From YouTube: DAST to Complete Working Session 1
Description
Working session to discuss how DAST will get to complete.
A: So this is the sheet that we're trying to fill out and get some answers to, and we'll walk through what DEC scoring is in a second. If you look at the epics here, they should encompass all the work that we're trying to get done by the end of the year, and we'll walk through how those are set up. So why don't I just walk through what DEC scoring is and what we're trying to do.

A: So, what I've done here is I've outlined each of the epics and then each of the issues that we have for each particular epic, and then what we're trying to do is figure out: are these small, medium or large? These are really t-shirt sizes. The goal is not to get caught up on, you know, is this a day or two days. We're really trying to say, is this something that's pretty straightforward? Is it something that's in the middle? Or is it like, hey, this is a really big thing that has to get broken down. And there is a tab here for DEC scoring that kind of explains it a little bit more. Basically, what we're going to do is, once we have a small, medium or large for whether it's defined, what the effort is and what the complexity is, it will give us a weight, and these weights are just a number that allow us to start saying, okay, this item is really big, it's a 34, versus another item is a 1, and that will help us prioritize. It will help us figure out some resourcing. Again, these are large blocks of effort. We're not trying to figure out, like, day to day or week to week.

In terms of "defined": defined is probably the most confusing one, because a small means it's well defined and it's very articulate in terms of what it's supposed to do. A medium, there are still some open questions, and a large means that there are a lot of gaps in our understanding of what that is. Effort and complexity, these are a little bit more intuitive: a small effort, medium effort and large effort. Here we just use an analogy of a wheelbarrow load of rocks, a moving truck load of rocks or a dump truck, and that's the same way we want to think about the engineering, like, hey, is this a little config change? Is this, hey, we're going to have to change a couple parts of the application? Or, hey, this is going to require big architectural-type things. And then complexity is similar to effort. Complexity and effort can often travel together, but there are some cases where they don't, and depending on the issue we'll get into that. For example, one of the examples here they have is CVEs. It's a huge amount of work just to get them all in there, but the complexity is very low.

A: So, with that in mind, any questions before we kind of jump into the epics? Cool. So let me walk you through, on this screen here, the epics, because this is a little bit easier, I think, since I've flattened it out a little bit. We have, I don't know, probably seven or eight different epics, and all of these epics are to get us to Complete. There's an epic to go from Complete to Lovable, but we're not going to focus on that, because that is going to be next year. So within Viable to Complete, if you click on Viable to Complete here, you will find all the sub-epics, and this is what we're showing in the Google sheet. So I just copied these over into the sheet, and you can see the total number of issues under each particular one, and that's what we've got in this sheet here.

A: So we've got on-demand scans, and then I'll hand this over probably to Derek in a couple minutes and he can start walking us through these issues. The idea on each of these issues, my guess is we'll probably only get through maybe half of these, because we want to definitely answer questions, discuss what these are and try to figure out, like, hey, is everyone on the same page as to what these are? If not, that's okay too, and that tells us that maybe these aren't well defined and we need to spend more time on that. So we've got on-demand scans, which is this idea of a web page where you can run a scan and you've got some GUI interface to do that. Easier configuration of this is a lot of the work that we're doing now in 13.0 and 13.1, just the environment variables, better [unclear], all things of that sort. Configuration improvements builds on that: better ways to work with DAST vulnerabilities, things like record and replay, adding timestamps, vulnerabilities on the dashboard. We've got error handling and messaging, so just providing the user better feedback to help them configure it. False positive reduction effort, deduplication, and then a specific reports page.

C: What does the scan do when it's running? Some of these are the new ones that we're adding in the next few releases. Some of them have been there for a while, but basically it's taking this idea of a configuration profile: you can have multiple of them within one project, rather than a single configuration for DAST in a project, and then switch between them for whatever scans you want. So, unfortunately, a lot of these are going to be that way. So I know that there's going to be a lot of ambiguity around exactly what needs to be done, so I'm hoping that we can get enough clarity on them, but yeah. The profiles are just that. It's self-contained profiles that users can swap out as they run their tests.

A: This is still a very early draft, and I think there's been a lot of thinking that's occurred since this has been built. But basically the idea, and I was talking, I think, to Craig about this today: when you think about what a scan is, I think of it mentally as three different things. So you've got your site, which in ZAP terms is the context, and your site is your URL. It's the paths that you want to scan or not scan. The next item that you have is scan settings, and so those are things like: do you want to update the add-ons? What rules do you want to run? What are specific things that you want to tell the engine to do? And those scan settings are potentially independent of the actual site. So, for example, you could have a quick scan, you could have a lengthy scan, you could have an active scan, a passive scan, and then maybe a passive scan that runs for 60 minutes, maybe a passive scan that runs for 10 minutes. So you have scan settings, and then the third, which I don't know if we have any issues open for, is schedules, so you can run the combination of those two items. That cuts across a bunch of the issues, actually, but I just kind of wanted to zoom out. So that's going to be when we talk about a scan profile, a site profile: so the site settings, I guess, and the scan setting, and then these others are ways of pulling out those profiles. So let me back up and show you.

A: So right now, all of this information has to get stored in the GitLab CI YAML file, which has its own challenges, and so one of the ideas here is to change it so that you would have your template the same way that you've got it today, and instead of setting all your variables in your YAML file, you could have this idea of a profile. So profile one, in this example, in this case profile one. So this would be in your YAML file. It would go to the analyzer, and then the analyzer would pull profile one out of the database, and this is all managed through a web interface. This gives us the ability to query these across projects, across instances, across groups. So you could look to see if everyone has a particular profile, and then your template to get this going is much simpler.

A: The other option is to do the same architecture, except you just say profile one YAML, and it gets persisted to a YAML file. The difference between these is the process in which we can persist this data. So if we persist it directly to a database, we can just save it to a database. No big deal, right, just a standard web form. If you do it to a YAML file which is then persisted in the repo, you then have questions about: do you do a merge request, and things of that sort? So the workflow is not necessarily as streamlined if you put it into the repo. And then there's also potentially just doing fallback. So if you said profile one, we look in the database first; if we don't find it in the database, we look for a YAML file, and do something like that. So all of this is really built around making this much, much easier, and so the goal is that you would be able to come in here, click on on-demand scans, plug in your URL...

C: ...mandatory for an active scan, because you're actively trying to attack a website with that, so there are multiple ways that we can do it. Right now we look for a text file, I believe you can also do it with headers. You could do some sort of DNS thing, so there are multiple ways that we could do it, but yeah, I'm planning on making that domain validation mandatory for the attack, or the active scans.

A: No, I think that's exactly the kind of stuff we want to figure out, or at least raise those questions here, because, without getting into solutions, that is a big question: like, if your scan profile has an active scan, we then need to have some kind of validation against that. So I put that here under the asynchronous scans MVC, but this piece of work will need to get defined in one of these issues.

A: Yeah, and I think we can, Derek, maybe after this meeting we can go and put these notes in each respective issue where they make sense, or if you can do it in real time. Yeah.

C: The most important thing is the on-demand scans and the configuration, the ease of use. The rest of them sort of have come out of different conversations, but those two are the big important ones that we absolutely need to get done. And it's really, I'm going to be dependent on your feedback to decide how to put these in. I started with the configuration stuff, because it's starting out with just adding environment variables. So that's pretty easy and a good way to get started, but the rest of them, I really don't know.

E: I guess it's hard for me to think about implementation, because there's so much about this that I don't understand. For example, like, what's the permission model going to be? Who can change this screen? When they click to start an on-demand scan, where do they see the job log, and how do they download artifacts? With the vulnerabilities, how do the vulnerabilities map into the security dashboard? Is that where they see them, and is that different to what happens on a normal scan?

E: ...think that made any difference, but, like, an issue this big, I feel like we need a discovery to actually understand some of the questions that we need to answer before we can put any kind of estimate on something that has at least a somewhat likely probability of not changing, right?

A: Yeah, I think there will be some research spikes that we have to put in here. Again, right now we have big, broad brushstrokes, so I think what we do today, like the questions you ask, those are good. We want to start getting those in here, and then we can start putting together issues to answer each of those. Okay.

C: Yeah, and some of them are going to be, I'm going to need you to help answer them. For example, the issues, the vulnerabilities, when they're found, and putting them on the dashboard: to me, just from a user perspective, I don't see any issue with putting them on the dashboard and saying, hey, here's more vulnerabilities, but from a technical perspective, I don't know if that's feasible. So that's some of those questions or things that I haven't answered because I need engineering input on them. Yeah, yeah.

B: ...my 31, and I think that that's going to have to be a lot of thinking and then probably rethinking of how to deal with all these vulnerabilities and the different profiles. I have not thought about any of that. I also have a question to add around the profiles. How is a new profile created and saved? In the mock-up that we saw, you can add details for a new profile, but then it just does "run scan"; there's no, like, separate "save profile" button.

C: That's something that Camellia is actively working on. It's probably going to move. You might be able to create a new profile inline there, but I think it makes more sense to have those profiles be created in the configuration area. Right now, where we just show whether something is, scanners turned on or off, I think that it makes more sense to have a DAST configuration area there. So she is actively iterating on those to change things around.

A: So this would be our first MVC, and then what we would do is start building from there. The idea here is this is no different than if you install the passive scan today, right. You just include the template and you put in a URL and it runs the scan. So that would be our MVC and that's where we would start. The benefit to this is, my understanding is, if we did this, this would run on a runner. We can fire off the job, it would run on a runner, it would run against the site. The one thing that we would have to do is associate it with a branch, and then that branch is where the results would get attached to. So if we attach it to the master branch or the default branch, it would show up in the dashboard. If we attach it to another branch, so long as there's an MR, it would get attached to the pipeline view on that MR.

A: Then maybe the third would be, okay, let's configure all your scan settings, which would be all the rules about what rules you want to run, how long you want it to run, and any of the other advanced kind of configuration. And then the next iteration would be potentially introducing schedules. We don't need schedules initially, because it's good enough to hit go, and then we'd probably want to focus on getting these configurations really working nicely.

A: Well, remember that when you're scanning a website, and this is one of the challenges that we have that I think none of the other security groups have, we're scanning a URL, which isn't really related to a branch. Like, when we scan a URL, we don't actually know the version or what's running at that URL. Heck, it could be running, like, source code from some other repository. Like, on my repo I could be scanning Google, and it'd seem like, hey, on your new branch you introduced a vulnerability.

A: ...one of the reasons I think the on-demand scans make a bit more sense to pull away from the MRs and to have some more of these interfaces that you can run directly, because one of the goals too is, if you have corporate assets that are up there, a bunch of websites, you should be able to come into our tool and just scan those.

C: And that's part of the thing for these, is that eventually, like I said, DAST is in a very different area than any of the other scanners are, and one of the criteria for getting to Complete is that you have to be able to compete and displace another tool. So you've got all these other DAST tools that we're supposed to compete against, and being able to run...

E: I mean, that's my question, but I mean, for me, I can go and write up some of my concerns and questions I have and things I don't understand, but I would just be tempted to put larges on all of your DEC scores for this first issue and move on, right.

A: Yeah, so what our goal here is going to be is figure out which of these "defined" are larges, so that the goal would be that over the next couple weeks we can get these "defined" down to mediums and smalls. We're not going to know all the answers, particularly until we get closer to implementing these. All right, we're going to spend weeks defining all this, planning and all that kind of stuff, but we want to get away from some of the larges in the defined areas so that we can start.

E: Well, I would say, I don't fully understand the DEC scoring yet, but I would say, I mean, effort and complexity are hard to determine if you don't fully understand the landscape. But also, to me, effort and complexity seem coupled. So to me it seems fairly complex, with a fairly high risk that the complexity is even more complex than we think, but that high risk is associated with not understanding the implications.

B: The results can end up on the security dashboard, and they will by default when we parse the pipeline, assuming we ran it against the default branch. But there's also, do we want to show people the pipeline page? I guess they might have that by default. I'm making a lot of assumptions in my mind, I don't know if they're the same ones that you all have. For example, I see we hit go, we redirect them to a pipeline page which has whatever builds, the tab, and then they're going to have all the normal pipeline stuff.

B: This is assuming that it's on the default branch, and so I think that can work, and then, if we want to do non-default branch stuff, that definitely gets stickier. I'm sorry, go ahead. And I only have these assumptions because [unclear] and I took this out back in February and did a spike on it technically, and so I feel like there's sort of an engineering back and forth on how do we do this that's going to take some time to have anyway, yeah.

C: Right, and in the issue some of that is defined. Camellia and I went back and forth a little bit in the comments, and Neel chimed in as well, that she's going to mock up a page that's just going to have a list of all of the on-demand scans that you started, so that you can click on it. And then it will take you to the pipeline page, because at this point in the MVC I want to reuse as much as possible that we already have, and so the vulnerabilities will show up in the security dashboard. The pipeline page is going to be the same. It's going to be odd, not having, I mean, just having that page for these on-demand scans, but it is an MVC. So the goal will be to obviously move past that at some point, but just for the MVC, yeah.

C: I think it really depends. I mean, it's going to depend on the feature and what we're doing, but that's exactly the thing that Camellia brought up and why she wanted to have an in-between page where you start a scan, it takes you to this page where you can see the scan listed, because you could theoretically start multiple on-demand scans at once, rather than just flipping you over to the pipeline page. That way, when you click on that, then it takes you over to the pipeline page.

A: I mean, because the issue that I have thinking about MVC is, like, we can't sacrifice... the whole point of an MVC is we don't sacrifice quality, we sacrifice scope, right? So we cut the scope as much as possible. So if you have kind of this disjointed experience, is that a scope issue or is that a quality issue? And I don't know how our UX team thinks about that or how the product team thinks about that. It's obviously not a black-and-white answer, but I think we're trying to figure out exactly how much of that is scope versus quality, and that changes the size of this MVC quite a bit. Because if we were to build this and say, okay, you have a go button and then we're just going to flip you over to the pipelines page, right, that's literally just a redirect. That's much less development than, okay, we're going to now open up potentially a new database table, have a list of these, you'll have a refresh, have a bunch of different statuses. That's a bit more work, and so I think that's why I wouldn't give this a small in terms of a "defined". I'd want to go more towards a medium. My inclination is we do have some definition around what we're trying to look for, so it wouldn't be completely undefined.

C: Yeah, and that makes sense to me, because there is still some definition depending on what she comes up with for that intermediate page. Because, yeah, we're basically trying to build a whole new product that is a standalone product for most companies, and we're trying to get these definitions done extremely quickly so that we can start engineering work. So I apologize, but a lot of it is going to be on the fly, and it's going to be coming in stages, because this is stuff that, you know.

A: Yeah, so what we did when Ivy [unclear] and I did that spike: we basically just created that, threw it in the database, and then the runner comes and picks it up, and you can just do that all day long. You can come up with all these different configurations, throw them in the database, runners come pick up the jobs. It's really cool.

B: A further refinement: it might be possible in the future to tag a runner with DAST, and then only our jobs will use that runner. So you can have a longer timeout, okay, and it won't have other traffic. So that's probably, I can assume, to come after Fineman, if it's the path we decided to go down.

A: So the idea here was being able to, again, create that site that you save in the database, and it has a list of values like the website, the API specification, the URL, the username, password, the username and password field, and any of the other specifics. I think we would probably add the technology in here that is associated with a website. Any other thoughts or comments on creating a site profile setting?

E: I'm not sure I follow. So you showed us a diagram earlier where, in the YAML file, what do they do? So they defined a profile name, yep. Then the profile name was passed to DAST, and then DAST called an API, yeah, this guy, yep, which went and got the profile, right. Yes, profile details, yep. What I'm suggesting, it's probably easier if, when GitLab triggers the DAST analyzer, we set up environment variables that come from their profile. Yes.

A: Yeah, absolutely, if we could do that, I think that makes sense. The reason I did not design it that way in this, and this might be, this is probably a good research spike: is this process right here outside of Secure's realm, right? So the way that these environment variables get passed over to the runner is built into GitLab Runner and built into the GitLab CI tool. So if we want to have something that parses this too, with the GitLab way, you'd have to open up some kind of Docker image and then pass it over to, like, another, and be Docker in Docker or something. There's no way to read this file here on GitLab and then pass that over to the analyzer, unless we get into that part of the codebase. And so this structure was sidestepping that part of the codebase: send it over to the DAST analyzer, and then we can build our own API endpoints on GitLab. That's a Secure, whatever we call it, "get secure settings": take the CI runner or job ID, which is getting passed in as part of the GitLab Runner, and then get that back here, because the analyzer in Docker today gets the registry token, username and all those variables that get sent down to the job. So my thought is, some of those variables that get sent down to the job we would be able to use to authenticate back into the API, so that we'd leverage all the existing stuff. You could still continue to use our documented way of calling the analyzer. This just simplifies it and gets a token, then loads it into the environment variables. And again, this is just my idea, I'm not prescribing this as the way to do it. It's just one way of thinking about it. Yeah.

C: There are a few stories, a few issues, that are adding environment variables for some common configuration things. I think that they're all in 13.0, 13.1. So there are a few new ones in terms of environment variables that we don't currently have, but most of them, I think, are pretty well documented, and there are things that people use already.

A: Probably come back and do that, yeah, because what I want to do is just get the discussion going here, as opposed to, like, focusing too much on the t-shirt size. I can come back and put t-shirt sizes in there. The main thing is just listing the questions that we have and getting a general understanding from everyone, like, hey, does this make sense?

C: And I did have a couple of questions, a couple of things that I guess maybe I don't understand exactly where they would fit, whether they should be under the site or scan profiles, like the exclude rules. I have them on the site profiles, but I was thinking they probably fit better on the scan profiles?

A: And the other thing too, I would say, is any of your scan settings, you could theoretically take those and run them on any website, right. So there's nothing in there that's probably, like... So that's why you wouldn't have a username and password or an exclude URL, because those wouldn't make sense on any website, so those theoretically can run independently on any website.

C: It can. It's more general than a specific site, and you may have a single site that's defined that has both JavaScript, like a single-page architecture, as well as a static site component, that you may want to do two different types of scans on, but apply them to the same base website. So that's why I like the Ajax spider is here, but I'm open to suggestions. And I do have a, you'll see if it's shared here, I believe you guys should be able to get to this, I'm sending it in the... So if you go to the scan profile UI options, right here, all the way over on the right, yeah, that she and I started to document exactly what the option was in the UI, what the default was, because these are things that she wouldn't have any clue about, and then the ones in red there I need to, I don't actually know what that generate config actually does. So I need to get some insight into that, but I...

E: I was just going to say, actually, some of this, so if we decide to go, well, at some point we need to go down a route, I presume, which allows users to configure which rules they will and won't run. So ZAP has policies for that, I believe, but the Python scripts have a config file which is slightly different. It's basically just a text file, like space-delimited, where you basically define the IDs and then the name of the vulnerability and what you want to do with it, ignore, warn or whatever. I actually think, as long as we have a way of excluding rules from actually running, because yesterday I was investigating the exclude rules that we have right now on the variable, and the rule still runs, and we just always make sure it's a false positive. So for someone trying to make this scan run faster, it's not very useful. We actually need a way of turning them off as well.

E: No, I'm saying, like, in the web UI, do whatever makes sense for the user, whether that's a file or whether that's, here's a bunch of rules, these are all of our rules, and pick the ones you do or don't want. I'm just saying under the covers we would probably use a scan policy for that when talking to ZAP, mm-hmm, and a scan policy and a scan config file, which is what this generate config, and use the config, and the config URL are for. I believe they're solving the same problem.

A: So until we support it natively, we may want to have an ability for them to pass that in, and maybe that's, maybe it's just like, hey, give us the variable and it's just a big text field that they can paste their data into, and then we parse that through, and then we say, okay, we no longer support that, we've got a clean, nice way to do it in the web interface. Yeah, that's...

A: Because, for the most part, if we're doing stuff exclusively in the web interface, we need to make sure that people don't have to log in with the browser and do it in the web interface. They should be able to do it programmatically. Yes, if we're pulling things out of the pipeline, we don't want to just have, like, oh no, you have to do it in our website, so we'll want to make sure that we have endpoints for all this.

A: So, instead of, like, having an internal endpoint and then exposing it, we may want to have you use the same endpoint, but again, that's something I think we'll want to do some research on and figure out, like, hey, does that add a lot more work? What's the implication of that? Okay, and yeah, I wasn't thinking we'll...

C: Yeah, I removed them from this document so that Camellia doesn't get confused, and then we can figure out what we're going to do exactly. I like the idea, I prefer the idea of exposing all the policies to the user and creating it that way, but I think that's further down the road than what we're talking about right now, yep.

C: I think that it's likely that we will add variables. I don't think it's likely that we will remove variables, because once we introduce functionality, I don't like removing it from the user. But just thinking, I had to like the policies, and I think that there will be other things that we find that are going to be useful. So I think that it's likely that we will add them. Okay.

A: Yeah, and I think there may be some additional variables that we add, and then a lot of the functionality I think is going to come in some of these, like, config files, right. So being able to configure all your rule sets. I think ZAP right now, there's like three values you can say, like, do you want the release, alpha version, what's the threshold, and then there's like another status, and then you can do that for each rule set. So that's likely going to be like one big text file or XML or CSV or JSON or whatever. So we will probably have a web interface for that, but I wouldn't really consider that, like, each one that we're going to have, like, a new variable, because it's a data set that, once we design the interface, whether it's one variable or a thousand, it'll support all of them.

A: One of the, I think, big questions out there that I have, and I think for the rest of the product team, is making sure that this is consistent across the different parts of Secure, because if you configure one way and you configure SAST another way, there has to be a really good justifiable reason why it's configured one way or the other. We don't want to have SAST configured this way and DAST configured this way when really it's kind of an arbitrary difference.

C: So I don't want to get stuck in a place, because this is something that the other groups are already dealing with, where they're trying to move configuration up to the group level so that they can have it locked down to, like, a specific user role that can edit it and then push that out to all of the projects. I don't want to get locked into a place where we are saying, well, now we don't know how to do this because we implemented everything in the repo. But I agree with you...

A: You could do, like, anyone can theoretically run one of these scans from the desktop onto a website. So you shouldn't need to approve it because you're worried that someone's going to run the scan, because anyone can run the scans, whether you're using GitLab or just their desktop. So you would need to approve it if you're saying, okay, my security policy is every website needs to run A, B and C, and someone says, no, I'm going to go change that now.

A: Not that I know of, because your runner is offline, sorry, your runner is in the network where GitLab is, and if you're running, I can get the job, your runners are talking to GitLab, so your runner should be able to go back and forth too. In fact, your runner has to, because it has to be able to send status updates to GitLab, and so on and so forth.

B: How does that work with the features that we're going to be creating? A lot of those seem to make it easier for devs to be doing this, which is great, but the idea of moving things to a group level, or building things specifically for, like, a kind of security department, enterprise-y things, seems the contrary. So where do we fit, right?

C: And I think that there's two different levels on that, because that is the goal, is to make it to where developers... it's the whole shift-left idea, right. So that is the goal, but when you're talking specifically about enterprises, which is another one of the big pushes for GitLab, is enterprise readiness. While they may allow the engineering group to do the testing and to look at the results and fix those results, a lot of times they don't allow the engineering group to own the configurations, because it's very easy for an engineer, and I'm guessing that in these enterprises they don't trust their engineers, because they could easily change the configuration, just run a passive scan, say, hey, I didn't find any issues, and pass that on and say, hey look, my code is fine, and then change the configuration back to do the active scan.

B: That makes sense, especially with configuration stuff, permissions might be more restrictive. Are we going to have to care a lot about having easy to access, sort of like, logs? Just can't stick it running their configuration.

C: My thought was: if we log every change, that's...
done
in
the
configuration
area
to
what
is
it
the
the
Activity
Monitor
area
of
gitlab
and
I?
Don't
I,
don't
know
anything
about
that
that
area
or
what
all
is
required
to
have
something
there,
but.
C
C
A
The
other
piece-
and
we
probably
won't
have
time
to
get
to
this
today,
is
in
the
JSON
report.
We
have
a
scan,
scan
values
and
one
of
the
ideas,
too,
is
that
in
the
scan
details
in
that
JSON
report,
we
would
have
a
list
of
what
the
configurations
are
and
at
some
point
in
our
dashboard
or
on
our
vulnerability
page.
When
you
click
on
a
vulnerability,
you
should
be
able
to
see
okay.
A
This
vulnerability
was
found
on
this
scan
on
this
date
and
then
potentially
click
on
that
scan
and
see
what
were
the
configuration
values
for
that
scan.
So
you
could
say:
okay.
This
was
found
on
this
day
in
this
time
by
scan,
you
know
by
scan
using
zap
version
whatever
or
ghast
version
whatever
and
here's
the
configuration
settings
so
that
you've
got
full
traceability
and
repeatability
and
that
that's
much
further
down
the
road.
E
A
A
Am
I
understanding
for
most
of
gitlab,
like
in
the
admin
settings
and
all
that?
If
you
have
access
to
it,
you
can
do
it,
but
that
also
requires
a
high
level
of
access
and
often
in
most
cases,
it's
the
maintainer
and
owner,
oh,
and
to
figuring
out
how
we
manage
this,
whether
that's
a
maintainer
or
an
owner
gitlab
doesn't
have
a
lot
of
different
permission
levels,
so
it
gets
a
little
challenging
there.
E
One
disadvantage
of
the
top
one
actually
is
that
you
can't
if
your
build
fails.
So
if
your
scan
fails
for
errors,
you
can't
reproduce
it
locally,
because
now
you
don't
have
you
can't
download
all
the
content
that
can
reproduce
the
issue
right,
not
the
it's.
So
if
one
of
our
users
had
a
scan
profile
llaman,
we
wouldn't
be
able
to
access
the
llamó
file
anyway,
but.
C
A
And
I
could
get
into
kind
of
the
technical
implementation
again
like
we
have
a
little
agent
that
goes
and
gets
this
file.
Writes
it
out
to
a
ya,
know:
file
on
the
on
the
analyzer,
and
then
that
gets
parsed
into
environment
variables
so
that,
if
there's
a
problem,
you
could
actually
go
and
grab
that
ya
know
file
or
something.
B
A
And
the
challenge
always
with
the
mrs
right
is:
if
their
file
already
exists
and
you
need
to
add
text
to
that
file.
How
do
you
add
that
text
right?
You
have
to
parse
the
original
file
figure
out
what
you
want
to
add
and
then
figure
out
where
it
goes,
because
we,
when
we
create
an
mr,
we
shouldn't
create,
merge
conflicts.
So
we
have
to
be
really
smart
about
where
that
that
text
goes.
A
A
A
C
C
Probably
not
know
because
I
don't
have
anything
written
up
around
that
and
I
don't
even
know
if
that's
something
that
we
plan
or
we
obviously
it's
something
I'd
like
to
get
done
by
the
end
of
the
year,
but
I
don't
know
if
it's
something
we
can
plan
on
having
in
the
complete
definition
right
now.
Okay,.
C
Yeah
the
I
mean
this
is
base
pretty
much
mainly
on
on
what
cam
found
about
this.
This
add-on
I
think
that
it
would
be
cool
and
a
good
use
of
zap
to
be
able
to
scan
and
automatically
configure
those
technology
variables
so
that
they
wouldn't
have
to
go
through
and
check
every
single
one
that
they
use,
and
maybe
they
forgot
one
but
yeah
I.
Think
that
doing
this
programmatically
in
a
in
a
scan
would
be
a
lot
easier.
The
question
that
I
have
right
now
is:
can
it
be
in?
C
Does
it
have
to
run
before
the
scan
as
a
way
of
building
up
the
configuration?
Can
it
be
run
in
line?
So
you
start
a
scan.
It
runs.
Lap
Eliezer
then
passes
that
config
over
those
are
the
the
questions
that
that
I
don't
know
the
answers
to,
which
is
why
starting
off
I
just
want
to
see
how
it
would
be
used
and
whether
it
would
actually
solve
any
problems
for
us,
but
yeah.
The
Auto
configuration
I
think
would
be
a
huge
plus
for
us.
It's
something
that
I
haven't
seen.
A
Cool,
so
for
thirteen
one,
it
sounds
like
let's
just
go
play
around
with
this
see
what
does
write
something
up
so
that
we're
all
on
the
same
page
as
to
what
it
does
and
then
the
potential
applications
for
where
this
would
get
implemented
is.
If
we
go
back
to
what
we
talked
about
before
the
site
settings
potentially.
A
That
checkbox
of,
like
a
does
it
have
you
know
my
sequel.
Does
that
in
a
post
rest
as
if
you
know
MS,
sequel,
blah
blah
blah
JavaScript,
you
know
et
cetera,
et
cetera.
That
could
be.
We
could
theoretically
not
even
have
that
checkbox
list
and
we
just
say
autodiscover,
you
know,
maybe
it's
a
radio
button,
it
says
auto,
discover
or
the
checkbox
list
and
if
it's
Auto
to
discover.
B
A
G
A
B
E
Name
and
the
she
essentially
Nicole
I
think
it
was
suggested.
This
might
be
a
good
use
for
dust,
so
I
created
an
issue
for
it.
Basically,
we
use
an
environment,
URL,
dot
text.
When
we
deploy
review
apps
to
get
the
review
up
URL
in
theory,
we
could
use
a
dot
n
file,
I,
don't
know
if
it
provides
much
value,
it's
probably
a
new
way
of
doing
things
and
do.
A
Cool
any
of
your
questions
on
this
one,
all
right,
we've
got
I.
Think
two
three
minutes
left
so
we'll
we'll
resume
later
this
week
and
kind
of
get
through
some
of
the
other
items
that
we
haven't
talked
about
so
I
guess
we
can
stop,
therefore,
for
now
just
quick
kind
of
reflection.
If
this
is
helpful
for
everyone,
if
there's
different
ways
that
we
should
go
through
this
for
our
next
session.
C
E
Yeah
I
think
it's
incredibly
useful
to
be
on
the
same
page
as
well.
So
I
think
this
session
is
good,
but
even
if
even
if
you
go
in
the
end
of
just
put
a
medium
on
everything,
I
still
think
it's
useful
but
I'm.
The
only
question
I
have
is
so
I
know
we're
going
through
a
stage
essentially
of
you
know,
defining
decks
for
all
the
identified
work.
We've
done,
I,
just
I
I.
Think
like
we're
still
in
a
stage
we
were
learning
so
much
about
zap
in
particular
that
we're
finding
a
lot
of
new
work.
A
So
I
think
there's
maybe
to
two
parts
of
that
there's
work
that
we
will
find
in
order
to
support
some
of
these
features
and
the
decks
scoring
is
designed
to
accommodate
that
right.
So
if
we
have
a
large
here,
you
know
large
and
large,
the
you
know,
the
back
end
points
is
34,
which
anticipates
that
there's
there's
a
lot
of
stuff
there
that
we're
going
to
find
things.
A
A
Yeah
exactly
so,
you
know
this
is
going
to
accommodate.
Like
hey
yeah,
we
don't
really
know
how
to
implement
this
and
that's
kind
of
agile
and
we'll
figure
it
out
and
tweet
these
stories
as
we
get
closer
or
these
issues
and
then
new
features
like
certainly
if
you
find
stuff
in
zap
or
other
tools
open
up
issues
and
if
it
doesn't
go
in
to
complete
it
might
be
something
that
goes
into
the
lovable.
C
Right
and
and
my
goal
is
I'm
hoping
to
think
through
and
have
you
all
I
think
help
me
think
through
some
of
these,
so
that
we
don't
have
too
much
scope
creep
in
terms
of
new
features.
Obviously,
the
implementation
details
are
gonna,
be
needed
to
be
figured
out,
but
I'm
going
to
be
trying
actively
trying
not
to
add
new
features
outside
of
what
we
have
here,
unless
it's
just
something
that
everybody
agrees.
This
is
incredibly
poor
important
for
us
to
add.