Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / MPO List / 21 May 2020
GitLab / MPO List / 21 May 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: GitLab DevSecOps Tools in Action

Description

Overview of DevSecOps using GitLab Secure. Secure provides Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Container Scanning, and Dependency Scanning to help you deliver secure applications along with License Compliance.

The security scans display vulnerabilities in a uniform UI where a developer can resolve them before merging to master. The Security posture of a project or group of projects can be further assessed via the Security Dashboard.

Follow @awkwardferny and @gitlab on twitter. 🐦
Read more about our Secure product vision: https://about.gitlab.com/direction/secure/
Learn about FOSS & GitLab: http://bit.ly/2KegFjx
Get in touch with Sales: http://bit.ly/2IygR7z

A

Hi, my name is Fernando and I'm. The technical marketing manager here at get lab I'm going to walk you through good lab secure stage and show you how to integrate security into your development lifecycle. Now, let's get started here, we can see the different components of get lab secure stage in.

B

This.

A

Video I'll go over security scanning as well as workflows from the perspective of developers and members of a security team.

A

Here's an example of the developer lifecycle. The developer commits some code and then the get lab CI runs. This begins the whole suite of security scans, including tasks which can run against the review app after the scans are run. The developer is provided with detailed information on the vulnerabilities. The developer can also create issues or dismiss them, as they see fit. Also note that the security team has access to a security dashboard where they can have an oversight of the security posture of a project or group of projects.

A

Here we can see the pipeline in action. You can see that first there's a build stage in which the image is built and then a variety of security scans are run. Then we deploy the review up and run dashed against it. Here are the results of the security scan. They are made available in one common view in the typical developer workflow, the developer will continue to iterate over the M R. Until all the vulnerabilities have been resolved. Now, let's get into each type of scan and what they do.

A

Here's an example of sassed or static application, security testing, it scans the application source code and binaries to spot potential vulnerabilities before deployment using.

B

A combination of open source and gillip created scanners, all maintained by github. You.

A

Can see here with this pop-up that it detected a possible sequel injection vector? You can also see that there's more information on the vulnerability provided as well as a link to the line of code in which it has occurred.

A

Then there's dependency scanning, which analyzes all the external dependencies, such as libraries for known vulnerabilities. Here you can see a denial-of-service vulnerability was detected because we were using an older version of flask. You can see that there is a solution provided as well as a link to more information on this vulnerability container scanning check, stalker images for known vulnerabilities in the application environment. It uses an open source tool known as Clair. Here you can see that a vulnerability was detected because we were using an older version of Alpine.

A

Or dynamic application security testing analyzes your running web application for known vulnerabilities, it runs, live attacks against a review, app or an environment of your choice. Here we can see that it detected that the web application was missing. The X content, type options, header.

A

License scanning scans all the licenses within the dependencies of a project and matches them against an approved or denied list which is usually based off a policy set by the security team. Now, let's go over some common developer workflows, a developer can dismiss a vulnerability and provide a reason as to why it's being dismissed. This will show the vulnerability has crossed out. The security team will be able to see who dismissed it and why the developer can also create confidential issues from the vulnerability.

A

The issues will be auto populated, with more information on the vulnerability and how to resolve it.

A

The security team has access to the security dashboard here. The security team can overview every vulnerability within a project. These vulnerabilities can be sorted by severity, confidence and report type.

A

The security dashboard is also available at the group level. This shows all the vulnerabilities within a group. This allows the security team to assess the security posture over time notice. That vulnerabilities can also be sorted by severity, confidence report, type and project.

A

Other described security scans can be added using templates which are provided as part of your github installation. Each scan can also be further configured using environment variables.

A

Also, enabling Auto DevOps ads all these scans by default.

A

Thanks for watching and I hope you enjoyed for more information, please visit about gitlab com.