From YouTube: GitLab 12.9 Kickoff -Defend:Threat Management
Description
12.9 release kickoff for Threat Management covering the MVC for First Class Vulnerabilities and Exportable project-level Dashboard reports.
Hi, I'm Matt Wilson, senior product manager for the Defend stage, and this is the 12.9 kickoff video for the Threat Management group. I'll go ahead and share my screen here and, see, we've done so on 12.9. You'll see an old friend at the top there. If you've watched the last couple, maybe three, of these videos, you'll see that we're still talking about the MVC for standalone vulnerability objects. Now, I want to say that this is not typical of what you would see for an MVC, or a minimum viable change.

This is a bit of a different situation. So the vulnerability management work, the standalone vulnerability objects, is really a redoing, an extension of the way that findings and vulnerabilities are handled today in the application. So this is part technical debt and part net new functionality, and it's a lot of architectural changes. Part of this means that, as we've been going through this in the last several iterations, we've been uncovering more and new areas where we actually have to kind of update to this new model of working.

Now the takeaway is this: this is gonna unlock a lot of capabilities for us to sort of move faster and offer more powerful functionality around vulnerability management in the application that we can't do with the current model. So we need to make sure that we take our time, and it's kind of an all-or-nothing. Everything has to be done at once, and so this work is sitting behind a feature flag so that, when we are able to tie off all the work and release it, we will have everything kind of all at once. So this includes the security dashboards, as well as the security widget and the MR widget, and the vulnerabilities themselves.

One of the biggest changes is that you will no longer see just a little modal pop-up of vulnerability information. These will actually be... so, the kind of first-class portion of that is they are their own object type, similar to an issue or an epic, where you can actually link directly to them. They will have a U... each one will have a unique URL, and so it is something that you're gonna have a lot more flexibility in interacting with.

I just want to point out, so, part of the changes that have been going on: you'll see we have 26 related issues. The things in blue are things that we've already finished off. We have a few things that are in green that are still open, and a lot of these are being worked in this particular release or being tied off, and we're still at the very tail end of the 12.8 release. You'll also notice that we've had 26 merge requests; all but one of them have been already merged and accepted against this particular project. So this is a lot more work than you would normally see in a typical iteration, or what we would call an MVC, but we can't really do a half step on redoing the vulnerability management. It's kind of an all-or-nothing, and we think that the work is going to be worth it, and this is gonna unlock a lot of interesting things for us going forward in the future.

So let's go back to the planning board. The other direction item that we want to talk about is one that normally wouldn't get mentioned here, because we tend to label things with Deliverable where we have a best-faith commitment to delivering that work in that iteration. Stretch is more of a commitment to start that work, but not necessarily deliver it in the iteration. The reason that I want to mention this is, number one, it's something new and exciting that we're working on, and number two, I think it speaks to what a lot of the standalone vulnerability object work will unlock for us. So: project-level exportable security reports.

Today the security dashboards, particularly at the project level, give you a really good overview of any vulnerabilities found by our scanners, SAST, dependency scanning, inside the GitLab application, and this is a really helpful resource. But one of the pieces of feedback that we've had from a number of our users and our customers is that you need these reports given to people like, maybe, an audit and compliance team. These are non-GitLab users, and they don't have access to the information inside the dashboards. The dashboards are also not necessarily in the format that is most conducive to something that, let's say, an auditor would look at. So in the spirit of really having an MVC, a minimum viable change, we are trying to make the sort of lightest-touch way to get this information out into a user-friendly format as possible, and so that's going to take the form of a CSV export. We're looking to export basic information. So this is not the complete information available to the scanner, but, you know, basically what scanner detected it, what is the vulnerability and additional details, severity, and if there's a CVE present. So these are all going to be in a nice CSV report format that will be downloadable, say, directly from the dashboard itself.

It's going up in the sub. So this is the project-level security dashboard, pretty much as it exists today, but there's now this addition of a new download button here. So when you go to this the first time, we'll have a little bit of indication of "hey, you can visit something new." You can now go ahead and download a CSV report, and you get a nice little tooltip here. But so, basically, what this is going to do is it's going to export everything that appears in the project-level security dashboard. So this is across all the severity levels. Now the user, of course, is going to be free to filter; you can sort, you could remove rows as you need, because this is just kind of the MVC. It is a preview of what our kind of long-term vision for reporting this kind of information is, which we would eventually like to see: if you're applying any sort of filtering, let's say by severity type, then the report would only reflect the filters that you have applied in the UI.

CSV, while, you know, it's a very handy format for getting the data out, may not be necessarily the most conducive for just turning it directly over to somebody like an audit and compliance team. So we eventually want to take a, you know, step beyond this and go to something either in place of or in addition to, like, a PDF report, so something that's nicely formatted, that has the same kind of information but looks more like an actual kind of an audit and compliance, or, you know, a security report export. So again, this is a stretch goal. This is not something that we are committing to releasing in 12.9. It may very well make good progress or could even potentially be complete, but I just wanted to share this to show some of the other things that we're working on, kind of as a fast follow to the first-class vulnerability work, and give you an idea of where we hope to take some of this in the very near future with the threat management and the vulnerability management of the product. So thanks for watching, and we look forward to the 12.9 release.