From YouTube: S2C2F SIG (April 11, 2023)
Description
The S2C2F SIG is a group working within the OpenSSF's Supply Chain Integrity Working Group, formed to further develop and continuously improve the S2C2F guide, which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer's workflow. This paper is split into two parts: a solution-agnostic set of practices and a maturity model-based implementation guide. The Framework is targeted toward organizations that do software development, that take a dependency on open source software, and that seek to improve the security of their software supply chain.
A: I'm fine. I'm glad to see you. I don't see other people I'm expecting, like Jay.

B: Yeah, Jay said that he is in a meeting, in a doctor's appointment, so.

A: Now, very good, yeah, and let's see here. Yeah, so I'm gonna, probably, let's see, today is the, oh, it's the 11th. The time keeps marching forward. All right, so your name's not in here for attendance today. So let's.

C: Hello, apologies. I am at Microsoft. We start meetings five minutes after, and it's trained me to not be punctual.

A: No, that's not surprising.

A: Brussers has taken to, this is a slightly different approach. He starts the meetings at literally five after. I mean, they're actually on the calendar, as you know, at hour:05, yeah.

C: That's how, you can set an Outlook rule to automatically do that when you send out meeting invites, and everybody just started doing it, and, you know, it allows you to have space in between back-to-back meetings for bio breaks or whatever else you need space for. So.

A: Yes, thanks to our video chat overlords. We should be grateful for five minutes.

A: I added something real quick to the agenda. It's more just an FYI, so maybe I should label it that way.
A: Yeah, so, me, your S2C2F and SLSA have different views, but, poor Jay has heard me multiple times, we need to make sure that these complement as opposed to oppose each other, and he's agreed, but we want to make sure that happens.

A: Okay, yeah, so, yeah, thankfully I'm in a quiet place. I've got a microphone, a directed microphone. That makes some things easier, so anyway.

A: Thank you. Yeah, so I mean it's something we particularly need to do well, other than what we have already agreed to do, the crosswalk. I don't know of any conflicts, but I'm sensitive to the issue. So.

C: Yeah, I'm glad you brought that up. This 1.0 announcement is for the build track, right? And so I guess an example of a crosswalk, like the first thing that comes to mind, in our OpenSSF S2C2F requirements there are two requirements that have prerequisites that are outside the scope of our set of requirements. Boy, what am I referring to? I'm trying to scroll and find it right now.

A: I guess the question is: do you want to look backwards and ask how were the, there are organizations who rebuild. I actually think more folks should do that. But I think the reality is the vast majority of people will not, most organizations won't want to. It's a big request, and although in theory you should be able to do it, everybody I've known who does do it finds that there's always something unstated, yeah, making doing that harder.

A: So my guess, and here's Jay. Jay, we've stalled them there for you to join us.
A: Well, okay, some of us, well, height probably is harder to change. Wait, we are capable of increasing that. All right, anyway, you don't need to give us medical details, but I hope all is okay for you.

B: Oh yeah, yeah, that's great. You know, I'm one of the few people that I know of, at least, that take full advantage of seeing my doctor every three to four months. I get a teeth cleaning every four months. Me and my dentist and my hygienist and anybody else in that dental office are on a first name basis.

B: We high five when I walk in, you know. I mean, one of them, wow, one of them, like the hygienist assistant, we high five and we do a little dance, because, you know, that's just, you know. Yeah, I get excited when I go in there. Me and my doctor, you know, every four months we get together. He's Charles and I'm Jay. You know, we sit down with one another and we discuss things. It's wonderful. I am all about that life.

C: Yeah, oh yeah, no, it's good, because it's so bad that it's good. My dentist goes, you should really think about removing your wisdom teeth, and I always say, but they keep me wise, and then my dentist just looks at me like, okay, it was a really bad joke. It's like the only dentist joke I know. Okay.
B: Oh okay, okay, so, all right, so. First things first, I was on the positioning call this morning, the Supply Chain Integrity positioning meeting, and things are wrapping up with the first, I guess the first sprint of SLSA when it comes to 1.0, the coming press release and any subsequent blogs that are going to happen after, and we've agreed on a shift to S2C2F in terms of our efforts.

B: So a lot of the people that are in those meetings are going to shift over, at least have said they are going to shift over to S2C2F and join these meetings to help us get this moving along, like everyone has been getting SLSA moved along, so I'm gonna hold them to that. So this meeting should, yeah.

B: So hopefully this meeting should grow in numbers here in the next couple of cycles, so that we can begin to wrap ourselves around this. I did mention to them in that meeting, like we're mentioning here on this agenda, that we are in full swing with the explanatory report. Thank you, Jasmine. Jasmine, guys, started with that. You know, we're gonna jump in. I

B: Think we're gonna have a couple of working meetings to see if we can't put our elbows into that and get that polished up a little bit more, so I can go to the JDF and help us make this into a real boy, right? We'll see if we can't get our Geppetto on and make this into a real boy, yeah.

B: We do, it's very. It is very, we have to put it, actually, we have to slide this over to a Google doc too at some point. Let's do that, let's slide over to a Google doc, and then I

C: Might be able to do that rather quickly. I'm gonna go into our Google Drive and click new. I know there's a way I can just click new file, yeah.

B: Yeah, you'll be used to hit the file and it'll open up a doc for you right there. It's really cool. But yeah, we could do that, share it and then begin to do some work on it. It's really rough right now, so Jasmine put her hands on it and got us going without this.
C: Okay, yeah, sometimes we're so used to working in Microsoft Word. Okay, so we are transitioning that right now. Copy.

C: Okay, and I think this is now also showing up. Yes, it's inside of our, here, I'll drop the link in the chat and also in the agenda. All.

B: Awesome. Also, I think I forgot to put in the agenda, I would say, let's, although we're so close to RSA and we're so close to the Open Source Summit, I think I'm almost saying we

B: We talk about this in the next couple of meetings, once we finalize the stuff that we're doing for RSA and for Open Source Summit, to talk about the SKF stuff, all the training stuff, because I think that, no, I don't know that that was put on hold, but I do know that we had a couple of suspenses for presentations and everything else that may have slowed some of those activities. So maybe we table it for next time. What do you guys think?

A: Yeah, it makes sense. I mean, their training stuff has gone up to the governing board because the challenge is, you know, we can do many things unless non-trivial amounts of money are asked for, and then we actually have to, like, you know, ask the people with the power of the purse, and the people

A: with the power of the purse are going, good idea, but we need to read this through and think about it, which is fair. So I believe the status is, I can blame them, I say that facetiously, but more, you know, it's been presented to them. They need to have time to read it through, think it through. Hopefully that decision will be made by the next governing board, but that is entirely up to, I mean, that is their decision to make.

B: Yeah, they have TAC members that they need to nominate of bodon or whatever it is too, so.

B: Yeah, okay, all right, so we had that on the agenda. I know, well, I put on the agenda, I had that and then I had a couple of other things there I had.

B: Yeah, RSA. RSA, Adrian's given that talk. I have gotten an Expo pass, so I'll be there, maybe at the Expo, maybe one or two days, but definitely I'll allow the social events. I'm gonna crash the one on Monday, because I tried to get a ticket and then, like, RSVP was sold out, so I'm just gonna show up and see what happens. You know, I'm gonna say I know Adrian, that's what I'm gonna say.
C: We can also, similar to RSA, Jasmine and I are gonna talk about S2C2F at Microsoft Build in May. So that's just another conference where we get to continue our awareness campaign of letting people know that this framework exists.

C: Good. Speaking of RSA, our next SIG meeting is April 25th, which is one of the days that RSA is happening, and I just will not be able to support that. We might want to consider cancelling.

B: Yeah, because I'll be at RSA myself, yeah, so that might be a meeting we need to cancel for that particular day. Okay, yeah, absolutely, yeah, yep, yeah. It starts the conference cycle. This conference cycle, part one.

B: From July it starts all over again, unless, what, BSides is earlier this year too. I mean, it may be a decent? Well, the end of May, decent, June will be okay, but coming into July, that's going to be rough again too.

B: Yeah, really. Well, all right, so that was also on our list of things to talk about. Then Open Source Summit. We have catch, ketchup, mustard and relish.

B: Where I'll be sitting on the panel there with Mike and Mark Lodato to talk about SLSA, S2C2F and FRSCA from the Supply Chain Integrity Working Group perspective. We'll give, you know, how they bridge together, what's, how they're different, things on, you know, different parts and things that are on the horizon for that, and, you know, so that'll be good. We actually have a sync meeting to really nail down what the talking points will be for the purposes of that panel discussion.

B: Arno is going to facilitate, so we'll dig in deeper in terms of what we'll actually be talking about.

B: That's at the Open Source Summit.
C: The last thing I had done was I put together a straw man of, like, what a training course might look like, and I got a lot of feedback, and I haven't incorporated all the feedback, so I'm curious if this is related to something else, or was it specific to the S2C2F training proposal for the SKF.

A: Okay, so I don't know the answer to your question. If what you're really asking me is, hey, can you give me some tips on helping to create a course that might be released by LF? I mean, happy to talk about that, I can do that, and I guess there's several different. Let me put this way. There are three obvious avenues. One is working within SKF.

A: Okay, one is working within the fundamentals course, and one is creating our own courses, whatever that looks like. Obviously, you know, OpenSSF work doesn't have to, even if it's a course, it doesn't have to be through the LF, but we have a group that does it, and my experience has been, you know, writing material for courses is one thing; keeping the lights on for a system to make sure, hey, it works in this computer, oh, you want digital badges.

A: Well, now you have to have an account and logins and all the other glorious stuff. You know, basically we have folks who maintain an infrastructure to deal with that. So, you know, if you just want to present some material, here's a document, you can go read it, that's one thing, but if you want to have, like, a sign up for a course and get a digital badge and so on, then you want to do something with somebody.

A: I have direct experience with doing that because I'm the primary author of the fundamentals course. So now, so, really, the question here is, what's the material you want to teach? How long is it? If it's really small, you might just slip into something else that's existing. I mean, if it's really just kind of an awareness, basics, here's where you go for more, I mean, frankly, slipping into something that's already being used is the easy solution. If it's bigger, then yeah, and then you need to talk, ask about questions like, with the audience,

A: what are you trying to get them to learn? You know, those kinds of questions. Mechanics: LF Training can do all sorts of things. They have their own platforms that they support, that they have to get the stuff into. It's kind of a pain to work with the tools, and so their process is what I would call WET. You've heard about DRY, right? Don't repeat yourself.

A: Okay, DRY, don't repeat yourself: it's a commonly used phrasing in some programming systems, and some folks are really big on it, possibly to the detriment of getting work done. But, you know, very much the don't repeat yourself. Well, they're very much the, they have found it much easier to let content creators create content, and then they have someone else take that material and convert it into the various weirdnesses that the tools require, because that means that the content creators get to focus on content.

A: One other thing that they suggest, which is kind of weird, but I've come to see the wisdom of it. They can support videos, but if your material is short-lived, go for it; if your material is long-lived, they actually recommend doing most of the stuff not in video, and the reason is maintenance.

A: They've got some really good stuff. There's some very good people who have developed some really good information there, and, you know, my hat's off to all of them, by the way. This is not a dig on them. I would have done the same thing, but one of the problems is that they created some videos for training that at the time were great, and then they just could not afford the endless update. So they've got this Java-specific course, and it really focuses on how to create your applet.

A: No one does that. No one's done that for years, you know. That's just not, I mean, technically that capability exists, but you're highly improbable, unlikely to use it, but there's the problem. There's some good information still in there, but it's trapped in a format that's really hard to maintain, and, you know, whereas the course that I developed, it's mostly Markdown files, lots of text, some images, super easy to update. In fact, I routinely update it. We just had an update involving HTTP, HTML targets.
C: That's even, that's great feedback. I was capturing what you were saying in my notes offline. What I'm sharing with you now is the course outline I put together. This is what I did for a different training organization before, and, yeah, all the upfront stuff about, like, how to organize the content and everything, and then when we got to here and I was trying to outline, well, how are we going to break this apart?

C: What are we going to teach? I got a lot of feedback on different ways to organize this. So I need to finish this outline, but your point is noted. I think we even have a link to your example here for your training.

C: If I could click this one, yeah, it's your fundamentals, yeah, so that was an example of, like, a, and, like, for consistency purposes, it would make sense to put it in the same kind of format that you've already done, so.

A: Yeah, well, I would even go further. You know, if it's small, embed in existing is probably the simplest thing to do, kind of simple, because now you don't have to figure a lot of things out, but that's not a requirement. So very much now, I guess the question is, I mean, S2C2F, although obviously there is material, at least in my mind we're still kind of going update, so I'm wondering if maybe it's the, you know,

A: first, you know, get widespread agreement, consensus, release, and then do the training afterwards.

C: When you say widespread agreement, consensus and release, are you referring to, like, the industry at large accepting the, okay.

A: True, for, in my mind, the right way to create a spec is the way that both SLSA and S2C2F have been going, which is start with something that actually works in an organization, and then you have others beat it up to say, well, I agree with your goal, there's other ways to get there, or there's no way everyone else can do that, or absolutely we need,

A: in fact, we need to make that broader everywhere, or, you know, those tweaks. That broader industry review and tweak, and then absolutely make the course. I'll note that the course that I created, you know, I had lots of people review it before it went out the door, and people still, you know, send in comments, just because, and that's a different kind of thing. It's not claiming to be a spec.

C: Okay, so that's good feedback. So anyways, we got on this topic because, if we go back to the agenda, you said that the governing board is reviewing a training proposal, funding, and I didn't know if this was referring to, like, what is this training.
B: Particular, yeah, I think what they were talking about is they're reviewing how things get funded overall, right, training-wise or training development-wise and all that kind of stuff, and how much sway does the TAC actually have? And, you know, I mean, when it comes to the dollar amount and all that kind of stuff, I think they wanted to review that.

A: Now reality, as you know, is always more complicated, but officially, from the charter's point of view, the governing board has the power of the purse and the TAC does the technical reviews. That said, in practice, and I think this is the right way to go in general, the governing board always wants to hear from the TAC first. They don't have to do what

A: the TAC says, but they are sure as heck going to listen carefully, and the governing board has given the TAC small amounts of, you know, basically the equivalent of petty cash, I guess. You know, we know you're going to need to use at least a little money for X, so here, you don't need to

A: You don't need to come to us for five dollars, kind of thing. So the formal position is very, very simple and clear, but in this case, what's happening is that a proposal has been created for funding for additional educational materials and the TAC reviewed it, and now it's gone up to the governing board, and I think that's where it currently sits.

A: You know, if the TAC, you know, usually the TAC is going to have to say yes before they bring it up. In this case, yes, and then they bring it up to the governing board, and the governing board, because otherwise what will happen, this has actually happened before, is, if you just bring it up straight to the governing board, the governing board will say, great, where's

A: my TAC review, thank you, and if not, they'll say, oh well, okay, you know, we have decided that we want TAC review for money proposals, absolutely, but then they're right to make that an implicit requirement. So off we go. Got it? Is that kind of making sense?

A: The hope of all this review, by the way, is, if there's a problem, or, you know, there's at least, you know, again, multiple eyes. By the time it gets to the governing board there's already been some eyeballs on it, and then the governing board can look at it as well, and there's a lot of folks in the governing board. Each of them has limited time. So, you know, the hope is that more people have a chance to review it.

C: Openness and, all right, great, done.

A: I want to make sure that somebody else can pick it up. Perfect.
C: Yeah, so we want to jump to here. This has been the newest, most exciting one, and I wanted to propose.

C: So JFrog recently published an article detailing a new attack type that happened on NuGet recently, on nuget.org.

C: We actually filed, we created this issue last SIG meeting, that this is the point of establishing, like, a community. We get to review new threats and assess them and see, do we need new requirements in our framework to address these new threats? And one of the new threat types was, it's very similar to typosquatting, but instead of, like, squatting on the name of a package, you squat on the name of a well-known author. So maybe I should open this up. Okay.

C: So they mimicked this guy named Joel, hold on. Let's see if I can find it.

C: Yeah, so here we go. Joel Verhagen is actually a Microsoft employee on the NuGet team, and he is also, like, an author of many packages, and they chose to make it look like they were him by typosquatting his name. So they're publishing a brand new package, okay, trying to give it instant credibility based on making it look like it came from a well-known person.

C: Because in the portal, you know, it's an uppercase I instead of a lowercase L, and so a brand new package, which may have some questionable, like, hey, is this a reputable package? You know, it's brand new, nobody's using it yet. Oh look, it comes from this reputable person, but in.

A: Yeah, and so basically it's a little like typosquatting, but instead of trying to subvert the process of picking the package, it's subverting the process of evaluating the package, because, you know, this is the package that you're bringing in. But when you do the evaluation, you step back and say, okay, you know, what do I know about this package? It's new! Well, I don't know what else. Oh wait a minute! I know this person. This is.

C: Yeah, and so, you know, by the way, internally the NuGet team is going to do some things to update the UI to make these sorts of things less confusing, and they're taking action, and they have a plan to enhance the experience for, you know, selecting packages and protecting customer safety and all that stuff.

C: But as a general framework, this is a new threat, and should we update an existing requirement or should we create a new one? And we got some good discussion going here, where they believe that we should just update the AUD-1 requirement to say, be able to track that a package traces back to expected repo and expected maintainer.

A: You know, you're just a little farther away from me. I guess we couldn't check, but I went to the same metaphorical class, and I agree. I think if you put the "and" in there, people will go shake their head up and down, and that will be the end of the discussion. No activity will occur.

A: I think this should be really a separate requirement. Yes.
A: Is a new one to me too, to be honest, although I have to admit it kind of follows on. You know, once you start countering typosquatting of the package names, well, what else could we confuse you about? Well, confusing, of course. I would go broadly, because it doesn't have to be an individual author's name. It can be a company too. You know, my

A: That's right. Yeah, somebody somewhere probably owns the domain Micro-Soft, which, if you know your history, is the original name, if I recall correctly. Yeah, so I'm in the same school. If it's actually important, it should be a separate requirement.

A: Of the, or counter name confusion of origins. Well, that sounds technical, but yeah, I'm going to write that down and then we can try to simplify it. But I think that's important.

C: Yeah, I was going to continue the discussion here, and it suggests that these be tracked as a separate requirement so they can be individually satisfied, and then also just change management here. I had thought Checkmarx was the original publisher; turns out they just reblogged what JFrog had originally, so I changed the title of this issue to be JFrog instead of Checkmarx.

B: One other thing I'd bring up, though, is that this isn't, this is considered to be an audit item on the framework, which, in itself, me putting on my internal audit hat, if I were to be an auditor that looked at this requirement and looked at an organization that I was being a third party auditor for, I'd ask two questions: one, where in the spec is there the actual control that gets implemented?

B: That allows us to do that check, that allows us to say, is this control effectively in place, and/or where is that requirement mentioned in another framework that we can use as an attestation point and say, based on this framework, based on the control and the way it's supposed to be implemented from this framework, we can attest to this particular control in S2C2F being met for the purpose of this, right? So that's just me putting my auditor hat on.
A: Yeah, but actually hold that thought, because I think I have a quick answer for you. I'm not sure I can point you to anything that's written, but I do have a particular opinion on this. Usually when I want to check, you know, is this the correct, is this the safe version?

B: Oh yeah, yeah, absolutely. I'm only considering the adopter or the implementer on the other end, and then what happens when a third party auditor comes in and then asks them, well, you're doing this, what, and then, of course, it's never, oh, you're doing this, that's great! It's, what standard are you using?

B: Is that an automated action? How do you continue, how do you make sure that that control continues to work and is scaled enough to work effectively, right? I'm just saying that because it's an AUD-1 control, that's what we're quoting it as, right?

A: Per added dependency, in other words, once somebody double checks and says, yeah, it really is that one, the one I want, I mean, you can obviously have others audit and double check and triple check and quadruple check. But, for example, if there's a new version, it's from the same place, it's already the one, like, I don't have to recheck that every time there's a new version if it's from the same sources, because I already verified that source.

B: Can we call something else? I'm playing, so I mean, I get it. I'm playing devil's advocate with the way it's presented in the spec. These are the kind

B: They only have a clue about what they read, and verbatim, according to this industry, this organization, whatever the case is, you're supposed to have this. Do you have it, yes or no, right? And do you have it according to the way it's written now? If you have it according to the way it's written, how well does it work?

B: They don't care, right? They have no idea, so the business reason behind it, irrelevant. Do you have it or don't you, and is it working effectively? Anything else about it you can take up later, when it comes to when the issue gets created, and now you have to respond to the issue.
C: And I love where you're going with this, because it's maybe making me think that the audit category of requirements is creating

C: preconceived notions of what that implies. Audit is like, hey, you need to, in ingest, you have to force everybody to consume open source in a standard way. This is the approved way to consume open source. Then I'm going to audit my organization to see if I'm catching people consuming it the wrong way, because I can't control my supply chain if people are consuming in all of these different ways. So audit was really, it's not like foreign auditor, but it's like, it's.

B: If I could tell you how many times that we're in an organization, I'm doing an organization, a third party, or I'm doing it internal, and I'm being given a policy, an internal policy, and I'm auditing against this internal policy. Well, what was, what? How did you write this policy and what type of standard did you use to write this policy?

B: What's going on, and I can kind of, you know, this is where I go with the difference between a straight audit or an advisory type of audit. An advisory, talk about, yeah, a little bit more leeway with this, right, where you can now think about business, the nature of the business, right, and then you can say self-attestation, things like diverse, and, you know, what will come up later on, especially as they weigh this stuff against things like FedRAMP or weigh it against things like PCI, you know, I mean, where they're creating services or creating tools that have an impact on those particular standards as well, and whether or not what gets implemented from this can be crosswalked over to those other standards and requirements so that they play nice together.

C: Yeah, so I mean, I think we just need to pull it up in front of our faces, and then we can see, like, we have these as, like, verify the provenance of your OSS. It's more like a, verify that the thing that you've already pulled in is from, like, where you expect it to come from. I mean, this is actually more of a security check than an audit thing, but it's, it.

C: This is like how you establish trust that you know this open source came from this repo and it tracks back, right? That's what npm is doing with their whole, like, attaching build provenance to npm packages and attaching it from the repo and everything. This is, and so these are, like, validation steps.

C: It's not really meant, this section is not meant for internal auditors. It's meant for, like, when you think about a whole framework of things to run a successful way to secure supply chain, whoever's responsible for implementing this framework needs to have these things well thought out. Now, let me take a step back, because what you also said was, like, well, what about the tooling that's going to implement this and do it in a scalable way?

C: That's why I was sharing my strategy doc, that the S2C, one of our goals is to help drive tooling innovation, because I think I can name two, maybe three, requirements right now that are not really readily available in the industry. Things like, where'd it go, things like scan for end of life of open source, yeah, right. We've had IBM on this, here it is. We've had IBM on this call say, like, hey,

C: that doesn't really exist right now, but sometimes you have to have the requirements first to push, to drive the industry to figure out what's needed, and IBM was actually really excited about this because they wanted to start doing this with their tooling.
C: And that's exactly, like, the type of thing that we want this community to help influence. We're going to make a, if we can set these requirements that are going to help people make smarter tools, because they're going to realize that there's these problems that need to be solved, like, we're doing the right thing. And so, like, if we make a requirement that says.

B: Yeah, that end of life piece was phenomenal, because it, and not just when it comes to OSS, I'm talking about, like, you'd be surprised where end of life comes up, just normal SDL type stuff, like in life, yeah. No, that really should be a part of this. End of life should be a part of this cycle. I don't know why we keep.

B: So I get the document here. I'm playing devil's advocate. As we become a spec that gets adopted by companies, and we're asking them to use this as a tool to govern how they're ingesting and govern how they're managing their dependencies, and let this be a governing doc for the purposes of how they create policies and procedures in their org.

B: And then, of course, this becomes a subsequent look at how are you measured against this doc, and then you look at that area there and you see audit. I can tell you right now that internal auditor or a third party, I was going to say, audited, and they're going to say, how are you auditing it? What's the tool that you're using? How are you recording any faults or any issues?

C: Yeah, this is the, the goal of this practice is really to have that kind of chain of custody, so to know where it came from, to know that it came through the official supply chain, and it's the long tail, to be honest, yeah.

C: This is the harder problem to solve, to be, like, a hundred percent across the board, yeah, but yeah. Okay, we're about at time. That was a really healthy discussion. I'm gonna comment here, based on our discussion, that, like, best practice when writing requirements is to not include the word "and", and I'll finish this up and we'll keep this conversation going, and I'll suggest that we create a new requirement.

C: I was initially thinking we could put it in the audit requirements, like an AUD-5, but, Jay, if you think this is like a job for scanning, and we think that scanners should be scanning package authors for, I mean, we should have a discussion about where to put it, yeah.

B: That's a good question. I don't know about scanners, because do we have, would we have a scaling mechanism that can actually do that, and if we did, how do you put all maintainers in such a scanner that would allow you to search, like, for, in the case of the example we used before, capital I versus a lowercase l in the name.

A: Because someone has a name that's similar or equal to does not mean the attack is here, so I think, I'm not sure exactly where to go with this. But it's clear to me that it's something that needs to go in as a separate item, and I think I would focus more on the initial, when you bring it in, that's when the double check at least needs to take place, and a double check that's aware that this attack happens.