From YouTube: GitLab 13.2 Kickoff - Secure:Threat Insights
Description
13.2 Release kickoff for Threat Insights group discusses what's in store for Vulnerability Management.
So we have two Direction items that we're going to focus in on for 13.2. Let's jump right into the first one here. It's kind of a long title, but really this is part of a larger effort. You can see we've broken out multiple different steps to enhance the vulnerability list, so when we're on a security dashboard, you see the list view of the vulnerabilities.
This is a number of enhancements to it, and the first is really probably the most important, and you could almost say the most urgent, for teams, not just on our customer side but our GitLab teams as well. We've gotten a lot of great feedback since the 13.0 release of the standalone vulnerabilities, the initial release of that, which brought the category of maturity to minimal, and some of that is directly related to that.
So what this issue is really all about is adding additional information to these vulnerability lists, to make it a lot easier to have some context of, you know, what is the vulnerability, without having to drill into each one, and setting the groundwork for future features, which I'll touch on briefly. So let's look at this first one, this first image. Today you only get these leftmost three columns when you're looking at the security dashboards, and you don't even have all of the information that you see on the screen.
So one of the key things that we're gonna add here is a line number. Now, it's hard to tell when you're looking at multiple different vulnerabilities, especially as you start adding in more scanners, specifically from a third party, so not GitLab-provided scanners. We have a lot of Secure scanners, but some customers do like to integrate around third parties. This can help you identify quickly: is this the same potential vulnerability identified by two different scanners, or is it maybe at the same error?
We're also adding these two columns over here on the right. So, the identifier: we're going to pick the top identifier that the scanners report back. Many of the scanners will report multiple IDs, typically in decreasing order of specificity. CVE is usually the preferred one, since that's going to be very specific about that vulnerability; we may also see a CWE, a common weakness, as a more general classification.
So if a CVE is not available, that may be something you'll see here, and then there may also be proprietary IDs that are not necessarily shared by all the scanners. So for this example, we might have a report from HackerOne from a bug bounty program, for instance. The other column we're going to add is information that's already sort of present in the vulnerability itself, but it's the scanner, so by showing the scanner type...
We think that this is going to make it a lot easier to be able to tell the difference between detections that may be the same phone or building but across the scanners. So you may have a duplicate identification or, as you start adding in (and this is an example; we've used one of our certified third-party security integration vendors)...
They also provide a container scan in addition to GitLab. So there's a good chance that you may see, if you're running both of them side by side, the exact same item is identified. It's also possible that they're gonna pick up slightly different things. So again, the idea is to let you know at a glance: is what I'm looking at likely something that was identified more than once, a potential duplicate, or is it more likely to be unique?
And then that could be used as a jumping-off point to drill into the individual vulnerability pages themselves, where there's more detailed information. Coming along with this, since we are adding additional information over here in the columns, we're going to add a new filter type. This is going to be a handy way so you can just drill in and look at only the vulnerability results provided by a particular type of scanner. So we've actually got it broken out, not just by scanner type.
But if you have multiple same-type scanners, you're going to see that as well. So this is really going to give you a lot more fine-grained control over the triage process. Now, I mentioned that this is kind of laying the groundwork for some future changes. If you'd like to visit this issue, you'll notice that step one and step two, or I should say 1.1 and 1.2, are really incremental improvements in the current experience. The rest of it is actually geared more towards, as I mentioned, having potentially duplicate findings from either the same scanner or different scanners of the same type working in the same area of the code. Being able to group and sort of combine vulnerability instances into a single vulnerability is going to be something that we look at in the future, to really make a lot more efficiencies out of the end of the vulnerability triage process. So, baby steps in that direction; we're really laying the groundwork.
We're really excited to see, already, something that just came out in the last release where we're going to be making big improvements to it as we go forward. So, to go back to the planning board, the other issue we've got here is linking an existing GitLab issue to a security vulnerability. So today, from a vulnerability, you can actually create an issue and it will link it directly, but in some cases you may have already had an existing issue, where maybe a user reported it as a bug or it came from another internal team somewhere.
To an example dashboard, and show what it looks like today: so if I click on this particular vulnerability, we have a Create issue button up here, right next to the status button, so we're going to be moving that down here into a new section. So this is gonna perform the same functionality; it will create the issue.
Adding an issue: so if you start adding issues, it's going to ask you to, just like you would link issues (related issues) or add other epics or issues: this vulnerability relates to the following. So what's nice about this is you may have multiple different issues that all have some relation to this vulnerability that you want to track, so you can just go ahead and add as many as you need to there. Now, behind the scenes...
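As an added example (not GitLab's code) of the identifier and scanner columns described in the kickoff and the cross-scanner duplicate check they are meant to support: it picks the top identifier from each finding and flags the same identifier at the same location reported by more than one scanner. The report layout loosely mirrors GitLab's security report JSON, but the field names, the "acme" scanner and every value below are constructed for this example.

```python
# Added example: "top identifier" per finding plus a likely-duplicate check across scanners.
from collections import defaultdict

# Constructed sample: two container scans of the same image, one from GitLab's
# scanner and one from a hypothetical third-party scanner called "acme".
REPORTS = [
    {"scanner": {"id": "gitlab-container-scanning", "type": "container_scanning"},
     "vulnerabilities": [
        {"identifiers": [{"type": "cve", "value": "CVE-2020-0001"},   # most specific first
                         {"type": "cwe", "value": "CWE-79"}],
         "location": {"image": "app:1.0", "dependency": "libfoo"}},
        {"identifiers": [{"type": "cwe", "value": "CWE-20"}],          # no CVE available
         "location": {"image": "app:1.0", "dependency": "libbar"}},
     ]},
    {"scanner": {"id": "acme-container", "type": "container_scanning"},
     "vulnerabilities": [
        {"identifiers": [{"type": "cve", "value": "CVE-2020-0001"}],
         "location": {"image": "app:1.0", "dependency": "libfoo"}},
        {"identifiers": [{"type": "acme_id", "value": "ACME-42"}],    # proprietary ID
         "location": {"image": "app:1.0", "dependency": "libbaz"}},
     ]},
]

def primary_identifier(vuln):
    """Scanners list IDs in decreasing specificity; the first one is shown in the list."""
    ids = vuln.get("identifiers", [])
    return ids[0]["value"] if ids else "(no identifier)"

def list_rows(reports):
    """Flatten reports into dashboard rows: (identifier, scanner id, scanner type, location)."""
    rows = []
    for rep in reports:
        scanner = rep["scanner"]
        for vuln in rep["vulnerabilities"]:
            loc = tuple(sorted(vuln["location"].items()))  # hashable, order-independent
            rows.append((primary_identifier(vuln), scanner["id"], scanner["type"], loc))
    return rows

def potential_duplicates(rows):
    """Same identifier at the same location reported by more than one scanner."""
    seen = defaultdict(set)
    for ident, scanner_id, _scanner_type, loc in rows:
        seen[(ident, loc)].add(scanner_id)
    return {key: sorted(ids) for key, ids in seen.items() if len(ids) > 1}

def filter_by_scanner(rows, scanner_id):
    """The new filter: only findings from one particular scanner, not just one scanner type."""
    return [row for row in rows if row[1] == scanner_id]
```

Findings that share a primary identifier and location across scanners are the ones worth reviewing first as likely duplicates; the remaining rows are more likely unique.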