Description
Tune in to learn about an exciting update to the GitLab Secure Direction and our newest Fuzz Testing solutions!
Press Release: https://www.globenewswire.com/news-release/2020/06/11/2046908/0/en/GitLab-Acquires-Peach-Tech-and-Fuzzit-to-Expand-its-DevSecOps-Offering.html
Learn more about our plans on our fuzz testing direction page at https://about.gitlab.com/direction/secure/fuzz-testing/fuzz-testing
Give us feedback on our feedback issue at https://gitlab.com/gitlab-org/gitlab/-/issues/221137
A
When we talk about Secure, we're talking about helping you proactively identify vulnerabilities and weaknesses to reduce your overall risk, and that's part of shifting your security left. And again, that includes categories such as SAST, DAST, dependency scanning, and recently we launched our vulnerability management module, which gives you nice dashboards and in-pipeline reports, and things like that. We're not going to talk about Defend today. That's our other stage as part of our security story here, but that's allowing people within their operations side to have security visibility.
A
And with that, we would like to announce today that we have acquired two companies, Fuzzit and Peach Tech. Fuzzit is focused on coverage-guided fuzz testing, where you're able to have access to the source code and be able to fuzz individual functions. Fuzzit has been a leader in continuous fuzz testing, where testing can be done on a regular basis to help get better code coverage. Peach Tech has been a leader for many years within behavioral fuzz testing. This is where you're fuzzing against a live application or service, and you're sending inputs and receiving the output to identify what component needs to be fuzzed next. And with both companies being acquired, GitLab is in a very unique position to be able to offer both sides of fuzz testing, giving our customers and our users a wide range of new security capabilities and helping them find vulnerabilities before someone else does. And with that, I would like to hand it over to Sam to go over fuzz testing and our next steps.
B
All right, thanks David. So I wanted to talk a little bit about what fuzz testing is before we start talking a lot more about the details and where GitLab is going to be going with it. At a high level, fuzz testing is all about providing your application random or arbitrary sorts of inputs to see how it reacts. In a lot of cases, when your application is given those types of inputs, it will crash or behave in some way that is unexpected, and these crashes are unexpected behaviors.
B
These are parts of your app that could potentially be exploited, or they are at least flaws in the business logic of your application, which you are going to want to resolve. And so, with that in mind, there are a couple different ways that fuzz testing can be done. Fuzzit and Peach both take different approaches that are very complementary, and using both provides far better results than you would get by just using one by itself.
B
Fuzzit is focused on coverage-guided fuzz testing, and what this means is that Fuzzit is using contextual information from the source code of the application itself to understand how to better fuzz your applications using that context. In contrast, Peach is doing what we call behavioral-based fuzz testing, and what this approach is all about.
B
What's really exciting about both of these approaches, though, is that we can leverage review applications so that you can do fuzz testing as part of your developers' workflow before pushing the application to production, and this is going to let you shift security further left in those developers' lifecycle.
B
So if we look at our roadmap and where GitLab is going with this, we have a few milestones I wanted to highlight for you. Our initial preview release of fuzz testing we're going to be releasing later this summer, and this is gonna be focused on coverage-guided fuzz testing for Golang applications. This is going to be leveraging the Fuzzit technology, and we're really excited to be releasing it to the market and getting you to use it. In fall of this year, we're going to be releasing fuzz testing.
B
Additionally, we're going to be adding coverage-guided fuzz testing support for additional languages such as Python, Java, C and C++. In the beginning part of next year, we're going to be moving fuzz testing to what GitLab calls our viable maturity state, and what that is going to involve is using the behavioral-guided fuzzing technology from Peach in different places such as our DAST scanning, so rather than using the ZAP open source project that we use today, we're going to be leveraging a lot of the new technology that Peach brings.
B
Additionally, we're going to be offering support for coverage-guided fuzz testing for all the languages that GitLab supports, in addition to those ones that I mentioned earlier. We're also going to be working on making the workflows in the UI have more context to allow you a better experience using these fuzz testing products. And further out in the future, our future goals with fuzz testing include providing support for more advanced fuzz testing use cases, as well as providing protocol support for behavioral-guided fuzzing, including for file fuzz testing.
B
This is an advanced use case which we're happy to support, but I did want to also highlight that fuzz testing is a really great set of technologies, but AST is much bigger than just fuzz testing. GitLab Secure offers multiple different types of scanning like SAST, container scanning and others, and all of these together allow you to accurately and continuously assess the security of your application before it's being pushed to production.
B
So you can identify and remediate issues sooner rather than later. But what's most exciting about this, and the unique value that GitLab is bringing with this approach, is that all of these security techniques are woven throughout the lifecycle of your application and the way that your developers work on a daily basis. Developers are not being required to use an additional tool or go to some other third-party portal. All of those security results are in context with the work that they're doing as part of their day.