We have a good crowd, so let's get started. Thank you all for joining. I'm Arnaud Le Hors from IBM. I'm part of the Open Technology group at IBM and I've been involved in the OpenSSF for a year and a half or so now. I'm going to give you a very quick intro to what we're talking about, and then we'll follow up with the panel of esteemed colleagues here, and we'll do an introduction of everybody at that time.

So we are going to focus... I mean, this is really probably not necessary; I assume everybody is aware that software is under attack, and that includes open source. The OpenSSF was basically created to try to address this problem. It's obviously not a problem that any single company can tackle on their own, and so the OpenSSF is a Linux Foundation project that aims at trying to help improve the security posture of all open source. It actually was started quite a while ago, in 2020, but at the time we had COVID and companies were not too sure what the economic impact was going to be, so the organization was not fully funded. It was kind of a slow start. But in 2022 there was a reboot where we switched to a fully funded model that allowed the organization to really start in a real manner.

This is basically the structure that we are talking about. There are many different activities. My goal is not to present everything but to give you an understanding of what we are focused on today. So just briefly: we have the governing board level, there's the TAC underneath, and then we have a whole bunch of working groups, and each working group focuses on different areas. The part that we're talking about today is the Supply Chain Integrity Working Group, in black in the middle there. Each one of these working groups has different sub-initiatives underneath.
They can be special interest groups or projects that focus on actual code. What we are talking about here, again, this is kind of the list of everything that goes on, but I just want to focus your attention on the top right corner over there, again in black: the Supply Chain Integrity Working Group with the different activities underneath. So we have SLSA, we have FRSCA and S2C2F, and there is another group, the SIG Supply Chain Integrity Positioning, that kind of tries to help with the coordination of some of the aspects. This is just a general pointer to the OpenSSF and a call for action for everybody. This is essentially just what I wanted to present as a general framework to frame what we are going to talk about today. The goal of this panel is really to give you a better understanding of the different technologies, related to SCI in particular.

So with that, and without further ado... People want to look at this? Fine. I don't know which one is better as background, but it's kind of in your face. I can leave that as background if you guys want. So let me first allow my colleagues here on the panel to introduce themselves. I think I need to specifically call out that my colleague Melba... this is not Melba. Melba is unfortunately sick, and so she couldn't actually participate in this panel today, and lucky us, we actually had one of her colleagues from Red Hat who was able to step in in her place. So Laura, I want you to introduce yourself.

Well, it doesn't work. Thank you, already messed up. Laura C from Red Hat. I'm a manager of supply chain operations in our product security department.

Jay White from Microsoft.
I work in the open source strategy and ecosystem team. I do all things liaising between our supply chain security folks in engineering services, our information security and cybersecurity folks over there under our security org, and then I do a whole bunch of work inside of the OpenSSF to make sure that we all are operating in a safe and comfortable supply chain environment.

And I'm Mike Lieberman. I'm CTO and co-founder of Kusari, a software supply chain security company. I am also a SLSA steering committee member, as well as a maintainer on the FRSCA CI and build system project.

So again, the goal for us is to get you a better understanding of the alphabet soup that's hidden behind some of those names. Namely, we have three main technologies we're talking about: there's SLSA, FRSCA and S2C2F. I don't know if everybody here knows what those things mean, but hopefully at the end of this talk you will know. Each of them kind of represents one of those pillars. So Laura, why don't you tell us first what SLSA is about?

So SLSA is the Supply-chain Levels for Software Artifacts.
It's a mouthful, shortened to SLSA, and it's essentially a framework; it is a set of guidelines for supply chain security specifically. It is organized in levels of assurance, so there's incremental adoption through the levels of assurance, and that's to help prevent tampering and improve build integrity, and also to help secure packages and infrastructure throughout the build process. You may have heard the analogy of SBOMs being the ingredients list; you can think of SLSA as being the food handling guidelines around the pipeline. If you think of it in those terms, it's that evidence seal to show that it's tamper-proof, and also to show that you can verify who the creator was, with that stamp of approval, and then also you can use it to help verify the provenance.

All right, thank you Laura. So I'm going to skip Jay for a moment and we'll go to Mike, who's going to tell us what FRSCA is about, and you'll understand why I skip Jay for now.

FRSCA, which has a background I'm not going to go into in too much detail right now, is a build system intended to actually hit the highest levels of SLSA. It came out of the CNCF's TAG Security supply chain working group originally, where there was a project called the Secure Software Factory reference architecture, which described how to create a cloud native build system that was secure and was using the best-of-breed build frameworks and whatnot. That's where SLSA came in, and FRSCA is an actual implementation of that. FRSCA consists of a bunch of cloud native tools such as Tekton, Tekton Chains, SPIFFE, SPIRE and so on, to provide a bunch of build infrastructure as well as a set of abstractions on top of that build infrastructure to enforce stuff like SLSA rules, and then
eventually it'll also be used to enforce stuff like S2C2F, and that's where I'll head over to Jay.

Good call, Mike. Thank you. All right, that's S2C2F, the Secure Supply Chain Consumption Framework. It began as a framework that's heavily utilized today inside of Microsoft. We thought it was such a great tool that we decided to publish it and bring it over to the OpenSSF so it can be further improved and developed and then brought out to the community. It is a consumption framework, mainly for the end user and mainly focused on dependency management. In that vein it focuses heavily on the ingestion of open source components. It's rooted in the threat- and risk-based approach that we are all concerned with, so you'll see a threat matrix, and based on this threat matrix it takes a lot of those threats and says, okay, well, let's break those out now, and how do we mitigate them? It does this through eight different practices, going all the way from ingestion to fixing it upstream, which is, dare I say, aspirational in nature, but something that's also very much thought about and on people's minds. It breaks those eight practices up amongst four different levels, so you can have level one all the way through level four, with level one being scanning for known vulnerabilities and getting some type of consistency with how your organization is ingesting open source components, all the way to being able to validate SBOMs and validate the quality of the SBOMs and all that kind of stuff. So again, S2C2F: consumption framework, focused on dependency management, eight practices, four levels.

All right. Thank you for that first round of introductions of the technologies. So let's go a little deeper now.
So Laura, SLSA 1.0 just got published. I think it's fair to recognize that SLSA was started by Google. Similar to what Jay was describing, they had developed it internally and they felt like this was something that could be useful more broadly than just Google, so they contributed their specification to the OpenSSF, and it's been developed within the OpenSSF since then. It's been several months, and SLSA 1.0 was just published. So Laura, can you tell us what's in SLSA 1.0? Because it's quite different from what was initially contributed by Google, and even from what was publicly available on the slsa.dev website.

Yeah, that's right. So the first SLSA 0.1 version actually contained about 20 different requirements, and version 1.0 only has five, but those five are centered around provenance generation and isolation strength. And there are different tracks in SLSA.

Yes, that's new in 1.0.

Yeah, so the build track currently, as it's published, is focused on the build system, and then there is a source track as well as a provenance track.

Sure. Yeah, I just wanted to add in there, because one of the things we've heard in feedback from folks is they saw that we went from having four levels to now down to three levels. Are we making things less secure? Or hey, we're not doing code review; does that mean code review isn't important? And I just wanted to clarify that.
No, that's not the case. We wanted to really have laser focus for 1.0. We found where the biggest gap was, which was around that build provenance. There's a ton of great best practices and frameworks around doing code reviews and distributing artifacts securely, but around that build piece, around establishing provenance of that build piece, we found that's where the big gap was, and so that's where we focused. In addition to that, some of the stuff that we found with the four levels was that level four, which was aspirational, was also too vague to be really actionable. We found that a lot of folks were just getting really confused, and for us, we'd much rather not have the level than have something with so much confusion around it that people are not sure how to implement it; they're not sure what it even means, and that confusion can actually lead to worse security. So we pulled that back a little bit. But stay tuned: probably in a couple of weeks, maybe a couple of months, you should see a draft coming out.

Yeah, and I will also add to this. I'm personally also involved in the SLSA specification work, and the way I see it is Google came with this, and there is a lot in it that tried to capture what they were doing internally. But of course, I'm an old standards guy, and this happens all the time when you start putting your work under the scrutiny of a much broader community: you realize there are a lot of things that you kind of assume are obvious that don't pan out in a larger community. And so a lot of what's in it is actually a big improvement over what was before, because there are things that were a bit vague and a bit aspirational that were actually removed, and what's there,
I think, is a much stronger, solid foundation, and that's the advantage we have. This is a choice the group made: we could have kept working on that spec for much longer to try to address all of the scope that was in the initial contribution. Instead the group said, look, we don't want to keep working on this spec forever with everybody waiting for something to come out. It's better to reduce the scope, remove the things that we're not too sure about, and then focus on what we can really strengthen now, so that we provide some foundation for everybody to use now, one that we feel comfortable is stable enough that we won't have to change it moving forward but can build on. That's really what it is. I think some people have felt a bit let down, because not everybody was really following all the evolution, and when they saw the announcement of 1.0 they looked in there and said, wait a minute, this is nothing like the previous version; what happened? We literally had people say this doesn't deserve to be called 1.0; you should call it 0.5 or something. It's arguable whether it should have been called 1.0 or not, but I think the sentiment in the group was that, although reduced in scope, it is a much stronger foundation to build on. Jay?

Yeah, so one of the things I wanted to make sure that everybody understood and was clear about regarding these efforts under the Supply Chain Integrity Working Group: we wanted things that were developed that were usable, right? Not just put a bunch of stuff out there that sounds good; you see the fancy names and you're able to make up memes about them and all that, but do they actually work? And of course I sit in all these rooms as well, so there's Mike and me. So while we were actually going through the process of breaking these things down, busting them open and saying, hey, what actually works in the community, and how does this scale, right?
How can we scale for improvement? How can we scale for usability? How can we scale with the emerging threats? How can we scale with the emerging security concerns? How can we scale with different industries that have different concerns and that are now building software services? So, taking a step back and doing what we did here, we said we can take this, we can bust it open into different tracks. This track works now. We can focus on this track, and these things are usable; when you get them you can read them and you'll say, oh well, this is... I mean, this is a shortened experience from the... Well, yeah, now go and implement it, and come on in and work with us, and see you on the next track, right?

All right, so thanks. Laura, so who is SLSA for?

So SLSA can be used by both software producers and consumers. With software producers like Red Hat, we use it to model the specifications for pipeline hardening, so we can take that as the guidelines and also apply it as evidence for attestations, for things like compliance with industry standards. So even if your company or organization isn't necessarily involved with the US federal government as a vendor, you can still use that as kind of a badge of honor, right, to say you are SLSA level three and this is what it means. Also, other than just the executive order, there's the NIST SSDF and then NIST SP 800-161 and 800-53, which map really nicely to the SLSA framework. So whatever your use case is as a producer, whether you have compliance-related issues that you're hoping to resolve, you can use the implementation steps to know exactly how to do the things that we're being asked to do. And then from a consumer standpoint, you're informing decision makers on what software packages are most secure, with increasing confidence with every level of assurance.
So when you're looking for software to use, having that really helps you highlight the security posture of that software package. Mike?

Yeah, I just wanted to add something there from the FRSCA standpoint. We are using SLSA both to produce SLSA-compliant software but also for stuff like the base images: we can have rules that enforce that the base images you're using to build on are also SLSA compliant. So you're starting from a reasonable baseline of security, and then everything you build on top of that, you're sort of layering on that security.

And by the way, FRSCA provides what level of SLSA?

So yes, as of 1.0 it supports level three, as long as you're running it in a reasonably secured Kubernetes cluster, where you're trusting that admins are not attacking the cluster and that sort of thing. But with that said, we actually have some open pull requests that Parth and Brendan have been working on for a while now, into Tekton and Tekton Chains, that can actually protect against even malicious actors who have administrative access to your Kubernetes cluster, via stuff like SPIFFE and SPIRE, that will actually ensure that even if somebody does come in and attempt to compromise the build while it's running, it would get detected and would not get signed, would not generate provenance, and all that.

You have a question?

The latter, so it helps with the evidence. So, being able to provide that evidence for whatever attestation you're hoping to achieve.

A question? Yeah, thank you.

You mentioned FRSCA is an implementation. So obviously enterprises are not going to implement FRSCA on their own. So what do you think is the lead time to get something like
Jenkins or a GitHub-based CI/CD solution with Actions and such to be FRSCA compliant?

So GitHub Actions already... there are ones that came out of, actually, the SLSA team, a lot of folks at Google as well as other folks at GitHub and other places, who have built some stuff that actually is SLSA 3 compliant. So on that end it's quite quick. Some of the legacy systems that are out there, like your Jenkins, are going to take a little bit longer, and there's some work that's happening on there, but because Jenkins made some architectural decisions decades ago that still have impacts today, certain things like Jenkins by default being very open while SLSA by default really wants everything to be very closed, that's a little bit more difficult. So on that end, yeah, there's some stuff that's already out there. And FRSCA is not... we recognize that not everybody's just going to adopt FRSCA and start running everything in Kubernetes, but it is something that we believe that at least the architecture can be used as an example, so that folks can go and say, oh, okay, I want to replace Tekton with this thing, but I'm going to be looking at how it's been built and try to follow that process.

So SLSA 1.0, mostly when you look at it, it's for auditors...

One point...

But you're saying that FRSCA 1.0 is aligned with SLSA level three?

Yes.

So how did we end up with so much disparity, where 1.0 for general consumption is only level one?

Oh, no, no, that might be a misunderstanding. Yeah. No. So SLSA version 1.0 is intended for general use, both from software producers and consumers. With SLSA 1.0,
producers can go out and say, hey, I produce software and here's the provenance of that software, so you have some evidence that it's been built in a relatively secure way. In particular, SLSA level one is pretty much saying: are you recording the fact that you ran a build and what you did in there? SLSA level two is: are you signing that, so that we know it came from this organization, this build system? And then SLSA level three is some additional constraints on how it's built, to essentially enforce that the build itself can't have access to the signing secrets, right? Because you can imagine a malicious developer comes in and says, hey, I'm going to sign whatever I want using that key, and all of a sudden... there's a lot of concerns there. So SLSA level three, by having that removed and having a separate, more isolated thing do the signing, puts you in a much better spot.

Yeah, let me try to clarify one thing, because it is a bit complicated. We have like three different dimensions at play here. We have 1.0, which refers to the version of the specification. Within SLSA 1.0 we have different tracks; in fact 1.0 focuses on one track, which is the build track. The expectation is there will be other tracks, like a source track later on, dependency tracks and so on. We don't have a full list yet because it's kind of open-ended. But within each track we then have levels that increase the assurance level that you can expect. And one way to think about SLSA is also a bit like a badging mechanism, right?
So if you want to, today, build a build system... and I think of FRSCA as a simple implementation, if you will, of SLSA. But this notion of SLSA level three just means it's kind of like a badge that you can apply to a build system that says, yeah, we fulfill all the requirements for SLSA 1.0 level three, and it gives you a series of assurances that come with it. And by the way, right now it's all going to be self-certification; anybody can claim whatever they want. But there is a proposal in the works within the OpenSSF to develop a conformance program that will allow us to actually have a bit more rigor over those claims, so that they can be audited and so on.

But so Jay, let's go back to S2C2F. We heard quite a bit about SLSA, and a lot of people are asking, so what is S2C2F? Who is it for? We heard from you it's more on the consumer end. How do you position it with regard to SLSA?

Absolutely. Consider S2C2F a companion to SLSA: think of SLSA on one side, then S2C2F on the other. So if we look at the spectrum of things, when you think about source integrity, we think about build integrity, and we look at that across the spectrum, and then you come down and you think, okay, so SLSA is looking at build integrity over here, and then eventually we're going to get back to source integrity. But then dependency management: how do you manage the dependencies therein? That's where you find S2C2F, understanding some of the gaps that each fills for the other when you consider what's experienced from the end user perspective.
So even before you get into the build process, when you're actually consuming open source software, how is your organization going about that? When you consider that you have an industry that's building a certain way, then you have organizations within that industry that are building a certain way, and now you have business units within that organization that are building a certain way, you're going to have chaos. So how do you control that chaos? How do you create policy? How do you create the right governance, putting the right people, processes and technologies in place to create that governance environment within your organization, to get on the same sheet of music with how you're consuming open source software, and then how you're managing those dependencies throughout each respective build process? Think of version control. Think of the way that you're scanning, you're checking in and checking out components and binaries. Think of all those things, and think about the level of the end user, and that's where you have S2C2F. And then jump on over into the build process and begin to utilize the SLSA framework throughout your build process.

All right, thank you. So what's the status of S2C2F?

So S2C2F has been at 1.0 for a long time. We came in really at 1.0, which, believe it or not, I was really kind of upset about, like, dude, I mean, this almost looks too complete, man. Like, trim this fat a little bit, right? Good news on that: scalability, right? We've had the pleasure of having people coming with new threats, and the idea is Microsoft has done it this way; Microsoft is one organization, it's one company; there are many different companies doing wonderful things, right? What kind of security concerns are they experiencing? What kind of issues are they experiencing?
What kind of threats are they discovering? Bring that and let's get that in, right? Like I said, eight practices, four different levels. There are some levels that are aspirational at best, but I know when we have a whole level that's dedicated to validating SBOMs and validating the quality of SBOMs, and inside of the OpenSSF itself we have an SBOM Everywhere group that's focusing on the idea of SBOMs, and we have outside organizations that are focusing on SBOMs: bring all that knowledge in, let's see where those gaps are and fill those things. So S2C2F, although it's at 1.0, we're preaching all over the place, right? We were just at RSA; Adrian, that's my partner in crime inside of the SIG, gave that talk there; I'm here; we're everywhere. We're still in the position, and it's so exciting, that we can still scale and continue to make it better for everyone in the industry.

Yeah, Jay is literally everywhere. You cannot join an OpenSSF call without Jay being there. He's trying to compete with David.

We're there. No, no, no, there's no competition, but trust me, it's getting kind of annoying.

Where am I at, Arnaud? Okay? All right.

So Laura, why don't you tell us a bit more, maybe, on the kind of threats that SLSA tries to mitigate?

Yeah, so Michael touched on it a little bit, the compromised build process, and everyone's familiar with the S word, the SolarWinds that everybody talks about. There's also uploading modified packages; Codecov was a really good example of that happening in supply chain attacks as well. And just within the build process, the build track alone, you can look at not only the compromise of the build process but also the use of that compromise, and how they can take that malicious package and continue to destroy reputations.
And so I think SLSA helps a lot, even just with the build track, to mitigate those threats.

Can I raise my hand, please? Okay, I'm going to kind of be a pain in the butt here. So you say that SLSA would have stopped those attacks, but I know it wouldn't have stopped all of them. And I think we love to hand-wave all of this stuff we're working on, like, oh yeah, SolarWinds would not have happened, Log4j would not have happened. But I think the reality is we have done a poor job as a group at the OpenSSF of concretely tying attacks to the things we're working on and how they would have actually stopped whatever it is we're talking about. So, yeah, I think gloves are off.

Yeah. No, I definitely agree with you on that one. I think there's a lot better we can do. I also think that as an industry, when these sorts of events happen, everybody plays things very close to the vest; they don't want to really explain exactly how it happened.

Yes, exactly.

With that said, I think, as with everything else, the answer is it depends, right? It depends on all sorts of factors: how rigorously some of this happened; did you do all your builds SLSA versus just one or two? When it comes to stuff like the SolarWinds attack, SLSA level three would have helped out there, because... well, it depends on who you believe in which case of how SolarWinds got compromised. Was it an actual individual build or was it the build system itself?
Because if it was an individual build, it would have been protected with something like SLSA three. If it was the entire build system itself, then maybe not. But the idea behind SLSA is you are securing your build system such that you're doing largely the right things. But like anything else, I think it all kind of depends, and it also depends on how sophisticated the actor is. When you're talking about a very, very sophisticated, most likely state-sponsored actor, how much money you're spending to secure your stuff is really what it comes down to.

All right, so I was going to say I would definitely not say that SLSA version 1.0 is going to prevent the next SolarWinds, and that's because when we talk about the other tracks that have not been fully formed yet, that's where I personally feel like we're missing, with the source track and the logging and the access control. Because if you look at APT41, Wicked Panda I think is what it's called, and APT29, which is the Cozy Bear of the infamous SolarWinds, those malicious attacks... I mean, the initial attack vector was through the production environment itself, and the malicious code was injected into something that was already signed. So you make a really good point, because if you're all focused on getting the package signed, well, they didn't really care about that; they just went after the signed package anyway. But there's the future of SLSA, where you want to go in and build out the source track, I think, and also the build platform track, which is going to be another track, kind of jumping ahead of your question. Those are the kind of things that we can focus on in the next version, and if you want to join us...

Yeah, go ahead, continue on that track.
I mean the different tracks. So the status, as we said: 1.0 just came out. I think it's fair to say the group is taking a little bit of a breather; we were really pushing hard to get 1.0 out, so the last two or three weeks have been fairly quiet. I was personally off for two weeks, so that worked well for me. But as we pointed out, there is more work to be done; level four was taken out, as well as things that pertain to the source management aspect. So Laura, can you tell us a little bit more?

Oh, yes, for the source track. I'm going to have to use my cheat sheet on this one. Ensuring the changes to the source reflect the intent of the producer would be the focus of the source track in the dot-next, and then for the build track, the current build track, you mentioned level four would be something to focus on as well, because even when I did the mapping to the executive order, a lot of the meat of the executive order is in that level four. So if we want to have complete alignment with industry standards, it's definitely important as well.

And I think it's fair to say the group has not decided exactly what's going to be tackled next. It's still to be decided, but there's a fairly long and growing list, because of course once we adopted this notion of tracks, there are always a few people who come and say, how about a track on this? So, there are some questions. Jack, actually, you had something?

Good day. So some of you may know me in other circles as somebody who's very passionate about pair programming.
I'm concerned that it's sort of being left out in the cold, or certainly was in the 0.1 version. So as things go forward on the source track, as that develops, what can I do, or what will you do, to ensure that pair programming is not left out or made, so to speak, a thought crime?

So just to be clear, I love pair programming. So I think, I mean, the first thing I'd say is join the meetings, express that, open up the issues regarding that, join the community. Because I think one of the reasons why we had removed source was that we felt like we weren't doing it a good enough service by only including a handful of things. In addition to that, I think the thing that we're also looking for is folks' input on how we prove it, right? How do we prove that we did pair programming? Maybe is that going to be something like two people signing the same commit? Maybe, I don't know. There could be many other ways of proving that, and so we're looking for folks who can come in and say, hey, we want to do this practice, and I also have input on how we might be able to implement that and prove that in, like, a SLSA source provenance attestation.

All right, one more question here.

All right, and apologies if this has already been answered, but relating back to the gentleman's question over there about how do we know if following these frameworks actually would have prevented certain types of attacks: are these frameworks being developed against any specific threat matrices or TTPs or sets of risk frameworks that are mapped, so that we can say this directly attributes to that? And also, is it being used to determine what the next tracks are going to be as you develop next iterations?
So on that end, yes. Exactly which ones I'm not exactly sure, but the threats that we're currently focused on, when it comes to the build step, are literally the build itself, as well as the arrows that go into the build. So are we essentially enforcing that a build is only pulling, you know, what it thinks it's pulling? Right, which, once again, the integrity of what that thing might be is part of the source track, but generally, is the build at least attempting to pull from the right places? And then, what are the threats against that, and have we seen similar attacks, where, hey, like a DNS poisoning attack or something like that, those sorts of things.

Also the same thing goes when it comes to dependencies. Right, and that's kind of part of the source of provenance piece: by essentially recording what we're pulling in, we have a lot more information. And assuming you trust that you've secured everything, and that what's generating this provenance is actually generating the correct stuff, then the threats against dependencies, like, yeah, you might still be building malicious software, but you've recorded that you've built malicious software with these malicious packages.

And then the same thing goes when it comes to publishing. Right, you can go and say, yep, I recorded that I built this artifact with this hash, it was signed, and then when I look at my package repository, I see a different hash. What happened? Something must have gone in there and manipulated it, or pushed something to our package repository without going through our SLSA build process.

And with S2C2F, its main base is in SSDF, and it uses an actual threat matrix to develop its mitigators and develop its controls. Right, so you can say things like typosquatting.
You can say the SaltStack, and you consider, you know, my friend, and anyone who's ever broken into a web service before, phpMyAdmin. But it takes those threats and it looks at, well, what are the mitigators to those threats? And that's how the controls themselves are developed. And as I said before, you take the four different levels and how the mitigators you're using, whether they're being automated, right, you have automated tools that help with mitigation, etc., you go through the four different levels. So it could be as simple as level 1, where it's just minimum open-source software governance, right, and, you know, scanning for known vulnerabilities, all the way until you get to 3, and you're doing zero-day detection and doing malicious defense, and you're now doing scans of cloned or mirrored open-source software repositories, right? That's at level 3. So all of that stuff is taken from actual real threats that have been experienced. That's why I said whatever threats or whatever security concerns, put up an issue: hey, there's a new threat, because that can go into the framework, into the matrix, a mitigator can be assigned to it, and then of course the control can be assigned to that, and then that can be assigned to one of the levels, saying, hey, in order to meet this level you must apply this control, which mitigates against this threat.

All right, so we're out of time, but I want to thank you all for joining us. I hope it did clarify some of this stuff. I do want to point out that, you know, that's actually a characteristic of Linux Foundation projects, slash foundations: they're open to all. There's a membership if you want to support it financially, but it's not a requirement to participate in any of the work. So if you have any interest, please join us. This is the link to the main website, obviously, but there is a community calendar that's open. You can look it up and you can see all the calls that are happening throughout the week, and you can join. Don't be shy. We all started at one point. You can just show up, at first you say nothing, just look at what's going on, you listen in. Usually we make an effort to invite newcomers to introduce themselves, have a chance to say, hey, hi, this is why I'm here. But you don't even have to do it if you don't feel comfortable. And then slowly you listen in, and then maybe you'll feel more comfortable after a couple of calls and you can start speaking and contributing. Every contribution is very welcome. So I can only encourage you to join us. There is plenty of work to do, so please do so. And I want to thank my co-panelists today. Thank you all.