From YouTube: TT301: Security as a Differentiator
Description
This is FY2022 SKO session repurposed for Tanuki Tech. Uploaded 2/1/2022.
For more on Tanuki Tech, see here: https://about.gitlab.com/handbook/marketing/revenue-marketing/sdr/tanuki-tech/
For more on the speaker, see here: https://www.linkedin.com/in/christopher-wang-0835b226/
So one of the big startling statistics that I want to start this conversation off with is the fact that we are expected, as a global society, to have around six trillion dollars in wealth transfer due to cyber attack in our current year, and so this is unprecedented, and this is the highest it's ever been at any point in time. We have to ask ourselves the question of why this is happening, because this is ultimately a problem that all of our customers are facing.
And to put this number into a little bit more context, this is going to be the greatest transfer of economic wealth in history. From a sheer monetary point of view, we're talking about an amount of money that is greater than all of the natural disasters combined together in a given year, and also more profitable than the entire global illegal drug trade. So this is an absolutely massive problem that many of our customers are facing.
If the bitcoin isn't paid, then they're going to wipe all the databases of many of these hospital networks, basically shutting down really essential public infrastructure. We've also seen that this has gone up a very large amount during coronavirus, simply because of how important hospital networks are at this point in time.
Over 1 million children have experienced identity theft 4 years ago, costing families around half a billion dollars in out-of-pocket expenses. So this is a huge problem that's affecting every layer of our society, and before we really start talking about, you know, some of our differentiation stuff, we have to basically ask ourselves the question of: why is this happening in the first place? And the reason is actually pretty simple at a fundamental level.
The reason why is because, if you went back to the year 1980, then a simple website like this, maybe several thousand lines of code, may run on a couple hundred servers, but everything is generally pretty simple.
And ultimately, what we're talking about is the difference between securing a private residence, something that you could do in a couple of months, and securing something like a four-thousand-mile border. That's the world that we're in today: all of those millions of lines of code, those hundreds of thousands of servers, that's just so much stuff to secure.
This is the reason why cyber attack is now greater than at any point in human history, and all of this has brought us to a point in which the best practice in cyber resilience is to assume that you've already been compromised. So right now, a lot of IT professionals aren't focused on making sure that people don't get into their network.
What they're focused on is making sure that if someone does get into their network, they're not going to get all of the data, so maybe they might separate the data out into many different data centers. And this is just a startling fact: it's just so hard to secure your network in your data center that this is something that people have to do. This is the world that we live in today.
Many of these businesses are really focused on becoming profitable, coming up with their first application, and so they're really development focused. You don't really become security conscious until you have a large number of customers, and so for many of these small businesses, they're low-cost operations. They probably don't have any security engineers, may not have any security tools at all in their environment, and ultimately, for these businesses, security really means just hiring good developers.
If you don't have enough work to warrant one full time, then it makes more sense to contract out maybe 160 to 200 hours of work every couple of months, and so it's a cost-cutting measure. The other reason why people go the managed services route a lot of the time is because it's so hard to get up and running in cyber security. We're talking about something that's extraordinarily complicated to even, like, recruit the talent to manage. All of that requires someone who's very, very, very dedicated.
Let's talk about the enterprise. So, as corporations get very large, typically they end up building their own internal teams. They don't want to pay someone else to do this, and so what they end up with is expansive, dedicated security teams. Many of the times these security teams will be spread out across many different geographic locations. So you may have one in Austin, Texas.
You may have one in France, you may have one in India, and what ends up happening is many of these security teams turn into silos, ultimately fighting with developers. And so what we're talking about here, fundamentally, is a lack of communication. What I mean by this is: imagine if your development team is in San Francisco, Chicago and New York, and your cyber security teams are in India and in France. Well, just because of that lack of coordination, sometimes geographical distance, many other things, there's just going to be problems that happen because of a lack of communication.
The number three thing that happens in many of these large organizations is a proliferation of tools; we'll talk a little bit more about that. And ending up with a very large budget; we'll talk a little bit about that too. So, if you think about finance, healthcare, the government, these are the three industries that we're talking about today.
Let's talk about tool proliferation now, and so I'm going to give you some numbers to put this into perspective. What we've found using consulting research is that the average small organization has around 15 to 20 cyber security tools. The average medium-sized business has around 50 to 60, and the average large enterprise has over 130 tools.
And going a little bit more into ballooning cost: this is a huge issue that is faced across our industry. The big problem is that, even though the threat of cyber attack is only increasing year after year, many of these budgets that these companies have are linear, are flat, and so they're being asked to do more with less.
The other way in which we can really start pitching security for the SMB space is the fact that, once again, many of these businesses are really, really, really focused on developing software quickly. They know that they have a finite amount of time before their funding runs out, and so one of their main goals is to make sure that they're efficient with DevSecOps.
Let's talk about enterprise now. So, as a review of the four problems that many of these enterprises face: number one is that they have siloed teams. It could be a geographic problem; it's also one of those things in which, if you think about sales and marketing, it's very similar to that, in which they just have different goals a lot of the time, and when they're not aligned, they end up just, like, creating wasted work.
So if you think about the difference between security and development, it's a similar thing, where developers' entire job is to make sure that applications are up and running and that they make project deadlines. But the problem is that security's job is often to be the bad guy, to push back and to make them do more work, and so oftentimes these teams are naturally in conflict with each other.
Another big problem with many enterprises is that security is verified in an inefficient manner after development. What I'm talking about here is: all the development happens, maybe across four to six months, and at the end of that, security is verified for these applications after everything's already done. This is an inefficient way of developing software and something that we can improve.
So, solution number one, for breaking down silos. What we bring to the table here is the fact that we allow all different types of engineers, regardless of your specialty, to collaborate on the GitLab platform. With something like GitHub, typically you just have developers on it, but with something like GitLab, you can have operations, you can have security, you can have test, and because of that, we can allow organizations to systematically have better collaboration, ultimately becoming more efficient.
Let's talk about DevSecOps. So the number two problem with many of these organizations is the fact that they are verifying security after development has already happened. The big problem with this is that changes are happening, so from a developer perspective, you're being asked to fix something that you did three months ago. You probably don't even remember what you were doing three months ago.
How we solve this is through allowing organizations to implement DevSecOps, and so this is an example of the merge request screen. What this is showing is that, every single time a developer is trying to change something, we actually show all of the security issues that these changes are proposing, and so developers have feedback now to solve security issues during development. Ultimately, this allows organizations to become more efficient across the board, and so, to really bring this home:
All this happens through our automated CI/CD, and this is an example chart of the cost that we save an organization. If you fix a security issue when it's already in production, you have to basically now roll out and revisit all of those servers, tear them down, rebuild them, in addition to making the software fix in the first place. Versus:
If you catch a security issue during the test phase, during development, then you don't have to deal with redeploying all of those servers, and the best way to do this is to catch issues during the coding phase itself. The reason why is because, if I'm a developer, I'm writing something, and within four hours I have security feedback, then I can fix that issue when that issue is fresh in my mind; I just wrote that code.
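The merge-request-time scanning described in the last few passages, as an added example that is not part of the talk and not GitLab's own code: a minimal `.gitlab-ci.yml` that pulls in GitLab's SAST, dependency scanning and secret detection templates, so the scan jobs run in every merge request pipeline and in the default-branch pipeline (the default-branch run is what the merge request widget compares against to show which findings are new). The template paths are the ones GitLab documents under `Jobs/` at the time of editing; confirm them against your instance's version, since older instances document them under `Security/`. The `unit_tests` job, its image and the `npm` commands are placeholders.

```yaml
# .gitlab-ci.yml -- added example, not from the talk.
# The security jobs run in the same pipeline as the project's tests, so the
# developer gets scan findings on the merge request while the change is fresh.
stages:
  - build
  - test

workflow:
  rules:
    # Run for every merge request (the per-change feedback loop) ...
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    # ... and for the default branch, so there is a baseline to compare against.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

include:
  # Assumption: template paths as documented by GitLab at time of editing;
  # older instances document them as Security/SAST.gitlab-ci.yml and so on.
  - template: Jobs/SAST.gitlab-ci.yml
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  - template: Jobs/Secret-Detection.gitlab-ci.yml

unit_tests:
  stage: test
  image: node:20        # placeholder runtime; use the project's own
  script:
    - npm ci
    - npm test
```

The included templates attach their jobs to the `test` stage, so no extra job definitions are needed to get them running; the per-merge-request security widget the talk describes is an Ultimate-tier feature, as the talk itself notes later.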
Let's talk about tool chain proliferation. This is something that we talk about all the time, but one of the things that we really do that's kind of unique, and something that I already alluded to, is the fact that for many of these large organizations they have over 100 security tools, and so that's a hundred and thirty different inputs of data, and so to even have, like, a bird's-eye view of what's happening in your organization is really hard.
Let's talk about cost reductions. The main way in which we do this is that we make all of engineering more efficient with DevSecOps, and so what we're talking about is fixing vulnerabilities when they are fresh in the developers' minds, as opposed to four, six, nine months later. And so we may make an organization fifteen, twenty percent more efficient across the board, simply because of DevSecOps, and when you think about some of these large organizations, maybe having a several-hundred-million-dollar engineering budget, saving fifteen, twenty percent is a huge cost reduction.
That being said, there are some ways to hook security into Jenkins. You can do this through either plug-ins or integrations that you write, but the big problem with all these things is that now you have a plug-in. We've already discussed how plug-ins lead to, just, like, complexity in your IT environment in the first place, and all the integrations are something that you have to write; that takes people time. With GitLab, this is something that we give you out of the box.
One additional sales motion to be aware of is that you can actually use GitLab CI and our DevSecOps with Jenkins. So if you have a customer that is interested in GitLab security, maybe is stuck with Jenkins because of some sort of organizational mandate, then we can combine them together so that they can keep their Jenkins and still get the benefit of GitLab Secure.
Let's talk about GitHub. So one of the things to really keep in mind with GitHub is that they really are trying to copy our roadmap right now, and so we have around 10 different things that we use for security, and from my research they have around three. The things that they have in particular are SAST, dependency scanning and secret scanning. Now compare that with what we bring to the table.
So in our Secure phase, we have seven different items that we offer; the three that they bring to the table are highlighted here. And in addition, for the Protect phase, they don't have any of this stuff either. GitHub does not do anything with server protection; they are all on the application security side, and so they're behind us right now.
One other thing to keep in mind with GitHub security is just how they do things a little bit differently than us. What we do is that, if you want security, it's generally all in the Ultimate tier. They actually give their security features to all of their pricing tiers, and so they don't differentiate their pricing tiers by the security features that they offer.
They also realize that they have the largest open source user base, and so what they did is they created an ecosystem where other people in the open source community could actually extend GitHub itself. So if there's something missing from GitHub from a features perspective, chances are you can get it from the GitHub Marketplace. Now, there are really big problems with the Marketplace.
You have to make sure that they're updated, and number three is the fact that many of these actions actually cost money, and so you have a bill for your GitHub, and then in addition, maybe half of your actions add on to that bill, and so it actually increases your overall cost. Versus, if you just have a GitLab subscription, then you have one price for everything for GitLab.
The problem with this is that, if I go to the verified section, out of that 7,000 actions, only 77 of them are currently verified, and so what we're talking about is that if a customer goes out and gets some of these actions, they're really out there on their own. I did some research to find out how someone can become a verified creator of a GitHub action, and so someone from GitHub, this is what they said:
"We are currently continuing to evaluate this process and we may open it up more broadly in the future." So in other words, 77 of these actions are verified; they are verified for both Microsoft and the vendor, but for the remaining almost 7,000 actions out there, you're on your own, right? There's no real organization that is verifying the security of many of these actions, unless this is done by an enterprise vendor.
If any of those action vendors have a compromise, then all of a sudden I've lost my most valuable asset, and so the idea here is that GitHub Actions increases the number of companies that are looking at my code, and it increases my overall attack surface. So if I just Google "GitHub Action security", let's actually see what the community is saying in the first 10 results.
Everything looks good. We would expect in general to find a bunch of GitHub Actions on application security, but now let's take a look at some of the other results. Number four is "Use GitHub Actions at your own risk". Number five is "GitHub Actions design flaw leaves security hole". The next one is "Important security implications for GitHub Actions".
Let's look at the next set of tests, excuse me, Google results: "Are GitHub Actions safe to use", "The security of GitHub Actions", "GitHub Actions vulnerable platform", "Vulnerable to code injection attacks". And so one of the things that you can tell your customers is: don't just take our word for it, take a look and do some research on your own. Show them the Google results, show them what other people are saying. This is something that I do on my calls all the time.
The other thing that I want to talk about for GitHub Action security risk is going back to the fact that, out of that 7,000 actions, a huge number of these are open source projects, and so the problem with this is that there's no one who's responsible for maintaining and updating this open source project. Someone could build it and then retire.
If you're using that action, then it's never going to get updated, and so the big problem with this is that you have a lot more work and responsibility for making sure that your GitHub setup remains secure. And so this is a very similar motion and problem to maintaining Jenkins plug-ins; it's maintaining the GitHub Actions, so you can think about it as something similar to Jenkins plug-ins.
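The check a reviewer would actually run against the worry raised in the last several passages (a third-party action's maintainer retiring or being compromised), as an added example that is not from the talk and not GitHub's or GitLab's code: it scans a workflow file for `uses:` references and reports every action that is pinned to a tag or branch rather than a full commit SHA. A tag or branch can be moved by whoever controls, or has taken over, the maintainer's repository, so a later workflow run silently picks up new code; a 40-hex commit SHA cannot be moved, which is why pinning to it is the standard mitigation. It also lists the third-party owners the workflow trusts, which is the "number of companies looking at my code" the talk describes. The sample workflow, its owners and the SHA in it are constructed for this example; treating the `actions` and `github` orgs as first party is an assumption.

```python
"""Audit a GitHub Actions workflow for actions not pinned to an immutable
commit SHA.  Added editorial example; not code from the talk or from GitHub.
The SAMPLE_WORKFLOW below is constructed for illustration only."""
import re
from dataclasses import dataclass
from typing import Optional

# `uses:` values look like owner/repo[/subdir]@ref, ./local/path or docker://image
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# A full 40-hex commit SHA is the only kind of ref that cannot be moved later.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Assumption: these orgs are GitHub-maintained and treated as first party.
FIRST_PARTY_OWNERS = {"actions", "github"}


@dataclass
class ActionRef:
    line: int                  # 1-based line in the workflow file
    raw: str                   # the `uses:` value as written
    kind: str                  # "remote", "local" or "docker"
    owner: Optional[str] = None
    ref: Optional[str] = None

    @property
    def mutable(self) -> bool:
        # Tags and branches can be re-pushed by the maintainer, or by whoever
        # compromises the maintainer's account; a commit SHA cannot.
        return self.kind == "remote" and not SHA_RE.match(self.ref or "")

    @property
    def third_party(self) -> bool:
        return self.kind == "remote" and self.owner not in FIRST_PARTY_OWNERS


def parse_uses(workflow_text: str) -> list:
    """Extract every `uses:` reference with its line number (no YAML lib needed)."""
    refs = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        raw = m.group(1)
        if raw.startswith("./"):
            refs.append(ActionRef(lineno, raw, "local"))
        elif raw.startswith("docker://"):
            refs.append(ActionRef(lineno, raw, "docker"))
        else:
            repo_part, _, ref = raw.partition("@")
            owner = repo_part.split("/")[0]
            refs.append(ActionRef(lineno, raw, "remote", owner, ref or None))
    return refs


def audit(workflow_text: str) -> dict:
    """Summarise what a reviewer should look at before merging this workflow."""
    refs = parse_uses(workflow_text)
    return {
        # Each of these should be re-pinned to a commit SHA (keep the tag in a comment).
        "mutable": [f"{r.line}: {r.raw}" for r in refs if r.mutable],
        # Every owner here is an organisation whose code runs with the workflow's token.
        "third_party_owners": sorted({r.owner for r in refs if r.third_party}),
        "pinned": [r.raw for r in refs if r.kind == "remote" and not r.mutable],
    }


# Constructed sample: the owners, tags and SHA below are made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: some-vendor/security-scan@main
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
      - uses: third-party/deploy-tool@v1
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_WORKFLOW).items():
        print(f"{key}: {value}")
```

Run it against a real `.github/workflows/*.yml` by reading the file into `audit()`; anything listed under `mutable` is a place where the code that runs next month may not be the code that was reviewed today, and the `third_party_owners` list is the set of maintainers whose continued attention (and account security) the pipeline depends on.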
That gives you baseline application security testing, and so, once again, the vendor for Azure DevOps is the same as the vendor for Microsoft, and so they built out an extensions marketplace for Azure DevOps as well, and so because of this there are similar problems as with GitHub Actions. We're talking about increasing security risk for the same reasons as with GitHub: we're talking about more extensions to evaluate, integrate, procure and, ultimately, the fact that now you have a license fee for Azure DevOps and you could potentially be paying additional money for some of the extensions that you're getting out of the marketplace.
Let's talk about some of the questions that we can ask for small and medium business. Many of these businesses are really trying to move as quickly as possible. So one of the things that I recommend, depending on what their goals are, is: let's not talk about security first; let's actually talk about SCM and CI, because this is generally what they're more interested in. But if they are interested in security, after some good qualifying questions, we can ask things like, what are applications, what does application security look like for your organization?
Are you happy with the cost of these contracted services? Are you happy with the quality of work? Many of these companies feel like they're, they know that there is a better way of doing it, but they think it's cost prohibitive, and so you can now say something like, "Hey, there's actually a less expensive way of doing this. We can help you become more efficient in your application security while not breaking the bank."
It is a way to uncover pain, and so that's another question that I like to ask.
Let's talk about enterprise, and things like public sector as well. So: what does the relationship between development and security look like in your organization? Have you ever had any misses because of a lack of communication? Misses because of a lack of communication are very common in large organizations.
Let's talk about personas too. So in terms of prospecting new accounts, it's the same thing that we generally use, so focusing on the development side, and the reason why is because the vast majority of security pain is felt on the development side. These are the people that are writing code, really stressed for deadlines, and being told over and over again, "Hey, you need to go fix your stuff," maybe something that you wrote four months ago, and so the majority of the pain is felt on the development side.
That being said, one good way that I've seen this done, shout out to Kitty Ramos, is: let's start that conversation going on the development side. After you have that conversation going, then hook in the security decision makers, and then combine them into the conversation, and then all of a sudden, now you have an opportunity for Ultimate.
Let's bring everything home. Security testing is one of the defining problems of our time. This is something that I firmly believe in. I think that something has to systematically change across our global society in how we are doing things, because right now, the solution that we have isn't working in protecting the most vulnerable of our planet.