From YouTube: Security Tooling Working Group (April 11, 2023)
B
Completely off topic, but well, not really completely off topic, but related, on a related topic. I wanted to chat with you at some point about Syft.

C
No, that's fine. I can pull in the devs if you want to, or we can chat, it's totally up to you. I'm, what does my calendar look like?

B
See, to start a conversation about that kind of stuff.

C
It came up like two or three weeks ago in a conversation. I'm like, I just need to write this down. I've had this data for over a year and I'm like, it's going in a blog.

D
Ecosystem is different and there's something that makes it different. Otherwise, why have a different ecosystem, right?

D
Some other numbers about npm: average package size, and I think the numbers that immediately jump out is it's over. Half of all packages have zero or one function totally.

D
Well, I think it all comes from the, if you do it by lines of code, and people always complain about the lines of code measure, but I think it's helpful for getting an idea of scale. It's like, you know, the average npm package is one one-hundredth of the average lines of code in Python. In particular, you know, and even though both are, you know, there are some similarities, but that's a really big difference that causes many other things to be different. Yeah.

D
You end up with these huge numbers and it just, it causes a lot of, I guess, artifacts that create bizarreness when you try to do analysis.

C
Yeah, 100 percent. We'll get going here in just a minute. I'm like, I'm super out of it. I'm so glad Kate has a topic because I've got nothing for today. I think, all right, let me find my intro paste, moving.

C
I will apologize in advance to everyone here. I've been gone for more than a week and I'm gonna do what's going on. So the agenda is here, I'll paste that. If everyone can sign in as an attendee and then introduce yourself in the chat. Kate has an SBOM use case document we're going to work on today. But does anyone, are there any tooling topics before we move on to SBOM Everywhere?

D
No, other than I'm gonna post in the notes for the tooling group the blog post of yours, Josh. So.

D
People can appreciate it also because I think, although it's not tooling per se, it impacts the tools and I think people should at least be aware of it and easy and make it.

E
There, yeah, we've.

G
All been there. Okay, right now, is there anyone that's new? We've got an observer, I'm just wondering if that's a new person that wants to introduce themselves before we get into everything.

C
We paste our intros in the chat. Okay.
G
So from the use cases perspective here, so this is the document we sort of had started a while back, and then after the last meeting when we were talking about this, people started going in and fleshing things out a bit more. So what I'd like to do right now is see if we all agree with what people are adding and, just quite frankly, click add and see if this sparks other ideas and thoughts as we're going along as well, so that we can get an articulation.

G
It's been coming in in sort of a couple ways in terms of perspective, user perspective, compliance perspective and so forth, got added in here, and then the button added in as paragraph novel sort of descriptions, which is I think where we're going to need to go to, but that's kind of where I think we want to sort of work our way through, and then also, quite frankly, decide what is out of scope and remove that from what is out of scope of this list, so that we can start iterate this list into something a bit more useful.

G
So the first one is, you know, user need perspective. Obviously we've got to catch up, but Matt's added in adding some examples of the requirements. Compliance perspective, the add here I have, everyone comfortable adding this into our scope?

G
We've got a data set profile as well, but whatever, because for reproducibility and training, if you actually want, it's more than just software these days. Okay.

G
That's why, and then it's also compliance, proof of compliant now. I'm not so sure about compliant use of crypto, cryptography and cryptographic sensors. Is that, does someone else feel comfortable, that feels strongly on that one? And I guess I'm going to tap on Emily here, because she may understand where this one's coming from and I know she knows this space.

H
Yeah, thanks for throwing me in the fire, Kate. I mean this probably was from Matt Murkowski from IBM, yeah. There is an effort around, there's a NIST NCCoE effort around discoverability of quantum-vulnerable algorithms and then also ensuring, how do we move forward in the future to ensure that libraries and applications make use of post-quantum safe algorithms, and so there's a CBOM effort so that people can document what algorithms are in use in particular software, to make discoverability easier.

G
No, no, it's like to say we've got something like this already in SPDX, so I'm just sort of, I think I'll just, I'm gonna mark that in there and we can refine it from there.

B
Just feel like the compliance, the use, the word compliance is really loaded. I.

D
Yeah, I agree. In fact, I would push it to just simpler, simpler to a statement of the cryptographic ciphers used instead of a proof of compliance, because an SBOM can't prove, well, an SBOM can be used as evidence of compliance, but you know it's, I, compliance to what would be the questions. No.
D
Well, I don't have any trouble with noting this as a future. I mean, I'm a big believer in the minimum viable product. It's okay to say, hey, in the long term I would like to go there. For this first version I am not going to try to bite off that apple. I'm still trying to get basic information out the door and widely applied.

C
Think everything here is what David said, it's very future based, but there are things you can do today for compliance. Like a good example is, like, in Anchore we have a lot of customers using the product for FedRAMP compliance, right, and in that case it's really about returning package names and versions and then using that to feed vulnerability data, and then that feeds FedRAMP.

D
We're still at the crawling, walk stage, so I think all of these are relevant, important and future.

G
That, so, well, let's deal with Ava's comment in a minute, but let's go, let's finish through kios. Okay.

G
So I will let someone shift this lower in the document while I'm continuing on. Got it, let's go for it, David, in other words. Yeah, so my man, my manifest contributions: okay, key, I, SBOM user personas, so I think this is a good thing to add in here at the top level.

G
Okay, and so let's give it a little bit of space to breathe until things get moved around. Developers. Does everyone agree? You know, developers are a persona.

G
Okay, managing SBOM product manager, I actually then probably put product architects and product management here, personas.

G
All right, SBOM product manager, we have a team even solely dedicated to SBOMs. I.

G
Then I'll leave it alone. You've told on call.

G
That's kind of what I was thinking too, actually. I'm wondering, though, if that is different than architects and product management. I think that's its own category, quite frankly.

G
And that sort of separates out, you know, those who are handling the ins and outs effectively of software in an organization, to those who are designing a product, which are different roles to some extent. Okay, security operations, I like that better than slash no one. It's great, I'm just going to accept that one, and then Tim's adding a paragraph and then add some lists.

G
Gallery response team piece, cert bug shelf or like responses, I think, you know, those who are responsible for supporting to all that. I think that's a reasonably good set. So.

C
I don't like the word operations here, I think. Maybe let's replace that with maybe engineer, because I think in most organizations, like, the security people working in the SOC are very different from the PSIRT people. I mean, not everywhere, but you're gonna, I think we'll see hair splitting if we leave the word operations there. What.
G
Okay, Tim's right with the procurement one, GRT inventor due diligence, makes sense.

G
Is that procurement's role or is that a different role? Is that somewhere else, I'm thinking, yeah? It looks like he's thinking maybe post-procurement, app architecture or security. I think it's probably the app architecture side since they're generating these SBOMs here, so I'm going to probably move this one up to there.

G
And I'll also say, suggest, we also potentially look at, what, I'm not sure how we want to say, the equivalent of the open source side of it, but I think that sometimes the stuff, these go in that direction.

I
Basically, go ahead, sir. I was going to say in Dell we talk a lot about how our downstream customers are going to use the SBOMs, and so we say, how is the government going to use the SBOMs that we provide to them? How are, you know, our consumers of Dell servers and storage devices and laptops going to stitch together SBOMs? So we talk a lot about the end, the downstream consumer of the SBOMs we're creating.

D
Back to your original question of, what's this division for government organizations? I'm sorry, go ahead, right.

I
Now the EO requires you share it with government organizations, and so in our minds we're thinking, let's make sure we can get the products that the government is using, their, what they need for the minimum viable products to fulfill their, that EO requirements, and then how do we also want to continue on with people who don't necessarily have to have it right now, but may want to start using it in the future. So we're just separating based on that executive order right now.

A
I'm, like, I'm triggered by your original question. I'm wondering if that's not, like, if the personas above are not included here, so it feels like a little different or on different, different types of personas. The government sure has this requirement, but of course, because somebody in a government organization will then do security engineering, right, or somebody in the procurement organization will look at that data, so is being a government.

A
Is that a persona in itself, or is it one of the personas we have already mentioned above? I think this is what you ask, kind of, at least I'm asking that myself. So is, are the ones above a subcategory, more fine-grained category of the three or below?

G
Okay, I think the ones that we've got here have different characteristics that will influence the roles of the personas above, so I'm kind of comfortable with them, because quite frankly, academia slash open source community may actually be studying SBOMs, maybe working with them. We're seeing a lot of, you know, interest there, and then other open source projects may be needing to import them in, generate out some of their dependency information. Yeah.
G
So the one other one we've got is, get Josh on boyfriend, saying users and workflows, no tools here yet, right. Okay, let's mark that down, and there's one last thing, and so this is now.

C
I agree with you, Kate. I think they're going to be software producers, but there's also going to be consumers of different types, and so I think having different buckets makes sense, and I think, I don't think, I think Ava's not wrong necessarily, but I also don't think there's a black or white answer here.

G
Developers, I think, there's a variety of stitching things together and different types of scenarios with build. I've, you know, from discussions I've had with other people, like doing medical devices, figuring out how to do your system of systems for your final product is something, and then how you're bringing in the information that people need. I think that is a valid use case, again, probably want to keep this.

B
I was just wondering if software as a service, because that's one thing that we've been talking about a lot, is as a software as a service provider, you know, how's that different from a producer's packaged software or, you know, open source software or whatever.

G
No, I'm gonna, I'm going to see if you can help educate me here. And so a service to meet what you advertise as available for services that people connect to would be different than what you would track internally for all the people, all the parts that made up that service. Would you agree with that definition, that distinction?

B
So I guess I'm thinking specifically of the case where a person, developer, say, uses a command line tool. That command line tool on the back end is communicating with a piece of software that's in the cloud to, you know, to do whatever, Matt, as part of its function and then completing the task for the, for the. So in that case there's software that is being run on the, you know, locally, and there's software that's being run in the cloud, but the consumer of that wants to know all of the.

G
I don't think so, but.

D
This seems, this seems like beyond crawl, walk, run and moves towards, I have transformed into a cheetah for some black magic.

D
Mean no! It's because, hey, I'm going to depend on this cloud service, okay, and it's perfectly understandable that a customer wants to know, well, what's that cloud service depend on? You know, what's, what, you know, are those, you know, up-to-date components? What services does it depend on? But my understanding of a lot of these services is that, you know, if we think we're shocked by the number of dependencies within a software system, it's nothing compared to the cross dependencies within a cloud system.

D
I'll point specifically to Amazon, because different organizations work different ways, but I know that in Amazon they have very much a culture of, if you wish to use the service, use the API. If you're an Amazon employee, too bad, you still have to just use the API that we give you. Nobody outside that, you know, the folk, enough people who can eat a one, a pizza, what, two pizzas, oh, nobody else knows what's inside, and so in order to get that kind of visibility you have to do the transitive closures across all services.

D
We generally aren't going to be controlled by you. Wow, that's much harder and I just, I mean, I'm not saying it's a bad thing to desire. I just wonder if I will live long enough to see something like that.
D
So I know people have been talking about that. But I'll note, for example, the US government keeps saying, you know, we want to know SBOMs and we want to know what's going on. Oh, we'll deal with cloud later, and "cloud later" seems to be the phrase, and because they know it's hard and I suspect it'll stay hard.

G
Okay, and I think we need to basically look at this, so let's keep going through this, so we can get through this section, and then the other thing I think I'd like to do, since Alan graciously said we could assign him action items in the chat, when he, before he dropped.

G
It's in an evil mood is, we'll ask him to basically say which ones are, these use cases have already been defined in the NTIA information, so we can just pull from them and make sure we're comfortable with them, because some of this work has been done in other places historically too. Are people okay with my evilness?

G
Evilness is to ask Alan, now that we've got these use cases, to do a search through the NTIA documents that were produced before and figure out where there's definitions already.

G
And then this may be, okay, or after the fact, yeah. That's a good, those are good clarifications, David, thank you. And then identify products containing specific high risk vulnerabilities.

G
Okay, then we've got component measurement for reduced overhead by analyzing dependencies. During the software development process, software producers are able to reduce the unused libraries. Basically, it's reducing the attack surface, unused libraries, or reduce, I need, yeah. So I think the case that was being talked about here is like a container, or someone brings in another container and no one's going to analysis properly, and there's a surprising dependency sitting in something in there that supplies, right, that can be triggered.

D
Except, and then just tweak the "unused" as one of the options, because even when they're used there are sometimes surprising, you know, five different, I'm using five different libraries to do the same thing.

C
Have another use case for this. So I worked on a product at one point in the past that was Ruby, and there was a bug in Bundler that included all the development dependencies in the final build, and we didn't know until we shipped it and the customers were like, why are there twice as many Ruby modules? And we're like, what are you talking about? They're like, look at all the Ruby modules. We're like, holy, where did this all come from? And so it's not just reducing libraries as it is, I think, understanding. I.

G
I think so. So what I'm probably going to do is take this information and I'm either going to move it up to the top and then start it there, so people find it, or I'll spin out a new document in reference to it, so people can sort of keep prior comments and information. And then we've got ensure license compliance, and I'm finding this amusing in the security group that someone other than me is suggesting license compliance.
G
Well, that's how it started. Anyhow, I'll accept Ava's changes. Matt's suggesting we share legal compliance rather than license compliance, and that would be things like copyright and patents as well, I suspect, although generally we aren't retracting that, so I'm fine with changing to being legal compliance here.

D
And to be fair, those are still, from a legal point of view, licensing compliance, it's just not copyright license. So, and most licenses don't just include copyright anyway. MIT, Apache, GPL, they all talk about their licenses and they either by implication or directly talk about patents, not just copyright. So as it is, I think it's fine. I would say yes, accepting, hooray.

D
I know, I, oh I see, yeah, I would keep it as it is and not say legal. I mean, we could mention the word legal inside license, but you could say something like, to ensure the results are legal or something like that. Have it like that.

D
Patents, trademark and other legal requirements. I usually do this as suggested and I didn't do that this time, but.

G
Okay, consumer of software. Okay, these are producers of software, will be a validation analysis, imported S1, okay, post-build-time SBOM generation, it's a time period. So maybe what you're saying, what maybe, what we should call this one here is third party as well.

G
No worries, good. I like to say group think for the win here. Okay, post-build SBOM generation, I think what we're talking about in this case is the analysis or the third party SBOM generation, where someone has been given something and is trying to figure it out. Less effective than build time, but sometimes what you need to do. It's.

C
Definitely a use case. A lot of people do this. I mean, so I'll give you an example, David, is you'll see people take a piece of software and then put it in a container, and so your focus on the SBOM in that stage isn't as much the piece of software you've received as it is making sure the container, like, I also had an instance where someone put software in a container that was like, they.

C
They used a container version for an Ubuntu version that was like five years old when I found it. I'm like, holy crap, like.

G
Anyway, sure, okay, it was, it was, yeah. So, rather than manager software, do we basically, are we talking software integrators here? I think that's what was being meant for by the description.

G
That's why I was starting to use an integrator, but that's okay. We probably are missing, I'm just looking at our personas here and I guess integrators would be under the applicator, under application side of it. Product creation.

G
Okay, and then risk estimation here through SBOM analysis is a consumer and.

G
Working, so it's looking at, that's a value space, doing risk estimation.

G
Known vulnerabilities components in average, lab years, I'm fine with leaving that one, and then vulnerability response SBOM analysis. This only works with complete SBOMs for full dependency chain, which is not required for a SBOM standard or NTIA minimum.

G
There's my giving out my evilness to go and do the homework there. Okay, so I think that was the part I really wanted to look through.
C
Maybe I like the offensive security one. I haven't read the description in depth, but like, I know of some people using SBOMs as part of their, like, red teaming exercises, where they're looking at what's in something and then they're attacking it based on known old stuff. It's quite clever and interesting.

G
That's fine, and I think Cameron answered, so I think we're good. So let's just move it up the line, so, and then attack vectors. This is one that you wanted to move above.

G
It's all attack vectors, but it'll also, quite frankly, be a safety case. In this case is safety profile remediation for critical infrastructure, there's another use case that's in my mind.

G
One of the things we started looking at is, okay, use case, applying a patch to fix a vulnerability, start articulating exactly what has to happen where, and the thinking is possibly to start looking at diagramming it out.

G
Away, that's why I was being evil, because I was doing it with him, not here in the room. Okay, however, it's sitting in Sister, lawyer's hands, and design, source, build, deployed, runtime, we've got some degree of community consensus on it. The link there's.

G
And so the nice thing is that the design sort of fits in around the planning stage, the source is in procure and development, which goes into those personas, build is in the build, test and release portions, deploy is install, configure, and runtime is usually maintained and retire, and so we have those, and then we have the analyze, which is the third party one we've been talking about, and so bringing that in, bringing those types into these use.

G
Cases I think will help to add clarity, but I also was thinking that diagramming has the elements are being used and making it visible in some way helps with also with understanding, I found.

G
I guess quick roundtable: does anyone have anything else you see as obvious gaps or things that are missing?

G
George, you good? Ed, not, okay. Sarah, you're pondering, your thumbs up, okay. Observer! Anything you want to chime in with?

B
Thanks, everybody. I'd like to get my, I'd like to get some other folks in Snyk looking at this over the next couple of days. That's the only caveat that I have. Awesome. Yeah, sorry.

B
I think once it's checked into GitHub, then maybe, yes, it makes sense. I.