From YouTube: Secure & Defend Monthly Release Kickoff - 13.5
A
Hello, everyone, and welcome to the Secure and Defend monthly kickoff call. My name is David DeSanto, director of product for the Secure and Defend section. I'm joined by all of the PMs as part of this section, and we want to share a lot of great updates; they're coming out with 13.5 and beyond. So before we get started, I just want to take a moment and acknowledge what's going on in the world today. Here are three shots from NASA on the impacts of the wildfires in the U.S.
A
It's a big problem. Our hearts go out to everyone who's impacted. You can learn about how you can help by visiting the Red Cross website or any non-profit disaster organization of your choice, and again, our hearts go out to not only the GitLab employees impacted, but everyone who's impacted by the wildfires. To kind of dive in, we're going to focus primarily on the two stages, Secure and Defend. You can see them highlighted here.
A
Secure is continuing to grow and expand, and last time we talked a little bit about our new category, fuzz testing. But you can see we have a full complement of categories and lots of updates related to them. Our three strategic objectives for the current fiscal year: we achieved the first one. Again, it was offline environment support, and that MVC shift in 12.10.
A
We're currently focused on the last two. Our application security testing leadership: we initially had a target at the end of this fiscal year; looks like we're going to be closer to mid next year and into the early fall. That does not mean we're not delivering value to you today. We're continuing to provide value, and there's a lot of great updates from the team today, but we're a little bit behind that original target. And the final is dogfooding of Secure within our engineering organization, and I can't stress enough.
A
The value of this. I'm sure we'll have some updates related to this and items we're working on both in this milestone and future, but it's underway: security team's using it for their top 25 projects, and our development team has started, the security and Defend engineering team, and they've rolled it out to the majority of our projects. For Defend,
A
We've got three main categories here, nicely cascaded down the slide. Again, focus on two strategic objectives: we want to emphasize usability and convention over configuration, and we shipped our MVC event, with lots more planned coming out here. And then our second was visibility first, protection second. This one we're a little bit behind on, due to the fact that we're having to implement more than we were initially planning.
B
Hi everyone. So I have a very busy 13.5 planned for us, so let's just dive straight into it. We've got some focus on our AST leadership.
B
We're going to be adding support for our custom rule sets. We're actually building this right now. It will support all of our existing Secure analyzers for SAST, so about 19 different tools. We'll have a normalized rule format that you can pass into all of those tools. It'll also work for secret detection as well, so really allowing you to consistently interact and customize all of the SAST tooling that we use so that you can change the behavior of the rule sets, and this will particularly be useful for you.
B
If you want to stop running certain rules or even add new custom rules to detect things that are not part of our default rule sets. So really excited for that. It's been our top requested SAST feature, so look forward to that in this next release. I also am going to go ahead and share as we move to our next one. Let's see, there we go. Our next
B
One is really focused on following up with our move of secret detection and SAST to Core, which we completed last release. We're basically focusing on improving the usability of our SAST and secret detection functionality for non-Ultimate plans.
B
Today, we support a variety of tools. We're actually going to be rewriting one of these tools, or nodejs scan. There is a new version 4 of this that supports the new Semgrep mechanism for writing rules, and so we'll be updating our implementation of this to support the new v4 of that, which supports over a hundred new Node.js-specific rules.
B
And again, this will tie into the previous thing that we mentioned earlier about supporting custom rule sets, so you'll also be able to add your own rules to those. Also, we are, I'm very excited to say that we are working on integrating MobSF, which is an open source security scanner for iOS and Android.
B
This is actually part of a contribution from one of our customers, which we're very excited about, so look forward to, hopefully soon, having support for iOS and Android. All right, so, like I said, action-packed release for SAST, and now I'll hand it off to my other teammates to talk about their sections.
C
Let me share my screen and we can look at the few things that we have coming in. They're all based around the same area: adding configuration options and usability around the on-demand scans and the profiles. So the first thing that we're adding is the site validation options for the site profile.
C
The second thing that we're working on is adding more options into the scanner profile that was introduced in 13.4. So in 13.4, you're able to specify the spider timeout and the target timeout. We're adding in options to select whether it's active or passive scan, turning on or off the AJAX spider, and debug messaging.
C
And the final thing is that we are adding in more options within the site profile: being able to select whether it is a website or API, adding the excluded URLs and additional request headers options, and adding the ability to enable authentication so that you can scan the websites that are hidden behind an authentication URL, which you can specify here, as well as the username, password and the fields that are used for that. Or if it's a REST API, you can use the request headers to copy in tokens and validate authentication that way.
D
Hopefully I shared the right thing. So as part of our AST leadership, we're working to make everything, kind of continuing on with the theme, more usable, and actionable insights when we do find something for you. So this little tiny bit right here: autofix solutions, three ready for review. Over the past few releases, we've been working hard to introduce an auto-remediation bot, which will take these suggested solutions for your dependency scanning and your container scanning and be able to automatically create that.
D
This is going to be around for one or two releases, and we're doing a bunch of behind-the-scenes work as well, which is related to upgrading our tooling, reducing bugs, reducing technical debt, which I always spend about half the time of my developers on, because in order to be an AST leader, I feel we need to be reliable and stable. So we're going to continue that through the remainder of this year, and I will hand it off to fuzzing.
E
One of the things we're focusing on in 13.5, though, are some foundational steps that we need to complete to be able to expose that data inside of the security dashboard, inside the security tabs, along with all the other scanners that you use from Secure that you're used to seeing. So we're going to be focusing on that for the coming release. We're also going to be really focusing on enhancing our documentation to make it more straightforward to get started with API fuzz testing.
E
We have a number of other projects that we're working on, but we're not quite confident they're going to ship in 13.5. So I'm excited to talk to you all again in probably about a month or so, when we have our 13.6 plans nailed down, and with that I will pass over to Matt to talk about Threat Insights. Thanks.
F
So, for the last several iterations, the main focus has been on the security dashboards, the vulnerability lists. So we've actually made a lot of progress on this. We're getting very near to the end of that work, and a lot of this is what we would consider foundational, so making sure that the right information is available on the screen so that you can take the right actions quickly and efficiently. Some of the highlights to call out, and this is actually a test project liveon.com.
F
Some of these features you will see already rolling out in the 13.4 release for self-managed. Detected date is something that was, I think, the top request from our own internal apps. That came so you can actually see when something was actually first detected, like things that might be sitting around for a while.
F
We're going to continue to build onto this and add sorting. So that's something, another highly requested feature, which is going to make it a lot easier, combined with these filters, to just drill into looking at exactly what you need to accomplish the task at hand. Other little minor enhancements, like these numbers right here, currently don't update dynamically when you change the filtered view, but eventually... well, actually, looks like it already went live. I take that back.
F
So previously the vulnerability reports on the group and the instance level were constrained because there wasn't a lot of horizontal real estate. We're finishing up splitting out the old security, the instance-level security dashboard, into what we're kind of calling a security center. So there's now dedicated places for these things, so the dashboard can now grow over time with other widgets that are not just related to vulnerability management, but the security stages in general.
F
One thing that we have not finished yet: you may have seen, noticed, the visualization widgets that I just showed on the security dashboard. We're replacing that with something a little bit more interactive, so you'll have a lot more control over your trends over time with the vulnerabilities. This is actually, this is a prototype or a mock-up, but these will be clickable, so you can actually adjust the data series and the time slice in real time to get a better understanding of your data.
F
It seems like a small little addition, but I think this is going to make a huge impact. Similar to what Nicole showed, right now you can't tell when the last pipeline was run or if there were any issues. So knowing when the last pipeline ran on the default branch is critical to know if your vulnerability, your list at the project level or group or instance, is up to date. So by adding this you'll be able to see not only when it last ran.
F
So that was the show. Those are the visuals. And really quickly on the tell: we do have a lot of other things that are not going to be visible on the front end necessarily, but we are continuing to build out the GraphQL API. So vulnerability management is trying to be GraphQL first and make sure that everything that you could do on the front end is supported on the back end. So some of these filtering, sorting capabilities, getting individual vulnerability details, are things that we'll be adding over the next couple of releases.
F
Just like you can mention an issue or an MR by using a special character and then the number, the ID of that, we're going to add that for vulnerabilities as well, so that you can, in an issue, just drop a link to it very quickly. So that's another item to expect over the next couple of releases. And with that, that is, that's it for vulnerability management, because I'll pass it on to Sam White and Defend.
G
Awesome, thanks Matt, looking forward to those improvements. In Defend, we currently don't have anything big planned for 13.5, but I wanted to highlight some of the work the team is doing in line with our theme about visibility first and protection second. Right now, alerts are really hard to view for Defend. Really they're represented as logs, and to get to those you have to log into the Kubernetes cluster and basically parse through a text file manually.
G
Adding an action will let you send an alert to GitLab. So again, this lets you bring down that mountain of a blog to just those items that are actually interesting and need a person, a human, to go and review them, that actually constitute an alert. Once you do that, once the alert fires, it will show up on an alert dashboard similar to this one, where you can then move the status around, change the status or optionally dismiss it. And that's what we have planned in defense. David, I'll pass it back to you.
A
Thank you, everyone, for going over the highlights. Again, if you're watching the video, thank you very much for taking the time to hear our updates. We look forward to continuing to give you amazing security features and improvements. If you have any questions on anything anybody went over, feel free to comment on the issue and we'll get right back to you on it. So again, thank you, everyone, and have a great day.