►
From YouTube: Security Tooling Working Group (March 28, 2023)
B
B
D
D
F
F
B
C
C
G
C
G
Andrew,
this
is
Adrian
diglion
I'm
from
Microsoft
I,
contributed
the
secure
software
or
supply
chain
consumption
framework,
and
in
that
we
we
have
requirements
on
how
to
securely
consume
open
source
into
the
developers.
Workflow
and
some
of
the
requirements
that
we
are
advocating
for
are
tools
that
help
you
patch
your
open
source
faster.
G
G
Another
type
of
tool
is
surfacing
OSS
vulnerabilities
as
comments
in
a
pull
request,
such
as
dependency
review
within
GitHub
I.
Think
that
those
are
an
entire
category
of
tools
that
are
designed
to
make
keeping
your
OSS
hygiene
better
easier
and
help
you
patch,
faster
and
I
would
love
to
see
that
category
added
to
the
guide
to
security
tools.
E
C
E
Great
and
if
I
may
I
would
suggest
make
at
least
two
pull
requests.
You
know
separate
the
two
different
ones,
because
I
think
for
like
depend
upon
I'm,
pretty
sure
we
already
have
that
category
it
may
not,
but
the
but
the
other
one,
maybe
not
so
I
would
make
them
as
two
different
ones,
because
it's
easier
just
accept
one
not
another
or
or
make
some
changes.
C
F
E
C
We
yeah
the
the
topic
of
tools
as
well
Alan.
One
of
the
things
this
group
is
looking
to
do
is
create
a
specifically
a
focused
on
s-bombs,
but
a
landscape
like
the
cncf
has
to
better
track
and
categorize
like
all
the
tooling
and
I
think.
If
we
figure
it
out
for
s-bombs,
we
could
even
think
about
doing
it
for
more
broad
security
Tooling
in
general,
because
I
think
there's
a
lot
of
value
in
it
and
there's
like
700
lists
of
tools
and
I
can't
track
anything
anymore.
C
H
Yes,
so
I
see
David
here
so
if
I
knew
he
was
presenting,
but
I
I
volunteered
to
krobe
to
to
go
out
and
spread
the
word
which
is
to
share
the
yes.
Thank
you
for
grabbing
the
link.
So
basically,
every
single
being
asked
to
confirm
the
entries
under
their
work.
Yeah
yeah
confirm
the
entries
credited
to
their
working
group
so
for
it
gets
published
in
any
way
shape
or
form
that
you
know
it.
It
has
accuracy.
H
So
the
other
question
I
had
here
was
that
I
think
that
krub
just
said
that
that
who
did
it
but
grabbed
all
the
work
products
from
the
readme
and
put
them
on
there
and
assigned
Sig
at
the
end
of
them.
So
I
know
a
lot
of
these
were
didn't,
have
sigs
or
were
cigs
or
maybe
pseudo-cigs
at
some
point
in
time,
so
I
was
hoping
to
figure
out
figure
out
which
things
are
projects
which
things
were
sigs.
From
my
my
perspective.
H
H
E
I
can
comment
yeah
the
there's
a
there's,
a
name
change
along
the
way.
Basically
the
attack
earlier
I
guess
it's
actually
the
last
year
basically
said
hey.
We
want
to
be
consistent.
So
if
it's
mostly
code
call
it
a
project,
otherwise
call
it
a
sink,
and
that
was
a
change
because
a
lot
of
people
referred
to
these
other
things
as
project.
So
you'll
you'll
see
some
inconsistency
out
there
in
the
wild,
but
that's
what
that's.
What
we're
trying
to
maneuver
towards.
H
Yeah
I'm,
just
looking
at
the
other
work
groups
that
I
know
I
attend
on
occasion
and
and
I
see
still
products
made
I.
Think
that
like
they
have,
you
know
things
that
are
projects.
The
question
is,
can
you
know
I
I
know
in
the
diagram
of
society,
I
produce
a
different
mind
map
that
had
you
know,
non-codes
non-code
projects.
So
the
question
is:
do
we
you
know
to
me
if
I
the
thing
is
like
if
I
see
a
Sig,
that
means
there's
a
meeting.
I
can
attend
on
the
calendar.
No.
H
Yeah
I'm
just
worried
I
just
want
to
make
sure
this
work
group
understood
the
ram
the
ramifications
of
the
of
the
terminology
here
that
they
would.
You
know
we
need
to
understand
that
people
come
to
say:
hey
I
want
to
attend
the
Sig,
and
you
know
words
that
we
need
to
have
it
in
the
agenda.
Someplace.
You.
H
C
H
E
H
C
H
B
D
E
C
Thanks
awesome
all
right,
I'm
going
to
move
ourselves
into
s-bomb
everywhere,
then
to
discuss
that
a
bit.
We
did
that
in
the
chat.
I'll
start
with
the
action
plan
that
Dan
was
so
kind
to
put
into
GitHub.
So
thank
you
for
that.
Dan
I
would
say
at
this
point.
If
anyone
has
any
comments
or
suggestions,
we
should
add
pull,
requests
and
issues.
B
C
C
C
So
Kate
is
talking
with
Tracy
Miranda,
who
has
some
landscape
knowledge
and
if
she's
willing
to
help
us
stand,
one
up
I
think
we
can
probably
get
it
filled
out
in
a
fraction
of
the
time
it
would
take
just
to
get
the
approval
of
funding.
So
I
guess
stay
tuned
is
all
I
can
say
for
that,
but
I'm
I'm
very
excited
I'm,
very,
very
hopeful
that
Tracy
can
lend
a
hand
here
and
we
can
I,
don't
think
is
Tracy
here.
I,
don't
think
Tracy's
here.
C
J
So
if
anyone
understands
the
landscape
tool
well
enough
to
do
a
little
bit
of
surgery
with
us
or
figure
out
how
to
how
to
set
up
some
automation,
you
know
I
think
I
think
we
could.
We
could
get
something
up
pretty
quickly
and
not
have
to
wait
for
for
funding
or
too
much
planning
and
in
a
way
that
allows
for
folks
to
play
with
it
safely.
Yeah.
So.
C
Open
to
that
volunteering,
and
that's
my
hope,
with
working
with
Tracy-
is
if
she
can
at
least
push
me
down
the
hill
I'm
gonna,
like
document
the
crap
out
of
everything.
I
can
because
I've
tried
to
stand.
You
like
get
the
landscape
running
in
the
past
and
I
gave
up,
because
it
was
just
too
nitpicky.
J
D
C
J
F
And
and
Josh
I
can
help
with
that,
because
there
are
a
lot
of
other
attempts
to
do
this
in
the
past
and
use
cases
gets
messy
and
complicated
and
can
either
expand
to
the
overlap
of
all
of
supply
chain
and
all
of
software
Assurance
or
can
be
much
targeted.
So
I'm
happy
to
tackle
that.
If
you
wanted
to
find
some
time
to.
C
Absolutely
Alan:
you
were
on
my
short
list
of
people
to
hassle
once
we
had
a
landscape
and
it
the
intent
is,
it
will
be
a
public
GitHub
repo.
So
literally
anyone
can
update
it.
So
my
hope
is
just
given
the
popularity
of
s-bombs
once
we
start
getting
momentum
there
we'll
get
a
lot,
because
I
think
every
organization
and
every
project
will
want
to
make
sure
they're
on
the
list,
but.
F
D
No,
no
we've
got
so
basically,
Alan
I
think
we're
taking
it
from
the
template
view.
We
started
in
ntia
and
we're
also
going
to
layer
in
the
types
of
spawns
into
it
as
well,
and
then
people
will
hopefully
put
pull
requests
in
to
put
in
their
tool,
and
people
can
query
it
and
say:
okay
show
me
that
you
actually
have
evidence
that
you're
doing
what
you
can
say.
You
do
and
it's
documenting
the
pull
request,
but
what's
actually
put
up
in
the
landscape
is
much
simpler.
C
E
H
D
C
D
But
it's
also
going
to
be
useful,
I
think
for
our
use
cases
to
start
to
understand
what
types
of
use
cases
are
pulling
on,
what
types
of
s-bomb
types
so
I
think
for
this
General
intuitive
agreement.
Anyhow,
that
where
the
facts
are
in
the
software
life
cycle,
is
the
best
place
to
generate
the
s-bomb
for
that
type.
D
So
the
question
then
becomes
is
when
we
started
to
look
at
things
like
use
cases.
Can
we
basically
say
hey?
This
is
what
I'm
trying
to
put
together
and
I'm,
applying
a
patch
to
a
package
fix
of
all
that?
Well,
what
does
it
actually
look
like
in
terms
of
types
of
s-bombs
and
in
types
of
information
in
that
sort
of
a
decision
tree?
So
we've
got
this
type
of.
D
So
I
met
with
Peter
lore
from
Red
Hat
and
he
and
I
started
serving
noodling
on
this
topic,
a
bit
I'm
starting
to
come
up
with
some
symbols
that
we
can
start
to
use
to
potentially
look
at
diagramming
these
things
again.
Thinking
back
to
people
understand
diagrams
and
Comics,
so
you
can
maybe
think
of
the
s-bomb
comics
associated
with
each
use
case
as
a
way
of
trying
to
explain
to
people
how
these
things
interact
between
organizations
and
between
types
of
s-bombs.
So
this
is
a
first
attempt
at
it.
D
I
suspect
seriously
we'll
be
refining
it
a
lot
more
people
come
up
with
better
ideas.
It
was
initially
just
colors
and
shapes
and
the
shapes
are
nothing
special
other
than
what's
available
easily
in
Google
Docs,
because
that's
what
I
have
easy
access
to.
But
someone
who
is
colorblind
pointed
out
to
me
that
we
really
should
put
something
in
as
a
symbol
to
distinguish
things,
and
so
we've
got
a
couple
of
distincts.
You
know
symbols
added
in
and
things
like
that,
and
so
the
thinking
was.
D
We
started
working
in
this
group
on
a
use
case,
s
BLM
use
cases
for
security
document,
Last,
Summer
and
starting
to
articulate
what
these
use
cases
are
in
this
been
on
the
shelf
for
a
bit,
but
I'm
kind
of
thinking
that
if
people
are
interested,
what
might
make
sense
is
to
take
the
security
use
cases
and
refine
them
and
effectively
come
together
with
a
comic
of
a
diagram
comic
of
how
we
can
actually
say
these
types
of
s-bombs.
This
type
of
data
is
flowing
through
to
satisfy
each
of
these
use
cases.
D
D
Okay,
first
so
I
think
you
know,
go
through
see
if
these
use
cases
are
ones
that
you
care
about
would
be
the
ask
of
everyone
on
the
group.
If
you
see
things
missing
in
this,
just
go
into
the
document
and
add
the
use
cases
we'll
do
a
scrub
of
these
use
cases
and
remove
all
the
commentary
from
people
and
get
a
clear
set
and
then
decide
which
ones
we're
going
to
prioritize
and
then
start
working
on
the
diagrams.
D
But
I
think
that'll
help
convey
information
in
a
way
that
people,
obviously
my
computer's,
slow,
we'll
sort
of
get
through
again
some
of
the
bud
aspects
and
I'm
not
seeing
the
use
case
stuff
things
are
worked
on
right
now
on
the
cesa
side,
so
this
gives
us
an
area
to
focus
on
here.
That's
independent
of
the
quality
stuff
that
cease
is
focusing
on
right.
Now.
D
E
We
can
nitpick
on
that,
but
but
identifying
how
things
used
definitely
seems
like
a
right
step.
I
I
do
worry
about
the
cartooning
effort
in
part,
because
my
guess
is
that
you're
going
to
use
whatever
the
whatever
data
you
have
available
and
in
many
cases
you're
going
to
be
constrained
by
the
data
availability.
Not
what
the
ideal
is,
but
I
mean
that
that
doesn't
make
it
wrong,
though,.
D
S-Bomb
I've
been
using
this
diagram
for
about
a
year
now
in
the
AI
side,
how
to
show
that
things
are
related,
and
this
depends
on
various
libraries,
but
also
this
generated
from
things,
and
so
each
of
these
types
of
s-bombs
potentially
can
be
linking
back
to
other
types.
You
know
to
earlier
types
in
the
software
life
cycle
as
part
of
their
evidence.
They
don't
need
to
carry
the
whole
weight
all
the
way
through
themselves,
like
a
deployment,
might
link
back
to
a
build,
but
you've
got
a
deployed.
One
and
you've
got
a
vulnerability.
Okay.
D
How
do
you
deal
with
looking
up
that
vulnerability?
Well,
you
might
want
to
look
back
and
see
the
build
and
see
what
the
dependencies
are
in
your
build
and
oh,
hey.
There's
a
package-
oh
well,
maybe
I
care
about
whether
or
not
that
file
was
built
into
my
image.
So
I
may
even
go
back
and
double
check
with
some
of
the
sources.
You
know
you
only
have
to
go
back
as
far
as
you
need
to
go
back
so
to
rule
things
out,
and
so
that's
kind
of
what
I'm
thinking
but
showing.
C
F
Sorry,
hey
I,
I
I
like
this,
because
I
think
this
is
a
one.
This
is
a
big
missing
piece
in
our
conception
of
s-bomb
types
is
how
they
relate
to
each
other
and
and
what's
right,
I
have
a
source.
S-Bomb
I
still
have
my
use
cases.
Is
it
insufficient
right?
We
we
haven't
effectively
communicated
that
the
other
thing
that,
as
we
sort
of
pile
on
yes
and
and
especially
graphically,
is
out
other
sources
of
data
right.
F
Obviously,
loan
databases
license
data,
other
things
that
I
care
about.
You
know
LF
badges
things
like
that,
and
then
the
other
piece
here
that
I
think
will
be
useful
is
the
other
types
of
tools
right.
So,
okay,
I'm
gonna
need
to
sort
of
dump
this
into
a
service.
This
is
my
Asset
Management.
This
is
hey.
There
is
no
asset
management
for
this
corner
of
the
ecosystem.
I
would?
What
does
that
even
mean
and
so
sort
of
identifying
gaps
as
well?
F
So
I
will
say
personally
this
symbol
vocabulary
seems
like
all
of
the
nice
things
about
a
very
complex
regression
equation,
with
none
of
the
benefits
of
being
legible
to
those
of
us
who
speak
math
right
right,
you've
all
seen
the
the
equation
slides
and
you
have
to
sort
of
sit
and
memorize
what
each
variable
means,
but
we're
good
at
that,
because
we've
been
reading
math
papers
for
a
long
time.
New
symbolic
references
seem
like
a
very
hard
thing
to
do
that
mental
mapping
as
we
draw
the
picture.
D
E
F
D
Yeah
this
is
like:
we've
got
a
lot,
a
line
around
what's
actually
inside
the
contents
of
it
and
then
you're
showing
relationships
pictorially
as
needed.
This
type
of
thing
people
seem
to
get
it
when
they
showed
this
up
and
that's
what
will
served
the
motivator
to
sort
of
aim
in
this
type
of
direction
for
explaining
to
people
what
has
happened.
D
I
think
the
security
use
cases
if
we
restrict
the
scope
to
be
security,
I
think
that
we
must
so
basically
prioritizing
the
use
cases,
people
care
about
most
and
making
sure
we
have
a
clear
set
of
use
cases,
and
then
we
start
to
die.
You
know
basically
make
it
visible.
I
think
that'll
move
itself
forward
in
a
reasonably
constructive
fashion.
D
H
Compliance
I
think
that
that
might
serve
us
well
to
to
have
subcategories
of
compliance
for
different
interests,
because
I
know
things
like
things
like
machine
learning,
compliance
of
creation
of
data
models,
according
to
ethics,
for
example,
cryptographic
Cipher
inclusion.
You
know
due
diligence
things
like
that.
D
I
In
The
Proposal
that
Dan
and
I
put
together,
we
actually
had
a
link
to
the
concept
of
a
user
needs
document,
and
we've
been
talking
a
little
bit
about
how
you
would
articulate
what
an
end
user
is
looking
to
get
out
of
an
s-bomb
in
combination
with
other
tooling,
to
solve
problems
and
reduce
risk.
Dan
and
I
were
chatting
a
little
bit
together
and
we
think
that
this
document
is
a
lot
more
fleshed
out
than
the
link
to
our
empty
Google
doc.
I
That
says,
we
need
to
put
some
user
needs
in
here,
so
we
think
there's
really
good
alignment
to
taking
and
re-linking
to
this
document
in
our
proposal
to
continue
to
flesh
this
out
from
a
user
needs
perspective
and
Dan.
Do
you
have
any
color
that
you'd
like
to
add
on
a
user
need
versus
a
use
case?
You
do
a
really
good
job
of
describing
it.
B
Yeah,
well,
it's
just
you
know,
I,
just
think
you
they're
different
they're
different
granularities.
That's
all
you
know
so
and
and
I
often
think
about
user
needs
as
being
thinking
about
like
a
story
like
you
know
the
person
who
the
the
thank
you,
the
person
in
the
ospo
needs
to
evaluate
this.
So
they
do
this.
So
therefore
they
use
this
kind
of
tool.
You
know,
whereas
the
use
case
is
more
like
granular
in
nature,
but
I
think
there
it's
it.
D
I'd
say
that
yeah
this
person
in
the
hospital
needs
to
look
at
this
type
of
tool,
or
it
needs
to
look
and
start
saying,
look
at
this
type
of
tool.
It
needs
to
look
at
this
type
of
s-bomb
data.
It
just
has
happens
to
be
presented
by
a
tool
yeah
and
if
you
can
take
it
to
the
blood
type
of
data,
we're
looking
for
across
the
supply
chain,
what's
key
for
them
to
do
their
job,
then
we
can
sort
of
map
I.
Think
these
things
in
but
articulating
that
there's
Tools
in
there
yeah.
D
A
Yeah
sorry
I
I'm
my
first
time
joining
these
meetings,
so
I've
been
just
doing
more
listening
than
anything
else
here,
but
just
Dan
kinda
made
me
to
the
punch
there,
but
in
terms
of
the
user
needs
or
kind
of
user
stories.
Is
that
the
way
of
framing
it
like
this
is
something
that,
like
me,
and
my
team
have
been
doing
for
the
past
year
so
specifically
on
s-bomb,
so
I
don't
like
I
wish.
We
had
something
documented
that
we
could
copy
and
paste.
A
But
we've
been
talking
about
this
a
lot
and
so
in
the
in
any
event
that
we
can
help
flesh
the
stuff
out,
because
I
think
we've
clearly
articulated
internally
like
three
or
four
key
example:
users.
What
their
workflows
are,
what
their
needs
are,
what
tools
they
use,
what
the
gaps
are.
I
think
a
lot
of
that
knowledge
has,
you
know,
started
to
consolidate
in
certain
places
and
there's
some
good
coverage
of
it
and
on
certain
websites,
so
just
offering
my
hand
to
help
support
kind
of
flushing
this
stuff
out.
So.
D
I
D
And
so
suggestions
are
very
welcome
there
and
you
know
people
with
graphic
artist
skills
who
want
to
improve
things,
go
for
it,
but
I'm,
putting
a
link
in
there
and
just
ask
for
perms
if
I
don't
have
to
open
right
up
now,
I
can't
remember
if
I
opened
the
door
not
before
the
doctors,
I
think
I'll
just
open
it
right.
Thank
you
about
it.
There
are
comments
and
that
I
hope
so
just
a
little
slow
laptop
right
now
need
to
reboot.
D
D
F
I'm,
just
as
the
structure
this
document-
maybe
it's
because
it's
been
so
collectively
edited
I,
don't
see
the
relationship
between
the
type
of
s-bomb
in
the
use
cases.
Is
that
something
that
we're
going
to
need
to
flesh
out?
Or
is
there
just
something
that
I'm
missing,
because
they
seem
to
be
two
great
tastes
that
are
probably
served
on
different
tables
in
different
restaurants?.
F
F
D
So
when
you're
doing
your
high
Assurance
use
cases
for
safety,
you
want
to
make
sure
you
actually
know
exactly
which
pieces
of
source
made
it
in.
Do
you
want
to
be
able
to
link
back
to
the
source
files?
You
may
not
need
that
in
a
lot
of
cases,
so,
but
you
may
want
that
for
basically
safety
certifications,
so.
F
F
But
I
I
what
I,
uh-huh
I
think
if
we
lock
that
into
the
type
of
s-bomb
that's
going
to
confuse
people,
especially
as
we
get
into
GRC,
where
there
isn't
any
current
consideration
for
that
and
and
and
I
think,
we've
got
a
lot
of
work
to
do
to
take
the
type
thing
and
put
it
into
the
both
government
and
non-government
GRC
World.
Okay,.
D
D
Well,
I
love
the
fact
that
people
are
going
in
and
editing
right
now,
I
think
it's
awesome,
and
if
people
want
to
have
a
separate
meeting
to
talk
about
this
between
now
and
the
next
meeting,
just
basically
put
your
name
in
the
chat
and
I'll
try
to
see.
If
we
can
find
the
time
for
a
group
of
us
to
meet
and
see
if
we
can
flesh
this
out
and
restructure,
you
know
make
sure
we
best
structure
to
then
do
group
review
on
okay,
so
Dan's
volunteering.
Thank
you.
Dan.
D
D
D
E
So
a
broader
note,
Kate
several
of
these
I
don't
think,
are
use
cases
they're
like
roles
and
other
things,
but
I
don't
particularly
want
to
kill
the
brainstorming
because
I
think
getting
the
ideas
down.
First
is
often
helpful
and
then
working
that
okay,
you
know
organizing
it
so
that
this
is
this
and
that
and
that
may
be
the
better
approach
anyway.
D
D
D
Then
I
think
we've
got
it
and
David
wheeler
says
he's
interested
too
so
I
think
we've
got
a
working
group
now
to
continue
to
flush
this
out,
move
it
forward
between
meetings
and
I.
Think
that
accomplishes
what
I
was
hoping
to
accomplish.
I'm
just
wondering
you
know
I
think
Matt.
You
commented
initially
to
do
what
want
to
be
part
of
this.
No
or
not.