From YouTube: GitLab 13.10 Kickoff - Secure:Threat Insights
Description
See what the Threat Insights team will be working on for the GitLab 13.10 release.
A
Now, this is a little bit different than what you may see in some of the other groups, and we really thought that this was interesting because we're using this, because we tend to work off of a mixture of epics and individual issues.
A
So the individual issues tend to be for smaller items. We use epics if we have a particular feature that we want to break down into multiple MVCs. Each MVC gets its own epic, and we find that it's an easier container to attach some of the different front-end and back-end tasks to, so it's not all kind of in one place, and we can also have a separate design issue as well. So for us this works.
A
This is the Threat Insights priorities issue. You're welcome to visit and follow along if you'd like. At any point, this is going to stay up to date. It's not necessarily what we will be working on in the current milestone. The idea is, this is just the ordinal priority of the major feature work over the next several iterations, so as things get finished up, we'll take them off the top. If priorities change, you'll see them rearranged or inserted here below.
A
So this is kind of the background context for what we're about to see in the video, and in fact, you'll see at the very end there was an addition, this one right here, which is a small customer request that I really wanted to see get into 13.10, and we had sort of pushed it back starting work for a little while, and we actually had a great group discussion about making some trade-offs in the current iteration for it, so that we can slot it in.
B
D
E
D
I assumed you gonna do it. All right, let me share my screen, so that'll give me a chance to open on my window the priorities issue for Threat Insights. So number one: Jira integration. Number two: generic security report. Number three: filter project vulnerability report by vendor name. Number four: bulk updates. Number five: dismissal types and reasons. Thank you, and everybody else can read now for themselves.
D
So back to the board, starting with blocked, we have that MR refactors top, waiting on something else to block it, the Jira, which is the number priority, so maybe that should be at the top, Lindsay. Feature flag. Thank you, then.
D
The third one is about the generic schema and it's blocked by something else, and my refactor, I think, is, yeah, it's right, it's below the generic schema, and then all the other issues below that, I believe, are related to a technical debt epic, to remove project fingerprint and to remove raw metadata, so two different epics there, and then at the bottom.
D
That is priority number five, dismissal types, yeah.
B
So that should come up as well. So Thiago and I switched, we've been kind of back and forth about how we're indicating that something's blocked, between just having it in the ready for development with it indicated that it's blocked by having a blocker issue. We pulled all of those items into this blocked column just before this call, so you're wondering why those moved around. We'll have to make sure that we catch when they're unblocked and move them back into the right priority order and ready for development.
B
D
So far so good. So the intent of this is to cause anyone who doesn't recognize an issue or disagrees with the priority to speak up. So please feel free to interrupt me as I'm blabbering down. So now, I'm ready for development.
B
I want to call out that, because Thiago and I prioritize these issues, these lists, separately between front end and back end, it's just sort of resulted that the back end is at the top of the list, and the front end is below that. That doesn't mean these are higher priority issues. I assume that most people, when they come in, they're looking at their filtered list and they see just front end or back end, and then you would see the correct priority in that sense.
D
We're learning here, so we'll see if this works and then we tweak the format. It's the first time we're doing this. So in ready for development, for the back end, the first one is enabling, I believe, the priority number three, the filter project vulnerability report, so that's in there so we can unblock the front end. The second one, dismissal, so that's priority number five again. It's there so we can unblock the front end.
D
D
F
F
D
And I said I wasn't gonna do refinement, but just because the generic security report is a blatant absence from the ready for development, it's in there, that's the top issue there, it's just so we can do the validation.
B
B
I do think that Thiago has done a better job of pruning down the amount of work that is in 13.10 from back end's perspective, so some of the items for the front end may need to move out to a future milestone. So just going through, I'm going to kind of skip over the refinement. These are mostly bugs, with the exception of this top issue, that Daniel's been working on the plan for what this new schema should look like, and this is dependent on, the refinement of this is dependent on that spike.
B
That is in progress right now, so that's why that's sitting there. The rest of these are bugs that we hope to get into the milestone, but we do have a lot, like I said, a lot on the plate already. We've already talked a little bit about what's blocked. Enabling the Jira for vulnerabilities: this is the removal of the feature flag, so it's blocked on actually launching that feature flag, which we're very close to this.
B
B
Some wrap-up work on the timeline chart, vulnerabilities over time, and then some more debt. I know we have work around the generic schema, but that's still in 13.9 and in progress, so, and I think that's worth just looking at because I didn't move all of the issues over from 13.9 for the front end that are in progress.
B
Just to call out that we've got a lot of the high priority issues still sitting here in 13.9 that will need to be moved. Yeah.
D
B
It would be really nice to get to do the group by epic for this view, to be able to look at things across front and back end. It's just, it's very slow performance-wise and a little buggy, and we've got a lot of epics listed. So I think that's one area that we can improve, to be a little bit more focused and not have as much going on.
B
C
D
It looks pretty straightforward to me.
D
A
No, this is great. Thank you both for helping clean this up. It's going to take me a few hours to at least get caught up in what I missed the last couple days. So if there's anything on fire, just ping me directly and I can look at it quickly, but I've had about 45 minutes of online time in the last two days, a lot to catch up on.
D
E
A
Like it. It's, I want to make sure, is that going to be too much for you and Lindsay to do something like that every time? I know you did all the heavy lifting on this one.
D
D
I wish we could have done that same thing, but we'll do it next week. But if it's a format that people appreciate, and I like calling out the priorities, so the team understands why they're working on something, and it just gives you another chance to say, hey, this is in the wrong spot, or I don't see, and also, if there's something that, Matt, you believe should be in there, we can also use that to say, okay, what do you want to take out then?
D
A
I liked it. I think we had the right mix of feature work, high priority bugs, and then some of the technical debt too. I certainly don't want any of that to get out of hand. I didn't see anything that looked obviously out of place. So no, it looked great to me. Awesome.
D
D
C
I'm here because Lindsay mentioned you were going to do a milestone kickoff today, so I love seeing that visibility, transparency. I think it's something I've desperately been wanting for myself. So I'm happy to see what other groups are doing. So thank you.
B
B
We may have to look at priority and adjust if you want to still pull that in. Is that something that you want to try and do? Because if so, we should take a couple minutes and talk about that issue right now.
A
Well, let me look at this one again. So it was actually suggested by a customer. That was why I was trying to get it in. It did seem like it would be, hopefully, pretty small, since we're just extending what's already there in the export, and I think that these are both pieces of information we've already got.
B
So we could take a look at some of the lower priority feature items, or, Thiago, whether there's some technical debt that we could move.
F
D
Like, there's one thing for the back end that, I believe, it's being refined, which is the API to manually create vulnerabilities. That is a far priority for us. That's number eight, but the reason I put it there is because it helps DAST. Could ditch that one, but there's probably tech debt that I clean up as well. So if we want to agree for this to be a deliverable, I can make room for it.
F
B
A
It's just the date detected and then, depending on what type of vulnerability, the location, so we'll have a location field. So if it's file path, name, line number; URL if it's an endpoint, like for DAST; and for containers, we're going to get the image name and the container location, basically exactly what we would display in the vulnerability details today.
D
I see no carrots in there, but I just read it and I think I understand it, so I'm carroting it, and Shubhash's, you probably didn't have a chance either, and I don't think you've worked with this before. I don't see this being higher than a two, because all the fields already exist. It's literally just adding the fields to the CSV export. There might be a little bit of, you know, dealing there with the conditional on the location.
D
So you can serialize that correctly for the right type, because dynamic analysis will have a URL and a path, and static analysis will be a line number somewhere. So we just need to account for that, but that's my feeling. Which means, Lindsay, do you mind sharing the board, so we can pick two points to yeet into 13.11?
F
B
Okay, Daniel or Sebastian, do you guys, either of you, have questions about that issue or concerns from us moving it into refinement?
E
Yeah, so we added recently block path as well in the location in the GraphQL. Should we add block path as well, like in the location things? I don't know.