►
From YouTube: Security Tooling Working Group (April 11, 2023)
B
B
C
B
D
D
C
D
C
D
E
D
D
D
D
Well,
I
think
it
all
comes
from
the
if
you
do
it
by
lines
of
code
and
people
always
complain
about
the
lines
of
code
measure,
but
I
think
it's
helpful
for
getting
an
idea
of
scale.
It's
like
you
know.
The
average
npm
package
is
one
one
hundredth
of
the
average
lines
of
code
in
python
python.
In
particular,
you
know,
and
even
though
both
are
you
know,
you
know
there
are
some
similarities,
but
that's
a
really
big
difference
that
causes
many
other
things
to
be
different.
Yeah.
D
D
C
C
I
will
apologize
in
advance
to
everyone
here.
I've
been
gone
for
more
than
a
week
and
I'm
gonna
do
what's
going
on,
so
the
agenda
is
here,
I'll
paste
that
if
everyone
can
sign
in
as
an
attendee
and
then
introduce
yourself
in
the
chat,
Kate
has
s
bomb
use
case
document
we're
going
to
work
on
today.
But
if
does
anyone
are
there
any
tooling
topics
before
we
move
on
to
s-pom
everywhere.
D
F
D
E
D
C
G
C
G
So
from
the
use
cases
perspective
here,
so
this
is
the
document
we
sort
of
had
started
a
while
back
and
then,
after
the
last
meeting
when
we
were
talking
about
this
people
started
going
in
and
flushing
things
out
a
bit
more.
So
what
I'd
like
to
do
right
now
is
see
if
we
all
agree
with
what
people
are
adding
and
just
quite
frankly,
click
add
and
see
if
this
Sparks
other
ideas
and
thoughts
as
we're
going
along
as
well,
so
that
we
can
get
an
articulation.
G
C
G
That's
why
and
then
it's
also
compliance
proof
of
compliant
now,
I'm,
not
so
sure
about
compliant
use
of
crypto,
cryptography
and
and
cryptographic
sensors
is
that
does
someone
else
feel
comfortable
that
feels
strongly
on
that
one
and
I
guess
I'm
going
to
I'm
going
to
tap
on
Emily
here,
because
she
may
understand
where
this
one's
coming
from
and
I
know.
She
knows
this
space.
H
Yeah
thanks
for
throwing
me
in
the
fire,
Kate
I
mean
this
probably
was
from
Matt
murkowski
from
IBM
yeah.
There
is
an
effort
around
there's
a
nist
nccoe
effort
around
discoverability
of
Quantum,
vulnerable
algorithms
and
then
also
ensuring.
How
do
we
move
forward
in
the
in
the
future
to
ensure
that
libraries
and
applications
make
use
of
post,
Quantum,
safe
algorithms,
and
so
there's
a
c-bomb
effort
so
that
people
can
document
what
algorithms
are
in
use,
in
particular
software,
to
make
discoverability
easier.
H
B
D
Yeah
I
I
agree.
In
fact,
I
would
push
it
to
just
simpler,
simpler
to
a
statement
of
the
cryptographic
ciphers
used
instead
of
a
proof
of
compliance,
because
an
s-bomb
can't
prove
well,
an
s-bomb
can
be
used
as
evidence
of
compliance,
but
you
know
it's
I
I
compliance
to
what
would
be
the
questions.
No.
E
D
B
F
E
G
D
Well,
I,
don't
have
any
trouble
with
noting
this
as
a
future.
I
mean
I'm,
a
big
believer
in
the
minimum
viable
product-
it's
okay
to
say,
hey
in
the
long
term.
I
would
like
to
go
there
for
this
first
version.
I
am
not
going
to
try
to
bite
off
that
Apple
I'm
still
trying
to
get
basic
information
out
the
door
and
widely
applied.
G
C
Think
everything
here
is
what
David
said
it's
very
future
based,
but
there
is
there
are
things
you
can
do
today
for
compliance
like
a
good
example
is
like
an
encore.
We
have
a
lot
of
customers
using
the
product
for
fedramp
compliance
right,
and
in
that
case
it's
really
about
returning
package,
names
and
versions
and
then
using
that
to
feed
vulnerability
data
and
then
that
feeds
fedramp.
D
G
D
D
C
E
G
G
E
D
G
G
G
G
G
G
C
G
B
I
G
G
And
that
sort
of
separates
out
you
know
those
who
are
handling
the
ins
and
outs
effectively
of
software
in
an
organization
to
those
who
are
designing
a
product
which
are
different
roles
to
some
extent.
Okay,
security
operations
I
like
that
better
than
slash
no
one.
It's
great
I'm
just
going
to
accept
that
one
and
then
Tim's
adding
a
pair
graph
and
then
add
some
lists.
G
C
I,
don't
like
the
word
operations
here,
I
think.
Maybe
let's
replace
that
with
maybe
engineer,
because
I
think
in
most
organizations
like
the
security
people
working
in
the
sock
are
very
different
from
the
p-cert
people,
I
mean
not
everywhere,
but
you're
gonna
I
think
we'll
see
hair
splitting.
If
we
leave
the
word
operations
there.
What.
G
G
Is
that
procurements
roll
or
is
that
a
different
role?
Is
that
somewhere
else,
I'm
thinking
yeah?
It
looks
like
he's
thinking,
maybe
post
procurement,
app
architecture
or
security
I
think
it's
probably
the
app
architecture
side
since
they're,
generating
these
s-bombs
here
so
I'm
going
to
probably
move
this
one
up
to
there.
G
C
I
Basically
go
ahead,
sir
I
was
going
to
say
in
in
Dell.
We
talk
a
lot
about
how
our
Downstream
customers
are
going
to
use
the
s-bombs,
and
so
we
say
how
is
the
government
going
to
use
the
s-bombs
that
we
provide
to
them?
How
are
you
know
our
consumers
of
Dell
servers
and
storage
devices
and
laptops
going
to
stitch
together
s-bomb?
So
we
talk
a
lot
about
the
end.
The
downstream
consumer
of
the
s-bombs,
we're
creating.
I
Now
the
EO
requires
you
share
it
with
government
organizations
and
so
in
our
minds,
we're
thinking.
Let's
make
sure
we
can
get
the
products
that
the
government
is
using
their,
what
they
need
for
the
the
minimum
viable
products
to
to
fulfill
their
that
EO
requirements,
and
then
how
do
we
also
want
to
continue
on
with
people
who
don't
necessarily
have
to
have
it
right
now,
but
may
want
to
start
using
it
in
the
future,
so
we're
just
separating
based
on
that
executive
order
right
now.
I
A
I'm,
like
I'm,
triggered
by
your
original
question,
I'm
wondering
if
that's
not
like
if
the
personas
above
or
not
included
here,
so
it
feels
like
a
little
different
or
on
different
different
types
of
personas.
The
the
government
sure
has
this
requirement,
but
of
course,
because
somebody
in
a
government
organization
will
then
do
security.
Engineering
right
or
somebody
in
the
procurement
organization
will
look
at
that
data,
so
is
being
a
government.
G
Okay,
I
think
the
ones
that
we've
got
here
have
different
characteristics
that
will
influence
the
roles
of
the
personas
above
so
I'm
kind
of
comfortable
with
them,
because
quite
frankly,
Academia
slash,
open
source
community
may
actually
be
studying
s-bombs,
maybe
working
with
them.
We're
seeing
a
lot
of
you
know,
interest
there
and
then
other
open
source
projects
may
be
needing
to
import
them
in
generate
out
some
of
their
dependency
information.
Yeah.
G
G
G
G
G
C
I
I
agree
with
you:
Kate
I
think
they're
going
to
be
software
producers,
but
there's
also
going
to
be
consumers
of
different
types
and
so
I
think
having
different
buckets,
makes
sense
and
I
think
I
I,
don't
think
I
I
think
Ava's
not
wrong
necessarily,
but
I
also
don't
think.
There's
a
black
or
white
answer
here.
C
G
G
Developers,
I
think,
there's
a
variety
of
stitching
things
together
and
different
types
of
scenarios
with
build
I've.
You
know
from
discussions
I've
had
with
other
people
like
doing
medical
devices
figuring
out
how
to
do
your
system
of
systems
for
your
final
product
is
something
and
then
how
you're
bringing
in
the
information
that
people
need.
I
think
that
is
a
valid
use
case
again
probably
want
to
keep
this.
F
B
G
B
G
No
I'm
gonna
I'm
going
to
see
if
you
can
help
educate
me
here
and
so
a
service
to
meet
what
you
advertise
as
available
for
services
that
people
connect
to
would
be
different
than
what
you
would
track
internally
for
all
the
people,
all
the
parts
that
made
up
that
service.
Would
you
agree
with
that
definition
that
distinction.
B
So
I
guess
I'm
thinking
specifically
of
the
case
where
person
developer
say,
uses
a
command
line
tool
that
command
line
tool
on
the
back
end
is
communicating
with
a
piece
of
software.
That's
in
the
cloud
to
you
know
to
do
whatever
Matt
as
part
of
its
function
and
then
completing
the
task
for
the
for
the.
So
so
in
that
case,
there's
software
that
is
being
run
on
the
you
know
locally
and
there's
software
that's
being
run
in
the
cloud,
but
the
consumer
of
that
wants
to
know
all
of
the.
D
Mean
no!
It's
because
hey
I'm
going
to
depend
on
this
cloud
service,
okay,
and
it's
perfectly
understandable
that
a
customer
wants
to
know.
Well,
what's
that
cloud
service
depend
on
you
know,
what's
what
you
know
are
those
you
know
up-to-date
components?
What
services
does
it
depend
on,
but
my
understanding
of
a
lot
of
these
Services
is
that
you
know
if,
if
we
think
we're
shocked
by
the
number
of
dependencies
within
a
software
system,
it's
nothing
compared
to
the
Cross
dependencies
within
a
cloud
system.
D
I'll
Point,
specifically
to
Amazon,
because
different
organizations
work
different
ways,
but
I
know
that
in
Amazon
they
have
very
much
a
culture
of.
If
you
wish
to
use
the
service
use
the
API,
if
you're
an
Amazon,
employee
too
bad,
you
still
have
to
just
use
the
API
that
we
give
you
nobody
outside
that.
You
know
the
folk
enough
people
who
can
eat
a
one,
a
pizza,
what
two
pizzas,
oh
nobody
else,
knows
what's
inside,
and
so
in
order
to
get
that
kind
of
visibility.
You
have
to
do
the
transitive
closures
across
all
services.
D
E
D
So
I
know
people
have
been
talking
about
that.
But
I'll
note.
For
example,
the
US
government
keeps
saying
you
know
we
want
to
know
s-bombs
and
we
want
to
know
what's
going
on.
Oh
we'll
deal
with
Cloud
later
and
Cloud
later
seems
to
be
the
phrase
and
because
they
know
it's
hard
and
I
suspect
it'll
stay
hard.
G
G
It's
in
an
evil
mood
is
we'll
ask
him
to
basically
say
which
ones
are.
These
use
cases
have
already
been
defined
in
the
NTA
information,
so
we
can
just
pull
from
them
and
make
sure
we're
comfortable
with
them,
because
some
of
this
work
has
been
done
in
other
places.
Historically,
too,
are
people,
okay,
with
my
evilness.
G
E
D
G
G
G
D
G
Okay,
then
we've
got
component
measurement
for
reduced
overhead
by
analyzing
dependencies.
During
the
software
development
process,
software
producers
are
able
to
reduce
the
unused
libraries.
Basically,
it's
reducing
the
attack,
surface
unused
libraries
or
reduce
I
need
yeah.
So
I
think
the
case
that
was
being
talked
about
here
is
like
a
container
or
someone
brings
in
another
container
and
no
one's
going
to
analysis
properly
and
there's
a
surprising
dependency
sitting
and
something
in
there
that
supplies
right
that
can
be
triggered.
D
D
C
Have
another
use
case
for
this,
so
I
worked
on
a
product
at
one
point
in
the
past,
that
was
Ruby
and
there
was
a
bug
and
bundler
that
included
all
the
development
dependencies
in
the
final
build
and
we
didn't
know
until
we
shipped
it
and
the
customers
were
like.
Why
are
there
twice
as
many
Ruby
modules
and
we're
like?
What
are
you
talking
about
they're
like
look
at
all
the
Ruby
modules
we're
like
holy?
Where
did
this
all
come
from,
and
so
it's
not
just
reducing
libraries
as
it
is
I
think
understanding
I.
D
E
G
I
think
so
so
what
I'm
probably
going
to
do
is
take
this
information
and
I'm
either
going
to
move
it
up
to
the
top
and
then
start
it
there.
So
people
find
it
or
I'll
spin
out
a
new
document
in
reference
to
it,
so
people
can
sort
of
keep
prior
comments
and
information,
and
then
we've
got
ensure
license
compliance
and
I'm.
Finding
this
amusing
in
the
security
group
that
someone
other
than
me
is
suggesting
license
compliance.
G
Well,
that's
how
it
started.
Anyhow,
I'll
accept
the
Avis
changes
Matt's,
suggesting
we
share
legal
compliance
rather
than
license
compliance,
and
that
would
be
things
like
copyright
and
patents
as
well.
I
suspect,
although
generally
we
aren't
retracting
that
so
I'm
fine,
with
changing
to
being
legal
compliance
here.
B
C
D
And
to
be
fair,
those
are
still
from
a
legal
point
of
view,
licensing
compliance,
it's
just
not
copyright
license
so
and
most
licenses,
don't
just
include
copyright
anyway,
MIT
Apache
GPL,
they
all
talk
about
their
licenses
and
they
either
by
implication
or
directly
talk
about
patents,
not
just
copyright.
So
as
it
is
I
think
it's
fine
I
would
say
yes
accepting
hooray.
D
E
G
G
C
G
No
worries
good
I
like
to
say
group
group
think
for
the
win
here:
okay,
post
bill
of
s-bomb
generation,
I.
Think
what
we're
talking
about
in
this
case
is
the
analysis
or
the
third
party-
that's
bomb
generation
where
someone
has
been
given.
Something
is
trying
to
figure
it
out
less
effective
than
build
time,
but
sometimes
what
you
need
to
do.
It's.
C
Definitely
a
use
case.
A
lot
of
people
do
this
I
mean
so
I'll.
Give
you
an
example.
David
is
you'll,
see
people
take
a
piece
of
software
and
then
put
it
in
a
container,
and
so
your
your
focus
on
the
s-bomb
in
that
stage
isn't
as
much
the
piece
of
software
you've
received
as
it
is
making
sure
the
container
like
I
also
had
an
instance
where
someone
put
software
in
a
container
that
was
like
they.
G
G
D
B
D
D
D
G
G
G
G
G
G
G
G
G
G
G
C
Maybe
I
like
the
offensive
security,
one
I
haven't
read
the
description
in
in
depth
but,
like
I
know
of
some
people
using
s-bombs
as
part
of
their
like
red,
teaming
exercises
where
they're
looking
at
what's
in
something
and
then
they're
attacking
it
based
on
known
old
stuff.
It's
quite
clever
and
interesting.
G
G
G
G
C
D
G
G
E
G
And
so
the
nice
thing
is
that
the
design
sort
of
fits
in
around
the
planning
stage,
the
sources
in
procure
and
development,
which
goes
into
those
personas
build,
is
in
the
build
test
and
release
portions
deploy.
This
install,
configure
and
runtime
is
usually
maintained
and
retire,
and
so
we
have
those,
and
then
we
have
the
analyze,
which
is
the
third
party
one
we've
been
talking
about,
and
so
bringing
that
in
bringing
those
types
into
these
use.