From YouTube: Sec Section PM / Field Sync - May 2023
A
All right, thank you everyone for joining. This is the Secure and, oh I guess, Sec

B
CS and PM monthly sync, and this will be the public portion that will go over product updates. If you have any questions about any of the updates that we list here, feel free to ask them here. So.

A
B
Right, so I just pulled out a few from 15.11 and then a couple that we have already deployed to gitlab.com for 16.0. So starting with 15.11, I wanted to point out that container scanning now outputs CycloneDX SBOM documents. So that's, I think, a really good addition; it should help out anybody that's using container scanning and is concerned about SBOMs. So we added another level of automatic response to leaked secrets on public branches.

B
Before this automatic protection, it only worked before or after you committed the secret; now merge requests and unmerged branches are also protected, so that significantly increases the security there and reduces the possibility that you could have any exposure if a secret is leaked. All right, we added vulnerability dismissal reasons, and I just listed the different reasons there. So now, whenever you dismiss a vulnerability, rather than having to type in the comments why you're dismissing it,

B
you can just use one of those dismissal reasons. Then in 15.11 we added the ability to manage the project compliance frameworks at the group level in bulk. In 16.0, and this has already been deployed to gitlab.com, we've added quick actions so that you can just do one at a time. So going down the rows in the table, you can see there's a plus and a minus, or I guess a plus to add a framework, and then once the framework is applied to it, you can quickly remove it with the next.

B
C
B
So we added the bulk. Previously, you can add these now. You can add the framework here. If you don't have a framework, you can create it inline there. If you do have a framework, you can edit it or you can just remove it from here, so that makes managing these a whole lot faster than it used to be. Right, and then Grant, I will throw it over to you to go over what you put in here.

D
D
Okay, yeah, so I pulled in a few updates to share here. The first one is failing closed for invalid security policy approval checks, so more of a heads up there. This is a rare case that this would really come up, but if a security policy does become invalid, we'll be blocking the MR until the security policy is fixed.

D
That way, there's no risk of vulnerabilities being introduced as a result of misconfiguration. So there's some guidance around action being required, working with the security team to fix that policy, and that would unblock merge requests once you get that policy fixed. So an example of how this could happen is if you have a small set of approvers set on the policy.

D
Let's say someone leaves a company, or a number of things change around, users lose access to the project that they were set as approver for; then the number of eligible approvers could drop below the required number. So, in those cases, we'll display "action required" and guide users to fix that policy. And I think what we saw is it's like a 0.2 percent chance that this would occur, but we don't want to.

D
We want to ensure compliance. We don't want to allow any vulnerabilities to pass through. The next one is role-based approvals for scan result policies. I think we may have talked about this last time.

D
There are a number of filters we're working on. The first one that we're addressing in 16.0 is updates to our status field. It's been a bit confusing, I think, lumping new and previously existing vulnerabilities together in that filter. So in this case, after this update you'll be able to choose newly detected or previously existing first, and then you have options for defining the rules based on that. That'll allow you to, for example, remove dismissed vulnerabilities that have been dismissed in the MR by re-running the pipeline.

D
D
Additionally, after 16.0 we'll be working towards adding filters for the age of a vulnerability and an attribute filter for fix available and false positive. So you can take a look in that issue to learn more, but essentially this will help reduce noise and make it a lot easier to see which vulnerabilities are most actionable to address. This has definitely been a highly sought-after feature from customers that we've heard from, and yeah, we'll be glad to hear feedback on any of these.

E
D
Yeah, they'll know because it's blocked, I would say. I think we've got some designs here; they'll show. So yeah, the MR is going to show "action required" and then we guide users through some of the content here: why there's an issue and how to reach out to get that fixed. Okay, cool, yeah, that's a good question. I mean, notifications could be useful. We just don't have any yet, so I think that will improve over time.

D
We do have some epics around setting up notifications for various security features that we'd like to explore.

C
D
Yeah, I'm trying to recall exactly. So I know that the intent is to be able to set SLAs around the vulnerability. So I think it's the full age of the vulnerability. So if it's existed in your code base over X days, you can set filters based on that. So in some cases you might say, let's address all critical vulnerabilities immediately, but for low severity vulnerabilities we want to create issues and set some requirements to get those fixed.