Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Protect Stage / 25 Feb 2020
GitLab / Protect Stage / 25 Feb 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Defend Planning Breakdown - Threat Management - Feb 25 2020

Description

Defend engineers working with PM to breakdown upcoming issues into components, clarify requirements, and identify work boundaries.

A

All right welcome to our threat management planning breakdown. I put air quotes around that because we have been talking about reducing the number of meetings and combining that Monday demo meeting with this Tuesday planning breakdown media and have it be a group wide meeting where we cover both topics, as well as any general questions or announcements, so that change should happen starting next week. Scheduling is a little bit hard. I want to make sure that we get as many people find a time.

A

That's is available for as many people as possible, but for today we're focused on planning break down for two issues. Just a reminder: this is not a substitute for grooming. The goal of this meeting is much more high-level. We're gonna, look at these issues and ask the following questions: are the requirements clear enough? Do we understand the boundaries of work and it's the research and solution? Validation complete, oh, and we break it down in these smaller I've.

A

Looked at these issues and I, don't know if that's the case here, but it should always be in the back of our minds, I'm going to read and share my screen unless, if you want to met.

A

Okay, so before you start any questions about the meeting and the goal, okay.

A

So this was one that was created so I guess. This brings up a question for planning breakdowns. I, don't know if we need to actually be planning breakdown, meetings that were originated by engineering I. Think typically, it's the biggest benefit is when they come from. You know large features you know like, but it's really we talk about stuff abettor, so Ross is chewing. I feel like this is a good time to ask him to talk because I see that happening Ross you want to briefly describe or verbalize the intent of this issue.

A

Is there any questions around this just missing vulnerabilities as we dismiss the findings, it.

B

Seems fairly straightforward I mean that cross pointed to the discussion in the slack Channel I don't know if anybody got a chance to kind of look through that as well kind.

C

Of helping.

B

Ross stall for time, so he can swallow it, but I mean.

A

Yeah I.

B

Mean from everything I saw from in this slack channel and on this issue it is pretty much just a straightforward issue, like Ross I, think in slack a little bit of a overlook Wow.

A

And.

D

That's like the window in his office actually just fell out and he has to go. Take care of it.

B

You know thinking you know like he said it's just kind of one of those things that is just needs to be done. um I, don't think it's too complex of an issue. I guess.

E

It's abused, but the permissions are the same someone we can be so fine, you can dismiss it anonymity or so, and you'll see why not, but on trying to find some edge cases here and.

B

This one kind of goes, if you know, as long as we're doing a one-to-one finding versus and vulnerability correct, because if we do end up doing a one-to-many.

B

That's a that's a different type. That's a different workflow.

A

So.

D

At least initially, stop me if this is not not true. The concern here is this is during the cut over from the existing model to the first-class vulnerability objects, and it looks like it was just mapped to an incorrect State, so that so this is got to be kind of like a just, a one-time cut over no no.

C

There's there's there's two separate issues and I am working on the like the migration of data. This is and and and I can hear you talking, I just couldn't unmute myself, because I lost my window. But yes, it is very simple and I really just wanted to like raise it to make sure it got scheduled. I, don't know if you know we need to have a whole lot of discussion about it or not, but um but yeah this is so you you have a vulnerability, you you add it or whatever it gives.

C

You just miss it on your own, your future branch. You say: I, don't worry about this it at that point. It's still just a finding. It hasn't the vulnerability. First custom owner ability hasn't been created. Yet then you, then you merge that into your default branch. The pipeline runs. We create the vulnerability without that change that finding that you dismissed will now become a detected vulnerability where we'd like to carry that across and say: hey you dismissed it over there. It's still dismissed here and that's that's what this is about.

D

Gotcha, sorry, that was my misunderstanding. I anchored on the currently and thought this was something about today and then the new model, but no that makes perfect sense so I agree. We should care for the dismissed state if you've done it in the future branch.

A

This is like the opposite of getting questions from the PM. The PM gets to ask the questions of engineering based on this issue. It's great is this required for launching MVC. Is it something that we need to look to try and scoop into twelve nine, or at least early twelve ten I would.

D

Say it's not required it's just going to be maybe a little confusing kind of a nuisance. If there are things that you're having to double dismiss, I, wouldn't I, wouldn't call this a deal. Breaker.

C

I I will say that, like when we're doing the the migration, which is a related issue, but not this issue, we're gonna have to we're solving for the same problem where we're saying. Okay, let's find all the findings that were dismissed and and move that state over to these vulnerabilities. So it is something that we could redo that migration or whatever, as it pertains to bringing over any sort of dismissed feedback that we missed during that time frame.

C

So you know, as far as it not being a deal breaker, we can also relieve some of that nuisance with the migration of. So you don't have to double this miss everything if you're patient enough to to wait.

C

If that makes sense,.

A

Cool it sounds like we all have a solid understanding of this, so Matt, it's just so no planning breakdown, you know all we can. We can think about flying it. It's time for crew mean and if we want to try pull it into. Twelve ninth will have to look to see if something else needs to about. Otherwise we can talk about scheduling it for a future release.

D

Sounds good thanks.

A

For us and second one.

D

Cool so I hope everyone had a chance to kind of look through this. This one is to put more visibility around the same kind of thing, so the dismissals there we go.

F

Let's.

D

Does anybody else in a little black square, yeah.

A

This picture no.

D

We're seeing that the picture I think Lindsey, so that was in front of it. There was like a little square, but anyway, gonna do a window.

A

You can all look at it. Asynchronously on your browsers.

C

Yeah it's good now I mean it. There was there's like a rectangle, it was like an artifact or something sort of look.

A

So sorry, I asked a basic question. We have other events already showing here in this activity. Tab. It's just expanding. Those to include dismissed is that correct.

D

It is well now I'm gonna have to double check on this, so I think the security tab itself is new. On that view,.

G

But the items would still have to show up in the all tab, I believe.

A

Good point.

A

So the change is bigger than just including dismissal owner abilities. It's about adding the security tab, adding activities around vulnerabilities displaying them both.

C

On.

A

The security tab and also under the all activity, if I understand it correctly, I think.

D

They cover it, yes, so for now on the security tab, though, eventually we want to put other activities, but we're gonna start with just the dismissal events.

A

Okay,.

A

Anyone have questions are on the scope or intent of this particular issue.

D

Yeah, actually, it's probably should add a better header to it, but you see the just above the design, this future iteration. So eventually this is where we're gonna put resolve, and so the other thing. So it's kind of like your your personal history, feed for security activity.

A

There's only been a wait at it to this and I'm confused. Someone already on this group groomed this already yeah.

D

Might have been there for a while I'll be oh.

F

I've.

A

Had.

F

It that way.

A

While.

F

It was still over.

A

Insecure that makes sense.

A

All right.

A

Okay, so back to our three questions, and we understand the intent of the requests and the work boundaries I'm, just I'm, just gonna keep asking questions and they come up. This is this is something that lives on a activity window, that's shared with other stages correct. Would we be contributing the code to change the front-end to include these ourselves? Are going to be working with I, don't know exactly what stage this activity window falls into.

A

Ross, do you have any idea about this? One I'm looking at anyone who's been here longer, so this is. This is sort of a foreign territory. To me you know as far as working outside of our own boundaries, but it feels like given these designs that the boundary is outside of the security tab within the product and then also from a back-end perspective, feeding into this Activity Feed, yeah, I, guess I'm just trying to understand the dependency on another team and what that team would be.

C

As far as the the backend and as far as what I could understand from what LBL had already put into the issue, we're just you know, feeding data into already existing models and all all of that, so I, don't I, don't think we're dependent on anyone else, but the I guess the one question would be like. How do we populate the security tab? You know as far as like fetching that data so I that might potentially be another group I'm, not sure on that. So.

A

They might make sense to talk down the elbow this one. A bit I mean this. One was already groomed. I noticed there was not a front-end tab on here. There might be some amount of once the data is there. It recognizes, you know some attribute of it. I.

A

Can take the action item and following up with a VL on this one, to clarify that.

A

It's any other questions on this one. If I didn't add a comment right now,.

G

The what the back end weight be different if we need a new end point to grab security, specific events so.

A

The new API needs to be created as your question: yeah: okay, I, don't what everyone who watch me take these questions so I'm gonna go ahead and put.

D

A comment.

C

In here you can all read it at your own leisure.

A

After this call, but it's not gonna happen right now,.

C

Okay, that was a good question that daniel has and I have no idea what this looks like, but it might just be a matter of calling the events API and passing in security to filter it that way, which wouldn't need a new API, but I, don't I, don't know other than that being a guess.

A

Okay and I think it some of that falls into grooming. So again, it seems like we all are very clear on the intention here and we don't have any questions, I think again, there's some some questions around the work boundaries, which is what I'm going to work to try and clear out.

A

This is something that is outside of our MBC, so I think we'll have time to revisit this one in a future conversation too.

D

So before we jump off, is it does this feel like something that we need to break up across iterations I.

G

Want to see, no, it doesn't seem like.

G

Yeah.

D

Thinking about it, the only one that I could come up with is starting by introducing the dismissed vulnerabilities into the all activity, tab and then making security as a separate list as a follow up.

G

Without looking at the code, that can either be something really easy to do or really hard to do if the tabs on the top are basically just grabbing the list and then performing a client-side filter. That would be pretty easy to do, but if it needs like a completely different workflow where we're hitting a different API endpoint and it it can't use any of the already like the the format that's already present, and we need to create a new one to display these items, then that would be. That would take more time to do so.

G

Yeah without looking at it. I can't really say.

D

Gotcha a little investigation that sounds like it's going to inform whether or not we want to break this apart. Okay,.

A

Given that it's a back-end wait of it's already fairly small from obvious perspective, even if we add front-end work on a even if it's a relatively large size and to your question of, could it fall within one iteration, ignoring other things that are already scoped I would think we can safely say that this is one iteration worthy.

A

Okay, all right so, like I, said in the future, we're gonna be combining the demo meeting with with this meeting, trying to reduce the amount of time we expect you guys to to be on calls. You really appreciate this early feedback on issues. I think it's already having its benefits on I. Think, at least for me, understanding what we're building and I hope that, as we start executing iterations, you guys feel the same way.

A

Thanks everyone I'll share the video cool.

D

Thanks Lizzie hi all right.