From YouTube: Security Tooling WG Meeting (January 25, 2022)
A: Yeah, today I'm not in the car, that's good, but rather calling from my home office here.

B: So hopefully everyone has access to the shared doc, so please drop your name in there, if you'd like to.

B: We do. I don't know what's happening to Ryan, he hasn't been at the last few of these meetings, but well.

E: Actually, I can answer that one, so shall we just go ahead and start, because I do want to answer that question. So it turns out that Ryan has just recently moved to a new company and is basically no longer going to be able to lead this working group.

E: So basically the TAC is already in. I see Ava's here also, so Ava can say whatever I forgot to say or correct whatever I say, but I think the TAC discussion right now is, you know, who should lead instead, maybe should this group be integrated into other existing working groups instead of being a separate working group? I don't think any decision's been made, but I think that's going to be, but Ryan is not going to be able to.

E: Basically, I think his new company is not a member of OpenSSF and they don't want him to use his time on that, and I mean, that's okay. So that's, well, that's the situation. I think that's unfortunate, but you know, that's the situation, and Ava, please correct everything I said, please.

F: Yeah, I think at the TAC meeting we had a pretty healthy discussion about what the relationship between the TAC and working groups and projects, now the projects are coming in with code, should be in the future, and we seem to all agree that we want to think more intentionally about that and maybe model the relationship here in the OpenSSF on what's been successful in a couple other foundations like the Confidential Computing Consortium or the CNCF. I dropped some links into that meeting.

F: Notes on what Ann Bertuccio and I built in the Confidential Computing Consortium. That's been working well for them for the past two years, but ultimately, I think that conversation just now ended at we're gonna have a brand new TAC in, what, two weeks, so action items for them. No changes today.

E: Yeah, yeah, the voting will have ended in two weeks, but I don't think we will have seated everybody. So I think, honestly, although we will know more in two weeks, I think the new TAC will actually meet in four weeks. Yeah.

E: Yeah, so I would suggest that this group talk, you know, at least briefly talk about, doesn't have to be today, what would you like to see, and then, you know, let the new TAC get a chance to make some decisions, but I think that's up in the air. I don't think anybody needs meetings just for the sake of meetings, but there are real problems to be solved, so we want to get problems solved as efficiently as we can.
B: Yeah, I completely understand that and I have no problem with any of that, obviously. So, and I think this working group has historically struggled to come to a kind of unified view of what we should be doing. However, last time we did focus more on one thing, thanks to Paul coming on board, because Paul was very interested in the web application definition I came up with originally, and so that's something that I think we're both very keen to push forward, and other people have expressed interest as well.

B: So that's on the agenda, whether that has to be part of this working group or another working group or an entirely separate project. I don't mind, I don't get involved in these politics things, I just like getting on with work, so.

F: I would love to ask if some of the work that I've been doing on supply chain synthesis is useful or good information or duplicative to what this working group has already done, since I haven't been active in this working group before.

B: I don't know anything about your work, I'm afraid. So if you give us a quick summary, that will be very useful.

F: Link on Zoom. The TL;DR is, I started a Google doc last summer to try and do an overview of the entire supply chain landscape in open source, which included collecting or building a list and categorizations of lots and lots of different projects in the space, tools available in this space, and proposing a lexical categorization of those tools into roughly five distinct functions. There's a couple tools that cross into, or you know, fulfill multiple purposes, and the long goal there was to try and help reduce the communication.

B: Different. Cool, okay. That sounds very useful, but I don't think it's so related to what we're looking at. So the web application definition originally came about because we had a variety of people, or people with a variety of backgrounds, on this working group, and we got discussing the differences between static source code analysis, dynamic analysis and fuzzing, and static analysis tends to have an easier way of getting started, because if you point at the source code, it knows where the source code is. Dynamic...

F: Okay, so checking my understanding of this. The focus of this working group has gone from broadly look at all open source security tooling to here's a one category of tools that you've all thought you could make an impact with.

B: Well, I think the working group has gone through quite a few discussions, some of them very interesting, but they didn't really come down to... You know, nothing really came of them apart from, a lot of, you know, a lot of things were learned by a lot of people, including myself, but we originally, the people in the working group came from different areas and we dis...

B: We talked about our experiences, not the tooling, and the problems we found, came across, and we came to the real conclusion that a lot of things were kind of different, security tools work in different ways, because they do very different things.

B: There are definitely areas of overlap and areas where they could collaborate much more usefully, but we hadn't kind of got down to that particular... we hadn't got down to a great, a large number of things that we could work on. This was something that I kind of came up with, like the idea of, but it wasn't, didn't have enough time to push forward, but then Paul got in touch with me recently and said he was interested, in which case great, somebody can push it forward.

B: Yes, yeah. Let me, it is in this repo.
A: Maybe, Simon, while you're searching, just let me quickly chip in here, so please, today is actually my second meeting. So I'm not very familiar with kind of the history of this working group and what phases you went through, but maybe connecting to what David said in the beginning.

A: Personally, from the practitioner's perspective and from the industrial perspective, I am very much interested in having a working group on security tooling specifically, you know, because I mean you can have all those nice methods and metrics and whatnot, but at the end of the day the question is: how do you transform this into something that you can apply to your software projects or whatever? So this is actually how I came to join this group specifically, because the topic is, or the topics around security tooling is what we need, and I wouldn't say that we are limited to any specific type of tools. I assume this is just something that we have looked into and now we're kind of following up, but I will definitely read and check the repository that you have shared to see what kind of taxonomy that is.

E: Just so you know, early on in the history of this working group, there was a brief guide that was developed. I've included a link to it within the notes here. It's part of the working group's results, but you know, it's... I mean, I don't think it's wrong as it is. It doesn't go into some details, it's fairly abstract, I should say. So that's what it is. It doesn't say use tool X and name a tool or anything like that.

E: It's much more of the what are the main kinds of tools and what you might look for, but I think there was a very big challenge to try to figure out how to go further than that. So we created that brief guide and left it at that.

B: Yeah, I think initially quite a few people who joined the working group really wanted to have that definitive guide to these are the tools I should be using, and I think quite a few of us, the other people in the group, were saying: well, we don't have the kind of capabilities to evaluate tools in that way and make those recommendations, unfortunately.

F: Yeah, I would even pose a challenge to doing that. The OpenSSF isn't a great... it isn't appropriate to say, for all projects and products out there, here are the few that have been blessed right now.

F: The CNCF has been doing, in their security technical group, what they call a secure software factory, with a couple white papers and recommendations, both broadly on the flow one should follow, what kinds of tools to use at each step along the software life cycle, with a list of ones that they know about. They're being quite good at making recommendations that are non-exclusive.
E: Openness, I mean, I don't mind saying as much. In principle I don't mind, and it can be useful to say, given condition X, you should definitely look at at least, you know, tool Y and Z, but it is a challenge to do, and as far as specific... one of the challenges, it's very difficult to get data about them. Those of you who have followed some of this may be aware of problems like DeWitt clauses, which make it very, very challenging to find data about specific tools.

E: That's publicly available. I can tell you the US government has some data about tools that I am not allowed to talk about in public, because they internally did some evaluations, but publishing almost any of that is illegal under a lot of the... not illegal. It's a violation of the service terms, so.

B: Well, I think people were just asking for, you know, recommendations on open source tools, which shouldn't have so...

F: You're describing my point: it's not, there's not a problem with making a list of recommendations, but with picking a single one. Yep, no kingmaking.

E: Yeah, so I think there's a number of developers out there who would like to, you know, just tell me what to use, but the challenge is, okay, we want to be helpful to those developers, but that turns out to be much, much harder, which is why the guide ended up being what it is, which is, I think it does have helpful information, but it does not specify specific tools.

F: Yeah, and the CNCF's work, their initial formulation of this didn't include a list of specific tools, and the ones they've been sort of iteratively generating do include those lists. I can't speak to exactly how, but I think they're taking the approach of let community members provide a sort of a verified configuration, like here's the secure software factory paradigm. Now, in this configuration it's a combination of tool X, Y and Z, and in that configuration it's a combination of tools A, B and C.

G: Yeah, so something that just comes to mind is maybe, like, taking the entire DevOps cycle and just, like, for each phase of the pipeline, naming a few tools that OpenSSF knows can be beneficial, again opening it up for contributions, like if I have a new tool that I've developed and I think it can fit in this phase, I can suggest it or add it under certain conditions, and then even for, like, small companies that don't have the resources to buy commercial tools, they can have something that they can use, open source tools, to basically build out their entire DevSecOps pipeline.

A: And you know, even if you don't have, like, a really defined, say, recommendation or something like that, just having this place, this group, this forum to discuss with other experts what you could use and what approaches you could use to tackle specific problems, right, if someone comes with a specific challenge, is extremely useful.

F: Not to toot my own horn, but that is a big part of why I started the lexicon work or the landscape work last year, to try and... and it has not reached the desired, my desired goal for it yet. But what you're pointing at is the same thing.

F: What are the open source tools available that we can use to do that thing they need to get there? They have to start from knowing what are the functions they need. What are the things they need, what do the terms mean and how do they disambiguate an SBOM from signed artifacts from just a manifest file, like someone who doesn't know the space yet? How do they navigate the space to discover what they need to meet some requirement, and then what tools help them do that? Yeah, yeah.
E: Now it is, although it's a lot of work, it is easier if you are simply saying I'm going to list all the open source, or all the tools, in a particular area. There is a challenge of some tools that it's not always clear what bin they fit into, or they fit multiple bins.

E: But when I wrote up a paper a couple years ago trying to identify categories of tools, I listed examples but didn't try to do the kingmaking, just the here are examples of tools to show that, in fact, this category exists and here's a bunch that...

E: Yeah, and I could, there... I actually did some work a number of years ago for something called the Software SOAR, which, I mean, we identified 50 categories of tools and, you know, a number of tools within each category. So there's a little bit of cheat, but it kind of said a couple cases, so the same tool but used in radically different ways. But still there are a lot of different tools and that's okay.

B: Talking of which, I've just dropped a link into open source web scanners. I've just remembered, there's something I created recently. I've been maintaining it for some time, but I've actually made it public recently. So I just thought I'd throw that in there as something else.

E: I have, yeah, I have an older list of all open source static analysis tools. I haven't maintained it for a little while, but I mean that could be, if somebody wants to pick it up and grab it and move on, that would be awesome, with my blessing.

B: People have... this has been suggested before, of maintaining a list of all of the tools in the area. I mean, OWASP maintains a list of DAST and SAST and various other tools as well. So there are other organizations doing these things.

B: I think really one of the key things is who actually wants to do some work, because I think there's a lot of people who are very happy turning up and chatting about things, and I include myself in that list as well, so I'm not here to grab loads of extra work, so I'm as guilty of that as anyone, but I think there's been some grand ideas before, but if people don't want to pick up and actually do stuff, then it doesn't get done, so you know, there's loads of things.

A: So the question from my side would be: you know, if you kind of come from this, like, industrial background, I actually am rather driven by specific problems, and then I'm very interested in looking into any potential approaches to tackle these problems, be it existing tools or be it, for example, ideas like what Simon initially started with, this web application definition, which I think can be also used to, I don't know, enable, say, easier fuzzing of some embedded tops or something like that. So I don't know.

A: I'm not entirely aware of your background. So, yeah, can you somehow... what's your take on that?

A: Everyone, basically, like, what about this, like, problem-driven approach, basically?
B: Go for the problem-driven approach, you know. Are there certain things I want to solve, and I like focusing on those, so I'm all for that kind of approach. It depends. I don't know what other people think.

B: I mean, I think we're kind of, I mean, I know I've been, you know, looking at particular things, I'm not sure anyone's really been looking at what this group should be doing for a little while, and it's kind of, as I said, I think it's very much a question of who's here and what we want to do, so I mean maybe now's another good time to just do a quick round table and say why we're here, because I think, you know, some people have only just turned up.

B: Some of us have been here for a while, but you know, the group has definitely changed over time. It'd be very interesting to know what people actually want to get out of it.

A: All right, so my main motivation is to look into what's available in terms of open source tools for specific security tasks, because, from, well, basically what I do: I do security research in an industrial setting, and you know, along this security engineering process that we have, you have many different things you have to do, and obviously, if you want to automate as much as possible of these tasks, then you need tools, and this is what mainly motivates me to join this discussion.

E: I do take Simon's point, though, that if you say hey, we want to do X, but no one will do X, well, nothing's happening then, so something needs to change. Then tell it when we have everybody point to somebody else, or it takes a long time for us to stare at people to figure out who's next. I'm...

F: Hey, I'm fine with that. I've dropped into this and a couple other working groups infrequently, but in looking at the GitHub, there's been very little activity. So I think, agreeing with Simon's point, working groups are great when work is being done.

F: I would love to see this body start having regular attendance from people, from the same people who are actually standing up to do the work that is valuable to the group, with then a check-in to the TAC, or you know, to other folks, saying: hey, here's what we're doing, here's why we think it's important, we'd love some feedback. That's the most important thing that I can think of, just my opinion.

B: I'll chip in now, so I got pulled into this working group because there were people who understood about sustained fuzzing, but not DAST, and so I'm part of OWASP, the project leader of the Zed Attack Proxy, which is a DAST tool and the most popular DAST tool in the world, yay. So that's our claim. No one's managed to disagree with that. So I'm here to, I mean, I certainly don't think that DAST is the be-all and end-all.

B: I know that there's no silver bullets, there's, you know, lots of things you need to worry about. I mean, I'm vaguely interested in all of them, but I'm definitely here to make sure that DAST doesn't get misrepresented and to make sure I get my already about ZAP.

C: I only kind of recently started to attend OpenSSF working groups, full stop. I was trying to understand which are kind of going to be valuable and which we can kind of commonly contribute back to, kind of came to this one more to understand.

C: Again, I guess, what its purpose was, because by the minute... so I did find it difficult to see kind of what its open focus was. I think, from what I'd like to be able to get out of it, sure, knowing some kind of defined list of tools would be helpful, but if we can't be that specific, at least some kind of best practices or things we should look for when evaluating tools and making decisions on which tools are going to help service, because I think we're...

C: I can be open about the fact that we've been quite reactive to things that are happening in a landscape, but that doesn't mean that we're selecting tools that will help us in the long run, and having some kind of additional context and wisdom is definitely going to be valuable for us.
G: So I actually, I lead accountability research for a startup cybersecurity company based in Israel, and also I recently started to join several OpenSSF working groups, trying to understand the landscape, see where we can contribute as a company. There are several directions that are interesting for us as a company that we deal with on a daily basis, so we thought if we can contribute some of that knowledge back to the community.

G: That would be great, so mainly around SBOM, with specifically dynamic validation of components, like if something is actually loaded, the perspective that we don't see a lot of. Mainly it's focused on either source code or, like, the static analysis, and yeah. So that's basically it, and I'm open to suggestions regarding what to work on. I relate to the idea of kind of creating, like, a knowledge base which is vetted by OpenSSF for different security tools in various stages of the pipeline, sort of, as I said, something I think can be valuable. But, as I said, open to anything that will be decided by the group.

D: Yeah, I can quickly go next, so I work for... I mean, I currently lead the OpenSSF Scorecards working group, and just as a brief breakdown, Scorecard is not itself a security tooling, but it also acts as, like, a meta security tool which checks for other tools, like let's say some SAST availability or, like, fuzzers, and things like that. So my hope to come to this working group is to kind of get an understanding of what kind of things we can be adding to Scorecards.

D: What kind of things should we be checking for, and, you know, what kind of tools should OpenSSF be promoting to help open source users? You know, encourage usage of these tools in the open source world, so yeah.

E: For example, Scorecards wants to identify: are there SAST tools? Are there DAST tools? And it's very, very hard to determine that in an automated way. The badging project, we didn't even... I mean, I guess we tried a little bit but not very hard, because it's really hard to do that in an automated way. If there could be guidelines and ways to suggest that people do things in certain ways to make it easier to detect them, I'm sure the Scorecard folks will be grateful.

B: I mean, what I mean, I think I've raised an issue on that about putting DAST tooling in, and I know why you haven't done it, and that's actually one of the reasons why the web application definition... that's, you know, a nice side effect. If we can get that working and adopted, then that will be a very simple way for the Scorecard and other projects to detect DAST tooling in operation.

B: So if you scroll up to the top of our doc, there's a link to the web application definition. The issue I raised on Scorecard, I'll have to look.

D: Yeah, I can look into it. Do you want... I don't know how much time we have in the working group. I don't want to take up everyone's time. Do you want to maybe just walk me through what exactly would this add or whatever it would involve, or if you want, we can even take it offline on Slack or something.

B: Well, I mean, I think now might be a good time for Paul to have a chat about, say, what he's been up to recently.
A: Sure, all right, so basically what we discussed last time, sorry, was how to kind of develop this idea forward, and we decided to try to develop this kind of for the Juice Shop web application and see how we could apply this web application definition there.

A: And basically, I only did, like, let's say, an initial preparation step by writing two GitHub Actions to start the Juice Shop web app on the host of GitHub Actions, basically, and then one with the Docker container, just to check what we would need to do, and then, okay, perform the simple curl, and what I would like to discuss today is basically how to proceed in this direction. So shall we write, like, I don't know, a very simple basic script of kind of parsing the web app definition and then passing this data to some sort of a command or something like that?

B: So I think that's great, you got to that stage, really good. I mean, the way I always thought it would be, we would create something like a GitHub Action which, basically, just, you would add it to a repo, when it runs it would see if this definition was present. If it wasn't present, it would probably error, exit with an error. If it was present, then it would try to start the repo or start the service in Docker.

B: Once it's up, try and access an endpoint, and if that was successful, then the action would succeed. Anything else would fail.

B: So that's kind of a sanity check that the web definition is there and it appears to do the right thing. I think that would be, you know, particularly with it being open source, that would be a really useful proof of concept, really.

A: Okay, yeah, sounds doable.

B: I'm sorry, it wasn't specifically at you, it was generally to the group. If we have a web application definition that we have a definition for, and we have an example GitHub Action which will, if you run it on a repo, start the service and check it's actually running. So it's a proof of concept. The web application exists and it seems to do something.

D: So I don't know if this makes sense, but I could make a suggestion here, so Scorecard already has this whole GitHub Actions thing which basically, if it's installed, it can do a bunch of checks, and if those checks, you know, depending on how we think they have performed, if they are performed poorly, we can, you know, show up an alert.

D: What Scorecard does, we already have parsing libraries to figure out YAML files, GitHub workflows and things like that, and the idea is, if you find a certain file, then you know you can assert a bunch of things on it, and if those assertions fail, then we show those code scanning alerts on the GitHub UI. So all of that framework already exists. I wonder if, like, yeah, as a proof of concept, maybe I wonder if you guys just want to try out starting from Scorecard and maybe then, you know, adding more complex features on that.

B: One thing we could do is we could actually change those actions to make the target URLs optional, and if this definition exists, to actually try and start the application and then use that. So that would be something where there would be a real tool that does useful stuff that would actually make use of the definition. I think then we've got that being able to use it within ZAP, actually having it within the Scorecard, so you then start scoring, and we've got an example action which doesn't do anything, just shows you how to get to that stage. I think that'll be quite a good starting point.

D: That sounds good. I think I'd be happy to have this discussion even with the other Scorecard maintainers. So if you want, we could continue the discussion on the issue that you pointed to or feel free to create a new issue, and we can, you know, discuss that also. We have Scorecard bi-weeklies that we run, sorry. We can even have this discussion there, if you would like to join there, and you know, discuss in gbc.

D: Yeah, I'm available on Slack, so you can bring me there. We also have a Scorecards Slack channel, so that'll also have the other Scorecard maintainers, who can also chime in.
E: I actually wrote a significant part, so I would be willing to flesh out more, but not just by myself. I mean, you know, some help needed, and frankly, I think the obvious question will be exactly what is important and useful, because it's really, really easy to write long documents that then get ignored, and that doesn't do anybody any good.

E: The guide does list specific categories already and defines them, which is maybe not exactly when now do I apply, but hopefully it helps in that area.

A: So I would be interested, definitely, to look into the guide. I don't know how much I can contribute, but yeah, would definitely be interested.

E: Okay, I think we've got in the notes, yeah, I just put in the notes the link there, so it, I mean, it's sit down and read, but it's not very long, so.

E: This link right here, guide.md.

A: Well, I suppose you need someone with at least some experience doing these things, so why would you not volunteer to at least continue for the next, I don't know, a couple of months or something like that?

B: Well, I've kind of been vaguely leading it for the last few weeks, the last few times, because Ryan hasn't been able to attend. Happy to do that, but I'm also very happy for anyone else to take it on. I mean, I don't think I've led any working groups before this, so I don't think you need that much experience. I'm happy to be the default person who will just get discussions moving, but if someone would actually like to lead it, then I'm very happy to hand over the reins.

E: Yeah, I don't, because I work, because of my role, I think I'm not supposed to be a lead of a working group also, but I'm happy to help whoever is the lead.

D: I don't know if this came up in the meeting before, but did we consider merging this working group with something else, like...

E: Yes, yeah, that's definitely on the table. There's some other... I think one challenge is that tools by themselves are actually in support of other things. So, you know, it's perfectly plausible to have, say, you know, the supply chain working group working on tools related to supply chain, and the best pro... If the goal is, what are your best practices for applying tools? You know, that could be easily moved into the Best Practices working group. So, you know, it's quite plausible.

E: Maybe part of the challenge here is that tools really don't exist in isolation. They exist in support of larger goals, and so maybe a reorg to support various goals might be a better way to do it, and that's fine. I don't really care how things get organized as long as we try to make progress on making things better.

A: Just as a spontaneous comment, but you know, maybe I don't understand the current group structure, so I think you're right, tools don't exist in isolation.

A: Of course, on the other hand, if you kind of have a very, or say, an application area or something like that, then anything that is beyond this specific, I don't know, type of problem or something that you do kind of gets lost, and so, from my point of view, you know, when you're talking about security tools in general, you kind of have a broad range of problems that you can cover.
D: I think the next step there would be to, like, let's start a discussion on the Scorecard channel, either Slack or the GitHub issue, and figure out what might be a concrete action item we can take there in terms of, like, you know, figuring out this, like, how, where's the overlap in web app definition and Scorecard checks, and I guess we can go from there.

E: Yeah, I will add a link to the guide and at least make the current guide less of a mysterious "I can't find it" item.

D: David, I wonder, this discussion of, you know, whether to continue with the working group or to be merged, like, is this something that should be brought up in the TAC meeting?

E: It has already been... that has already happened. The TAC meeting happened earlier today and that was specifically one of the agenda items. The decision made by the TAC at the time was that this is actually... the TAC is about to be... we're currently, in fact, you know, everybody who's already participating, please vote, there's a new TAC being voted for, and so I think the feeling was it wasn't reasonable to do a big change like that when there's a new TAC coming in that might make different decisions.

E: So I think what's gonna happen is the next TAC meeting is basically going to be the last meeting of the current members, will onboard the new TAC members, and so four weeks from now there'll be an actual new TAC which can make those decisions. By that point, the intent is to basically, the old TAC, you know, here's what we propose, and then let the new TAC make a decision. If we don't have somebody who says hey, I want to be a lead, that may actually answer the question, so, because...

D: There's no point, yeah, so yeah, I was just saying, like, I mean, I think the lead question kind of ties back to the point of what exactly is the working group trying to accomplish? I guess if there's clarity there, it should be possible, yeah.

E: But you know, it's actually kind of reverse, I mean, in the end, the working group needs to just agree on what they're trying to accomplish, but a lead's job is to help work that out, not dictate to everybody else, here's what we're going to do, but it's also the, you know, nobody has any ideas, let's just stare at each other for an hour, we don't need. I mean, there is always going to be a little soul-searching in most situations unless somebody comes in with a very clear idea.

E: That's a significant endeavor, that doesn't make it wrong. I encourage it, but you know, I think that comes down to the, you know, a lead should help define and work with and get us going towards specific directions, and you know, for example, Simon's specific idea, the great advantage of a specific idea is that we have an idea when we accomplish it, all for that.

E: All right, I see we're at the top of the hour and I'm hoping that I added our guide, because that is... I may have done it correctly, we'll see.