From YouTube: OpenSSF Identifying Security Threats WG (June 8, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1AfI0S6VjBCO0ZkULCYZGHuzzW8TPqO3zYxRjzmKvUB4/edit
A: Awesome, welcome everybody to the June, gosh, June 8th Identifying Security Work Groups meeting, sorry, Identifying Security Threats Working Group meeting. I'm your host, so I don't have too many big topics for today. Really it's just project updates, any other business. I think last time we talked about a couple things, including changing the name of the working group, office hours, a little bit of update on Alpha-Omega, things like that, but it's a good time for open chat, if there's anything that you guys want to talk about, or if you guys would like some time back. This could also be a relatively short meeting. So do we have any new? No, no, no, yeah! If there's anybody who doesn't regularly attend and would like to introduce themselves, feel free.

B: Yes, I have opened a PR in the OpenSSF repo, because now it is directly in our organization. I have added you as a viewer just because it is a good practice, not for other reasons, and now I have the dependencies section, one for the SBOM.

B: There is not at the moment a clear standard for the SBOM file, or if there is, I missed it. I consider that probably the most popular is CycloneDX by OWASP, but I am not totally sure, but this SBOM value is quite generic. You can add... and yes, the SPDX, yes, exactly. Thank you, but the SBOM section is quite generic. You can add the URL to the file and also you can add the standard that you are following.

B: So if the scanner wants also to read this SBOM file, they can, and now I'm working on a Python command line to help the maintainer to create this file. I am using the Click package to create the command line, honestly, and in this way the command line can help the maintainer to create the Security Insights, and it can also check in real time if the value is correct or not, so you don't need to create one and then check.

B: The next step is to add this Python script to the repo. For that, probably I will ask for a good review, because I'm not so good as a Python developer, so I prefer to have a double or triple check. I was a bit slow in the last four weeks, honestly, for personal reasons, but now I have time to work on it. The main issue is how to handle the communication skill, for me and also in OpenSSF.

B: I mean that we have a lot of repos, a lot of projects. For example, there is not a good repo best practice for package managers that I didn't remember, I didn't remind, and it's not correlated to the Security Insights, but it is another topic that interests me. So after that, I have added the Python script to link the code and to create the file. Probably I need to understand how we need to proceed to communicate better in OpenSSF and with tea party, packaging and service.

B: When I move on GitHub, I see that a lot of repos have a lot of file configurations that I have never seen in my life. So probably something similar can help to group everything and collect data.

A: Terrific. Do you need help with, like, planning out how to better engage OpenSSF?

B: I need help, definitely, because I've seen that SBOM is a very popular topic at the moment, even if there is not a clear standard, and the Security Insights at the moment support engine. Expand, you add the link, you can add also multiple links, because I don't know if some big project can create different SBOMs just to have a more compliant approach to this security requirement. But yes, I need a good way to communicate with the different teams to be aligned on it.

A: Did you present this to the TAC already, or was it a different...?

B: Presented it to the CNCF.

A: Maybe let's do this: do you want to send out a, or post a message in the Slack channel saying: hey, we'd like to present this. I'm happy to go with you, support you, whatever way, but you know.

B: It is a good idea. Yes, if I remember right, I haven't presented this still to the TAC meeting. Perfect. Okay, it is a good action item.

A: Good, and then I think the outcome that I think we want out of that is getting the TAC to support all of the OpenSSF projects using it, as well as, like, should we have an external... should we have a blog? Should we, like, you know? How do we communicate this better, and what the ordering of that is? Maybe we do it for ourselves first, then the blog, and then, yes.

A: Cool, any other questions on Security Insights?

A: Wonderful. Metrics dashboard. Christine, I don't know if you have an update.
C: Yeah, I'll just kind of give you an update, since it's been probably about four weeks since our last update, and in the last couple of meetings there was the overall question. We were just basically following up with what happened from stream two from the White House and just trying to understand what was the meaning of that.

C: So there were some open questions around the stream two funding and then also how to collaborate best with the folks who were tasked with this, the new risk assessment dashboard, and also around there.

C: There was a selection that was around LFX, but we decided that, since there were some things that were still unknown around what the platform would look like, we were probably going to spend time focusing more on the content and perhaps also think a little bit more about, if there was a platform that was selected, what should be the criteria for what that platform should look like. So, kind of focusing more on the content.

C: So we were diving into things like who are the personas of the folks who would want to consume the content for this dashboard, and we identified a developer, a superior name, somebody, a researcher, OSPO, maintainer and potentially government, and then even within government we thought that there might obviously be different types of entities under government. And then the question even around the personas is: how would they want to consume this data? Would they want to consume it via an API?

C: So that was some of the conversations we had last week, and then we also talked about criticality data and talked about those open questions around how the data gets weighted, because I think even within a project like Scorecards there's been discussions around if the data is biased, and maybe some folks may want to actually just consume the data and do their own weighting around it. So there's some open questions that maybe folks in this call might know more about.

A: Right, there was a good discussion within the Securing Critical Projects Working Group specifically on criticality and how to measure it and what it really means, and the more we talked about it, the less it seemed that we were sure what the words meant or what we intended by the words. So I think that there's a lot of opportunity to bring clarity to...
A: I'm sure. So just to bring a little bit of clarity to stream two. So after the DC meeting, you know, OpenSSF now has a commitment of, you know, more funds. My understanding right now is that the intended way for those funds to be distributed is through the working groups and the projects to say: hey, we'd like to do X. We need Y dollars to do it now.

A: There's a pool which we can kind of pull from. By no means is that process ironed out, but it is almost certainly not going to be like, you know, Brian or Jim is not going to say: great, we formed the risk team, we've hired four people and they're driving this.

A: This project, it'll be organic from the bottom up, so I would certainly say connect with the other folks from stream two, but don't expect there to be a top-down proclamation of: this is the project that we will be doing. Okay, okay.

C: Yeah, I think one of the thoughts around it, and I'll kind of come to that, is potentially to get some of the folks from stream two basically to join into the discussion, and so there was also a thought about actually making this metrics dashboard a sub, almost like an official, and we didn't know how that would go, how to make it a sub-project of the security of this particular working group.

A: Yeah, I mean, I would consider it already kind of that, yeah, informally. Feel free to just drive it, invite whoever to whatever meetings you want to have on it. You know, I think it makes sense to have the actual nuts and bolts discussions be outside of this normal working group meeting, but that's kind of what you've been doing with Jay and Bernard. Okay.

A: Able to use. Perfect. Just send a note to Jory or Jen and just say: hey, could you add a recurring invite, tell them when, and they'll add it to the calendar. Actually, we can just do this right now, because I think I have updated access to this. Think about when you'd like to have the meeting, send me something on Slack and I'll take care of it. Okay.

C: Cool. Right now it's conflicting with another opening, so I think we probably have to shift the time. Okay, so that would be the action items there. And then we didn't know what other process, beyond just making it a calendar meeting, that we needed to go through. Yeah.

A: I guess probably the right thing is to, you know, open it up to anybody to participate and then, yeah, just drive it as a project.

C: Yeah, some of the other topics we talked about was vulnerability data. Currently there's a few vendors where that data is being surfaced from, and there was a question around should we create criteria around the vendor selection; for example, some of the vendors have a freemium model, and we'll think about...

C: Should it just be something that's always freely available? So anyway, from the last meeting, where we have action items is just to basically explore the different vulnerability data sources and also think about what other data we should be adding to the dashboard, and also the criteria for platform selection, that I bet based on what the community actually needs. So those are kind of the major points that we're thinking through. Awesome.

A: Thank you. Any other questions on that from anybody?

A: Wonderful. Moving on, office hours. So we talked about this last time. I put a request out to the Best Practices Working Group, got a couple of folks that said, hey, I'd like to participate, but I don't have time to drive. Asked on general, got, I think, the same thing. Wanted to open it up one more time here to see: is there anybody that would like to drive this effort? And what I mean by driving...

A: This effort is basically like logistics, setting up the meetings and making sure that there's enough coverage there, validating the design to see, like, is the open office hours idea, should we do that, or should we do kind of a sign-up-for-a-slot thing, and then get the word out on Twitter and, I guess, an OpenSSF blog, and then run it for six weeks, eight weeks, something like that, and then wrap up. Think about, you know, how it went. Should we continue it? Should we...

A: Is there something we should do to improve it, and then kind of have that end? So it's a relatively time-boxed thing. Wonderful, Marta! Thank you, of course, if there is someone.

A: Marta, the floor is yours. Thank you, appreciate it. We do have a bunch of other folks that volunteered to be part of it, so I'll send out an email, or I'll start a Slack conversation with you and everyone else that expressed interest, and that way you have everybody and we can go from there.

A: Cool, any other questions on office hours?
A: Wonderful. For Alpha-Omega, a quick update. We are continuing to go through hiring. We are feeling good about a couple of candidates we've been talking to; I'm hoping to land them very soon, but, you know, hiring is hard. We're also planning, so Michael Winser and I will be in Austin in two weeks for OpenSSF Day. So we're going to talk about Alpha-Omega then, so we're putting together a deck; we're hoping to have two more Alpha engagements announced.

A: I really think we'll get at least one of them landed; I'm like 50/50, 60 confident on the other one. For Omega, I mentioned last time that we published a bunch of kind of automated security reviews. So this was: we ran the toolchain against a bunch of projects; for the ones that the toolchain found nothing, we expressed that in terms of a review and sent that off to security reviews separately.

A: We started going through some of the findings where we did find legit issues, and so I have one report out to a... well, I have three reports that are ready to go; one I've already sent out, the other two are just pending my time. We're looking, so we know we don't have a super well-defined vulnerability management process on our end; we've been working with a couple folks to come up with something that works. So options are like the CERT VINCE project.

A: We could use that, we could use GitHub security advisories, we could use private GitHub repos, we could create something completely separate, we could just use email, we could track things in a shared spreadsheet; kind of everything's on the table. I don't think we need to optimize for, you know, thousands of vulnerability reports until we're actually generating thousands of vulnerability reports.

A: I also think that the long pole in the tent is going to be in the back and forth, or follow up, or "I didn't hear anything from you in two weeks, are we still gonna fix this?" and things like that.

A: One more topic for that: we've been speaking, so we've had a number of conversations with, I should say, security vendors and then the general, and these are starting to fall into a common theme. So the theme is a security vendor or security research firm or whatever has findings that they don't have a large enough team to action them all, but they would like to participate in Alpha-Omega to some extent, and what we're thinking about is number one.

A: What's a minimally triaged, validated findings from a third party, and just act as the final triager, and, you know, interface back with the maintainers directly. So a concrete example, well, not concrete, but an abstract example: Luigi finds a vulnerability, he sends it to Omega. Omega looks at it, says yep, this is a real vulnerability, we'll take it from here, and kind of sends it out.

A: The question is: does that meaningfully change the scope or the direction of Omega significantly enough where that's not actually what Omega was designed for? Because Omega was originally like: we find the vulnerabilities and we take care of fixing them. If somebody else finds the vulnerability, should we just pick up the second half of that? I don't have a super strong feeling on that. I feel like at the end of the day, it's...

A: Is the world better for us doing a thing? And if we're reasonably equipped to do that second half, why not? It wouldn't even be a bad thing to expand out Omega to act as, I don't say, just like a dartboard that people can throw vulnerabilities at and we'll take it from there. No?

E: If I understood what you're saying correctly, are you saying like an intermediary which will accept a vulnerability report and inform the upstream project and get it straight to fixed, and this, like a responsible disclosure, or, you know, coordinating the disclosure activities, is that what you are saying, or is it something completely different? I got it, completely different.

A: Basically, what I'm really thinking about is the entire chain from someone finds a vulnerability. Now that someone can be an independent security researcher, they could be a security tooling firm that runs their tool against lots and lots of stuff.

A: You know, through to, you know, lots of other options, and then either they action it or they don't action it, and if they action it, that's great, I don't really care, but if they don't action it, if that's because, you know, they're just great, they generated, you know, 150,000 potential vulnerabilities.

A: I think one of the challenges is that the vulnerabilities sit in a database somewhere, and so these are now... you could... I think what you're arguing is: well, why wouldn't they just pump that to Snyk or huntr.dev or another party? I don't know the answer to that. Maybe it's because it's below the confidence bar that those other platforms need.

A: Maybe it's because there are no write-ups, maybe for whatever reason, and maybe it's something that Omega can kind of be the grease, the pipe that connects those two sources together, or maybe those aren't, for a different reason, maybe those aren't the right platforms to do the disclosure and Omega would do it ourselves.
E: You know, all these tools, they are not a silver bullet for all the programming languages or the frameworks or the technology, right? So yeah, I think we need to capture that gap, in my opinion, and try to improve that area, right, like where exactly we have the gap and improvement. Yeah, I would like to hear others' opinion also on, you know... You're right, I think Luigi has his hand up, yeah.

B: No, yes, to be sure that I rightly understood, that we are trying to do a sort of triage procedure, process, to understand if there is a vulnerability that, I mean, it sometimes can be, especially from a scanner, can be...

B: And researchers send you a proof of concept. You need just to reproduce it and communicate with a human, but with a scanner you have just a kind of say: hey, there is a vulnerability, and if you are lucky, maybe this can give you a good proof of concept. Otherwise there is just a flag, and sometimes it is important, for example, for the log project it was important to identify all the developers in your project and fix them, but if you usually don't use them, because they're gonna be, it was too critical.

B: But when you are in a grey area, like high or medium vulnerabilities that can impact your project, but you don't know if the dependencies can be hacked using the exploit, that particular triage is expensive, and this means that people that do this usually need to know really well the project, quite well, so create the environment, replicate, and I think there is a value in this idea.

B: So, but my question is, can it scale? Do we have enough people, or how can we do it, because the risk is that maybe we just flag as not vulnerable and then the project is vulnerable, and this is another problem. Probably so, I don't know if we have a procedure to mitigate a false positive or false negative, one of the short terms, but so the idea is good.

A: Idea, all right. No, I think it's all good. I mean, I wonder if we would be in a better place as an industry if we just essentially connected the data sources of high quality vulnerability information directly into platforms like huntr.dev, in which case we just kind of made the introductions and said, do the thing, and then the platforms kind of went their way and, you know, did everything. I think the problem is going to be...

A: As you said, Luigi, when the vulnerability report is a one-liner that says you're using strcpy here, without enough context or PoC or anything to make it compelling for a user.

E: Yeah, I think that is one of the benefits of, I mean, huntr as an example. There are many other similar platforms. They are rewarding both the person who is reporting and fixing. I mean, I think in that case both parties will have interest to understand what is the problem and how they can fix it, right? Like, I think both of them will get rewarded, in my opinion, but, like, as you mentioned, I was also more worried about that. Oppression.

B: So this is the main reason why developers don't like so much to update packages, and so maybe we can define what is a real risk for a project and try to mitigate the high-level risk. In this way maybe we can scale better and, yes, this is just an idea.

B: There is the other topic that a lot of our personal projects have the dependencies for the product and the dependencies for the dev environment. If there is a critical vulnerability in the dev environment, is it a real vulnerability? Yes, in my opinion, but the point is whether the product is vulnerable or not because of it, and everything is in the same repo.

A: I think this is more Omega. I think the Alpha engagements, at least right now and probably through the end of this year, are going to look and feel like the Node engagement, where we have an agreement with an external organization that can manage the funds, you know, on a day-to-day basis themselves.

A: We essentially will write a check in order to achieve security benefits for that.

A: That organization... we did talk a bit about having Alpha be more of a team of, you know, security engineers, basically, that could go and be applied in different places. That's still possible, but at least right now we're gonna focus more on the other side of it.

A: So anything that comes through this, I think, would be more on the Omega side, and the reason, sorry, that's also because the organizations that we would be engaging with from an Alpha perspective will already have a response process; they'll already be...
D: Yeah, thanks. So first, love these conversations. What occurs to me, though, is I've been thinking about a lot and paying attention to and promoting what's happening at the Secure Software Factory work group. So to me, it's the "drink your own champagne" thing that I don't...

A: Yes, I was only vaguely aware that they were going in the... like, are they publishing, like, a...?

D: It's crazy, so I mean the README actually has this list of tools and a framework, and their integrations are really being tightly coupled; they're tightly coupling SPIFFE and SPIRE, they're tightly coupling a certificate authority, they're doing crazy stuff at a rapid pace, and they're going to be driven to credit representation very soon, according to the meeting they had this past week, and they want to create an example using npm of all things, which has a direct eye to Alpha-Omega. Right now.

D: But let's be real here. I mean, everything they're offering independently, I know most major companies are looking at Tekton and all these technologies that they're putting there. So this is the future. You know, you're looking backwards at projects in the past, but this is here, and this is what is actually creating the SLSA level three compliance evidence and documents and things like that, so it'd be great for us to assure that they're vetted and made. Yeah.

E: But that's a very good point. Like, yeah, I think that's the best practice to encourage for the open source project, but at the same time, I was with the original paper when we created the best practice paper and reference architecture one also, right? Like, so one of the big challenges, the focus in that area was, you know, that team wasn't going to focus too much on him fast or DAST or SC, those kind of areas. That is a bit more complicated.

D: I think other groups are talking about that, but the basis, the foundation, the framework, the workflow engine, the runtime engine and all the connective tissues to Sigstore and whatnot are all going to be highlighted in that. They're going to create an npm example, and that's what's going to be shown at every conference, so it'd be great to have a testimonial that this thing's... all these things here have indeed been run through some of our core evaluation, analytic tools.

D: Even my own company, 99 percent of the people, 98 of my products, 2000 products, don't use Tekton. We're trying to make it easy for them, and the more security features we add, the less foot-pounding, fist... you know, fist pounding, what, stomping they can do and resist moving towards something that's more secure.

A: Yeah, so sorry, I just want to make sure that I have a link to the right link. Is this first?

A: Yeah, okay.

E: We are in the process of, you know, the public meetings, sorry, the community meetings and everything, so yeah, cool, yeah. So going back to the SC... sorry, the first piece. What I was saying, Michael, I think, in my opinion, just my personal opinion, I think we should improve the automation areas wherever we can. I think it is important to find out the gaps of the tools we have, and I do believe that there is...

E: There won't be one SAST tool or one SCA tool or one tool, so the problems... but I think it's all about for us to understand, you know, what are the weaknesses of the tools we are using and what it is not good for, right? Like, okay, so yeah, I think that is important to cover. Otherwise we may give a full security to a project, you know, which may be a different language, different framework, different ecosystem. The tool is always saying you are good.

E: There is no issue, but the tool, you know, may not have proper support for that language or rules for the language, but there can be so many challenges. I think it is important to have good coverage from an automation perspective before going for any manual or semi-manual kind of activity, right? I think it's important to come back.

D: I totally agree. I think that's speaking to the opposite side, the implementation side, the other side of the coin, which we have discussions at the, whatever the Critical Projects one, or debate initially what's the most critical projects, and it always comes up, and people have different views, and the same thing with tooling. If your view is some tool or some view or something is more important based upon a language or something, then that view is valid. So, but it's the... I want to point out.

A: So I should clarify the best case scenario.
A: Technology, if the lake dries up, because we've done such a good job at pushing these vulnerabilities upstream that the maintainers find it themselves and we find we're out of a job, that is wonderful.

A: So until that future happens, though, I think Omega should be focused on making sure that the tools generate very high quality, so that we don't waste time triaging garbage, but knowing that we will always be in between; we'll always have a human in between the tool output and the maintainer. Like, we're never actually going to automate.

E: Yeah, so another opinion I have, like, yeah, again, there won't be a silver bullet tool which will be false positive free for all the programming languages, all the technology stacks, like even SAST or whatever tool it is, right? Like yes, the tool should be good, but there can be some tools which are subject matter experts in a particular stack, and that's why they may have good quality, but there are also different sets of tools in the abstract domain which are doing a consolidation and deduplication of the results from multiple tools.

E: So you don't give the raw result to the consumer. What you do is you feed all these different tool outputs to one tool which will consolidate, like, okay, this finding was reported by CodeQL, Semgrep, SonarQube. So this is a 99 percent guarantee that it is a true positive finding. So we don't need to do a review.

A: I understand the sentiment, and I think that, if the output of the... at some point in the future, I would love that to be the case, where we can, just fully through automation, whether it's aggregation and dedupe and all that stuff, get a report out to a maintainer. I think for right now the goal would still be like, all of that stuff would help us be more efficient in our triage.

A: Oh yeah, yeah, yep, okay. Write it up in a way that's consumable for a maintainer and send a report out, whether that's through huntr.dev or directly or VINCE or... doesn't really matter, but the value add that we provide is we make it easy for the maintainers to consume, to understand; they're not getting more results. It needs to be really high quality. I didn't...

E: Sorry I interrupted. I didn't mean consumer is the end maintainer; consumer can be this analyst itself, so yeah. Imagine if there is one person who has to triage thousands of findings, and, you know, having tools or automation like that will help to reduce their workload. And, you know, it's just automation, more information right here. Absolutely.

B: Yes, maybe one, if we can, it is interesting, on the topic about expired domains in the open source. It is quite common, and maybe we should continue this topic, maybe next meeting, but having a tool or CI that checks if the domain in the package manager is expired or something similar could be a good idea. It is not... sometimes there are false positives, I mean. Maybe the domain is not expired, though it's not so easy to understand.

B: If the domain is expired, apparently, and especially maybe the email associated to the package manager account is not the same as the domain, but at the same time, for a lot of reasons, a domain that is linked in a package or another web page also, if it is not used for the account, can be abused in a lot of ways, phishing or other. So I think it is a good idea having it for not just npm or PyPI, but also for others.

B: Maybe we should formalize a project also for this, and the other topic is related to how to prevent this, because the domain can expire for a lot of reasons.

B: So the npm strategy to force two-factor is probably correct. I don't know if we should suggest also to other package managers to force two-factor in every account.
D: To align, they're moving to standardize their metadata, they're moving to more secure package managers, and, as pointed out in one of the calls, one of the things: you could create all the tools you wanted, but just simply domain switching is not an indicator. Then one of the big breaches they brought up, someone pointed out, I think David Wheeler pointed out, if somebody got their email, email stolen, so basically they're impersonating the actual legitimate owner of the domain, and so you can't detect that. So I think it goes back...

D: The onus needs to be put onto the ecosystem and the package managers. I think at least the ones represented at that work group are serious about trying to close those loopholes, and then actually, some, I think even this year, some were promising they were going to put out, even perhaps with this partisan, more secure repo effort, they might actually have fixed domains that they own themselves, kind of like a bitly.

A: I also think that it might be hard or impossible for you to look... so when you look at package metadata from the outside, you see some things, you see like an email address and whatnot; that email address is not necessarily the email address associated with the login to the platform to do the thing. So we learned...

A: I think this is more anecdote than I'm sure of this, but if that's not the case, then you can complain all you want about, like, expired domains of, you know, users of email addresses associated with old versions of a package, but it doesn't matter, because possession of that login account doesn't grant you any access, and the only party that really knows for sure are the software repositories. So Matt, I agree completely. This should be driven through that working group.

D: That working group, I mean, in terms of all the work we do to secure a supply chain, the key source where people pick up open source libraries, you know, fixing the problem is the right approach. It's, you know, it's the building blocks. The building blocks need to be secure, you know, for us to build our house from.

E: Yeah, in my opinion, this issue is primarily related to lack of strong authentication mechanisms with the repositories itself, right? If the repositories were enforcing strong authentication for someone to login and publish and modify, even a domain takeover won't result in an account takeover activity. So technically they need to take over multiple factors, and it won't make it that easy. But I think this all goes back to, you know...

E: In some cases an attacker may take over the GitHub account or a source code repository account, and they may, you know, upload that, but yeah, the chain needs to be very secure; there should be strong authentication all the way from source to the repository, binary repository or package, for their publishing and from where they are getting it, right? So yeah.

D: Right, and that was part of the discussion that was had at that work group, and the problem is they have so many things on the table and so much ambition of what they want to do. You know, I just want to cheer them on. I don't want to get in their way, because they're all moving in the right direction, and it's probably the most organic group we have in OpenSSF, and I want it to be organic.

D: You know, the people are actually representing the repositories, leading the effort, and they have all the right things, ingredients, on the table. We just have to make sure that they keep those items on the table if they're going to create a new iteration of these things, you know, version two. If everyone's going to step up to version two or version three or whatever it is, it's got to be right: the metadata is gonna be right, the signing is gonna be right, the hashing is gonna be right.

A: Terrific, great conversation today. Any last topics from anybody?