From YouTube: OpenSSF APAC Wipro webinar (March 24, 2022)
A: Welcome to this special Open Source Security Foundation Asia-Pacific webinar, "How OpenSSF is combating key software supply chain security challenges." I'm Julian Gordon, the Asia Pacific VP with OpenSSF. I'm normally based in Hong Kong, but today I'm in Australia, and I am delighted to be moderating this event. We're in for a real treat today. The global community at OpenSSF, which is the Linux Foundation's Open Source Security Foundation, is doing amazing, timely and important work to enhance the security of software supply chains.

Companies and governments everywhere are urgently rising to this challenge. So today you'll hear, amongst other things, how you can and should get involved in this vital initiative, and it is so great that we have three of the leaders in these developments here with us today to share their expertise and insights.

But before I introduce you to our distinguished speakers, I'd like to quickly run through a few housekeeping items. In a second Brian will give us an overview of the amazing work done at the foundation, followed by Vicky, who will talk about the great work being done at Wipro. Then we're going to go into a panel discussion.

If we have time we will do Q&A, so please do submit your questions via the Q&A button; you'll see it at the bottom of your screen. So please do put questions in and we hope to answer those in the Q&A period, and we will answer a number of them as we go along. After the webinar we will send you all the recordings, so no need to take notes.
B: Thank you. Rookie mistake. As Julian mentioned, I'm general manager for the Open Source Security Foundation. I've been with the Linux Foundation for six years, but only in this role since October, and so I'm really excited to share with you what we're doing at the OpenSSF and then be a part of the conversation.
C: So I'm David A. Wheeler. I work at the Linux Foundation. I've only joined the Linux Foundation in 2020, but I've been working on how to improve the security of software, or of open source software, for literally decades. So I've been studying this for a while and I'm hoping to be able to share some helpful information tonight.
D: Hi there. Yeah, Vicky's good, we're all friends here, bro, so hi, Viandra. You can call me Vicky. I'm at Wipro, a fabulous India-based company, although unfortunately I myself am not Indian. I've been in and around free and open source software for about 30 years now, probably about the same time, almost as much as you have, Brian. Lots of really great experience on this webinar that I'm looking forward to sharing with the audience.
B: Thank you. Well, I really appreciate the opportunity to speak with all of you and share what we're doing at the OpenSSF. As I mentioned, I've been with the Linux Foundation for six years, and in that time worked with Julian on Hyperledger before moving to OpenSSF, and we really focused quite a bit on making sure that Hyperledger was a global community.

The blockchain thing has been a very global thing, and in fact we've seen a lot of use of distributed ledger technology, and Hyperledger specifically, in the Asia Pacific region, in India, and really everywhere around the world. But it takes focus and it takes investment, and so we at OpenSSF are really determined to work with all of the brightest engineers and really all the companies in this region to help move the project forward. So I thought I would tell you more about why the OpenSSF exists.

What kinds of problems are we trying to address? I want to tell you a bit about our theory of what we're doing. We're not just writing software, like most Linux Foundation projects; we're doing quite a few things. And then talk about the substance of the different projects, the different working groups, and really help you all see what's going on. But to give some context: I don't know if any of you realize this, you probably do, but the number of pieces of open source software out there, the number of components, has simply exploded. Back when I was getting started with open source software in 1991, long before it was even called open source, there were maybe a couple of dozen things you could download to set up a mail server or a DNS server, and things like libc and GCC and some underlying tooling was there, and then web server packages like Apache and that sort of thing. But then things exploded, and things haven't stopped exploding.

There are now, by some estimates, 40 million different open source software components available out there, and lots of them duplicate each other. Lots of them are very tiny. Some of them are very large and major, right, and on average they do quite a few releases a year. In fact, the estimate is that by 2026 there'll be 420 million yearly releases of open source software, far too much for even a modest stack to stay on top of. I recently learned Kubernetes has thousands of underlying dependencies that it pulls in to build, just for that one piece of software. Now it's a pretty large piece of software, but staying on top of all those dependencies is becoming really a challenge, and what we've also learned from folks who are distributors of open source code is that the number of downloads is simply exploding, and trying to stay on top of all this is just really tough.
We also know that whatever problems we have in the open source space are not limited to just those of us who work at the Linux Foundation or think of ourselves as open source developers or open source users, but it really is an all-of-software problem. It's something that affects the proprietary packaged software you might see out there, the software that sits in a phone or that sits in a car. For those of you who might not be aware, there are Linux Foundation projects in the automotive space, in the banking space, in the electrical grid space, so open source software is getting everywhere. In fact, some estimates are that ninety percent of a modern application's code base is open source software, pre-existing open source software, and only 10% is the custom code.

Now it's a very important 10%, obviously, but we really have this security problem that affects the entirety of the software industry, to whatever degree there's a security issue at the heart of popular open source packages. And in fact, as we've gotten better at discovering vulnerabilities in open source code and reporting them and organizing ourselves, we haven't always gotten really great at fixing them.

In fact, another study showed that 29% of popular open source projects shipped with known vulnerabilities, either in that code itself or in the underlying dependencies. Even in the long tail of projects, six and a half percent of those also contained known vulnerabilities. So this is really a problematic thing, and this isn't just a risk in theory.

There's an emerging set of new attacks on our cyber infrastructure that come not just from the ordinary kinds of buffer overflows or hacked credentials or that kind of thing, but come from some of the unique ways that we in the open source community have been building software, and building really a supply chain of software: attacks that come from things like compromising the CI/CD infrastructure, or bypassing code review for those projects that have code review (a lot of projects don't have code review processes), or typosquatting.

So these are issues that have really only come up in the last few years, and I think we're addressing them now because open source software came about at a time when there was a lot of trust between developers and the people using the code. It was a smaller community. You typically could get to know the developers behind Perl or the Linux kernel or Apache as individuals and trust them that way, but that doesn't scale anymore. We need something better to address this.

And this is really again a picture, if you will, of where those different attack points might be in what you think of as the software supply chain, and I want to highlight here that one of the biggest risks is just the fact that any modern component has all these dependencies that it consumes, and keeping those dependencies up to date, and avoiding the case when an updated dependency does something crazy underneath your feet, which we can give examples of later.

This is the problem that we're trying to address: how systematically do we think about how open source software is built and improve the security of that? So the OpenSSF is really a cross-industry collaboration hosted at the Linux Foundation, very much like the hundreds of other projects that we host.
It brings together all sorts of companies to think about and pull together an expert community around: where are these weaknesses in how we build code? It might be in education, it might be in understanding, you know, where is the next Log4j likely to happen? It might be in the tooling that organizations use. But let's think about this and then start to go and systematically address them, and in fact it has been doing this for about two years now.

The OpenSSF first really got started in March of 2020, and it was October of last year that we really pulled together a set of funders to go out and tackle some of these, to properly resource the fight against many of these kinds of things. So to talk a little bit about how we operate, we've organized ourselves into a couple of different working groups, and those different working groups speak to these different approaches.

First off, simply understanding what are the most critical projects out there in open source, and there we have funded research work to identify those, not just based on things like stars on the GitHub repo, which is an easily gameable metric, but based on an understanding of what software it depends upon, what depends upon what. So we've been working with the SCA tool vendors, the software composition analysis tool vendors, as well as funding work at Harvard. We just released something called the Census II report to identify those, and then once we know what those are, maybe starting to ask: well, what are ways that we can help those projects, in particular by adopting some better tooling, some better practices, that kind of thing? But first just understanding who they are and securing those critical projects is important.

The second is trying to identify common tooling that would help those, and by tooling we mean not just code scanning tools, but also tools like the Security Scorecard project, which we can talk a bit more about, which is a systematic tool for looking at a repo on GitHub (and it could be extended to others) to ask things like: are you pinning your dependencies? Are you doing fuzz testing? Are you doing some of the other basic good practices in software engineering that tend to lead to more secure software?

Another big part of what we do is educate. David Wheeler, who you'll hear from soon, along with some help from some of the others in the community, developed some free courses that we have put up on edX to basically help teach, in the course of a 40 or 50 hour kind of chunk, how to be a software developer who writes more secure code: how to think like a hacker to some degree, how to think about where the weaknesses are, what the assumptions I'm making are that might be invalid assumptions, or help me understand when I'm delivering a set of things that are actually kind of dangerous and could be misused, or might be hard for me to properly secure.

So education is a big part of this, and it's in that courseware. There are also some guides that we've put out around coordinated vulnerability disclosure, and so what happens when somebody shows up to your open source project and says, "I found a really bad bug and it should be fixed"? What process should you go through to get that fixed in the most graceful kind of way for your user community? Getting in and actually fixing bugs is also really important to us.

So we know that in the course of what we do, we're going to find projects that are under-resourced, that haven't had even a third-party audit or code review, that know of some CVEs within their own code, or simply some dependencies that they need to update. So part of what we feel is important is going in and actually helping fix those bugs, and helping the community of those who do handling of vulnerabilities and the like to be more systematic and informed about how they work.
So
we
we,
we
know
that
there
are
in
the
pro
course
of
what
we
do,
we're
going
to
find
projects
that
are
under-resourced,
that
I
haven't
had
even
a
third-party
audit
or
code
review
that
know
of
some
cvs
within
their
own
code
or
simply
some
dependencies
that
they
need
to
update
so
part
of
what
we
feel
is
important
is
going
in
and
actually
helping
fix
those
bugs
and
help
the
community
of
those
who
do
handling
of
vulnerabilities
and
and
the
like
to
be
more
systematic
and
informed
about
how
they
work.
B
The
final
thing
I'll
draw
out
is,
we
think
it's
important
to
talk
about
standards
and
and
tools
that
support
those
standards,
so
you'll
see
mention
of
something
called
salsa
in
a
little
bit.
Salsa
is
a
standard
for
tracking
the
status
of
components
as
they
move
through
the
software
supply
chain
and
how
trustworthy
those
components
are
so
that,
at
the
end
of
the
day,
you
pull
these
pieces
together.
You
can
get
an
aggregate
picture
of
the
overall
risk
in
this
package
that
you're
about
to
deploy.
B
That's
one
kind
of
specification.
We
see
potentially
evolving
to
a
standard
the
way
that
another
linux
foundation
project
called
spdx
evolved
the
s-bomb
standard,
the
first
software
bill
of
materials
into
something
that
became
an
iso
standard.
So
so
all
of
this
is
really
important
to
to
what
we
do
and
we've
organized
these
efforts
into
working
groups
that
largely
map
to
those
different
different
domains,
and
I
touched
on
some
of
the
different
things:
the
different
work
products
that
are
coming
out
for
those
things.
I
don't
have
enough
time
to
go
into
depth
on
all
of
them.
B
In
fact,
I
think
we'll
have
a
chance
during
the
q
a
to
highlight
some
of
our
favorites,
but
they're
all
very
active,
and
a
lot
of
a
lot
of
them
are
about
creating
code
and
and
thinking
about
software
and
tooling,
and
where
that
might
matter,
but
so
many
of
them
are
just
about.
How
do
we
just
help
us
as
open
source
developers,
be
more
thoughtful
and
informed
about
both
how
we
write
code,
but
also
how
we
consume
code
and
how
we
choose
what
software
to
build?
B
On
top
of
that's
a
really
critical
thing,
I'll
also
mention.
We
have
started
to
add
to
this
working
group
structure,
a
set
of
special
initiatives
for
which
we
go
out
and
get
additional
funding
and
and
set
up.
As
you
know,
projects
within
the
open
ssf.
B
One
of
those
is
called
project,
sig
store,
which
is
essentially
a
a
toolkit
and
a
specification
for
signing
software
artifacts,
so
that
you
know
when
you
get
this
component,
that
it
actually
came
from
the
developer
community
who
released
it
because
it
has
their
signatures
all
the
way
through
the
the.
However,
it's
come
through
the
pipeline
to
you,
rather
than
what's
usually
the
case,
which
is
the
signature
on
the
last
mile
right,
the
debian
package
or
ubuntu
package
or
apple
app,
store
signature.
B
That
kind
of
thing
this
is
about
moving
those
kinds
of
signatures
up
the
chain
and
having
a
system,
that's
kind
of
like,
let's
encrypt
for
more
easily
provisioning
signature
keys
to
be
able
to
to
sign
those
packages.
It's
taken
off
like
wildfire.
It
is
becoming
embedded
inside
of
some
major
systems
out
there.
The
cloud
native
community
has
adopted
it
very
widely
we're
also
seeing
the
maven
central
repository
is
trying
to
start
publishing
packages
and
asking
for
those
signatures
from
their
their
the
the
package
submitters.
So that's really cool. The final one I'll mention as a special initiative is something called Project Alpha-Omega, and Alpha-Omega is focused on resourcing a team (and we actually have three job descriptions up now for these roles), a team of specialists who can simultaneously work with the most important open source projects on a very consulting kind of basis to help them raise their game.

In terms of their adoption of many of the other different OpenSSF tools and otherwise, but really humbly approaching them going: how are you doing security today? How might we help you raise the bar on what you're doing? And then the Omega side is trying to cover the long tail of open source projects, scanning those for new vulnerabilities based on things like, well, we discovered this bug in Log4j; based on this kind of thing, how many other software packages out there also exhibit that kind of issue? And so with Alpha-Omega, we're really just getting started on this, but we're really ambitious here about creating essentially an open source team that will go out and help all these different projects raise their level of security. And all of these projects work together.

They're all aware of each other. Part of the goal of putting them into different working groups is to encourage them to think about where they meet up with other projects. Sigstore, for example, works very closely with, and has a lot of overlap with, SLSA, and the teams working on those have worked together to create a reference implementation of something called the Secure Software Factory. That's pretty exciting. Some of this is way upstream at the developer end, you know, teaching them about how to be more secure software developers, right, but then some of it is way at the tail end of this: how do we make the package managers and the big distribution points more secure in how they operate? So it really is all over, and it's sometimes...

I lovingly call it a circus, but that's because there's so much goodness, and so many different kinds of things happening within the OpenSSF. And I just want to give a little bit of an acknowledgement that this is happening as part of a context of a whole lot of other security initiatives happening across the Linux Foundation, lots more than I can go into today. This is not meant to say, "Hey, no one else in open source needs to worry about security, we'll do all the security stuff."

This is very much about making sure that every open source project is thinking hard about how it manages code, thinking about what practices they adopt, how to write more secure code, and resourcing their own security teams. We want to be in a capacity-building kind of mode where we really can spread out and be active across a wide array, both of Linux Foundation projects and other open source projects far beyond the Linux Foundation. So we are very fortunate to have some support from some amazing organizations.
Each of these organizations here has made a major financial commitment as a yearly membership in the organization. I thank in particular Wipro for that, but, as you can see, it also represents a very global set of companies, many of them obviously based in the United States, but with representation here from organizations headquartered in Europe and a few in the Asia Pacific region, and we certainly are hopeful to build more representation from the region as well.

Our other members are also participating and putting developers in, putting some financial resources in, and, as you can see, also some membership representation from Asia Pacific there.

And with that, I really... we are an open book. We do all of our work by Slack, by email. Each of the working groups has a conference call once every two weeks. We are working hard to think about how we adjust the timing on a lot of those calls to be at times that are more accessible for Asia Pacific, but many of them already happen very early in the morning Pacific time.

One of the other things we really want to focus on going forward is internationalizing the content that we create, translating that to other languages, translating the website, that sort of thing, and that's an area where we could also use some help, if any of you are interested in helping with that.

But please, if this is of any interest, as a contributor, as a developer, come to the OpenSSF website; there's more to learn there. And if you're a company thinking about how to help your community or your employees write more secure code and be more thoughtful about how they consume open source code, we'd love to talk to you, and maybe even have you come in as a member of the organization.

So with that, let me take a breath and pass the baton back to Julian. I don't know if there's been any questions so far, but I think it might be good to move on in the agenda. Yeah.
A: I think we've got a few questions coming in, so please, people, do bring those questions in and we'll answer them as we go along, and any new ones, you know, we'll answer at the Q&A. And now I think we're going to go to Vicky, who's going to talk a little about the coming initiatives and work that's been done at Wipro, as Brian said. Thank you very much for being up.
D: Well, we are very happy to be here, so I'll try and keep this very short, because I think the most interesting part of all this is going to be the Q&A that will come later, and what my fellow panelists will have to say as well. So as most of you know, Wipro is a very well-known, older Indian company. We've been around for more than 70 years now in multiple incarnations, and throughout our time as a technology company we've always had a really strong focus on technology. We've had great technology and security teams and capabilities, so we do this not only because it's important to our customers, which it certainly is, but it's also important to us as a company.

We really believe in doing the right thing, and that includes ensuring that our customers and all of our stakeholders are safe. And I want to give a quick shout out here to my colleague Vinod, who's in our attendees right now. Vinod's team does an excellent job; they're a great example of the people who are doing this for us. So if you ever want to know anything about open source and security, Vinod's a great place to start.

So, as some of you might also know, in 2020 we got our first non-Indian CEO, which was a big change: Thierry Delaporte. He took the reins as Wipro's new CEO in the middle of a pandemic, so, you know, bless his heart for doing something so difficult. That really shows that he's up for a challenge, and he's been doing some great stuff since he came on board. So, along with the change of leadership, we really are so customer focused that we see, as Brian pointed out, just the rising tide we have of these vulnerabilities and of these bad people taking advantage of them, and it's our responsibility to help our customers be safe, and so security is going to be really key in that. So pretty much all software, as again Brian showed, is all relying on open source: 90% of your average software out there is open source, right.

It's those open source components, those bricks, that are put together. So as pretty much all software now relies on open source, Wipro being a part of increasing the security and the sustainability of the open source ecosystem is absolutely critical. We see this as so fundamental to doing the right thing.

This also presents a great opportunity for Wipro to use our existing security knowledge from people like Vinod, and the capabilities of him and his team, to help lead the overall direction of securing open source. So naturally, as soon as we had the opportunity to do so in our strategic planning, we joined OpenSSF, and this shows our commitment to this effort, we feel, and we're also excited to just contribute. We've got a lot to offer as a company, and by helping the community we're also helping our customers.
A: Yeah, thanks, Vicky, that's great. Right, and let's talk about that rising tide and what we're going to do about it, right? Absolutely. The flood hitting us. So I think the first kind of question which I have for all of you is basically: what are the key open source software supply chain security challenges today, how urgent are these, and where do you see... maybe give some examples of how you see this rising tide, this challenge that we have today. So should I go to David first?
C: All right, first I'll unmute myself. Okay, so I mean there are multiple challenges. I think one Brian's already emphasized here, which is scale. When there's only a few open source packages in the world... That's many tiers deep. That perhaps has some issues. So I think scale, and the dependencies which bring in a scale that you might not be aware of, is one challenge.

I think another challenge... and so I think tooling is going to be an important part of that, to deal with scale. Another challenge is education. I don't have as good figures internationally; I can certainly say within the US, and I think within Europe as well, the vast number of software developers really aren't taught how to develop secure software. They're not taught how to look at software when bringing it in, and it's that lack of knowledge that causes many other troubles, and, as Brian's already mentioned, we're working on that problem as well.

And of course, you know, we've got clever attackers who are trying to exploit this, and the good news, though, is that we do have increasing information on how they're being attacked and what we can do to counter those attacks, to make the risks... not no risk, because all of life has risks, but bringing them down to far more acceptable levels.
B: Hard to even add. I mean, one thing that has changed quite a bit from just, I'd say, in the last eight years or so, from historically in open source, is the rise of really tiny components.

You know, the rise of, say, a component that's 100 lines, that has one or two functions, and it's written by one person, and that one person... sometimes they're really diligent, not just thinking about security but also thinking about the community dynamic too, and making sure they find somebody else who can answer issues or push out an update if they go on vacation, right. But a lot of times it's that one individual, and they start to feel a bit of this pressure to be the maintainer, to be the sole support provider, rather than thinking about: how do I make this a social thing? How do I combine my one piece with five or ten other pieces and build a community around this, and then have enough buffer and enough people around to make this thing be a living thing, right? So we have to think about tooling. We have to think about standards.

You have to think about ways to help these small components, because that's where I think a lot of the biggest risk is right now in open source, and I think those are distinct from thinking about, like, Log4j: what led to that, and what was difficult about dealing with its aftermath.

The other thing I'd throw in is even when we find a bug and we think we have a fix (and sometimes it takes a few iterations to get to the right fix), now going out and patching everywhere is really hard, really for organizations that don't have a great handle on how they're using software, which frankly is most of them. And so finding Log4j, remediating it, updating it has been a major source of pain, and it was funny to hear so many organizations go, "Well, we're not affected because we're using Log4j 1.x; the bug was in 2.x," but 1.x has been out of support for five years and had known issues in it. So really I think we have to think about this tail end of the development supply chain as much as we think about the upstream.
D: I'd like to build on that, because Brian really ended up in a direction that, you know, great lead-in, Brian. Thank you for that. So a lot of our focus, and a lot of what we talk about in OpenSSF and in general in open source and these security conversations, are about the open source side, right: the modules, the projects themselves.

But as I work in the industry, one of the biggest problems I see is actually at the other end. I mean, obviously the problems that open source and the vulnerabilities and helping developers learn how to do this correctly, as David pointed out, you know, how to make and write secure software and how to work with researchers and how to patch things appropriately and get the word out there: that's super important. We're doing a lot of great work on that, and what I see, like boots on the ground...

So if you're looking at your supply chain, when a link breaks, that's a problem, and if you don't know, you're gonna have a big problem, like, say: you're not gonna be able to update your Log4j quickly enough, and then somebody will take advantage of it. And so that discoverability of the supply chain, I think that's something that we really are starting to pay a lot more attention to, especially in OpenSSF, and there's a lot of really great...

What I'm seeing is some good cross-project collaboration, not only within OpenSSF but outside of it as well, as they're starting to collaborate with SBOMs, for instance, SPDX and OpenChain and things like that, and that sort of collaboration to help build that end-to-end solution from discoverability to the remediation of the vulnerabilities and everything in between. So that's really been interesting, seeing these connections get made just in the few months that I've been working with OpenSSF pretty consistently and a lot. But I've already been seeing these happening.
A: And it's amazing how things have been pulled together right now. I think the slide that Brian shared just beautifully... you call it the circus, right. I think that's great. So actually, just to take a little step back: do we see these challenges, the vulnerabilities, affecting any particular industry or country, or is this just generic, everywhere? What's the kind of feeling on that?
B: Yeah, we're seeing... so the financial services world has stepped in and participated in open source, in the Open Source Security Foundation, quite well, quite deeply. You know, folks from JP Morgan, from Citi, from other organizations are aligning how they do IT and security in that industry with so many of the standards coming out. We know that healthcare companies are affected and we haven't seen much engagement from them, so I'm knocking on some doors and trying to raise some awareness there.

So when the Log4j bug hit, that triggered a lot of people in the United States and the US government to go: is there something systematically either wrong here, or something we should be doing to help avoid the systematic cost of this? Not only for government IT systems, but for US industry. And now we're starting to see other countries start to knock around and ask about this as well.
D: We work a great deal in financial services and health care, and we do help governments as well, but we also have manufacturing, and we've just got all of these different areas that we work in, and everyone we talk to, all the account managers within Wipro, they're all concerned about this sort of stuff, right. And so this is not just one region. This is worldwide. This is cross industry. This is across academia and governments.
A
Yeah, everything's software now, right? So even crypto and other worlds, right, everything relies on underlying open source software. So what are the key ways in which the OpenSSF members and community are collaborating to help with this challenge, this opportunity?
B
Well, I'll jump in. I mean, I alluded to this a little bit when I suggested the specific kind of tools that we use to collaborate. Really, they start with conversations. They start with folks saying, you know, here's a domain like education where we think we could do something, and then it takes folks stepping up and saying, here's the beginnings of something, what do others think? So an example of this would be the coordinated vulnerability disclosure guide that we came up with.
B
I forget where the first couple of drafts of that came from. I think it was some folks at Google, if I recall correctly. David, or was it GitHub, or somewhere else? Do you happen to remember?
B
Sorry, no. But it all starts with somebody saying, here's something I'm passionate about, here's something that I think, you know, needs some work. Maybe it's something they've already created for an internal audience or for one of their customers, and they go, you know, this should be opened up.
B
This should be shared. And so things like that, things like the educational materials David worked on and the community gave input to, all of this starts with an idea and with a group of people within those working groups or even beyond.
B
In fact, we're now looking at adding a seventh working group focused on software package managers, and, you know, those folks at the tail end of the distribution span, and what are things they might do in concert across, you know, Maven Central and PyPI and Rust crates and all these others, to coordinate more effectively. But it has to come down to conversations, in the best of open source traditions. It has to come down to individuals. You know, companies certainly put their individuals on the job.
B
We're very grateful to Wipro for putting VM and others from Wipro on many of these different working groups and projects. But a lot of it comes from individuals with no other connection to us showing up and saying, we...
B
I think the world needs something like this, and our job is to try to channel those energies into productive outputs. David and I and others at the Linux Foundation are more like air traffic control, but the real substance is being created, most of the time at least, by all of the organizations involved in our community.
C
If I may add, you know, Brian's already... several times the word circus has come up, but there is method to the madness, as it were. Fred Brooks wrote a very influential paper decades ago about software engineering called "No Silver Bullet", and I think that very much applies here as well. There isn't just one thing where, hey, if this one little thing was done, all security issues disappear completely. It's just not like that.
C
There need to be multiple efforts working together in order to make progress on that, and so, as a result, we have an entire foundation, OpenSSF, working on a lot of these specific projects, and indeed coordinating with, you know, specific projects, say in the energy sector or finance. They, of course, are going to have to take additional steps specific to their situation.
C
You know, make sure that their software is written securely and so on. And so really this is going to be an effort of many people collaborating together, but the good thing is that that's how open source works in general: through collaboration.
A
Okay, great. So I think I'm going to ask now, of all those initiatives and all the things, what is the most eye-catching initiative that's coming out of OpenSSF? What's the, I hate these, coolest maybe, or the best, or however you want to call it, the one that's going to make the most impact? Maybe I'll ask each of you, and I'll do this in alphabetical order, just to make it clear. So, Brian.
B
Well, I thought it was pretty cool when we managed to get a thousand of these hardware devices out, or coupons at least for them, out to maintainers at the top 100 open source projects over the course of winter break, as kind of a Christmas gift, because these things help with implementing multi-factor auth, as it's called, so that we can help protect against accounts being stolen, credentials being stolen, which is an attack vector out there. And this is starting to be required.
B
Now, I think npm requires the maintainers of their top 100 or 200 projects to use multi-factor auth. So it sounds small, but it was a very horizontal thing, and it's one of the cheapest things we can do to improve security, and it gets to...
C
I'm gonna answer two ways, although let me first caveat with, you know, this is asking a lot, like which of your babies is...
C
So I think we're all going to squirm a little bit, because in fact we need them all. That said, I think coolest in many ways is, I think, for a lot of folks are going to look at this Alpha-Omega project, where the Alpha side, they're going to really focus on a couple of, you know, really critical projects, what's sometimes called white glove, or really giving a specific hand, and also trying to improve ways to search for vulnerabilities.
C
But I think coolest may be the wrong question. I think higher impact really is now, and I think Alpha-Omega, I mean, there's some experimental parts.
C
I think it has a lot of potential, and perhaps I'm biased, but I think courses on how to develop secure software may be one of the bigger impacts, because I think in the longer term we're going to have to have tools, we're going to have to have lots of other things, but unfortunately it's been demonstrated over and over again that giving tools to people who have no idea what they're doing... there's a phrase, "a fool with a tool is still a fool". And so we do need tools.
A
Yes, very, very reasonable. And Vicky.
D
I mean, everybody's mentioned Alpha-Omega already, so I mean it is certainly the new hotness, and so therefore it's the epitome of cool, and it is going to be very, very great once it gets going, but we're just starting with Alpha-Omega. So it's a great time for people to join and to start participating, because literally the first call is in two weeks, right? So this is the perfect time to show up and to start participating, because Alpha-Omega is going to really revolutionize security in open source, right?
D
It's going to be that big, but that's in the future. Talking about right now: David's talking about education, you know, and learning courses and stuff like that. I'm thinking more shift left, which is similar to where he's going, right? Like, security, you make it earlier and earlier; it's going to be getting to these people and helping them know how to do these things well. There's lots of people involved here.
D
There's the developers, there's the users, there's the researchers. And so the Vulnerability Disclosure working group is doing some stuff right now that you can pick up today and share and use and make a difference, and that's going to be the CVD, the coordinated vulnerability disclosure guide, which helps open source projects with templates and how to learn to manage your security world, right? How do you have your contacts? How do you interact? How do you disclose these things at all?
D
They just started. This working group is speaking to the researchers, the other side of that equation, which is, how can you better reach and better communicate with open source projects? And that's going to be so incredibly valuable, and that's something that I don't think we've spent enough time on, and I'm just so glad to see that. It's going to be a really powerful thing, and again, that's another one that's just starting now, but there are researchers already working within that working group.
D
We've got great people there to provide the information and to guide this, and so we're going to be launching this at some time, sooner rather than later. I won't take away the big, you know, reveal on that, but we just started working on it, so again, a great situation for people to just come in and chime in and make a difference, like, today.
A
Okay, excellent. So there's some wonderful things going on, right, and lots of new things. And we're coming nearly into the last 10 minutes, so I'm going to ask, actually, maybe: how do people get involved? You've talked about these wonderful things, right, so I think that's the key, the crux of, you know, how do people get involved? You've got these working groups, you've got these activities. Obviously we're in Asia Pacific predominantly here, and some people have language barriers.
A
Some, you know, we're in the wrong time zone, and thank you for getting up late, we appreciate that. But I think we'd like to be doing some things in our own time zone here, but obviously globally, rather than having, you know, fragmentation. So how would people, whether they're a business, whether they're a developer or a government agency, how should they get involved, right? And this isn't just for members; it's an open source community, right? So how should people get involved, as individuals, as governments? So... sure, yeah.
B
Yeah, let me tackle that, because on top of the fact that many of the things I mentioned were, you know, very focused on individuals getting involved, right, through the working groups, the mailing lists...
B
We have everything documented on GitHub, and, you know, if you live and breathe GitHub as a developer, you'll understand what we're doing there in terms of process and using the issue tracker there to kind of manage outstanding issues and the working groups and that kind of thing. And we probably use Slack more than we should. I understand Slack is not always accessible globally, and we're very interested in exploring alternatives. In fact, we do have a WeChat group to reach those in China who want to participate.
B
So some of this is about tooling. Talking about organizations, about companies: we have a membership model, so companies can join as members, two different tiers, and there are benefits to that. Mostly it's about putting your logo on the website, as a kind of a thank you for the work we do, and, you know, we keep you updated on what our priorities are and how we're spending the money and that kind of thing.
B
But, you know, there's no special code benefit to being a member. You know, we're not limiting or giving a special, you know, security service or anything like that. But we do want to engage with our members and their own security teams and help educate their own organization.
B
So, if that's of interest, let us know. The one thing I do want to highlight, though, is we know that working internationally is very limiting if you want to treat everyone as if they were, you know, all sitting in the same room. One thing that we did with Hyperledger that seemed to work very effectively was, for some countries, we created basically a satellite team that was volunteers, that were kind of like... we called them the technical working groups, one for China.
B
We have one for India on Hyperledger. We haven't set those up yet for OpenSSF, and I'd like to see if there are some really leading people in different regions of the world who realize their job is to help advocate for OpenSSF and can connect the communities there. I don't know how many of you are getting back to doing face-to-face meetups.
B
I know we're a long way from that in some countries, but in others things are starting to open up, at least right now. And so, being people who are willing to help drive some of those meetup communities in different regions, but really just help, you know, get over the language barrier, get over the time zone barrier, get over the cultural barrier, and help us connect with developers and companies in those spaces.
C
If I could add to that, I mean, everything that Brian said, plus all the working groups and many of the larger projects also have mailing lists that you can sign up for, and, you know, at least you'll find out what's going on, communicate back, work with... he mentioned GitHub. Of course, you know, that's not just issue tracking but actually allows the work. You can propose changes, review things and that sort of thing. A few groups are already looking at... I think there's at least one group.
C
That's already doing, and my apologies, I know there's a name for it, but the name for it is escaping me, but basically where we have meetings every two weeks, but we shift the time so that sometimes it's better for Europe and sometimes it's better for Asia Pacific, so alternating, so that increases the ability for people in different time zones. There is no time zone that's good for everyone; it's just the way it is, but trying to make it so that everyone can participate.
C
I think that's the key thing. If I may just add, additionally, you know, what does the OpenSSF do? Well, you know, we have a certain goal, but in terms of specifics, so much of it is just driven by the people who care. If you have a good idea, share it, if either you or someone else says, oh, I really want to contribute and work on that.
A
Okay, excellent, excellent. So yeah, please do get involved. If you're in this time zone, you know, please reach out to me or anybody in the community, and I think I'd love to see, as Brian said, we have a technical working group in China, we have a chapter in India, we have many meetups.
A
Obviously we haven't done that in the physical world because of COVID; it's all virtual, which actually may be easier, but not so easy in other ways. So definitely do reach out, and it's open source, so basically, you know, come forward. So the other thing that I would like to look at is maybe let's answer some questions, right? We've got a whole bunch of questions coming in. Do any of you... I know David and Vicky and Brian, you've been answering questions.
B
There's one I wanted to highlight. The link to the courseware was identified by Hiroshi, thank you very much for that, but I did want to emphasize: the courses right now on edX are free to take. They do cost money, and this is an edX requirement, to be certified. There's like an exam that you take to get a certification and you can prove that you've received that. We are working to bring the price down on that.
B
I don't want to discourage you from taking the courses, certainly do that, but it's our goal to get the price on those certifications to be much more affordable. There are some hard costs with doing this, but our goal is to get it as low as possible. Let me just leave it at that. I don't have anything to announce yet; I'm going to wait on that until we can confirm, but please feel free to take the courses and watch this space for when we offer lower-priced certifications.
C
There we go. Oh my goodness, there's so many here. Let's see: information about security testing. We've already talked about Alpha-Omega.
C
So, for example, the CVE Benchmark initiative has a whole bunch of test cases for testing primarily static analysis tools, and the fuzzing group has Fuzz Introspector, which is used to help us evaluate and improve fuzzers. So we've actually got quite a bit going on, and, oh, there's so many questions here. I wish I had...
A
Time to answer. I think there are some things... I think what we'll do, maybe, when we send out the email, we can answer some of those questions, some of the specific ones, and I think we'll come out with where the working groups are, where the training is. We'll try and give everyone a kind of, you know, what's what... I'm not going to say circus, but I just did, within the environment.
B
No, there was another question that I wanted to answer real quick, which was: should there be rules that software vendors list out the open source software that they used, for a customer to reference, like labels on packaged foods? And yeah, this is the point of the software bill of materials concept, and there's a couple of different standards out there.
B
For this, the one that has been in development for a while, that the Linux Foundation is behind, is called SPDX, and this is for both security, you know, knowing what's inside and being able to check signatures, as well as for license conformance, so you can know, hey, the code that I pulled together: are all the licenses compatible, and are they compatible with my company standard for what open source licenses we use?
B
So I really encourage you to check out SPDX. That's not technically an OpenSSF project, but we plan to help that community quite a bit over the next little while, so I just wanted to highlight that.
A
Okay, I'm just going to go with one lightning round question. So between one and ten, one being bad, ten being good, right: how successfully are open source software security challenges being addressed today, and how well will the cybersecurity challenges have been mitigated in five years? So how much today, would you say, out of ten, are we doing, and how well are we doing in five years, out of ten? So Brian, I'll start with... all right.
B
All right, sorry, we've got reversals. Okay, yeah. I think we're at about a three right now, to be honest. I mean, if you look at, like, in the Census II, the list of top 100 open source packages, in a couple different ways you slice it, very few of them have even done the best practices badge, which is so easy for a project to fill out. So we're at three right now, and I think if we work really hard and all pull together, adopt a common set of standards...
B
I think over the next five years we can get that to a seven, maybe an eight, but I really want people to surprise me. Maybe we'll go higher too. So yeah.
B
Three to an eight. Five years is a long time in open source. So yeah, that's what I'm gonna be doing for the next five years. I don't know about the rest of you.
C
I'll buy Brian's numbers, but I want to explain why, and that is, I think, saying, hey, the open... there are literally millions of open source projects. Some of them are doing spectacularly well, like, give them an eight, nine or a ten, but there's a whole lot that are not doing well at all, and frankly, that's not just true for open source. That's also true for proprietary.
C
As I mentioned, a vast number of software developers, they never heard, nobody told them, and so they're not doing anything, because they don't know what they should do. So if you've got a couple of tens and a whole lot of ones, your average moves quickly down, closer to three than to 10. But so I think that, as we can increase knowledge, tool use, encouraging the, you know...
A
Okay, so that's a three and an eight, and with good reasoning. And Vicky, so do you agree?
D
I don't think it's possible for me to put numbers on that, to be honest.
D
I really don't, but I tend to be pretty skeptical about these things, because I know I've done way too much research into humans and change. Okay.
D
We say... and I think this is complex. This is a sociological thing that we've got to deal with, and human beings the world round are difficult, squishy things, and it's gonna be a real challenge, I think, to get that many people to all move in the same direction, even if it's not in a standard way, at least in the same direction. But it's never going to happen if you don't try.
A
All right, excellent, that's a great way to end it, and thank you. I think, and actually, it's up to everyone here, right, everyone in the open source community. You can get involved. Please do. Asia Pacific is an important part of the global community, so please do get involved. This, hopefully for many, will be the start of a journey to help us move to an eight or nine. As Vicky says, you know, it's up to us as a community, right?
A
So with that, I'm gonna... I think we've hit the hour. Actually, we've gone over our hour. So I'd like to say thank you to David, particularly for being up; it must be nearly midnight now. Thank you very much to Brian and to Vicky. Thank you all for listening, and take care, you know, keep safe. We've still got challenges all around the world, so please keep safe, take care and look after yourself, and thank you.