From YouTube: Protect PM/CS Sync - August 2021
A: All right, well, welcome. Just to kick things off, I wanted to send out a shout-out and a reminder that we've got our Protect stage strategy meeting next week. If you don't have the invite, that should be on the Protect stage calendar. We actually pre-record those; these are done once a quarter and it's a great place to get some good information. So please do watch the pre-recording, and if you have questions, we actually have two live Q&A sessions.

B: I did, so I was giving a demo a couple of weeks ago and then the cluster image scanning randomly popped up as I was going through something. I was like, oh, that's new, and then I saw that it popped up in the docs, so I guess I just wanted some more information around that, like how we should be talking about it to customers. All of the info you gave in the doc was great, yeah, so that was helpful. For me, I've heard it pitched a few times. Trying to correct it as like: no, actually, this is an alpha. You shouldn't use this against anything production. Like, please don't, but test.

A: Yeah, it definitely is an alpha. That's interesting that the field has, or some people are starting to pitch it as already viable. I mean, it certainly is usable. The big caveat, like the only thing that makes it not really production ready, is that we've got some changes, including some potentially breaking changes, planned upcoming for it, and there also are some nuances around the permissions. So because it runs in a CI/CD pipeline, you have to make a token for your cluster accessible to that CI job, and really the only way... Well.

It would be easy for them to just echo out or cat out that variable and now they've got access to, basically, the keys of the kingdom, right? They've got access to the token that would grant them access and permission into their production cluster. So it can be de-scoped so that you're just providing the minimal set of permissions with that token; it doesn't have to be like a full cluster admin rights token.

It can be just the bare minimum to retrieve the vulnerabilities, but even with that, obviously, you know, making a token or credentials for your production cluster available as a CI/CD variable that can be, you know, exposed in that way is not the best security practice, necessarily. Unless you're, you know, a closed company or a really small project, or maybe you set this up in its own project and you limit access to that project to just the individuals that have permission to anyway.

So if you set it up right, there are ways to work around that, but longer term we want to, you know, see what we can do to make that a little bit easier and cleaner and resolve those downsides. And so there probably will be breaking changes that come about as part of that, which is why it's still in alpha. We're not going to wait for the 15.0 release to roll out those breaking changes. So if someone goes and tries it today, it could break tomorrow.

B: That's great to know. Thank you. I think my next question was about a demo project which you gave, thank you. I will be showing that tomorrow, with the very detailed, like, "please don't rely on this yet, but it's really cool, you should try it" pitch. And then the last question was: can multiple clusters be scanned from one project? And it looks like maybe, unofficially.

A: Yeah, I would say it's a big maybe. I haven't tried it out, but I would think that you should be able to just configure multiple jobs, one for each cluster. Like I said, each job would need its own credentials to each, you know, of the individual clusters, so that would be the trickiest part: just making sure that each of those are using the right set of credentials.

But yeah, if a customer were to set this up, like, in their own dedicated project and they locked down access to that project, just, you know, to a really small set of individuals, then obviously that mitigates the credential sharing or permission problem. And if they're okay with it potentially breaking, you know, or making changes down the road, they certainly could start using it right now. But we're working on it. You know, GitLab, we're very iterative, so we've got this out, we're going to be improving it over the next few milestones.

Things are going to kind of shift around, and then eventually, in the long run, we want people to start setting these up as a security policy, which is also another feature that's behind a feature flag at the moment. But instead of running it through the pipeline, it'll actually be a policy. You'll schedule this scan to run against your production cluster on a given interval, so kind of a different way of doing things. A lot of changes coming there, but I think it'll be a lot better and more secure in the long run.

So with that, I just wanted to run over three other areas that we're going to be releasing in the near future, or we already have released in some form. Some of this we've already talked about, like we've already talked about scanning containers in production. Right now, that's just an extra filter in the drop-down for the vulnerability report. Based off of our testing, a lot of users preferred for that to be a little bit more separated out.

So that's going to be moving into another tab, a separate tab in the vulnerability report, and you can see some of those mocks there in that linked epic. But we're going to have a tab for your development vulnerabilities, which would be, basically, at the moment, everything except for cluster image scanning, and then we'll have operational vulnerabilities, which would be your cluster image scanning vulnerabilities, and down the road...

We would actually like to add a lot of additional types of scans for production environments, so that cluster image scanning is really just the first scan type to go out there. You actually could run a DAST scan against a production environment, a fuzz testing scan, you know, infrastructure as code, like configuration-type scans, hardening scans. There's a really big, long list of types of scans that we could be running in those production environments. So that's really just our first step into that space.

And then I mentioned security policies. I think it might be worth just doing a really brief demo, if you haven't already seen where we're headed here, and if this is not useful, go ahead and stop me. But we've got this up in staging at the moment, and it's not perfect yet, but I'm going to show you what we have.

There are a set of YAML files that get stored there that define the security policies that then get applied to the development project. Having them separated in two different projects lets us do a lot of things. It lets you have one set of policies that get applied to multiple development projects, so it allows for a one-to-many relationship.

It gives you full audit logging and it lets you have a two-step approval process through our regular merge request approval workflow, so you can really limit who is able to change these policies and track all of the changes that happen there. And then, if I come in and I click "New policy", we've got a couple of types in here.

This would be a scan execution policy, and at the moment we only support DAST. When we turn the feature flag on in 14.3, we're going to support SAST as well as secret detection. But this is a way to require that a DAST scan gets run every single time the pipeline runs, independently of what the developers put in their .gitlab-ci.yml files.

It's really unlikely that another job already exists with that same name, but if it did, for some reason, it would actually overwrite that job. So it goes in, it overwrites any variables that it needs to, to make sure that this job will always, 100% guaranteed, you know, be kicked off the way that it was specified here.

We are planning to have a side-by-side UI editor, where you can just use regular English alongside that YAML. So you can say, if a pipeline is run for a given branch, then, you know (this is the example that I showed before), I want to require DAST to run, and it auto-generates that YAML. Or, for the cluster image scanning, you would actually come and pick a cluster that you want to scan and the schedule that you want it to run on.

And this policy editor is really at the core of a lot of things we're working on right now. The last thing that I wanted to touch on is some changes that we're making to the Vulnerability-Check process. So we're starting out, again, in a very iterative way, just improving what's already there by adding some more options. In fact, you might notice this, because this is actually in production already. Some of this is, so you can now pick which security scanners the Vulnerability-Check applies for and how many vulnerabilities are allowed.

Okay, so we're still ideating on some of the specifics of this flow, but just to give you an idea, we would keep Vulnerability-Check for backwards compatibility until 15.0, because that would be a breaking change to remove it. So we would just deprecate it, but then we would let you have basically security policy vulnerability check rules (still working on terminology there), but you would not be able to edit those in that settings UI.

I know this is a little bit small, but it would take you to a different policy type, which would be a scan result policy, and you can come and say, you know, for which scans, you know, which branches, the number of vulnerabilities, the severity of it, whether it's newly detected or not, and then, you know, who do you want to require approval from. So it moves it from where it's at now into more of a flexible if-this-then-that format, and it also stores all of it, again, as code.

So again, it's going to have all the same benefits. It's going to provide separation of duties, so your security team will be able to edit these instead of, you know, the individuals who are editing the rest of the MR approvals. And again, it just provides a lot more flexibility than what exists today. So you can chain these rules as well, like if you want multiple if conditions, you can chain those all together. That is where we're headed, anyway, in the long run.

Are there any questions on that? I know I just blew through a lot of different features that we're planning to, that we're working on, in one way or another.

C: No, for me either, but I would say, that's wow. Do I sound terrible?

Okay, all right, sorry, I'm gonna get a fresh audio afterwards, but I just want to say that security policy management is one of the biggest things that I think bars adoption, because if you thought it was tough to get ops folks to write code, or even the YAML, then, yeah, getting security folks to write it is even tougher. And the fact that we allow it to be versioned as policy as code, security as code, etc., etc., etc., is really nice. And by the way, just so you're aware, Sam and Taylor, since I'm kind of using time for both of you, I joined today because I'm so behind in my understanding of where Protect is and where it's headed that I'm largely going to be just observing. The last time I looked into it, we had just done the web application firewall and the container network host security.

A: The challenge that we're seeing there is most of that is done by, like, an infrasec team, which is not a persona that uses GitLab today. So there's a lot of value there, there's a lot of money there for GitLab, but on the sales side and adoption side, it's a little bit more tricky than some other features to get used.

Get them started using GitLab at least a little bit, or interested in it, and, you know, just bridge ourselves over rather than, you know, going at that space head on. So as we start to see that payoff and a little bit more interest come there, we're hoping to go back and reinvest in container, host, and network security.

But, you know, again, we've got to find a path from where we're at today to get to where we want to go, rather than just trying to jump to the end, the end state.

C: That makes a lot of sense. In fact, I have a personal theory about this, which I'll just espouse really quickly: if you think about some of the other security vendors out there, there were very few that did anything in the runtime up until, you know, a few years back, right? I'd say two of the names that popped to mind immediately would be, like, Arcsan, which has since been acquired, but they're very narrowly focused, they're Android. Contrast had a general-purpose RASP solution, where I heard from multiple security researchers has the quickest return on investment out of all the security solutions out there. Well, the adoption rate didn't reflect that at all, and I personally have a theory that some of the stuff that goes on in runtime, it has to do with ownership. As you pointed out, right, I feel like there's this kind of weird broken bridge between infrastructure as code and, like, runtime security. Like, that's all your infrastructure, that's kind of important, but, you know, regardless what the reason is...

It's just there's been a couple of decent products out there that just don't get very much traction when it's in the runtime, and I think it's just we're ahead of the market a little bit. Contrast was a little bit ahead of the market, and it's a waiting game, right? I think picking a meeting ground of where people naturally intersect today is a smart move, because I was also looking at things like IAST and RASP.

I've worked with a couple of those solutions, which were embarrassingly immature in the past, and I'm like, well, hey, whatever we've got is gonna be at least par with those solutions if we were to make it. But now I'm thinking, like, you know, maybe par isn't the right thing. We don't know what par is, because the market's not quite ready for it. And I like the notion of finding a common meeting ground today. I do get asked, like, how do you secure, you know, a container once it's in production, right? So that is something that gets asked today, not as frequently as I'd like, but I think there's also a chicken-and-egg consideration there, right? When we beat the security drums, if you will, they tend to be around, like, pipeline-centric things, right, automation-centric things that happen in the pipeline. I think it would make a lot of sense for the infosec teams to just get something that's natural to their universe as a starting point.

A: Yeah, absolutely, thanks for sharing those thoughts. So, yeah, we are almost out of time, just a few minutes left, but my last item is just an open question to the two of you. You know, what hot issues, focus areas are you seeing in the field? You know, what feedback... just to phrase it a little bit differently: you know, what feedback do you have for me? Questions, feedback, anything in terms of roadmap or where we're headed.

C: I think I saw that... I apologize for not having read the whole agenda before I hopped on, but, you know, just letting folks know that it's out there for the day that they're ready, right? They may not be ready today, but, hey, we're doing good things that are maybe a little bit ahead of the market, but you're going to get there and this stuff's going to become super important. So just to plant that seed and let folks know that when you're all ready, we've been ready.

I think that's the key number one thing for me. A lot of folks don't even know, you know, that we have anything in that stage until they sit down and play with the upstream Secure stage, and then they're like, oh, it's interesting that I read some stuff about, you know, the runtime. So I'd say that's step number one: folks can't buy what they don't know that much about.

B: I guess I kind of already talked a little bit about what I'm seeing in the field. Outside of the container scanning and scanning, like, actively running containers, like, the dependency firewall has been a pretty popular thing for some of my customers to talk about. That's a focus area for quite a few of mine. I'm not sure if that's super relevant here, but I like the idea of more, like, distributable content we could send out to customers, like, "here's this blog post about where we're gonna go and why you should care about it." That'd be fun. Maybe that exists and I just haven't found it. So that's probably...

A: ...the case, yeah. Thanks again for that feedback. I mean, on the note of blog posts, we've actually had a couple go out recently. Some of them were published, like, jointly with GitLab and some of our partners. When we made this switch, from Clair and Klar over to Trivy, we did a joint blog post with Aqua Security, who owns Trivy, and then same thing with Anchore, since they added native support.

We also got a really good article that was written by one of the analysts. Anyway, I'll try to put a list together and share it on our Slack channel.

Absolutely, all right! Well, thanks, everyone, thanks for your time today, and enjoy your week. And if you have time, please do check out our... again, just a reminder, my sales pitch at the beginning, but check out our Protect stage strategy video.

Sounds good, thanks. Sam, thanks, have a good day.