►
From YouTube: Security Tooling Working Group (April 25, 2023)
C
Think
you
said
yeah,
it
was
a
tag
meeting
like
it's
the
group
that
I
co-chair
and
we
have
one
member
who
is
based
in
Japan,
and
we
also
have
a
member
in
in
Beijing
who
was
supposed
to
come,
but
I
unfortunately
wasn't
able
to
come.
But
but
the
like,
we
are
we're
always
asking
the
who
lives
in
Japan
to
you
know,
travel
to
London
and
travel
to
Reykjavik
and
travel
to
Boston
and
all
these
places.
So
every
once
in
a
while
a
meeting
in
in
Japan
and
he
can
host
us.
A
C
A
A
A
I
am
not
a
smart
person,
it's
all
right.
Let's
just
work
on
this
doc,
then
I
think
yeah.
We've
all
been
around
all
right.
All
right,
so
I
spent
some
time
holy
cow
where'd.
All
these
people
coming
from
like
this
can
be
a
real
meaning.
That's
fine,
all
right!
So
anyway,
I
spent
some
time.
I
was
on
the
road.
Last
week,
so
I
went
I
looked
through
this
a
bit
and
made
some
changes.
A
A
I,
don't
know
if
I
can
find
the
chat.
I,
don't
know
my
chat
is
there,
it
is
Zoom
is
hard,
but
so
my
thought
was
just
to
go
through
it
and
if
people
have
thoughts
or
ideas,
we'll
write
them
down,
we'll
we'll
Wordsmith
it
a
little
bit
and
then,
when
we're
done,
we're
done
I'm,
not
looking
to
kill
a
ton
of
time
here.
A
So
I,
don't
remember
who
was
here
last
week,
so
I'll
just
go
over
this
again.
What
we
did
last
week
is
Kate
Steward
started
putting
this
document
together
like
a
really
long
time
ago,
and
we
basically
are
the
top,
is
notes.
So
we're
going
to
ignore
all
that,
and
the
bottom
is
just
identifying
some
of
the
use
cases
this
group
sees
for
s-bombs
I
mean
it
sounds
simple,
but
it's
unfortunately
not,
and
so,
let's
just
like,
let's
start
at
the
top
and
and
go
through
and
see
what
makes
sense
if.
C
A
Yes,
thank
you,
and
if
anyone
has
any
questions
or
comments,
just
jump
in,
we
don't
need
to
worry
about
hand
raising
or
anything,
there's
not
enough.
People
to
matter
today,
which
is
great
I,
enjoy
small
working
groups
like
this,
and
you
can
get
a
lot
done
because
we
aren't
going
to
argue
for
25
minutes
over
some
detail.
A
A
C
C
Not
I'm
not
particular
about
it.
It's
it's
just
a
matter
of
like
like,
like
the
problem
with
the
term
use
cases
is
that
sometimes
use
cases
can
be
really
super
granular,
and
sometimes
they
could
be
like
very
high
level
and
like
well
like
thinking
about
things
in
terms
of
a
user
need
tends
to
put
people
tends
to
focus
people's
mind,
but
I
wasn't
involved
in
the
meeting
last
week.
So
you
know,
don't
don't
let
me
hijack
things
no.
A
This
is
good,
Dan
I
mean
we
didn't
really
Define
user
I
think
we
let
it
flop
around,
and
you
have
a
good
point.
There's
these
personas
exist
kind
of
in
the
context
of
the
use
cases,
but
at
the
same
time
the
use
cases
are
kind
of
all
over
because
we've
got
producers
of
software
and
they
obviously
create
these
s-bombs
in
certain
places
and
we
have
the
consumers
of
it,
which
theoretically
are
taking
s-bombs
from
somewhere
else
or
potentially
generating
them
themselves,
and
so
I
think
user
isn't
very
clear
in
this
context.
A
A
A
Where
I
think
you
can
end
up
in
a
situation
where
someone
will
say
our
use
cases
generating
s-bombs
and,
like
that's,
not
a
use
case?
That's
something
you're
doing
like.
Why
are
you
making
these
s-bombs?
What
is
the
purpose
and
goal
of
that?
So
I
think
the
user
needs
perspective,
puts
a
focus
and
I
I,
don't
know
I'm
suggesting
I.
F
E
E
C
I
I
mean
I'm
trying
to
write
something
that
would
sorry
they
so
I'm
trying
to
write
something
that
kind
of
like
to
me
scans,
like
a
user
need.
You
know
it's
a
little
bit
more
like
not
necessarily
a
story,
because
the
story
is
All
is,
is
you
know
a
longer
thing,
but
it's
like
they've
run
it.
You
know
that
this
a
person
working
in
an
Xbox
in
an
aspa
which
is
one
of
the
key
user
personas
you
know,
wants
to
evaluate
security
characteristics
of
a
software
Library
they
utilize
a
tool.
C
You
know
a
tool
that
evaluates
Ms
bomb
associated
with
a
specific
build
of
that
library.
In
order
to
you
know,
evaluate
these
characteristics,
something
like
that
right
to
me.
That's
a
user
need,
and
it's
like
it's.
Yes,
it's
instructive
about
not
only
what
the
s-bomb
has
in
it,
but
what
the
tool,
what
the
tools?
Why.
C
A
A
D
C
E
A
That's
hard
to
explain
in
a
sentence
the
the
use
cases
I
mean:
do
you.
This
is
the
use
cases
right.
I
think
this
is
where
we
start
getting
the
use
case,
territory
and
I
think
maybe
some
of
these
use
cases
need
to
be
tightened
up
a
little
bit
if
we
think
about
it
in
that
context,
because
like
for
example,
obviously
we
say
what
are
the
licenses
in
my
dependencies,
I
mean
why?
Why
do
you
care
right?
A
That's
a
use
case,
though
I
think
and
it's
pretty
specific
vulnerabilities
gets
a
little
more
squishy,
because
I
think
vulnerability
is
a
feature
of
s-bomb
that
is
used
by
multiple
use
cases,
but
then
you've
got
like,
for
example,
IC
customers.
They
just
want
to
know
what
they
have,
because
when
the
next
log
for
J
event
happens,
they
want
to
type
log
for
J
in
a
search
box,
and
then
they
know
exactly
what
they
have
where
they
have
it.
A
You
know
and
that's
like
another
instance
where
the
s-bomb
can
drive
a
feature
like
that
I
think
one
of
the
other
pieces
to
this
I
just
had
this
conversation
the
other
day
we
talk
about
s-bombs
a
lot
like
there's
some
like
singular
entity,
but
s-bomb
is
just
really
a
tool
in
a
larger
ecosystem.
S-Bombs
will
never
Exist
by
themselves
and
if
they
do
like
you've
done
something
terribly
wrong.
A
F
A
No,
no
David,
you
misunderstand
I'm,
saying
there's
often
discussion
saying
things
like
you
need
an
s-bomb
but
like.
Why
do
you
need
an
S1?
What
are
you
going
to
do
with
that?
S-Bomb
just
having
an
s-bomb
for
the
sake
of
having
an
s-bomb
is
silly
they're,
saying
I
have
an
s-bomb
and
I'm
going
to
use
it
for
license
compliance
or
understanding
my
vulnerabilities
or
doing
something
with
it
is
even
if
customers
are
asking
for
it.
That's
a
reason,
but
I
think
just
saying
like
in
s-bomb
is
not
a
tautology.
Oh.
F
Absolutely
absolutely
all
right
we're
really
drilling
down
and
I'm
wondering
if
we're.
Let
me
step
back
and
when
people
ask
me,
why
do
you
want
an
s-bomb
I
say
there
are
many
reasons,
but
for
security
they're,
exactly
two
one
I'm,
estimating
security
risk
of
a
program
either
one
I
already
have
or
when
I'm
thinking
about
adding
and
number
two
I
is
the
log
for
shell
problem.
I
hear
that
there's
a
big
vulnerability.
Tell
me
everything
that
has
it
you
know.
A
F
E
A
I
think
so
I
think
I
think
we're
putting
too
much
content
in
this
section
that
belongs
beneath
it.
So
let's
keep
going
personas
all
right.
There
are
more.
These
are
the
initial
set
all
right
Developers,
so
we
list
developers
as
creating
open
source
building
on
open
source
and
Enterprises
building
on
open
source
in
the
Enterprise.
Just
like
a
an
Enterprise
developer.
Do
we.
C
Do
we
want
us
is
creating
open
source,
actually
multiple
things,
because
there's
like
evaluating
libraries
that
I
might
want
to
use
in
my
in
my
open
source
application
like
say,
I'm,
building
an
application
or
or
a
web
app
or
anything
right
evaluating
what
what
I
want
to
use
evaluating
libraries
or
other
dependencies
and
then
there's
also
generating
builds
in
which
case
you're
you're.
So
there
are
two
but.
C
A
Yes
and
I
can
even
think
that,
if
you're
a
developer
of
an
open
source
project,
that's
not
the
same
as
a
developer,
at
sneak
necessarily
right,
like
sneak
product
as
developers,
working
on
open
source
and
Developers,
incorporating
open
source
into
the
product
and
developers
working
on
product
features.
And
do
we
want
to
split
developers
apart
in
that
context,
or
we
just
want
to
leave
developers
squishy
and
hand
wave
it
away.
I.
C
A
Terry,
no,
that's
pretty
good
it'll
be
clarified
in
the
use
cases,
all
right
cool
that
makes
sense
to
me
I
like
that,
all
right,
all
right,
so
we're
gonna
leave
developer
squishy
I'm.
Okay
with
that,
so
then
we
said
application.
Product,
Architects,
product
management
generating
are
detecting
us
bomb
generation,
integrating
from
content
security
champions.
A
A
A
B
D
C
A
We
didn't
write
it
down
because
that
would
be
easy
all
right.
Last
week,
two
weeks
ago,
whatever
open
source
program
office
manage
s
bombs,
S1
product
manager.
So
this
one
was
interesting.
Sarah
Evans
said
last
week
that
at
Dell
they
have
actual
s-bomb
product
managers
whose
job
is
like
wrangling
s-bombs
around
the
organization,
which
is
amazing
to
me.
A
D
B
Yeah
compliance-
that
was
one
that
was
on
my
mind
as
well.
It
can
fit
in
and
I
feel
like
a
few
of
these
different
places
so
like,
for
example,
at
the
downstream
customers
government
organization
level,
as
well
as
in
the
security
engineering
sections.
These
are
just
two
below
auditing
is
another
word
that
I
would
like
to
see
in
here
somewhere.
A
A
Let
me
so
compliance
means
many
things
to
different
people
right.
If
you
talk
to
an
infosec
team,
compliance
is
going
to
mean
something
like
sock
2..
If
you
talk
to
your
federal
team,
it's
going
to
mean
853.
If
you
talk
to
your
open
source
team,
it's
probably
going
to
mean
license
license
compliance.
B
A
A
G
G
B
G
I
was
going
to
say,
you
know,
and
you
know
all
these
all
the
specific
security
compliance
programs
reporting
things
are
assumed
to
be
part
of
that.
But
you
know
typically
corporations
don't
talk
in
terms
of
specifics.
They
don't
adhere
to
one.
Typically,
they
create
their
own
policies
and
guidelines,
and
things
like
that
that
map
to
one
or
more
external
Frameworks,
basically.
G
Was
wondering
if
we
should
call
out,
since
it
has
direct
alignment
with
work
being
done
in
honored,
Billy
work
groups?
Cert
teams
are
here
because
there
I
know
that
one
of
my
largest
consumers
in
IBM
for
OS,
Pro
and
first
ESO
teams
is
the
is
the
our
pcert
team,
our
cert
team,
because
they're
they're
interested
in
what
tools
they
need
to
employ
to
s-bomb
or
whatever,
to
do
reverse
lookups
and
vulnerabilities,
and
how
to
analyze.
Things
like
that.
So
I.
F
A
C
G
So
there's
so
when
I
see
procurement,
three
things
come
to
mind,
whereas
we
have
the
ciao
office.
Who
basically
has
you
know
canonical
toolingly
procure
that
support
security
and
compliance,
so
they
procure
and
host
tools
for
us,
the
Cisco
team
actually
has
their
own
subset
of
tools
they
host
that
are
not
covered
by
the
CIO
office
and
then
a
a
separate
context,
but
related
is
that
a
lot
of
that
tooling
is
augmented
by
mergers
and
Acquisitions.
So
we
actually
have
emergency
acquisition.
G
Well,
they
so
yeah,
it's
it's
third
party
vendor
procurement
yeah,
but
the
the
the
elephants
yeah.
So
the
CSO
teams
to
see
those
team.
If
they
have
involves
open
source,
they
go
through
the
same
procurement
processes
as
a
third
party
vendor
as
well.
They
go
through
the
same
clearance
pipelines.
If
you
want.
G
A
A
All
right,
I'm,
gonna,
I'm
comfortable
calling
this
third
party
vendor
procurement,
I,
think
that
clears
it
up,
because
it's
not
open
source.
Okay,
I'm
gonna
even
put
not
open
this
bookmarks
in
the
title,
because
I
do
think
this
is
an
important
persona
for
us
to
consider,
because
if
we
want
to
Encompass
more
than
just
open
source
in
the
context
of
use
cases,
we
need
it's
a
it's
a
thing.
G
A
A
G
I
think
that
this
last
bullet
should
be
elevated
to
below
developers,
because
I
think
that's
the
most.
Actually,
they
might
be
the
top
one
of
the
top
most
things,
because
that's
what
we're
lacking
is
the
downstream
consumers
of
Open
Source
they're,
the
ones
asking
for
the
information
they're,
the
number
one
customer.
So
that
should
that
well,
that
Persona
should
be
elevated,
I
think.
G
A
G
G
F
D
I
would
maybe
so
this
first
sentence
under
future
s-bomb
considerations
where
it
says
these
use
cases
and
considerations
are
not
important
today,
I
would
I
would
maybe
soften
that,
like
yes
for
some
folks,
these
might
actually
be
important
use,
casing
considerations,
but
I
think
maybe
the
point
here
is
like
this.
These
areas
that
are
highlighted
are
very
nebulous,
and
you
know
not
not
a
lot
of
definition
of
how
they
fit
into
s-bomb.
F
F
A
D
A
A
Absolutely
both-
and
we
kind
of
had
this
listed
with
software
integration
right
where
you've
got
someone
taking
in
something
else
as
part
of
their
application,
but
then
you
also
definitely
have
like.
Well,
we
don't.
We
don't
do
a
very
good
job
of
describing
like
making
an
s-bomb
and
giving
it
to
someone
else.
A
I
guess
it's
kind
of
build
time
as
Mom
generation,
because
we
talk
about
Downstream
but
I,
don't
I,
think
keeping
those
two
use
cases
separate
makes
sense,
because,
even
though
it's
the
same
thing,
I
think
the
activities
on
each
end
of
the
elephant
will
be
pretty
different
or
do
you
disagree?
You
can
disagree
like
I
would
I'm
glad
to
listen.
D
A
Do
we
treat
that
different
than
being
a
producer
and
a
consumer,
or
do
we
want
to
create
a
third
thing?
That's
both
because
I
think
from
the
context
you're
talking
about
the
only
producers
of
software
are
going
to
be
that
aren't
also.
Consumers
are
going
to
be
extremely
low
level
things
right
like
in
insanely
low
level.
In
fact,
even
then
I
don't
think
you
could
talk
about
that.
Oh,
what
is
do
I
Matt?
It's
not
a
YouTube
link,
I'm,
definitely
not
clicking.
G
That,
right
now,
when
I
was
talking
remind
me
of
an
old
movie
that
would
probably
be
lost
in
on
younger
people,
but
anyways
I
think
that
producing
consumer
are
good
Concepts
to
have,
but
I
think
we
need
in
terms
of
use
case,
we
need
to
talk
into
specifics
of
roles
we
defined
above
that's
more
more
clear,
I.
Don't
think
that
you
know
conceptually
it's
beneficial
to
say,
like
I
said
Rob,
said:
I
think
it's
mixed
up,
so
I
think
we
need
to
discreetly
reference
the
personas.
You
know
detailed
above
yeah.
A
A
All
right,
I'm,
just
gonna,
leave
it
there.
Yes,
I
I,
okay,
that
makes
sense
so
we'll
yank
those.
So
that
means
we
need
to
rework.
Probably
all
of
these
use
cases
and
I.
Don't
think
these
use
cases
are
very
use.
Casey
either
like
I,
don't
think
generating
an
s-bond
is
a
use
case.
Is
it
no?
It's
not
Distributing
an
Ask
bomb
is
a
use
case.
C
A
C
A
Get
it
right,
but
but
here's
my
point,
though,
like
saying
build
time:
s-bomb
generation
that
isn't
a
use
case,
but
it
encompasses
many
use
cases.
So
how
do
we
Define
like,
for
example,
the
the
needs
of
a
regulator
and
your
internal
security
team
and
your
customers
and
all
those
might
say
we
want
s-bombs,
which
is
functionally
the
same
use
case
just
with
different
personas.
G
Well,
I
think
I
think
that
we
should
we
should
reference.
We
should
reference
life
cycle,
artists
and
life
cycle
that
I
know.
Kate
has
shown
many
times
as
far
as
L
Foundation
the
life
cycle
of
an
s-bomb,
so
I
think
that
the
Persona
is
acting
relative
to
the
life
cycle
is
how
you
want
to
probably
go
about
it.
First,
against
a
specific
use
case.
All.
C
E
E
G
G
G
Relative
to
the
information
that
the
life
cycle
you
know
is
revolves
around.
You
can
highlight
different
aspects
of
life
cycle
where
it
was
where
that,
where
that
data
was
created,
where
it
was
sourced,
where
it
was
added
to
the
s-bomb
and
how
it's
how
it's
used
after
the
fact
how's
it,
how
is
it
reposited.
G
D
E
G
E
D
G
But
but
I
I
think
that
that
document
you
land
give
is
coming
from
Seaside
I,
think
C
says
where
they're
hashing
out
the
normative
nomenclature
and
semantics,
and
things
like
that
so
over
time.
We
might
want
to
reference
that
the
the
graphic
from
historical
graphic,
but
we
might
want
to
make
sure
we
we
follow
what
cesa
is
doing
in.
E
A
A
A
This
is
good,
though
this
is
really
good.
I
feel
like
this
is
why
I
like
having
a
smaller
group,
because
I
think
it's
a
more
candid
discussion,
so
all
right,
I'm
gonna,
send
us
on
our
way.
I
would
say
if
anyone
has
time.
Look
through
all
this
stuff
add
more
comments
or
questions.
I
think
we
need
to
rework
all
of
these
use
cases,
though
I
don't
think
many
of
these
are
actually
use
cases
in
the
context
of
what
we
just
talked
about.
I.
C
A
A
Yeah
all
right
all
right,
I
I
have
no
issue
with
you
like
gutting.
It
I
think.
That's
fine,
I
think
we
can
go
back
in
time.
There's
history
like
if,
if
someone's
completely
opposed,
which
no
one
will
be
because,
let's
face
it
like
this
is
totally.
If
you
do
the
work
you
get
to
make
the
decisions
like
I'm,
a
huge
proponent
of
that.
So
is
this
H
document
you
just
linked.