Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Protect Stage / 17 Feb 2020
GitLab / Protect Stage / 17 Feb 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: GitLab 12.9 Kickoff -Defend:Threat Management

Description

12.9 release kickoff for Threat Management covering the MVC for First Class Vulnerabilities and Exportable project-level Dashboard reports.

A

Hi I'm Matt Wilson senior product manager for the defense stage, and this is the twelve nine kickoff video for the thread management group. They go ahead and share my screen here and see. We've done so on. Twelve nine you'll see an old friend at the top there. If you've watched the last couple, maybe three of these videos you'll see that we're still talking about the nbc4 stand-alone vulnerability objects. Now, I want to say that this is not typical what you would see for an MVC or a minimum, viable change.

A

This is a bit of a different situation, so the vulnerability management worths are the standalone vulnerability. Objects is really a a redoing, an extension of the way that findings and vulnerabilities are handled today in the application. So this is part technical debt and part net new functionality, and it's a lot of architectural changes. Part of this means that, as we've been going through this in the last several iterations we've been uncovering more and new areas where we actually have to kind of update to this new model of working.

A

Now then, that takeaway is this: is gonna unlock a lot of capabilities for us to sort of move faster and offer more powerful functionality around vulnerability management in the application that we can't do with the current model? So we need to make sure that we take our time and it's kind of an all-or-nothing. Everything has to be done at once, and so this work is sitting behind a feature flag that when we are, we are able to tie off all the work and release it.

A

We will have everything kind of all at once, so this includes the security dashboards, as well as the security widget and against the EM, our widget and the vulnerabilities themselves. One of the biggest changes is that you will no longer see just a little modal pop-up of vulnerability information. These will actually be so. The kind of the first class portion of that is they are their own object, type similar to an issue or an epic where you can actually link directly to them. They will have a you.

A

Each one will have a unique URL, and so it is something that you're gonna have a lot more flexibility and interacting with I just want to point out so part of the changes that that have been going on. You'll see, we have 26 related issues. The things in blue are things that we've already finished off. We have a few things that are in green, that are still open, and a lot of these are being worked in this particular release or being tied off and we're still at the very tail end of the 12 day.

A

Release you'll also notice that we've had 26 merge requests all, but one of them have been already merged and accepted against this particular project. So this is a lot more work than you would normally see in a typical iteration or what we would call an MVC, but we can't really do a half step on redoing the vulnerability management, it's kind of an all-or-nothing, and we think that the work is going to be worth it, and this is gonna unlock a lot of interesting things for us going forward in the future.

A

So that's why you've you've heard about this for some time and we're still kind of talking about it coming in the next release, but we have highest confidence of all the other iterations that 12:9 is going to be able work, finally could be able to tie this off and remove the feature flag for everybody.

A

So let's go back to the planning board. The other direction item that we want to talk about is one that normally wouldn't get mentioned here, because so we we tend to label things with deliverable where we have a best faith. Commitment to delivering that work in that iteration stretch is more of a commitment to start that work, but not necessarily deliver it in the iteration. The reason that I want to mention this is number one.

A

It's something new and exciting that we're working on and number two I think it speaks to what a lot of the standalone film vulnerability object. Work will unlock for us, so project level, exportable security reports. Today, the security dashboards, particularly at the project level, give you a really good overview of any vulnerabilities found by our scanners.

A

Sassed dependency inside the gate lab application, and this is a really helpful resource, but one of the pieces of feedback that we've had from a number of our users and our customers is that you need these reports given to people, like maybe you're, like an audit and compliance team. These are non gitlab users and they don't have access to the information inside the dashboards. The dashboards are also not necessarily in the format that is most conducive to something that lets say.

A

An auditor would look at so in the spirit of really having an NBC, a minimum, viable change. We are trying to make the sort of the lightest touch way to get this information out into a user-friendly format as possible, and so that's going to take the form of the CSV export we're looking to export basic information. So this is not the the complete information available to the scanner, but you know basically what what scanner detected it? What is the vulnerability and additional details?

A

Severity and if there's a CBE present, so these are all going to be in a nice CSV report format that will be downloadable say directly from the dashboard itself. It's going up in the sub. So this is the project level security dashboard pretty much what it exists as it exists today, but there's now this addition of a new download button here. So when you go to this, the first time we'll have a little bit of indication of hey, you can visit something new.

A

You can now go ahead and download a CV CSV report and you get a nice little tooltip here, but so, basically, what this is going to do is it's going to export everything that appears in the project level, security dashboard. So this is across all the severity levels. Now the user, of course, is going to be free to filter. You can sort, you could remove rows as you need, because this is just kind of the NBC. It is a preview of what our kind of long-term vision for reporting.

A

This kind of information is which we would eventually like to see if you're applying any sort of filtering. Let's say by severity type, then the report would only reflect the filters that you have applied in the UI CSD. While you know it's very handy format for getting the data out may not be necessarily the most conducive for just turning it directly over to somebody like an audit and compliance team. So we eventually want to take a peep.

A

You know step beyond this and go to something either in place of or in addition to like a PDF report, so something that's nicely formatted that has the same kind of information but looks more like an actual kind of an audit in compliance, or you know a security report export. So again, this is a stretch goal. This is not something that we are committing to releasing in 12:9.

A

It may very well make good progress or could even potentially be complete, but I just wanted to share this, to show some of the other things that were working on kind of as a fast follow to the first-class vulnerability work and give you an idea of where we hope to take some of this in very near future, with the threat management and the vulnerability management of the product. So thanks for watching and we look forward to maybe twelve nine release.