Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / 12.6 Release Kickoff / 14 Nov 2019
GitLab / 12.6 Release Kickoff / 14 Nov 2019
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: GitLab 12.6 Kickoff - Manage:Compliance

Description

GitLab 12.6 Kickoff for the Manage:Compliance Group.

Group-level compliance dashboard MVC: https://gitlab.com/gitlab-org/gitlab/issues/35284

Extend audit events API for gitlab.com: https://gitlab.com/gitlab-org/gitlab/issues/34078

Inventory all PAT/SSH credentials in a single view: https://gitlab.com/gitlab-org/gitlab/issues/32463

Enforce entropy requirements for passwords: https://gitlab.com/gitlab-org/gitlab/issues/18515

A

Hi everyone, my name- is Matt Gonzalez and I'm, a product manager at gate lab representing the compliance group for the manage stage, and this is the kickoff video for twelve six and so we're gonna walk through the issues that we feel are most beneficial and valuable for our particular enterprise customers, but really any organization. That's focused on compliance in the rate of regulatory context may be an internal program, and so the the first issue that we're excited to get out is this group level compliance dashboard MVC.

A

We feel that there's there's a lack of insight or visibility into what's happening within a get lab environment customers who have multiple projects, complex environments, don't really have a quick and easy way to see what's happening from a compliance perspective, they have a lot of policies or procedures that they need to follow, but they don't really have a way to validate that they're following them and so part of how we're gonna achieve that goal is building out a simple dashboard for now that shows the latest activity that's happening across all of the projects and will iterate or, as we iterate we'll start building out additional features such as did it pass policies that were set for the projects?

A

Did it pass security scanning? Did it go through the appropriate code review process? We want to make sure that we're equipping our customers with the information they need to rest easy, knowing that their gate lab environment is compliant.

A

So the other future that we're excited about is extending our audit events API to get lab comm customers right now.

A

Self-Managed customers have access to this API, but if you're, a comm customer, there's there's not quite the same ease of access to the activity, that's occurring within your environment, so this particular feature is part of a much larger epoch that we'll be iterating on this API, to make it more verbose to meet the more complex needs of our customers with respect to API endpoints that help connect them with the data or the activity that their environment is generating.

A

The the plan here is to make it so that you can answer any question about who did what? Why did they do it? When did they do it, and what was the purpose for doing that action among any other, any other problem spaces that we discover from our customers.

A

The third issue we're looking at is releasing an inventory of existing credentials for an environment, so right now we're look, we're scoping it for personal access tokens and as a sage credentials, though, that may change a little bit to scope it down to something a bit more minimal. But the idea here is that we want to be able to give you again on that theme of insight or visibility. We want to give you insight into what's happening within your environment.

A

We want to let you know how many users have what credentials when were those credentials last used? When do they expire to empower you to make decisions about any actions that might you could take in in future? Iterations we'd like to empower you further to say: if you know you need to enforce an expiration or a rotation policy, you can do that if you want to manually expire a token or a credential, we want to be.

A

We want to empower you to do that, and so this is step one for a much larger vision, so we hope you'll be as excited about it as we are and the last issue that we have scheduled for twelve six is enforcing entropy for passwords for new users and so based on based on our research and feedback from customers.

A

We feel that NIST's guidance in terms of length and complexity for passwords versus necessarily divine defining specific rules that must be adhere to is is the best iteration to start with. Get lab has actually deployed this policy internally for our own, our own team or in employees, but we'd like to bring that power to our customers, starting with self managed, so self managed. Customers will be able to set some basic and tree requirements for new user passwords, and this will apply to passwords that are reset going forward as well.

A

The idea here is that we want to be able to help enforce password policies that exist within your organization and future iterations will help to build upon this concept to add additional features such as allowing you to customize. If you want the the rules that might exist for the password complexity, to enable you to set password expiration rotation and even present user friendly elements in the UI to show a new user, how strong their password is all all within the context of supporting our customers and their compliance efforts.

A

So these are the big issues for us in 12.6, in the compliance group for managed, and we hope you enjoy them.