From YouTube: Govern Stage Strategy Review - August 2023
A: Welcome to our August Govern stage strategy review. Just for a real quick overview of our org structure: here, I'm leading the Govern stage, and I'm also working on our software supply chain security working group, and then Derek is leading compliance as our interim PM while we work to hire somebody into that role full-time. Grant is working on our security policies group, and Alana is in threat insights. Just for a real quick overview of our strategy here in terms of what markets and personas we're targeting: our largest market.

A: Although legal teams and compliance teams do also play a role in that as well, and we have some participation with infrastructure security teams. We do participate a little bit in the GRC market, which is governance, risk and compliance. We do solve those concerns as far as they overlap with DevSecOps, but we're not trying to become a universal compliance solution or a solution that competes solely in that GRC market.

A: The key difference there is that a lot of GRC tools will take in data from a really wide variety of different applications to determine compliance, and we're focused primarily on compliance of the activities that are being done within GitLab. And then, lastly, is the ASOC market. We do play in this one to some extent as well, by consolidating vulnerability data in GitLab.

A: Again, we're not really a pure play in that market, especially as we don't do correlation right now, but we may add that in the future to expand our presence there. Coming out of this, we have a few roadmap themes for our three-year strategy. The first is top-down security controls. This helps security and compliance teams to manage all of their security and compliance needs in a central location, so they don't have to do that project by project. Commonly there's one security team or one compliance team for an entire organization, and it just doesn't scale well when you have thousands or tens of thousands of projects across GitLab, and so they need a way to manage those centrally. The second one is no compromises with compliance. So this is in order for compliance teams to use GitLab for enforcing compliance requirements.

A: We have to make sure that those requirements are met 100% of the time and that we have the necessary tools to audit, monitor and improve that, and so that means we can't have any compromises there. If there are workarounds or loopholes, it really tends to nullify the advantage of those features. The last one is coordinating security across GitLab, so this means taking advantage of all of the other things in the GitLab platform to provide for a seamless experience that brings those different personas together.

A: This is just our standard legal disclaimer, to note that as we talk about the roadmap items, they are subject to change or delay, and so please do not rely on them for planning or purchasing purposes. At a really high level, we actually have a huge number of features slated for the next three months. I'm not going to talk through all of these in detail because we'll talk through them here in the upcoming slides, but we have a really solid one-year roadmap. With that, I'm going to hand it over to Derek to talk about compliance.
B: All right, thank you, Sam. So, yeah, the first thing that we're going to look at is some things that we've recently released. So we have recently released the audit event improvements. We've made several improvements here, so the first one is that you can now stream instance-level audit events, and this, added to the top-level groups, allows you to capture all the audit events that can be produced at every level, since the audit events from the projects and subgroups roll up to the top-level groups that are reported through those streams. We've also added more options to filter the audit events, and with those you can now look at the audit event type. We're also planning on moving or adding more filters to this area in the future.

B: So we'll be adding things like project and user and more ways to filter, to see exactly the information that you need. In addition to that, we're also adding third-party streaming locations for these audit events. That's something that we've already added support for with Google Cloud Logging, and we're in the process of adding Snowflake, as well as several other locations like Splunk and Datadog.

B: So, let's talk about what's next. The compliance adherence report is the big project that we're working on right now. So this will allow teams to look at exactly what's going on with their projects and how those projects comply with specific standards or regulations that are out there.
C: Thanks, Derek. I'll jump in as well, starting with what we're working on actively and what's been recently released. So the first topic I wanted to highlight is improved accuracy of our scan result policies. So we've been making some changes to our approval logic to make sure that when we require approvals, the behavior is what our customers expect. There are some cases where they may see an approval required when they don't expect that to be the case, or vice versa.

C: We've been working on this for some time and I think our customers are going to be really excited about it, which is adding some more granular filters to our scan result policies. What this will do is allow you to filter out a lot of the noisy vulnerabilities that are not actionable, such as by setting an age filter based on, say, the severity of the vulnerability: you can set an SLA before we start to block merge requests where we find such results, or if we detect false positives or vulnerabilities where a fix is not yet available.

C: Customers can use these options to kind of toggle and filter more of these vulnerabilities out and free up their security team to focus only on what is really addressable. So we're targeting milestone 16.3 to complete it, but it is still in active development. And then, moving on, the scan result policy type we're actually going to be refreshing a bit.

C: You might see this called the merge request approval policy here very soon, and we're going to be focusing a lot more on the compliance enforcement aspect by introducing a new capability. As a result, this will be a new way to use a merge request approval policy that will allow you to ensure that we are doing two-person approvals on all MRs.

C: The last one I want to highlight, which is also much anticipated, is the ability to, in the future, unify some of our, I guess, two capabilities that we have today in GitLab, which are compliance pipelines and security policies. We're going to be introducing support for custom YAML to be able to kind of execute these compliance pipelines in the background through a security policy, and the other component of this is improving the usability.
D: So, let's get started. So we recently released the group dependency list for the group and subgroup levels. I'll talk about some iterations that are coming in quick succession, but this will give users the ability to see everything within a group or all the different projects, so they have that higher-level overview rather than going project by project.

D: And we recently shipped "explain this vulnerability" with AI. This is still in the experiment phase, but we will be shipping to beta in 16.3.

D: We have been slowly releasing beta-related features, like showing the prompt, and then also a quick check for potentially exposing secrets and sending them to AI. We've been slowly rolling that out, but we are expecting beta in 16.3, and the goal with this is to help up-level developers to improve their skills and help them write more secure code.

D: So, like I mentioned, in quick succession of the MVC iteration that we just released for the group dependency list, we are going to go back and add license and vulnerability information, and we also are going to enhance what is available for searching and filtering on these dependencies. Eventually, we are going to support this at the organization level, so that way organizations can see if they have a dependency that might be super risky, like Log4j.

D: And we are getting really close to having this work complete for custom security team roles. So we want to make sure that customers are able to give their users the least privileges for their different projects. So, for example, we're hearing from a lot of customers that they don't want developers to be able to change the vulnerability status. So in 17.0 we are going to make that a breaking change and remove that option from developers, and then Ultimate customers that have access to these customizable roles will be able to create a new role with Reporter as the base that adds things specific to their security teams, who don't necessarily need to be changing code but do need to change vulnerability status.

D: And, very exciting, we will be expanding on options for searching and filtering. It's great to know that GitLab is scanning for all different types of vulnerabilities, but it's also important to be able to have that level of fidelity to be able to find what you're looking for and be able to triage. So we are going to add filtering so you can easily chain multiple filtering criteria. Right now we have some of those options, but it's a little bit limited, so we will be adding to that, and we're getting started by adding the group-by. So hopefully that work is going to start soon and we'll see that sooner, as the first thing, rather than later.

D: And, in addition to "explain this vulnerability" going to beta, we are working on another experiment that would suggest a fix for a vulnerability. You can see in this slide that this looks a lot like "explain this vulnerability", but we do have two buttons on that drawer to create an MR with the AI solution. So this will give development teams and security teams a more efficient way to mitigate these vulnerabilities by getting them started with a suggestion.
A: All right, thanks, Alana. We have a lot of features coming up there. For software supply chain security, this is a working group that we have within the Govern stage.

A: We recently released support for keyless signing, which has some huge benefits in terms of making it significantly more simple for developers to begin signing their build artifacts, their container images and their packages that they build as part of CI/CD. I provided a few slides on the details of that in the appendix; it was too in-depth to go into for this presentation, but the net result is that users can now add just a few lines, an id_tokens line, which generates a Sigstore ID token that's automatically read by cosign, which can then be used to sign their artifacts. So it's a huge improvement, and it eliminates the need to manage a separate key management system; or, you know, it eliminates the need to create and rotate your keys, and simplifies the solution of how to verify things, because you no longer have to figure out how to distribute your public key. Coming up next, we are getting close to having support for automatic commit signing.

A: So it's a little bit of a painful process currently to do that verification, so we're planning, instead of showing the signature on a separate line item in the container registry, to add this badge right alongside the container image, where users can immediately see if it's signed or not and what the verification status of that is, and then they can click in and view all the details of that signature. Shifting to our roadmap, just to show where we're at and where we're headed: that top row of keyless signing.

A: Also, we plan to eventually begin signing the attestations that we're generating and improve the contents of the attestations as well. With that, we'll shift it over to any questions that you may have during our synchronous Q&A. If you're watching this async, please feel free to drop any questions that you have asynchronously into the document ahead of time. Thanks for watching today, have a great day.