►
From YouTube: S2C2F SIG (March 28, 2023)
Description
The S2C2F SIG is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow. This paper is split into two parts: a solution-agonistic set of practices and a maturity model-based implementation guide. The Framework is targeted toward organizations that do software development, that take a dependency on open source software, and that seek to improve the security of their software supply chain.
A
D
A
B
C
Yeah
I
I,
like
I
I,
kept
trying
to
tell
them
I
was
fun,
I
didn't
make
my
job
wasn't,
wasn't
difficult.
I
everybody
thought
I
was
coming
in
the
end.
I
was,
you
know,
laying
half
no
I
wasn't
I
was
an
advisor
at
best.
I
didn't
God
to
get
people
to
talk
to
me
was
like
pulling
teeth,
but
once
they
did,
they
were
like.
Oh
this.
A
C
C
C
C
C
B
A
B
C
Me
by
my
by
my
full
name,
so
my
he
knows
me
by
jatel,
so
send
my
best
to
him.
You
know
he'll
kill,
you
say:
oh
really
he's
there.
He
kills
the
thorn
in
his
backside,
all
right
good
deal.
So,
let's,
let's
get
into
it
once
again.
Thank
you
all
for
attending
the
you'll,
see
the
the
meeting
notes
there
and
you'll
see
the
agenda
item.
So
the
first
one
on
there
is.
E
So
this
is
like
tools
like
dependabot
and
I.
Think
there's
another
one
out.
There
called
renovate
bot
or
yeah,
and
then
you
know
other
tools
that
you
know
put
OSS
vulnerabilities
as
comments
and
pull
requests
that
way.
If
somebody's
trying
to
introduce
a
new
dependency,
that's
already
vulnerable,
it
gets
caught
during
the
the
peer
review
process.
E
A
B
There's
something
that
went
by
in
that
meeting
so
like
that
was
like
four
hours
ago,
that
working
group
I'm
not
sure
if
it
was
Brian,
balendorf
or
David
wheeler.
Somebody
on
the
call
sort
of
said
they're
trying
to
keep
a
philosophy
of
keeping
tools
and
something
separate
and
I.
The
audio
was
slightly
glitched
right
during
that
sentence
and
I
didn't
catch
that.
But
do
you
do
you
recall
anything
about
that?
E
That's
not
ringing
a
bell.
I,
remember
Alan
Friedman,
asking
what,
if
tools
get
better
and
I
remember
I,
remember
them
answering
like
that's.
Okay,
like
like
the
the
guide
to
security
tools,
is
all
about
just
capturing
the
category
of
tools
that
exist
and
if
they
get
better,
they
get
better.
That's
great,
you
know,
but
I,
don't
I,
don't
remember
him
mentioning
anything
specific
there.
Maybe.
B
That's
what
it
was
like:
the
abstracting,
the
categories
as
opposed
to
recommendations
or
preferences
that
we're
keeping
the
landscape
open
for
people
to
innovate
or
collaborate
or
whatever
that
it's
not
a
prescription
that
doesn't
read.
Prescriptively,
that's
more
about
categories
and
opinions,
yeah
yeah.
C
That
that
part,
I
hope
I
hope
that's
the
case,
because
I
keep
hearing
this
floating
thing
about
a
sterling
tool
chain
which
is
which
is
which
is
kind
of
ruffling
ruffling.
My
feather
just
ruffling
feathers,
okay,
keep
hearing
this
I,
hope,
I,
hope,
that's
the
case
and
and
not,
and
not
the
not
the
latter,
all
right,
okay,
cool
next
thing:
we
have
cooking
on
our
on
our
agenda.
F
C
Our
agenda
is
the
RSA
slides,
so
we
have
so
so.
Adrian
has
a
finalized.
His
RSA,
slides
I
did
I
did
give
a
give
some
feedback
to
that
earlier,
but
the
slides
look
amazing
man
I
mean
like
we
get
a
chance
to
really
talk
about
the
framework
in
total.
You
know
highlighting
it
highlighting
the
work
that
we're
doing
here
in
this
sig.
C
E
E
We
want
to
see
the
whole
framework,
don't
don't
just
highlight
specific
points
like
go
through
the
whole
thing,
and,
and
so
so
I
I
elaborated
on
all
the
requirements
and
and
and
showed
them
on
what
maturity
level
they
are
and-
and
you
know,
gave
pictures
you
know
to
try
to
convey
the
meaning
and
the
intent
behind
the
eight
different
practices,
and
you
know
we're
we're
continuing
along
the.
You
know
how
we're
messaging
the
S2
c2f
as
it
pairs
well
with
salsa.
E
So
like
Salsas,
you
know
the
producer
line
and
s2c2f
is
like
for
the
consumption
part
and
so
we're
we've.
We've
got
that
messaging
and
then
and
then
we
just
start
diving
into
the
all
the
various
eight
different
practices
and
all
the
requirements
that
are
embedded
within
each
practice.
And
you
know,
one
of
the
areas
that
I'm
going
to
be
talking
about
I
think
is
giving
an
example
of
like
identifying
an
insecure
package
source
file
and
a
package
source
file.
Is
you
know
if
you're
consuming
nuget?
It's
a
nuget.config
npm?
E
Establishing
Like
An
approved
ingestion
Channel,
like
all
open
source.
We
consume,
needs
to
be
consumed
in
this
way,
so
so
that
our
security
tools
can
see
all
the
open
source
work
we're
ingesting
and
because
one
of
the
problems
that
the
industry
faces
is
developers
are
very
creative
at
ways
to
bring
in
new
open
source
dependencies
into
a
software
product
and
and
if
there's
no
consistency
with
how
developers
are
are
bringing
in
open
source,
then
it's
possible
that
our
security
tools
are
not
catching
them.
E
You
know
you're
not
receiving
those
vulnerability
alerts
if
your
tools
aren't
detecting
the
way
that
you're
bringing
it
in,
and
so
you
know,
I'm
trying
to
identify
that
that
there
needs
to
be
this
focus
on
ingestion,
that
everybody
should
be
starting
with
ingestion
and
and
then
I
move
on
through
the
other.
The
other
practices,
so
yeah
I
think
it's
going
to
be
I.
Think
it's
going
to
be
good.
E
We
are
are
highlighting
some
example
tools
and
they
are
by
no
means
like
a
comprehensive
list
of
tools.
It's
just
you
know
we
wanted
to
to
Point
people
at
like
a
tool
that
that
is
kind
of
like
well
known,
so
that
they
understand
and
it
resonates
and
and
yeah
I'm,
really
really
hoping
that
this
is
gonna.
You
know
Drive
awareness
of
the
sqc2f
as
a
whole
and
and
get
more
participation
going
on
in
in
our
community
meetings
here
and
and
yeah
I.
C
Excellent,
you
know,
so
what
I'm
going
to
do
now
is
take
a
look
here.
Once
again,
we've
got
five
issues
that
have
sprung
up
show
the
screen.
Here
we
may
want
to
talk
about
these
as
well
at
least,
have
a
good
look
at
them,
real,
quick
as
we
see
here.
So
we
got
these
five
issues
that
showed
up
here.
We
talked
last
time
and
and
Dave
and
David.
A
C
E
C
I
mean
it's
real
good
feedback.
I
mean
that
this.
That's
that's
what
this!
That's
that's
what
we
need
right,
that's
what
we're
looking
for
so
I'm
actually
happy
to
see
that
one.
This
might
take
a
little
bit
more
time
than
when
we
have
the
time
we
have
45
minutes.
If
we
want
to
sit
here
and
chase
this
down,
this
may
not
be.
This
may
be
something
that
we
can
generally
take
off.
What
says
the
group
here.
E
C
E
C
C
E
C
You
know
I
will
say
you
know
to
come
across
these
articles.
We
should.
These
articles
are
very
important
too,
as
we
can
see
like
I
said
before,
we're
trying
to
you
know,
fill
out
the
explanatory
report
get
get
on
into
the
past
process,
but
we
also
want
to
make
sure
that
we're
still
you
know,
tightening
up
buttoning
up
the
current
framework,
but
also
making
sure
that
it's
as
complete
as
possible
Right.
C
That's
it
that's
extremely
important.
So
as
we
come
up
as
we
come
on
this
stuff,
as
we
come
upon
this
kind
of
stuff,
you
know
bring
it
before
the
the
sink,
even
an
email
form,
so
that
we
can
continue
to
put
the
work
in
where
it
needs
to
be
so
that
it
that
that
it's
it's
you
know,
usable
and
there's
nothing
left.
You
know
well,
there's
always
going
to
be
something
left.