From YouTube: OpenSSF Identifying Security Threats WG (July 21, 2021)
Description
Weekly meeting of the Identifying Security Threats working group. Our GitHub page is located at https://github.com/ossf/wg-identifying-security-threats and from there you can find meeting minutes and other information.
A: Cool, welcome everybody to the July 21st meeting of the Identifying Security Threats working group. I don't have too much of an agenda for today. Let me go back and see where we left off. Last time we were talking about dashboard, scooter, reviews, reproducibility. We did a bit of a demo. We talked about hiring, so I think today either we'll be right or we can talk about interesting topics. I did get off a call with SAFECode just before this, so we can talk a little bit about what we're planning there, because it would be nice for that to be a joint thing. It's probably more for the Security Best Practices working group, but, you know, whatever, it's fun to talk about stuff.

B: No, no! No! Okay! Actually! Yesterday, yeah! Sorry, sorry! No, go ahead! Yeah, yesterday I joined the open security seminar that was given by David, so I got interested in this, so I searched about it and I was trying.

A: Perfect, could you give any relevant background, kind of an intro that you'd like to give on you?

B: So, actually, I've been working as an application security engineer for the last one year, and this is my first job, so, yeah. I have been doing fantastic and security of, like, open source, not exactly open source, but I've been part of the desktop of Steam. So that's support.

A: Terrific. Terrific, welcome, thank you, cool.

A: So, Amir, any updates on the secure review side? I guess we could just kind of go down the list. I saw it. Thank you so much for kind of taking that over and just making things happen.

C: Yeah, absolutely, a couple of brief updates. So I did clean up the GitHub a little bit, just closed some of the issues that we had already taken care of and, as I mentioned, cleaned it up a bit, and then there was the new addition. So thanks to Kevin Backhouse for updating a new review; it was for Fail2Ban, and there was a nice article associated with it as well, and there were a couple of hiccups with the checks before merging the pull requests.

C: But we got all of that taken care of, and that is updated in the GitHub. So far it's going well, and, you know, more reviews are welcome in the future, and I'm sure, especially as we do more and as more people hear about this, we'll be getting more content onto the GitHub and making it more refined. So far so good.

D: Can I jump in here real quick? Yeah, absolutely, yeah. So, you know, I did comment on that article and I was very glad to see it. We had some very weird responses from the CI pipeline on that, and I'm not sure I understand the problem. Obviously it got fixed. So I guess the real issue is I'm curious what the problem was and, more importantly, have we fixed it for the future?

A: It's like a caffeinated puppy, so it really looks for everything, even things that are not profane.

A: Yeah, the quick page form should emit valid, the things that the validator is cool with, other than profanity. But if not, then it's a bug. Yeah.

D: Okay, I mean, you know, bugs happen, and I actually understand the need for that sort of thing, because there are bad people on the internet, who knew, but yeah, it just was, it seemed like it over-triggered, yeah, and I couldn't figure out why it was triggering, so it's just a bug and it's been fixed, yeah.

C: All right, yeah, but what was holding it back was basically it was checking for whether it was implementation, full implementation, partial or non-implementation, and I think, unless you get it exactly right, it'll basically kick back an error.

C: Yep, so that's about all I got, but I agree. I think I'll take that as a note to the guidance for inputting the metadata, maybe putting a little more guidance on that to prevent that from happening for other folks, so it's very easy to upload reviews.

A: Okay, cool. On metrics dashboard, I noticed this tweet from our cox, so I thought that was pretty cool. They just.

G: Yes, and probably he's right, because there are some projects that have their security page on GitHub, for example, but they haven't the security.md. I think security.md is better. Maybe we want to improve awareness about this, because so people can add also on repo in a GitLab, Bitbucket or self-hosted service. So probably it's not our, it's not a problem of the metric board. It is a standard that is not still a standard.

A: Absolutely, yeah, and I think that the way to influence that, so, like, there's also security.txt, which is slightly different but in the same thing, but, like, having the Scorecard, because we're just leveraging the Scorecard project, having the Scorecard project be more aware of.

A: The essence of security.md, and not the actual implementation on GitHub of security.md, have it be more general. Scorecard also only looks at GitHub right now. So if you're in GitLab, you don't even get seen.

D: Okay, all right, how's this? So let's write this down, because I think these are perfectly reasonable: security.txt as well as security.md. Right, and frankly, I would also add docs security dot.

D: You know what, I guess I would add further .txt or really .html.

A: Yeah, so right now it looks like the Scorecard looks for security.md or.

A: security.rst in either doc or docs, okay, so they're trying. So what are they currently doing here? I'll just post a link.

A: It, a security.md, security.rst, and security.rst can be in the doc or in the docs folder.

H: Does anyone know what the main problem with, like, the Apache projects is? Because I don't see a security dot anything on there. Like, I went to, like, apache/hadoop, for example, I don't see a docs folder or any, like, security dots. I was just curious, like, where that tweet was.

D: Well, I don't know where that tweet comes from, but I mean Apache has a number of default policies, but they don't necessarily get reflected as files within their repos.

D: It sounds like their solution, which I love from the point of view of automation, is, you know, instead of expecting everyone to know organizational policies of all organizations, good luck, they're gonna add those files, and it could be as simple, by the way, those files could be as simple as a link to the Apache master, you know, policy, organization-wide policy.

G: Matt Riser, he signed on on Google, on Microsoft team. Maybe he want to talk.

F: Yeah, so I'm an Apache committer. I chaired a project for four years through incubation to graduation, and I can tell you that, if a project is graduated, it has followed a set of security processes to secure all the repos, that it is not mandated or required, and there is no communication to any of this effect that we're going to be asked to create a security.md file. In fact, if you were to search my project, you would find a security.md file under the docs

F: folder, however, it describes security for containers running in the project, not for the project itself. They'll get false positives.

F: My thinking has been in terms of trust, that indeed you can, at a trusted foundation, you have a trust assertion level for a foundation based upon the processes enforced on projects that achieve graduation, because Apache fits that bill. You cannot graduate; it has very strict processes for how you commit, for participation, for nomination, for waiting periods, for voting, for release processes, for signed releases, signing keys, key strength. They're the best I've seen in terms, and it could be used as a stellar example of how you would apply a foundation-wide policy.

D: Well, I mean, one thing we could do would be try to find evidence that a project is one as part of an organization that we have confidence in, so that supports it. I mean, it sounds like they're going to solve it a different way. Maybe we don't need to do that in this case, because I think the challenge is always, you know, not all organizations do that, of course.

F: I'm saying that that's economies of scale. It's talking about other work groups, so if you're at a foundation, the foundation should place requirements on their projects. So, instead of attacking, you know, tens of thousands of projects, attack it at the foundation level, who has enforcement capabilities: they can block releases being published, they can block projects from graduating and reaching status. It means something to people in terms of trust that it's an Apache graduated project.

F: In fact, they do not let you release binary artifacts, they make you release source code, and everything, the process itself, could be well referenced and documented. It is possible. I mean, we could go to CNCF. CNCF is trying to do things. Kubernetes just released their own SBOM tool and they have a work group dedicated to this. So you can work with a few number of people at the big foundations and get a large bang for your buck.

D: Oh yes, absolutely, I agree with that. That said, I do think that there's value even for Apache projects to have within their repos a "hey, wait a minute, we're an Apache project or whatever, and we require certain things," and we record this information in a conventional file so that it's super easy to find that information, so that a new committer, because, frankly, not everybody who proposes a patch to an Apache project really understands Apache.

D: You know, I think it's still useful to have something like a security.md file within a repo, even if it's an Apache project, because people new to that project may not know all the Apache processes. Oh look, right there, we're going to tell you stuff.

F: Yeah, I mean, I'm all for cross-referencing foundation to project, project to foundation, absolutely, but again, at the foundation level. Apache infrastructure is very aggressive in implementing, locking down repos and setting policies, checks and policies on repos. They could easily force enforcement, but you also have to consider that most of the legacy projects still use SVN as well. So, you know, how do you scan SVN?

F: I think that what we're seeing in terms of those materials and security companies is that they use dot files. So I think that relying on marketing.

F: Dot files, .security or .whitesource or .twitter, dot whatever. So I think that that's a better convention, if we're offering, you know, best practices. We should suggest using some OSSF, maybe dot file, even if they want to go that far, so.

D: So, coming back to this, Amy, obviously the metrics thing is, because it's sucking in data from the Scorecards, we clearly want to propose some changes to Scorecards to improve the quality of the results. So is there anything from this discussion that we should propose back to the Scorecard folks?

A: I mean, if, and obviously this conversation's not really about Apache, but just because that's the one that came up, if, so, for the Apache projects that don't have a security.md file, if they had a .security file that we just didn't know about, so Scorecard isn't looking for, then that would be a bug back to Scorecard to say: hey, .security files count as security.md. So if you see that flag, it is yes. What I'm.

A: What I suspect is more likely is that there is no security.md, because it's implicit that, you know, Apache project foo falls under the global Apache security reporting process.

A: Structures, process, you know, all that, which makes complete sense, but I would still say we should then, like, I mean, I think, Mark, Mayhem, I mean. We may not need to do anything in this case, but, like, right, we should reach out to Apache and say: hey, have you heard about security.md? Like, we think that maybe it might make sense to have this be as a global default and maybe push it down or whatever.

D: Yeah, and clearly having interaction, I mean, in this case, I think it's clear that somebody thinks Apache should make a minor tweak, really not changing the Apache policies, just making what the policies are very clear within the repo and in an automated way, so that it can be detected automatically, and that's great, and so I don't think in this case we need to make changes for this.

D: I do agree that there may be some other changes where it might make sense. Oh, we detect it's Apache or whatever and make some, you know, some other.

F: Like I'm saying, a dot, like, say, security is great today, but here are all the things we're looking for. If you want to be scanned by us, and you want us to be completely clear and have no lack of uncertainty about how we're communicating and evaluating your project, you can create a .ossf file or something like that that follows some schema or something like that that we know, you know. That is a clear indication.

D: Yeah, I will say that, at least for, I mean, there's several different other documents that talk about security.md files.

F: I think the format is important because what people are trying to do with both CycloneDX and SPDX going forward, hopefully, maybe not, depending on how security profile 3.0 turns out, you include vulnerability contact information, so it's nice to have a means to map whatever we ask them to produce to an insertable.

G: This means that there is a sort of agreement between the company or the project and the security researcher, and there is, of course, a security contact, but there is also that, if a particular project wants to share the scope or the bug, the debug that they want to receive. For many reasons, and I don't know if security.md is similar to security.txt, not only for website or not, you can add the similar format also in the repo, but security dot.

D: Yeah, there's actually something like Trey Waters that proposes a security readme file, which is basically.

G: And at the same time, I agree with Michael, I mean. I know that some projects have a different system in place similar to security.md, but probably the dashboard can help a big project to create standard, and, like, security.txt is a standard. Now, maybe we want to have a similar standard for the metric board and for open source project. If Apache want to have a better score, they just need to create a little security.md.

G: When we can talk about the format, I agree that the format is important, not the structure, just the requirements. I mean the security need to contain this information about the point, bullet point, point, but.

F: I mean, I would love to create, like, just a skeleton of what we expect and some draft of some new format that we can to hostdiff. If we're paying host of 60k to secure a project they propose, which then they propose to solve, but they would institute that. So we can showcase that at the end of the day.

A: I think this would be very useful, because without it, all that anybody can say is that a file called security.md exists.

A: With them, I'm not, I don't know that they have anything going on around this, but I think it's actually perfect and kind of fits. When OpenSSF started, we were a little bit concerned about everybody kind of being, whatever it's called, pipelined into their own working group, where all you do is stuff that's in your working group. We really wanted projects to be kind of cross-working-group. I think this one fits us, Vulnerability Disclosures and Best Practices, so maybe, go ahead, David.

F: Later, can we create a project that, you know, recommends what should go in the file and actually make work towards some type of schema? Because what I'd love to, if we're gonna make an effort to do this, we should make sure all of the groups have an ability to comment, because immediately I want to throw in an example of what the schema is for contact information for an SBOM, and I also want to make sure that people have a place to stick, if they have a CPE or SWID or a purl, package URL, that they can slap that in there as well.

D: I will note that there already are, although I think schema may not be the right phrasing, but, you know, kind of a formats and contents so that there's agreement on what's, well.

F: I have to do the deterministically, you run any tools against that determination. Tells me the pro, I can reference this process, procedures, contact input for vulnerabilities. I can identify my project, software identifier, my SBOMs, and things like that from my strict schema-based file that I can directly use to import into an SBOM or the report. That's gold! That's the grail! I mean, that's the grail. That's the binding document that brings all these processes together.

F: To solve that, security people have failed to do over the last 20 years, because we have a collective set of principles now, with cloud native and source code control management system and GitHub kind of as a central nervous system. You know, there's a set of processes and methodologies that are expected now for any software development life cycle, and, as a matter of fact, we're talking about markdown and security.md as a convention, looking for it? So clearly we can do better. The time has come for us to do better.

F: If you go to the Apache foundation, you will get attentive ears and the infrastructure team will be able to help roll that out to all the Apache projects, and I, as Apache chair for my project, would gladly do that if I've got, when I have to report to my quarterly board report, if they say, you know, your board report, you don't have this file, and then I get a negative board report. Then people will take action. Absolutely.

D: Okay, when you say schema, to me you're implying an additional level of complexity, which sometimes is exactly what's needed, but we need to make sure that extra complexity usually means it's harder to get deployed. So we've got to make sure that, if we've got to accept that extra complexity, that it's worth the squeeze, as it were, I know.

A: If I can throw my thoughts in here, I think that this is all good and we should absolutely try. We're not committing to doing anything other than thinking about it and coming up with something that we think makes sense and then talk to people about it. So I think that that's all good.

A: Second, I think that there's no reason why security.md will live on forever, because enough projects have it where it's not going anywhere. Having the better .security, dot whatever, .yaml or something with more structured stuff means that we can infer better things out of projects that adopt that, and then we can say, hey, using security.md, that's terrific!

A: Have you thought about this other thing? And here's the advantages of it, and for the Apaches of the world, we think that that's the better approach. They.

A: Something readable, because the purpose of security.md is that when you open up an issue, it says: hey, you're opening a security bug, here's our policy, here's our textual thing that you as a human being can read, and there's no reason why this structure can't include that too. But yeah, amen, 100%, cool, okay. So how about this? So I opened up an issue in our working group. We can create this as a product, we could do whatever, but just as far as getting something done, like, right.

A: This second, there's the issue. Matt, you are super passionate about this. Would you like to just own this?

F: And drive this. I'm passionate because this is my life. This is my life right now, because it seems like I'm gravitating towards the CSO office, and because I have so many projects in open source in various places, I've been asked what we should be doing. So, terrific, I feel like you sounded and described the onset of the calm, Michael.

A: Okay, the other thing I wanted to talk about was this kind of SAFECode survey, which is definitely not fully baked, it's like still watery in the oven, but what we've been throwing around, and so we've been meeting twice a month for the past, I don't know, four or five months to think about how OpenSSF and SAFECode could work together, and we've thrown around a lot of different ideas.

A: And this is me with my SAFECode hat on now, because as SAFECode we want to, I mean, we were part of OpenSSF. We want to contribute, we want to do the right thing, but we kind of represent different audiences a little bit, but we all have the same challenges, which is why we're here. Where we've kind of coalesced is that we want.

A: We're thinking of something like an OWASP Top 10, but for the security practices that open source developers, particularly small and medium-sized projects.

A: So this would not be the Apaches of the world, or at least we wouldn't consciously target them, but instead, like, all of the single, like, two or three person projects out there: what are the top ten things that you should do, like enable two-factor auth, you know, run static analysis within CI, have a security.md, etc., and kind of articulating and providing links to existing guidance where it exists, and then kind of evangelizing that, as a, you know, "hi, you're a small to medium-sized open source project."

D: I mean, frankly, although it's not quite the list of ten, I mean the CII Best Practices badge has already got that basic list, so if there's something egregious that's missing, I'd love to hear about it regardless, but it's already got the 2FA. It's already got these other things, and it's got automated detections for not all of them, but many of them. Anybody knows how to detect 2FA users, I'd love to know, externally, but for a lot of the rest of it.

A: Okay, yeah, so I don't want to lose that thread. I'm going to hold on to that thread and just continue a little bit longer, then we'll come back to it, I promise, okay, because I really don't want to redo stuff, and if it's just a matter of, like, if nothing needs to be done, I have lots of other things that I could be doing. But at the same time, what we were kind of considering was they were going to start with a survey, and the survey we.

A: It is not going to be duplicative of the Harvard survey, because we've been looking at that and I think that that is definitely half the story. What we really want to see is, like, static analysis: on the journey of static analysis from "I've never heard of it" to "I've heard of it, but I don't see the value," "I've tried it."

A: "It doesn't work on my platform," "it's just too many false positives," "too expensive," all the way up to, like, "it's fully integrated into CI, and I get alerts and I take action on them." Where do you fit in that spectrum? And then the next thing, like two-factor auth: do you use two-factor auth? "No, never heard of it," or "yes, of course I do, like, who, well, I can't possibly not," et cetera. So, as you come up with practices that we think are important.

A: Where do teams, like, where are the, where do they fall off the journey towards goodness, and then can we? What could we give as guidance in order to bump them from level n to level n plus one or n plus two? Because if we see that, for instance, most open source developers, it came out in the Harvard study that, like, more than half of open source developers don't use static analysis at all?

A: That's interesting because, for the vast majority of open source projects, at least the ones hosted on GitHub, static analysis is like a click or two away for languages that it supports, et cetera. So, you know, perhaps there's an evangelization opportunity there, whereas if we found out that two-factor auth doesn't work because everybody publishes to, I don't know, pick a package manager that, in theory, doesn't support two-factor auth. Well, that's really interesting too. So that's kind of what we were thinking. So the difference between that and the.

A: I think sourcing the questions, and I'm sorry, I'm talking as I'm thinking, so I apologize, sourcing the questions from the Best Practices badge, I think, totally makes sense, and/or sourcing the domains: two-factor, static, do you do crypto, et cetera. But what I don't know is if the data in the Best Practices badge will tell me what's needed.

A: It'll tell me, like, the projects that have opted into it, the ones that don't do two-factor auth. I could infer that two-factor auth is hard for one reason or another, but it doesn't tell me the rest of the universe that hasn't opted into it. So it's kind of a selection bias on that.

D: Fair enough, although, to be fair, you know, you can say, hey, the selection bias is for projects which are at least trying, and so, hey, if it's hard for a project that's trying, that might give you some additional information. But yeah, I mean, and that's, I mean, you know, not all projects use GitHub. So, you know, just looking on GitHub is a bias also. So, you know, it's hard to eliminate all those; you do what you can.

D: Actually, I'm gonna post the correct, just for your amusement, Michael, I'm gonna post in the chat the CII criteria, and I also just posted a link. I actually just gave a presentation on how to develop secure software, which primarily points people off to the OpenSSF course and CII badge. It mentions, I believe, it mentions metrics.openssf.org, you'll be shocked to hear, so trying to give at least people, you know, places to start.

D: And maybe I should copy-paste this into our notes, since everything we put in the chat disappears in seconds.

D: Okay, so let's see here, so, wow, and when I copy, weird stuff happens. Okay, so if you just want to see the criteria, there they are, and then I'll just note. The.

D: Yeah, there's actually three levels, so this is for the passing badge. Now, that's all the criteria. A lot of these have additional information that basically explain, you know, common ways to do it: yeah, yeah, yeah, yeah. So basically, oh wait, how about I do X? Well, there's something called details, which you can actually, there's, actually you can click on additional information, it'll show the details and rationale and stuff like that. But yeah, for the actual criteria, that's all. It's more than 10, but it's not, it's not a thousand.

D: That was very much, and this comes back to my earlier comment of, I think that we need to not just have good criteria, but do our darndest to make it as easy as possible to really apply, because the best criteria that no one uses is worthless.

A: If you live in the analog world, you know, so to have it be, and not to have it be, like, you know, a half a point font, you know, for it, but, like, have it be like, here, like, yes, there's like 100 things that you need to worry about, but you really need to worry about, like, ten is just a nice number, because it just kind of brings, it brings branding, but yeah.

A: You know what, look, so let me go back to SAFECode and see, maybe it's just a matter of.

A: You know, cool, okay, so go back, yeah, and the last part, metrics.openssf. I haven't made any changes. I do need to refresh the date. I really need to figure out why the data doesn't refresh automatically. It's, oh.

D: Weird, I don't understand. The one thing computers are easy at is doing things with cron.

A: I do have a work item open, or an issue open, against the metric dashboard project that we can give to the developer that we hire, as soon as we can hire a developer to work on this. So it'll get resolved eventually.

H: Yeah, Michael, I took a look at that and couldn't figure it out, like, what the issue was either. I kept running it for me. I redirected everything and it said I had an issue with, like, the security key or something, which I definitely had from Django. When I, like, redirected it, it said it was doing nothing and I redirected standard error somewhere. That's what I was getting. I don't know if, like, I honestly, like, okay.

A: You don't want to throw that note in the issue? And that way, the next time we take a look at it, I'll have that in my head. Yeah, I mean, it's possible that it's lost environment variables or path or something silly and then just errors out. Yeah.

A: But Luigi, you posted a note in Slack. I just wanted to make sure we got to it, about the API.

G: Yes, I can, I mean, I try to create a GitHub Action to have automatic output from the API. At the moment we have a single endpoint for packages, and probably it's not.

G: I mean, there are all information, more information, than in the dashboard, for example, but sometimes they are not so clear, because the API are not human friendly and there is no description of a particular result, and we have now the same output for different projects. For example, if I have an endpoint, I expect there is the same number of values, maybe with null value, with all minus one value. But if you try different products, there are different number of responses.

G: Kubernetes is a really good project, with the best standard and security best practice, but the JSON are really different, and so, if you want to create a script, it can be not so easy to do this. I need to add a lot of extra exceptions, for example, to handle it, and maybe we want to create a.

A: Yep, I think 100%. The API literally took about 10 minutes to do, so it is literally, whatever, like, this is as close to the raw database representation as you can get. So, you know, the database is just key-value and the key is dotted to kind of namespace it a little bit, but, you know, so the one I'm highlighting here says that the criticality, the data we get from criticality, it just has a field called closed issues count.

A: I don't interpret that; that is whatever it gives me. It has this value, and on the Grafana side, that's where Grafana knows that closed issue, that this key here means something that you should convey. So this is very, let's say, untyped. I think having more typing there makes sense, but then that increases the coupling between the different pieces, that we have to know about exactly what we're getting from the different data sources.

A: So the advantage to this, I think, is that, if, like, Scorecard added a bunch more data, so it's in here, we didn't need to do a thing. If we structure it, then we need to figure out what do we do about the things that we don't know about, like, do we?

G: It's not urgent, I mean, and they are useful in my opinion right now. At the same time, I don't know if we want to create, I mean, if we want to create a sort of API service. At the moment there is just an endpoint and it is enough for Grafana, for people that need to use it, and I mean I can work on it.

G: It is a JSON, so it's not a big problem. At the same time, I don't know if we want to share a sort of swagger.js or similar containing the information for human, not for machine, of course, but I mean it's not urgent. It is, and creating good APIs, in my opinion, is not so easy. They are still good, in my opinion, very good, because I can use them. At the same time, I am, I don't know.

A: So yes, what might be helpful here is throw a lot of your thoughts into an issue under the project security metrics thing, and that way, as the developer comes on board, we can have them look at that, or we can, or you can, or whoever can, but we can kind of just track it and not lose it, and because the API is already versioned, we can just make it version two and then we're good to go, so.

A: Happy, thank you, awesome. We are out of time. Thank you all very much for the great conversation today, looking forward to next time and making progress, especially in the secure structured security.md; I'm interested in what comes out of that. So thank you all very much, have a great rest of your, whatever day today is, Wednesday. Bye all, bye. Thank you, bye. Thank you.