From YouTube: Security Tooling WG Meeting (January 11, 2022)
A: Yeah, so I've no idea if Ryan's gonna be here or not. Ryan has been chairing this meeting for a while, but he hasn't been here for a couple of weeks, so I'm happy to kind of act as chair as he's not here, as I did that job a little while ago. Everyone's okay with that? Perfect, cool. So hopefully you've all got access to the shared document.

A: I've put my name down and I see a couple of you put your names down as well. Everyone should have update access to that. I put something down on the agenda, but we're very happy, there's no problem talking about anything else. So I think some of you haven't been to this group before. This group is kind of an interesting one, because I don't think it's had a huge amount of focus.

A: There's been different people looking at different aspects of security tooling, so, you know, I'm not sure we've managed to come up with a huge number of deliverables, but one of the deliverables we were talking about a while ago is the web application definition, which I suggested and then didn't have enough time to spend on it, I'm afraid.

A: However, Paul got in touch and said he was interested, and so I invited him along because I thought it'd be a really good time to talk about it.

A: So Paul, you're...
B: I work for Robert Bosch. It's... might be even the largest tier one automotive supplier, it's a German company, and I work for the corporate research division, where I'm responsible for a group doing research on distributed systems, which security is obviously part of, and also responsible for a research program on security, privacy and certain safety aspects. And of course we are very much into, you know, very interested in these security tooling topics.

B: We deal with various, let's say, you know, layers, kind of, because we have a lot of embedded products. But since, I don't know, three, four, five, six years, something like that, all these, you know, classic IT technologies. Basically, when you start connecting your embedded products to the cloud and whatnot, then of course you also have the other side of the story, so web security is basically also something that we are looking into.

B: But what kind of intrigued me in the approach that you sketched out in the GitHub repository is that you can probably also use this kind of approach, for example, to enable easy fuzzing of embedded software and things like that, because anywhere where you need to attach these dynamic application security testing tools, you always have the problem that you have to onboard the projects, and when you have hundreds of projects, it's really, really hard. So this...

B: This is what intrigued me in what I saw there.
A: Great, thank you. So I'll give a little bit of background for this. I mean, when we started the working group, it was very much... there were different... I wasn't here at the very beginning, but very early on it became clear that people had different... were looking at things from different points of view. We had static analysis, we had fuzzing, and I came in on this kind of dynamic analysis side.

A: Static analysis has the easier time of things with this. If you've got a repo, you can find the source code, you can do whatever you want. Obviously, with the dynamic analysis and the fuzzing it's harder; we need something that's running, and to get to something that's running from a repo is virtually impossible in an automated way. So that's why this came about. I'm the project lead for the OWASP Zed Attack Proxy, which is why I'm very keen on the dynamic side, and so this is something I thought would be useful.

A: Then a couple of people from Microsoft got involved. I sent an email to one of them which I cc'd to yourself, so yeah. I just didn't have time to push it forward and there didn't seem to be enough other interest, but I'm still very keen on the idea. And, you know, so I had an initial definition and then I think it was Mark who pushed through a 1.1 definition.

A: I really like the idea of getting to a stage where we have a PoC, so actually having a definition and a PoC, maybe something like a GitHub Action that doesn't actually do anything, but, you know, we can show it actually starts up a few example services, and then we could go from there. I think that's something we could actually start making something of, telling people about and getting more feedback.
B: So, what kind of... because I'm not so well familiar with the dev side of web security, so what kind of tools do you have in mind? For, you know...
A: So, well, the only tool I've got in mind is the Zed Attack Proxy, because I'm the project lead. So ZAP is a web scanner. We've been claiming it's the most popular web scanner in the world for some time and no one's disagreed with me, so it must be true.

A: The attacking is one of the easier parts. There are lots of... you know, there's lots of potential here, particularly once you get into things like authentication, so defining what authentication is available, how to handle it. But I didn't want to go down that route early on, because we'd just make something so complicated that no one would use it.

A: But I like the idea of having the simplest definition that's actually useful, that allows us to stand something up and then start doing stuff with it, talking to the fuzzing guys, surprising people. I understand that, you know, you often need entry points and things like that, in a similar way to what we need with web application scanning. So, you know, there's... this is very much an initial: let's see if we can get something up and then go from there with web application scanning.

A: There are a whole load of deliberately vulnerable applications. So there's another OWASP project called the VWAD, deliberately vulnerable web applications. I'm one of the project leaders on that as well. So we've got a long list of projects, of applications. We know about quite a few of those that are containerized.

A: We want to be able to stand them up very easily and attack them, and I think we have a set of example test applications that we could do this with. It's just a question of agreeing on a good minimum set, working out a good PoC, where we can actually get something like a GitHub Action to stand anything up: you just point it at a repo, it's got all these definitions, it brings something up and then other tools like ZAP or whatever can start doing their thing against it.
B: Okay, cool. I used ZAP in the past to, you know, play around with cookies and authentication.

B: And stuff like that, but I was not aware that it actually can also kind of fuzz or, say, scan the web applications on its own. That's cool. Okay, then I think that it makes sense to kind of start there. So, I don't know, can you recommend then also from these vulnerable applications...

B: Some kind of, you know, a set of samples to look into, yeah.
A: I mean, we've got a... let me find... so you've got access to the shared document. I mean, you probably wouldn't...

A: Like Docker and stuff are particularly useful, and quite a few of us want to, you know, we want to know what target applications are containerized rather than, particularly, specifically VMs or anything. So that's a pretty good start. There's quite a few things there.

A: Of these, some of the... particularly, I mean, the offline ones. Either... I mean, there's BodgeIt Store, which is an ancient one which I created, but there's some other OWASP projects there as well. I know the project leads, so I think there won't be a problem in getting those projects to adopt a standard if we come up with something that's workable. So, and that's...

A: Where, you know, I'd be happy to put in a pull request as long as it's not too difficult to get these things working and to put those in the relevant directories.
B: You know, like I said, I'm not, you know, really well familiar with web application... say, well, conceptually, yes, but not on the hands-on side. So maybe, I don't know what would be your approach, maybe look into these applications and then somehow try to, you know, see if it fits well. But I suppose that you already spent a good amount of time defining the 1.1 version.
A: So, I mean, I defined the 1.0 and then the 1.1 got committed without any real review, so it'll be kind of useful to get the folks from Microsoft involved again, if they're still interested.

A: So one option, I think, is if you, me, anyone from Microsoft and anyone else who's interested kind of maybe try and have another call sometime. It doesn't have to be part of this working group meeting. We'll do it, you know, the same...

A: It's part of the working group, but we can just go off to one side, because otherwise we might be wasting the time of other people. But I didn't give the Microsoft people much notice either, as you've seen, but yeah, we can try and arrange it, and if they're not interested, then I'm happy to kind of work on it with you, because I think it really needs somebody who wants to drive it forward.
B: Sounds good. So just out of curiosity, so basically these, well, essentially key-value pairs in the definition, are these kind of the settings that you would normally do by hand in ZAP, like port number and things like that, yeah?
A: So, I mean, generally with the deliberately vulnerable apps I've played around with, usually they have a one-liner to start them up, but you can't tell from that one-liner easily. I mean, you can parse them for ports and things; they don't always have them there. They don't... you know, you often have paths as well. You certainly don't have, you know, any authentication, any credentials in there. That can be useful, so things like ports, definitely, you know. Typically, we just need, for ZAP...

A: We need a URL to get started. If we've got the URL with the port and the path, we're happy, but I think the folks from Microsoft said they were doing this. They already had something doing this, and these were things they found useful, and on that basis, like, yeah, I'm sure, fine.
A
B
Sure
sure,
okay,
so
so
the
I
don't
know
what
what
would
be
your
your
initial
thought
and
then
how
to
start
to
to
do
like
a
very
first
version
of
a
poc
based
on
one
or
more
of
these
vulnerable
applications.
Probably
right.
A: Yeah, I mean, there's one application called Juice Shop from OWASP. It is a really good vulnerable application, and it's one that... so when I was at Mozilla I ran a capture-the-flag event on it at the all-hands. It went down very well, so it's really well maintained and is pretty straightforward to start, so that would be a good one that people might want to actually use. I said BodgeIt Store is one that I created years ago, so I've still got full permissions for that.

A: So we want to mess around and, you know, it still gets quite a few pulls. We actually use it for some of our testing still just because it's simple, so those two are very easy. It should be straightforward to... I said BodgeIt, I've got full access to this, I can do what I like, but Juice Shop, come up with something sensible and I'm sure I'll be able to persuade Björn, the project leader, to adopt something, particularly if we give him a pull request.

A: Sorry, the Juice Shop, or yeah.
B: Perfect, and then I suppose, I mean, just as a, you know, kind of very quick thought, so what would be the way to actually give ZAP all these, you know, these arguments? So I'm not familiar so much with the tool. Is there a way to kind of pass it... to call it on the command line and pass it all the arguments, or...

A: Sure, so the plan here was that we would have this file, the web application definition, and that would live in the target applications. So something like Juice Shop would have a dot config web app dot yaml file. Then it's up to the tool authors to actually make use of that.

A: I like the idea of, you know, a completely tool-independent PoC. We'll just go: look, we bring it up. Maybe we do a curl request to the target application to prove it actually works, you know. And so, yeah, you know, test action: action, bring it up, wait for however long it takes, you know, loop making curl requests until it comes up, go "okay, yep, it's done", close it down, action's completed. Then what I can do is I could take that and I can do all the mangling to get it into ZAP.

A: So that's that, and we were thinking each tool author would then go, okay, I want to support this standard. It's... look, you know, I think there's a chance it'll take off, so we...

A: So there's the GitHub Marketplace action for the ZAP baseline scan. So this is a relatively quick scan because we're just spidering, we're not doing any attacking. We've got other ones on there, the full scan and the API scan as well, but you kind of... you've got to put in quite a few different parameters, quite a few of them optional. But the idea is, you know, with something like this you wouldn't actually need to put any parameters in at all.

A: I think the idea was, because we were really initially looking at trying to make open source projects as secure as possible, so the idea is we would then try and encourage open source projects to adopt this, and maybe we'd kind of pick on some... try and find some well-known projects and actually put pull requests into them to support this standard, and then write something which basically on a schedule, you know, just keeps on going through, looping through all the projects.

A: Great, and I'll follow up on that email thread, see if the Microsoft folks are still interested. Out of interest, is anyone else on this call remotely interested in what we're talking about, or are you here for something else?
D: Showering the kids, but I'll... it's my first time here as well, but I'll look.
C: Yeah, I'm in the same boat here. I think this is really interesting. I'm trying to catch up because Wind River just joined OpenSSF a couple of months back, and I'm trying to get back engaged with the different working groups and everything, so just trying to come up to speed. But any security tooling is always a good thing, right?
A: Excellent, great. So if it looks like this is actually getting some traction, then we can certainly start talking about it more amongst our various, you know, contacts and organizations, and hopefully we can get more interest out of OWASP as well.

A: So we have these meetings every couple of weeks, and I don't think anything's going to happen too quickly. But if Paul tries to have a look at this stuff, then we can have another chat in a couple of weeks' time and I'll see if I can get anyone else interested as well.
B: Are we using some kind of Slack channel or something like that? I mean, if we want to communicate off... like in a synchronous manner, then email is probably a bit tricky.
A: Yeah, there is a Slack; it's at the top of the document, slack.openssf.org. I haven't actually logged in for a little while, so I hope to do that.

A: So is there anything else, not associated with the web application definition, that anyone would like to chat about?

A: So Jen, was there anything you wanted to contribute, or anything you'd like to... anything you'd like to know about the working group, or...
E: Please don't hesitate to reach out. I'll pop my email in chat. And maybe just... you may have seen on the general sort of announcements email list and in Slack that we're taking self-nominations for the TAC and the security community individual representative for the board, and if you feel like you're an eligible voter, that you've contributed and want to participate in that election...

E: Okay, great, I will do that. I will go ahead and, if there isn't a playlist for this work group on the OpenSSF YouTube channel already, I'll create one and then we'll get in a good routine here of getting these posted. So, great, happy to help out. Great, thank you all, I'll be...
A: Very useful. Right, well, if there's nothing else anyone wants to chat about now, then... maybe just a quick question.
E: Oh, yes, the technical advisory council. So it's the...
A: Well, in that case, thank you all for joining us and hopefully see you next time.