Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Secure Stage / 5 Feb 2019
GitLab / Secure Stage / 5 Feb 2019
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Secure Stage Update - February, 2019

Description

In this video we present our vision for the Secure stage, and which is the roadmap for the next months.

You can read more on https://about.gitlab.com/direction/secure/

A

Hi I'm Fabio product manager, gillip in this video, we'll go through the vision for the secure stage and the roadmap for the next releases. Let's start with a brief overview of the stage and which is the vision for the next year. Gillip covers all the stages in the DevOps life cycle. All the stages from plant to monitor all the stages in one single application. Gillip also includes a secure stage. The secure stage makes applications built and deployed with Gilla, more secured by checking for vulnerabilities during the entire development lifecycle.

A

The main goal of the secure stages to make security easy and accessible to anyone. Security tools are often hard to set up and manage, or sometimes people just don't focus on security, because it's not their top priority until it's too late having security automatically integrated in any pipeline with no configuration helps to unboard people and to show which is the potential of this area. The features provide support for the cheesemakers. They don't replace them. Users have their final call on triaging vulnerabilities and taking action to remediate them.

A

Security is not a black and white thing, and it may highly depend case-by-case, provided feedback is actionable. Users can look at the high level security series of their projects and then drill down into specific vulnerabilities. They can start ammunition processes and follow the complete flow until a fix is deployed all in one single interface, all in one single application, collaboration between different departments is easier with Gil. Add features are designed for both developers and security professionals, even if they use different views and flows.

A

They work on the same data and there is a single source of truth. No matter which is your role. Gillip will give you what you need in 2019. The secure stage is focusing on the following product categories: categories are organized into groups. We also have other top-level features that are cross category, but deserve to be mentioned. As critical components of our vision is a static application of security passing.

A

It checks the source code to verify that it has no well known vulnerabilities, for example, coding errors like buffer overflows and insecure function, calls are detected by this type of test. Our goal is to increase the list of supported programming languages, to make the experience, even better developers may unintentionally commit credentials and passwords to their repositories. In some cases, this means that their values will be publicly accessible to anyone.

A

Signal detection aims to spot this data, for example, authorization keys to exit a production environment after the detection users can be aware of the problem and revoke liquor credentials. Our goal is to introduce support for this new category and integrate for results in existing security reports.

A

Modern applications include public libraries, very often, dependency scanning part of software composition, analysis checks, security, advisories for third party dependencies and packages reporting. If they contain known vulnerabilities, this helps developers to upgrade them to newer versions that fix the flows. Our goal is to have more package managers to the supported list and to shift left this checks, even more even before code is committed to the repository.

A

The second category of software composition. Analysis is license management, even if not strictly related to security. It deals with third party components that may introduce compliance problems. Defining policies for approved and blacklisted licenses is critical to ensure that the final application can be released to the public.

A

Our goal is to make very easy for project and group owners to define policies, so developers know in advance if their changes can be accepted or not once the application has been deployed, gillip can perform an application test that emulates a real attack, dynamic application of security testing can target applications written in any language to get early results. Gilad can target review apps and provide feedback in the merge request. Widget even before code is approved and into the master branch.

A

Our goal is to support multiple approaches for dynamic application security testing like quick scales to fit in pipelines. Well time is a critical aspect.

A

Interactive application of security testing is an advanced technique that mixes dynamic attacks and runtime inspection to get more information about possible vulnerabilities triggered by remote requests. While the dynamic scan is running, a local agent monitors the application behavior spawning unexpected errors and flows that could be leveraged by attackers to get access to sensitive data. Our goal is to develop the technology needed to provide this feedback and to cover the main programming languages.

A

Fuzzing is another new product category that we want to start in 2019. It consists in creating a huge amount of arbitrary random payloads and to send them to the running application, as opposed to standout dynamic analysis. Fuzzing can test the app behavior we done expected inputs. Our goal is to have a fuzzing as an additional advanced type of dynamic scan that users can leverage for specific sessions that don't have time-sensitive constraints, printing or scanning scans docker images for well-known, secure components that may be part of the base image used to wrap the application.

A

Even if the app code doesn't contain any security flow vulnerabilities in the deployed container, make the entire environment insecure and exposed to tax. Our goal is to improve the information available to developers and to deeply integrate container scanning in the built in give-up container registry Auto. Remediation is a cross category feature that aims to provide an automated solution to remediate security. Vulnerabilities gilliam will automatically check, detect, fix, deploy and monitor the new version of the app notifying users about the process and in case manual actions are needed.

A

Our goal is to ensure that the flow can be fully automated and that the highest amount of vulnerabilities can be addressed by this flow. A security dashboard is the primary tool for security, directors and engineers to monitor and star remediating security.

A

It gives a high-level view of the security status of a group allowing drill-down capabilities and statistical data to track how the security process is performing. Our goal is to provide more insights, to better understand performances of the security process at the instance level, and support to first class management of vulnerabilities from detection to solution. You can find more details and additional information in the private category page of the gillip handbook. Everyone can contribute with comments and proposals in epics and issues where these categories are discussed.

A

Anything else please welcome the defense stage. Defend is a brand new grab up stage that, along with secure, completes the security coverage of the development lifecycle. It focuses on the up side protecting the polite applications and cloud environments. Even after the app has been deployed, it should be constantly monitored to prevent and detect real attacks. Security teams should be warned of potential threats, so they can mitigate effects and minimize the impact. Now it's time to see what will be released in the next versions of gala.

A

The planning is always subject to changes and you can check the direction page to be up to date with the latest decisions. He'll at 11.9 that will be released on March 22nd will include many interesting features. It will be possible to detect secrets unintentionally committed to the repository and to see results as part of the SAS report. This is the very first embassy for secret detection. Ultra mediation will reach a major milestone with the ability to create a multi-class that fixes a given vulnerability.

A

Making the entire remediation flow available in the gilliam UI SAS will be able to analyze multi model maven projects that are currently unsupported. This release will also include container scanning improvements. First of all, results will be available in the group security dashboard, along with SAS and dependency scanning. We will increase details of container scanning vulnerabilities, making easier to identify the problem and to fix it.

A

Starting with this release pipelines, job definitions will be available officially, as include templates for all the security features. They should be used at when adding security jobs to pipelines, so they can be upgraded automatically when a new version is released on April 22nd July 11 Burton will be released. It will contain the first iteration of runtime application security, one of the categories of the brand new defense stage, the web application firewall included in the Ingrid's controller for kubernetes, will provide the first layer of protection against external attacks to deployed applications.

A

This release will also include the first iteration of the integration between container scanning and the gillip container registry users will be able to check security status from the register page. When available, we will add decibel abilities to the group security dashboard. This is the last missing piece to make the security findings available to security engineers. Sales will be also improved with the addition of a new analyzer for projects using the typescript language. It will be automatically available to everyone that already has cells capabilities enabled for their projects without any specific change.

A

Last release before the numerator version is gilliam 11.11 that will be available on May 22nd. The first improvement is for dynamic application security testing. We want to make active scans available, so users may have more accurate results on environments where this kind of attack is not impacting stability of a production environment. On the same topic, we also want to introduce the rammy scares on the master branch for out to DevOps. This could be risky since it may impact the production environment so will ensure that the behavior is not bringing the main site down.

A

The security dashboard targeting security directors and engineers will be available. At the instance level. Users will be able to monitor any project and group in their guerrilla instance, and it will be easier to keep everything under control. It will also be possible to forbidden during a change that is introducing a new license that has been already blacklisted in the project. This will prevent accidental merges that would drag compliance, creating possible legal and management problems for the app in this release. We'll add a second iteration for secret detection.

A

Users will be able to test the entire history of their repositories instead of just the last version available. This could be useful in some cases, even if it will may takes a lot of time to complete this option will be available as an alternative to the default flow.

A

Excellent here is what you will see in the next releases of kill app. Thank you for watching and if you have any question, please leave a comment to this video open, an issue in the Gila issue, tracker or just write, an email. We love talking with people about our plans and we really value any feedback, allows to better understand how to solve real problems. Good bye and stay tuned for the next video.