►
From YouTube: OpenSSF Identifying Security Threats WG (August 4, 2021)
Description
Weekly meeting of the Identifying Security Threats working group. Our GitHub page is located at https://github.com/ossf/wg-identifying-security-threats and from there you can find meeting minutes and other information.
B
Well,
you
know
what
I
it
looked
like:
it
was
going
to
go
much
longer
and
they
said
time's
up
we're
good
we're
done
so
nice
yeah,
so
yeah
it
was
a
different
foundation.
It's
the
it's
the
what
it's
the
movie
industry
foot,
one
aswf!
So
they
you
know
the
the
guy
who's
leading
it
is
who's.
Doing
a
lot
of
the
who
who's
covering
a
lot
of
the
panel
was
from
industrial
light
and
magic
star
wars,
stuff
behind
him
that
exactly
exactly!
A
A
Talk
a
little
bit
about
hiring.
I
have
a
new
project
idea.
I
just
wanted
to
kind
of
throw
out
there
to
see
what
see
what
sticks
and
then,
obviously,
if
you
guys
have
any
other
anything
you'd
like
to
talk
about
edit
in
the
chat
this
can
be.
We
have
an
hour
for
discussion,
so
we
can
do
whatever
we
want
so.
First
off
for
security
reviews,
amir
any
news
or
anything
of
interest.
To
note.
C
A
B
A
D
C
C
Or
or
just
well,
I
thought
some
of
those
resources
that
you
uploaded
were
pretty
good.
I
thought
that
that
that
initiative
that
trey
waters
won
was
definitely
a
good
start
because
it
had
you
know
a
lot
of
the
kind
of
those
basic
building
blocks.
You
know
so
that
we're
not
recreating
the
wheel
here
and
we
can
build
on
something
you
know
to
if
we
wanted
to
include
you
know
more
meta,
more
yammer,
more
metadata
opportunities,
but
I
thought
at
least
as
a
starting
point.
C
I
thought
it
was
pretty
solid
and
then,
when
just
thinking
about
a
little
bit
about
how
we
would,
I
guess,
announce
this
or
advocate
for
it.
One
thought
that
came
to
mind
was
just
basically
doing
a
blog
post
saying
you
know
this
is
an
opinion
almost
like
an
opinion
piece
saying
that
you
know
security.md
is
a
good
practice.
This
is
what
we
think
should
happen.
This
is
some
resources
we
put
together
in
our
working
group
and
you
know
just
put
it
out
there.
I
don't
I'm
that's
just
a
thought.
C
C
Well,
yeah,
it's
just
a
tough
line
to
walk,
because
you
know
I
guess
we
have
there's
so
many
different
opinions
here
and
whatnot
so
and
things
for
things
to
be,
I
guess
formally
endorsed.
There
is
quite
a
long
process
to
it.
So
I
almost
wonder
if
an
opinion
piece
would
be
better.
Just
saying
you
know
hey
based
on
some
discussions
that
we've
been
having
and
looking
at.
What's
out
there.
C
You
know
we
think
having
a
security,
md
file
and
all
of
all
the
oss
repos
on
github
is
a
good
practice.
It
should
contain
this.
This
is
a
template
that
we
put
together
something
along
those
lines.
I
think
if
we
want
to
build
it
out
further,
maybe
into
something
more
formal
like
this
structured
security
md.
That
would
obviously
involve
probably
a
little
bit
more
of
a
coordinated
effort
before
we
really
put
something
out
there
as
an
opinion
piece.
So
again,
these
are
all
just
kind
of
thoughts
that
I'm
spitballing
out
there.
B
B
Or
email
list,
or
something
that's
the
most
important
second
most
important,
maybe
is
some
sort
of
you
know
it's
a
very
different
kind
of
use
is
the.
Why
do
I
think
this
is
secure?
You
know
security
information,
you
know
what
what
you
know,
what
I
I
would
call
it
an
insurance
case,
but
basically
it's
the.
Why
do
I
think
it's
secure
sure
it's
well
what's
called
an
assurance
case
and
supposed
to
yeah
there
you
go.
Why
do
I
think
it's
secure?
B
E
E
But
I
can
go
through
it,
I
mean
it's
all.
The
things
are
trying
to
address
the
executive
order.
So
most
most
most
people
in
cloud
native
space
and
again
we're
supposed
to
be
focused
on
on
on
open
and
cloud
is
our
future.
You
know
no
doubt
about
that.
There's
lots
of
automation
already
present
and
but
you
know
you
hit
the
nail
on
the
head:
it's
about
first
access
to
existing
information,
so
we
need
a
road
map.
E
So
clearly
there's
a
broad
picture
that
we
need
to
enable
and
connect
with
being
developed
in
our
sister
groups
and
sibling
groups
in
the
open
ssf.
We
should
do
that.
If
there
are
information
we
can
provide
definitively,
that
can
be
used
by
that
automation
to
do
lookups,
to
do
content
information
to
open
up
issues,
to
send
notifications
to
people.
You've
got
to
bat
you
sas
scanning
gas
scanning,
whatever
notify
these
people
contact,
these
people
produce
reports.
E
But
it's
you,
can
you
can
create
different
profiles?
You
say
here's
the
minimum
table
stakes
but
at
least
have
a
vision
for
how
it
could
be
used
and
submit
that
vision
to
people
and
let
them
decide.
You
know
that's
what
that's
what
you
do
and
we
should,
and
if
other
projects
are
you
know,
could
use
this
information.
Let's
add
that
and
and
show
how
it
connects
together,
connective
tissue.
A
Would
it
would
it
be
helpful
to
dive
deep
on
this?
I
mean
we
can
do
this
right
now
and
come
out
with
like
come
up
with
a
with
a
made-up
spec
yeah.
It
doesn't
matter
what
what
it
is
and
then
iterate
on
it,
because
I
I
agree
with
everybody
but
like
I.
I
think
it
would
just
be
useful
to
like
make
it
up
as
we
go
and
and
and
and
for
you
know,
for
the
next
45
minutes.
E
I
mean
that's
the
cloud
native
way,
you
know,
put,
you
know,
put
put
the
kitchen
sink
in
there,
put
it
out
there
and
for
review
and
comment
as
an
issue
in
github
and
that's
cloud
native.
I
mean
that's
it.
It's
iterative,
you
know
open
an
issue,
you
know,
create
and
create
your
mvp
create
your
mvp
and
let
it
you
know.
C
B
A
A
E
C
E
I
yeah,
I
think
it's
good
to
you,
know,
say
you
know,
I
think
in
my
mind,
they're
they're,
you
know
we're
going
to
be
providing
references
to
two
either
pros
human,
readable
things
or
things
that
reflect
artifacts.
That
can
be
used
in
automation,
they're
those
two
kinds,
but
that
will
work
itself
out
as
we.
E
E
E
E
E
So
you
know
there
might
be
a
case
where
people
probably
the
bombs
and
these
reference
their
bombs
or
some
if
they
use
xmls
like
that,
they
can
use
an
enter
document,
link
some
type
to
point
to
the
section
in
the
xml
document
of
the
bomb
and
say:
here's
where
you
contact
me.
You
know
those
type
of
things
right,
so
choosing
how
you
link
is
important
right.
D
B
A
Alternatively,
I
so
I
think
there
was
chat
last
time
with
time
before
about
being
able
to
kind
of
override
the
security.
So
security
scorecard
says
you're
not
using
sas,
but
you
are
so
you
you
make
mention
of
that
in
this
file
and
therefore
the
security
scorecard
picks
that
up
and
says
I
don't
know
how
it
would
know
to
trust
it.
But
let's
just
assume
a
truck,
because
I
guess
you
could
yeah
and
it
overrides
and
says.
B
A
E
If
it's
better,
I'm
glad
you're
showing
this
because
to
me
this
is
kind
of
like
you
know.
If
the
scorecard
is
our
way
to
assess-
and
these
are
the
criteria-
and
instead
of
you
know
this
to
me,
the
roadmap
is
to
disambiguate,
as
I
said
earlier,
so
anything
in
here
that
could
not
be
inferred
by
the
tooling
or
guessed
at
by
the
tooling,
I
believe,
should
be
in
a
security
md
or
like
file
to
help
the
tool
to
disambiguate.
So
the
granulator
you
have
here
is
is
fabulous.
You
know,
yeah.
E
E
A
E
E
How
do
we
prove
that
yeah,
my
so
here's
my
belief
system,
my
belief
system
is,
you
know
this
artifact
we're
creating
is
great,
because
we
can
we
can
dictate
what
goes
in
it
and
and
we
don't
have
to
mandate
it
or
require
it
necessarily,
but
it
can
be
used
for
our
for
our.
You
know
for
all
of
the
necessary
work
groups
you
know
to
to,
like
I
said,
the
connective
tissue,
but
over
time
I
believe
a
lot
of
information
might
be
duplicative
in
the
bill
of
materials.
E
So
it's
interesting.
I
think
the
build
materials
is
evolving.
If
you
look
at
cyclone
dx,
I
think,
and
if
you
look
at
what
you
get
from
private
scans
from
a
lot
of
companies
like
twisted
black
white
source,
they
have
a
lot
of
information
in
there.
They
just
keep
it
private.
So
I'm
just
trying
to
make
put
this
in
the
public
arena
and
give
them
a
public
place
to
put
the
same
information
now.
If
we
can
put
it
in
the
problem,
is
the
s-bam
formats
are,
are
not
lossless.
E
We
convert
between
them,
so
spdx
doesn't
have
a
lot
of
ways
to
express
a
lot
of
this.
A
lot
of
this
date
at
all
or
cyclone
ds.
May
so
you
know,
you
know
it's
great,
that
we're
creating
this
stop
gap,
but
so,
and
so
it
avoids
so
if
it
exists
in
a
bomb
reference
it
if
it
doesn't
put
it
in
our
artifact
absolutely,
and
I
think-
and
I
always
think
back
to
my
apache
project,
so
apache
has
processes.
So
I
can.
E
I
can
point
to
the
apache
process,
where
applicable
and
my
overriding
processes
that
build
on
top
of
that
in
my
project
at
project
level,
and
then,
if
I,
if
I'm
asked
to
do
even
further
to
go
into
my
build
processes
and
things
like
sauces
asking
for,
I
can
further
describe
those
things.
You
know
it's
a
tiered
system.
B
E
Yeah
I
mean
there's
been
quite
there's,
been
a
ask
that
I
reproduced
a
bit
of
s-bombs.
There's,
there's
two
views:
there's
the
views
of
the
s-bomb,
so
there's
the
my
my
bomb
perhaps
for
automation
for
and
then
there
might
be
the
public
version
of
it.
I
know
microsoft.
At
the
tac
last
week,
k
presented
some
things
with
these
the
I
forget
the
name
of
the
secure
coalition,
where
there's
a
blockchain
based
methodology,
and
she
was
talking
about
policies,
so
there's
actually
policies
about.
E
What's
expected
for
the
build
and
the
bomb,
and
things
like
that,
so
you
know,
I
think
that,
like
I
said
being
informed
by
the
salsa
work
being
formed
by
the
sig
store
work
and
making
sure
that
we
consider
those,
you
know
the
criteria
for
those
things,
absolutely
the
keys
that
are
used
in
sig
store
how
I
produce
those
keys.
What
which
do
I
use
oidc?
I
used
to
use
my
pr,
my
own
private
system
to
generate
ephemeral
keys.
E
A
I
mean,
I
think
so
as
a
way
to
and
not
not
to
tangent
us
too
much.
You
know
if
you
had
a
web
page
that
you
as
a
project
owner
could
go
to
and
use
like.
You
know,
cr
create
my
security
dot,
whatever
file
and
it
goes
and
it
does
the
scan
and
then
it
it
comes
in
and
it
templatizes
your
templated
thing
with
whatever
it
can
fill
in
filled
in
and
then
you
fill
in
what's
missing,
like
I'm
trying
to
think
about
how
to
make
this
easy
for
projects
to
adapt.
B
E
Is
key,
I
think
that's
why
you
break
down
by
profiles?
Here's
the
basic
profile
101,
but
I
think
we
can
produce
profiles
that
you
know
incrementally
add
features
like
scorecard
requirements
likes
things
that
are
in
this
group,
things
that
are
supplied
by
this
group
that
we
have
answers
for
you
know.
C
E
E
A
B
E
D
B
B
B
E
E
C
E
Yeah
yeah
cause,
I
mean
I'll,
go
back
like
I'm
very
proud
of
our
projects
that
we've
thought
of
these
things,
and
I
want
to
exhibit
them
in
this
document
to
my
customers.
So
when
they
compare
my
product
to
competing
products,
even
in
open
source,
they
know
I've
thought
of
these
things
and
I
have
a
place
to
to
show
them.
I've
had
that
a
thorough
thought
process
and
actionable
readable
human
readable
things
that
can
be
that
can
be
viewed.
A
C
E
E
B
E
E
D
E
There
was
a
debate
yesterday
in
the
technical
working
group
where
they're
well
anyways.
I
won't
go
there,
but
yeah
they
their
belief
system.
There
was
a
debate
about
creating
external
links,
but
all
their
for
for
relationships
and
they
there's
there's
a
staunch
group
of
legacy
people
there
saying
that
they
they're
all
xml
namespace
based
internal
links
to
the
document
where
we
wanted
to
use
full
external
external
references
with
full
uris
and
things
like
package
urls.
But
there
seem
to
be
a
lot.
You
know.
E
Well,
even
kate
stewart
returns
and
said
we
should
be
working
on
tv
tag,
value
format
because
it's
most
highly
used-
and
somebody
made
the
point
well,
it
won't
be
tomorrow
so
but
she's
like,
but
there
seems
to
be
a
belief
system
that
you
know
super
simple
tech
value.
Does
it
all?
But
you
know
I
don't
know
it
doesn't
provide
a
lot
of
the
facilities.
It
doesn't
provide
a
signing
mechanism,
that's
built
in
like
the
xml
or
json
it
doesn't
provide.
E
B
B
C
Along
with
iterating
on
the
fields,
above,
I'm
not
exactly
sure
how
to
put
this,
but
essentially
making
sure
that
there's
one
source
of
all
the
information,
so
people
won't
see
something
in
one
place,
see
it
in
another
and
then
another
and
another
where
it
kind
of
loses
some
of
its
value.
I
guess
so
where,
where
like,
if
something
is
in
the
security.md
file,
and
it
could
easily
be
found
in
the
s-bomb,
for
example,
you
know
just
making
sure
kind
of
everything
has
one
source
in
a
way
where
things
aren't.
E
A
A
B
But
but
I
think
the
answer
is
yes,
I
mean
I,
I
can
tell
you
that
from
so.
So
let
me
pull
up
the
ci
best
practices
badge,
because
I
I
lead
it.
So,
let's
imagine
for
a
moment
that
this
file
might
be
yanked
in
by
various
tools
like
the
ci
best
practices
badge.
What
the
ci
best
practices
badge
expects
is.
E
Yeah,
I
was
doing
a
quick
check
against
that
paradigm.
You
know
basically
it's
kind
of
like
there's
a
security
practice
and
I
have
a
reference
to
that
practice,
either
in
automation
or
in
pros
or
both,
and
then
I
have
evidence
for
it.
So
it's
always
appearing
it's
always
appearing.
You
know,
process.
B
E
E
Yeah,
this
is
the
corollary.
It
was
referencing
earlier
when
I
had
I've
completely
depicted
our
internal
ibm,
cicd
process
for
federal
clouds,
and
I
said
I
wanted
the
ability
to
for
the
customers
to
have
a
link
to
every
output
from
every
point
in
our
cicd
process.
Every
artifact,
every
piece
of
evidence,
so
total
agreements.
B
A
E
E
A
A
B
I
mean
I
I
I
could
do
a
short
something
I
I
think
my
model,
I'm
you
know
my
mental
model
may
be
different
than
yours,
where
and
some
others,
whereas
we've
been
calling
it
security
md,
but
I
think
this
is
something
different.
Now,
it's
not
really.
You
know
it's
not
necessarily
a
document.
If
it's
a
true
database
schema,
it's
basically
a
telling
me
the
information
security
information
about
this
project
in
a
way
that
other
tools
can
hopefully
snag
it
instead
of
trying
to
guesstimate
it
is
that
a
fairer
statement.
E
E
B
B
B
A
Beautiful,
I
will
send
out
a
meeting,
invite
I'll
do
it
to
everybody
on
the
call
today,
if
you're
not
interested,
feel
free
to
not
not
attend
but
okay.
That
way
that
that's
easy
and
it'll
be
for
tuesday,
the
10th
at
10
8
at
10
a.m.
Pacific,
awesome,
cool,
okay,
awesome,
okay,
moving
on
a
little
bit
so
metric
dashboard,
I
don't
have
any
updates.
I
did
see
a
couple.
I
saw
a
pr
from
you
dylan.
D
Yeah,
it's
just
a
simple
like
minimum
kind
of
which
we
call
tutorial.
I
didn't
really
know
what
was
like
what
we
were
looking
for.
So
I
just
kind
of
made
a
basic
breakdown
like
markdown
kind
of
tutorial
situation
and
then
made
some
progress
on
the
on
the
watchers
thing.
I
submitted
that
to
the
criticality
score
project
and
they're
going
to
integrate
it
there,
so
I'm
just
working
with
them
as
well.
A
Nice
job
awesome
on
hiring,
so
it's
so
it
sounds
like
we
are
kind
of
approved,
except
for,
like
the
final,
like
actual
pen
to
paper
approval
signature
thing
from
the
governing
board.
So
as
of
as
of
right
now,
I'm
gonna
start.
I
reached
out
to
two
firms
that
kind
of
do
this,
and
neither
of
them
were
interested
in
the
the
overhead
to
start
a
new
thing
or
like
a
half
a
resource.
A
So
I'm
gonna
keep
plugging
away
at
that
and
trying
to
find
somebody
interested
the
the
contract
will
be
for
between
now
and
at
at
worst,
the
end
of
the
calendar
year.
It
may
extend
beyond,
but
I
I
don't
know
like
how
long
I
have
to
actually
use
these
funds.
So
I
need
to
get
get
some
clarity
on
on
what
it
would
actually
be.
The
purpose
of
this
work
would,
though,
to
would
be,
to
you
know,
extend
improve
re.
A
You
know
actually
make
the
metric
dashboard
a
real
production
thing,
move
it
over
to
a
open,
ssf
owned,
azure
subscription
and
do
all
of
that
stuff.
So
so
this
some
of
it
is
just
clean
up
work
because
we
cut
a
lot
of
corners
to
to
get
it
out
and
other
parts
of
it
are
real,
real
new
stuff.
The
other
side
is,
you
know
we
do
have
extra
money
in
there
for
other
things.
A
So
if
we
want
to
hire
a
contractor
to
do
really
anything
related
to
our
working
group,
we
should
have
money
to
to
pay.
You
know
normal
rates
for
for
that
kind
of
work.
So
that's
good.
I
do
need
to
create
a
job
description,
though,
for
the
metric
dashboard.
I
have
a
list
of
tasks,
but
I
need
to
uplevel
that
a
little
bit
so
we
can.
A
Without
it,
without
them,
without
a
doubt,
yep,
so,
okay
cool.
So
the
last
thing
that
I
just
wanted
to
kind
of
touch
on
quick
was
an
idea
that
I've
been
mulling
around,
and
this
is
not
baked
like
many
of
my
ideas,
but
I
just
wanted
to
throw
this
out
there
to
see
what
sticks
and
just
get
thoughts.
So
internally
we
run
lots
of
tools
on
lots
of
open
source,
generating
lots
of
bugs.
A
A
So
what
I
was
thinking
was
particularly
for
security
researchers,
but
perhaps
there
are
other
other
groups
as
well.
What
if
we
basically
took
all
the
tools,
we
kind
of
collectively
have
run
it
on
all
of
the
open
source
we
can
find,
and
we
can
do
this
stuff
at
scale
to
to
infinity,
get
the
output
of
those
tools
someplace
that
the
security
researchers
can
dive
into
and
do
things
like,
you
know,
correlations
of
the
same
issue
between
different
types
of
projects
and
and
like
really
like
making
it
a
power
user
experience
for
bug.
B
A
B
E
E
So
so
I
guess,
I
guess
you
know
having
attending
the
security
tools
work
group
I
worry
about
you
know.
I
I
think
in
my
mind
there
has
to
be
a
critical
mass
of
tools
that
can
be
applied
to
the
general
space
that
produce
comparable
results.
So
I
think
the
exercise
would
be
to
show
that
at
least
three
tools
could
be
a
could
be
applied
to
produce
comparable
results
against
at
least
two
different
types
of
applications.
B
E
I'm
sorry
yeah,
sorry
david,
I
worry
about
what
you
said
david
in
is
that
many
of
these
tools
are
so
specialized
or
work
looks
for
specific
things
that
they
don't
produce
comparable
data
or
a
lot
of
the
really
cool
scanning
stuff
like
they
keep
it
private.
They
want
you
to
pay
for
it.
So
I
worry
about
how
much
you
know
can
be
accessed
in
the
open
source
public
domain.
B
Right
right
that
that
that's
true,
too,
and
even
if
you
run
the
open
source
tools
where
that's
not
an
issue,
there's
that
sensitivity
of
hey
wayman,
are
you
helping
the
bad
guys?
I
know
we're
short
on
time.
One
thing
that
I
had
toyed
with,
I
had
done
a
little
research
years
ago,
but
we
we
don't
have
time.
B
A
B
That's
right,
I
actually
did
an
analysis
years
ago.
I
never
got
the
report
released.
We
can
talk
about
that
later
about
the
problems
of
that
where
I
I
think
there
was
some
indication
that
vulnerability
densities
had
some
value,
although
they
became
if
your
project
was
very
small,
it
started
to
become
dubious.
B
B
A
B
E
I
think
I
think
that
I
mean
I
think,
that
what
a
lot
of
the
barriers
that
I'm
hoping
to
break
down,
you
can
tell
my
my
passion
and
is
that
I,
I
think,
there's
been
too
much.
I
think
there's
been
too
much
obscurity
and
too
much
money
being
made
of
the
security
space
and
not
enough
sharing
of
information
and
I'd
love.
I'm
very
pleased
that
this
group,
especially,
is
trying
to
break
down
those
boundaries.
It's
one
to
say
that.
C
I
bring
out
a
quick
idea
just
before
I
forget
absolutely
just
throwing
it
out
there,
because,
when
we're
talking
about
you
know
having
this
this
potential,
this
data
to
analyze
at
scale
and
stuff-
I
I
I
think
of
instead
of
making
it
public
if
we
did
some
rudimentary
analysis
among
the
work
group
and
then
if
we
have
some,
you
know
money.
For
you
know
potential
projects
we
could
potentially
hire
like
an
actual
security
firm
or
somebody
to
analyze
the
data,
but
they
would
obviously
they
wouldn't
do
it
for
free.
A
What
about
and
last
point
if
we
could
end
up
bug
bounty
patch
bounty,
triage
bounty,
you
know
so
we
we
have.
We
have
five
million
findings
in
this
thing,
as
a
security
researcher,
you're
invited
to
this
platform,
you
get.
You
know,
five
bucks,
an
issue
to
triage
it
or
or
whatever,
depending
on
how
long
it
takes
and
fifty
dollars
or
five
hundred
dollars
for
for
a
patch
and
a
grand
if
it
gets
accepted
or
something
like
that
where,
where
we
incentivize
the
crowd,
sourcing
and
pay.