►
From YouTube: Security Tooling WG Meeting (January 25, 2022)
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
B
A
B
B
B
A
B
E
E
So
basically
the
the
the
attack
is
already
in.
I
see
ava's
here
also
so
av
can
say
whatever
I
forgot
to
say
or
correct
whatever
I
say,
but
I
think
the
tack
discussion
right
now
is
you
know
you
can't
you
know
who
should
lead
instead,
maybe
should
this
group
be
integrated
into
other
existing
working
groups
instead
of
being
a
separate
working
group?
I
don't
think
any
decisions
been
made,
but
I
think
that's
going
to
be,
but
ryan
is
not
going
to
be
able
on.
E
Basically,
I
think
is
his
new
company
is
not
a
member
of
open
ssf
and
they
don't
want
him
to
use
his
time
on
that,
and
I
mean
that's,
that's
okay.
So
that's
well,
that's
the
situation.
I
think
I
think
that's
unfortunate,
but
you
know
that's
the
situation
and
ava.
Please
correct
everything.
I
said
please.
F
E
E
Yeah,
so
I
I,
I
would
suggest
that
this
group
talk,
you
know
at
least
briefly
talk
about,
doesn't
have
to
be
today
the
what
you
know.
What
would
you
like
to
see,
and
then
you
know
and
let
the
the
new
tech
get
a
chance
to
make
some
decisions,
but
I
think
that's
up
in
the
area
we
want.
I
don't
think
anybody
needs
meetings
just
for
the
sake
of
meetings,
but
we
do,
but
there
are
real
problems
to
be
solved,
so
we
want
to
get
problem
solved
and
as
efficiently
as
we
can.
B
Yeah,
I'm
gonna
completely
understand
that
and
I
have
no
problem
with
any
of
that.
Obviously
so,
and
I
think
this
working
group
has
historically
struggled
to
come
to
a
kind
of
unified
view
of
what
we
should
be
doing.
However,
last
time
we
did
focus
more
on
one
thing:
thanks
to
paul
coming
up
on
board,
because
paul
was
very
interested
in
the
web
application
definition.
I
came
up
with
originally,
and
so
that's
something
that
I
think
we're
both
very
keen
to
push
forward
and
other
people
have
expressed
interest
as
well.
B
F
B
F
Dr
link
on
zoom,
the
tl,
dr,
is,
I
started
a
google
doc
last
summer
to
try
and
do
an
overview
of
the
entire
supply
chain
landscape
in
open
source,
which
included,
collecting
or
building
a
list
and
categorizations
of
lots
and
lots
of
different
projects
in
the
space
tools
available
in
this
space
and
proposing
a
lexical
categorization
of
those
tools
into
roughly
five
five
distinct
functions.
There's
a
couple
tools
that
cross
into,
or
you
know,
fulfill
multiple
purposes
and
the
long
goal
there
was
try
and
help
reduce
the
communication.
B
Different
cool,
okay.
That
sounds
very
useful,
but
I
don't
think
it's
so
related
to
what
we're
looking
at
so
the
web
application
definition
originally
came
about,
because
we
had
a
variety
of
people
or
people
with
a
variety
of
backgrounds.
On
this
working
group
and
we've
got
discussing
the
differences
between
static
source
code,
analysis,
dynamic
analysis
and
fuzzing
and
static
analysis
dense
to
have
an
easier
way
of
getting
started,
because
if
you
point
at
the
source
code,
it
knows
where
the
source
code
is
dynamic.
B
B
F
B
Well,
I
think
the
working
group
has
gone
through
a
quite
a
few
discussions,
some
of
them
very
interesting,
but
they
didn't
really
come
down
to.
You
know
nothing
really
came
of
them
apart
from
a
lot
of
you
know,
a
lot
of
things
were
learned
by
a
lot
of
people,
including
myself,
but
we
originally,
the
people
in
the
working
group
came
from
different
areas
and
we
dis.
B
There
are
definitely
areas
of
overlap
and
areas
where
they
could
collaborate
much
more
usefully,
but
we
hadn't
kind
of
got
down
to
that
particular
we
hadn't
got
down
to
a
great
a
large
number
of
things
that
we
could
work
on.
This
was
something
that
I
kind
of
came
up
with,
like
the
idea
of,
but
it
wasn't
didn't
have
enough
time
to
push
forward,
but
then
paul
didn't
touch
me
recently
and
said
he
was
interested,
in
which
case
great
somebody
can
push
it
forward.
A
A
Personally,
from
the
practitioners
perspective
and
from
the
industrial
perspective,
I
am
very
much
interested
in
having
a
working
group
on
security.
Tooling,
specifically,
you
know,
because
I
mean
you
can
have
all
those
nice
methods
and
metrics
and
whatnot,
but
in
the
end
of
the
day
the
question
is:
how
do
you
transform
this
into
something
that
you
can
apply
to
your
software
projects
or
whatever?
So
this
is
actually
how
I
came
to
to
join
this
group
specifically
because
the
the
topic
is
is
or
the
topics
around
security.
A
Tooling
is
what
what
we
need,
and
I
wouldn't
say
that
we
are
limited
to
any
specific
type
of
tools.
I
I
assume
this
is
just
something
that
we
have
looked
into
and
and
now
we're
kind
of
following
up,
but
I
will
definitely
reads
and
and
check
the
repository
that
you
ever
shared
to
see
what
kind
of
taxonomy
that
is.
E
Just
so
you
know
early
or
on
in
this
in
this
in
the
history
of
this
working
group,
there
was
a
brief
guide
that
was
developed.
I've
included
a
link
to
it
within
the
notes.
Here.
It's
part
of
the
working
groups
results,
but
you
know
it's
a
it's
a
I
mean
it
it's.
I
think
I
don't
think
it's
wrong
as
it
is.
It
doesn't
go
into
some
details,
it's
fairly
abstract.
I
should
say
so:
that's
what
she
it's
it.
It
doesn't
say,
use
tool,
x
and
name
a
tool
or
anything
like
that.
E
B
Yeah,
I
think
initially
quite
a
few
people
who
joined
the
working
group
really
wanted
to
have
that
def
that
definitive
guide
to
these
are
the
tools
I
should
be
using,
and
I
think
quite
a
few
of
us
in
the
other
people
in
the
group
were
saying:
well,
we
don't
have
the
kind
of
capabilities
to
evaluate
tools
in
that
way
and
make
those
recommendations.
Unfortunately,.
F
F
E
Openness
I
mean
I
I
don't
mind
saying
as
much
in
principle
I
don't
mind
and
it
can
be
useful
to
say
given
condition
x.
You
should
definitely
look
at
at
least
you
know,
tool,
y
and
z,
but
it
is
a
challenge
to
do
and
it's
as
far
as
specific
one
of
the
challenges,
it's
very
difficult
to
get
data
about
them.
Those
of
you
who
are
followed
some
of
this
may
be
aware
of
problems
like
dewitt
clauses,
which
make
it
very
very
challenging
to
find
data
about
specific
tools.
E
That's
publicly
available.
I
I
can
tell
you.
The
us
government
has
some
data
about
tools
that
I
am
not
allowed
to
say
to
talk
about
in
public,
because
they
they
internally
did
some
evaluations
but
publishing
almost
any
of
that
is
illegal
under
a
lot
of
the
not
illegal.
It's
a
con.
It's
a
violation
of
the
of
the
service
terms,
so.
D
B
F
E
Yeah,
so
I
I
think
I
I
think,
there's
a
number
of
developers
out
there
who
would
like
to
you
know
just
tell
me
what
to
use,
but
the
challenge
is
okay.
We
we
want
to
be
helpful
to
those
developers,
but
that
turns
out
to
be
much
much
harder,
which
is
why
the
get
guide
ended
up
being
what
it
is,
which
is,
I
think
it
has.
I
I
think
it
does
have
helpful
information
does
not,
but
it
does
not
specify
specific
tools.
F
Yeah
and
the
cncf's
work,
their
initial
formulation
of
this
didn't
include
a
list
of
specific
tools
and
the
ones
they've
been
sort
of
iteratively
generating
do
include
those
lists.
I
can't
speak
to
exactly
how,
but
I
think,
they're
taking
the
approach
of
let
community
members
provide
a
sort
of
a
verified
configuration
like
here's.
The
software
secure
software
factory
paradigm.
Now,
in
this
configuration
it's
a
combination
of
tool
x,
y
and
z,
and
in
that
configuration's
combination
of
tools,
a
b
and
c.
A
F
D
F
F
What
are
the
open
source
tools
available
that
we
can
use
to
do
that
thing
they
need
to
to
get
there.
They
have
to
start
from
knowing
what
are
the
functions
they
need.
What
are
the
things
they
need,
what
are
the
terms
mean
and
how
do
they
disambiguate
an
s-bomb
from
signed
artifacts
from
just
a
manifest
file
like
someone
who
doesn't
know
the
space?
Yet
how
do
they
navigate
the
space
to
discover
what
they
need
to
meet
some
requirement
and
then
what
tools
help
them
do
that
yeah
yeah.
E
D
E
F
F
E
D
E
Yeah
and-
and
I
could
there-
I
actually
did
a
some
work
a
number
of
years
ago
for
something
called
the
software
soar,
which
I
mean
we
identified
50
categories
of
tools
and
you
know
a
number
of
tools
within
each
category.
So
there's
a
little
bit
of
cheat,
but
it
kind
of
said
a
couple
cases
so
the
same
tool
but
used
radically
different
ways.
But
still
there
are
a
lot
of
different
tools
and
that's
okay.
B
E
F
F
B
A
So
the
the
question
from
my
side
would
be:
you
know
if
you
kind
of
come
from
this
like
industrial
background,
I
actually
am
rather
driven
by
specific
problems
and
then
I'm
very
interested
into
looking
in
any
potential
approaches
to
tackle
these
problems,
be
it
existing
tools
or
be
it.
For
example,
ideas
like
what
simon
initially
started
with
this
web
application
definition,
which
I
think
can
be
also
used
to,
I
don't
know
enable,
say
easier.
Fuzzing
of
of
some
embedded
tops
or
something
like
that.
So
I
I
don't
know.
D
B
C
B
I
mean,
I
think,
we're
kind
of
I
mean.
I
know
I've
been,
you
know,
looking
at
particular
things,
I'm
not
sure
anyone's
really
been
looking
at
the
what
this
group
should
be
doing
for
a
little
while
and
it's
kind
of,
as
I
said,
I
think
it's
very
much
a
question
of
who's
here
and
what
we
want
to
do
so
I
mean
maybe
now's
another
good
time
to
just
do
a
quick
round
table
and
say
why
we're
here,
because
I
think
the
you
know
some
people
have
only
just
turned
up.
B
A
All
right,
so
my
main
motivation
is
to
look
into
what's
available
in
terms
of
open
source
tools
for
specific
security
tasks
because
from
well.
Basically,
what
I
do.
I
do
security
research
in
industrial
setting-
and
you
know,
along
of
this
security
engineering
process,
that
we
have.
You
have
many
different
things
you
have
to
do
and
obviously,
if
you
want
to
automate
as
much
as
possible
of
these
tasks,
then
then
you
need
tools,
and
this
is
what
what
mainly
motivates
me
to
to
join
this
discussion.
E
F
B
I
love
chip
in
now,
so
I
got
pulled
into
this
working
group
because
there
were
people
who
understood
about
sustained
fuzzing,
but
not
dust,
and
so
I'm
part
of
owasp
the
project
leader
of
the
whole
zed
attack
proxy,
which
is
das
tool
and
the
most
popular
das
tool
in
the
world
yay.
So
that's
our
claim.
Anyone,
no
no
one's
managed
to
disagree
with
that.
So
I'm
here
to
I
mean
I
don't.
I
certainly
don't
think
the
dust
is.
The
bee
will
end
all.
B
C
B
C
C
Again,
I
guess
what
its
purpose
was,
because
by
the
minute,
so
I
did
find
it
difficult
to
see
kind
of
what
it
was
open
focus
was,
I
think,
from
what
I'd
like
to
be
able
to
get
out
of
it.
Sure
knowing
some
kind
of
defined
list
of
tools
would
be
helpful,
but
if,
if
we
can't
be
that
specific,
at
least
some
kind
of
best
practices
or
things,
we
should
look
for
when
evaluating
tools
and
making
decisions
on
which
tools
are
going
to
help
service,
because
I
think
we're.
G
D
G
So
I
actually,
I
lead
accountability,
research
for
startup
cybersecurity
company
located
in
israel
based
in
israel
and
also
I
joined.
I
recently
started
to
join
several
nssf
working
groups
trying
to
see
understand
the
landscape,
see
where
we
can
contribute
as
a
company.
There
are
several
directions
that
are
interesting
for
us
as
a
company
that
we
deal
with
on
a
daily
basis,
so
we
thought
if
we
can
contribute
some
of
that
knowledge
back
to
the
community.
G
That
would
be
great
so
mainly
around
s-bomb,
with
specifically
dynamic
validation
of
of
of
components
like
if
something
is
actually
loaded
to
the
perspective
that
I
I
we
don't
see
a
lot
of,
mainly
it's
focused
on
either
source
code
or
like
the
static
analysis
and
yeah.
So
that's,
basically
it
and
I'm
open
to
suggesting.
Regarding
what
to
work
on,
I
I
relate
to
the
to
the
idea
of
of
kind
of
creating
like.
G
E
D
Yeah,
I
can
quickly
go
next,
so
I
I
work
for
the
I
mean
I
currently
lead
the
ossf
scorecards
working
group
and
my
so
just
as
a
brief
breakdown
scorecard
is
not
itself
a
security
tooling,
but
it
also
acts
as
like
a
meta
security
tool
which
checks
for
other
tools,
like
let's
say
some
sas,
availability
or
like
ciphers,
and
things
like
that.
So
my
hope
to
come
to
this
working
group
is
to
kind
of
get
an
understanding
of
what
kind
of
things
we
can
be
adding
to
school
cards.
D
E
For
example,
scorecards
wants
to
identify.
Are
there
sas
tools?
Are
there
das
tools
and
it's
very
very
hard
to
determine
that
in
an
automated
way,
the
badging
project
we
didn't?
Even
I
mean
I
guess
we
try
a
little
bit
but
not
very
hard,
because
it's
really
hard
to
do
that
in
an
automated
way.
If
there
could
be
guidelines
and
ways
to
suggest
that
people
do
things
in
certain
ways
to
make
it
easier
to
detect
them.
I'm
sure
the
the
scorecard
folks
will
be
grateful.
B
I
mean
we'll
what
I
mean.
I
think
I've
raised
an
issue
on
that
about
putting
das
tooling
in,
and
I
know
why
you
haven't
done
it
and
that's
actually
one
of
the
reasons
why
the
web
application
definition.
That's.
You
know
a
nice
side
effect.
If
we
can
get
that
working
and
adopted,
then
that
will
be
a
very
simple
way
for
the
scorecard
and
other
projects
to
detect
das
tooling
in
operation.
B
H
D
Yeah,
I
I
can
look
into
it.
Do
you
want?
I
I
don't
know
how
much
time
we
have
in
the
working
group.
I
don't
want
to
take
up
everyone's
time.
I
I
do
you
want
to
maybe
just
walk
me
through.
What
exactly
would
this
add
or
whatever
it
would
involve,
or
if
you
want,
we
can
even
take
it
offline
on
slack
or
something.
A
And
basically,
I
only
did
like
a
let's
say,
an
initial
preparation
step
by
writing
two
github
actions
to
start
the
juice
shop
web
app
in
in
the
on
the
host
of
basically
of
github
actions
and
then
one
with
the
docker
container
just
to
check
what
we
would
need
to
do
and
then
okay
perform
the
simple
curl
and
what
I
would
like
to
discuss
today
is
basically
how
to
how
to
proceed
in
this
in
this
directions.
Show
so
shall
we
write
a
like.
B
So
I
think
that's
great
you
got
to
that
stage
really
good.
I
mean
the
way
I
always
thought
would
be.
We
would
to
create
a
something
like
a
github
action
which,
basically,
just
you
would
add
it
to
a
repo
when
it
runs
it
would
see
if
this
definition
was
present.
If
it
wasn't
present,
it
would
probably
error
her
exit
with
an
error.
If
it
was
present,
then
it
would
try
to
start
the
repo
or
start
the
service
in
docker.
B
B
A
B
I'm
sorry
I
was
so
it
wasn't
specifically
at
you
as
to
generally
to
the
to
the
to
the
group.
If
we
have
a
web
application
definition
that
we
have
a
definition
for,
and
we
have
an
example,
github
action
which
will,
if
you
run
it
on
a
repo,
we'll
start
the
service
and
check
it's
actually
running.
So
it's
a
proof
of
concept.
The
web
application
exists
and
it
seems
to
do
something.
B
D
So
I
I
don't
know
if
this
makes
sense,
but
I
I
could
make
a
suggestion
here
so
scorecard
already.
Has
this
whole
github
actions
thing
which
basically
you
if
it's
installed
it
can
do
a
bunch
of
checks
and
if
those
checks
you
know,
depending
on
how
we
think
they
have
done
performed
if
they
are
performed
poorly,
we
can,
you
know,
show
up
on
alert.
D
What
scorecard
does
we
already
have
passing
libraries
to
figure
out
yaml
files,
github
workflows
and
things
like
that,
and
the
idea
is,
if
you
find
a
certain
file,
then
you
know
you
can
assert
a
bunch
of
things
on
it
and
if
those
assertions
fail,
then
we
show
those
code
scanning
alerts
on
the
github
ui.
So
all
of
that
framework
already
exists.
I
I
wonder
if
it
like
yeah
as
a
proof
of
concept.
B
B
One
thing
we
could
do
is
we
could
actually
change
those
actions
to
make
the
target
urls
optional
and
if
this
definition
exists
to
actually
try
and
start
the
application
and
then
use
that.
So
that
would
be
something
where
would
be
a
a
real
tool
that
does
useful
stuff
would
actually
make
use
of
the
definition.
I
think
then,
we've
got
that
being
able
to
use
it
within
zap
actually
having
it
within
the
scorecard.
So
you
then
start
scoring,
and
we've
got
a
example.
B
D
That
sounds
good.
I
I,
I
think
I'd
be
happy
to
have
this
discussion
even
with
the
other
scorecard
maintainers.
So
if
you
want
you
could
we
could
continue
the
discussion
on
the
issue
that
you
pointed
or
feel
free
to
create
a
new
issue,
and
we
can,
you
know,
discuss
that
also.
We
have
scorecard
bi-weeklies
that
we
run
sorry.
We
can
even
have
this
discussion
there
if
you,
if
you
would
like
to
join
there
and
you
know,
discuss
in
gbc.
D
B
E
I
I
actually
wrote
a
significant
part,
so
so
I
would
be
willing
to
flesh
out
more,
but
not
just
by
myself.
I
mean
you
know
so
you
know
some
help
needed
and
frankly,
I
think
the
the
obvious
question
will
be
exactly
what
is
important
and
useful,
because
it's
really
really
easy
to
write,
long
documents
that
then
get
ignored
and
that
doesn't
do
anybody
any
good.
B
A
E
A
E
E
Yes,
yeah,
that's
definitely
on
the
on
the
on
the
table.
There's
some
other.
I
think
one
challenge
is
that
tools
by
themselves
are
actually
in
support
of
other
things.
So
you
know
it's
perfectly
plausible
to
have
say
you
know
the
supply
chain,
working
group
working
on
tools
related
to
supply
chain
and
the
best
pro.
If
the
goal
is,
what
are
your
best
practices
for
applying
tools?
You
know
that
could
be
easily
moved
into
the
best
practices
working
group.
So
you
know
it's
quite
plausible.
E
Maybe
part
of
the
challenge
here
is
that
tools
really
don't
exist
in
isolation.
They
exist
in
support
of
larger
goals,
and
so
maybe
a
reorg
to
to
support
various
goals
might
be
a
better
way
to
do
and
that's
fine.
I
don't
really
care
how
things
get
organized
as
long
as
we
try
to
make
progress
on
making
things
better.
A
A
E
D
E
It
has
already
been
that
has
already
happened.
The
attack
meeting
happened
earlier
today
and
that
was
specifically
one
to
the
agenda
items.
The
decision
made
by
the
tax
at
the
time
was
that
this
is
actually
the
the
attack
is
about
to
be
we're.
Currently,
in
fact,
you
know
everybody
who's
already
participating.
Please
vote,
there's
a
new
tact
being
voted
for,
and
so
I
think
the
the
feeling
was.
It
wasn't
reasonable
to
do
a
big
change
like
that
when
there's
a
new
attack
coming
in
that
might
make
different
decisions.
E
So
I
think,
what's
gonna
happen
is
the
next
tac
meeting
is
basically
going
to
be.
The
last
meeting
of
the
current
members
will
on
board
the
new
tac
members,
and
so
four
weeks
from
now
there'll
be
an
actual
new
tac
which
can
make
those
decisions
by
that
point,
the
intent
is
to
basically
the
old
attack.
You
know
here's
what
we
propose
and
then
let
the
new
tac
make
make
decision.
If
we
don't
have
somebody
who
says
hey,
I
want
to
be
a
lead
that
may
actually
answer
the
question
so
because.
D
E
But
you
know
it's,
it's
actually
kind
of
reverse
I
mean
in
the
end.
The
working
group
needs
to
just
agree
on
what
they're
trying
to
accomplish,
but
a
leads
job
is
to
help
work
that
out
not
dictate
to
everybody
else.
Here's
what
we're
going
to
do,
but
it's
also
the
you
know.
Nobody
has
any
ideas,
let's
just
stare
at
each
other
for
an
hour
we
don't
need.
I
mean
there
is
always
going
to
be
a
little
soul-searching
in
most
situations
unless
somebody
comes
in
with
a
very
clear
idea.
E
That's
a
significant
endeavor
that
doesn't
make
it
wrong.
I
encourage
it,
but
you
know
I
think
that
comes
down
to
the
you
know.
A
lead
should
help,
help,
define
and
work
with
and
get
us
going
towards
specific
directions,
and
you
know,
for
example,
you
know
simon's
specific
idea
is
the
great
advantage
of
a
specific
idea
is
that
we
have
an
idea
when
we
accomplish
it
all.
For
that.