From YouTube: Secure Stage Update - February, 2019
Description
In this video we present our vision for the Secure stage and the roadmap for the next months.
You can read more on https://about.gitlab.com/direction/secure/
Hi, I'm Fabio, product manager at GitLab. In this video, we'll go through the vision for the Secure stage and the roadmap for the next releases. Let's start with a brief overview of the stage and the vision for the next year.

GitLab covers all the stages in the DevOps life cycle, all the stages from plan to monitor, in one single application. GitLab also includes a Secure stage. The Secure stage makes applications built and deployed with GitLab more secure by checking for vulnerabilities during the entire development lifecycle.
The main goal of the Secure stage is to make security easy and accessible to anyone. Security tools are often hard to set up and manage, or sometimes people just don't focus on security because it's not their top priority until it's too late. Having security automatically integrated in any pipeline with no configuration helps to onboard people and to show the potential of this area. The features provide support for the decision makers; they don't replace them. Users have the final call on triaging vulnerabilities and taking action to remediate them.
Security is not a black and white thing, and it may highly depend on the case. Provided feedback is actionable: users can look at the high-level security status of their projects and then drill down into specific vulnerabilities. They can start remediation processes and follow the complete flow until a fix is deployed, all in one single interface, all in one single application. Collaboration between different departments is easier with GitLab. All features are designed for both developers and security professionals, even if they use different views and flows. They work on the same data and there is a single source of truth. No matter which is your role, GitLab will give you what you need.

In 2019, the Secure stage is focusing on the following product categories. Categories are organized into groups. We also have other top-level features that are cross-category but deserve to be mentioned.
A critical component of our vision is Static Application Security Testing. It checks the source code to verify that it has no well-known vulnerabilities; for example, coding errors like buffer overflows and insecure function calls are detected by this type of test. Our goal is to increase the list of supported programming languages to make the experience even better.

Developers may unintentionally commit credentials and passwords to their repositories. In some cases, this means that their values will be publicly accessible to anyone. Secret detection aims to spot this data, for example authorization keys to access a production environment. After the detection, users can be aware of the problem and revoke the leaked credentials. Our goal is to introduce support for this new category and integrate the results in existing security reports.
Modern applications very often include public libraries. Dependency scanning, part of Software Composition Analysis, checks security advisories for third-party dependencies and packages, reporting if they contain known vulnerabilities. This helps developers to upgrade them to newer versions that fix the flaws. Our goal is to add more package managers to the supported list and to shift left these checks even more, even before code is committed to the repository.
The second category of Software Composition Analysis is license management. Even if not strictly related to security, it deals with third-party components that may introduce compliance problems. Defining policies for approved and blacklisted licenses is critical to ensure that the final application can be released to the public. Our goal is to make it very easy for project and group owners to define policies, so developers know in advance if their changes can be accepted or not.

Once the application has been deployed, GitLab can perform an application test that emulates a real attack. Dynamic Application Security Testing can target applications written in any language. To get early results, GitLab can target review apps and provide feedback in the merge request widget, even before code is approved and merged into the master branch.
Interactive Application Security Testing is an advanced technique that mixes dynamic attacks and runtime inspection to get more information about possible vulnerabilities triggered by remote requests. While the dynamic scan is running, a local agent monitors the application behavior, spotting unexpected errors and flows that could be leveraged by attackers to get access to sensitive data. Our goal is to develop the technology needed to provide this feedback and to cover the main programming languages.
Fuzzing is another new product category that we want to start in 2019. It consists in creating a huge amount of arbitrary random payloads and sending them to the running application. As opposed to standard dynamic analysis, fuzzing can test the app behavior with unexpected inputs. Our goal is to have fuzzing as an additional advanced type of dynamic scan that users can leverage for specific sessions that don't have time-sensitive constraints.

Container scanning scans Docker images for well-known insecure components that may be part of the base image used to wrap the application. Even if the app code doesn't contain any security flaw, vulnerabilities in the deployed container make the entire environment insecure and exposed to attacks. Our goal is to improve the information available to developers and to deeply integrate container scanning in the built-in GitLab Container Registry.

Auto Remediation is a cross-category feature that aims to provide an automated solution to remediate security vulnerabilities. GitLab will automatically check, detect, fix, deploy and monitor the new version of the app, notifying users about the process and in case manual actions are needed.
The Security Dashboard gives a high-level view of the security status of a group, allowing drill-down capabilities and statistical data to track how the security process is performing. Our goal is to provide more insights, to better understand the performance of the security process at the instance level, and to support first-class management of vulnerabilities from detection to solution.

You can find more details and additional information in the product category pages of the GitLab handbook. Everyone can contribute with comments and proposals in the epics and issues where these categories are discussed.
Finally, please welcome the Defend stage. Defend is a brand new GitLab stage that, along with Secure, completes the security coverage of the development lifecycle. It focuses on the Ops side, protecting the deployed applications and cloud environments. Even after the app has been deployed, it should be constantly monitored to prevent and detect real attacks. Security teams should be warned of potential threats, so they can mitigate effects and minimize the impact.

Now it's time to see what will be released in the next versions of GitLab.
The planning is always subject to changes and you can check the direction page to be up to date with the latest decisions.

GitLab 11.9, which will be released on March 22nd, will include many interesting features. It will be possible to detect secrets unintentionally committed to the repository and to see the results as part of the SAST report. This is the very first MVC for secret detection. Auto Remediation will reach a major milestone with the ability to create a merge request that fixes a given vulnerability, making the entire remediation flow available in the GitLab UI. SAST will be able to analyze multi-module Maven projects, which are currently unsupported. This release will also include container scanning improvements. First of all, results will be available in the group Security Dashboard, along with SAST and dependency scanning. We will increase the details of container scanning vulnerabilities, making it easier to identify the problem and to fix it.
Starting with this release, pipeline job definitions will be officially available as include templates for all the security features. They should be used when adding security jobs to pipelines, so they can be upgraded automatically when a new version is released.
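One way to wire the security jobs into a project pipeline through include templates, as the video recommends instead of copying job definitions into the project (an added example, not the video's or GitLab's own configuration; the template paths under Security/ are assumed from GitLab's bundled template directory and should be checked against the GitLab version in use, and the DAST_WEBSITE host is a placeholder):

```yaml
# .gitlab-ci.yml (constructed example)
# Referencing GitLab's bundled templates rather than pasting the job
# definitions means each scanner job follows the version shipped with the
# GitLab instance, so the jobs are upgraded automatically on each release.
include:
  - template: Security/SAST.gitlab-ci.yml                 # static analysis (assumed path)
  - template: Security/Dependency-Scanning.gitlab-ci.yml  # SCA advisories (assumed path)
  - template: Security/Container-Scanning.gitlab-ci.yml   # image scanning (assumed path)
  - template: Security/DAST.gitlab-ci.yml                 # dynamic testing (assumed path)
  - template: Security/License-Management.gitlab-ci.yml   # license policies (assumed path)

# The templates attach their jobs to the "test" and "dast" stages, so a
# project that declares its own stage list must keep those names.
stages:
  - build
  - test
  - deploy
  - dast

# Project-specific settings stay local and survive template upgrades:
# here the dynamic scan is pointed at the review app for the change so
# findings show up in the merge request before the code is merged.
dast:
  variables:
    DAST_WEBSITE: https://review-app.example.invalid   # placeholder review app URL
```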
On April 22nd, GitLab 11.10 will be released. It will contain the first iteration of runtime application security, one of the categories of the brand new Defend stage: the web application firewall included in the Ingress controller for Kubernetes will provide the first layer of protection against external attacks on deployed applications.

This release will also include the first iteration of the integration between container scanning and the GitLab Container Registry: users will be able to check the security status from the registry page. When available, we will add DAST vulnerabilities to the group Security Dashboard. This is the last missing piece to make the security findings available to security engineers. SAST will also be improved with the addition of a new analyzer for projects using the TypeScript language. It will be automatically available to everyone that already has SAST capabilities enabled for their projects, without any specific change.
The last release before the new major version is GitLab 11.11, which will be available on May 22nd. The first improvement is for Dynamic Application Security Testing. We want to make active scans available, so users may have more accurate results on environments where this kind of attack is not impacting the stability of a production environment. On the same topic, we also want to introduce DAST scans on the master branch for Auto DevOps. This could be risky since it may impact the production environment, so we'll ensure that the behavior is not bringing the main site down.

The Security Dashboard targeting security directors and engineers will be available at the instance level. Users will be able to monitor any project and group in their GitLab instance, and it will be easier to keep everything under control. It will also be possible to forbid merging a change that is introducing a new license that has already been blacklisted in the project. This will prevent accidental merges that would break compliance, creating possible legal and management problems for the app. In this release we'll also add a second iteration for secret detection.
This is what you will see in the next releases of GitLab. Thank you for watching, and if you have any question, please leave a comment on this video, open an issue in the GitLab issue tracker, or just write an email. We love talking with people about our plans and we really value any feedback; it allows us to better understand how to solve real problems. Goodbye and stay tuned for the next video.