From YouTube: SLSA Positioning Meeting (November 8, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1tpPOXVzNSwtpWA7cXhTPLAO6HIP50obUvoP85XqgVHM/edit#heading=h.yfiy9b23vayj
SLSA repo: https://github.com/slsa-framework/slsa
A
A lot of people might not join today because of the member summit that's happening in Tahoe, so I know a couple of folks are there attending, so it might be a lighter meeting today.
B
Pretty new to this SLSA team, I mean this OpenSSF team. Recently I joined OpenSSF, and then yesterday I attended one meeting with Mark, and yes.
A
Yeah, yeah, makes sense. Yeah, I'm trying to get the meeting notes here for you, if you can sign in.
A
Okay, so let me share my screen real quick. I need to share a portion of my screen.
A
Here we go, okay, that works. So yeah, if you can just sign in, and then as people join, we'll continue the discussion.
A
But since you are a new friend, please... you already mentioned that you joined the specification call yesterday. So, you know, what brings you to SLSA?
B
Yeah, recently I got the opportunity to present what's new in CI/CD topics for the Next '22 event in Google, and there I presented about that topic, and then SLSA was one of the topics under that. So.
B
I learned about SLSA, I explored the slsa.dev site, and then I'm basically... like, I do have around four years of experience in the DevOps part. So I worked in Azure DevOps, Jenkins, and GitLab.
B
GitHub as well. So then I was fond of that topic, and then I was really happy to see how we have categorized it into four levels, and then the provenance information generation and usage of that for the deployment. Those topics I was much interested in, and...
B
...found this OpenSSF working group, then I thought, okay, let me join and then get more information on that. Yeah, hi Michael, yeah.
A
Hi, well, thank you for that intro and welcome. So Mike Lieberman actually is one of the steering committee members for SLSA. So he has very much been around for a while. I've been around since this year, so I'm relatively new.
A
New. You're voting after this meeting? I did my pre-voting, but yeah. If you can sign in, Jumpsy, yeah, and sometimes what we'll do is we'll try to share... it's optional. We try to share something about ourselves when we sign in. I put a little...
A
You know, tongue sticking out. I already voted, because I'm not waiting in line, or just like Mike is going to be waiting in line pretty soon here for voting. I try to do things early, I don't like waiting in line, so I'm just poking fun at the folks that will have to wait in line to vote today for the midterms. Hi Laura, welcome. Are you a new friend, then? Thanks.
D
Same. I just was trying to heat up soup quickly before this meeting, and of course it was a glass jar of soup and it just shattered all over the kitchen. I'm sorry, yeah, and I'd like... but the kids, they're a little bit older, so they got the broom and the dustpan and they got shoes on and they're helping. I think that mostly would last, but they're helping scoop it. I'm like, oh my gosh, can you guys please... I know.
A
Okay, so for Jumpsuit and Laura, right, so for the positioning group, what we're trying to do is trying to, you know, educate, evangelize, you know, what SLSA is, how it can help. We were doing some earlier efforts on mapping to the different kinds of frameworks. We kind of put that on pause for a little bit, because we wanted to do it in an automated fashion.
A
So right now what we're doing is we're focusing on trying to put out a few blogs, and sorry if you can hear background noise. And so the blog that we're working on right now, it's called the developer blog, of, you know, why a developer cares about SLSA, and we're focusing on level one and level two.
A
This session today is called a working session, and so working session... I should put that in here. And so whenever we have things to do, if we don't have time to sync up afterwards, like in between meetings, we can use this time, and really it helps me focus, because this is not my day...
A
...job. I know for some people open source is all they do, but this at least helps me try to focus at least an hour to proceed with the agenda or trying to get further along, and then on the off weeks we have the normal positioning session, where, you know, pretty much anything's up for grabs.
A
So this is really an optional session, but we always welcome people to join and collaborate, and so I'm going to put this in. Do you have any topics that maybe you want to discuss before we go into trying to finish up the developer blog?
D
I'm in catch-up mode, but I did present the concept of the end-to-end software supply chain framework, that isn't just exclusively SLSA, as something that is new for us to work on this quarter at our security industry coordination QBR, so I'm really looking forward to contributing and seeing where best we can pick. Okay.
B
Okay, no, nothing from my side. Like, I'm pretty new and just wanted to explore things that are happening in these meetings, and then, yeah.
A
Yeah, okay, awesome. Okay, then I put in the chat the link to this document. Michelle joined last week, and she actually did a really good job of doing like an intro.
A
Basically, for part one, the intent of the blog is just, you know, how SLSA helps, right, very light, not too prescriptive, so that we can get, you know, the developer slash, I think we also mentioned product manager, to buy in to the concept of SLSA, right. And so she did a really good job of trying to make the analogy and linking back to the DevSecOps manifesto, like, why are we actually doing this?
A
Why should they care? And so feel free to read through that. I think this part is pretty golden right now. I also think most of these two, the "why should software developers and product managers consider SLSA", I think this is pretty good. There was a question of clarity, that these are developer-specific, and I wasn't sure quite how to word that right, because it just says SLSA level one to two, but it doesn't say that it's for the...
A
What we are focusing on here in particular is developer-specific, and maybe it's enough to say we're doing it up here instead. So I don't know what your thoughts are on that aspect.
A
So, thoughts from Laura or Mike: is this clear enough? Do we need to add clarity that these are developer-specific?
D
I would say, I was looking for something... it's been a couple of months since I had to add additional resources to something similar about explaining the security requirements to a software developer, because what we get oftentimes is the response that they don't work in security. And so, you know, not all of them, right, just occasionally, like, "I don't work in security, security is not my job." So.
D
I actually took some time to, and it may take me a few minutes to find the reference where it states that, like, security is part of the software development life cycle. So maybe just something like that, that ties it together to say this is why you should care, and it's not just because we said so, but because...
A
Yeah, yeah, so yeah, definitely then check this part that Michelle contributed to, on what you have seen success with, because Michelle mentioned that she's seen success in this type of messaging to developers, and so if there's something missing or something maybe we can enhance, by all means we can add to it. So I think this would be a good section for you to take a look at once you do find that reference that you're trying to look for.
A
There's also the levels, there's this "what's not covered by SLSA levels", so we want to make sure that we are putting SLSA in the right, I guess, position, right, like it's not going to fix all your problems, right, and so I think this is why we added the "what is not covered by SLSA". Yeah, but I do... go ahead, yeah, but I am curious about whether we should add something like that for these things that we don't cover.
B
Just one thing that I would like to add here: there are already some security specifications, like the NIST security specification and all, which are more detailed about the different security guidelines and all, and SLSA actually looks like it's giving a lighter version of that. So if you are able to correlate, then people will be able to understand. Like, those who know that this part is NIST or some other security standard, they will be able to understand where SLSA is placed in the security guideline slot.
A
Yeah, I'm wondering if we should reference back to the SSDF blog that we wrote a while ago. I'm thinking about it.
C
So I think also one thing that we can maybe even be a bit stronger on is just making it very clear here, because, I know, you know, I come from that dev world that then transferred more into security, so I understand where a lot of folks are coming from. And so there's like two things. One is, like, SLSA is not an application security framework, right. It's not trying to tell you how to prevent stuff like, you know, inadvertently introducing a SQL injection attack.
C
That thing, am I lying to you, or is that accurate? That's kind of where it comes in, and so just to be clear, I think that there's elements of some of the OWASP stuff, some of the SSDF stuff, that do sort of skirt both of those lines, right, like they kind of hit both, you know, the provenance and integrity piece as well as, you know, giving guidelines on just generally how you should be.
C
SLSA says, hey, no, we're not that. We want to make sure that we're very focused around just purely the supply chain piece, so the provenance, making sure that, hey, I have some code, maybe I have some dependencies, and then that ends up in production at some point, you know, and is everything in there being tracked in a good way, and so on and so forth, such that I can trust it. I think that's one thing.
C
The other thing that I've also found a lot of success in, having been on the other side of being a developer, is, like, being a developer being told, hey, you need to do the security stuff: the earlier on in the process it's pushed to me, the better, right, because then I don't have to worry about... like, the worry is always, which has happened to me...
C
Why did nobody tell me? What could I have done to know that this security thing was something I should have known about and something that I should have been aware of and been working to fix or whatever, right? Because for the most part developers just want to, you know, they want to do their jobs and they want to go home at a reasonable hour, and yeah.
C
So that's kind of, I think, when I think about what developers are interested in, I feel like... sorry, like why they should care about this sort of thing, is like, hey, this helps you out with all of these pieces. It helps you out with making sure that, hey, you don't inadvertently introduce something that is gonna, you know, hurt yourself, your organization, your team, etc., as well as just sort of making sure that that's, you know, more straightforward and something that helps you go home at a reasonable time. Yeah.
A
I do like that use case about, you know, right before the production push, something goes wrong. I think that would resonate, and I'm wondering... I'll go into this part here in a second, but I think I'm going to add that as a use case right here, and I'm going to actually add it as use case three, because I think use case three would be stronger than four. Like, use cases one and two, they're okay, but I can build upon the story of, okay, developer does this, developer does this.
C
Yeah, and I think one thing to just add in there, like, as literal things that have happened to me, right. I used to work at banks a lot, and there was a gating process, and usually the problem was that security was usually a gating process right near production, and that sort of gating process led to a lot of inefficiencies, because sometimes, you know, a security...
C
...design kind of question was still being addressed right before you're ready to go to production, when you would expect that to sort of be handled significantly earlier on, so that you have that quick feedback loop of, like, oh, we have this idea; actually, that's never going to pass policy, so we should just, you know, ignore it. Whereas, you know, the thing that has happened to us, or, you know, myself and a lot of folks who work at very large enterprises...
C
...is you get told that, you know, right before production.
A
Okay, okay, and policy... feature, that features... what word did you use? You said not a... it wasn't an idea that then got shut down. It was, yeah.
C
Like, so designs, so like security designs. Like, if you know, and this is something that's in some of that diagram that you had earlier on, Melba, with like the holistic SDLC thing, and it's something that also we've been, you know, we showed off a little bit at KubeCon, is that idea of, you know, security is in each stage of the SDLC, and right now people are way too focused on, like, the end stage of implementation.
C
Hey, you should be funding security, you know, as part of planning, and you should be, you know, getting that ready, and then, as part of like analysis or your design phase or whatever you want to call it, you know, all of these things should get done, which then makes everything else much simpler, so you don't get surprised, you know, right before production, or...
D
That makes sense, you know. There's also... it wasn't the exact source that I was looking for, but it's been shared before: the application of root cause analysis kind of ties into that, too, is like how you could save time and money and, you know, developer hours, having something like SLSA that helps guide you through, like, the software testing piece of it. So there's that aspect of it that we've talked about. It's been a while.
D
The article itself is really old, but one of our tech leads shared it, and so maybe that's something we could incorporate into here as well as...
A
Yeah, now I'm wondering more and more here. Let me show you something really quickly. I was trying to do this with AJ and Isaac, I didn't finish, right, but we were trying to say, okay, what is SLSA versus what's not SLSA, right. So it's SLSA build... we didn't go into the levels, right, but the dark green is, you know, SLSA build, the light green is SLSA source, but you see the blues, we called it...
A
...the S2C2F, open source approval, security check, compliance check, vulnerability remediation, but that's not SLSA. So I'm wondering if something like this could help, or is it just gonna complicate things?
C
So I do like the general thing going on here. I'm just wondering how we can make it a little bit clearer.
C
You know, because I think, like, a simplified version of something like this would make it a bit clearer, and then the thing I'm reminded of a little bit is... so this helps out with the sort of, like, trying to have folks understand kind of how SLSA fits in, right, where, you know... SLSA is very much focused right now, at least, on the source-to-artifact kind of stuff, and then separately, I know...
C
One of the things that we had talked about is potentially, on like a V2, we probably want to also include, like, maybe even go all the way back to developer, right, so developer writing source, right, and helping protect that and helping sort of help out there, and then potentially even doing something like not just to artifact but all the way into production, something like that. So that's something I know that we've talked about, like eventually hitting, but right now we want to make sure that, like, the big piece that's missing...
C
...has been the build piece and the provenance from, like, source to that, which I think is super important. And then I think separately, the other thing that I know Isaac did, which I really liked, is those four levels, and I can re-share that diagram real...
C
So if you give me a link... yeah, yeah, give me one second here. You could just... that image there from GitHub.
C
And so that image, like, what I like there is you have sort of... you're talking about the end-to-end sort of thing, and this is sort of saying what are the layers to kind of get to supply chain security, right, where the trust foundation is just like, you want to make sure that you're assigning identities to things, and then the software attestations is where SLSA fits, which is, hey...
C
You are actually generating these attestations, you're doing the right thing from a security perspective, and yada yada, to then feed into the other tools and, you know, to actually solve the problems. Yeah.
C
A few other folks who we've been doing stuff with got...
A
It... okay, yeah, I think I remember Brandon in there.
B
I have a question, a little bit out of... like, you know, this SLSA currently is mentioning about the application build and deployment scenarios, securing that part, right. So when it comes to infrastructure as code now, that is also a software part, even at a similar rate. So in that case, are we, for example, considering the Terraform or any IaC code development? Are we considering the SLSA standard to incorporate infrastructure provisioning, build and deployment, securing infrastructure build and deployment as well?
C
So probably not from the perspective of, like, actual, like, hey, are we securing the deployment of this thing? SLSA would be consumed by those things, to sort of say, is my stuff SLSA-compliant, because I have a policy that all applications must be SLSA-compliant. So if that's the case, then I'm going to let that get deployed. Now, separately...
C
SLSA is still viable for infrastructure-as-code artifacts. So if you say, hey, I have a bundle of Ansible code or Terraform or Kubernetes bundles, there is, you know, you can say, hey, this was generated...
C
You know, because, like, I know a lot of the configuration gets generated, right, like, you know, you might have the actual sort of YAML files themselves might be just sort of source code, but you might have folks saying, hey, based on this, this and this, here's a bunch of configuration that gets generated by some sort of process.
C
That sort of thing could also go through the SLSA process to say that this set of infrastructure code is also compliant, but as far as, like, actually securing an artifact getting deployed out, that's something that's kind of outside of the scope of SLSA, but the intention is... and Google calls it binary authorization, a bunch of other folks call it a bunch of different other things, but the idea of, like, saying, hey, I have a policy and only things that meet that policy are allowed to get deployed. Yeah.
B
So what I feel, yeah, that's good. So I just wanted to consider the use case where, when we write IaC code like Terraform, we do have also vulnerability checks, like we do in applications. Say, for example, for an application we use tools like SonarQube or Checkmarx kind of tools which will do the vulnerability analysis of the application code; similar to that, Terraform also has tools...
B
...which will do the vulnerability check of the Terraform code. It's again, like you mentioned, Michael, it's happening in the left part of the development life cycle. So, SLSA... I mean, my question or my doubt was whether this process is also in line with the SLSA level standard. For example, can I say an infrastructure provisioning pipeline like CHP is now applicable for Terraform also? So now can I say I have a statement like, my CI/CD pipeline for infrastructure provisioning using Terraform is SLSA 3 compliant?
C
So the idea behind it is SLSA itself largely just says you should have a secure pipeline, but we're not going to tell you what that is, because everybody's going to have different things, and, you know, like, if you're running an air-gapped, military-grade environment, it's going to look very different than if Mike is, you know, updating his blog, right. So there's gonna be a very big difference there.
C
We have a way of saying in SLSA, we can see that, like, you ran... like, we have records of you running, you know, certain security scans, generating of SBOMs and so on, whereas before, like, the problem was you might be running a security scan, SonarQube, Black Duck, Veracode, whatever, right. You might be running some of those scans; the problem is, one of the things that often happens...
C
...is you don't have records that you actually ran it against what you expected to run, and that kind of is, like, one of the things that we saw with, like, the SolarWinds situation, right, is we saw that it turned out you thought you were scanning what you were deploying, but you weren't, right. You were scanning something else, and you were deploying this other thing, right, and that thing was signed. Yeah, yeah.
C
So this thing, because it keeps track of the hashes and everything else, and it's also integrated into stuff like in-toto, right, it makes it very, very easy for us to say that, yes, you know, step A is downloading the code, step B is linting, doing security linting, step C is running the actual build step.
C
Is that what I actually ran the tests on, right? If it wasn't, then I know something happened, which is something that, you know, we've seen happen a couple of times, is, you know, folks think that they're looking at what they're expecting to look at, but they're not.
C
Yes, so SLSA is really, at this point, like, mostly recommended for anything that involves a transformation step or something that you want to keep track of, because if you want to keep track of, like, different things that are happening, and you want to have a record that, like, your build system signed off and said, I ran these steps, so you can't have just somebody, you know, falsify a record of that thing. That's where SLSA comes in.
A
Okay, any other comments about what SLSA doesn't cover? And I tried to make this into bulleted items. I think it would be easier for the reader to quickly glance, so I put life cycle of application security, which I think covers the whole SAST stuff, and it covers the security framework.
A
And these two were already here, and I put this as a comment: do you try to use the chart? It has a GitHub user content link. So do you have the actual link or the actual location of where that chart is referenced, like if there's words around it or a README for it, etc., Mike?
C
Yeah, so that helps out. I believe Isaac has... like, this originally stemmed from some demos, I guess, that Isaac has been giving. Once again, I don't work at Google, so I don't know if he's been doing it internally, but my understanding is that this is all, you know, this is stuff that they've been obviously sharing outside, because they've made it public, but yeah.
C
But I remember from his slide deck he was going through and talking through each individual thing, where, you know, the trust foundation is saying you need to have IAM and a signing mechanism and so on. And then you need to generate attestations, sign those attestations based on the trust, and so on, and then, okay, then the aggregation and synthesis is saying...
A
Okay, okay, so yeah, I think it's appropriate to just leave this, and then we could potentially have, like, a call to action.
A
Okay, are we good to go on to the next one, which is the problems it can catch? Thumbs up, I see smiles, except for Jason, and no pressure, Jason. Okay, okay. So the use cases that we have so far is the local modification for local testing of a YAML file, right, so a developer configures or changes something in their YAML file locally.
A
They forget about it and they attempt to build the code. According to how it was explained to us, I think it was earlier last week, it would prevent that bad compile, all right. It would say, no, what you currently have on your system does not match the upstream, and so it would not compile the code or would not build the code.
A
Maybe they don't have a dedicated build infrastructure, build environment, and so they're used to building on their local machine and maybe pushing it for whatever reason, and they're not trying to be malicious, but they make a local modification, right, and forget about it.
C
Yeah, I think for the most part, like, SLSA 1 is less focused... like, SLSA 1 is trying to build the on-ramp to security. It's not really itself very useful from the perspective of actual security, but it does help in a couple of ways. One is, assuming, right, like, it doesn't really protect against a bad actor, but it does help from the perspective of an investigation or audit, assuming your build system hasn't been compromised, right.
C
Assuming that you are trusting all the internal parties, it helps you go back and audit and, you know, find stuff like, oh, it turns out, you know, this build happened on this day. Yeah, as Laura's messaging, right, like, it's stuff like... it's more like it just helps build an audit trail. It's just not necessarily a trusted audit trail, just an audit trail, yeah.
A
Yeah, and I think some of these were, for Laura and Jumpsuit, who weren't here in the past couple of meetings, there's these two links at the bottom, like all the way at the bottom if you scroll, where we're getting some of this information, and it talked about, you know, documentation, mistake prevention, inventory, and level two is reduced attack surface, weak tampering protection, and...
A
...goes on and it talks about the benefits, and so this is already on SLSA's GitHub, I think GitHub repo, and there's, I think, this picture right here, I think, is on the dev website, if I'm not mistaken. I can't remember which is which, so that's where we're getting some of the stuff from, these two pieces of information. I...
D
...think it also helps with, like, what they call the unwitting non-malicious insider threat. So there's, like, they probably don't go that far down into the weeds when we talk about different threat actors, but there's... I have some experience in developing an insider threat program, and there's that unwitting...
D
You know, whether it be a developer or just an employee who thinks they're doing the right thing, but, you know, they make a mistake, and so that's where that data processing error comment comes from. Is that that piece is considered a threat actor, but not in the same sense that most folks immediately think of a malicious threat actor that's targeting that particular system.
D
You know, through an unsecure method, was more of like the examples that I had from a previous job, but it could definitely be applied here as...
B
Yeah, as you mentioned here in the local system, this is also applicable when we are building this with the Cloud Build and things or something like that, right. That's so... So we need to consider that also, that this can happen when we are doing this in tools like Jenkins or Cloud Build.
A
Miles, remind me, John C, the... you mentioned Jenkins, the issue with Jenkins, yeah.
B
Like the dependency packages, so basically this happened during the build, and this will be when we specifically talk about the SLSA level 1 help on it: it can be your laptop. But when it moves to SLSA level 2, we are building this with tools like Jenkins or Cloud Build.
A
Oh, I see, so.
B
Or any other of these tools.
B
Yeah, it's usually, on those scenarios, a service account will be the, like, you know, the authorized identity to do this, so yeah. So with that access still, this can happen. Another could be... so some organizations will have their own, to avoid the security issues, they have their own local or internal dependency repositories, artifact registries, internally maintained, and packages like, for example, npm, Node.js packages.
B
Yeah, but this is quite... like, when developers will not be linking to the proper internal repo, instead they will keep it open, then it will try to download it from the internet. So in case there is internet open in that build machine, then our artifact will become vulnerable.
C
And I think what you're saying there is stuff that, like, one of the... you know, a lot of the stuff there that SLSA sort of hits to help out with these things are things like, hey, it doesn't necessarily prevent somebody from building against the wrong thing, but it provides a record that they did build against the wrong thing, so you can go back and have your policy that says, wait a second, you weren't supposed to do that, and then from there, right.
D
I was gonna say that that ties back up to that root cause analysis thing that I posted or attached as a comment before; that could also kind of loop back around into having a record of that and being able to do either debugging or an investigation with that type of information. Sorry, I didn't mean... okay, no.
A
No, no, no, no worries, I'm not looking up, I'm like deep in thought and just listening for a pause. In the GitHub or, you know, slsa.dev, it says "prevents mistakes". So is this wording wrong? Will it not prevent it? Well...
C
Build
script
right
like
the
idea,
so
so
what
that
prevents
is,
if
you
just
have
something
like
make,
build
right,
that's
how
you
build
yep!
Well,
that's
a
build
script
like
if,
if
you
do
something
like
oh
go,
build
CP,
you
know
CP
this
file
over
here
and
then,
like
you're
manually
running
all
those
commands
to
package
up
your
application.
Then
all
it
takes
is
one.
A
And
so
I
was
like:
oh
I,
I
was
thinking
of
getting
like
a
terminal
and
like
if
this
was
a
local
modification
right
and
you
do
build
all
dot
sh,
it
Imports
the
yaml
it
downloads
dependencies,
you
know,
runs
unit,
build
complete
and
then
they
go.
You
know
push
or
something
like
that.
A
We
could
then
build
the
use
cases
around
us
to
say.
Well,
if
you
change
the
settings.yaml,
if
you
misnamed
the
files,
if
you
downloaded
additional
dependencies
in
that
same
directory
structure,
then
based
off
of
level
one,
it
should,
in
theory
prevent
it
from
actually
doing
a
build
complete.
Should
it
not.
A
Because
here's
the
build
all.sh,
here's
the
build
script
right,
it's
supposed
to
you-
know,
build
the
source
build
from
Source
rather,
but
you,
as
a
user,
have
changed
the
yaml
file
on
your
local
system.
You
might
have
downloaded
additional
dependencies
on
your
local
system
so
from
level
one
perspective,
even
though
you
have
that
build
all.sh,
would
it
actually
Finish
the
build?
A
Is
the
assumption
that
it's
supposed
to
check
that
yes,
Upstream
is
is
is
not
correct?
It's
not
matching,
or
are
we
saying?
Okay,
yes,
level,
one,
you
have
a
build
script,
and
even
if
you
have
all
these
other
things
that
are
changed,
it's
not
necessarily
going
to
catch
that,
but
it
would
be
an
audit
trail
that
this
is
where
it
went
wrong.
A
A
B
A
D
Ahead,
Laura
I
was
just
wondering-
and
this
is
just
this
is
a
a
question
from
a
a
non-technical
developer
perspective.
But
during
that
downloading
dependencies
is
there
anything
there
that
could
be
introduced
that
could
not
be
prevented
as
part
of
that
process.
C
Yeah, so I mean I can talk a little bit about what the concern is and what we're trying to do with SLSA to kind of prevent it. And so, you know, the concern with a lot of this, right, is, if, let's say, I'm running this locally, right, you know, my local laptop. The worry is, hey, I have something malicious on my machine, or you know something like that, or me, who's just a developer, maybe messes with something.
C
While it's running, that kind of thing. Once you get to like level two and you're running it in like a build, like, or once you're required to run it in a build service. I can't remember if it's level two or level three, I think it's level two, once you're required to run it in a build service. The idea is, hey, that build service, right, you should be, you know, there's an expectation, and it's in the requirements, that there's an expectation that you're securing this build service.
C
We're not going to tell you exactly how you secure the build service, but we're expecting that you are securing this build service. You're not just letting, you know, which is also a thing that I know breaks some of the Jenkins stuff, is, hey,
C
an admin on Jenkins can just log in and start messing with stuff. But the idea would be, you know, you're securing that build service. And so the idea, once you get to like level three, where even the build service is signing the provenance, then what ends up happening is the build itself is not signing the provenance. So even if the build reports false information, you have a separate service signing it. So you have the lower risk of, let's say, the downloading of dependencies.
C
You downloaded a malicious dependency, and in certain languages, or certain ecosystems like npm, even downloading a dependency can run arbitrary code. And so you can end up with a situation, right, where you downloaded a dependency that starts trying to steal your secrets, and if you are, you know, if you're having your build itself, like if your build script calls something like Sigstore or Notary to sign the resulting artifact.
C
So that's one big worry, and so the idea is SLSA prevents these sorts of things by saying, well, no, the build service at level three is actually doing the signing and is also introspecting. So even if a particular build is attempting to lie, you still know the inputs, so you could go back and rebuild it on a bunch of different hardware, or whatever, a bunch of different build infrastructure, and double check, like, hey, I'm gonna run it in a bunch of different places, and then it helps you figure out.
A
It says: benefits, prevents mistakes during the release process, such as building from a client with local modifications. And the explanation that was given by Mark, and I think he's changed this since, I have to go find the... I think it might be this right here.
C
Hardened this in some of the... actually, no, I guess this is still there. But yeah, so I get, and so maybe this needs to be refined even a little bit further to make it a little bit clearer, but I believe the idea here is like if I were to open up my VS Code and modify some files, run go build, yep.
C
You know, mistakes during the release process, such as building from a commit that is not present in the upstream repo, or if the expectation here is that the build process includes downloading the source, which, if that's the case, then the idea... and which either way, we should make sure that it's clear, because that could also be the case, in which case like your build process is essentially, hey, I have a build.sh script or whatever that downloads
C
the code, runs the build and so on. But yeah, I'm not exactly sure what you mean, what's meant by that. And now that you kind of talked about how you're reading it, and I think how you're reading it also makes sense, but it kind of complicates, I think, what we're trying to get out of there. Yeah.
A
So yeah, so that's where, and it looks like here, reduces, yeah. It could be "reduces mistakes", because here it is, so that it generates and distributes attestation describing how it was built, who built it, what was the process command. So here it almost seems like, okay, it's just recording what's happening, and then here it says automatically where the artifact exists and matches the expectation.
A
Okay, so I'll take that back. Before it was about the language down here. Thanks, Laura. Oh, I just realized the time. I didn't notice that we were at time.
A
Okay, before we go, any other thoughts? Yeah.
B
One point not related to this document. I mean, since Michael also mentioned about that preventive word. So in the SLSA site, the home page itself, we were mentioning like "prevent tampering" and all those details. So instead it would be like to say "help to prevent", right? I mean, just the thought process.
B
First definition of what SLSA is, we are actually mentioning like, it is a security framework, a checklist of standards and controls to prevent tampering. So instead can we say, like, standards and controls helps to prevent tampering, which will be like a little...
A
Yeah, I think that's something that even the IBM lawyers, before you write anything, they have like little asterisks like "nothing can be totally secure" and blah blah blah blah.
B
Okay, it's there in the three places in the home page.
A
So, okay, anything else before I end the call?
A
Okay, awesome. Well, if you want to add to this blog, feel free to add your thoughts. I'm gonna probably sit around for the next hour and try to wrap up as much as I can. But thank you, everyone, for joining. I appreciate your time. Bye.