►
From YouTube: Shifting Security Left - GitLab DevSecOps Overview
Description
Learn how GitLab shifts Security left with a variety of Different DevSecOps tools, which provide Vulnerability Scanning and enable collaboration between Developers and AppSec.
Follow @awkwardferny and @gitlab on twitter. 🐦
Application Security Overview: https://docs.gitlab.com/ee/user/application_security/
Use Cases: https://about.gitlab.com/handbook/marketing/product-marketing/usecase-gtm/devsecops/
Secure Direction: https://about.gitlab.com/direction/secure/
How to Configure: https://youtu.be/Fd5DhebtScg
Get in touch with Sales: http://bit.ly/2IygR7z
A
A
It
starts
with
a
developer,
creating
a
merge
request
from
a
feature
branch
they
have
been
working
on.
The
security
scans
are
automatically
run
as
part
of
the
cicd
pipeline,
detecting
vulnerabilities
and
displaying
them,
along
with
detailed
information
in
a
uniform
interface
developers,
can
resolve
and
rerun
the
pipeline
for
regression
testing.
A
A
Then
there's
the
test
stage,
which
runs
unit
tests,
as
well
as
a
variety
of
different
security
scans.
These
scans
include
sas
or
static
application
security
testing,
which
searches
the
static
code
for
known
vulnerabilities,
their
secret
detection,
which
detects
unintentionally
committed
secrets
and
credentials.
Within
your
repository,
then,
there's
container
scanning,
which
searches
the
container
images
for
known
vulnerabilities.
A
Then
there's
the
deploy
stage
which
deploys
our
code
into
a
staging
environment.
After
the
code
has
been
deployed,
we
run
dast
or
dynamic
application
security
testing
on
the
running
application.
This
sends
malicious
requests
to
the
application
in
order
to
detect
vulnerabilities
tasks
can
also
be
run
on
ephemeral,
staging
environments
spun
up
by
gitlab
ci.
A
A
A
There
is
a
vulnerability
check
which
means
that
if
there
is
a
vulnerability
of
a
certain
severity
detected,
then
an
approval
is
required
before
this,
mr
can
be
committed.
There
is
also
a
license
check,
which
requires
approval.
If
a
denied
license
is
detected,
these
checks
can
be
configured
in
the
cicd
section
of
the
project
settings.
A
Scans,
this
is
an
example
of
a
sas
vulnerability.
It
contains
detailed
information
on
the
vulnerability,
its
severity,
its
location
as
well
as
how
to
resolve
it.
In
order
to
start
a
discussion
around
the
vulnerability,
a
confidential
issue
can
be
created
without
alluding
to
the
vulnerability
this
enables
developers
and
the
security
team
to
collaborate
on
finding
a
resolution.
A
A
confidential,
merge
request
can
also
be
created
only
allowing
those
with
permissions
to
view
open
to
issue
status.
Changes
are
tracked,
which
is
great
for
compliance
audit
trails.
Now,
let's
take
a
look
at
a
dependency
scanning
vulnerability.
You
can
see
that
there
is
also
detailed
information
on
the
vulnerability
and
how
to
resolve
it.
There
are
also
relevant
links
to
the
cve
which
go
in
depth
on
how
the
vulnerability
affects
the
system.
A
Next,
we
have
a
container
scanning
vulnerability.
It
provides
detailed
information
as
well
and
can
be
autoremediated
with
a
click
of
a
button.
A
merge
request
will
be
created
which
will
rerun
the
pipeline
allowing
for
regression
testing
this
tests.
If
the
changes
succeed,
then
there's
a
das
vulnerability,
which
shows
information
on
the
requests
sent
and
received,
along
with
relevant
links
to
the
vulnerability.