From YouTube: Secure:Threat Insights Weekly Group Discussion
Description
Weekly meeting for the Secure:Threat Insights group
C
Yeah, so this was kind of an FYI that Nicole passed along from her team meeting. Will Meek is, I don't know if he's dedicated or not? I didn't think that we had a dedicated SET for Secure, but it sounds like he has been at least joining their meetings and asked for us to give him an @ mention for any features where there's going to be front-end work, so he can review the end-to-end tests and do any updates, if need be. So that was, that's pretty much it.

D
So this was a proposal that came up on the retro, and we decided to put it here for the team, for the group, to consider. There's an example there, one that Mammoth did, and I believe I wrote one as well recently. I had to write an issue and I used Gherkin to describe it. So it's a trial; have some interest, because if you don't like it and you don't say anything, you might end up having to write some Gherkin and be deeply unhappy.
B
It seems very accurate, a great way to do things, and also extremely prescriptive, which I think, you know, has its pros and its cons now. But I'm interested, after people get a chance to take a look, to see what their feedback is.

D
Yeah, that could be, that could be the outcome of this: we'll be a bit more choosy about when we use Gherkin or not. One thing that's worth mentioning that Matt brought up is Gherkin can get very complicated, and the example that we gave there doesn't have all these features of the language. It's a basic level, just to sort out the cases where, you know, when this happens, then that, or if this and not that. We got babies, I'm.
B
Do you have, do you have a, Daniel? Do you have a little GitLab shirt for onesie?

A
We're gonna have to work on that. Hold on, I'm kind of, my action item list. The more the merrier on our discussion, so I'm glad she's here. Thank you for bringing up this Gherkin topic, Thiago. We talked about it being something we experiment with, and I know that Matt said he's on board because, you know, I think a lot of it is about defining requirements as issues are created and then improving that over time. So we're not gonna try and ask people, we're not requiring it right now.
E
So the engineers then wouldn't be running any Gherkin, and we'd just have to read it? It would be like whoever did the, you know, the PMs would be doing it then, is that correct?

D
Not necessarily. I think if you're reading a Gherkin and it's not clear, you should go and rewrite it, or if something doesn't have a Gherkin language and the English description is conflicting or not clear enough, you might take a stab at going. But I think you're right that generally it's expected that the product manager does that, and I think Matt's happy to, so we could, right, Matt?
C
Yeah, I'm definitely willing to give it a shot. I think, maybe this is a silly suggestion, but if we don't want it for all cases where it's not needed, maybe, much like we have the carrot for reviews, is there a pickle emoji? That's probably not in there for various reasons, but if we could use some sort of an emoji to denote that it's requested on the issue, perhaps, like, if we want that clarification.

A
Confirmed, it's Pickle Rick. Okay, yeah, moving on. So about a week, no, I guess it was after the last planning breakdown discussion we had. I shared an epic with a breakdown for the failed jobs design issue that we all thumbs-upped in our planning breakdown. I got no response, so I assumed everything was perfect, but the comments in the issue say otherwise. I think there's some confusion.
A
So if, as a group, everyone can take a look at the epic and make sure that the issues that were created off the epic represent what you think makes sense. I think, Thiago, I think there's two duplicate back-end issues now, so I don't know what the correct process is at this point. As far as you know, we've had the conversation at a high level. We identified there's front-end and back-end work.

A
These issues were signed up for refinement. I guess my ask for everybody is: make sure that you take a look at the epic to see what other issues were created off of that epic as you're doing your refinement, because that'll help as you're asking questions of, you know, is this already available in the back end, you know, is this covered in some other issue somewhere?

A
Cool, and in general, suggestions for how to improve this part of our process are welcome and appreciated.
A
Was following in line with Alexander's suggestion of, you know, the front-end issue was getting refined, there was a question of whether the data was already available at an endpoint, so you created the back-end issue at that time, which is sort of the pattern that I think Alexander is suggesting, versus, you know, during our planning breakdown discussion we said there is back-end work for this, generally speaking, so I created sort of a big bucket type issue for that, whereas this would be more.

A
Okay, I'll put a little note here and we'll move on, so everyone take a look. Are there any other suggestions or comments on this item?

A
You're such a bully, Tiago, you're just pushing people out of the way, jeez. All right. We got a couple of demos listed here, so Savash shared the fixed remediation badges. So I know this has been kind of, I think it was something that we initially launched with the MVC and then found some issues with it. So you can see lots of blue badges now.
B
That was a great learning experience for us. Now we know how that process works and we've got good ideas to improve it. So a great job by the team on it.

A
This is a good plug for our retro. What to improve on is that, with the next person who does pick up a security issue: remember that, especially if it's the first security issue that you've picked up, we want to go with a buddy. So make sure that somebody else is assigned to the issue, not to necessarily help with your code changes, because we have reviewers and maintainers for that, but because the process itself is subject to missteps that can make it completely miss a release, tiny little things.
C
It is big. I'll say a few words and then I'll let Andy take over since it's his design. So we've been talking about this for a long time. The current MR experience today is, say, not the best in terms of usability if we really want people to see new security issues in the development workflow, so Andy has put a ton of effort into rethinking how it's going to behave altogether.

C
So the solution is really taking it out of that sort of, which you would really call it, that little stacked table where all the various different widgets run and display data in the MR, and we're going to pull it into a totally new tab, a security tab in the MR. So it's going to be closer to, like, the pipeline view.
F
Yeah, I can share my screen, so this is it. That's all. I'm just gonna move the blue stuff to the, I'm just kidding.

F
So today, like that said, right, each individual report is in its own line item and its own collapse/expand row. We want to smash all those together in the same list, almost like we do with the security dashboards, pipelines. Basically, security report, vulnerability report, full stop.

F
We can almost consider what we're doing in the security tab as the MR security report, so it kind of helps with our classifications. But to do that, we need to kind of work in this new paradigm of communicating, in this very tight, small space, a bunch of information, and accounting for a ton of edge cases that I'm sure I haven't even really scratched the surface of. And how we'll do that is: let's go into the first design, that's a wireframe!

F
Let's go into this design. So tomorrow, whenever we want to get this done, we'll begin with just this kind of widget area like we have today, but we're going to take all the action and kick it over to a tab. And so in this case here there's no vulnerabilities. No vulnerabilities, it gets no action, there's nothing to look at. We remove that button.
F
Today we have this mechanism of, like, "view full report." I don't suspect that that's as valuable here, as you're just going to the pipeline report; it's not doing anything for your merge request. As an engineer, developer, someone who just wants to get their work done, it's not really part of their task to go babysit the pipeline for old vulnerabilities. The task is: get this thing merged. Our next screen. So now, in the past, we have this.

F
Like, long syntax of "security scanning has detected one high, one critical vulnerability," maybe there's some that have been fixed, maybe something else, and it's kind of like a laundry list. We really just want to clean that up into "security scanning has done something," think about it that way. So "security scanning detected 45 potential vulnerabilities" is kind of what we landed on in this space. We're going to call these potential, and then we just call out how many of what, so two critical, three high, and forty others.
F
We didn't really tie that directly to it, because I expect that when we move past this iteration we will be tying in a, like, security gate feature where you can control what's going to be blocking, or adding that approver. And there's other stuff that's kind of, like, in flight from the SCA team on approvals right now. I will probably not impact but help emphasize that. That makes sense, yeah. When we did solution validation...

F
These two items, like we asked, like, what are the most important things for you to see. We always heard critical, high; like, everything else indexed so much lower in that study. So that's why we wanted to kind of make this bucket, and then our call to action is "view results."

F
And so when we have errors, or we have anything that's kind of security job fail, pipeline's out of date, the source branch and the target branch don't know what they're doing with each other, like, we are just going to be messaging that with an alert down here. So we'll be nesting the banners underneath here. Vulnerabilities that are remediated, you get a success banner; it goes right under here as well. And most of those cases are documented, saying "can't generate a report," "security reports out of date."
F
And here are those kind of non-error cases that we have, so we'll have, like, your scanning results are kind of pending. Today, if you go in there, you'll see that the results are kind of pending. It says "no vulnerabilities detected, security jobs running," or some odd language; we're going to clean that up.

F
I tried my best to combine all of the error cases into as few as possible, so we aren't managing and maintaining, like, 400 different cases with different language and text. So I got to around four. There might be more, so there may be dragons there.

F
We can also help people with this little tooltip, like, "why am I seeing this error?" So we can pre-populate, like, a popover with some more precise messaging based on the error.
A
Do you have a general catch-all for those dragons that you referred to, sort of a generic "something wonky happened" message, Andy?

F
Yeah, kind of like this: "to generate an accurate security report," but we do say, you know, "security scanning results are out of date," out of date, out of date, same message, same message, same message. If we can do more prescriptive things with the popover and this question mark, that's great. We always want to help people with their error messages.

F
How do I fix this thing? Or what is this all about? I believe the SAST team or the SCA team had documentation somewhere around these specific error cases that I can no longer find in our documentation, but they are there.

F
They're all just these two, so these two are those, like, finicky "user enabled security scanners after the source," like, that's kind of a wild edge case, but it probably would happen once for every project. So we would probably want specific messaging for this one too. So.
F
So here's all the icon states that we would want to manage and handle; fairly simple, straightforward. So we got four, really duplicates, and then our security tab. So the user can either go right to the security tab, like they can do with Changes, or they can go there from clicking the results button in the MR widget.

F
This is kind of like a nice-to-have. You'll see that, in kind of, like, my point of view, I'm breaking this down. What this does is it tells people if there's, like, a written plain-text solution, like "update to 4.1.3," or if there's actually, like, an implementable patch or something to download.

F
This would be, like, the guidance. Actually we had these; we have the discussion that we did. I have mocks for the tooltip.

F
If there's a patch or something to download, it would just be this, but they do also have plain text. But if so, patch takes, for RC? Yes, patch always takes solution, or priority.
F
Yeah, I think that's something we found out too, and I think there's a lot more juice to squeeze around this experience. And this too, right, I think Matt was identifying that too as, like, a great target for, like, increasing our IACVs and stuff.

C
So that's where our real usage numbers are going to come from, and we want people to be, I don't say excited about security as part of the development process, but hate it a little bit less, right? And some of the things that Andy's included in here, like those icons to show if there's a patch or a solution available, this already came directly from feedback where people were using and saying, you know, "I got to click into the vulnerability detail to see if there's a patch; can I just see it?"
F
This is our rug, so I took a swing at how this could be broken down while maintaining a consistent experience, because what I showed, that's a ton of work. I don't think there's an expectation to do all that in one milestone.

F
I don't think that's, I mean, if it's possible, that'd be great to see, if we could prove me wrong. But what we could do is we just update some of our, like, logic and language just in the widget, keep everything the same: step one, just more of, like, a visual update. Then step two: get rid of these lists and move to the single widget paradigm, while at the same time creating the security tab and importing just the list.

F
We have, and then accounting for these, like, four URLs scanned from DAST; we don't want to leave DAST out. And then next we would have the addition of the solution column, a solution filter, and it would be super cool if we could get counts in here, because we don't have those nice counters up top.

F
Maybe this could be cool, I don't know, like a little hover state that shows you exactly, like, which jobs failed or which jobs succeeded, instead of, like, digging through the pipeline itself. Just click on the icon we have. And that's all.
E
And, as I said, the breakdown looks totally reasonable. It's nice that it's so, so we basically have the pipeline security tab in two places then, correct? We're, like, leaving it in the pipeline view as well, and then adding it to the MR view.

D
You mentioned the order of the MR widget, the evolution there. Do you and Matt have an idea of the order of the general thing, of everything together? What comes first: do we start with the widget? Do we start with the view, or you don't really mind? Do you want to see this as a giant epic? I'm thinking about the breakdown for engineering.

F
Yeah, it would probably make sense to start with a widget, because that's probably where all the, like, edge case and use case actions are happening right now. So how do we do errors? And how are we handling those? Because we want to handle those differently. The list, since it should be a component, seems rather trivial, but I'm not gonna, yeah, yeah. Let's see it, Alex, there? Nope!
F
No, it is. I don't want to speak for anyone over that, but I think that that is probably not as complex, in my opinion. What do you think about having...

E
No, I was just going to add, like, thinking about just adding the tab there, because it still shows all the security scanning for the pipeline, pretty much. I would think it has pretty much as much context as, like, the pipeline security tab it has currently.

A
I get the feeling we're going to need more time for this discussion. Sorry, Alexander, I want to be respectful of everyone's time, and, you know, I know Tiago just dropped off. We only have one minute left. This is a big VC, and I know that I've got a few questions that I'd like to ask too. Do you want to wrap up this point, and then we can bring this back up next week?
C
I think it's good to remind everyone: this is not our area of the application, we are playing inside of another stage's component, so we do need to be very careful about rolling out things that look polished and complete, because I know that there's a lot of sensitivities around it, since the MR is already at the, I believe, complete or lovable stage, even.

B
Iterative development, which I know that is, those can pop very polished and very iterative; sometimes we're at the opposite ends of the spectrum. So we need a balance there, maybe more towards the polished side than we generally do, but still be very iterative and...

A
All right, well, we'll leave this on the agenda for next week and we'll share this recording for folks who weren't able to attend, so it can spark some questions in their heads around this. You know, I know that before we pick up this effort, we're going to have the MVC that we reviewed last week around failed jobs on the project-level security dashboard, so we have some time, is why I'm bringing that up. All right, everyone, we're one.