Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / GitLab 13.6 Release Kick-Off / 16 Oct 2020
GitLab / GitLab 13.6 Release Kick-Off / 16 Oct 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Gitlab 13.6 kickoff - Secure:Dynamic Analysis

Description

Planning issue - https://gitlab.com/gitlab-org/gitlab/-/issues/250079
Direction page - https://about.gitlab.com/direction/secure/dynamic-analysis/dast/

A

Hi, this is derek ferguson senior product manager for the das group here at git lab, and I'm going to be going over today. What we're planning on working on in the 13.6 release of git lab. So the first thing that we're working on is adding more options into the site profile for the on-demand das scans.

A

We're going to be building on what we introduced in 13.5, with the site, validation and the text file validation by adding more validation types such as header, validation or meta tag. Validation. To allow you to validate that you own a website in multiple ways, not just by uploading a text file.

A

This will expand the validation to include rest api and websites, so you can validate any type of site for das scanning.

A

The second thing that we're going to be adding in into the site profile are the excluded, url options and additional request headers, as well as the ability to enable authentication so that you can use the on-demand das scans with authenticated sites, so that you can scan those one of the big features that we're working on is that we have started work on building up our own browser-based scanner.

A

So this scanner initially will provide a browser-based alternative for spydering to allow better coverage for modern applications, single-page applications within dast.

A

This is going to be a multi-milestone feature, so we are starting work on it in this milestone and we plan on making significant progress throughout the next few months.

A

The next and final thing that we're working on is that we are going to be working to improve the noise that happens on the dashboard with the das scans. When you have a large website and many vulnerabilities are found a lot of times. The same vulnerability can be found on multiple pages and when you have a large website that adds up to many vulnerabilities listed in the dashboard.

A

So in doing this, we're aggregating the vulnerabilities that have a single fix, such as headers uh back-end issues, things like that into a single vulnerability where each url, where this is found is listed.

A

This will allow you to create one issue for all of the pages, rather than trying to create multiple issues for all the pages when the fix is a single file or a single fix, so we'll be doing that this should cut down significantly on the noise within the dashboard and allow you to focus more on exactly what matters in the high and critical vulnerabilities that are found in keeping with this we're also disabling some vulnerability checks that are informational only and or have been deprecated such as the unix timestamp, vulnerability check.

A

This is an informational check and it really provides very little value if any uh to customers. So we're going to be disabling this and looking for other things that we can disable that have maybe been deprecated, because the headers have been deprecated or other things like that.

A

So that's what we're going to be working on within dast in 13.6. Thank you very much.