From YouTube: Intro to Security at GitLab
Bad things aren't always intentional malicious actions either; they can be accidents or events caused by failing to do something. What kinds of impacts could happen, and what does it mean to minimize or reduce them? How can we learn well from incidents, avoiding the blame game in favor of making systemic change?
Understanding security requires understanding risk. Taking a risk-based approach is something almost everyone does every day without thinking. We talk about risk in terms of how likely an event is to happen and what the consequences or impacts would be if it did. As an example, say you're headed out for a walk and there are dark clouds in the sky. It's likely to rain, and the impact is you'll get wet, so you'd address or mitigate that risk by wearing a rain jacket, or maybe you avoid the risk entirely by delaying your walk until later.

A higher-level strategic risk could be losing your job. You might reduce the likelihood of that by engaging proactively with your manager, or mitigate the impact by saving some cash in reserve and keeping your resume up to date, and hopefully that risk never eventuates.
How difficult is it to identify and exploit this vulnerability? Do you need the victim to interact as part of this, or can you do it yourself anytime, and what kind of access might you require first, like a user account or an administrator account? Then there's impact. Reputational damage might occur, affecting your current customers, who might decide to leave, or prospective customers, who might decide to go with a competitor.
There could be legal or regulatory impacts; both of those could lead to financial impacts like loss of revenue or fines. There's the business disruption of having to deal with this event instead of doing the things you'd rather do, like developing features or engaging with your customers. Then there can also even be health and safety risks. Even though we're talking about technology, it can have a real impact on people, especially your own people, as they deal with these security events.
Finally, we determine the risk based on the combination of likelihood and impact, and we usually describe that as low, medium, high or critical, and that will most often determine how quickly the business responds to an event. For example, a critical risk would be addressed very quickly and would probably be talked about at senior levels of the business. Low, everyday risks might be addressed by individual team members, and the rest of the business doesn't really need to know about it.
The cyber security framework goes into a bunch of detail on how to achieve and measure security efforts against each of these, so I'd encourage you to take a look if you're interested. These building blocks can also be seen in how we do security at GitLab. At GitLab, we build security around three pillars or three tenets: secure the product, protect the company and assure the customer.
The way we reflect this in our team structure at GitLab is displayed on the screen. Now, within security engineering, we have two application security teams, and we work to identify, prevent and respond to vulnerabilities that are introduced to the product, whether that's proactively with the development teams or in response to a disclosure on HackerOne.
We have our security automation teams, who work to identify new ways of preventing risks from being introduced and help us with our tooling. We have our security communications team, who are involved a lot in response and recovery, communicating with customers and our community about what we're up to and what they need to do, if anything. And we have our infrastructure security team who, like application security, work with the infrastructure teams, and they are a group of cloud security specialists in security operations.
Finally, we have a red team, who simulate adversaries and attackers so that we can practice and demonstrate our security capabilities, and a security research team, who find new ways to protect from or detect vulnerabilities. At the time of this recording we're also introducing some new focused roles and teams, shown in red. In smaller organizations, many of these roles are filled by just a handful of people, or sometimes even only a single person.
There is a global challenge in developing, recruiting and retaining security people, but even with all the security talent in the world, a security-type department is only ever going to be a helper and enabler. We can't do it alone. Those outside the security department are responsible for helping us achieve security too.
So security is everyone's responsibility. We need to provide them with, and let them use, automated security tooling. We need their help with improving processes. We don't want security to be a barrier or to slow things down. We don't want people to resort to sneaky workarounds, so we need their help in identifying ways we can improve processes.
I asked the team and we came up with these three: curiosity, communication and problem solving. Curiosity is all about asking "what if": what if we did this, what if someone else tried that, and digging down and figuring out, is there a vulnerability hiding in there somewhere, or how can we do it better? Communication is critically important. You need to understand your audience, whether you're talking to a business person, who needs to understand business impacts and business-type risk, or a developer, who needs to understand what the vulnerability is and how to address it.
We have documented processes for application security, risk management and incident response. You can find these in the GitLab handbook. Most companies would keep these sorts of things behind closed doors, so if you want detail, that's a great place to start. If you're interested in finding bugs, we have the HackerOne program with cash awards from 100 US dollars through to 35,000 US dollars.