--- file 1 ---
[03:31.000 --> 03:48.000]  To be honest, I watched only the video, but I think there was a document, so I missed that.
[03:59.000 --> 04:11.000]  Yeah, the main question is, yeah, it was not a conceptual question, so just from a tooling perspective.
[04:11.000 --> 04:23.000]  So from one side, I understand why (you) used this sub-(graph) things and the detector and the refinement model.
[04:23.000 --> 04:37.000]  But I didn't really get why I need to create a refinement model to have these state property or the compliance property inside the model.
[04:37.000 --> 04:48.000]  For me, it felt more natural to have everything configured in the compliance framework, because at least I understood it like that.
[04:48.000 --> 05:06.000]  You had to set up the rule there as well and select a certain plugin and wire it with the detector of the model in [Winery].
[05:06.000 --> 05:17.000]  And stuff like that, and there I didn't really get why it is that necessary to have afterwards also this model property.
[05:17.000 --> 05:27.000]  Because also from a modeling perspective, it feels to me at least not natural to have this kind of property inside my node properties.
[05:27.000 --> 05:33.000]  This is maybe also just a tooling problem, of course.
[05:33.000 --> 05:44.000]  They could be hidden or stuff like that or different types of properties, but this was my main issue or main concern, not really question.
[05:44.000 --> 05:47.000]  Also a question, why?
[05:57.000 --> 06:19.000]  Okay.
[06:19.000 --> 06:24.000]  Okay.
[06:49.000 --> 06:59.000]  Yeah.
[06:59.000 --> 07:08.000]  So I get it. So the idea is to have this in kinds like instance properties.
[07:08.000 --> 07:18.000]  At the moment you deal with or when you are dealing with an instance model, then these properties get populated, but just for the instance model.
[07:18.000 --> 07:23.000]  Yeah. Okay. Yeah. And it makes sense. And if you have multiple nodes with, yeah.
[07:23.000 --> 07:25.000]  Okay. Yeah.
[07:25.000 --> 07:37.000]  Oh, I get it.
[07:37.000 --> 07:57.000]  Yeah.
[07:57.000 --> 08:10.000]  Yeah, I see.
[08:10.000 --> 08:35.000]  Yeah.
[08:35.000 --> 08:58.000]  So once the framework processes the instance model, the instance model is self-contained in a way because you just from looking at the instance model, you can tell if the if the model is compliant or the instance is compliant or not.
[08:58.000 --> 09:08.000]  Yeah.
[09:08.000 --> 09:13.000]  Okay. Okay. Yeah. I totally get it now. Okay.
[09:13.000 --> 09:22.000]  That's good.
[09:23.000 --> 09:27.000]  Yeah.
[09:27.000 --> 09:37.000]  I barely noticed.
[09:37.000 --> 09:46.000]  I'm a senior software developer.
[09:46.000 --> 09:55.000]  Traditional software engineering tasks like software design and software architecture, but also the implementation.
[09:55.000 --> 09:59.000]  And also a bigger part.
[09:59.000 --> 10:01.000]  It becomes bigger.
[10:01.000 --> 10:05.000]  It's also mentoring for, you know, for other people.
[10:06.000 --> 10:22.000]  I mean, I mean task, I would say.
[10:22.000 --> 10:40.000]  Yeah.
[10:40.000 --> 10:45.000]  Yeah.
[10:46.000 --> 10:59.000]  Or I must say, I hope so.
[10:59.000 --> 11:04.000]  Oh, God.
[11:04.000 --> 11:14.000]  Let's say, let's say 2012.
[11:14.000 --> 11:24.000]  Well, it's under 50.
[11:24.000 --> 11:38.000]  Nice.
[11:39.000 --> 11:52.000]  Yeah.
[11:52.000 --> 11:57.000]  Manual by checking the IaC scripts.
[11:57.000 --> 12:12.000]  Yeah.
[12:12.000 --> 12:19.000]  Yeah.
[12:19.000 --> 12:32.000]  Well, we have a kind of a, I wouldn't say comprehensive, but a, but a semi comprehensive [Excel], [Excel sheet] that lists.
[12:32.000 --> 12:33.000]  Yeah.
[12:33.000 --> 12:44.000]  Traditional or, or, or let's say common security issues when it comes to running software in the cloud or, or over the Internet.
[12:44.000 --> 13:02.000]  And there are certain aspects covered and we analyze each, each aspect and, and ask ourselves if, if we have this, this aspect covered on the one hand in our application software in our software code.
[13:02.000 --> 13:31.000]  As well, as well, as well as in our IaC scripts, or in our, our final deployment.
[13:31.000 --> 13:38.000]  Yes, of course. Yeah. At least the time consuming factor would, would, I would say, hopefully decrease.
[13:38.000 --> 13:48.000]  Yeah.
[13:48.000 --> 14:04.000]  Yeah, we need to, at the moment, we, we, we do not have a, have a fixed schedule where we check these rules. We, we just do this from time to time when we, when we think, okay, now it's, it's, yeah, it's again time to check them.
[14:04.000 --> 14:16.000]  And, and if there would be something machine readable or, or something that we can automate, we, we could do it with every release, for example, you know, this would be a big benefit.
[14:34.000 --> 15:01.000]  Yes, of course, yeah.
[15:01.000 --> 15:20.000]  Very rarely, not very often. I would, I would, I would have a year.
[15:20.000 --> 15:30.000]  Yeah, the thing is, our [Excel] list is, is very, as I said, it's, it's kind of high level. So there, there are different aspects.
[15:30.000 --> 15:49.000]  There's, there's a public list from the, from the [OWASP] group where they, where they publish their security concerns or a list of, of security concerns.
[15:49.000 --> 16:14.000]  For example, things like that, the communication to the outside should be never unencrypted and stuff like that. And, and, and, and from that very high level point, you need, of course, you have to break it down for yourself in, in, in, in smaller, some smaller pieces that apply to your architecture.
[16:14.000 --> 16:24.000]  And, and.
[16:24.000 --> 16:29.000]  Exactly, exactly. Yeah. Yeah.
[16:29.000 --> 16:43.000]  To summarize it very well now.
[16:43.000 --> 17:00.000]  From what I saw, it's, it's, it's, there, there are pretty good machine readable and also executable compliance rules for the infrastructure as code layer, but when it comes to, I don't know.
[17:00.000 --> 17:27.000]  A software as a service configurations or, yeah, a platform as a service configurations. It's, it's, it's, I don't know how to deal with, with such things compliance rules, but yeah.
[17:27.000 --> 17:46.000]  Yeah.
[17:46.000 --> 17:52.000]  Yeah.
[17:52.000 --> 18:05.000]  We assume that these plugins are already there or, or, or, or it's, it's, it's a part of defining also writing, writing these plugins.
[18:05.000 --> 18:09.000]  Okay.
[18:09.000 --> 18:29.000]  So just defining the rule in the UI seems pretty simple. And, and, and if you got the script parts ready and stuff like that, or, and, and as I said, if you have the, the right amount of plugins available, like script execution plugin,
[18:29.000 --> 18:41.000]  or I don't know if there's a plugin for Kubernetes, then I would say it's, it's, I, I say, I totally agree that it reduces the effort of defining and checking, but, but if you.
[18:41.000 --> 18:53.000]  It depends on the number of plugins. If, if you have to implement your plugins with every new compliance rule, I don't know, then it's, it's rather a tool.
[18:53.000 --> 19:03.000]  Got it. Okay. You, you have one time the effort and, and then you have the benefit of automation, but yeah, it's still effort.
[19:23.000 --> 19:48.000]  Yeah.
[19:48.000 --> 20:05.000]  I think you would, it depends on the compliance rule. I think you, for, for each, for each different compliance rule, you may need a different person to, to define the, the, the rules behind and also to implement the plugin.
[20:06.000 --> 20:26.000]  So I think a complexity perspective, it's, it's, it's, it's, it's highly specific on what kind of compliance you want to, you want to check if you, as you have shown in the, in the video, if you go, if you go on to the, on to the infrastructure layer, you need, you need people that are, are aware of
[20:26.000 --> 20:36.000]  shell scripting and, and, and, and aware of all these nuances in, in Ubuntu or in, or in Debian or in whatever
[20:37.000 --> 20:55.000]  distribution that could also be the case that the compliance with Ubuntu seems totally, totally different than for, I don't know, so, I don't know, yeah, so I think from, and there I don't see that it reduces the complexity much.
[20:55.000 --> 20:58.000]  Therefore, I would say it's a, it's a, it's a tool. Yeah.
[20:59.000 --> 21:23.000]  I see benefit into automation, to, to be honest, if you, if you once have it ready, then, yeah, exactly, exactly, you know, yeah.
[21:23.000 --> 21:26.000]  Then I would say, yeah, totally agree.
[21:41.000 --> 21:42.000]  Yes, I (totally) agree.
[21:53.000 --> 22:07.000]  I would create from an instance model, a C4 model.
[22:07.000 --> 22:10.000]  I'm not sure if you are aware of C4 model.
[22:18.000 --> 22:19.000]  Yeah.
[22:20.000 --> 22:21.000]  Okay.
[22:23.000 --> 22:28.000]  It's like a UML that, that, that, that diagram on, on different perspectives.
[22:28.000 --> 22:37.000]  So, so C4 model is like, it's like you create a layered architectures or diagrams.
[22:37.000 --> 22:48.000]  So, well, you start on the first level where you, where you highly shape your, your, your overall system and you, and you identify your,
[22:48.000 --> 22:51.000]  your, your upstream systems.
[22:51.000 --> 22:55.000]  So, so the systems you do not have under, under your own control.
[22:55.000 --> 22:56.000]  Yeah.
[22:56.000 --> 23:11.000]  And then you, and then you go, and then you go one step, um, um, the further and you, and you identify your, your main components that are, that are shaping your overall application system.
[23:11.000 --> 23:15.000]  And then you can go or you, or you may go on one step deeper.
[23:15.000 --> 23:34.000]  And then you, you, um, you, you can, um, create a class, class diagram of each component and to visualize how, how the components itself are, um, are constructed and, um, and stuff like that.
[23:34.000 --> 23:40.000]  And then you see four, or the fourth layer is then the actual source code, but that's, that's, yeah.
[23:40.000 --> 23:53.000]  Or the idea is that you can link, um, or, or the whole idea behind this, the C4 approach is that you, that you can also generate, um, from your existing code.
[23:54.000 --> 23:58.000]  Um, such a model, you know, so automatically, but also vice versa.
[23:58.000 --> 24:07.000]  So if you specify the model beforehand, you can, you, you could be able to generate some, some stubs and, um, I mean, skeletons out of it.
[24:07.000 --> 24:16.000]  So, so that, and at every point in time you have a link between the actual source code and the, and the overall architecture.
[24:16.000 --> 24:18.000]  That's the, that's the idea.
[24:23.000 --> 24:42.000]  Yeah, it's, it's, it's rather the software design instead of the, the actual, let's say the deployment aspects of it.
[24:42.000 --> 24:47.000]  You capture some aspects like, like some aspect aspects.
[24:47.000 --> 24:52.000]  This is a container or this runs on an Ubuntu system, but you do not capture.
[24:52.000 --> 24:55.000]  Um, on what port or stuff like that.
[24:55.000 --> 24:56.000]  Yeah.
[25:01.000 --> 25:07.000]  I would do it manually or by checking if there are already IaC scripts in place.
[25:07.000 --> 25:17.000]  I would check the IaC scripts and, and, um, and check it, let's say side by side for, for each component or for each deployable component.
[25:22.000 --> 25:25.000]  No, no.
[25:52.000 --> 26:05.000]  Yeah.
[26:05.000 --> 26:14.000]  Yeah, I would say (four) I'm not sure if this is, if this is always valuable to see the actual running application instances.
[26:14.000 --> 26:20.000]  But, but for some, for some, for some degree, I agree.
[26:25.000 --> 26:26.000]  It's true, it gets true.
[26:26.000 --> 26:27.000]  Yeah, for full.
[26:37.000 --> 26:39.000]  All good, all good.
[26:39.000 --> 26:40.000]  Fun.
[26:45.000 --> 26:52.000]  It.
[26:52.000 --> 26:59.000]  In, in, in, in high level terms, we create an issue and, um, and fix it.
[26:59.000 --> 27:11.000]  And then we deploy a new version of the, of the, of the, either of the, of the, of the application component itself or, or, or we apply a different.
[27:11.000 --> 27:15.000]  compliant configuration manually.
[27:22.000 --> 27:23.000]  Exactly.
[27:23.000 --> 27:24.000]  Yeah.
[27:42.000 --> 27:43.000]  Yeah.
[27:43.000 --> 27:46.000]  We, we do everything completely automated.
[27:46.000 --> 27:48.000]  We, we have a pipeline.
[27:48.000 --> 27:54.000]  Oh, um, sorry.
[27:54.000 --> 27:56.000]  Forgot the term.
[27:56.000 --> 28:02.000]  When you do not alter your infrastructure, you, you always, you always create new entities.
[28:02.000 --> 28:06.000]  How's that, how's that, that term?
[28:06.000 --> 28:08.000]  How's the, the term?
[28:17.000 --> 28:18.000]  Yeah.
[28:27.000 --> 28:29.000]  Damn it. How's it called?
[28:29.000 --> 28:31.000]  Is it?
[28:37.000 --> 28:39.000]  It's immutable architecture.
[28:39.000 --> 28:40.000]  Sorry.
[28:40.000 --> 28:41.000]  My bad.
[28:41.000 --> 28:41.000]  Yeah.
[28:41.000 --> 28:42.000]  Yeah.
[28:42.000 --> 28:44.000]  So we apply, um, the concept of immutable architecture.
[28:44.000 --> 28:54.000]  So we are not able to, to, to change any configuration at, at runtime, because on the next deployment, it, it will get overwritten.
[28:54.000 --> 28:56.000]  So we do everything.
[28:56.000 --> 28:59.000]  Um, let's say kind of model based.
[28:59.000 --> 29:00.000]  Yeah.
[29:00.000 --> 29:02.000]  In a, in a, in a.
[29:03.000 --> 29:06.000]  Oh, not model based, but declarative based.
[29:06.000 --> 29:07.000]  Yeah.
[29:07.000 --> 29:22.000]  And, and, um, and use the IaC tool to, um, to, to calculate the new diff and, and to deploy these, these, these, these changes into, into our environments.
[29:33.000 --> 29:34.000]  Yeah.
[29:34.000 --> 29:35.000]  Yeah.
[29:35.000 --> 29:36.000]  Yeah.
[29:36.000 --> 29:37.000]  Yeah.
[29:37.000 --> 29:44.000]  Yeah.
[29:44.000 --> 29:45.000]  Yeah.
[29:45.000 --> 29:52.000]  Yeah.
[29:52.000 --> 29:53.000]  Yeah.
[29:53.000 --> 29:54.000]  Yeah.
[29:54.000 --> 29:58.000]  Yeah, for, for stuff like that, we, um,
[29:59.000 --> 30:00.000]  Okay.
[30:00.000 --> 30:02.000]  I will summarize this as a, as managed services.
[30:02.000 --> 30:05.000]  So for managed services, we consume.
[30:05.000 --> 30:09.000]  We, we, we apply manual configurations.
[30:14.000 --> 30:18.000]  Like cloud services from Google or AWS or whatever.
[30:28.000 --> 30:38.000]  Yeah.
[30:38.000 --> 30:39.000]  Yeah.
[30:39.000 --> 30:40.000]  Yeah.
[30:40.000 --> 30:43.000]  If you, if you do have a plugin, yeah.
[30:43.000 --> 30:44.000]  Of course.
[30:44.000 --> 30:46.000]  I totally agree.
[30:46.000 --> 30:49.000]  But if you do not have a plugin, then now.
[30:49.000 --> 30:52.000]  It would be done also two or three.
[30:53.000 --> 30:54.000]  Let's say two.
[30:54.000 --> 30:55.000]  Yeah.
[31:23.000 --> 31:25.000]  Yeah.
[31:25.000 --> 31:27.000]  Yeah.
[31:27.000 --> 31:30.000]  I'm just thinking about this database.
[31:30.000 --> 31:32.000]  The user use case you.
[31:32.000 --> 31:33.000]  Only in the video.
[31:33.000 --> 31:37.000]  So if, if we would apply this to our architecture.
[31:37.000 --> 31:39.000]  This would mean that.
[31:39.000 --> 31:43.000]  So at the moment, we consume each database as a.
[31:44.000 --> 31:46.000]  As a service from Google.
[31:46.000 --> 31:51.000]  So we would need to, uh, a plugin to understand.
[31:51.000 --> 31:56.000]  Um, what kind of databases we use in the Google cloud.
[31:56.000 --> 32:00.000]  And they, the plugin needs to check.
[32:00.000 --> 32:03.000]  Um, if the user, um, is, is, um,
[32:03.000 --> 32:05.000]  Or needs to read.
[32:05.000 --> 32:06.000]  Yeah.
[32:06.000 --> 32:09.000]  The users from the, from the configured database.
[32:09.000 --> 32:13.000]  And also needs to needs to alter the.
[32:13.000 --> 32:18.000]  So when it comes to fixing needs to also alter the configured user
[32:18.000 --> 32:20.000]  via the Google APIs.
[32:28.000 --> 32:29.000]  Yeah.
[32:29.000 --> 32:30.000]  This is.
[32:30.000 --> 32:32.000]  Exactly, no, no.
[32:32.000 --> 32:33.000]  Yeah.
[32:33.000 --> 32:34.000]  Yeah.
[32:34.000 --> 32:35.000]  Yeah.
[32:35.000 --> 32:36.000]  Yeah.
[32:36.000 --> 32:37.000]  Yeah.
[32:37.000 --> 32:39.000]  Mm.
[32:39.000 --> 32:40.000]  Yeah.
[32:40.000 --> 32:41.000]  Yeah.
[32:41.000 --> 32:43.000]  We are exactly, exactly.
[32:43.000 --> 32:59.800]  All you need to use to plane, to plane API, but this would make you happy because of the
[32:59.800 --> 33:25.800]  authentication bullshit, and, uh, it's,
[33:56.800 --> 34:17.800]  Hard to tell because I have never researched about compliance frameworks,
[34:17.800 --> 34:39.600]  so it seems nice, but from a conceptual perspective, I don't know if this is a novel
[34:39.600 --> 34:48.840]  approach, I don't know, but it seems you use or incorporate well-established concepts
[34:48.840 --> 34:59.560]  from this instance model or deployment model stuff, and combine that with this compliance
[34:59.560 --> 35:09.160]  layer and the way you designed the tool in a way that also the rules and the plug-ins
[35:09.160 --> 35:15.400]  behind are kind of decoupled, makes it very flexible, but also on the other hand, not
[35:15.400 --> 35:24.480]  that usable, you know, from a user or from a simplification perspective, I would say.
[35:24.480 --> 35:52.520]  So, from what I have seen in the video, it is very good and very extensible from what
[35:52.520 --> 35:59.240]  I saw, so you can define your rules, your own rules, you can extend it with new rules,
[35:59.240 --> 36:06.640]  but you can also extend it with new plug-ins that enable you to run or incorporate, let's
[36:06.640 --> 36:18.600]  say, more advanced or more complex rules. And the whole tooling, I think, it's steht und fällt
[36:18.600 --> 36:32.680]  with the plug-ins, I don't know how to say it in English. Yeah, but it's always
[36:32.680 --> 36:51.560]  the case, I think. We would at least do a proof of concept if there would be plug-ins
[36:51.560 --> 36:58.560]  for Kubernetes and any Google Cloud.
[37:21.560 --> 37:46.160]  Okay, but just for the instance model creation, I'm just curious, are you using, how do you
[37:46.160 --> 37:54.880]  instrument the plug-in? Do you say, now let's inspect the namespace A, B, and C, or do you say,
[37:54.880 --> 38:15.920]  just, okay, cool. How do you detect if an application connects to database if the database is not
[38:15.920 --> 38:39.800]  part of the cluster? Yeah, I see. Yeah, for sure. That's what I want to do.
[38:45.920 --> 39:09.040]  Yeah. Yeah, yeah. My general impression is it's a nice tool, but I think it would be at the moment,
[39:09.040 --> 39:23.920]  so from what I saw, would be a lot of effort, I think, to instrument. It needs to, at least we
[39:23.920 --> 39:34.640]  would require, let's say, a basic set of compliance rules applicable for our tooling before we
[39:35.120 --> 39:44.000]  really start investing in it or start using it, I would say, because our time is unfortunately very
[39:44.000 --> 40:00.560]  limited. Compliance rules, exactly. For example, a repository would be nice where you have the
[40:00.560 --> 40:09.440]  compliance rules, according to the OWASP, top 10 or top 20 security common issues, I don't know,
[40:11.440 --> 40:19.120]  if these things are already captured in compliance rules for Kubernetes, for example,
[40:19.680 --> 40:22.880]  this would be very, very, very beneficial for us.
[40:28.240 --> 40:38.240]  And I think, yeah, I mean, research-wise for you guys, this is of course nice to have, but for
[40:39.120 --> 40:49.360]  for a general open source tooling, that would be, I think, also the starting point to, let's say,
[40:49.360 --> 41:00.880]  to make it big, so from a project perspective, because Kubernetes is widely used, and
[41:00.880 --> 41:10.320]  yeah, and with these kind of things, you could get famous in that area, I don't know, maybe.
[41:15.280 --> 41:17.360]  But yeah, it's open source, I don't know.
[41:21.120 --> 41:24.000]  If trust-of-getting famous is a good thing,
[41:24.000 --> 41:36.880]  that. And I had one more thing in my mind, but I forgot it when I was talking just a second.
[41:36.880 --> 41:47.680]  Yeah. Oh, it passed. I forgot it. It wasn't that important, so.
[41:56.240 --> 41:58.320]  No problem. Flexible.
[41:59.280 --> 42:05.040]  Yeah, thank you very much for your help.

--- file 2 ---
[00:00.000 --> 00:04.640]  whether you have independent teams that are writing services and pushing and deploying.
[00:05.440 --> 00:10.400]  So I think you need something if you are in that stage
[00:11.920 --> 00:18.560]  that checks the configuration of the whole cluster so that it is not happening that some services
[00:19.360 --> 00:25.920]  service is just having access to the Internet or could be accessed from the outside for some reason.
[00:26.880 --> 00:35.600]  Yeah, this would fall into like design time compliance checking, which I think is also really important.
[00:36.880 --> 00:42.720]  We didn't choose to work on it because it's hard to sell in academia because it's
[00:44.400 --> 00:50.080]  [redacted] did that in the paper beforehand, but not for competitors.
[00:50.080 --> 01:01.360]  If I can if I can find our if you are interested our compliance document
[01:04.080 --> 01:08.160]  I think this is this is club if
[01:13.120 --> 01:15.120]  Can I share? Yeah
[01:15.920 --> 01:18.720]  from an access sorry. Yeah, yeah, yeah.
[01:23.040 --> 01:24.080]  Oh, yeah.
[01:25.920 --> 01:32.400]  So and and our comp let's say compliance rules are mostly also security concerns.
[01:33.120 --> 01:39.440]  That's like, as I said, it's it's it's I would say not even on the infrastructure or operating
[01:39.440 --> 01:46.320]  system level, but not on a higher higher scope. So for example, you say authorization. Yeah,
[01:46.320 --> 01:53.360]  that there are that there are strong ACLs and use to enforce them,
[01:53.360 --> 01:59.680]  authorize access to some resources. And we say it's okay because we do this in that
[01:59.680 --> 02:06.960]  blah or that we that we hear from a configuration management perspective that we that we use
[02:06.960 --> 02:13.200]  least privilege processes. Yeah, or that we apply at least
[02:14.080 --> 02:20.400]  least privilege configuration for all of our of our service accounts in the cluster and stuff like
[02:20.400 --> 02:32.400]  that. This would be would be very handy to check automatically. Yeah, but but a lot of things are
[02:32.400 --> 02:39.120]  also let's say not not only deployment perspective Sonon or it's it's it's rather
[02:40.560 --> 02:46.720]  yeah, also implement it's also an implementation perspective. Yeah, so so so how do you deal with
[02:46.720 --> 02:54.320]  logging and I mean auditing your stuff. Yeah. Yes, or how do you deal with users set it with with
[02:54.320 --> 03:01.920]  users sessions. Yeah. In the application, right? The application exactly so stuff like that. I'm not
[03:01.920 --> 03:08.880]  sure if this is also so so this is what we use as our compliance rules, but I'm not sure if
[03:08.880 --> 03:14.960]  these are really compliance rules in a in a in a traditional compliance rule sense, you know what
[03:14.960 --> 03:25.120]  I mean. Yeah, I don't know. It's it's it's blurry between like like just requirement like application
[03:25.120 --> 03:31.520]  requirement or a compliance rule. It's and I don't think there is a clear border between these
[03:31.600 --> 03:40.160]  two concepts. Yeah, it depends it depends where do you get this rule from I guess. If you get it
[03:40.160 --> 03:47.280]  from a catalog that's labeled as compliance then it's compliance. So I think companies care about
[03:47.280 --> 03:55.680]  this compliance certification. So if some rule goes into the test that will be conducted in
[03:55.680 --> 04:01.760]  order to obtain some certification, then it's considered compliance. Like there's there's this
[04:01.760 --> 04:10.000]  ISO, I don't know which number one to seven. Okay, nine thousand is this quality. But yeah, no, there's this like
[04:11.120 --> 04:20.400]  ISO standard for compliance, security compliance of application systems. And yeah, it it has certain rules.
[04:21.360 --> 04:25.920]  Yeah, so that's what people usually call compliance rules.
[04:27.120 --> 04:32.800]  Yeah, you know, yeah, here is the threat modeling process. So we use this this threat modeling
[04:32.800 --> 04:38.880]  approach as our at the moment as our as our compliance rules. Thank you if you want to
[04:40.160 --> 04:49.440]  yeah, that's that's interesting as a related work or as a background. Yeah, yeah, threat modeling
[04:51.200 --> 05:00.960]  but yeah, that's that's my five cents. Yeah, thank you very much. But no, yeah, you are right,
[05:00.960 --> 05:10.560]  if you are if you are in the sharing state, you cannot easily go back. Ah, you own. Yeah,
[05:10.560 --> 05:34.560]  Oh god, what is this? Yeah, I get stopped. Okay, it's weird Webex. Okay, I don't get it. Okay. So you're at home. Yeah, I'm at home. Always at home. But next week,