From YouTube: S2C2F SIG (April 11, 2023)
Description
The S2C2F SIG is a group working within the OpenSSF's Supply Chain Integrity Working Group, formed to further develop and continuously improve the S2C2F guide, which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer's workflow. The guide is split into two parts: a solution-agnostic set of practices and a maturity-model-based implementation guide. The Framework is targeted toward organizations that do software development, that take a dependency on open source software, and that seek to improve the security of their software supply chain.
A
Jazz, and there's presentations, and I get to watch a lot of that stuff go down, so a lot of good stuff there. All right, all right, we're coming to five minutes in.

A
You, sir, it is my honor. The agenda is, I want to say the agenda is very light today. What I did want to do was go over a couple of things from the Summit; I wanted to touch on those things for a bit. There's also a couple little things that you wanted to make sure that we, you know, pin down a little bit.

A
There are still a few issues that we're working through. We're checking those now to see if there are any updates to them from some conversational education I'm going about, especially dated; they knew we put in a new.

A
Second, into the Matrix that was some time ago; I believe it's still a conversation about that.

A
So yeah, let's get started. Open Source Summit North America, that happened. They had a couple of great discussions, a couple of hallway track conversations, but then we had a nice annual discussion for SLSA, S2C2F, Resco, and that has some good questions to it. We want to make sure.

A
All of them all received. Overall, we did have a couple of questions around the threat matrices and the respective frameworks, whether or not those were highlighted enough, how the frameworks could be utilized, or what kind of threats are mitigated in use of the respective frameworks. We wanted to make sure that everything that talks about those things. I think we did a pretty good job of it in the conversation. So that was good.

A
One of the things I wanted to make sure that we pulled in on, especially as the discussions over the last couple of days with respect to SLSA, I wanted to make sure that it's understood, through reading of the text in the spec, that we understand that S2C2F is a security framework.

A
If that's not clear, let's discuss that and let's make sure we get an issue put up that details why. That needs to be properly articulated in the spec, so that we can get that verbiage in there and make sure that we identify what it is, what it isn't. And then, you know, make sure that the abuse cases, the use cases, are properly articulated in the spec as well, so that it's a usable framework, right, so that it's usable. So I'll stop there. Launches now.

A
And of course, new people. I'm about to talk about new friends. I believe I've seen you in here before, Victor, but Tom, are you? Are you, Tom, you've been in other cities?

E
Yeah, I'm new to this call. I'm overall new to security. That's why I attend mostly now the end user related work groups, so yeah, this one, especially with SLSA being published, I'm interested in joining this call to see what happens to the end user around.

A
Perfect, and that's exactly what I am hoping occurs more often. You've gotten SLSA 1.0; let's jump on in here and see if we can make this better and bring this up quick.
B
Jay, I first learned about S2C2F, which I've finally written to memory, at the Open Source Summit a couple of weeks ago. I'm very interested in it. I'm responsible, for my company, for a program for consuming an awful lot of open source software, particularly the software supply chain efforts, and I've kind of dabbled a little bit in some of the other working groups in the OpenSSF.

B
Perhaps we can also contribute some of our practices and maybe even technology outwardly as we mature our, I guess, the governance and our workflows that we have for bringing open source drives through the companion for the products we end up killing, so excited to be here. It's probably going to take me a couple weeks to get up to speed.

B
I found everything I need to read now. I need to read it, so.

A
Well, you know what, so that's something that worked. It worked, our discussions, our parents discussions, everything like that at the Open Source Summit at work; you're here, excellent. We can get one if we can reach one. Oh, it's more than one, and then we're doing some, some extra special. Have you had a chance to read the spec over?

B
Yes, nearly completely. I'm a few pages away from finishing it, but the maturity model, even kind of the hype, the broad strokes of producing MTTR for vulnerability, the governance, and just save the convention.

B
One thing I have probably not, have you ever missed or haven't got to yet, is I feel like there are maybe two categories of consumer of open source that this may appear to. There are other folks that purely consume it as a consumer of digital goods, and some of those may be open source.

B
And then there are those that are consuming open source to then create proprietary software, which they then sell, and they may have quite differently. From what I can see, this seems very much useful to the latter, which I'm in. I just want to check I'm not mistaken, and it's just kind of help, let's say, a non-tech company deal with some of the things that are going to come up with, like things like the CRA sort of thing.
A
Yeah, so I mean you hit the nail on the head. I think this spec could be used, is usable towards the company who's new in the space, who's just starting out, and they need to kind of formalize a supply chain security methodology of some sort, or get themselves set up appropriately, and then, of course, for the company that has a process in place, this could be used to complement that, right, as like a check and a recheck and hey.

A
Are we doing this and are we doing that? There are a lot of organizations with supply chains and say, to say, secure. You know what, you'll shrug your shoulders, but there are a lot of organizations that already have their own processes and policies in place, and they come across a document like this and they read over and say, oh wow. Well, this is a threat that we haven't considered. Oh, and look, this is a mitigation strategy or recommendation for how we mitigate against that.

A
We hadn't thought about implementing this before. Let's go ahead and implement it, right, and then they drop back and they say, well, let's look at these different levels. Well, this particular, are we doing this? So, you know, and then it becomes the process of not necessarily, hey, we're going to implement this full-on, but let's see how we're doing against it, and then, if it's viable enough to say, okay, well, hold on, we're finding ourselves not in alignment all the way with this.

A
Maybe we ought to implement this in alignment, to be further in the line of either compliance or to be able to. We had this conversation about the differences in the attestations, to say to be compliant with, or to be able to attest to how we have applied these sets of controls in this framework and this other framework, right. So, you know, you could use it as a man, which is great. So your use case is wonderful as well.

A
What I will say is that you've had a chance to look at it, to read it somewhat, which is great. I would then say to you, put your thoughts down.

A
I was hoping Melba would join. I had a great conversation with Melba last week. I want to say it was either Thursday or Friday, and oh, no, no, but highlighted, underlined, circled, put stars; Melba did this whole thing and we went through it, and it was wonderful because she picked the spec apart like nobody's business, and it was: these are things that we do, these are things that I love, these are things that, you know, let's discuss, these are things that, you know, well.

A
Did it belong here or should it belong down there? I'm not fully understanding what this is, all of that stuff, which I thought was so wonderful. Put the issues in where you want to see changes. You know, bring it to the discussion, so hopefully Melba gets a chance to join. I know Melba has been going at it all day with stuff in her day job, but dude, please feel free to do the same thing, because that's what this is for.

A
What this is for. This is for the individuals who are going to consume it, use it, help build their practices off of it, to say, hey, these are the things that we're looking for in our industry, right, and so because of that we want to make sure that we understand this threat or this particular risk, right, and let's get that stuff in there. So thank you very much for that, Tom.
C
Yeah, I mean, I'm not proposing we actually do that crosswalk right here, but, I mean, obviously that's possible, but maybe we ought to talk about. What I'm hoping to do is talk somebody else into actually doing the work, always my goal, so, but I don't know of any conflicts.

C
I've read both documents, but not like sitting down doing the crosswalk carefully between, but I think sooner or later we do need to do that, and I suspect there's some terminology differences that are not intentional, not needed, but just, you know, now that we've got a 1.0 on the SLSA side.

A
An overlap, and I told her, I said, you know, that looks like an overlap, but then, when you consider what consumer means on both sides, right, we have a consumer in this way and the consumer in that way, that's when there should be. You should have that at that point, because then you're talking about what one persona is doing on one end versus what the other persona is doing on the other end, and how that handshakes to this girl.

C
Maybe making it clear that this thing over there meets this requirement over here, right, so that, you know, again, what we're trying to do is, instead of, oh my gosh, there's two different things, twice as much work. No, no, no. These things have synergies here.

A
She had this whole book, I mean, she had it out, underlined and circled and starred. So I was trying to see if I can't get her on Slack, and maybe she could send it over, so we can bust it open and look at it here. That would be great to do.

C
That would be, and worse comes to worse, you know, I put in the meeting notes the issue number here. This is issue 14, and, you know, maybe what we could do is just slip in all those things, linked in, into issue 14. Ideally you have, you know, somebody kind of doing the walkthrough, and then we can basically, you know, get the information and put this to bed.

D
Yep, yeah, I think that would help, because I know internally here we're starting to try and make our, you know, for ourselves, you know, follow the S2C2F, you know, framework, because I'd be thinking that there's a lot of great practices in there that are also sort of relatively straightforward and easy to follow, which is a help, for following a security framework is a big badge of honor, because most of them are, you know, have a there.

D
They get quite in the weeds there, but yeah, so I think with that, yeah, I agree, because I think, you know, we're trying to kind of follow something, S2C2F stuff; we want to, like, I get the general gist of, you know.

D
It's almost like SLSA artifacts that are produced are a part of a thing and, in fact, can be used by something like S2C2F, where you could say, hey, if I look at this thing and it is SLSA conformant, then, or, you know, sorry, if it is providing SLSA provenance and I trust that provenance; I'm not going to use any overloaded terms right now.

E
I did, but I said I'm actually also new to security overall. That's why I did, but I won't be able to remember anything at this very moment, but I'm, yeah, interested in listening and talking about it, the crosswalk between the two standards.
A
So, Victor, just so you know, I'm one of those that says, when you say you're new to security, I'm one of those that says you are the perfect individual to pick this spec up, read it, and then give us your thoughts. The reason why I say that is because you're new to security. That doesn't mean you're not insecure; it means you're neutral. You understand fundamentals.

A
If you picked it up and you read it, and you say, you know what, this part right here: I don't expect you to read the Matrix and understand what typosquatting is, or, oh, what's the other one, you know, understanding the nuances of phpMyAdmin and why that's the gift that keeps on giving. I don't expect you to understand those things, right, but what I do?

A
Actually, aside from that, when you read the framework, if you can read the framework and say, okay, I can follow the bouncing ball here, then that's perfect, because that means that at your level you can take that document and you're able to walk through it.

A
I mean, or crawl through it and get through it, right, and then explain it to somebody else, and it doesn't take much of an explanation; you're able to apply it and then say, this is what we did and why. So you'd be the perfect person, where at what season you are, the more critical you're going to be, and maybe potentially the more complacent you'll be with the controls that you already had implemented, and now.

E
Yeah, I do have a, what's it, completely, I guess, database security I've been working on for 20 plus years, so yeah, but I look forward to asking a lot of basic fundamental questions. I guess, look forward to that.

A
You've been doing database security; you're not a newbie, Victor. You're not as new as you said. You would have been doing database security, I mean, you'd walk us around server-side versus client-side encryption every which way from Sunday, and then it'd probably be in this very spirited debate, which one is better under which circumstances, and why, and very few people can actually do that, yeah, who are more advanced in this game than, you know. All right.

A
Oh, and do we want to discuss other issues? We absolutely want to discuss the issues. We can actually go through some of the other issues. Now some of the issues are older. Some of them already have comments in place that they're currently being worked on or worked through. Take a look at, okay. So we have here one that says the phpMyAdmin, but it seems to be misclassified.

A
But, you know, I really love if individuals who write the issues join the SIG meetings, so they can explain the issue.

C
Given, okay, which one are we at here?

C
Yeah, you know what, I think maybe what really needs to happen here is kind of splitting up the problem, because there's many ways that backdoors can get into a system, anywhere from the backdoors in the source code, somebody subverted the build process, to, in this case, it's really, I would argue, a distribution problem. You know, so they got it from somewhere, but it wasn't, but where they got it from, it was hijacked.

C
How it was happened, it's.
A
An issue 16, that was an update, I see, just the one, just the one, no.

C
No, no, no, no, no, I'm sorry, yeah. The Ars Technica article has an update, I'm sorry, yeah. Basically, according to the updated portion of this article, it was subverted on the official source, SourceForge in this case, but only some versions, and at least in this article it's not entirely clear how that happened.

A
Yeah, like I said, I think, you know, in the spirit, I see his point, but I don't, the control, I'm not too sure that the spirit of the control is, no, like I said, maybe the parsing of the two different threats might work too, and then you'd have to split up the mitigation strategy, split the control, yeah, to say this control for this, this control for that. But, you know, that might work out a little bit better.

C
Right, so let's kind of push down to brass tacks on this specific issue. It appears what happened was that the Korean mirror of SourceForge; SourceForge had a bunch of mirrors, one was in Korea; a file on the Korean mirror of SourceForge was subverted. Now it doesn't appear that the subversion was in the original code at all, or in its original created package.

C
It was, but unfortunately, SourceForge was the official source, and if you happen to have gotten it in a particular day range from Korea and you've got that particular file, which I guess a couple hundred people did, then you got the subverted one. I mean, one obvious solution to that is signed packages, which completely, you know, if you verify the package, then that eliminates the issue, hi six door.

A
So I can respond, unless you, maybe, we want to respond to the, I'm.

C
Going to type into the issue. Okay, let's see here, yes, the problem in this case was that a single mirror, the Korean mirror of SourceForge.

C
Yeah, yeah, I have to admit that.

E
I'm not sure how many you should have, actually just one. David was talking about Mike, Michael, going to crosswalk between the two specs. I have some, just some idea about that. One thing I've been attending is Henrik is actually hosting one of the work groups, end user security threat model architecture.

E
What I find productive, actually, the past couple weeks, is actually focusing on one area. In that case, it's developer machine, to just basically where developers build their, you know, do their job, right, so in the two specs, SLSA versus S2C2F, is there a way to map?

E
In other words, if I read the whole thing, probably after I'll forget, is there a way to map these two in the subcategories? It's this way, and then during the discussion, I can just focus on one area of the two specs.
A
I was gonna say, so these, both of these don't lay over on top of one another like that. If you want to take a supply chain from end to end, you'll see one starting on one end, or one starting from one and then one starting from the other, and they're meeting kind of sort of in the middle somewhere. So I don't know that you'd find an area that you overlap and then provide.

A
If I did this correctly, I should meet these controls and, of course, you can look over that and verify that, and then you're just doing a, so you're just going through the different controls of S2C2F from an end user perspective and saying, okay, well, I need to apply these controls. Here's applied control, this, the idea now, so I'll say this again, but maybe different.

A
If you're doing some of the things in SLSA, you may be able to say, you may be, you know, getting those products that I'm meeting these controls in S2C2F. Now you have to look at the controls in S2C2F to determine whether, you know, what you've done is meeting those controls. It's not just a, you know, I've done this so I'm meeting this. No, you want to make sure, because you are looking at these things from two different ends of the supply chain.

A
I want to make that part clear. That being the case, you still, just because you might be meeting a few of the controls from what you did in SLSA, you still have to make sure you're meeting the level, the requirement of the level in S2C2F. So there may be other controls that are required to be met to reach that specific level, whether it's one, two, three, or four.

A
So I'm saying that as a rule of caution: just because you're doing one, and one will help unique controls in different areas of S2C2F, it doesn't mean you meet the full level requirement, or the full maturity level requirement of that specific level in S2C2F, because you have met some of the controls from how you've applied SLSA. Does that make sense, Victor?

E
Like, yeah, I know what you're saying, so I'm trying to just, you, basically digest it a little, in small pieces. For example, I just posted the risk model, I mean the attack actor, I guess, database from Henrik's discussion.

E
So how, when we try to correlate the two specs, so as an S2C2F, is it possible to talk about, like, for example, one particular attack, right?

E
If we find one attack vector, and then that's, in order to really safeguard against that attack, we need to do something with source, you know, follow the sources back, and then for the end user to be able to leverage that, they need to do some additional S2C2Fs.

E
To make it happen, right, so that's one way, or it could be, regardless whether it's built, you know, SLSA or S2C2F, it's all related to a developer laptop, right.

E
You are a user if you're still using a developer machine, a laptop, so that might be a way to say, okay, we're just talking about developer laptop when it comes to both the build stage, the SLSA part, and the end user stage. I'm just giving an example. I guess, is how do we put into two tools back into pieces, so we can just focus on one small area that's common between the two specs.

A
And so this is, first of all, I like this. This is all right.

A
What you're looking for, then, is a threat matrix between both documents, that you can map the threats and the mitigation strategy, the recommended mitigation of those respective threats, across both frameworks. So.
A
So if you're mitigating a threat on one, if you overlay them and you can say this threat and this threat, and you look at the controls from SLSA and the controls from S2C2F, and you see that those may be similar or there may be a difference. But if you're applying all of the controls that you see there, if there are differences, it might be the same, right. But if you're applying those controls, then you should be meeting the.

A
You should be meeting that level or, you know, respective levels per the applied controls for the mitigation, or for the threat and the mitigation strategy, based on the threat that you overlaid between both frameworks. That would be something that you can do from both S2C2F and SLSA, especially when you take the threat.

A
Matrices that are within both, and you overlay them and say, this is the threat that's seen in both, and this is how one does it, and this is how the other does it, based on, you know, either from a consumer standpoint or from the producer standpoint. Like I said, those may be the same, but there may be differences in how the control gets applied or what type of tool is used, you know, during the build, or when you're consuming or injecting, or you're mirroring, or whatever it is.

A
You know, there might be something you don't want, the other side, right, that could mitigate the same control that you overlaid. I'm saying a lot of words here, but you get where I'm going: take the threat matrices, lay them on top of one another, find the similarities, identify the controls within each one, meet those, and you should be able to cover down on both of them, or one or the other, depending upon what the actual control is. Does that make sense?

A
Right, and sometimes it may be the same thing, sometimes it may be two different things, but it'll help attack it from both ends, so that, if you do both, then you know with a degree of certainty, right, that's 100 for the degree of certainty, you have mitigated that threat across your supply chain, in your pipeline.

D
SLSA is very focused on the producer side, right, and we've largely said, hey, it's up to you to figure out how you, you know, consume and who to trust and yada yada, and I think that's kind of where a lot of the S2C2F stuff comes in and says, like, hey, assuming, let's say, I do trust this person doing the right things, then what should I be seeing from them? What is the evidence? What are the things that I should be seeing from them so that I know that?

A
Yeah, that's a great question, Victor, and also, man, thanks for that link you sent. That's something! That's some good stuff going on there.

A
That's actually great stuff to look at too. Lets us know if what we're doing, if we're looking at what's on top, what's on par with what's going on in the industry, what everybody else is seeing, but also, have we advanced or pushed the needle with both SLSA and S2C2F? Are we moving the ball forward?

A
Are we just recognizing common vulnerabilities, common concerns, or are we scaling and considering emerging threats? Are we getting creative, right? And my whole thing about the beauty that is information security in general is how artistic we can be with this. Are we getting creative enough around what the threat actor could actually come up with, and then are we at least saying these are potential or emerging threats that we've got to build mitigation strategies around as well? So thank you for that very much.

A
What other questions you got? I always do.

A
Does anyone have anything else that they want? Oh, we've got, we have other issues here too. I mean, I brought that 16 out. I also looked down and I saw issue number 12, and Adrian has responded to Reggie already about the difference between SCA-5 and FIX-1.

A
We talked about the crosswalk already, and I know Adrian has got with, or is currently working on, issue number 13. That was, those for me, those days.
A
And we did work on 17.

A
We have some work on sabotage. I think 17 was the one that elicited a new control, the AUD-5 control, which is good, so that's actively being worked on as well.

A
If anyone has any opinions on those, always put up any new issues for us to discuss as you see that; bring them here and then lay them out. Hopefully on the next call we can get Melba once again. I go back to Melba's; as a matter of fact, I'm going to ask if we can post that on the Slack, and, you know, that way it's on the Slack and it's up with discussion, you put it to the agenda, and that way on that next meeting you have it up on the Slack.

A
We have it in the agenda for the next time. Discussion a couple of weeks, 10 minutes left, they won't have anything else, would have been the order.

D
So I know we spoke about this before, and I think it's a relatively minor sort of thing, but I know one of the things that came out of KubeCon EU was a few folks were looking at S2C2F, and they looked at sort of the Microsoft website that still says Microsoft has S2C2F on that site, and I think just sort of highlighting sort of the difference between, hey, it's an OpenSSF project, Microsoft contributed it, and here's like the Microsoft tools or whatever that, you know, we're using.

D
It's only just in these two places. Let me just copy this, where I think it caused some confusion, where on that website there, where it's like it should be like, let's say, the, you know, OpenSSF S2C2F is based on, you know, whatever, and then, like, our, the Microsoft approach, or something like that, just to make sure that it's clear, you know, unless I might be pulling a cached page or something.

A
Oh, I see it right here at the top. Okay, so yeah, okay, so good, I'm seeing that that needs to change. I talked about this before; that's at the top. It's at the bottom here, and, yeah, I told them specifically that that needs to change. You need to be putting a marker that it's been, all subsequent materials, blogs, and everything else, it says it's the right thing.

A
Okay, so good, I see that, the top hits here, at the bottom here, yeah, we'll get that ironed out from the chain. Can you do me a favor, Mike? Can you put that up as an issue on the, sure, sure, if you want to get, though, that means that needs to go in there as an issue.

A
I've been the maniac over the last couple of weeks about that, like, I mean, look into, to operate in earnest here, right. This is something that I want the industry to have its hands on, contribute to, build up, and be able to be utilized, and so I've been like a dog with a bone with this one: get the, damn, you know, let the messaging fit the situation, right, that the messaging be consistent across the board.

A
So yeah, please put that up as an issue, so we can fix it. Absolutely.

A
To adjourn the meeting, I was hoping someone would say.