From YouTube: S2C2F SIG (March 28, 2023)
Description
The S2C2F SIG is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide, which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer's workflow. This paper is split into two parts: a solution-agnostic set of practices and a maturity model-based implementation guide. The Framework is targeted toward organizations that do software development, that take a dependency on open source software, and that seek to improve the security of their software supply chain.
D: This... I know, it's between this and the CNCF, I feel like I work more with people and some of these groups than I do with folks at VMware.

C: You guys... it'll be fun for you guys to know that, VMware, exactly a year and a month ago, I was there a year and a month ago, I just left.

A: Yeah, certain... VMware, the internal audit, the internal auditor.

C: Yeah, I, like, I kept trying to tell them I was fun, I didn't... my job wasn't difficult. Everybody thought I was coming in at the end, I was, you know, laying half... no, I wasn't, I was an advisor at best. I didn't... God, to get people to talk to me was like pulling teeth, but once they did, they were like, "Oh, this."

C: We do have a couple of things we want to put out outside the agenda, but the agenda items, to what they are, is pretty small for the day, and then I guess have an open discussion on where we see things with the framework, etc.

C: So we'll do that. We have a pretty tight... things will actually start heating up a little bit after Open Summit. Adrian's got a talk or two coming up over the next month. I'll be at Open Summit with the framework, you know. After that, we'll both be digging in a little bit deeper, especially when it comes to the training that's being developed, and then we'll be putting together that explanatory report, so that we can begin marching towards the actual ISO spec route that we talked about way back in the beginning, in the summertime.

C: So we have all of that kind of stuff heating up that would start taking shape here pretty shortly, so yeah, that's exciting times. Things are going to be moving very, very, very fast.

C: So that being the case, again I'll pop the agenda document right here for anyone who doesn't have it. Do we have anyone new? Second... I can't remember. Were you on the last meeting?

C: The running joke here is I use Nuance's Dragon NaturallySpeaking to type any paper I want to write. I kind of use my four fingers, four fingers and the thumb. Yeah, you guys would have loved me in software engineering school.

C: Excellent, perfect, yeah, and I love hearing that. How's... how's initial one?

C: ...me by my full name, so he knows me by Jatel, so send my best to him. You know he'll kill... you say, "Oh really, he's there." He kills... the thorn in his backside. All right, good deal. So let's get into it once again. Thank you all for attending. You'll see the meeting notes there and you'll see the agenda items. So the first one on there is...

C: We have... we're adding a new category to the Guide for Security Tools. Adrian can speak a little bit more about that.

E: Yeah, so as part of this SIG's strategy, and I'll throw the strategy doc into the chat, when I wrote the strategy doc we tried to think about the OpenSSF as one big team, and like what are all the other parts of OpenSSF that we should plug into, so that we tell a consistent story and, you know, leverage each other's work and all that sort of thing.

E: So we started investigating all the different working groups and things that they have. When we first published our framework, the S2C2F framework...

E: We have an implementation guide section, and in that implementation guide we recommend example tools. And one of the pieces of feedback that we got when we were joining the OpenSSF was that we should keep recommended tools all in one place. And so this was me finally listening to that feedback and finally saying, okay, well, I would love to contribute to your Guide to Security Tools document. When I reviewed that document, it didn't include a category of tools that help you update your open source and help you maintain good hygiene there.

E: So this is tools like Dependabot, and I think there's another one out there called Renovate Bot, or yeah. And then, you know, other tools that put OSS vulnerabilities as comments in pull requests. That way, if somebody's trying to introduce a new dependency that's already vulnerable, it gets caught during the peer review process.

E: So they reviewed it today in their Security Tools Working Group meeting. They said just submit a pull request and ping them when the pull request is ready.

B: There's something that went by in that meeting, so that was like four hours ago, that working group. I'm not sure if it was Brian Behlendorf or David Wheeler, somebody on the call sort of said they're trying to keep a philosophy of keeping tools and something separate, and I... the audio was slightly glitched right during that sentence and I didn't catch that. But do you recall anything about that?

E: That's not ringing a bell. I remember Allan Friedman asking what if tools get better, and I remember them answering like, that's okay, like the Guide to Security Tools is all about just capturing the category of tools that exist, and if they get better, they get better, that's great, you know. But I don't remember him mentioning anything specific there. Maybe.

B: That's what it was, like the abstracting the categories as opposed to recommendations or preferences, that we're keeping the landscape open for people to innovate or collaborate or whatever, that it's not a prescription, that it doesn't read prescriptively, that it's more about categories and opinions. Yeah, yeah.

C: That part, I hope that's the case, because I keep hearing this floating thing about a sterling toolchain, which is kind of ruffling... ruffling my feathers, just ruffling feathers, okay. I keep hearing this. I hope that's the case and not the latter. All right, okay, cool. Next thing we have cooking on our agenda.

C: Our agenda is the RSA slides. So we have... Adrian has finalized his RSA slides. I did give some feedback to that earlier, but the slides look amazing, man. I mean, we get a chance to really talk about the framework in total, you know, highlighting the work that we're doing here in this SIG.

C: So, you know, I mean, just this great work here, it's going to be broadcast along with the actual piece, which is amazing. So I'll let Adrian talk more about that. I'm actually excited about this, believe it or not.

E: Yeah, so, you know, we're introducing it early, so I got a chance to submit draft slides to RSA, and they have reviewers that give you feedback. So I got feedback that they were like...

E: We want to see the whole framework, don't just highlight specific points, go through the whole thing. And so I elaborated on all the requirements and showed them on what maturity level they are and, you know, gave pictures to try to convey the meaning and the intent behind the eight different practices. And, you know, we're continuing along the... you know how we're messaging the S2C2F as it pairs well with SLSA.

E: So like SLSA is, you know, the producer line, and S2C2F is for the consumption part, and so we've got that messaging, and then we just start diving into all the various eight different practices and all the requirements that are embedded within each practice. And, you know, one of the areas that I'm going to be talking about, I think, is giving an example of identifying an insecure package source file. And a package source file is, you know, if you're consuming NuGet, it's a nuget.config; npm?

E: It's a .npmrc file; Python, it's a pip.conf. So I'm giving an example of how to identify, because this is really important when you think about an organization or just a large development team.

E: Establishing like an approved ingestion channel, like all open source we consume needs to be consumed in this way, so that our security tools can see all the open source work we're ingesting. Because one of the problems that the industry faces is developers are very creative at ways to bring new open source dependencies into a software product, and if there's no consistency with how developers are bringing in open source, then it's possible that our security tools are not catching them.

E: You know, you're not receiving those vulnerability alerts if your tools aren't detecting the way that you're bringing it in. And so, you know, I'm trying to identify that there needs to be this focus on ingestion, that everybody should be starting with ingestion, and then I move on through the other practices. So yeah, I think it's going to be good.

E: We are highlighting some example tools, and they are by no means a comprehensive list of tools. It's just, you know, we wanted to point people at a tool that is kind of well known, so that they understand and it resonates. And yeah, I'm really hoping that this is gonna, you know, drive awareness of the S2C2F as a whole and get more participation going on in our community meetings here. And yeah.

C: Excellent. You know, so what I'm going to do now is take a look here. Once again, we've got five issues that have sprung up. I'll show the screen here. We may want to talk about these as well, at least have a good look at them real quick. As we see here, we got these five issues that showed up here. We talked last time, and Dave and David...

A: Right, you can take a look at this one real quick.

C: But this seems like something that we need to take and bust down offline, and he's referencing one of the...

E: Okay, that's good feedback, yeah. We can take that and review it and respond. That one just popped up today.

C: I mean, it's real good feedback. I mean, that's what we need, right, that's what we're looking for, so I'm actually happy to see that one. This might take a little bit more time than the time we have; we have 45 minutes. If we want to sit here and chase this down, this may not be... this may be something that we can generally take offline. What says the group here?

E: I was actually... this just gave me a light bulb, and I was actually gonna share something else. I didn't think about this as something we should talk about in the agenda, but I think it should be. I'm gonna throw this link in the chat here.

E: So this is something that this group should add to our list of known threats and see if we need to create a new requirement, or if our existing requirements mitigate against this type of threat. I haven't read it full front to back, but I think the thing that's new here is that they are masquerading as a well-known author. Rather than just typosquatting the name of the package, they're typosquatting the name of the author to make themselves look like Joel Verhagen, who is on the NuGet team and is a well-known person in the NuGet community.

C: Yeah, that... well, that's definitely one of the tactics that's being discussed in the article, actually. I mean, hell, that's actually good, that's actually appropriate. It's one... but that's one of the tactics being discussed here.

C: Anybody want to take... I mean, maybe a couple of us can take a look at that.

C: ...else want to get in on that, doing, you know, taking a look at that article against the framework and seeing where we have gaps. Maybe we can fill those gaps with that kind of information in it. Does anybody else want to do that as well?

C: Two eyes, three eyes, four eyes are better than one on this one.

E: Yeah, so I guess we should maybe add this as an issue. I can create the issue; that way it's tracked.

C: You know, I will say, you know, to come across these articles... we should... these articles are very important too. As we can see, like I said before, we're trying to, you know, fill out the explanatory report, get on into the PAS process, but we also want to make sure that we're still, you know, tightening up, buttoning up the current framework, but also making sure that it's as complete as possible, right?

C: That's extremely important. So as we come upon this kind of stuff, you know, bring it before the SIG, even in email form, so that we can continue to put the work in where it needs to be, so that it's, you know, usable and there's nothing left. You know, well, there's always going to be something left.

C: All right, I mean, that's what we have for the agenda. Aside from that, are there any questions around the PAS process, or any questions around the training stuff that's being completed with SKF?

C: And Adrian just put up another issue. Yeah.

E: That's the one I just created, so that we can assess that article and see if we need to add to our list of known threats, and see if any net new requirements need to be created.

C: Right, good deal, good deal. All right, guys, have a great day. See you guys all in the cut, in a couple of weeks. Yeah.