From YouTube: Secure Section Group Conversation (Public Livestream)
B
Hello, everyone. Good morning, good afternoon, good evening, depending where you are. If you're watching the recording, whatever time it is where you are while watching it. My name is David de Santa rector of product for the secure and defend state. Just here at github kind of get us kicked off here, I'm going to hand it off to said to vocalize his first question.
C
It mentioned air-gapped and offline networks and we had a, we had a call last week and we determined that air-gapped offline networks make it seem that GitLab has to function on its own. Well, it, there might be a possibility that the users don't think it lab should function on a tone, but it should use internal registries like internal and BM and jam registries instead of external ones. We, that we're not sure yet, we need to check with the user.
C
That makes sense to me. Maybe it's good to have a definition and say, I think offline network, does it make sense? Simply air-gapped makes sense to me, but maybe we should define air-gapped as, as being not that good lab is on its own. It just can't access the broader Internet and that you can't assume there's internal registries available. Yeah.
B
And that's a good point. So awfully network was added on to the original epic, because customers wanted to be able to upgrade without connecting the internet, but I agree. I think we could just remove off line and just call the air-gapped, not a definition. I'm sorry, Nicole, you're gonna say something.
E
E
E
There's, there's a couple sort of pieces to that, which is, well, the primary one being with, with 12 8 how we were doing it. We were, we intentionally, we're trying to get cut back up for our tech debt work. So not a, not a great answer. There's probably other aspects to it that we haven't fleshed out yet, but that's, that's sort of the, when you roll all that together, that's, that's what happened. Thanks.
C
B
So wait, Wayne, I, from my quick skimming, looks like he answered it properly. So section is an internal term, I get love, and so we have sections that have multiple stages. In the case of secure and defend sections prior to this mergers, each only had one stage with the same name, so we moved those stages into one section, but you can see this with other sections as well, like dev, I think, has three or four stages that make it up.
B
B
The security dashboard, and somebody can correct me if I'm wrong on this, I'm pretty sure that the, today the security dashboard includes findings from the secure test. I think the long-term goal, and if Matt, Matt's on PTO, so we haven't confirmed this by believe he intends on also having the defender items show up there from the operation side. So it still be one single dashboard. He is working on reporting and I
B
think actually I should say Sam way, he's on the calls, working on improving the reporting of each of the individual categories, but I think long term, Matt or, I'm sorry, Sam, you correct this, but I think you and he are talking about also having those findings show up on the dashboard if there's like an alert of some sort.
B
H
Thanks, yeah, and I'm still, still flushing this out, but I will update my comment in the doc. Essentially I feel the term air-gap has come up a lot and part of the value of it is for discoverability, but really air-gap, there is a very clear definition of air gap and it's a network that is physically isolated from insecure networks, and insecure networks include the internet.
H
However, if, if we really keep focusing all of the issues and epics and things on air-gap support, I worried that these solutions will apply to people running an offline or closed networks or even a firewall, where there's an implicit deny all rule, but they won't find these solutions if they're searching for offline or closed network or firewall, because we do kind of settle on the term air-gap. So how could we expand? I?
H
B
B
We would also say this also works with following use cases, because I, I agree with exactly we just said. If you address air gap environments, by definition, you're now supporting offline networks and the other components that be therefore outside of financial and, and you know, federal based accounts. It, is there anything you want to add to that, Nicole? I know you're still typing.
B
Okay, are you good with that, Craig, before we go on the next one? Perfect.
E
Yeah, so I just got off the, last week, I met with a prospect, and we were talking through how there's a lot of value and get lab kind of merging a lot of different teams and getting them apartment that development lifecycle, and I showed them both the security dashboard, which they loved. It was a really great example of being able to pull in all those results, but I also showed them the operational error tracking integration with Sentry, which they thought was really useful too, because from a security standpoint, you know, first line of defense.
E
If you're getting application errors, there's a good chance that there is a security incident that could be imminent, right. I met with another customer who is also talking about, hey, like, I would love to be able to see when a developer is attempting to push to a protected branch, and then you're not allowed to. Where are those failures at? So, you know, pulling up auditing. Do we have any hopes of getting kind of from an auditing perspective for the, the actual repository and the, the project, as well as the application monitoring and error reporting?
B
B
But I will say we're just like on the precipice of starting to get defend outside and minimal. A good example of that is we just moved to network security to minimal, and I know Sam has an aggressive plan to get that closer to viable over the next several months, so there's a chance that Sentry would become a place where you may want to expose alerts.
D
B
So I think the example I gave on one of these a while ago was like, let's say, Tim, you know, you're, you always do pulls and, you know, you're located wherever you live, and now you show up halfway around the world and you're doing pushes. Like, that would be then alerted on, that your behavior has changed a long term. I know that Matt wants to get into blocking, having a blocking mode for that.
B
B
Have several customers who are essentially begging us to speed up, holding on, they're worried that they don't have visibility into what users are doing within the application. The second part, we're doing it for the users environment, so their application or service that they're building with us, and we're calling container behavior analytics to kind of be in line with the industry. So it's a nice combination of anomaly detection, threat activity and, like, heuristics data, to be able to say, hey, something bad's happening with your application. Yeah.
E
B
And then I would say, and it's what Wayne is typing, but yeah, I mean, please reach out to the defend team if you have examples of things they want to look at. I don't have, I don't think it's in this group conversation, you might have in the previous one. I'll make sure I can send you a link to something where we are showing, like, here's the MVC for it or initially shooting for, but that would love to talk to any customers.
B
You're talking to. We're just starting to get more engaged of customers on defend. I know Sam again, who's on the call, he's been very happier the last two weeks in engaging customers on his roadmap. I know Matt would appreciate it. Yes.
I
B
A
Yeah, so a lot of my customers are very compliance oriented, and having the maintainer be in charge of things like environment variables for every single environment, things like that, means that, in order to get any velocity out of the gate lab system, they need to give that to the developers to manage their own kind of product. But then they have production environments, they have higher-level environments, but they don't want developers being able to touch. They have separation of duties, separation of concerns, sorts of boundaries, and so my recommendation so far has been like maintainer.
A
The maintainer dynamic is great for open source projects and things like that, where the internal team manages that and then external contributors are developers or something else, but inside the walls of your organization, you want a project that's specifically for the developers and a separate project for the ops team that has like the icy code and other sorts of deployment methods that can need to be held back from developers.
A
The developers can't change production. Is there, like, they all kind of march down the path of, you know, we'll just me, we'll just keep maintainer for ourselves and then let the developers be developers, and then that pattern causes these sorts of difficulties, and so creating a separate project works around. It, is there, and is there a better solution that we can build in or something on the roadmap that may address this sort of thing? Yes.
B
G
Yep, I'm trying to type. Talk with Jeremy Watson recently, he's over access, and they do have a few different items on their roadmap to get towards more granular permissions. It sounds like near-term there, at least, you know, they're definitely taking an MVC approach, which is great because it means we'll get something out sooner rather than later, and, you know, again, I would defer to Jeremy for a more official statement of his roadmap, but it looks like at least near-term, in the next couple milestones or so, we should start to see at least some changes there.
A
B
B
I started telling what you were saying, but if you can finish it be great. Okay, and then I guess on the next one is Ethan. Do you want to vocalize your question? Sure.
J
B
B
What we're looking to do is be able to displace competitors. As part of that, that includes both feature set as well as usability. In the case of things like SAS, I know we're looking to improve code coverage, we're looking to begin to eliminate false positives, and then dependency scanning, I know Nicole's looking to also cover more languages, so I guess it kind of go down the list, well, at each of the PM's and any closer that, I can't see everybody's online, so I'm Taylor, you own the cold.
K
For SAS right now we're working on developing epics that will fully track out all of these items, but at a high level, largely getting our scanners that we do have today updated and continuously updated. I'm considering expanding support for other specific languages that we don't have good coverage of today, reducing our false positive rates.
J
D
Dependency scanning, I'm hoping to improve our UX score, because it's not that great right now, and I would like to the suggested solutions to be more frameworks than just the one we have supported today, and then also increase overall language coverage, and I'm also wanting to make sure that we have a competitive main feature set with at least one competitor.
B
Yeah, that just leaves TAS, and I did a quick scan. I don't see Derek on the call, but we can ask him to follow up and put notes in here, and I know at the high level Ford asked, I know it's limiting false positives. I know, I think that's on the call. I know Seth, if you have any additional call, you want add Ford asked. Yeah.
B
B
Yeah, well, the, the intent long timers did not have like 20-plus slides for our short group conversation. I wanted to make sure that everybody got to see the expanded view of what it meant to merge the two sections together, now have one unified security focus. I think sito said, I'm sorry, you added an additional
C
item, do you want to vocalize? Oh, it turned out to be, sorry, I just added. It gave really nice lights about who's in the teams. I wonder whether you were missing something from the product categories page. I'm, I'm trying, but it's gonna be hard to get everyone to work handbook first, and so the handbook should be the great source of true for that. But maybe, maybe the layout of the handbook is not understandable enough or something like that. I just was wondering about that. Oh yeah.
B
The only thing that isn't on the slides that is in the handbook or the internal categories. I didn't put those on here just because I did their internal, they're not really customer facing. Example of that is like the language specific component force asked, and then the two categories we pushed out of this fiscal year or the elements that it should be missing. Cool, glad to hear two product categories page adequate. Yeah, I was, I will agree with your comment, though. I think we could probably work on formatting it a little bit easier.