►
From YouTube: OpenSSF Town Hall (November 9, 2020)
Description
Learn More about OpenSSF Here: https://openssf.org/
A
A
A
The
first
is
about
antitrust
policy,
so
we
do
have
people
in
this
meeting
who
work
for
a
variety
of
different
companies
and
industry
competitors
and
to
ensure
that
we
are
complying
with
anti-trust
and
competition
law.
We
need
everyone
to
be
aware
of
some
of
the
requirements
and
those
you
can
find
in
the
link
here,
which
is
to
the
linux
foundation
and
dyspress
policy.
A
Another
item
has
to
deal
with
code
of
content
conduct,
so
our
intent
for
this
meeting
is
to
provide
a
harassment,
free
experience
for
all
of
the
participants
and
to
do
that,
we
have
set
aside
some
code
of
conduct
policies
and
the
details
of
those
can
be
found
at
the
link
below
and
then
our
last
housekeeping
item.
This
has
to
do
with
how
we're
handling
a
q
a
for
this
event
so
again
for
an
improved
audio
and
visual
experience
for
all.
A
A
A
Well,
let's
talk
about
the
open,
ssf
and
some
background
for
why
we're
here
we
have
a
shared
belief
that
oss
is
a
common
good
and
you
know
like
the
air
that
we
breathe
and
the
water
that
we
drink.
Any
developer
can
create
openness,
open
source
and
others
can
contribute,
and
we
can
all
use
open
source
is
the
basis
for
all
modern
software,
including
the
world's
most
critical
infrastructure
and
the
software
that
we
create
and
consume
whether
what
we're
providing
is
open
source
or
proprietary
software.
A
So
we
founded
the
open,
ssf,
the
open
source
security
foundation.
We
started
in
august
where
it
was
announced
on
august
3rd
of
this
year.
The
purpose
for
the
foundation
is
to
inspire
and
enable
the
community
to
help
secure
the
software.
We
all
depend
on
the
openssf
began
as
a
consolidation
of
existing
efforts.
So
there
there
have
been
over
quite
a
few
years
and
a
number
of
entities
that
have
gotten
together
with
the
focus
on
securing
open
source
and
our
goal
was
to
consolidate
them
and
get
more
of
us
working
together.
A
A
We
have
a
number
of
ways
for
for
individuals
and
organizations
to
get
involved,
so
we
communicate
over
mailing
lists.
We
have
a
group
meeting
calendar,
we've
got
slack
set
up,
we
have
a
github
and
also
a
twitter
account,
and
these
slides
have
links
to
those.
So
so
you
can
see
those
you
can
also
go
to
the
open,
ssf
get
involved
page
and
there's
more
information
and
links
for
all
of
these.
A
For
individuals.
We
have
opportunities
to
participate
in
technical
working
groups.
So
these
are
our
six
technical
working
groups
and
you'll
hear
from
all
of
those
working
groups
later
in
our
presentation,
and
then
we
also
have
a
couple
of
governing
oriented
groups.
So
there's
the
technical
advisory
council
that
helps
with
communication
and
coordination
across
the
individual
working
groups
and
then
also
a
governing
board
planning
committee
and
we'll
talk
about
those
later
as
well.
A
A
Initiatives
in
our
first
three
months,
we
have
we've
been
making
great
progress
and
we
reported
some
some
accomplishments
in
our
press
release.
One
of
those
is,
we
established
an
edx
course
on
secure
software
development
fundamentals.
We'll
talk
more
about
that,
we
consolidated
the
core
infrastructure
initiative
projects
into
openssf.
A
A
So
let's
talk
about
the
secure
software
development
fundamentals
course
this
is
an
edx
course.
Edx
is
a
it's
a.
I
think
I
should
call
it
a
mooc,
so
massive
online,
I'm
forgetting
exactly
what
that
stands
for
anyway.
The
key
point
is
that
this
is
the
place:
that's
free
for
anyone
to
go
to
register
for
a
course
go
and
take
it
for
free
edx,
I
believe,
was
founded
by
harvard
and
mit,
and
there
are
a
bunch
of
great
there's
a
bunch
of
great
technical
content.
A
That's
available
there,
the
again
the
courses
are
free.
There
is
a
fee
to
take
a
test
to
obtain
a
formal
certificate,
and
so
but
and
that's
an
optional
thing
for
people
you
can
sign
up
on
the
edx
site
and
there's
a
link
to
that
site
here
and
please
feel
free
to
share
the
blog
post
that
provides
more
information
with
your
network.
It's
again,
it's
open
to
everyone,
not
not
just
open
ssf
participants.
A
B
Almost
all
software
is
under
attack
and
many
organizations
are
unprepared.
That's
why
the
open
source
security
foundation,
a
project
of
the
linux
foundation,
has
developed
the
secure
software
development
fundamentals
professional
certificate.
This
program
is
geared
towards
software
developers
interested
in
learning
how
to
develop,
secure
software,
focusing
on
practical
steps
that
can
be
taken
even
with
limited
resources.
B
The
best
practices
covered
in
the
program
apply
to
all
software
developers,
and
it
additionally
includes
information
especially
useful
to
those
who
use
or
develop
open
source
software.
The
program
consists
of
three
training
courses
covering
all
aspects
of
the
software
development
lifecycle
and
the
best
practices
for
secure
development
during
each
of
them.
Topics
include
security,
basics,
secure
design,
principles,
supply
chain,
evaluation,
implementation,
security,
verification
fielding
and
more
upon
completion
of
the
program.
A
A
We
have
a
little
about
220
again
as
of
friday,
who
are
signed
up
already.
So
we're
really
excited
about
this.
David
wheeler
put
this
course
together,
and
it's
a
it's
a
great
first
introduction,
a
great
accomplishment
for
lff
for
the
open
source
security
foundation
and
a
great
introduction
to
security
fundamentals.
A
The
first
is
a
survey
of
developers.
This
was
completed
by
a
group
at
harvard
and
in
this
survey,
we're
asking
developers
for
some
of
the
top
open,
ssf
projects
about
some
of
their
their
practices,
and
this
has
been
transitioned
to
the
securing
critical
projects
working
group,
and
you
might
hear
a
bit
more
of
that
in
that
work
when
that
group
reports
out.
The
second
item
is
a
census
project,
and
so
this
was
a
census
of
critical
projects
completed
by
harvard-
and
this
helps
us
understand
how
many
people
are
using,
which
open
source
projects.
A
There
was
a
report
completed
last
february
and
we're
intending
to
do
follow-on
work.
The
last
item
is
the
cii
best
practices
badged
project,
and
what
this
does
is
allow
free
and
open
source
software
developers
or
maintainers
to
show
that
they
are
following
best
practices,
so
they
can
sign.
You
know
they
can
describe
what
they're
doing.
Are
they
requiring
two-factor
authentication?
A
We've
increased
our
member
organizations.
We
now
have
35
member
organizations
and
they
come
cover
a
number
of
large
organi.
You
know,
organizations
from
you
know
large
to
small,
and
we
have
also
a
number
of
security
oriented
organizations,
a
couple
of
well
three
of
the
the
big
linux
distro
providers-
and
these
are
on
in
our
general
members,
and
then
we
also
have
associate
members-
and
that
includes
a
number
of
non-profit
organizations
and
also
universities.
A
A
We
encourage
all
interested
stakeholders
to
participate
in
the
foundation
and
we
make
that
work
publicly
available.
So
we
believe
in
openness
and
transparency,
we
have
a
maintainers
first
approach
to
what
we
do.
So
what
we
want
to
do
is
make
maintainers
successful,
and
so
we
show
respect
for
them
and
work
towards
creating
resources
and
tooling
that
scale
to
the
ecosystem
as
a
whole.
A
We
agility,
so
we
we
follow
a
an
approach
where
we,
where
we
we
try
to
work
fast,
learn.
You
know,
create
projects,
work,
fast,
learn
from
our
mistakes
and
and
move
forward,
and
then
the
last
three
we
give
credit
where
credit
is
due.
We
don't
bias
toward
any
ecosystem
vendor
or
platform,
and
we
treat
each
other
with
empathy,
so
we're
committed
to
creating
a
culture
of
listening
and
caring
for
multiple
opinions.
A
A
E
D
A
So
here's
a
list
of
our
governing
board
members.
We
initially
had
eight
governing
board
members
and
we've
added
five.
Recently,
our
five
new
members
are
jeff
altman
from
our
store
and
let
me
get
anand
pashupathi
from
intel
and
and
lek
sandecki
from
canonical.
We
also
added
a
representative
from
the
technical
advisory
council.
That's
stan
lawrence
to
our
group.
Actually
I
think
we
miss
him
in
this
slide.
Sorry
dan
and
then
I'm
very
excited
to
announce
our
latest
representative,
who
was
just
elected
on
friday.
A
Last
friday-
and
this
is
ian
coldwater
and
ian-
will
serve
as
our
security
community
individual
representative,
so
we
were
looking
for
someone
who
has
experience,
maintaining
projects
to
come
in
and
make
sure
that
that
point
of
view
is
represented
on
our
governing
board.
So
again,
congratulations
ian
and
welcome
to
the
governing
board
so
activities
of
the
governing
board.
We
have
monthly
meetings
and
the
governing
board
has
monthly
meetings
we
meet
for
one
hour,
the
first
week
of
the
month.
A
In
addition
to
those
monthly
meetings
we
have
one
committee
created
currently,
which
is
our
planning
community
committee
and
I'll
talk
more
about
that
in
a
minute,
and
then
we
we
do
anticipate
future
commitment
committees.
We
haven't
created
those
yet
but
we're
at
a
point
where,
if
we
have
people
who
are
interested
in
helping
to
to
lead
those
and
organize
them,
we
can
get
more
started.
A
Some
that
we've
discussed
are
a
committee
for
identifying
conferences
that
that
we
should
participate
in,
and
you
know
either
helping
to
create
full
day
work
streams
or
just
giving
overviews
of
open
ssf.
We
are
anticipating
a
communications
and
marketing
committee
and
then
another
one
that
we'll
be
looking
at
finances,
budgeting
and
dues.
A
A
A
A
The
other
thing
that
we're
doing
in
the
planning
committee
currently
later
this
could
move
to
a
separate
committee,
but
we're
looking
at
website
updates.
So
we
updated
the
get
involved.
Experience
on
the
website
we're
also
coordinating
community-wide
blog
post
twitter
posts
and
organization
announcements.
A
So
if
you
want
to
get
something
into
the
press
release
or
make
sure
it's
highlighted
in
an
upcoming
town
hall
meeting,
if
you
want
to
create
a
blog
post
for
something
that's
going
on
in
a
working
group
or
otherwise
have
that
posted
to
twitter
through
our
account
or
have
an
announcement
made
to
the
openssf
community
or
if
you
have
changes
that
you'd
like
to
see
to
the
website
and
another.
Another
thing
that
you
can
communicate
to
us
is:
if
there
is
something
you'd
like
to
see
the
community
accomplish
in
an
upcoming
planning
milestone.
A
So
if
you've
got
ideas
for
any
of
those
feel
free
to
send
email
to
the
planning
committee
and
I've
got
a
link
to
the
planning
committee
alias
there,
you
can
also
get
involved
in
the
planning
committee.
So
if
you're,
someone
who
enjoys
planning
or
product
or
product
or
project
management,
everyone's
welcome,
we
meet
weekly
on
mondays
at
10
am,
and
I've
got
some
links
here
to
the
meeting
agenda
and
notes
and
the
the
email
list,
and
also
the
github
page.
A
So
she
helps
us,
you
know
schedule.
A
bunch
of
our
meetings
keeps
us
on
track
for
the
governing
board
and
she
does
a
lot
of
the
work
on
the
website
for
us,
and
you
know,
helps
with
sending
out
twitter
announcements
and
those
kinds
of
things.
So
so
a
couple
of
great
resources,
and
we
thank
them
very
much.
A
D
A
A
F
F
So
the
mission
of
the
tag
is
we're
responsible
for
the
oversight
of
the
various
technical
initiatives
of
the
open
ssf.
So
that
includes
the
working
groups,
the
various
projects,
sort
of
all
the
technical
side,
so
we're
going
to
prove
and
facilitate
collaboration
of
those
working
groups.
So,
right
now
we
have
six
different
working
groups.
Those
can
change.
As
time
happens,
you
know
comes
and
goes
we'll
get
new
strategies
and
new
groups
to
focus
on
those
things,
and
some
will
eventually
sunset.
F
As
you
know
in
future,
and
so
we
kind
of
ensure
that
all
those
things
are
coordinated
and
making
sure
that
they're
collaborating
efficiently
and
that
work
is
happening
in
an
optimal
way.
In
addition,
we
assist
with
identifying
funding
requirements.
So
if
a
working
group
has
a
need
for
funding
say
for
infrastructure,
or
perhaps
they
need
to
hire
developer
resources
or
an
outside
vendor,
or
something
like
that,
we
can
help
them
identify
those
needs
and
then
coordinate
with
the
governing
board
to
ensure
that
those
resources
resourcing
needs
to
get
met
next
slide.
F
So
so
far,
what
we've
done?
We've
developed
a
list
of
potential
future
actions
that
we're
not
currently
working
on.
So
like
I
mentioned,
we
have
six
existing
working
groups,
but
we
have
a
massive
laundry
list
of
potential
things
we
could
work
on.
You
know,
as
everybody
knows,
you
know
the
the
world
is
wide
open
as
far
as
security
and
particularly
open
source.
So
there's
a
lot
of
areas
to
go
tackle,
so
we're
sort
of
building
up
a
backlog
of
that
and
then
what
we're
gonna
do
with
that
is
leverage.
F
So
what
we've
been
doing
now
and
the
future
work
that
we
could
do
to
develop
the
the
vision
for
the
tactic
and
sort
of
what
our
technical
strategy
will
be
for
for
the
upcoming
year
and
then
using
that
we're
gonna
formalize
the
the
life
cycle
of
technical
initiatives.
What
does
it
mean
to
be
an
official?
You
know
working
group,
and
you
know
what
are
the
different
stages
once
they
get
sunset
and
that
sort
of
thing
and
then
how
can
you
get
involved?
F
So
we're
kind
of
a
small
group
right
now
as
far
as
the
official
tac
members,
but
we
actually
have
quite
a
few
people
that
participate
in
these
groups,
so
we
meet
bi-weekly,
so
every
other
tuesday
at
8
a.m.
Pacific
time,
so
our
next
meeting
coming
up
is
going
to
be
on
the
17th,
the
calendar
invite
is
listed
here.
F
You
know
the
tac
is
the
right
place
to
bring
that
up
and
additionally
for
communications
we
have
the
official
tech
mailing
list.
We
have
the
slack
channels
and
then
also
we're
active
on
github.
So
if
you
have
ideas
for
something
you
want
to
talk
about
in
the
future
tag
meeting,
you
can
open
up
a
github
issue
or
you
can
even
add
it
directly
into
the
media
notes.
We
have
a
section
right
up
at
the
top
for
future
agenda
items.
F
G
G
Okay,
so
our
mission
is
to
enable
stakeholders
to
have
informed
confidence
in
the
security
of
open
source
projects
that
took
a
while
to
come
up
with
a
short
such
a
short
mission.
Basically,
we
want
to
ensure
that
the
people
that
use
open
source
that
create
open
source
that
base
their
businesses
off
of
open
source
understand
what
the
risk
is
and
that
they're
that
they're,
assuming
based
off
of
lots
of
different
things
and
part
of
that,
involves
understanding
what
the
both
general
ecosystem
threats
are,
but
also
specific
to
individual
projects.
G
So
next
slide,
so
we
have
two
well,
we
have
one
kind
of
accomplishment
and
the
other
one
is
kind
of
the
work
in
progress,
so
the
top
one
is
is
the
accomplishment
we
wrote
a
paper.
The
paper
describes
ecosystem
level
threats,
so
it
was
intended
to
be
a
everything
that
thanks
john
it
tended
to
be.
You
know
everything
that
could
go
wrong
with
the
open
source
ecosystem
from
the
perspective
of
the
kind
of
development
life
cycle.
So
developer
comes
up
with
an
idea.
G
Maybe
the
idea
was
like
just
a
really
insecure
idea
like
that:
the
design
is
bad
or
they're
coding
it
and
they're
making
mistakes
or
they
upload
it
to
a
website
and
the
website
gets
popped
and
the
the
code
is
is
tampered
with
or
someone
consumes
the
code
and
when
they're
consuming
it
it
gets
modified
in
transit
or
something.
So
we
tried
to
look
at
this
broadly
and
say
you
know:
here's
everything
that
can
possibly
go
wrong.
What
do
we?
Where
do?
G
We
really
think
the
risk
is
so
at
the
end
of
the
the
paper?
This
is
kind
of
a
consolidated
list
of
like
you
know,
kind
of
more
or
less
recommendations,
or
you
know
things
that
I
that
that
we
believe
the
community
should
pay
attention
to
or
pay
more
attention
to.
Some
of
these
are
you
know,
short-term
things.
Some
of
these
are
long-term
things.
Some
are
tractable,
some
are
not,
but
we
one
of
the
intents
of
writing.
G
It
would
be
a
little
bit
more
formal
than
you
know,
picking
ideas
that
everybody
has
at
the
top
of
their
head
and
putting
a
little
bit
of
a
little
bit
of
science
behind
it.
That
paper
is
available
through
that
download
link,
luigi
cabello
also
converted
to
markdown,
which
is
awesome.
So
if
you
have
updates,
if
you
disagree
strongly,
you
know
open
up
an
issue.
You
know
send
a
pull
request.
This
is
not
intended
to
be
a
document
that
you
know
is
is
written
in
stone.
G
We
also
could
have
been
wrong
in
certain
things,
so
we
are
interested
in
moving
that
to
you
know
kind
of
a
next
release
at
some
point
pretty
soon.
So,
if
you
have
things
that
you'd
like
to
contribute,
please
do
so
so
that's
the
ecosystem
level,
part
and
and
then
down
to
the
to
the
individual
projects.
What
we
really
want
to
do
is
is
collect
curate,
you
know,
communicate
aggregate
security,
metrics
for
open
source
projects.
So
this
this
means,
like
you,
know,
zlib,
has
these
attributes.
G
So
we've
been
working
at
this
for
a
while,
we
have
a
proof
of
concept
kind
of
ui.
We
have
thing:
we've
put
a
lot
of
thought
into
metrics
definitions
and
formal
requirements.
That
said,
there
are
other
things
that
are
going
on.
So
if,
if
you're
listening
to
this
and
you're
saying
gee,
that
kind
of
sounds
a
lot
like
you
know
what
the
badge
program
does.
Well,
there
is
an
overlap.
G
There
there's
a
natural
overlap
as
you'll
hear
later,
there's
another
project
that
that
there's
definitely
overlap,
and
I,
my
personal
belief,
is
that
all
of
these
should
rationalize
like
where
they,
where
they
fit
and
where
they
feed
and
working
groups
themselves,
are
fluid.
So
we
will,
we
will
do
the
right
thing,
so
yeah
there's
a
source
repository
if
you'd
like
to
play
with
this.
G
G
This
is
just
a
mock
ui
of
what
this
could
look
like,
but
really
what
this
is
showing
is
you
know
the
the
individual
projects
and
what
their
kind
of
quote
score
is,
and
you
know
score
can
be
a
objective
thing.
It
can
be
a
subjective
thing
like
an
ssl
labs
score,
as
I
think,
as
long
as
we're
clear
and
transparent
in
how
we
calculate
things
we
can,
we
can
provide
something
that
people
can
trust
and
next
slide.
G
I
think
that
was
it:
oh
yeah
you,
if
you
want
to
get
get
involved
more.
We
have
meeting
minutes
there,
so
you
can
kind
of
see
what
we've
been
up
to
shoot
me,
an
email
and
I'll.
Send
you
the
invite.
I
need
to
get
the
invite
to
be
kind
of
public
where
I
can
just
post
it
on
the
in
the
calendar.
I
think
I
can
now,
but
regardless
right
now,
just
email
me
you'll,
get
the
invite
we're
meeting
this
wednesday
at
8
a.m.
Pacific
time.
G
C
For
me,
I
think
one
of
the
best
things
for
this
working
group
is
that
it's
brought
together
specialists
in
a
wide
range
of
areas,
so
we've
got
people
in
about
dynamic
testing,
static
testing
software
composition,
analysis,
fuzzing,
delivery,
vulnerable
applications
and
it's
a
chance
to
learn
about
the
challenges
we'll
face,
how
we're
addressing
them
and
where
the
overlaps
are
and
basically
learn
from
each
other
next
slide.
Please
so,
there's
more
work
going
on
this
there's
work
going
on
and
fuzzing
trying
to
identify
the
most
critical
open
source
projects
to
fuzz.
C
C
So
the
baseline
scan
is
just
a
by
default,
is
a
one
minute,
spider
and
then
passive
detection.
So
it's
quite
quick
and
therefore
quite
good
to
run
in
ci
cd,
but
can
still
find
a
whole
load
of
potential
vulnerabilities,
especially
particularly
missing
security
controls
and
then
there's
a
zapful
scan,
which
is
a
a
an
active
scan.
So
it's
really
attacking
your
application.
That
can
take
some
time.
If
you
want
to
know
any
more
about
that,
then
please
talk
to
me
about
it.
C
So
that's
metadata
and
branches
with
both
the
all
the
code
before
that
when
the
vulnerability
was
present
and
immediately
after
it's
been
fixed
and
the
idea
with
this
is
it
allows
anyone
to
benchmark
their
static
analysis
tools
against
real
vulnerabilities.
So
can
your
tool
find
the
original
vulnerability
and
then
can
it
detect?
It's
actually
been
fixed.
C
C
C
So
we
don't
have
a
library
as
such
we
have
code,
so
we
have
a
set
of
scan
rules
and
we
have
passive
scan
rules,
active
scan
rules,
web
socket
scan
rules
and
we
have
different
levels
of
so.
We
have
release
quality,
beta
quality
and
alpha
quality,
and
these
are
all
defined
in
packages
add-ons
which
are
on
the
zap
marketplace.
C
So
we
will
change
these
as
frequently
as
necessary,
and
the
one
thing
I
think
is
worth
remembering
is
that
zap
is
a
tool
for
finding
vulnerabilities
in
custom
applications.
So
it's
not
like
we're
looking
for
known
vulnerabilities,
we
go
okay,
there's
one
particu.
We
know
that
you're
running
wordpress,
this
particular
version.
D
C
So
we've
had
one
of
the
was
a
couple
of
the
guys
from
owasp
who
are
involved
in
some
of
us
projects
around
that.
So
that's
really
where
that
focus
has
been.
I
mean
we're
not
at
the
moment
evaluating
new
tools.
I
don't
think
anyone's
looking
at
that.
I
think
it's
very
much
bringing
together
people
working
on
existing
tools.
I'm
certainly
not
aware
of
a
load
of
resources
we
have
to
across
open
ssf
or
in
the
tools
working
group
for
doing
a
big
analysis
of
new
tools
or
actually
creating
new
tools.
C
D
C
Yeah
I
mean
for
the
working
group
we're
definitely
covering
both
sast
and
dust
for
zap
itself.
We
have
no
intention
of
going
to
the
sast
world
they're
very
different
and
very
yeah.
Our
expertise
is
definitely
in
dust,
but
for
the
working
group
we're
covering
all
security
tools
and
all
techniques.
Yes,
okay,.
H
H
So
you
might
ask
yourself
self:
what's
this
developer
best
practices
working
group
about?
Well,
our
objective
is
to
try
to
provide
open
source
developers
with
best
practices,
recommendations,
the
good
practices
in
writing
code
testing
code
checking
code,
and
we
want
to
supply
easy
ways
to
learn
about
that
and
to
apply
that
learning.
Oh,
my
poor
little
goose,
ideally
we're
looking
to
make
this
available
for
all
open
source
developers.
H
Everything
we're
doing
is
currently
community
sourced
and
we
want
these
practices
to
remain
sticky
so
that
we
just
don't
apply
security
once
and
then
move
on
and
forget
about
it.
We
want
these
things
to
be
ingrained
into
the
developers,
activities
their
ways
of
thinking
and
kind
of
our
vision
on
how
we're
going
to
execute
on
this
is
first
off.
H
Secondly,
we're
looking
at
creating
this
community.
It's
can
be
very
complex
and
challenging
to
keep
up
with
everything
that's
going
on,
so
our
idea
is
to
try
to
attract
open
source
contributors
and
help
them.
You
know
kind
of
remain
engaged
and
continually
contribute
to
our
the
inventory
of
practices
so
that
the
whole
community
can
benefit
and
finally,
we're
looking
at
implementing
a
learning
platform,
and
this
is
a
way
we
mentioned
the
earlier
training
courses,
so
we're
looking
to
try
to
find
a
way
to
help
educate
people.
First
and
foremost,
you
know
the
courseware.
H
We
are
looking
at
implementing
tools
and
methodologies
to
get
things
either
out
to
developers
through
containers
or
the
web,
or
even
integrated
into
their
ides
potentially,
and
we're
looking
to
provide
a
suite
of
exercises
to
help
teach
some
of
these
practices
that
are
built
into
the
inventory
next
slide,
please
just
a
quick
snapshot.
This
is
currently
our
most
active
contributors.
I
So
me
and
my
friend,
the
ghost
we
will
tell
you
where
we
are
in
this
working
group,
so
my
name
is
xavier.
So
first
we
have
released
the
courses
that
kay
already
talked
about,
so
I
won't
spend
a
lot
of
time
on
it.
Just
what
I
want
to
tell
you
is
that
it's
not
a
theoretical
course.
It's
very
practical
and
also
all
the
practices
that
are
in
there
any
developer
can
apply
them
right
now
without
requiring
unlimited
resources
right.
I
We
contributed
to
the
new
major
release
of
the
owasp
skf
learning
platform,
so
skf,
the
secure
knowledge
framework
developed
by
glenn
and
ricardo
10k
is
a
vital
asset
to
the
coding
toolkit
of
your
development
team.
In
skf,
you
can
learn
from
an
open
source
security
knowledge
base.
You
will
have
code
examples
in
multiple
programming
languages.
I
I
Also,
we
think
that
it
will
make
it
much
easier
to
welcome
contributions
from
the
community
with
this
public
platform.
Second,
we
want
to
contribute
to
the
owasp
integration
standards
projects
with
the
goal
of
providing
an
open
source
mapping
of
security
requirements,
testing
strategies,
best
practices,
threats
and
weaknesses.
I
This
would
be
really
part
of
the
inventory
project
that
crave
mentioned
in
introduction.
Last
but
not
least,
we'll
contribute
to
the
securities
score
scouts
project.
The
goal
of
scorecards
is
to
auto
generate
a
score
for
the
security
posture
of
an
open
source
project,
so
you
will
use
these
on
your
project.
As
you
decide
the
target
posture
that
you
want
for
your
use
case.
You
can
also
use
this
data
to
augment
your
decision
making.
I
H
If
you
are
a
project
or
package,
maintainer,
hey
look
at
tools
like
the
best
practices
project
and
make
sure
that
you
can
get
your
project
badge.
Do
you
meet
those
that
kind
of
higher
level
of
quality
and
expectations
that
the
badge
project
can
help
you
earn
and
we
meet
every
monday
at
8
a.m?
Pacific.
D
D
Mascot
yeah,
so
there
was
a
link
to
it
in
the
chat
as
well,
but
yeah
it
was
from
ian
coldwater.
It
would
likes
the
untitled
goose
game.
She
made
a
presentation
before
which
I
watched
talking
about
how
hacking
sometimes
reminds
you
of
the
untitled
boost
game.
So
when
we're
looking
at
badges
or
sort
of
logos,
I
sort
of
mentioned
it,
and
chris
from
the
linux
foundation,
wrote
it
down
so
that
the
designer
can
mock
something
up
and
then
we
had
to
vote
on
the
design
in
the
design.
One.
D
H
That
later
is
now
I
have
by
process
of
elimination.
Today
I
have
been
nominated
to
talk
on
behalf
of
vulnerability.
Disclosures
working
group,
I'm
one
of
the
co-leads
for
the
group.
Unfortunately,
our
dear
friend
marcin,
is
not
feeling
well
today,
so
we
hope
he
feels
better,
but
if
we
get
next
slide,
please
matthew-
and
I
are
here
to
represent
the
group,
so
this
particular
group
is.
We
are
interested
in
to
help
the
overall
security
of
open
source
software
ecosystem
by
helping
develop
and
advocate
well-managed
vulnerability,
reporting
and
communications.
H
This
is
again
another
snapshot
of
the
working
group
members.
We
like
every
group
are
very
interested
in
participation,
so
if
you
feel,
if
you
have
a
particular
hankering
or
interest
or
desire
to
help
participate
in
this
community,
please
welcome
and
welcome,
join,
come
on
in
and
you
get
to
work
with
all
these
great
people
next
slide.
Please.
H
We're
collecting
these
through
a
series
of
user
stories,
they're
going
to
help
frame
our
future
work
and
we've
already
gone
through
and
reviewed.
The
disclosure
practices
that
employed
by
several
of
our
members
we've
looked
at
how
vulnerability
disclosure
and
coordination
is
handled
by
the
node.js
ecosystem,
the
ruby
community,
our
friends
over
at
arch
linux,
and
what
we
do
here
at
red
hat
next
slide,
please
so
what's
next
is
we're
going
to
start
sharing
those
standards
of
coordination
for
both
cve
and
advisory
data
in
consumable
formats?
H
So
right
now
we're
kind
of
doing
an
assessment
of
what
standards
and
techniques
are
used
today
and
we're
starting
to
debate.
You
know
what
the
best
path
forward
is
to
make
a
good
recommendation
for
the
ecosystem
and
actually
coming
up
at
our
next
meeting,
we're
talking
with
the
folks
from
cert
cc.
They
have
a
project
called
vince
that
speaks
to
vulnerability,
coordination
and
disclosure
and
they're
looking
at
open
sourcing
that
project,
so
we're
looking
at
the
potential
to
possibly
collaborate
or
leverage
that
project
as
we
move
forward
and
share
our
data
next
slide.
Please.
H
And
again,
everyone
is
welcome
to
come
and
open
up.
A
discussion
continue
on
discussion
as
it
relates
to
our
mission
and
charter.
If
you
have
pain
points
and
whether
it's
reporting
sharing
or
coordinating
vulnerabilities
in
open
source,
we
would
love
to
talk
to
you
we'd
like
to
hear
your
perspectives
and
hear
your
feedback
on
how
we
can
make
it
better.
Do
you
have
suggestions
on
how
we
can
more
securely
coordinate
these
reports
to
the
subject
matter?
Experts
that
help
fix
the
salute
help
will
fix
the
problem.
H
Great,
let
us
know
and
again
we're
looking
to
capture
all
those
perspectives
and
try
to
find
some
collaborative
solution
that
benefits
the
whole
community.
Again,
we
meet
at
8
a.m.
Pacific
currently-
and
ideally,
it's
the
alternate
mondays
from
the
developer
best
practice
group.
I
hope-
and
we
welcome
you
and
hope
that
you
can
come
join
us
and
I
would
open
the
floor
for
questions.
H
D
H
It's
a
very
interesting
idea:
it's
something
that
the
working
group
currently
hasn't
explored,
but
you
know
kind
of
listening
to
the
presentations
before
me
myself
and
thinking
about
who's
coming
forward.
After
me,
I
think,
there's
very
definitely
potentially
a
lot
of
people
that
could
help
contribute
to
that
idea
and
have
helped
bring
it
together
and
see
if
we
can
think
up
some
kind
of
a
reasonable
standard
yeah.
I
think
it's
something
the
foundation
at
large
could
explore,
and
potentially
the
vulnerability
group
might
be
a
good
place
for
that.
D
Okay,
there
were
two
sort
of
admin
related
questions,
so
the
first
one
is:
how
do
we
access
the
deck
used
in
the
presentation,
so
I've
put
them
in
the
chat
and
then
also
slide
that
do
that
was
another
question:
is
that
how
do
we
join
a
working
group
that
interests
us?
So
an
example
of
that
is
how
would
someone
join
the
vulnerability
disclosure
working
from
that
matter?.
H
At
least
in
the
groups,
I'm
affiliated
with
every
single
one
of
us
has
that
public
calendar.
So
if
you're
interested
in
joining,
you
know
contact
us,
let
us
know
whether
it's
in
whether
you
know
get
issue
or
contacting
us
through
slack
or
on
our
mailing
lists
and
we'll
be
glad
to
coordinate
you
and
get
you
included
into
our
awesome.
Little
team.
D
D
E
J
K
Okay,
my
turn,
I
think
I
just
unmuted.
My
name
is
dan
lawrence
and
I've
been
helping,
coordinate
the
digital
identity
at
a
station
working
group
next
slide.
Please
thank
you.
So,
in
addition
to
geese
and
geese
memes,
we
also
like
other
memes
too
and
other
animals
on
the
internet.
Nobody
knows
you're
a
dog.
This
applies
to
open
source
software
as
well.
You
wouldn't
give
a
stranger.
You
met
on
a
sidewalk
access
to
commit
to
your
internal
git
repository,
but
when
you
take
binaries
you
find
on
the
internet
and
run
those
in
production.
K
That's
basically
what
you're
doing
this
is
not
a
new
problem
or
a
new
space,
but
we
are
a
new
working
group.
The
rise
in
open
source
software
over
the
last
couple
years
has
started
to
make
this
problem
way
more
apparent
and
way
scarier.
So
that's
what
we're
here
to
help
out
with
we
want
to
make
it
easier
and
safer
thanks.
Sorry,.
C
K
Want
to
make
it
easier
and
safer
for
users
of
open
source
to
understand
where
the
software
they're
using
is
coming
from.
So
far,
we've
mostly
been
learning
about
this
space.
Do
you
want
to
go
to
the
next
slide
thanks?
So
far,
we've
been
mostly
learning
about
this
space
through
a
whole
bunch
of
awesome
presentations
from
domain
experts.
All
over
the
industry.
K
We've
had
presentations
from
people
running
things
like
the
entodo
project,
which
is
a
framework
to
secure
the
integrity
of
software
supply
chains
and
stuff
like
the
self-sovereign
identity
project
out
of
the
hyperledger
effort,
and
we've
also
been
learning
how
existing
projects
do
try
to
solve
this.
Today
we
had
some
awesome
presentations
from
people
like
constantine
riya
bitsev.
K
So,
if
you're
interested
in
this
space
and
want
to
present
or
are
trying
to
solve
this
problem
in
an
open
source
project
that
you're
a
maintainer
of
reach
out,
we
have
meetings
every
two
weeks.
There's
a
link
here
in
the
github
repo
and
everything
is
open
in
public.
So
you
should
be
able
to
find
the
calendar
invitation
and
join.
D
F
K
L
Cool,
so
hey
everyone
thanks
again
for
attending
our
first
town
hall
today
and
kay,
and
lindsay
for
organizing
all
of
it
and
getting
us
together,
and
so
I
I'm
kim
I
work
at
google
as
a
product
manager
and,
of
course,
focusing
on
securing
open
source
projects.
We
all
depend
on.
So
this
is
the
last
working
group
we'll
be
discussing
today,
and
this
is
a
great
recent
xkcd
image
that
really
sums
up
the
problem.
L
We're
trying
to
tackle
our
modern
infrastructure
is
all
being
held
up
by
some
random
project
by
some
random
person
in
nebraska,
that's
been
maintaining
it
and
then,
as
dan
says,
you
know,
all
of
our
usage
of
open
source
software
keeps
increasing,
and
so
this
this
sort
of
picture
becomes
more
and
more
scary,
and
so
next
next
slide.
So
our
mission
is
pretty
it's
really
quite
simple.
Is
we
want
to
improve
the
security,
the
most
critical
projects
that
people
rely
on,
and
we
want
to
do
this
with
like-minded
people
and
an
organization?
L
So
you
know
there's
no
point
in
all
of
us
duplicating
work
to
make
improvements
to
one
specific
project
and
it's
obviously
better.
If
we
can
combine
efforts
and
tackle
these
problems
collectively,
okay
next
slide,
so
kate
covered
a
bit
of
this
in
the
beginning
about
some
of
the
cii
efforts
that
we've
folded
in.
So
we
got
presentations
from
the
folks
at
harvard
on
those
and
we're
really
looking
forward
to
working
with
them
going
forward
and
making
improvements,
and
some
changes
on
that
work
that
they're
doing
we've
also
had
some
other
presentations.
L
Folks
from
osif
gave
us
a
presentation
on
how
their
security
audits
process
works.
So
that
was
very
interesting
and
then
one
of
the
docs
that
we
started
working
on
was
what
we're
calling
a
menu
of
services.
So
not
every
open
source
project
needs
the
same
sort
of
thing
when
it
comes
to
the
securities.
L
So
this
was
supposed
to
be
a
just
a
dumping
ground
of
all
sorts
of
ideas
that
we
could
come
up
with
for
helping
projects
out
and
then
and
then
again
I
mentioned
the
harvard
work
next
slide,
please
so
what's
coming
up
next,
so
we're
looking
at
ways
to
raise
money
or
for
organizations
to
put
funds
towards
specific
efforts
and,
like
I
said,
that's
not
all
about
just
money,
so
you
know
other
ways
that
we
can
help
projects
if
it's
through
like
consulting
or
what?
What
have
you.
L
So
those
are
ideas
being
collected
in
that
doc
and
then
another
big
problem,
which
is
why
we
folded
in
some
of
the
harvard
work,
is
coming
up
with
that
list
of
critical
projects.
So
in
doing
that
in
a
collective
fashion,
we
want
to
identify,
you
know
the
top
say
hundred
a
thousand
and
then
go
proactively
figure
out
how
to
help
and
improve
them
next
slide
and
then
similar
to
the
other
working
groups.
We
meet
every
two
weeks.
L
You
can
see
all
of
the
links
to
the
calendar
and
slack
and
things
from
the
github
repo,
and
then
I
think
you
know
one
of
our
hardest
problems
is
really
figuring
out
how
to
to
make
real
impact.
So
even
if
we
have
money
sort
of
connecting
that
to
get
to
get
projects,
you
know
our
contractors
fixing
things
is
not
as
easy
as
as
we
would
like.
So
if
you
are
interested
in
any
of
these
would
love
new
ideas
would
love
creative
thinking
and
ways
we
can
help
tackle
this
together.
D
K
A
A
A
A
A
A
A
We'll
take
you
to
a
page
where
you
can
sign
up
for
our
mailing
list
and
we
have
eight
or
nine
or
so
of
those.
Currently,
you
can
have
a
look
at
our
calendar,
so
we
have
a
google
calendar
that
has
all
of
the
ongoing
meetings
on
it.
So
you
can
see
when
those
meetings
occur.
If
there's
a
group
you're
interested
in
and
you're,
not
quite
sure
you
want
to
commit
to
it.
Yet
you
can
just
attend
to
one
of
the
meetings.
They're
open
and
learn
more
about.
A
A
So
you
can
follow
that
to
see
news,
so
some
of
those
are
some
other
ways
that
you
can
get
involved
and
everyone's
welcome
and
then
just
as
a
final
note,
if
you
can
take
a
couple
of
minutes
to
complete
the
town
hall
survey
and
here's
a
link
to
that
survey,
there
are
six
questions
on
it.
Two
of
them
are
just
you
know.
A
The
basic
you
know
was
this:
you
know
what
was
the
what
was
the
quality
of
the
town
hall
and
do
you
have
any
suggestions
for
how
to
make
it
better
for
the
future
anything
else
you'd
like
to
see
in
it.
You
know
any
ways
to
organize
it
differently
or
better.
Why
we're
we're
open
to
all
that?
So
we
want
this
to
be
an
opportunity,
that's
informative
and,
and
you
know
fun,
for
people
to
learn
about
the
open
ssf.
A
We
will
be
sharing
the
deck
and
recording
for
it.
I'm
not
sure
exactly
how
we
will
share
that,
yet
it
might
be
on
the
website
or
we
might
send
it
as
a,
I
think,
probably
we'll
send
it
at
least
to
everyone
who
is
registered
for
the
event
so
you'll
see
it
there
and
feel
free
to
forward
the
recording
or
the
slide
deck
to
others.