From YouTube: 2019.08.05 - weekly secure stage meeting
Description
Weekly stage-wide meeting for engineers in the Secure section.
B
C
Yeah, that's just one week apart, yeah, yeah.
A
E
Are you okay, happy, yeah? Thank you very much. All right, Monday, welcome back. Everybody had a great weekend, so we're, we'll go ahead and kick in, even though it's a, it's a light crew for us today. So everybody can see the announcements. So round back session on permissions last week got video and slides, so thanks to Tatiana for doing that. Hi. So there was a fix for the group security dashboard, the history in point, timing out, that got merged last week and I wanna.
D
C
C
I'll take it, and if I miss one of the four points, let me know. So, hey everyone, I'm Sam Kirk, I'm based in West Lafayette, Indiana. So if you're familiar with Purdue University, that's the same town as Purdue. Prior to GitLab, I was at a company called arcs and technologies, also here in West Lafayette, so I was doing product management for them, focusing on their mobile application protection products as well as their white box cryptography and data protection products, so really excited to be here at GitLab.
C
What drew me to it was, you know, the culture of the company just seemed very different from everything I read, every conversation I had leading up to joining. But I also think we, as a company, have a very unique opportunity with DevOps maturing. Our opportunity to add security into that DevOps workflow our customers are using, you know, is really going to be a great way for us to differentiate against the competition and really bring something new to the market. So I'm excited about that as well.
C
F
All right, so directed acyclic graphs are coming. This is a cool new pipeline addition and I'd encourage everyone to look at this because, well, it's our product. As Philippe noted here, there may or may not be an immediate use case for these within our security tools. I think, can think of a couple cases around just speeding up execution, like on container scanning being bit slower than a review app, for example.
A
Just in a few words to explain what it, what the idea are really. Yeah, it's mostly way to three years some jobs without waiting for the world stage to finish. That's the part I find a bit confusing about the new pipeline because you can have sharp starting, you know, different stage where the trans one is not, so yeah.
F
I think, thank you for that. That's something I should have said. I, I think one, the best example is not being like, if you're building an application for cross-platform and you're building Android and you're building iOS, and then it goes to a test Android in test Iowa stage. You'd have a build stage in a test stage, but you should have to wait for the iOS build to finish to start testing Android, and so this could speed up our pipelines.
D
I'll say, I got introduced to this early in my tenure in product management, and the word seems far more complicated than what it actually is, which is like to trigger two dependencies or, because the example you learn in computer science school is like spreadsheets are DAGs because they update, your formulas update from one cell to another, and that the word DAG seems are really complicated. But it's not that complicated. Yeah. We feel cool and we said, yeah, it's one of those words that you feel really cool when you say.
E
Already on, I am back. So today, today's first day for Paula, so she's not on this call yet because it's a little early for her to start right now, so, or at least she didn't know that we were gonna be talking about her this early and during her day. So if you happen to see her online in Slack or slacker and other mediums later today or later this week, police say hello, police, guy and welcome her aboard. She will be part of the, the dynamic analysis group, so another DAG. Oh sorry, couldn't help.
E
G
Following discussion in the staff meeting and according to the increasing number of issues regarding permissions, there is one permissions bleeds ongoing. So I tried to find someone within ECA to list all the feature we have today and the corresponding permission from technical perspective to make sure we lay out this and have a good grasp at but going on and then playing with do, X or X, I mean Jane.
G
Products will be able to analyze and see what our concerns is in this and define the new expectations, but how we want to address access level for all the features we have today, and then, based on this, we will have to apply the new expectation under source code. So I'm expecting this to be a long-running issue.
G
What should we be able to address everything in terms of three, but this is very high priority, because it's currently also blocking some new issues like changing the navigation navigation and we for the new security features and we have ongoing issue. So we really need to address this. Just to let you know, if you are aware about adding a new feature where you're not sure about the permission, you definitely need to have a look at this issue and contribute possibly to help us moving forward on that.
G
And if you don't have any question, the next item is about the migration to the group and stitch labels. So it's not the time right now to switch, that's coming soon. There is an ongoing, but that is going through all the old issues regularly and there are still some differences, but it's getting closer. So please start using the group labels on top of the existing labels that we have today. So you'll really know what those groups label are.
G
But on top of this, you need to be aware that you need to use a DevOps teacher label instead of the team sexual label, which will be removed. So another thing that is very important is to use back-end and front-end, because the way throughput we'll be working is that a group like static analysis will be including both front-end and back-end team.
G
So, if you're working, the back-end team, you need to apply is above the group and the backend enable so that the throughput will be accurate and the matrix will be reporting the correct numbers. So starting from now, please make sure all the issues and merge requests are correctly labeled according to this, and please also leverage the feature-category label like size difference is scanning dust, security, Malik cetera, so that you can benefit from the automation that will ultimately add the corresponding label in case you're missing them, and this also improve the discoverability.
G
D
Yes, yes, there are. So I've been tracking some of those conversations about, they're not described in the handbook. They are described in our contributing docs and they are updating them there, a little bit in an unclear state, given the transition. I think they're waiting for the new label adjustment processing that happens and as to not confuse contributors, but fully, specifically to your question about secure, I have seen an issue that says we label all team, I think they're, like, the blue colored, with the capital letter stages, to DevOps, to the scope, DevOps label.
G
B
A
D
G
F
Yeah, just had an example to the doc, which I think we just need to replace every contribute MD in our projects to sing, like, just have a single URL. We can't really do redirects, but, across projects, but just say: go here for this shared contributing MD for all SP products, so at least this may be the last time we have did everything so.
D
In mind we should be supportive of Sterne all contributors, so mm-hmm. It's, it's basically to make sure that anyone who externally wants to contribute knows how the workflow happens, what labels they should apply, because it's not specific to GitLab employees. We're assuming they won't read the handbook to get that information. Yeah. Our notion is, you shouldn't have to read the handbook to do, to contribute to GitLab.
F
It was like a minor thing for our security product, specifically where we do not use issue trackers for each one of our products. We use a single issue tracker, which is a guideline like cee or e project, so you didn't, so contributors cannot create issues directly from our projects. They need to put them in the appropriate project to triage.
F
D
F
We have security, products are small, self-contained code bases for doing security scans, and those run against various languages and projects doing various types of security scans like static analysis or dynamic analysis, and those together push code up to the github, C or E code base, which is like the monolithic Rails
F
we have the most, I'd say 80% of engineering here works on the Rails app directly, and then 20%, of which were probably 10% or 15% of that, work on these smaller projects and the Rails out. Got it, okay. Thank you.
C
E
Yeah, I was just making sure there was notes on this topic. Okay, Artie, since we've got a secure group conversation today, where this is going to be announced, that's, it's important to talk about it here before we get into a company-wide conversation, so the results of how that, who's going.
E
Where, on which team, are listed here and will be announced in the group conversation today. This is as best we could do to follow, focuses on desires, but also keep the teams balanced between static and dynamic analysis as far as, as far as tenure and seniority is concerned. So this is, so this, we will be having, we'll be talking about these more in one-on-ones this week and we will begin to, did what, begin to execute the transition, but I wanted to make sure that everybody had a chance to at least see it here.
E
D
Let's say thank you, engineering managers. I know, like, we've done two major split, we're the first guinea pig split and then now we're doing another split shortly thereafter, a couple months after. I know it's been painful, so engineering managers and team members, I appreciate. We're growing. We seem to get to be the guinea pigs because we're growing the fastest.
E
E
Any, we're not, yeah, not formally, we've had conversations about it.
E
E
B
E
Okay, got it, yeah, yeah, yeah, nobody is being thrown over the side. It was just that since we were taking static and dynamic analysis group and dropping the, and, and splitting, and within the software composition analysis team, or group, excuse me, was, was the, left unchanged by this particular activity, I did not, I did not list them here. Apologies for the confusion and the concern. No.
D
Worries, just wanted to double-check, thanks. And I'm, just, this is also a CYA on my part, but my view of this, the other function always Plitt, is that Thomas, you and Seth are gonna make a call and then propose a miracle, and then I can review it there, that you're not waiting on me for anything. Yeah.
E
You know, the, and just to make it explicit within this group, I am, I have the privilege and the honor to also be the interim, am on defend, and so it's going to be, so not that my entire team will also be doing double duty with and defend itself, but, so I'll be, I'll be working on Logic, I'll be working a logical split within myself as well, so just go ahead and colon that out.
D
G
Are two different, many different things under the tree expert, but I think you're focusing on the issue package by us? Okay? Yes, this is one point. I've know there is an ongoing issue and quality team to redo that and split accordingly to the groups, so it might be over, already covered by this issue. Whether what I was mentioning is more about automations between the group and state labels based on the category level, so that when the blood sees dust label it will apply the dynamic analysis group instead makes.
D
E
Anything else? Yep, alrighty. Thank you, everybody, for your time. We will do the static and dynamic analysis group conversation here in about nine minutes. It looks like the, it looks like, yes, yes, tomorrow now, and so anyway. Thank you for your time. Thank you for your attention. May the odds ever be in our favor and we'll talk soon. Thanks, Dennis.