From YouTube: Securing Critical Projects WG Bi-Weekly (June 1 2023)

B: So the business model for GUAC, or sorry, is to have companies import their private SBOMs and dependency chains into the rest and connect that up to the public graph that you created, and then that concern will keep that information cordoned off and proprietary, yeah.

A: I mean, I think there's a lot of options for kind of early days, so, okay, yeah, and like run GUAC, or, you know, people are going to need a lot of help getting like a process for, however they build software and SBOMs, to all like beat into block. And then what do you do once you have that data? Like, do you build policies, or, you know, like procedures on top of that and integrate that with the rest of your company, yeah.

B: Yeah, autonomic use of this graph could be interesting.
A: So, at the risk of repeating myself, I'll say I think so. Our meeting invite got updated. The meeting notes document was replaced. The old one, I think it was, it was owned by Dan and it wasn't shared to everybody and we had to join the group to access it.

B: No, yeah, I mean, I found that even when I went, I mean I, I use Google Calendar and I can never get it to actually copy it from the OpenSSF calendar into my calendar at the alternating times. It always puts it at the, whatever it was originally, the West Coast select. I mean, you know, yeah, I'll go in there and say, okay, yeah, I see it at 6 pm and I'm in East Coast US, and let me copy this, and then it copies it and puts it. It's like, no.

A: On the other one, so if you see this at the top you're in the wrong line, and then that's 518, okay, okay, cool, let's go back to here, all right! Let's keep these two skipped again. These last few lines: SonarQube.
B: I mean, in some places they're like self-referential. I'm like, we're, I mean, part of what the OpenSSF is trying to do now is create this Sterling toolchain. So it was, the Sterling toolchain automatically become critical software because it's a Sterling control chain, I would say. I mean, it's like, you know, art, I guess, I guess we need to call our, I mean, by definition, our tools have to be critical, right. We, OpenSSF, right, all right, I don't think so. No, okay, I mean, I just realized.

C: The, the thing that would, so assuming we like accept that SonarQube is popular, the thing it's placed in the CI chain is interesting, and the, like, the fact that it's parsing source code is interesting as well, but I really don't know who's using it.

C: To here is that a client, the server, is it more than one aspect, like it's not actually clear what we are actually asked to be, yeah, well.

C: Yeah, that's a fair point, and it's like technically, like the licenses. We.

C: Like, on licensing terms, this could be a dubiously tricky one to deal with. The free, like, there's a free server license, but what is the license itself?

C: So it's a teams, yeah, it's a customer license. I would claim this is not quite open source, yeah, yeah. I think it's probably, it's not to say it's not popular, right.

C: Although they appear to have a, the plugins are built, there are plugins built into the repo itself.

C: Yeah, Telegraf: do you want me to find one?

C: There's also, looking at this, there's a Telegraf. Oh, this repo itself has a, the score that I had from it last time was, hang on, if only the columns are in order, default score is 0.65.

C: It's kind of in, like, it's not high, that's for sure.
A: Okay, I mean, I think this is one that, like, we could see it becoming critical if it had more evidence, but it's like, it seems like a popular and used project that, in.

A: Yeah, oh yeah, then my other argument is, like, yeah, things that are like necessarily, like, outside of the, you know, your core infrastructure, like collecting, processing, aggregating metrics, like if that's compromised and you have like a true zero trust architecture, then like what can it access? Like, I don't know, you know.

C: It depends on how they are architected. Usually, though, you have agents living inside the, inside the kind of software that you're monitoring. So this one is like, it would be worth looking at. What was the other one? There's another one that I was hit around for that was right at the top and I can't remember what it's called because I'm having a blank on it at the moment, that's quite popular, going through the main set. Let's see if I can see it.

C: Or an nginx is like far outs to trip them, yeah, but it may be that it suits itself more too. I mean, there are, to like, Kubernetes uses, so it depends on, right, like, yeah. It's like Kubernetes-native API thing, like I think it's tying itself to that.

C: Docker pull counts, and it's the sort of thing where, like, it's accepting internet connections. I mean, the others are kind of like.
B: I mean, you know, even if, if it's in the, you know, duopoly or triopoly, it still seems important there.

B: Yeah, but that doesn't mean it's not critical. I mean, it's like, if you know it says, I mean, yes, you don't want, you know, ones you choose, but if it's still used by, if there's some specific Kubernetes configuration, you know, that, that uses a lot, that it just gets embedded into lots and lots of microservices or lots and lots of, well, I mean, lots of containers everywhere. So it just becomes.

C: A lot, yeah, and it's, and it's not going to be like, the difference between this and some others is that some are like part of the CI chain of tooling. This is kind of more on the edge of your actual infrastructure, and given like the prep, like the popularity in web attacks or HTTP attacks. This.

A: Yeah, I guess so, the pull count, like if it's, you know, every time a part, a node starts or something, it has to pull this down. Yeah.
B: It's, see success stories: DuPont, NASA.

B: One thing they said, just sort of looking: if there's a specific configuration that use, like, you know, why would somebody, I mean, you know, if there's a specific Kubernetes configuration that itself, we would agree, is critical, that prefers this, then I think that, given, as, as we've been saying, this is the, you know, external visibility. It's the.

B: This is the proxy that I can definitely, you know, go along with, you know, if by default somebody's downloading some, you know, standard Docker configuration for some, you know, Docker image that's always using Traefik.

B: That involves that in some ways it's even more critical, because it's this, you know, web front end is the interface and people are using this without thinking. I mean, in other words, if it's just there and they're using that, it's even more that this is something that just needs to be robust, because people aren't actually bothering to think about the configuration.

C: Following, I, I would lean to yes, yeah, just because it is like on the edge of the network by its definition.
A: Let's go next, the Vault. Clearly it's, there was a lot of passwords.

C: Yeah, yeah, so any like cloud-native storage, yes, but the fact that it's kind of agnostic, yeah, I think I have used it before as well.

B: Oh, you just want everything given to you. Yeah.

C: Even if it's like, I think a lot of people use this project like anything.

A: But we're gonna go with this one, then, okay.

C: I mean, the only thing that's really interesting is that it's used for the same bar, like, but I don't think it's like in the same way.

C: So online commerce is often run on WordPress stuff, so yeah, and lots. Oh man, it's so much, yeah, gets run on WordPress. Like the obvious thing is a lot of blogs and company websites run on WordPress, but there are plugins that, like, let you do other things like data collection and like online shopping and things like that. So yeah, it's, it's the sort of thing where a plugin getting compromised that runs on enough websites ends up as a news item. So.

C: So yeah, I don't know, it's just the, the fact that like if you were not wanting to spend a lot of time, yeah, building a website, or if you're a, an agency building websites, you may use WordPress as the basis for how you stand these things up. So the sheer scale of WordPress is, yeah.
A: Yep, cool, all right, we're done, I think we'll leave those two for later. So the thing that we didn't do yet is go through this current set and see if there's anything we want to take off.

A: I did kind of ask people to put some stuff in, but I don't know if anybody did. Do we want to do like an offline pass on this and maybe see if there's something, anything that pops up? If not, then we ignore it, or do you want to go through this live?

C: Yeah, it's, it's, you'd almost have to stack rank them, and which is itself like almost impossible, to figure out what stuff floats to the bottom, yeah.

C: And I, I suspect that any stack ranking will be: everyone agrees on the stuff at the top, but then at the bottom, like, the lists are totally different. So it's gonna be hard.

B: I mean, there's these things, don't, I mean, there, there's ownership, or so, like, you know, tender current feeding of it, versus also I think we were talking about using this as a starting point to eventually automate the critical. It's not use this as the critical projects, but use this as sort of an input for the critical projects. Yeah.
A: I mean, this, that, the second half of what you said is a potential, but absolutely not like tied to this as a requirement, for, you know, if we, I think the proposal here is that we own the list as part of the working group, and what we do with it we can discuss too, if we need to clean on it, but yeah. Essentially, we take over the ownership. I, I think I should ask Jonathan to do any, do a little presentation on it too.

C: Yeah, I think it makes sense, it just, I'd like to, were there, is there details in the doc around how it's generated, like what does it actually mean to manage it?

A: All right, well, I'll have Jonathan present to us what it, what it means to make it and run it and stuff.

A: I'm not signed in here. By switching topics a little bit, I know that they, they changed all the GitHub permissions. I'm gonna stop presenting them, you know, present the other tab. So for our group we should probably have, like, and then, if we do vote, like, if we do voting for this, accepting this list into the working group, we should probably have an idea of, like, who's a member.

A: So maybe we can use these GitHub teams to indicate who's a member of the working group, and, and I think being a member is just, you know, showing us them participating, so any, any thoughts there? What we should do on the, if the GitHub group makes sense.
C: Do they, do they include people who are contributors, but who may not be in the, like, regular contributors who are not in the, in any of those lists, like either as attendees to the meeting or as members of the groups?

A: Well, we'll be on, we'll be owners of the, of the, the list, so we can put whoever we want in the list. Okay.

A: Moved us because they, oops, this was really, really bad. Okay, so we were under working groups, as was package analysis. Package analysis was a working group and then I told them, oh no, package analysis is not a working group, move it to projects, but they moved us to project and they.

A: That's part of the, that's a member? Let's say David, you're not on here.

A: In this team, Caleb, you might be worried about this. Oh well, it used to be, right. This team used to have write access to criticality score. They gave like all these people write access to criticality scores.

C: Look, those people are all fine to have the write access to.

A: Said make another criticality score team, and because you're like, I, I, me and Amir don't need access to, write access to criticality score, yeah. That's.
A: Just permissions, but yeah, I want to have our, well, the voting use, I mean, yeah. I want to have you, yeah, exactly, yeah, I want to have our team here represent who, you know, I'll go through the, the meeting notes from the last year and add every person here, or something, you know, okay.

A: I haven't been a thing: that's called big, the notes. Other than that, I think we're done for today. Unless.

A: Last chance, yeah, I mean, I, you can, yeah, I.

A: So this one, we, nobody's really worried about it. It's just that, what's his name, a guy from Intel said he would go and ask the Octo project about it.

A: So I think the question about Puppet was if the open source Puppet was something that's actually widely used or not. Oh.

A: No worries, okay, yeah, I think that brings the end. Let's have a little break back, and thanks everybody for joining, see you in two weeks, except for you, Caleb.

A: Yeah, have a good time, thanks. Everyone, yeah, thanks, bye.