Description
Preview session for the upcoming Secure & Defend Section Group Conversation livestream scheduled for 2020-08-06. Hear updates related to the Secure & Defend stages from David DeSanto, Todd Stadelhofer, and Wayne Haber.
A
One of the main highlights for this group conversation that we want to make sure everyone is aware of: first, fuzz testing has moved to Minimal. At the beginning of August it became available on the .com, or SaaS, offering, and so that is now ready for you to run coverage-guided fuzz testing. On the Defend side, Container Host Security also moved to Minimal. This is providing container visualization and support for blocking attacks that are coming into your environment. We'll talk more about both of them as we go through the call here.
A
On the Secure side, again we're shooting to move the four core categories, SAST, DAST, dependency scanning, to Complete, and fuzz testing to Viable, in the next six to 12 months.
A
I just mentioned our coverage-guided fuzzing MVC released as well, again very exciting, and then finally we're continuing to expand what you can do with SAST, including bringing SAST down to Core, with a lot of great things coming out over the next couple of months as well.
A good example is our API fuzzing, so you'll be able to fuzz REST APIs that are defined in OpenAPI v2 or OpenAPI v3 format. We're also beginning to expand what you can save with regards to DAST, to help you build new tests faster.
A
Again, coverage-guided fuzzing has been merged and has shipped on .com with Go and C/C++ support. You can see the screenshots on the right here as to how you get to the content.
A
We're also very excited about the fact that we already have customers who are Gold subscribers using it, and they have actually found vulnerabilities in their applications that have been there for years, but traditional AST testing had not found them. We also have a great blog that goes over what fuzzing is, and we're going to be making a lot of training material available to you as well.
A
The point I want to drive home with fuzzing, and why we acquired the companies, is kind of captured on the right there. With the picture you can see, from left to right, is known to unknown vulnerabilities, and going deeper here is visible to hidden for source code. Our traditional AST features have lived on the left side of that, where things like SAST can see the source code; DAST doesn't see the source code, it uses the review app; whereas then on the right, coverage.
A
We touched on this very briefly on a couple of the release kickoff calls, but there's a lot of great work being done to our UIs. We're going to be able to support configuration of the scanners in a traditional point-and-click, drop-down type menuing, giving us a nice jump in our maturity and allowing us to get greater adoption. And the last thing I want to highlight for you is our SMAU data. We're beginning to see this collected; it's available on the handbook.
A
Self-hosted is a little bit harder for us to capture. A lot of the Secure users are in offline environments, or they have concerns about reporting data due to privacy, and so what we've been able to do is take the data that we see for .com and extrapolate what it would be for self-hosted. We can do that because Secure is predominantly a driver for Ultimate, just like it is for Gold, and we know how many total users we have for self-hosted.
A
So from that, if you take that and you extrapolate out what that would look like, it actually brings us to over 60,000 monthly active users. That's an incredible feat for us in just a short amount of time, and we're seeing that drive more and more with a lot of the really large deals that have closed recently, that are in the thousands of seats, and the predominant driver, again, was Secure.
A
Last thing I just want to touch on before we kick over to Defend: we did have our last strategy review back in June. We shared it with you right after it happened, because we had a group conversation call. Our next one's in just a couple of weeks, so please go check it out on the Secure stage calendar and join if you like. We'll also update you with a link to the recording once it's available.
A
Also, recently we've been able to support exporting of logs to your syslog, so you have a central collection point. We also released our first policy management UI, which gave you that feeling of a YAML file you can configure and save, but we have a lot of really cool things coming up, including a point-and-click UI for policies, as well as additional controls, including things like alert management on the container host, and host monitoring and protection.
A
Here's an example of that policy manager I just mentioned; you can see on the right is the policy definition, and more of that will be coming over the next couple of weeks, in updates I should say. The final point for Defend before I hand it over to my engineering counterparts: Defend had its last strategy review back in May. We've included a link to the recording here so you can check it out. The next one's actually today.
A
So I can't give you a link for it, because we're recording today ahead of the group conversation. I don't have a time machine, so that would be pretty cool. So we will provide that information both in our Slack channels that you're all members of, as well as it'll be available on YouTube like the Secure ones are. And with that, I want to hand it over to Todd to talk a little bit about engineering metrics.
B
All right, thank you, David. I just wanted to remind everybody that the Secure and Defend section has two sub-departments within it, one of them being the Secure stage, which still houses all the Secure analyzers and scanners. And Wayne, would you like to cover the Threat Management section? Sure.
B
All right, and I just wanted to cover the Secure sub-department OKRs that we're working through for Q2. The first one had to do with the six-month rolling average, and you can see our July numbers are pretty high in comparison. This actually had to do with: when we were processing CVEs, we discovered a feed that we were missing, so we had approximately 180 CVEs that we had to modify to get caught back up, so that's why the July numbers are exceptionally higher than we were expecting. And then for the second OKR, for 13.2, we came in at 77 for our say/do ratio.
C
So for the Threat Management sub-department, a number of things to celebrate, including: the team completed iteration training. We improved the code review process for all of engineering; we put in a number of MRs that were merged on that to improve it. We added a database maintainer trainee on the team, which helps since we don't have enough database maintainers currently across GitLab. And we also delivered all planning priorities on time. So some things that we didn't complete but made great progress on was getting the team member monthly merge request rate per engineer to greater than 10. We actually got it to the highest it's been since the creation of the team, basically back in November of last year, so it was actually at 7.4 versus a goal of being greater than or equal to 10, and we're working to improve this further via balancing higher-effort merge requests with lower-effort merge requests, breaking up work into smaller chunks, and bringing more items to iteration office hours. In terms of using more of the product, we wanted to dogfood at GitLab all of the Threat Management department features.
A
Thanks, Wayne and Todd. And with that, I'm just going to hop to the end, which is a lot of slides, and there we go. So all three of us want to thank you for taking the time to watch the video ahead of time. We look forward to answering your questions during the group conversation session this Wednesday or Thursday, but please take a moment to go through all the slides; there's a lot of great content in here.
A
Both the product and engineering teams will spend a lot of time to make sure you have the most up-to-date data, so again, please check it out. Otherwise, we look forward to talking to you all on Thursday.