From YouTube: Securing Critical Projects WG (May 20, 2021)
A: There we go. Okay, now this meeting's being recorded, and just for the record, Amir was just giving us an update on the managed audit program. There's an email out for folks that want to read more details; they are pushing forward and trying to get more companies and foundations to help sponsor this work. So, cool. We have one item on the agenda today: Jeff Mendoza from Google is going to give an intro to this GitHub app we've been working on. Are there any other items folks would like to discuss?

B: If we had time, I had an idea based on some discussions that were had earlier in the week about the White House executive order. There was some good info on that and a breakdown of what part of that executive order could apply to our work group, and I put it up in our working notes as a future topic idea. But if we're looking for something to do, I think it'd be a really good tabletop exercise to kind of just start.

D: I agree with that. I've been doing a lot of thinking and talking and discussing and workshopping that topic in our little world, so I think it'd be great to talk more here. Yeah.

E: I looked for everybody I could plug and stuck them in there, so hopefully that will result in more people at least knowing about it, and hopefully even using it or helping.

A: Yeah, cool, yeah, let's talk about that if we have time at the end.

A: So we do have a couple of Googlers working on it. I don't see them on the call right now, and I've definitely seen other names in the project that are active on it. So I'm not sure who they are, unless I go digging.

E: Yes, I just posted a note, by the way, just a quick FYI. Jim Zemlin has asked me to create a, "Hey, if we wanted to fund a whole bunch of things and fix open source software security and supply chain, what would we do? Can you make me a list? I need that in a budget."

E: Or not, but I think basically I don't have much more, other than I think he thinks he needs something quick in his back pocket to at least have something to start shopping. I think of it as a marketing way to enter in: "Hey, there are things that can be done, but you'll need money." So, just to be clear, I'm not claiming that list is going to be an OpenSSF-approved, vetted list; there's no time for that anyway. So I think he just wants something to shop.

A: Okay, sounds good. All right, cool. Any other topics to add? I guess we've covered a couple of shorter things.

A: No? All right, Jeff, it is all you. Do you wanna share your screen? Yeah, you can just share your screen.

H: Yeah, well, in a sec, but yeah. I just wanted to say, as you mentioned, I'm Jeff Mendoza. I work at Google on the open source security team, and I have a prototype of a GitHub app that I wanted to share.

H: Essentially, the app is going to be installed by an org owner on an org and then configured to enable or disable certain policies, or certain options in those policies. Then it will see if the repos are compliant and take action based on that detection of compliance. So I'm going to share a window.

H: So I have the code here of the prototype, and I'll just go over a very quick section of the code, just to reiterate what I was just covering.

H: Essentially, the app would typically be based on GitHub webhooks, but for the prototype we can list the installations and repos of the app and then run policies on every repo that the app's installed on. Run policies will run a check for each policy that's been developed. The policies aren't meant to be plugins; they have a clean interface, and we can accept contributions for policies in the future, and then, based on if the...

H: If the policy doesn't pass, there's an action that you can configure for each policy, so different org owners might want to have different actions. Log is just to log this, the status. Issue will be to create a GitHub issue, which I have the code for; I'll demonstrate that. Potential other actions might be email, and then fix would be if the policy is something that can be fixed in code very easily.

H: So the way it's configured is through an org-level repo. Now, this configuration's optional; you could have repo-level configuration, but it's easiest to do it at the org level. And by default, when you install the app, it's set into opt-in mode, in which you would have to actually list repos that you want to opt in. That way, you can install it on your whole org and not get a bunch of messages at once.

H: And that's going to turn on the bot, but then I have a configuration per policy. So the first policy I wrote is branch protection, and the default here again is that it's on an opt-out, sorry, on an opt-in, and I'm going to change it to opt-out, not true. And then also the default action would be log, but I want to change it to issue. And as you can see, here are all the other defaults: it enforces that PR approvals are required, approval count one, dismiss stale, block force, etc.

H: And then, maybe refresh here, I can see that it went ahead and created an issue, or actually reopened an old issue that I had on this repo, saying that I have a security policy violation in branch protection. Branch protection is the name of the policy, so different policies will have different names, and then it tells me exactly which setting I have out of compliance. So, reopening this, and again, on the settings, I could...

H: I could go ahead and make this repo out of compliance for other things, such as, I'm checking there and checking here.

H: ...bot, it's going to reopen the issue and find a bunch of other things wrong with it. Also, the configuration on the issue could be to ping the issue after so many hours, like if it's open and nothing's being done, it could ping it every 24 hours. That's the default I have right now, but again, I'm really just trying to show the concept here. The GitHub issue would just be one action; it could be email, it could be fix.

H: So it's really kind of an open slate and meant to grow over time, mostly in policies, but also in actions that people want to see their results show up in. Any questions, anything else? Anybody wants to see me demo? I have a few other things here.

D: Jeff, remind me, the name of it is this? So this is out there now, or is it yet to be made public, or...?

C: I have one question, which is, imagine a company using this. How would they deal with the GitHub API usage limits, like if you really had a lot of repos, you're a big software company? Is there a way around that, or do you just need to generate a bunch of personal access tokens? Yeah.

H: Great question, and quota is a big problem with GitHub. So this is developed as a GitHub app, and the way it works is apps have quota per installation. And so, when you install this on the org, you get quota for your org, and so we, or somebody, could run the app and let other people install it, and they wouldn't actually have to run it themselves.

H: Of course, it's open source; anybody can run it if they wish, and the quota will be based on the installation in the org. And Google, I mean, sorry, GitHub scales the quota based on the number of repos and the number of users in the org. So it's actually pretty generous, and it will scale again per installation, per org. And the app is using, I'll show you.

H: Yes, it doesn't use personal access tokens, and we are using some caching, based on GitHub, which has conditional requests.

H: So if a bunch of policies are requesting the same resource over and over again in each run, we will use the ETag to not scoop up too much quota there as well. So it is kind of written with quota preservation in mind, and then, of course, choosing to make it an app to get the generous quota you get there, versus an OAuth app or something you would run with a personal access token. Okay.

E: So you've already mentioned the protected branch and requiring additional reviewers. What are some of the other, can you list some additional policies that you could do that you haven't mentioned so far?

H: Yeah, so the ones I mentioned were anything on branch protection, the security policy, which would be the SECURITY.md. I had a couple of others: anything in GitHub Actions, because that's a file in the repo.

H: Making sure Dependabot is turned on could be one. Something that we've thought about, but I'm not sure because there's other tools that do this, is managing the people in the repo, in the organization.

H: So if you want to list the people here, it can ensure that those people are there, or let you know if somebody added somebody that you didn't expect. But yeah, I think I would want to compare that to some existing tools that already kind of do that for you.

H: We should be able to accept policies that maybe only one person is going to use, but they're turned off by default or highly configurable. Again, it's pretty straightforward: you have check, fix; you get a GitHub client, and anything you can check for with the client on the repo and then give a true or false will be something that we can add as a policy.

D: By the way, this looks really, really cool. I think this is awesome. We're, I mean, honestly, yeah, trying to implement more of these policies in GitHub, and having this done, I think it will be awesome. Having this available, really, really good.

A: Jeff, do we have plans for when you're gonna make this public, or how much further you wanna get before we can start recruiting?

D: And you said you sent some mail out on this, but I didn't actually see any email; maybe I'm not on the right list. So, if you just, maybe, I don't know, you can forward that too.

A: I don't know if we can show, like, a thumbs up, thumbs down. Oh wait, we have these. I don't know if they work for other people. Oh yeah, give me a thumbs up if you like it. All right, cool, yeah. Thank you, Jeff. I think this looks really cool.

A: Sweet, all right. And switching gears, I guess, Amir, do you want to kick off this discussion on the executive order?

B: Sure, I'd love to. Yeah, so my thought process for this was to do essentially a tabletop exercise on the two main objectives that came out of the executive order that really applied pretty specifically to our work group, I would say. So I'm gonna share my screen and see if I can do that. Let's see.

A: While you're doing that, I don't know if everyone in the room is aware of what has happened, but the White House published an executive order on cybersecurity, I think maybe last week, and I will paste it in. May 12th, May 12, there we go. So that is what we're talking about. I just pasted the link in the video chat.

B: Awesome, yeah. So, can everybody see my screen?

B: Okay, so the first one that came out of this, that I thought applied to the work group, was, the specific language is here off to the side, but basically the objective is to publish a definition of the term "critical software." Basically, in a sentence, can you tell me what is critical software? So I thought, as a tabletop exercise, we could come up with a one-page document capturing some thoughts on that, and basically come up with our best version of what we think the definition of that term is. So...

B: I threw up a couple of just really basic questions here: what it is, what it is not, other things that we could consider. So I'll open that up to the group for discussion. What would we say is critical software? I know it sounds simple, but it's also very expansive. So, just throwing some ideas out there; there's no wrong answers here. I thought we could capture some thoughts and ideas, if anyone wants to jump in.

D: Yeah, I mean, one thing had occurred to me, and I don't have the actual definition. This is really a good exercise to put thoughts together. I would think anything which operates at a privilege level, anything which requires authentication, which uses a network.

D: Those are, I mean, those are kind of some of the... that uses crypto. These are all sort of the elements that I look for automatically, at least when we're looking at internal software, what are some of the things that really highlight.

B: Okay. Oh, and by the way, this document I've shared with the whole work group. So if you want to jump in and type stuff into it, I figured the more the merrier. But I think that's definitely a great point. That was mentioned a little bit in the executive order as well, talking about privilege and...

B: Dependencies, dependencies the software interacts with. Good, good. It's a great start. Anything else come to mind for anyone?

E: When we talk about what's critical software, what the US government thinks is critical software, they immediately start talking about, for example, energy systems: dams, electrical distribution systems, and petroleum delivery systems. They talk about what matters to the society or to, like, the critical government functions.

E: So, if your company goes out of business, that's bad. If your government ceases to have a working government or working country, that's bad! So getting back to that other list, I would also add wide use, because it's more likely to trigger that. Both by itself it's more likely to trigger problems, and it's more difficult to fix it, because, for example, if it's ubiquitously used, a lot of the processes we might use to fix it don't work either.

E: I think that's an example: the problem with crypto libraries. If the crypto libraries have a serious problem, you often can't talk about it quietly, and you can't easily update, because the update mechanisms depend on the crypto libraries.

D: Yeah, Dave, I was going to comment on what you're talking about. Critical software is one that's more based on the usage, right? And the problem, often, with software, we all see this, right, is if some little side project somebody does turns into something that, at some point in the future, now everybody's depending their critical infrastructure on it. That's the whole,

D: if you will, ethos for this work group: to try and identify those things and try and address them, right? And so I think, if you think about the problem from not just the U.S. government but any organization, it is: this thing could get used everywhere or nowhere, let's just put some sort of stamp on it that says, well, no matter where it gets used, we can head off this sort of thing in terms of how it's developed, before it gets used everywhere, right?

B: Let me check it out. Okay.

F: So yeah, it was just, we were coming up with definitions of things that we considered critical, and I just wanted to make sure that we had the transitive statement that said, therefore, anything that we need in order that those critical things continue to function is also critical, right?

B: Yeah, dependencies, I definitely think, is a big factor here: dependencies and how widespread it is. What about, what's it called, availability of alternatives? If one thing is, let's say, important, but there's 10 other things that can do it very similarly, is it as critical as something where there's only one or two projects doing that particular function?

B: It's a good point. What about if we flip the script? Sometimes I think it helps, when you think about what something is, to think about what it is not. So does anything come to mind from anyone when we're thinking of, well, what is critical software not, or what is not critical?

J: The software doesn't necessarily have to be trusted if all you're handling is trusted data, right?

J: I'm thinking, like, the software that you're running in a VM to do data analysis, for example.

D: So, interesting. I was thinking, for me, having OpenTable not work is really critical, right? But for somebody else it might not be. I don't use OpenTable anymore because I can't go to restaurants, but I'm just saying it is very context dependent. Is a game, a high-end game, is that software critical software? Yeah, maybe not to you, maybe to somebody else.

D: That's interesting, but that's an example of not critical. Software would be something that's, like, consumer software or something of that sort, at least as far as the executive order is concerned.

B: I'll flip it around just a little. I mean, it makes me think of two ways of thinking about it: it's also about avoiding harm, not just about capturing benefits, but if there's widespread harm inflicted, and I realize that then requires a definition of harm, the economic or physical harm, that also seems to me related, but I don't have a crisp definition for you. Okay.

B: No, that's a good point, and yeah, the whole point of the exercise is just to get some ideas out there. So this is good stuff; that's definitely a good start. And then other considerations slash definition resources I put here as well, because there's a lot of people already doing these, and we don't want to necessarily recreate the wheel with a lot of other efforts. So I thought if there were other resources, white papers, I know some...

B: Some decent research came out of the EU-FOSSA work that I could probably dig through and come up with some resources here. I'm curious if any other resources or other things that are already being done come to mind that we could maybe use as reference, or look at to see, are we on the right track, or get some ideas from. I mean, NIST comes to mind, and accreditation bodies come to mind right away as well.

C: One thing I wanted to mention is the criticality score. So the problem with a lot of these approaches is it's manual work, so it never really scales to, let's say, x hundred or x thousand libraries. So maybe automation is some part we should think about: how we can derive many of these things in a more automated fashion, and maybe thinking about extending criticality score, which started as an OpenSSF project, to account for these factors.

D: That's why I was kind of trying to get generic sort of identifiers, like, does it touch a network? The other approach to this, Amir, is maybe, like, are there categories of software that we'd say this thing really is critical? Like, I'd say an operating system, right? Like, I'd say a Linux distribution, right? That's critical software, boom, yeah. What else? Non-critical software would be the latest game.

B: Right, that's a great point that you bring up, because actually part two of the executive order is, once we get an idea of what critical software is, the goal is to come up with basically some categorizations, and then come up with a list of projects that we would actually call critical projects. So I'm glad that you thought that; that means we must be on the right track.

B: I would say OS is definitely a category of software when you think about that. Absolutely. So, since we're already building some momentum there, do any other categories immediately come to mind with folks? I mean, you have, like, the database level.

B: I know there's a bunch of different layers that go with the development.

E: Yeah, as I say, I mean, we could go down this path, I'm almost a little afraid to, but, OS and databases and so on, but once we start going further, there's an endless number of categories.

D: System, yeah, but remember the goal here, David. I think it's important to understand why are we trying to identify, why are we trying to define critical software? It's because once you identify those things, you're going to be asked to apply certain principles onto them, development methodology, and prove that you're actually doing them if you want to sell them to the government. So ultimately, no one's trying to, if anyone's still trying to sell Multics to the government, God bless them.

D: So that's the value of something like an operating system: that says that's in the category that says, okay, if you're gonna sell an OS... And along these same lines, by the way, I was gonna say, I shudder to even mention this, but probably, I wonder if something at the level of a BIOS or a firmware or something like that is considered.

E: But yeah, it's probably firmware and, frankly, also management engines. Google management... but, well, I'm specifically thinking, like, Intel's IME, it's the other CPU that controls the CPU you talk about, yeah.

E: The baseband processors of smartphones: nobody runs Android or iOS. Everybody runs... the main chip that controls everything doesn't run Android or iOS; it runs the weird cell phone stuff that nobody sees, because you can't, and yet it was written, typically, in C, with no buffer overflow protections, right? I think I touched a nerve there, Dave, it sounds like. Yeah, yeah. So you've got the firmware, you've got the CPU, or, IME slash CPU control systems, you've got databases, you've got low-level...

E: libraries, like the C runtime. For web applications, you typically have web frameworks.

E: Yeah, let's...

G: See here, the build system, is that what you mean by management engines?

E: Yeah, yeah, I'm actually thinking of a separate CPU, not a sandbox within the CPU, but the separate CPU that controls the CPU you talk about, which a lot of people don't even realize is there.

E: Right, so again, I mean, databases and so on. Now, weirdly enough, in many systems, image processing software is critical, because, I mean, Android demonstrated this several times, and I bet iOS has also, where if you process untrusted data and it subverts the system, then, basically, more in general, parsers. So image processors, XML, JSON parsers.

D: Well, and just something wasn't captured, maybe I should just go ahead and help as well. We talked about management engines; let's be clear, management engine firmware, let's just be clear, not the engine itself. And then the piece that got lost was system management software. So system management software, which is typically separate from an operating system, but that's the core of what, SolarWinds was system management software.

F: I just wanted to say I'm not sure that it's necessarily a fixed category, but any piece of software which is on a path for establishing trust or authenticity is critical.

B: Yeah, it's a great point. Authentication, absolutely, that goes with that; that goes hand in hand with privileged access. So, absolutely.

A: Amir, did you see the comment in the chat? I'm gonna not pronounce your name right, by Yaakov. It's actually pretty interesting, a different way to sort of categorize this, like, how much time and effort does it take to overcome an incident, small, medium, large? That's another way to think about categorization.

B: Yeah, that's a good point. Does that have to do with, if you have any more context, availability of, like, alternatives as well, or is it specifically just categorizing based on how hard it would be to overcome something big, basically, like, an incident?

B: But yeah, if they get a chance to provide any more context, I would be happy to discuss that. And Lowry makes an interesting point too: when there's something critical, how would it be possible to limit its attack surface, just to limit damage, with some automatic mitigation features? Yeah, that's a good point. I mean, we talk about things like secure configurations and security by default, things like that.

E: Can I propose that, for purposes of this exercise, we not go there? Because I think that's part of the larger question of, once you identify a critical software, what do you do about it? And I think there's a long list, and that's one of the first ones I would do: can I reduce the attack surface on that critical software? Yeah.

B: Right, yeah, that's a good point. It's a good thought, though. Absolutely, I think when the time comes, we should definitely discuss that more: mitigation strategies, things like that. Okay, I was thinking one thing we could do, I don't know if the work group is down, is we could just go, each person can go and just say in a sentence what they think critical software is. I think a lot of good info would come out of that, if the work group is willing to do a round table.

B: The beauty is that this is shared with everybody. So please input comments, anything; it definitely helps. So, I'm sorry, David, were you gonna say something as I...

E: If it's not in the list, but a problem will cause you to lose your country, or lots of lives lost, that's a problem.

C: Question is, are folks planning to submit this as a position paper for this? Like, I pasted the link, so this applies to, I would say, one and three, and those could be definitely useful. So I was just curious, from the OpenSSF side, if this could be submitted as a position paper.

E: I can't speak for OpenSSF. I do know that after I do my current fire drill, my next fire drill is to write some position papers for NIST, for that executive order, but I'm just going to write them as me. I don't want to try to speak for the OpenSSF. I'll just...

E: This is just me, and if other people want to organize something for the OpenSSF as a whole, that'd be awesome. There's very, very little time to respond if you're trying to respond by next Wednesday, though.

B: Yeah, yeah, that's a great point, Amish. That was actually my inspiration for doing this tabletop exercise too. I thought if we at least had something, it doesn't have to be a very formal position or say this is infallible, even if it's just an opinion or a one-pager on, this is what we think critical software is and what its categories are.

B: I think it would at least help us contribute to the conversation. I actually signed up for that conference as well, and so, if we want to formalize this a little bit more, I mean, I could see us putting something on our GitHub, on the work group's GitHub, just saying, like, these were just some basic ideas we had on what critical software is, and a working list of what we think the categories are. I don't know how much we want to formalize it.

B: I guess we could leave that to the work group, but I just thought it would be a good place to start with getting some ideas on paper, and...

D: Yeah, hey, can I ask a question? Is this a good time to ask? Yeah, related to the EO. Yeah? Let's do it. So one of the things that really has, when I read particularly section four (anyone who wants to just sort of narrow down on something, section four is really a good one to focus on; I got that hint, that was awesome, that really reduced my amount of reading time a lot), but one of the things that's really got me thinking a lot is the requirement for build...

D: I can't remember the exact wording, I have to look it up, something about that your build infrastructure is administratively separate. Okay, and the way I've heard this described is your build servers are not connected, are an isolated network from everything else. Okay, I'm kind of being a little bit... I heard about this and I've checked with a few of my friends who are security experts, and they say, oh yeah, this has been a...

D: This has been an accepted methodology for the last decade, right, and more, maybe, from the high security area, and so it's now coming into sort of everybody else who's affected by this thing. So I guess the question is, if anyone is actually producing, and I realize this is an open source group, so we produce source, but there's organizations, Google, maybe others, that produce binaries, right, and would be affected by this. So I guess my question is: does anybody already have practices that they think define it better?

D: I could try again. Sorry, I could take it to the tailor and have it shortened for you.

D: And I'll restate. The money question is: does anybody have build systems that follow this practice? In other words, are administratively separate.

A: So I don't know what the definition of administratively is here, but there is an open source project that we contribute to called Tekton that lives in another foundation, and there's been a lot of progress on that project. One of the, I'm not sure if it's working yet or what state it's in, I can certainly find out, is doing builds in, like, a closed sandbox environment, so that way you can see that you can't access anything outside what it's supposed to access.

B: Cool, so with that, I'll just close by saying thank you so much for the great discussions.

B: Maybe formalize it a little bit more, or just create something to show for our work today. So thanks again, and if you have any questions, just hit me up directly and I'd be happy to talk about it.

A: Thanks, Amir. Yeah, I mean, I like the idea of, if we can get a little bit further of putting it out there, as, like, these are ideas coming from this working group. We're working on our own sort of papers here, so I can't volunteer my time, but I think, yeah, if you want to make progress on this, or other people that want to help, and circulate it for review before the deadline, I think that would be awesome.

A: I think, as long as we frame it a certain way, that would be fine, coming from the OpenSSF.

J: So one thing I wanted to say quickly is: I think this executive order is kind of signaling that they're going to try to do more, and my biggest concern is that they're going to insert giant layers of bureaucracy into some of our projects. And I really worry about a policy where they try to, for example, fix a bunch of different things, and that would be horrific for everybody, I think, and it would definitely not improve security overall.

J: I don't know how everybody else feels about that, or if you've dealt with FIPS software before. OpenSSL is, yeah, I mean, we did an OpenSSL audit and talked about problems that we found that affected FIPS, and they literally said, we don't care about FIPS, because it's too ridiculous to deal with. So that means that improvements could have been made had those layers of bureaucracy not been there, and I think that that is a barrier that we do not want to erect in other places.

J: So I do think that that's something that we should be thinking about, because that is a really bad pitfall that we can get into if they make the wrong choices here. Total...

D: Totally agree with you, Derek, and other parts of my organization are trying to work with that exact thought in mind: let's not make life miserable without actually fixing things. I would say the approach, my concern, the way I've learned that's a really good way of approaching these things, is to create a threat model, right? Who or what? What are your assets you're trying to protect? Who are the actors?

D: Who might try to do something, and what are the reasonable threats to mitigate? None of that, from what I can tell, is being done. It's all about, oh, here's some best practices, boom, let's put them in place. And so it's like, it's bad practice, but I do think the rush to get something going is taking over. But I totally agree with you that we do not want to create something that's a bunch of bureaucracy.

D: That's not going to help. There's some things, like SBOMs, requiring SBOM requirements, and some other things that will, and again, I think a lot of this is based on best practices if you're creating a binary, right? But there's also one thing that would be really helpful for the open source community to help with: there is a clause in there about providing some sort of provenance of the open source software you're using.

D: Well, I'm not sure that's a part of this work group; that may be part of one of the other OpenSSF work groups. I think that's going to be a key: how do I establish the provenance of the app store software that I'm using as part of my critical software, right? And I think that's going to be a biggie for us.

A: Cool, all right. Well, we're out of time. Good seeing everyone, and hope you have a good day.