Description
Be sure to check out the Runtime Application Security planning board: https://gitlab.com/groups/gitlab-org/-/boards/1420735?&label_name[]=group%3A%3Aruntime%20application%20security
Hello and welcome to the 12.7 release kickoff for the Runtime Application Security group. I am Matt Wilson, senior product manager for the Defend stage, and I'm actually filling in for Sam Kerr, who is the normal product manager for this release. So let's jump right in and see what we have scheduled for the 12.7 release.

We'll take a quick peek at the Runtime AppSec board for the 12.7 release. We've got two main items that we're going to be targeting for this release. We're going to start with the second one.

First, the WAF statistics reporting. This is actually a very large item that's carried over from the last two releases; we just missed it on the 12.6 release, so we're going to tie it off in 12.7.

As a quick recap, WAF statistics reporting is really trying to let the users have a step of visibility beyond what was in the MVC of adding the WAF to the Defend stage. So right now, you can't really see what the WAF is doing in terms of traffic blocking, allowing, or how much it's actually even processing. So this is going to allow a minimal amount of information that is not available today in the GitLab UI. Here, this is an example of what we intend for a new section of the dashboard to look like.

So you see, we've got a new Threat Monitoring section, which is going to be under the Security & Compliance menu item off to the side, and it's just going to give a high-level overview. You'll see total requests and how much of that was anomalous traffic, so very basic, but it is the first visual indication of what kind of traffic is being processed by the WAF. So, again, that's carried over from 12.6 and we are targeting 12.7 for releasing that feature.

So this is something important that will help take the WAF from its current minimal maturity to viable, and really this is building on top of the out-of-the-box default, non-customizable rule set that it ships with today. So by adding the custom rules for the WAF we're going to allow users to start configuring. This can be things like how they're tuning for false positives, false negatives, or even performance impacts on the cluster, depending on how the rules are configured. It's likely not going to be a UI as part of this release; we are working with our UX team to figure out the best way to kind of expose the experience of configuring and tuning WAF rules in the GitLab UI. So for now, what we're actually proposing here is to allow the user to actually specify a file or list of files with ModSecurity rules, probably using an environment variable.

We are going to do this as a first step towards really allowing a little bit more point-and-click through the GitLab UI long term, but for now, if you know ModSecurity rules that you would like to enable, we're going to have a way to actually do that directly within the GitLab environment. As with the regular WAF, this will be GitLab Ultimate exclusive functionality as well. So that covers it.