't think any decisions have been made as yet, they're still working through things, but I thought that was an interesting one to bring to the team.

C: From my conversations with them, that's the one I've seen from the cloud group. Vicky, you did highlight that there are many and they all blend into one to a certain extent. But the next item on the agenda is, sorry, the one below that is any other working groups, etc., otherwise, that we want to apprise the members of. I think, you know, we're all in lots of them at this point. Anything of note?
A
Oh, not the extended one this afternoon; I don't have an invite for that, but I do want to mention briefly, it might be relevant here and I think that this group should participate in it, that the best practices working group at some point in the not too distant future will be taking on a glossary of all things software supply chain security, and pulling in, rather than reinventing the wheel again, using, for instance, tried and true definitions, and kind of trying to standardize across all of OpenSSF how we are using this terminology and, more importantly, giving people a resource where, if they don't know what the term is, they can at least go find it somewhere, right. And so that's something that's going to be happening before too long, and I think it would be really great for folks here to participate in that. I will, if I get the chance, let you all know when that kicks off. If not, I think there are several others here that participate over there, like Mr. Jacques; I may have seen you there, but I see you everywhere, so yeah, that could be really great for us.
D
Yes, slightly out of the way, but one thing I'm working on at the moment in Securing Software Repos is the idea of a shared help desk facility for those organizations where it's a volunteer-led thing, mostly, so we can scale up MFA rollouts, because the limiting factor is the amount of support burden that comes from people losing their mobile phones or their hardware tokens.
D
One thing that would be very helpful, and has been so far impossible to obtain from anybody because it's sensitive data, is what is the cost of a person who works support, in order to make a proposal to the governing board by the TAC. I need to be able to come up with a vaguely realistic figure. Anyone who feels comfortable sharing that confidentially, I would be all ears.
D
This is separate from the SWAT team, so this is specifically for software repos, where there's, you know, an ongoing amount of support that needs to be performed.
D
One thing that is not very large but will grow is device, you know, basically MFA account resets, and that's a very sensitive topic, because if we don't do it right, if we don't protect against social engineering, we turn two factors into one and a half factors.
A
I'm in both the Education and the CERT SIG, so those two SIGs that CRob is running under vulnerability disclosure and best practices. Both of them are revamping their whole mobilization plan, the meta plan; they're fixing that, right, and coming up with budgets and time frames and things like that, and we've landed on 300K. We're just going to use that; that's our number for a person, whatever that is. Is it wrong? Heck, yes, it's wrong, but...
A
At least realistic, including things like, you know, healthcare and various things like that; it kind of takes in that whole thing. So just, that's a piece of data for you; that's the number we're using.
A
It doesn't matter; they're paying for value, not for location.
D
There is no job description at the moment. No, this is the first phase of working out the details, but that's a good point. I'll have to think about that.
H
I was trying to get some clarity, I think I just got it, on what the purpose was for the costs piece, but yeah, very much to the point. I think where Andrew was going, the costs are variable, hugely depending on where in the world you wish to resource said, but one of the other things that we found when we were looking at similar sort of data and costs per things is a lot of our help.
H
So that's probably not going to help you very much either, but yeah, I'd happily share something offline, but I mean, for onshore, 300,000 is a reasonable number; I think that's a reasonable number that we use internally when we're just doing this, because it's good enough. If you're going to be somewhere else in the world, you can.
C
Okay, right, next on the agenda is the goals document. So rather than reviewing it at the meeting right now, what I'd ask is that people take a look at the goals document. We've got a number of comments in there at the moment; there has been a bit of progress there; there's some particular elements of progress within that are highlighted in yellow; people can take a look at that. What I might suggest is, if people are interested,
C
I think it'd be useful to do an off-cycle meeting of interested parties just to review that and then come back to the group at the next session to present results and updates.
C
If anyone is interested in collaborating on that, please reach out in Slack or stick your hands up. Okay, makes sense, great! Well, you know, we've also already done the additional members, so that's fine, I think. So I think it's down to Andrew, your working group slides, yeah.
E
So we've only got five minutes; I don't want to try and go through it. I can do it the next session. So anyway, I've been working on a presentation that we all can use and share with other people, other organizations we're trying to bring into the working group, and again I took the OpenSSF town hall meeting presentation as a framework; I hacked it up a bit, added more, obviously, working group content, sent it to Jennifer for some review. She just got it back to me
E
last night; she's been a little busy, obviously, with the Dublin meeting, so she added some things I had some questions on, so I'm going to go do another rev on it and I will share it before our next meeting for everyone to take a look at, and I'd like to request, you know, 15 minutes, 20 minutes on the next working group agenda.
C
Sounds good, sounds very good. All right, I think we've gone through the agenda; any other business? One item I think it would be reasonable to suggest is, you know, follow-ups to SSC, if people want to perhaps discuss that on Slack, next steps or interest in joining up; I think that'd be useful, but any other business?
F
Question, just to expand on the question that I was asking earlier: do you see, so from a group chair perspective, right, like this is a new group, but as I read the recently merged process update for the OpenSSF in general, there's a kind of steps-towards-incubation thing, and one of the steps towards incubation is acceptance into a working group, and another is like, then it goes to the TAC for a certain level of approval, and then it becomes a formal incubation.
C
So from my perspective, I personally am, but I'd like to get other people's interest and views from the working group, right, to make sure it's a consolidated effort.
F
I guess I'm just, in general, I'm personally, you know, cautiously positive on it, but also I want to see more things move from ad hoc status, in which they have been kind of stewing, or it looks to me like that has been happening for a while, into more of an official incubation process.
F
I guess I'm coming off as rather a process nerd, but I guess I'm just trying to understand really kind of what things are happening, and this seems like a very important potential one. But yeah, I'd really like to see some stuff move through this incubation process so that we have kind of visibility and transparency of all the stuff that's happening across OpenSSF.
D
I'm surprised to learn that in this industry we attract people who are interested in manipulating rules and symbols, but more generally, very quickly: there was a discussion about this in the Supply Chain Integrity group yesterday. Abhishek made the argument that it belongs there, because then it will be a stablemate with SLSA, and that helps them to ensure that they don't, like, step on each other's toes or have overlapping scopes. Then it stays nice and tidy and neat and there's some coordination.
D
I like that argument. I see the case for End User as well, but I feel like the case for Supply Chain Integrity is stronger, so that's where I would be pushing for it to go.
B
Quick comment: procedurally, you know, we like all things in OpenSSF to have a home within a working group so that somebody's watching the store, as it were, and the TAC can't watch everything. So, you know, a working group needs to say: hey... I will say that I think, in general, I've heard this SSC presentation several times; I think, in general, people have had some specific nits, but overall I've heard a lot, nothing but positive comments overall. So a working group needs to decide: yes, we'll accept it.
B
The argument for why the Supply Chain Integrity working group would be a reasonable one was just discussed, and then it needs to go to the TAC.
B
One of the reasons to bring it to the TAC is so that they can figure out things like, oh wait, it could go in these three different working groups; where does it make more sense, and just try to help, you know, help deconflict, so we're not trying to do things three times. Yeah, and but I do actually agree very much with Jay White's original comment that, regardless of whatever the home is for the work, and I think that's quite likely, extremely likely,
B
other folks from other working groups should absolutely be involved, because, I mean, like many of our projects, it's not easily cut into one and only one place. Yeah.
C
And I think the reality from the End User working group is, as we've set ourselves up, right, one of our initial statements was that we'd actually be in multiple different working groups, and that's why part of it is often, you know, how we're getting on interfacing with the other working groups. The bit we're putting it in the End User working group, from just reading through the SSC,
C
is it's more end user or consumer aligned, to make sure that as you're ingesting software, it's very much you're protecting an enterprise before you're bringing that software in. But either one, I think it can be in all three, or sorry, one of them, but I think we're going to be involved in it anyway, because, you know, I think from an End User working group, we need to be in multiple working groups; that's kind of part of our charter.
B
So yeah, to answer Dan's question, process-wise, I think we want each of these different working groups to decide if they want to accept it and bring it forward to the TAC. If more than one working group says yay, which is entirely plausible, then the TAC will have to say... and if one working group says, hey, we'd like to take it on, but there's a reason for this other working group, I mean, that's great too, but we just need to.
C
That makes sense to me, yeah, absolutely. All right, so thank you very much for joining; I think it's good to see a number of additional members, and I think there's quite a few who will be joining after they leave Dublin. So thanks very much indeed for everyone's time. Thanks, bye, everyone. Thank you. Bye.