From YouTube: Secure Stage Strategy Review - December 2022
A
Hello and welcome to our December Secure stage strategy review. Just to get started: as you may remember, we recently made a reorganization of our groups and categories here in the Sec section, and so the Vulnerability Management group is now part of Govern, and in the Secure stage we have Static Analysis led by Connor, Dynamic Analysis led by Derek, Composition Analysis led by myself, and then the Vulnerability Research team that's headed up by Hillary.

A
So today we'll be walking through a roadmap and direction for each of these areas. Just as a reminder, all of our roadmap items are subject to change, so please do not rely on any of that information for purchasing or planning purposes. Just to get started with the composition analysis area: in the last six months, we've released a number of features to help improve our support. We've added everything from FIPS support mode for Java to the ability to ignore npm development dependencies.

A
We recently added support for Gradle 7 for license compliance, and then, lastly, we added GA support for operational container scanning, which is a feature that was in the works for quite a while. But it's now ready for production use. It allows users to install the GitLab agent for Kubernetes and then scan their production environment for known vulnerabilities in their container images.

A
The new model allows users to run just the container scanning and dependency scanning jobs to produce a software bill of materials that then gets ingested and stored in the GitLab database. Our plan is to also bring in the advisory database as well as a license database, so that we have all of that information there in Postgres, and then we can do both vulnerability matching and license matching right there in Ruby, so that users don't have to run scheduled scans to keep their vulnerabilities up to date.

B
Great, thanks, Sam. We have a lot of exciting stuff across the categories in static analysis, including SAST, secret detection, code quality, and IaC scanning, which is resident as part of SAST but which I like to treat separately, since it has a different user base.

B
So, a lot of highlights. Starting with SAST, we're really expanding our use of Semgrep-based scanning, and that includes adding support for C#. So as a reminder, Semgrep coverage means that we have validated support through Semgrep, and we've combined the rules, or we've managed the rules, in a way that allows us to deliver coverage that we support and we stand behind.

B
This replaces an error-prone analyzer called Security Code Scan, but currently they're running next to each other; we'll revisit that as we hit the .0 release, 15.0. We're also working on additional Semgrep-based scanning conversions. During the last few months we've also streamlined our analyzer coverage, so we've moved from other analyzers, Bandit, ESLint, Gosec and SpotBugs, to Semgrep-based scanning for a list of languages: JavaScript, TypeScript, React, Python, Go and Java.

B
So this takes out false-positive-prone analyzers, and ones that were hard to set up, like SpotBugs, and replaces them with Semgrep scanning, which doesn't have those same kinds of requirements. Another great benefit of Semgrep-based scanning at GitLab is that we maintain the rule set, versus the upstream open source project; doing so, we're able to tune those in response to customer feedback.

B
We've already had the opportunity to do that a few times during the last few months. And finally, a long-requested feature for customers and field teams: there are the latest versions of the templates. As a reminder, stable is the default one that you should generally use, and then there's a latest one, which can have breaking changes in between the .0 releases and which iterates over releases.

B
So the latest templates now support scanning MR pipelines natively, so they will try to run in the MR pipeline and they'll also make sure that they're not running duplicates between branch pipelines and MR pipelines. This is actually supported across all the scanners, and it's documented in the documentation for the Secure scanning area. So a lot of fun in SAST. Now, secret detection.

B
One of the most interesting highlights is that we have started a beta for automatic personal access token revocation. When someone leaks a GitLab credential into their code base, especially if it's on gitlab.com, it can be a very big deal, and we know that for both our customers and for GitLab.

B
So we started a beta to revoke those tokens when secret detection discovers them. In IaC scanning, we're working to streamline that user experience again, so we've removed things that KICS added that weren't really helping our users and were actually causing different kinds of bugs and worse performance. So we removed secret detection rules from KICS in the way that we ship the KICS-based analyzer.

B
This is something you do have to update the template for, so make sure to get your account past that 15.3 boundary to have that happen by default. And code quality: a really long-running task, for which we want to credit Pipeline Insights for doing a lot of the work there, is that we enabled support for multiple reports in the diff view, and now using more than one tool is a lot easier; combined tools like these will show up everywhere.

B
Previously they only showed up in the MR widget, and it would pick one of the tools to show in the other views, which obviously means that people weren't adopting those multiple tools. And, really exciting, this was already being dogfooded in the GitLab documentation build, so if you wrote English that has some errors, you'll see that in the changes tab of the MR, and it's also being used in the internal handbook with markdownlint.

B
Now looking forward across the same categories. I'll try that again, in SAST: so we've been investing a lot in moving things to Semgrep-based scanning. But that's not where the story ends. We are expanding that further with more languages, Scala, PHP, likely Node.js after that, but also investing in our proprietary technology.

B
That's been in the background for a long time, so we're expanding that in the way that it's used today, for false positive reduction and for advanced vulnerability tracking, but also looking to expand it into new use cases. For this, in some ways a stepping stone toward that proprietary technology from the UI side: the code quality view lets you see those errors right in the changes tab, but SAST findings don't show up there today.

B
So the next step is to put SAST findings in the diff view, which would be a really nice optimization on the developer experience. And then we know that people want to customize the rule sets that they're using for scanning.

B
So we're looking for an MVP iteration to allow people to manage that at a group level. Now to secret detection: that PAT revocation feature I talked about, we're going to be enabling that across all of gitlab.com and self-managed. We will be communicating more about that, including a blog and other announcements, so the customers are ready and they know what to expect. We're also adding new partners for secret revocation. Previously we've supported AWS.

B
Our mutual customers, who use both the partners and GitLab secret detection, will be better protected once we expand our set of partners. And then the secret detection experience can be a little bit clunky at times, in certain circumstances; we're working to streamline that, but also in the background working to design how we can be on by default and sort of, in the background, always protecting users, regardless of whether they've been able to set up a certain pipeline feature. Then for IaC scanning:

B
There's a lot of rules that come in from upstream, and users often prefer one set of them or the other. We're exploring options for how we can do better customization for people who want to bring their own ideas to IaC scanning. And note: we've now documented an existing feature that had gone undocumented, about the fact that you can disable rules if you don't like them, and you can customize them out, the same as you can in SAST and secret detection.

B
Then for code quality, one of the biggest pain points is the scanning process through the open source tool Code Climate. So we are working to deliver a new, bring-your-own-tool-oriented scan ingestion system that lets people use the developer tools they're already using, like ESLint, things like that, the ones people have already integrated in their CI pipeline, but helping them up-level that experience to be in the MR widget, the pipeline view and the diff view, the changes tab, as well. So they can have a nice tight loop within GitLab that shows the value of scanning and bringing all your results together.

B
So a lot of interesting stuff coming up in static analysis land. But let's talk about when the code starts running. Derek, on to you.

C
Thank you, Connor. All right, we'll look at dynamic analysis and what we've done in the last six months. So the first thing was that we completely redesigned the workflow for the configuration process, both for DAST in the CI/CD pipeline as well as the on-demand DAST. So we rebuilt that from the ground up and added in a lot more functionality, so that you aren't switching context and that things like site and scanner profiles are created within the same context of the configuration UI.

C
Then we also added a new analyzer for DAST API. So this DAST API analyzer has been around for a while on CI/CD pipeline scans, but we were able to incorporate it into the on-demand DAST API scans now, which has opened up a whole lot of functionality for us, including using Postman collections and HAR files, in addition to things like OpenAPI specs, to define your API scans.

C
This also added the ability to scan GraphQL. So with GraphQL, we already supported it in the CI/CD pipelines, but we did not support using a GraphQL schema. So, with this new feature, we can now ingest your GraphQL schema to automatically define any GraphQL scan that you would want to do, and this is supported on DAST API and API fuzzing.

C
So, looking at the browser-based DAST analyzer, we got all of our passive vulnerability checks built into the browser-based analyzer, so that has completely replaced the legacy DAST analyzer passive checks for any scan that has the browser-based scan active. And then we have improved the speed for DAST API and API fuzzing. We did a lot of optimizations and maintenance on the code and were able to significantly improve the scan speed with that. All right.

C
So looking at the roadmap, we will be releasing the browser-based DAST analyzer as GA in this upcoming milestone, in 15.7. So that means that the authentication service, as well as the crawling, the spider, and the passive vulnerability checks will be released as GA. The active vulnerability checks will still be performed in the legacy DAST analyzer, but as we create new ones and release those, they'll be automatically added to the browser-based analyzer.

C
One big thing that we are working on right now is API discovery for Java Spring Boot applications. So this is something that we have seen has been a big blocker for adoption in API security: the fact that a lot of people don't have a specification or Postman file or something that they can use to define their tests.

C
So we want to build that up for our customers and then pass that over to API security for DAST API or API fuzzing, and we're starting with Java Spring Boot applications, but we'll expand it out to other languages and frameworks. Past that, we will be adding support for site validation for on-demand site profiles in the drawer that pulls out from the configuration screen. Right now, you can select and build new site profiles there, but the validation is still done on the profile library.

C
So we're going to be adding support for validating it directly from that drawer. We've also been looking at adding pre-scan validation for on-demand scans. This will allow you to go ahead and hit a button to check that your configuration works and is going to authenticate correctly, and that your site can be crawled, before you actually run the job. So it'll be a quick check to make sure that everything works and nothing is broken in your configuration.

C
And then, looking at what we're doing with browser-based DAST past the GA, we'll be adding in those active vulnerability checks, like I said, but then we're also going to be adding multiple authentication improvements. A lot of these things have come from our beta customers using browser-based DAST.