►
From YouTube: Supply Chain Integrity WG (May 24 2023)
A
B
C
B
B
C
A
D
D
Okay,
just
before
we
get
started
here,
or
rather
as
we
get
started
here,
I
want
to
give
the
opportunity
for
anyone
who's
new
anyone,
who's
not
been
to
these
meetings
before
and
or
not
introduce
themselves
before.
To
do
so,
and
there's
no
obligation
to
do
so,
but
if
you
want
to
say
hi
to
the
group,
just
please
introduce
yourself.
That
would
be
awesome.
E
C
D
E
Ice
cream
I
have
a
few
slides
and
so,
as
Isaac
said,
the
proactive
software
Supply
Chain
management
risk
management
framework,
so
I'm
at
NC
State
a
professor
there,
but
the
work
that
I'll
be
talking
about
has
been
done
on
a
sabbatical
synopsis
which
is
just
finishing
up,
and
so
you
know,
as
we
all
know,
with
supply
chain,
there's
lots
of
different
help
coming
from
lots
of
different
places,
which
is
good,
but
it
also
does
leave
some
confusion.
So
people
wonder
you
know,
okay,
all
of
that.
But
what
should
we
do?
E
And
so
what
I
did
through
this
academic
year
was
take
all
of
the
Frameworks
and
unite
them
into
one
framework.
So
all
of
the
different
tasks
from
all
of
the
different
Frameworks
into
one
place-
and
there
is
a
link
to
that
place.
I'm
in
the
document
in
the
notes-
and
so
it
turned
out
to
be
72
different
things
from
all
of
the
different
Frameworks
I.
D
D
E
E
So
it
was
really
what
what
gets
attention
and,
as
you
know,
and
so
in
a
lot
of
cases,
we
all
know
which
ones
get
attention
but
then,
as
I
was
going
through
and
as
I'll
talk
about,
I've
been
interviewing
people
at
different
companies
and
then,
as
there
would
be
more
companies
talking
about
one,
a
framework
like
I'll
say
the
cloud
native
was
one
of
those
that
came
up
because
a
number
of
companies
were
talking
about
that
framework
and
then
I
included
it
into
the
framework.
And
so
there.
A
D
E
E
So
I
can't
think
of
any
off
the
top
of
my
head,
I
mean
I,
think
yeah,
but
I'm
I'm
open
to
others
that
you
feel
that
should
be
included,
yeah
yeah
so
anyway.
So
four
groups
15
practices
which
are
in
the
blue,
which
are
groupings
of
specific
tasks,
and
this
is
a
model
where
I
took
the
software
development
life
cycle
and
laid
out
the
practices
to
where
they
were
on
the
software
development
life
cycle.
A
I'm
so
Claire
clarification
question.
Is
this
the
the
like
the
security
model
focused
on
I
from
from
this
slide
I'm,
presuming
that
it's
focused
on
the
business
not
on
the
producer
side
of
the
artifacts
or
the
or
the
locations
of
these
artifacts
are
getting
consumed
from
public
open
reap
open,
artifact
hosts.
It's
mostly
focused
on
how
the
organizations
consume
them.
Is
that
accurate.
E
If
that
makes
sense,
I
mean
so
there's
a
practice
about
in-house
development
as
well
or
a
task
about
in-house
development,
and
then
there's
also
so
internally
developed
source
code
is
over
on
the
left.
Third-Party
components
is
down
on
the
bottom,
so
it
doesn't
it's
trying
not
to
be.
You
know,
trying
to
be
open
to
the
perspective.
A
Yeah
so
I'm,
just
I'm
trying
to
I'm
trying
to
are
are
I
guess
is,
is
the
problem
or
the
is
it
not?
Is
the
scope
of
this,
the
consumer
who's
building
an
application,
or
is
the
scope
all
the
way
from
the
third
party
component
that
you're
that,
like
I
guess
what
is
this
scoped
to
and
does?
Is
this
focused
on
the
open
source
producer
consumer
yeah
where
in
that
pipeline,
or
is
it
all
of
the
above.
E
A
E
All
right
yeah,
so
this
is
this-
is
the
body
of
it.
So
there's
72
entries
like
this,
and
then
you
know,
why
did
why
were
all
of
the
Frameworks
unique
because
it
is
intended
to
be
end
to
end
from
the
management
aspects
to
the
deployment
aspects,
so
the
top
line
is
how
the
you
know
my
framework
came
out
and
then
of
the
four
groupings,
the
governance.
E
A
lot
of
those
practices
are
in
the
nist,
800
161,
and
so
the
way
to
look
at
this
I
put
in
bread,
the
most
influential
framework
for
each
one
of
the
groups
and
then
in
the
parentheses,
are
specific
tasks
that
were
only
mentioned
in
one.
In
many
of
the
cases
the
tasks
are
mentioned
in
multiple
Frameworks,
but
like
under
governance,
there's
23
and
in
my
framework
a
lot
of
them
came
from
nist
800
161..
E
The
product
tasks
primarily
came
from
ssdf.
The
cloud
native,
a
lot
of
the
environment
came
from
there
and
then
deployment
came
from
ssdf
and
then
some
unique
ones
from
different
Frameworks
so
like
I,
did
see,
as
people
mentioned
the
different
Frameworks.
In
order
to
be
more
comprehensive.
Really
all
of
the
Frameworks
were
needed.
E
E
So
an
example
of
so
component
Choice,
the
S2
c2f
is
the
four
is
in
red,
doesn't
say
that
that's
four
unique
practices,
but
it
would
say
that
the
s2c2
have
had
at
least
one
practice
that
no
one
else
had,
and
that's
that's
how
you
got
to
be
a
red,
but
you
know
you:
can
you
can
see
the
contribution
of
each
of
these?
And
one
thing
you
know
yeah
I'll
talk
about
it,
then
how
we
can
all
work
together.
F
I
have
a
quick
question:
I
mean
first
of
all,
I'm
impressed
because
that's
the
amount
of
work
this
must
have
required
is
pretty
staggering.
So
you
know
congrats
for
putting
all
that
work,
but
but
so
I
I'm
trying
to
understand
the
the
categories
that
you
have
on
the
left.
Did
you
come
up
with
that
list
to
start
with,
or
this
as
you
went
through
all
the
different
Frameworks?
You
know
things
came
up
and
you
say:
oh
I,
don't
have
a
category
for
this,
so
I'll.
Add
it
there.
F
E
E
B
B
E
Yeah
so
I
mean
I
would
I
would
say
a
product
so
product
in
that
just
say:
it's
I
know
some
js,
IBM
or
J
is
Microsoft.
We
use
Microsoft
as
an
example.
Microsoft
has
lots
of
products
and
each
one
of
them
would
have
a
different
structure
and
you'll
see
I've
been
interviewing
companies
to
find
out.
I
mean
the
the
main
research
objective
is
to
find
out.
How
are
we
doing?
E
That's
that's
my
research
objective
and
so
as
I
went
through
and
interviewed
companies,
then
I
would
interview
like
a
certain
product
and
there
is
one
open
source
product
that
I
would
like
to
get
involved
with
to
see.
How
does
it
differ?
So
it
is
true
that
some
of
the
practices
might
be
n
a
you
know
for
some
for
some
people
and
not
applicable,
applicable.
E
B
B
That
that's
a
way
larger
and
they're
and
they're
focused
on
Supply
chains.
You
I
would
expect
them
to
do
better.
I
I
think
I
do
well
at
that
I'm.
Thinking
of
of
relatively
small
projects,
which
don't
have
organizational
structures
and
right
you
know
you
know
is
even
is
one
of
my
favorites,
because
it's
a
it's
a
it's
a
JavaScript
package
to
tell
you
if
a
number
is
even
or
odd.
B
A
B
So
I
I
think
that's
I.
I
think
it
would
be
very,
very
you
know:
I
worked
with
best
part
I
would
recommend,
trying
to
find
and
triangulate
many
different
kinds
of
projects
to
your
big
and
small,
but
make
sure
you
cover
the
small,
because
the
small
ones
are
very
much
far
more
numerous
but
challenging
yeah.
E
E
So
if
people
are
familiar
with,
synopsis
has
a
beast
and
building
security
and
maturity,
model
and
they've
had
it
for
13
years
and
they
have
like
121
practices,
software
security
practices
and
they
go
into
companies
and
I.
Ask
you:
do
you
do
this
and
get
some
proof?
And
so
then
the
company
comes
out
of
it.
Having
a
report
like
this
like
saying,
you're
the
company
you're
in
blue
and.
E
E
Related
to
policy,
but
the
industry
is
doing
pretty
well
I
mean
you
can
compare
yourself
to
that,
and
that's
really.
The
purpose
of
these
interviews,
I'm
doing
is,
is
to
give
the
companies
that's
been
participating
this
type
of
a
picture,
but
then
synopsis
does
publish
this,
be
some
report,
which
is
an
industry-wide
which
you
know.
If
then
I
will
publish
an
industry
report
without
the
you
on
it
that
can
show
everyone.
How
are
we
doing
on
adopting
these
practices
from
these
Frameworks?
E
C
C
The
last
one
was
employment,
governance,
yeah
environment,
so
so
and
I'm
not
sure
where
this
would
probably
go,
probably
somewhere
in
the
good
point.
But
one
thing:
I
don't
see
here
that
you'll
only
find-
and
maybe
a
couple
of
these
is
end
of
life
that
is
I'm
I'm,
a
stickler
about
that,
because
that
doesn't
it's
arguable,
you
argue
so
I
think
that
should
be
part
of
any.
C
E
No
I
mean
and
you're
exactly
right
and
I.
Think
in
that
the
life
cycle,
part
I,
think
I
had
end
of
life
on
the
right,
but
nothing
maps
to
it,
and
so
my
first
pass
was
to
really
take
all
of
the
Frameworks
that
are
out
there
and
not
them,
because
72
is
a
lot
already,
but
I
do
I
think
there
are
things
that
aren't
in
those
Frameworks
and
and
I
agree
with
you.
That
end
of
life
is
something
that
could
be
added,
something
that
you
know.
We
all
know
and
love
that
is
not
in.
E
E
Okay,
so
as
far
as
next
steps,
I
mean
I
will
I'm
I'm
finishing
up
my
sabbatical,
we'll
publish
an
industry
report
of
how
are
we
doing
for
adopting
these
practices
in
the
different
areas?
That's
pretty
near
term.
I
also
want
to
take
this
framework
and
develop
levels
so
and
my
levels,
my
preference,
is
that
level.
One
says
you
really
really
have
to
do.
E
I
didn't
highlight
it
so
much
but
like
if
you
look
at
the
bottom,
I
do
have
the
open,
SSS
scorecard
metrics
in
there
and
so
trying
to
show
which
of
the
practices
are
being
automatically
assessed
now
and
trying
to
improve
that
and
then,
as
far
as
you
know,
how
I
would
love
your
help.
First
of
all,
I
did
these
mappings,
myself
and
I
know
from
a
scientific
standpoint.
That's
not
great,
like
having
two
people.
Look
at
anything
is
is
important.
E
Some
of
the
mappings
came
from
different
places
like
you
know,
they
mapped
between
each
other,
so
some
of
them
were
not
just
me.
A
lot
of
them
were
just
me,
and
so
you
know,
if
you're,
if
you
really
love
salsa
or
something
take
a
look
at
the
framework
and
see
where
I
match
the
practices
of
that
framework
and
give
them
feedback,
and
we
really
love
them
and
I
am
still
looking
for
a
couple
more
companies
to
take
part
in
empirical
studies.
E
So
you
know
interviewing
people
within
the
company
to
find
out
if
they're,
adopting
the
practices
or
not
so
to
be
part
of
this
industrial
study
and
then
overall
provide
feedback
and
and
I
hope
that
you
find
it
useful.
That's
really
what
it's
all
about
is
trying
to
bring
everything
together
in
order
to
help
everyone.
D
D
D
D
B
Yeah
so
I
actually
I
actually
put
in
some
notes,
Here
to
at
least
try
to
pre-answer
some
questions
as
it
were,
so
the
governing
board
had
this.
Frankly,
you
know
the
governing
board
basically
said
hey.
You
know,
after
looking
at
the
very
various
options,
we
really
want
to
move
in
this
direction
of
something
called
a
sterling
tool
chain,
and
the
question
is:
what
does
that
mean?
And
the
answer
is
well:
it's
this
a
tool
chain,
that's
Sterling!
Somehow
it
we
had
a
little
more
than
that.
B
That's
not
entirely
fair,
but
not
a
lot.
It
was
I
think
about
a
paragraph
but
I.
If,
if
I
was
going
to
summarize
it
in
one
word,
I
would
I
guess
I
would
use
the
word
automation.
The
notion
here
is
that
they,
basically
if
we
want
to
see
things
done
at
scale,
we
want.
We
need
to
see
more
easy,
more
automation,
so
that
things
don't
have
to
be
done
by
hand
every
time
and
that
will
far
and
that
will
increase
likelihood
of
adoption
of
of
various
ideas.
B
I.
The
the
problem
is
that's
very
nebulous
and
so
I
was
asked
to
try
to
create
a
very
early
draft
of
a
concept
and
so
I
started
with
the
mobilization
plan
and
this
idea
of
Automation
and
whatever
the
government
board
had
said
and
tried
to
create
something
that
tried
to
square
the
circles
between
those
ideas.
B
That
was
not
my
preference,
so
I
have
not
been
able
to
do
anything
with
this
more
recently
and
I'm,
not
even
sure,
if
I
really
have
the
the
pen
on
this,
but
basically
I
I
mean
early
draft
I've,
distributed
around
primarily
to
the
open
ssf
working
group
leads
to.
You
know,
get
some
initial
feedback
to
have
something
a
little
cleaner
and
then
go
go
back
and
go
further.
B
I
think
one
feedback
point
which
I'm
at
least
I'm,
very
sensitive
to
and
I
think
is
right,
is
you
know
in
general
developers
will
not
change
the
tools
that
they
use?
This
is
not
a
might
not,
it
is
a
will
not.
It
does
not
happen
Okay
in
rare
cases
they
might
change,
but
in
general
they
will
not.
So
if
there's
something
that
says
and
change
your
tool,
that's
the
end
of
the
discussion.
So
we
need
to
deal
with
that
in
a
pragmatic
way
and
I
think.
B
Now
exactly
what
it's
supposed
to
do
and
so
on.
You
know
we're
frankly,
still
working
on
on
that,
but
you
know
basically
trying
to
make
it
easy
to
create
a
new
new
project.
If
it's
not
already
there,
you
know,
and
then
you
know
various
things
to
deal
with
some
common
issues
to
to
counter
attacks
anywhere
from
you
know,
improving
the
likelihood
that
it's
not
going
to
have
vulnerabilities
in
the
first
place,
hardening
up
the
build
and
so
on
now
getting
s-bombs
and
so
on.
D
B
Okay,
because
I
mean,
if
you
but
but
I
I,
think
the
quick
answer
is
build
code
right
code,
not
just
an
architecture
now
I
do
think
that
figuring
out
on
architecture
is
a
necessary
part
of
that,
but
basically
the
governing
board.
Basically,
where
this
came
from
was
we
actually
had
somebody
interview
each
of
the
governing
board
members?
Hey?
What
do
you
want
to
do?
What
do
you
want
to
see
and
they
ended
up
with?
B
Oh
I,
guess
it's
three
paragraphs
ooh,
it's
not
just
one,
but
each
of
those
Fergus
is
pretty
short
so
but
I'll
I'll
point
out,
in
particular
the
middle
paragraph
we
will
build
and
we
will
build
an
autonomous
tool
chain.
Okay,
so
not
just
an
architecture
but
actual
code,
because
in
the
end
nobody
cares
about.
Architectures
really
architectures
are
useless
unless
they
are
implemented
somehow
with
code
with
Hardware
with
people
you
know,
but
if,
if
they
don't
turn
into
something
that
you
use,
then
it's
just
another
document
we
can
ignore.
B
Now
that
doesn't
mean
that
documents
are
useless
because
it's
hard
to
write
code.
If
you
don't
know
what
it's
supposed
to
do
so
so
I
I,
don't
think
those
two
ideas
are
in
Conflict,
but
I
think
the
goal
is
to
eventually
have
code.
Now
we
don't
have
to
necessarily
write
it.
All.
In
fact,
I
think
the
goal
would
be
to
as
much
as
possible,
not
write
it
but
use.
What's.
What's
there
and
much
more
focus
on
integrating
piece
parts.
D
And
so
so
one
way
of
reading
that,
because
I
think
Chrome
had
a
similar
comment
in
your
document
like
we
will
build
an
autonomous
tool
chain.
One
could
squint
and
read
that,
as
we
will
assemble
an
anonymous
dual
chain,
which
could
be
that
we
take
parts
off
the
shelf
and
put
this
thing
together
in
a
way
that
we
think
is
represents
best
practice.
But
it's
not
necessary
that
we're
building
all
the
components
in
this
world
Journey.
B
A
D
B
B
B
D
B
B
A
B
D
B
They
are
getting
almost,
they
have
gotten
very
little
pickup
and
it's
not
because
people
look
at
Fresca
and
say:
oh
what
a
terrible
idea
you
people
are
stupid.
That's
not
what
anyone
is
saying:
it's
the
but
I'm,
not
Cloud
native
or
but
I
already
have
a
tool,
Suite
and
so
and
so
I
I
think
they
are
victims
of
the
problem.
I
just
mentioned
earlier
in
general
developers.
F
Yeah
so
first
on
Frisk,
I,
I
agree
with
you
and
I
think
they
would
agree
as
well
and
I
heard
Mike
liberman
with
one
of
the
leaders
of
the
Fresca
project.
Actually,
he
said
the
other
day
that
they
are
thinking
of
trying
to
extract
the
build
part
of
Fresca
so
that
that
could
be
reused
alone
and
integrated
to
an
existing
pipeline,
as
opposed
to
just
do
what
you're
saying
like
you
know,
throw
away
your
pipeline
use
this
one
instead,
which
indeed
doesn't
fly
very
well.
F
The
the
other
part
is
I
mean
Fresca
cannot
be
any
way.
The
whole
solution
right,
because
the
tool
chain
we're
talking
about,
encompasses
a
lot
more
than
what
frescott
even
tries
to
do.
Yeah
so
I
mean
things
like
you
know.
The
scanning
things
that
are
talked
about
in
the
in
the
Sterling
tool
chain
document
for
now
is
not
even
a
scope
for
Fresca
and
by
the
way,
one
more
point.
The
Fresco
thing
is
I've
heard
people
say
they
use
it
as
a
reference
when
they
are
trying
to
implement
salsa
and
try
to
figure
out
okay.
D
As
kind
of
when
Microsoft,
you
know
fleshes
out
fairly
complete
samples
like
contoso
or
or
Northwind
or
I'm,
sure
Jay
can
give
you
what
the
latest
are.
But
these
are
kind
of
you
know
fully
almost
fully
implemented
examples,
but
the
intent
is
they're
educational
in
nature.
It's
not
you're
expected
to
take
this
thing
and
deploy
it.
It's
more
like
this
helps.
You
understand
how
to
how
to
put
things
together.
D
So
in
in
terms
of
next
steps
for
Sterling
tool
chain,
David
is,
is
the
the
document
you're
linked
to
is.
Is
it
a
process
of
kind
of
refining,
incorporating
comments,
kind
of
whittling
that
down
until
it's
smooth
and
shiny
and
and
then
once
we've
got
agreement
on
this
concept?
We
go
okay.
Now,
let's
make
it
happen.
B
B
F
But
so
the
tag
actually
is
looking
into
it.
Now
right
I
mean
it's
one
of
the
one
of
the
the
work
items
that
the
attack,
the
new
tech,
has
decided
to
try
to
tackle
and
the
way
I
see
it
is
the
governing
board.
Basically,
you
know
at
this
bright
idea
and
just
throw
it
out
and
say:
hey
tack,
you
go
figure
out
what
that
means
and
make
it
happen,
and
so
the
attack
is
trying
to
you
know,
say:
okay,
what
does
it
mean
a
better
frame,
what
that
might
actually
mean,
but
I
I?
F
The
tag
is
not
going
to
do
that.
Work
either
right.
So
I
think
once
we
have
a
better
definition
of
with
the
Sterling
tool
chain
is
the
attack?
Will
then
figure
out
okay
who's
going
to
do
it
and
they
may
be.
You
know,
maybe
a
new
project
within
the
open
ssf
that
gets
started
to
look
into
this
and
actually
do
the
implementation,
and
there
may
be
multiple
ones,
because
one
of
the
challenges
is
you
know,
having
a
generic
tool
chain
is
now
going
to
work
across
all
the
different
ecosystems
you
have.
F
F
Some
architecture
that
you
know
is
applicable
across
the
different
framework,
the
different
ecosystems,
the
kind
of
features
you
want
to
have
what
functionality
should
be
you
know
implemented
by
the
tool
chain
when
it
comes
to
the
actual
implementation,
I
suspect
we
may
have
variations
there,
so
there
may
be
different
projects,
but
I
know
you
know
one
that
focuses
on
a
particular
ecosystem
and
another
to
another
ecosystem
and
so
on.
But
this
is
yet
to
be
defined.
I
mean
you
know,
I'm,
just
sharing
my
thoughts
on
that.