►
From YouTube: Security Tooling Working Group (August 16, 2022)
C
E
F
F
B
F
F
All
right,
I
assume
that
great,
that's
why
I'm
everywhere,
all
right,
the
s-bomb
everywhere
click
the
link.
You
get
the
doc
there's
an
agenda
item
for
today.
Well,
agenda
section-
I
guess
so
to
for
anyone
who
wasn't
here
I'll,
just
kind
of
summarize
where
we're
going
there
is
there's
a
github
repo,
which
is
we
do
not
have
in
the
meeting
info.
I
will
add
that
later
david.
Do
you
mind?
Can
you
probably
get
her
repo
for
me,
quick
and
just
paste
it
in
the
chat
which.
D
F
F
We
should
submit
pull
requests.
We've
got
some
to
do
items
in
this
document
here
around.
You
know
filling
out
some
more
of
the
scope
as
well
as
we've
got
a
charter.
That's
not
really
filled
out
there
there's
plenty
of
work
to
do
so
if
anyone
would
like
to
volunteer
that'd,
be
lovely,
but
anyway,
if
we
oops,
I
just
closed
my
my
town,
apologies.
F
A
F
Great,
so
here
are
the
I
put
an
old
business
section
in
this
is
what
we
talked
about
last
week
and
we'll
kind
of
briefly
go
over
some
of
this,
and
then
we
can
tackle
some
of
the
new
things
now.
Obviously,
not
all
of
the
old
things
are
done
and
it's
coming
so
I'll
give
a
status
update
on
the
python
library
funding.
F
F
This
issue
for
the
s
bam,
lab
spdx
library,
funding.
We,
the
the
quick
background,
is
we
have
an
spdx
python
library
in
desperate
need
of
attention,
and
so
we
asked
the
open
ssf
tac
if
they
would
be
willing
to
fund
bringing
the
library
up
to
snuff
and
they
unanimously
voted.
Yes,
which
is
great.
So
now
it's
going
to
the
governing
board,
where
the
governing
board
theoretically
will
approve
the
spend
and
then
we
can
get
this
moving
and
like,
for
example,
spdx
2.3
came
out
a
couple
days
ago,
like
the
python
library.
F
Doesn't
I
don't
think
it
even
does
2-2
correctly,
but
that's
it.
This
is
great
right.
This
is
a
good
example
of
what
the
sig
can
do
and
why
it
will
be
good
to
fund
it.
I
guess
is
what
we'll
say
when
we
go
to
potential
donors
and
funding
sources
of
showing
that
it's
not
just
a
money
fire,
we
can
actually
turn
your
investment
into
work
and
progress.
F
So
yeah
I'm
excited
about
this
one.
I
think
if
anyone
has
questions
just
speak
up,
I'm
not
gonna,
because
I'm
sharing
my
screen
it's
hard
to
see
if
someone
has
their
hand
raised.
So
if
something
like
david
or
someone
could
maybe
just
yell
out,
if
there's
a
hand
raise
otherwise,
let's
keep
moving.
Kate
is
working
on
a
one-page
overview
for
s-bombs,
so
this
one
is
ongoing.
I
don't
know
what
else
to
say.
I
talked
to
her
about
it.
She
said
she's
working
on
it.
She
was
busy
with
spdx23
stuff.
F
G
Yeah,
so
the
s
bomb
use
cases
it's
still
in
progress.
I
think
that
it
is
being
tracked
in
that
yeah
right
there.
I
yeah.
I
think
that
it's
I
really.
What
would
be
helpful
would
be
to
get
some
some
clarity
around
the
assumptions
at
the
top
that
state
explicitly
the
like
the
types
of
s
bonds
and
getting
a
little
more
clarity
around.
That
is
that
still
in
the
document,
I
don't
know.
G
F
I
I
D
G
D
D
D
Yeah
now
I
actually
have
some
problems
because
I
think
there's
some
important
things
missing
here,
but
probably
one
of
the
most
obvious
ones
is
there's
nothing
that
talks
about
and
now
ilk
there's
consuming
for
views,
but
nothing
about
doing
risk
analysis
specifically
and
nothing
about.
I
need
to
do
an
inventory
of
all
my
products
across
my
organization
which
have
this
vulnerable
component
in
them,
and
you
can
argue
that
consume
might
be
helpful
to
that.
But
it's
a
lot
like
you
know,
hey
a
keyboard
might
be
helpful
for
writing.
Programs.
G
I
I
I
Source
s-bombs
not
overly
useful
for
most
security
use
cases,
but
for
some
build
time,
s-bombs
very
useful
for
most
security
use
cases
and
then
you've
got
deploy
runtime.
These
are
sdlc
lifecycle,
things
which
are
two
entirely
different
parts
of
the
life
cycle,
but
there's
other
parts
to
the
sdlc
as
well.
I
Now
in
cyclone
dx,
we
we
differentiate
what
something
is
versus
the
life
cycle
in
which
something
was
produced.
We
had
agreement
between
in
austin
just
so.
Everyone
knows
folks
and
cyclone
dx
folks
met
up
in
austin
at
the
ossf
conference,
and
it
was
interesting
because
kate
and
I
we
we
both
had
agreements
that
life
cycle
is
really
really
important.
I
F
Steve
thank
you
for
that
that
background.
Okay,
what
are
we
doing?
We're?
Does
anyone
else
have
any
other
kind?
I
guess
no.
You
know
I
want
to
move
on,
because
I
don't
want
a
rat
hole
in
this.
I
think
if
anyone
has
any
comments
or
suggestions,
we
have
a
github
issue
and
we
have
a
document
like
let's
bring
the
work
there
and
go
to
town
and
we'll
check
back
in
on
this
at
the
next
meeting
and
and
see
how
things
are
going
all
right,
cool,
let's
keep
moving.
F
We've
got
ntia
documents
into
something
more
friendly,
which
we
have
spx
cyclone
dx
and
suid.
Steve
said
that
cyclone
dx
has
a
tool
center,
which
is
more
updated,
obviously
than
the
ntia
documents.
I
actually
haven't
looked
at
your
your
tool
center
at
all.
How
big
is
this?
This
is
pretty
big,
so
this
is
one
of
my
concerns.
I
guess
I
have
with
this
is
like
this
is
an
untenable
list,
and
I
don't
I
don't
know
what
what
I
expect
or
what
I
mean
yet,
but
I
feel
like
I
would
like
anything.
G
And
I
think
that's
why,
like
so
to
me,
like
you,
know,
referencing,
cycling,
dx
more
as
a
specification
or
a
format
allows
you
to
kick
the
technical
downstream
bulk
of
the
documentation,
that's
actually
being
actively
maintained
without
it,
like
kind
of
cluttering
the
conversation,
I
guess
I
think
that
was
my
in
this
particular
thread.
That
was
what
I
was
attempting
to.
F
B
H
H
So,
if,
like
somebody
is
in
the
need
of
a
particular
s-bom
tool
to
fulfill
some
particular
use
case,
that
will
be
discussed
and
defined
in
the
other
use
case,
then
we'll
take
these
use
case,
descriptions
for
instance,
or
classifications
and
put
them
into
yeah,
whatever
kind
of
data
format.
But
there
needs
to
be
some
that
we
can
feed
into,
for
instance,
another
instance
of
the
elf
landscape
or,
for
instance,
the
the
cyclone
dx
tool
center.
But
I
think
that
would
be
the
purpose
that
somebody
who's
looking
for
some
tooling
can
search
that
place.
H
For
let's
say
something
that
can
help
them
fulfill
the
their
needs
and
then,
of
course,
maintains
maintenance
is
always
an
issue.
Interestingly,
like
again,
the
lf
landscape
use
case
is
very
good
one
because
it
works
in
a
very
distributed
fashion,
so
the
the
tool,
maintainers
distributors
and
so
on,
could
kind
of
maintain
the
data
themselves
kind
of
taking
the
burden
of
us
to
having
to
provide
a
100,
up-to-date
list
of
things.
H
C
So,
with
the
other,
with
the
other
mobilization
plan,
sigs
that
I'm
in
the
first
step
has
been
to
look
at
the
plan,
which
was
put
together
very
very
quickly
to
present
in
washington
was
the
first
look
at
what
had
been
put
together
quickly
and
iterate
on
what
had
been
learned
since
then
and
refine
and
come
up
with
a
plan
for
what
are
the
moving
pieces?
What
would
we
like
to
accomplish
in
year,
one
year
two
year,
three?
C
How
can
we
come
up
with
an
actual
project
plan
for
this
and
for
s
bomb
everywhere?
I
don't
get
the
sense
that
we
know
that,
and
I've
been
in
all
of
the
publicly
announced
as
bomb
everywhere
meetings,
although
there
have
been
a
number
of
conversations
that
have
happened,
kind
of
along
the
edges,
so
I've
been
in
all
of
those
conversations
that
I
have
known
about,
and
I
still
don't
see
that
we
have
a
project
plan
and
everybody's
just
kind
of
off
doing
their
own
thing
and
it
doesn't.
C
Of
those,
this
is
one
of
those
pieces,
I'm
like
okay,
this
could
be
important,
but
where
does
it
fit
in
and
what's
its
prioritization?
And
I'm
not
looking
for
over,
like
to
add
a
bunch
of
bureaucracy
to
the
process,
but
I
would
like
some
sort
of
process
because
right
now
it
kind
of
feels
haphazard
and
chaotic.
G
C
G
C
C
I
think
I
think
that
could
be
part
of
what
the
group
does,
if
that,
if
that
does
not
exist,
I
mean
first
look
to
see
whether
it
does
exist.
If
it
doesn't
exist,
hire
someone
to
develop
that
market
data,
but
the
goal
is
s-bomb
everywhere
right.
What
does
that
mean,
and
what
do
we
require
in
order
to
make
that
happen?
F
No
you're
absolutely
right
like,
but
we
need
someone
to
write
this
down
and
and
make
it
a
thing
like
there's
this
scope
section
of
the
readme
that
cameron
and
I
started
putting
together
but
like
this.
Is
this
part
here?
The
draft
this
needs
a
new
line,
but
like
this
is
what
was
written
down
in
that
that
document,
and
so
we
we
don't.
G
C
Absolutely,
but
I
do
think
that
we
could
use
a
bit
more
a
better
framework
around
this
than
hey
there's
a
thing
to
just
go
ahead
and
do
it
setting
up
expectations
coming
up
with
you
know,
action
items
you
know,
standard
project
and
program
management,
sort
of
stuff,
I
think,
would
be
very
helpful
right
now
and
yes
josh.
I
am
writing
it
down
and
I
will
be
working
on
that.
C
F
And
look
so
david,
I'm
going
to
let
you
speak
in
just
a
second,
but
I
wanted
to
address
a
couple
things
from
vicki.
First,
it
is
disorganized,
I'm
not
a
good
organizer.
I
need
help
with
that.
I'm
very
much
the
crack
den
open
source
development
model
person,
and
so
we
build
the
bus
as
we
go
down
the
road
and-
and
I
I.
F
Is
great,
but
that
means
someone
has
to
do
it
and
and
so
vicki's
going
to
help
and
anyone
who
wants
to
help
vicky
like
please,
please
get
involved
in
help.
This
is
there's
nothing
that
annoys
me
more
than
a
bunch
of
people
who
show
up
to
meetings
and
and
moan
and
then
never
help
like
that's
not
going
to
cut
it.
So
if
you
want
it
done
you're
going
to
do
it
and
and
that's
great
but
yeah,
that's
like
that's.
F
D
Yeah,
so
I
I
I
think,
vicki's
on
something
in
terms
of
hey,
let's
step
back,
what's
the
goal
here,
so
you
know
when
I
see
this
whole
s-bomb
everywhere.
What
I
think
is
the
intent
is,
we
need
specific
tools
easily
available
and
I
would
say
certain
kinds
of
them
need
to
be
freely
available,
open
source
tools,
because
otherwise
we
won't
get
them
everywhere.
I,
and
in
particular
I
have
in
mind
three
specific
categories.
At
least
the
first
two
I
think
need
to
be
open
source
widely
available.
D
D
D
Now
I
actually
do
care
because
of
course
we
don't
want
to
rewrite
those
tools,
eight
gazillion
times
we
need
to
have
formats
and
so
on,
but
I
think
those
are
the
three
primary
use
cases.
I
acknowledge
that
those
other
use
cases
like
analyzing
a
final
comp
product
to
figure
out.
What's
in
it,
I've
me
I'm
sure
that
that
people
will
need
those
tools.
D
D
D
To
do
cover
those
three
cases
we're
doing.
Well.
Sorry,
can
you
make
sure
you
write
all
this
down?
Yes,
I've
actually
written
this
down
else
first,
but
I
will
let's
see
here:
where
would
you
like
me
to
write
this
down?
Do
you
want
to
write
this
in
the
s
bomb
everywhere,
sing
agenda,
meeting,
meeting
notes.
D
Okay,
yeah,
so
I
I'm
sure
there's
other
cases.
As
I
said,
you
know,
there
are
other
things
that
people
want
to
do
for
sure,
but
I
I
would
like
to
kind
of
focus
and
let's
figure
out
the
cases
we
most
care
about
and
then
basically,
at
least
for
the
first
two
get
tools
into
people's
hands
that
just
do
the
job
well
quickly
and
people
can
move
on
with
their
lives.
B
B
So,
for
example,
if
we
just
look
at
that
first
sentence
that
scope
sentence-
you
know:
barriers
to
generation,
consumption
and
adoption
of
s-bombs.
What
are
those
barriers
do
we
have?
We
do
we
have
a
clear
idea
of
what
those
barriers
are.
I've
been
in
this
business
a
long
time
we've
been
generating
s-bombs
for
20
years.
B
To
be
quite
honest,
I
don't
really
end
at
many
different
levels,
all
the
way
down
to
the
all
the
different
types
that
you're
talking
about,
but
there
are
barriers
that
companies
are
going
through
right
now
in
terms
of
the
generation
of
them.
In
the
devops
pipeline,
the
consumption
of
them
getting
them
outside
of
the
text
file
and
being
able
to
consume
them.
B
So
maybe
that's
a
conversation
for
our
future.
You
know,
maybe
we
can
all
think
about
the
barriers
and
have
a
discussion
someplace.
Maybe
out
in
I
don't
github.
Discussions
are
great
too.
If
we're
going
to
focus
everything
on
github,
it
might
be
benefit
us
to
use
the
discussions
to
have
these
kinds
of
discussions.
So
when
we're,
when
we
have
the
time
we
can
sit
down
and
start
throwing
out
some
ideas
and
understand
and
in
this
case
identify
what
we
believe
the
barriers
are.
F
F
I
Yeah,
so
it's
interesting
the
the
three
things
that
david
pointed
out
in
terms
of
the
generation.
I
think
there's
a
lot
of
tools
that
do
this
today.
We're
kind
of
swimming
in
tools
which
is
actually
one
of
the
problems,
actually
there's
a
lot
of
choice
regardless
of
python
or
java
or
javascript,
or
what?
What
not
there's
a
lot
less
tools
as
you
go
down
for
risk
analysis,
there's
a
lot
less
tools
and
then
you
go
down
to
the
identification
of
products
in
my
organization,
there's
even
fewer
of
those
tools.
I
I
think
there's
one
other
classification
of
tools
that
simply
don't
exist
at
all,
which
I
just
want
to
maybe
put
on
the
radar,
the
owa
software
component
verification
standard.
I'm
not
sure
if
anyone
knows
what
that
is,
but
it's
it's
a
way
to
measure
and
improve
software
supply
chain
insurance
very
similar
to
salsa.
I
would
equate
scvs
as
a
little
bit
wider
scope
a
little
less
prescriptive,
whereas
salsa
is
narrowly
scoped
and
more
prescriptive,
both
with
the
same
you
know
intent,
but
anyway,
the
scbs
project.
F
I
I
A
Yeah,
just
one
one
quick
go
back
for
tracy
for
the
barriers
to
adoption.
Are
you
envisioning?
Actually,
you
know
doing
some
user
research
there
to
get
a
ground
truth
sense
of
what
those
barriers
are
or
are
there
links
that
perhaps
already
capture
the
barriers
that
I
can
look
through
to
help
to
help
start
that
documentation
in
github.
B
I
don't
think
we
know,
and
you
know
in
terms
of
doing
any
kind
of
research
that
would
have
been
something
that
would
be
approved
to
spend
some
money
on,
but
am
I
personally
going
to
sit
down
and
do
research
on
this?
No
I'm
just
pointing
out
that
when
we
look
at
you
know
if
we
were
to
take
this,
our
our
scope
here
and
set
it
in
front
of
a
handful
of
dc's.
B
First
thing
they
would
say:
ask
us
is
what
problem
are
you
trying
to
solve
and
we
have
not
defined
that
and
that's
why
I
feel
like
it's
confusing,
because
I
think
we
all
come
to
this,
and
this
is
what
I've
seen
it's
not
a.
I
don't
want
anybody
to
think
that
I'm
picking
on
anyone,
but
I
feel
like
we
all
come
to
this
with
an
agenda.
B
We've
all
worked
on
s-bombs
we're
excited
to
finally
have
people
to
talk
about.
S-Bombs
too.
We
want
everybody
to
know
what
we're
doing
and
what's
happening
and
how
we,
you
know
how
we've
interfaced
with
them,
how
we've
used
them,
but
we
haven't
as
a
group
to
find
the
problems
that
we're
trying
to
solve,
and
if
that
means,
we
need
to
go
out
to
get
some
funding
to
do
some
research,
then
maybe
that's
what
we
have
to
do.
D
Yeah
two
completely
different
topics.
I,
I
guess
I'll
think
of
a
reverse
order.
First
of
all,
as
far
as
the
you
know,
gy,
I
agree
with
you.
Always
it's
important
to
always
start
with.
Why
are
you
doing
this?
That's
why
I
was
focusing
on
those
three
use
cases.
The
second
use
two
use
cases
the
risk
analysis
using
an
s-bomb
and
identification
of
products
in
an
organization
that
have
a
that
probably
have
a
key
vulnerability
using
s-bombs.
D
I
think
you're,
really
the
the
driving
goals
and
the
generate
s-bombs
is
merely
because
that's
a
necessary
precondition.
You
can't
analyze
create
s-bombs
unless
you
have
s-bombs
so
I'd,
certainly
I'd
like
to
at
least
propose
that
that
be
an
answer
to
the
question,
and
you
know,
if
you
don't
disagree
with
my
answer
great,
then,
let's
figure
out
what
the
right
answer
is.
Let
me
push
back,
although
not
very
much
against
steve.
I
actually
agree
with
steve
that
is
important
to
be
able
to
answer
the
question.
I
have
this
thing.
D
D
I
think
that
that
would
just
be
part
of
a
tool,
because,
if
you're
trying
to
analyze
an
s-bomb
to
answer
a
question,
you
should
be
able
to
figure
out
wait
a
minute.
This
input
for
this
input
and
not
answer
the
question
I'm
designed
to
answer
so
I
agree
with
the
need
for
it,
I'm
hoping
that
that
can
just
be
embedded
in
one
of
those
other
two
cases
that
I
mentioned.
If
I'm
wrong,
please
help
me
understand.
Why
can.
D
Think
the
answer
is
no,
because
if
it
because
tool
means
automation
and
if
we're
not
meeting
automation,
I
don't
care.
If
I
I
think
that
the
the
time
when
we
only
when
software
components
have
three
or
four
reused
components
in
them,
transitively
is
long
in
the
rear
view
min
here.
We've
gotta
have
automation
for
this
stuff.
G
Like
a
pipeline,
or
I
mean
a
script
that
invokes
multiple
tools
to
repeat
the
same
type
of
thing
but
allows
another
tool
to
attest.
To
I
mean
I
I'm
trying
to
understand,
I'm
I'm
attempting
to
reconcile.
How
is
it
that
a
tool
can
provide
from
within
itself
a
verifiable
means
of
what
it
is
producing
without
some
sort
of
observation
occurring
on
the
tool
itself
like
like
an.
D
I
can
answer
that
one
at
least
the
way
I
think
you
mean
it,
but
others
can
jump
in
here.
Real
quick.
I
mean.
I
know
that
the
let
me
let
me
just
be
specific
about
the
us
government,
although
they
are
by
no
means
the
only
customer
they're
getting
a
lot
of
pushback
from
closed
source
vendors
who
do
not
want
to
reveal
a
lot
of
information.
D
I
understand
that.
So
you
know
one
possibility
of
the
obvious
possibility
is
hey
I'm
a
close
source
vendor.
I
will
tell
you
the
top
level
components.
I
won't
tell
you
the
full
transitive
closure
and
a
and
if
they
do
that,
the
obvious
way
is
to
market
okay,
I
gave
I
I
do
include
component
x.
I
won't
tell
you
what
component
x
contains.
D
J
Yeah,
so
just
kind
of
taking
what
david
was
saying
for
for
risk
analysis.
There
are
tools
like
open
policy
agent
that
can
be
leveraged.
That
will
allow
us
to
take
the
information
that
the
s
bombs
contain
and
make
decisions
upon
whether
something
is
what
for
lack
of
a
better
word,
trustworthy
or
not,
and
the
reason
why
I
kind
of
lean
towards
a
open
policy
agent
is
because
my
view
of
what
is
risky
is
going
to
be
different
than
another
person's
view
of
risky.
J
So
you
can't
do
a
single
kind
of
stamp
on
the
risk
level
for
something
it's
going
to
have
to
be
driven
by
each
individual
organization
and
even
possibly
each
individual
team
and
within
the
organization
on
what
they
think
risk
is.
So
I
think
that's
where,
when
we
look
at
risk
that
we
we
need
to
have
the
data
available,
so
it's
easy
to
consume
to
make
those
decisions.
A
Yeah
I
just
wanted
to
agree
and
and
put
a
perspective
on
what
tracy
said.
I
mean
I
think
that
would
be
great
for
us
to
level
set
on
the
problems
from
two
different
perspectives:
the
problems
faced
by
people
who
want
to
produce
s-bombs,
as
well
as
people
who
want
to
consume
us
bombs,
especially
in
an
automated
fashion,
and
I
think
that
level
thing
in
the
problems
and
then
identifying
the
use
cases,
some
of
which
you
know.
I
like
some
of
the
ones
that
have
been
most
helpful
for
me.
A
F
Yeah,
I
agree.
I
agree
completely
all
right
we're
almost
out
of
time.
I
want
to
use
the
last
couple
of
minutes
to
run
through
this
list
and
make
sure
we
have
everything
captured.
We
need
to
capture
someone
just
just
yell
if,
if
there's
anything,
we're
missing
so
we've
got,
I
think
he's
going
to
start
working
on
goals
and
purpose
for
the
group
now
I'll
create
issues
in
github.
E
E
At
what
level
you
are
incorporating
functionality
like
generating
s-bombs,
as
well
as
key
functionality
of
pulling
in
a
bunch
of
different,
obviously
open
source
tools
to
start,
but
beyond
that,
integrating
proprietary
vulnerability
and
other
scanning
tools
into
one
cohesive
dashboard
to
completely
build
and
manage
the
reporting
around
this.
So
it's
still
in
its
development
phase.
What
I'm
looking
for
is
trying
to
gauge
some
interest,
and
I'm
doing
this
quite
rapidly.
E
You
know
I'll
have
some
things
in
diagrams
to
present
at
a
future
state,
but
really
what
I'm
looking
for
is
if
this
type
of
aggregation
and
tooling
is
of
interest
to
anyone
to
see
if
any
of
the
people
within
the
the
group
would
be
willing
to.
As
we
reach
the
mvp
stage,
do
some
user
acceptance
testing
talk
through
some
of
the
functionality
and
see
if
there
are
areas,
maybe
of
improvement,
and
do
some
of
that
initial
walk
through
with
us?
So
I'm
looking
for
volunteers
to
potentially
help
us
in
the
coming
months.
E
F
Nice,
that's
very
exciting,
all
right
all
right,
I'm
gonna
tear
through
this
really
fast.
Now
all
right.
What
do
we
have
new
business
I'll
open,
an
issue
for
clearly
defined
goals
and
purpose?
Actually
we
kind
of
have
an
issue
for
this
already.
I
don't
know
I'll,
because
we
started
cameron
and
I
there
was
an
issue
for
may.
E
F
D
C
Yeah
this
this
stuff
I
will
be
looking
at,
is
very,
very
closely
aligned
and
if
not
exactly
the
stuff,
that
tracy's
been
talking
about,
really
defining
the
problems.
And
then
you
know
looking
at
how
we
can
or
whether
we
will
even
defining
whether
we
will
try
to
solve
the
problems,
but
because
some
things
might
not
end
up
in
scope
or
that
sort
of
stuff.
So
tracy.
I
would
love
to
collaborate
with
you
on
that.
It
sounds
like
you've
got
a
lot
of
good
thoughts
as
well.
C
C
C
A
C
A
F
Will
I'm
gonna
open
a
second
issue
for
this
and
reference
it
from
the
first,
because
I
think
it's
a
big
enough
question
so
I'll
this?
This
will
be
an
issue.
Vicky's
thing
will
be
an
issue
and
then
what
else
do
we
have
here
steve?
How
do
you
want
to
deal
with
your?
I
guess
bomb
analysis
tool.
I
don't
know
what
to
call
this.
I
I
Standard
the
verification
standard
was
published
a
few
years
ago
and
we
have
a
working
group
that
meets
every
two
weeks
on
a
thursday
morning.
I
believe
that
is
coming
up
with
the
maturity
model
and
we
are
working
through
that.
I
believe
we
have
the
taxonomy
pretty
well
done
now
minus
a
few
minor
issues.
The
next
step
is
going
to
be
working
on
the
maturity
model
itself.
I
How
defining,
how
difficult
certain
things
are
going
to
be
able
to
achieve,
and
when
once
that's
done,
then
it's
really
just
a
matter
of
creating
the
pdf
for
human
consumption
and
the
json.
Once
the
json
is
available
that
you
know
again,
if
you
could
hook
up
tools
to
op
open
policy
agent
or
whatever,
because
quite
frankly,
different
groups
have
different
expectations
for
what
would
be
in
a
bill
of
material.
If
I'm
a
legal
department,
I'm
going
to
certainly
ask
for
certain
things,
then
my
security
department
will.
F
A
F
F
I
wonder
if
we
lost
steve,
I
bet
we
did
okay,
I
don't.
I
can't
think
of
a
work
item
off
that
at
the
moment,
which
is
fine.
It's
we're
about
out
of
time
anyway.
If
anyone
has
anything
else,
bring
it
to
the
list
open
an
issue,
there's
slack
whatever
floats
your
boat
is
fine.
I
like
this.
I
think
this
was
a
great
meeting
and
I
think
vicki
and
tracy
asked
some
really
hard
questions
and
that's
perfect.
So
thank
you
very
much
for
that.
A
F
A
Echo
that
josh
and
just
say
that
I've
attended
these
meetings
in
the
past
and
this
one's
been
quite
productive
and
I
think,
there's
been
a
a
good
dial,
a
good,
healthy
dialogue
and
thanks
again
josh
for
your
leadership
and
steve
thanks
for
joining
us
for
this
session.
It
was
definitely
interesting
to
hear
your
input.