►
From YouTube: Security Tooling Working Group (May 9, 2023)
A
B
B
B
I
can
flag
that
we're
going
to
have
an
s-bama
Rama
in
on
June
14th
in
LA,
and
that
will
also
be
virtual
and
and
we'll
have
the
official
announcement,
hopefully
by
the
end
of
this
week.
But
to
and
the
goal
there
is
to
have
a
sort
of
holistic
view
of
all
the
different
moving
pieces
in
the
s-bomb
community.
B
Heavy
on
what
we're
doing
here
at
cisa
and
across
the
US
government
we'll
have
someone
from
the
Japanese
government
will
hear
from
some
sectors
like
automotive
and
Healthcare,
maybe
Finance
so
that'll
be
June
14th
in
La
and
I.
Will
anyone
who
wants
that
announcement
will
make
sure
to
circulate
it
widely.
B
Yes,
we're
we're
going
for
that
it'll
be,
but
it'll
be
a
full
day
meeting
so
again,
I'm,
never
quite
sure
who
actually
watches
you
know
recordings
of
five
hours
of
teams
meetings,
but
I
think
talking
here.
I
think
it
would
be
good
to
get
someone
to
give
a
high
level
overview
of
what
openness
sep
is
doing
around
that
spawn.
B
And
then
the
other
thing
I
will
flag
that
is
s-bomb
relevant
is
in
case
you
did
not
see
it.
The
U.S
government
issued
our
first
wave
of
actual
implementation
for
the
executive
order
and
again
this
is
for
more
for
commercial
providers
rather
than
the
open
source
side
of
things,
and
so
what
that
is
is
right.
C
C
B
B
B
So
right
now
it
is
a
draft
form
for
people
to
see
it.
Let
me
just
there
we
go
so
there's
a
bunch
of
stuff
about.
What's
the
purpose
of
filling
out
this
form-
and
this
form
is
essentially
for
agencies
that
are
buying
things
from
software
vendors
and
it
explicitly
says
in
s-bomb
you
there's
policy
that
explicitly
says
you
don't
have
to
give
an
agency
or
any
sorry
take
a
step
back.
B
This
document
is
meant
to
be
used
by
federal
agencies
when
they
buy
software,
and
so
it's
you
know
Department
of
State
Department
of
energy
when
they
buy
something
they
have
to
get.
This
form
filled
out.
This
form
has
a
number
of
requirements
such
as
you
have
to
attest
that
you're
separating
and
protecting
each
environment
with
building
software
that
you
have
multi-factor
authentication
across
your
environments,
basic
stuff,
that
pretty
much
every
organization
should
be
using.
B
D
B
B
So
that's
the.
If
you
look
at
this
so
This
Clause
is
which
part
of
executive
order
14028
and
I
apologize.
This
is
very,
very
gov
heavy
right.
This
is
meant
to
be
consumed
by
all
the
lawyers
working
for
software
companies.
It
explicitly
says
this
says:
have
an
s-bomb.
This
says
a
lot
of
stuff.
That
is
a
little
confusing,
but
this
is
the
relevant
piece
and
I'll
paste
this
in
the
document
as
well
in
the
notes.
A
D
D
B
Yeah
right
today
we're
going
for
sort
of
the
good
faith,
actor
side
of
things
and
part
of
that
is
right.
The
tools
aren't
perfect,
especially
when
you
move
away
from
Advanced,
Cloud
native
and
into
ship
software,
and
then
the
other
piece
is
right.
What's
your
risk?
Is
your
risk
people
buying?
Is
your
risk?
Hey
we're
worried
about
someone
lying
to
the
US
government?
B
Well,
there
are
a
lot
of
other
problems
that
are
going
on
if,
if
you're
you
know,
if
your
company
is
willing
to
lie
to
the
US
government
to
get
a
contract,
are
you
worried
about
someone
tampering
with
the
software
or
tampering
the
build
process?
That's
a
legitimate
concern,
but
how
many
organizations
are
equipped
to
actually
detect
that
today
again,
especially
for
enterprise
software
or
industrial
control
system,
software
specialized
medical
stuff?
So.