From YouTube: Sec Section PM / Field sync - October 2022
A
All right, so thanks for joining our cspn monthly sync-up. Just a few things. First of all, as a reminder, we've consolidated meetings, so this is now one meeting for all of Secure and Govern. So anything in any of that, in the whole Sec section, you can bring up and discuss here.

It does mean that some of our product updates are a little bit beefier than before, when we had them broken out into separate things, but I'll try to not bore you too much with rambling on for these things. So a couple things I wanted to cover, just in terms of product updates. We have a number of big features that are currently planned for 15.5. I know we've been working towards operational container scanning for what feels like forever. That's been in an alpha state for a really long time.

The one merge request that was blocking moving this to GA finally went through. So things are looking pretty good for actually being able to move this formally over to GA. The way this will work once it's GA is: you will have to install the GitLab agent for Kubernetes, and then you can configure that either as part of your agent config file, which would be if, like, the infrastructure team is setting up the scan, or you could set up a scan execution policy to enforce the scan, and so that would make it so that the security and compliance team could manage that policy instead of the infrastructure team. So that's really what we've been working towards. It's already 99 percent, but we're hoping to close out those last few gaps and make it officially GA, hopefully this release.

The other big thing that's coming out is related to security policies. Part one of that is, we've now launched rule mode for scan execution policies, so that's already turned on on GitLab.com; we'll be announcing that as part of 15.5. And then the second thing is group-level scan result policies, group and subgroup level, so those have only been at the project level up to this point. We're getting really close to turning that on. There is some risk it slips to 15.6, but if we're lucky we'll be able to still get it in 15.5. So either way, coming soon is the ability to manage those policies at the group and subgroup levels if you're wanting to require approval on a merge request that has vulnerabilities.

And then I'm not going to read through all of these in detail. I think I'll just run through the titles of these and then turn it over to you if there's any one area that you want me to go deeper on. But some of the big things that we're working on going forward are replacing License Finder, re-architecting our dependency list, we're working on continuous vulnerability scanning, getting that browser-based DAST engine to GA, and then consolidating our analyzers with Semgrep.

Those are probably just a few of the bigger highlights; I've probably even missed over some others, but are there any of those items that you want to go into more detail on? Or, if you're good, we can move on, and that's totally fine too.
B
A
Yeah, so that continuous scanning would be specifically for container and dependency scanning, because those are things where the advisories change pretty frequently, so we're always getting the information coming into our advisories database, and we see that those analyzers typically are the biggest reason that customers run scheduled scans to rescan and rescan their project, trying to see if there are any new vulnerabilities. For secret detection, though, it's a little bit different, because once you've pushed up your code, the only time your code changes is when you push up new code.

So the only reason you would see new vulnerabilities otherwise is if we updated our rule set, which, you know, does happen. It's not nearly as problematic or frequent as the advisory database being updated, but otherwise you're not likely to see any new vulnerabilities for secret detection unless we had some sort of major rule set update. Yeah, I...
B
I think the group level, that was a group-level scan result policy, is useful because I added a link to, and we can talk about it after, but kind of some of the challenges customers were facing in adopting Ultimate, and one of the items was, like, applying, you know, scans at the group and subgroup level. So hopefully that helps, you know, mitigate a concern outside of using, like, compliance pipelines. But do you think that would be useful in terms of, I don't know, securing at the group level? Are there any other things on the horizon for making other scanners available at the group level?
A
So that's one area that we've got some improvement planned, and that would come with all of the benefits that you get with policies. You can manage it at the group, subgroup, or project level. You know, you've got two-person approvals for any changes. You've got the ability to separate that out, separation of duties for your security team to manage those separately. So we are looking at moving those over. In fact, the front-end work for that is already in development.

The back-end work is actually going to be the lagging factor there, just given our current resource availability. So obviously we can't launch it without the back end, but we are at least starting that work.

Now on the scan execution side, we have support for SAST, secret detection, container scanning, and DAST, so we're missing dependency scanning and fuzzing, and technically we're missing license compliance as well. But given that we're planning to replace license compliance anyway and basically get rid of that analyzer, we won't need to add support for license compliance, because it'll just become dependency and container scanning to do your license compliance.

So, yes, we do have support for dependency scanning on our roadmap. Support for fuzzing is considerably lower. Probably the next thing, you know, in terms of, like, support in that regard, the next thing on the list would be adding support for custom rule sets for SAST and secret detection before we go and add support for fuzzing. So we're planning to fill that out. It just takes a little bit of time, because we've got to add each scanner individually.