From YouTube: TT211: GitLab Verify and Security
YouTube description: This is a Tanuki Tech session on 9/28/2020.
For more on Tanuki Tech, see here: https://about.gitlab.com/handbook/marketing/revenue-marketing/sdr/tanuki-tech/
For more on the speaker, see here: https://www.linkedin.com/in/christopher-wang-0835b226/
A: Welcome to Verify and Secure. So what's the goal of this session? Very simple: it's to articulate GitLab Verify and Secure functionality better so that you can have more effective sales conversations. That's kind of the theme of every single session that I put out, so you can guess what the goal of every session is. So what's our plan for doing this? I want to understand.

A: This is what this actually is, right, and the whole goal of this is that once you can see it, then hopefully you can articulate it with more confidence, yeah, and so that ties back into seeing all the stuff in action in GitLab. We'll explain the abstract principles of what is a unit test, what's an integration test, and then we'll also see how GitLab does all this stuff so that, ultimately, you can have a better sales conversation. That's the entire goal.

A: So what have we discussed so far? Ten product stages, very deep product. We've talked about Plan and Create, and what we're talking about today is these two stages. Before I jump in, I know that some of you all have been here for a long time, so the standard disclaimer always applies: if this is something that you've already heard of, or you want to hear something more, just let me know and interrupt me. Make this conversation your own, all right. So this is something that I think is really, really, really important for us to understand.

A: Yes, it is absolutely true that we have 10 product stages, but for command of the message, the top three things on the actual sheet all have to do with Verify and Secure. It really, literally, is like intrinsic to our value proposition. So, yes, one tool for the entire DevOps life cycle. That is true, but in actuality, people really only care mostly about four of these product stages, so they care about issues, SCM, CI and security.

A: That is like almost every single conversation I've ever been on, and so I think it's really important to just sort of like lead with our strength, of like those are our four things. Yes, you get all this other stuff, but you know this is where we shine, right. This is our fundamental value proposition.

A: Why is this so important? Is that we, this is our unique differentiator, right, and I might actually build out sessions for all of these, these different product categories, but I just want to let you know that, like as an engineer, we have all this other stuff, Configure, Monitor, Defend, and I've spoken to a bunch of different engineers in the company and they actually, other engineers advise, and we don't even use some of this stuff for our own things.

A: In other words, we use what Amazon Cloud or Google Cloud actually provides for releasing all the time, and so that just goes back to the fact that, like, this is our maturity chart, right. Some of these have a heart in front of them, and some of these have circles. Which ones have circles and hearts? SCM does, CI does, you know? Security is half, but we're still better than a lot of other people, and so these are relative strengths.

A: Some of these other ones are just not as mature, so yeah, and understanding CI and security is really, really functional, really, really important. Because of this, this is the thing that, like, we are best at, right, so SCM and Plan, just to put this into perspective. Yeah, do we have differentiators? Absolutely, right?
A: But if you look at all these tape measures, if you just imagine someone going into a store, like the number one thing that they're really thinking about is like brand, and then number two, price, right. Like if it's some knockoff brand I've never heard of, I probably don't want to get it, but if one's like, I just generally want the cheapest option. And as someone who's been on the other side of the fence, who's like selected tools before, like there are certain things that, yeah, so I'll.

A: Just give you an example of this. So type into Google like "best project management software". So this is our issue tracking stuff, right, and then you get this list of like 40 best project management tools. You never want to be one vendor among a list of 40, right, it's a crowded market, but if we stick to the fact of our unique differentiators, which is that we're one tool for the entire DevOps life cycle, you get integrated SCM, CI and security.

A: Then that's where we really shine, and that's something that no one else really does right now. So diving into Verify and really understanding what this is. So imagine you're writing a book. I think that a lot of people here have written long papers before, and imagine writing it without a spelling and grammar checker. So fast forward, or rewind, like a hundred years ago: no computers, you write some really big manuscript and then you hand it in to an editor.

A: Probably a large chunk of what the editor does is just correct your writing and grammar, right, and then you get it back like maybe a month later, you have to go edit it a bunch. Then you iterate and go back and forth like five, six times before the editor is finally happy with it, and then that entire process might take like half a year if each time you go back and forth it takes one month. So this is super time intensive, right. Now let's just change this situation.

A: So now imagine you had an automated spelling and grammar checker. How would this speed up your project? So now you're writing in Google Docs or Word; all of the things that don't make sense and spelling stuff you can just right-click and change. So you know, like the version that you hand the editor now is going to be way higher quality, and ultimately this is going to speed up this entire editing process.

A: So, ultimately, what the Verify stage gives you is automated quality checks for software. That's what it does. So once again, all of software is just a bunch of text files; that's something that we need to keep coming back to. So it's like Netflix, Amazon, Hulu, GitLab. Fundamentally, all of these things are is just a bunch of text files, and so the, you know, like this sort of syntax checking and spell checking, this analogy actually applies way more than, it's not just some sort of hackneyed, like, analogy that's a stretch. It actually literally...

A: What it's doing is it's checking, you know, if the stuff that you're saying syntactically makes sense, and this allows you to write better software quicker, right, which is our fundamental value proposition. So quick reminder on Agile. So yeah, so like Agile is this thing that we hear about a lot, right? Imagine you're building a house, and so you know you come up, like one way in which you can do it is you write up this like 10-page document to the builder, and you say I want three bedrooms.
A: I want the bedrooms here. I want granite countertops, all this stuff, A, B and C, and then you left, and you came back six months later. So the big problem with this is that there's always room for interpretation for any sort of set of requirements, and inevitably what happens is that the builder is going to misinterpret some stuff.

A: Or your requirements weren't completely clear, right, and then so one room might be built where you didn't expect it, or you know the painter might be using like a different color than what you expected, and then so what happens now is that you have to fix things at the end, when it's most expensive. So if you had to move one room over all the way at the end, then that would involve ripping out a lot of other stuff from the house.

A: It is most expensive to fix any project at the end, and so just going back into history, software engineering really started taking off around 1970, and the first way in which we made software was exactly like this. You had people come in, give a list of requirements for a website or something like that, come back six months later, and then you handed them, you know, basically like your finished product, and then there would always be misinterpretation and you had to iterate when it was most expensive.

A: So that's the waterfall way of developing software. Agile is the newer way of developing software, in which you iterate, right. So the whole idea is now I lay the foundation and then the builder basically says, come back, is this how you like it? There's something that you want to change? Great. So now we change it at that point in time in which it's really easy to change, right, and then so then I build the scaffolding. Hey, do you like it? Then I start putting in some of, like, you know, the piping. Hey.

A: Do you like it? And then so the whole idea is you have tests all throughout the process and you can correct things when it's least expensive to change. So some of this terminology, I think it's really important to use the terminology correctly. I think that engineers are generally, like they're very, very particular about the terminology that you use, in the sense that, like, if you use some of these terms a little bit incorrectly, then it triggers off an alarm in their mind.

A: So it is important to go over what some of these terms mean, right. So Agile, and Agile and waterfall, they're just sort of like philosophies. Just like, hey, we should have voting, like we should have social justice as a philosophy, right, but behind every philosophy you actually need some plan to implement this. So how you implement Agile, which is a set of principles, is that you engage in what we call CI/CD, which is a bunch of engineering rules. So the whole idea is Agile's principles.

A: We want more communication, we want iteration, we value cross-team collaboration, and CI/CD is how you do it. So how do you do it? You merge your merge requests very quickly. You continuously deploy stuff into production, so it's like where the rubber actually meets the road, and then, you know, how, why does this impact a business? Why does this matter to every single person that we talk to?
A: I know that that's sort of like one of these things that you hear and you kind of raise the eyebrow a little bit, but I've talked with people like all across the country for years, back when I was at Red Hat and I was doing sales consulting, and I do actually think that this is true, that's why I wrote it. So you have, I've talked with teams at Microsoft and Google that they're literally like deploying like 30 times per day, and I've also talked with like a lot older...

A: So it's one tool, all of the fact that everything is one tool for the entire DevOps life cycle and all the automation that we include in this is our basic value prop. Our customers want Agile. They want CI/CD. GitLab makes this easy. We are one of the best companies out there for this. Benefits of Agile.

A: Instead of going down the wrong path, walking five miles down the wrong road and then having to go back, when you're continually iterating and checking on where you are and things like that, then if you go off track, you can find out sooner and then course correct, saving yourself a bunch of time. The businesses want Agile because they want to have more effective engineering teams, because they want to remain competitive. All right, so how's all this work?

A: It works because we include lots of automation that fundamentally saves our customers a lot of time. So like, as you can imagine, just from a sheer work perspective, like workflow perspective, it's a lot easier for a builder in our house analogy to get a 30-page document, go out, build an entire thing, because you don't have meetings, you don't have check-ins, you don't have quality control throughout. You'll pay for it in the long run, but in the actual work process itself it's a lot more simple, right. It's just you get this document.

A: You build your house, you're theoretically done until you have to correct a bunch of stuff. Agile is a lot more complicated. Agile, you have to have all of these check-ins. You have to have cross-team collaboration. You have to go find out who your stakeholders are. You have to go communicate with them. You have to have a lot more meetings, and so on the surface, implementing Agile requires a lot more work. This is why most people are unsuccessful at implementing Agile, and so how do we allow people to do this easily?

A: Well, I'll show you this in a couple of slides, but what people get out of it is saving time and money, eliminating human error and actually implementing Agile in a way that provides value to your organization. So, let's show off how this works in a demo. Here's GitLab.

A: I'm an engineer. I get an issue. This issue is to, like, create some sort of new button or something like that. After I go work on this, I spend a week on it, I create my merge request. This merge request is going to solve this issue, and that's how I get credit and that's why I get paid. So here's some merge requests that come in, and one of the things that happens with all these merge requests is that all of our CI runs in the background in an automated fashion.
A: So here's the merge request that comes in. The changes that are, these are the changes that are being proposed. It's all this green text on the right, and that's how the engineer gets paid, right, and so over here you can see that there is this tab called Pipelines. If I click on this pipelines view I get all of this stuff that happened in an automated fashion, no, like completely for free, and the main thing that I want to show you all over here is the number of tests that have been run.

A: There are over a hundred thousand tests that have been run because, as part of this CI, and just like how, you know, like in our Google Docs, like Word, analogy, just sort of like, hey, we're testing for spelling, we're testing for grammar, we're testing for all this other stuff, there are literally over, there are 127,000 things that we are testing for as part of our CI. So that's basically going to very, very powerfully make sure that our software project stays on track. What are some of the things that we test for?

A: So, just like an example of like this house, there's a lot of things that we need to make sure that, you know, if we're gonna like test this house and make sure that we're doing a good job, right. So a lot of these are going to come from, you know, the guidelines for housing. You have to have a certain number of fire alarms.

A: Your unit tests are basically your smallest test, and then you have these things called integration tests and end-to-end tests. So an example of like an inter-, like a GUI test, or graphical user interface, is that's really: do our buttons work? I'm going to write some sort of automated thing that's going to click on all of our buttons. Does it take me to the right screen? If I log out, does that, like, take me to the right screen?

A: Can I, like, hijack this website if I, like, try to log in 5,000 times quickly, right? End-to-end tests, that's like, can, if I turn my computer off 500 times, turn it back on, then does the server, like, restart? Does it have any problems with that? Unit tests I'll show you a little bit about in a sec, in a second. So here's an actual, how I got hired as an engineer is: I didn't go to school for engineering.

A: I had to basically code a bunch of stuff on my own, and then that's how I proved to my future employer that, like, I could code. So this is one of the things that I actually built. This is the game of chess from, like, you know, a Python perspective, and so I just, like, wrote all this stuff, showed people that I could code. That's how I got a job over here. There's this file that's test.py. This is where all of their tests live.

A: So tests in general aren't something that you get for free. Some of the tests that you get with GitLab, they are for free, but in general you have to write all of your tests. So examples of tests that you could write with this chess game is: can my pawn move forward one space? Can it move forward two spaces, right? What happens if I try to move it three spaces? Then it shouldn't work, right. What happens if I try to move it 20 spaces forward? Well, that's off the board.
A: You know, checks that happen every time you're trying to submit a merge request to make sure that nothing broke, and so we can actually see some of the tests that are over here. So this first test is verifying if I can, I can move pieces in some sort of expected way. What are some of the things that we're testing?

A: One thing is: can I move my pawn forward one space, right. Rook, that's like the castles. Can I move it forward several spaces? And then we have to do like the exact opposite. So we have to check if things are illegal, right. So what happens when we try to move a pawn forward three spaces? Well, it shouldn't work, right, and so on and so forth. How all of this stuff, like, actually looks like if we were to run it is, so over here I have my chess.

A: I have like my, my chess, like, game, and if I just, like, run everything, then it runs through all my tests. As you can see, that took 0.03 seconds and all 31 tests passed, because I didn't do anything; it created a bunch of virtual boards and then it tried to see if, like, things made sense, and that's fundamentally what all the software tests are doing. So over here I had, you know, like the knight, or horse. Did it move over here successfully? Well, it did, so.

A: You know, like, we're happy about that, and our test checked. So, like, going back to what GitLab is doing, I'm just sort of like bringing everything home.

B: You said that GitLab supplies some tests, but obviously you have to create most of your own. Are we talking, like, templates for certain functions that you're, you're trying to run, and is that universal across different, different solutions that you might find on the marketplace, or is that unique to GitLab?

A: Maybe someone's designing a database, a bunch of, there's, and there's all sorts of weird stuff that people use GitLab for, right, so some people are, well, like, yeah, like I don't even need to articulate that to y'all, like you all talk to customers more than I do. So we cannot supply tests that are universal to every software application out there, and every engineering team, as they develop a software application, they are writing the tests themselves. So let me give you an example of that. I'm designing some website.

A: Now I build a test, and that's just what I keep on doing throughout the entire development process, so there's no way that GitLab can build all of those for you, just because we don't know what your application is, and just as an analogy for our housing analogy, like I can't, like, there's no one building template for, there are things that are universal to every building, right. Every building needs fire alarms.

A: Every building, you know, needs to have a water heater that's a certain number of, like, inches off, like, the ground or something like that. So those are universal tests. Those are things that we give you as part of GitLab for free, but in terms of actually, like, testing your application itself, because we don't know what your application is, fundamentally we have to, people have to build additional tests on top of that, and that's what your unit tests and your end-to-end tests are.
A: So, fundamentally, all software is text files, and, as someone who's been on a software team for, like, a really long time, I can tell you that there's always going to be the one person on the team that, just like, writes, like, really, really, really long sentences, or things that, it's just sort of like, it makes it really confusing for everyone else, and then so, just like how there's, like, the MLA guideline or Chicago guideline for writing essays, there's actually style guidelines for coding in every coding language.

A: So for Python there's this thing called PEP 8, but every single programming language has style guidelines, and this literally says, like, you know, like, things over here: how many times should you indent? Should I use tabs or spaces? So it's just, like, really, really, really, like, granular things that you need to pay attention to. Does this actually matter? It actually matters a huge deal, because otherwise, like, the one person who writes, like, crazy stuff is going to end up, like, making, confusing everyone. So something else: review applications, in the merge request view over here.

A: You actually get a new version of your application that's running all the latest code. So as opposed to me guessing what that change does, I can see the new button that this change is corresponding to. The whole value add for business as to why they want review applications is that it speeds up the peer review process. So all of these merge requests come in, it's a lot of times...

A: It's really hard to understand what this stuff is, and then so sometimes the merge requests wait, but if I can just, like, create a new version of my application that's running somewhere with all these changes in, I can speed up the process of merging and evaluating these changes, and that fundamentally just makes my, one of our fundamental value props is develop better software faster. So this is an example of how we can speed up the entire development process. How powerful is this?

A: If people are using Kubernetes, it's very powerful, it's actually a huge, huge deal, these review applications. All right, so that's Verify, and Secure. I hope that helped, you know. Now let's talk about reducing security and compliance risk. Security, this is something that I think is really, really, really important to understand. I think that one of the things that I told you all before is that software teams generally don't like each other. So I was on a test team. The developers did not like me, as a matter of fact.

A: Sometimes they, they went out of their way to be really nasty to the people on my team. That's very common. Generally developers also don't like security people, and security is almost like one of those things where it's like, we know that we should be doing it, but we don't. It's almost like the United States understands that we should be polluting less, but, like, we just never really, like, put that much effort into it, for whatever reason. Not trying to get too political, but yeah, so GitLab is special.

A: In that we offer security scanning as part of the development process through our CI. We have to understand what the before state is.

A: The before state, before GitLab, is generally, and this is especially true for SMB and commercial, is that they don't have enough money for dedicated security people, right, and so what they do is they go develop all their stuff, security's this afterthought, and then it's the same problem with that house analogy that I, I thought I had been mentioning before, so it's like, because we're checking security all the way at the end...
A: These contractors get paid $300 an hour or something exorbitant, and so the value that we offer is that it's several fold. One, a lot of people can save money, so the SMB people, they don't have to hire out for all these contractors. The enterprise people, we can complement their existing tools. You know, sometimes we can, you can eliminate some of those tools. In general for enterprise...

A: We like to integrate with whatever the rest of their stuff has. That's, there's, that's like a generally accepted sales motion among the sales that I talk to, and then so, save money. The other thing is that we can speed stuff up, right, so as opposed to testing security all the way at the end, if I'm testing security in the testing process itself, this allows me to find problems sooner, which allows me to course correct sooner, so our fundamental value proposition of developing better software faster, that's how we do it. We'll talk about...

A: So, like, we'll talk about shifting left in a bit. Can I clear anything up on Verify or security that I've mentioned so far?

A: Sounds good, I'll continue then. So merge requests, people collaborate, people are going back and forth. GitLab also improves the quality of the collaboration that we have, so as opposed to a typical solution like GitHub, where all of your developers are on it, because all of these different teams, your test people, your security people, can be on GitLab.

A: Then, you know, if a developer is creating something and they're going to merge something in that's going to negatively impact the rest of the product, then, all of a sudden, our security people can chime in. How much does this matter? It actually matters a lot. I'll give you an example of how this would matter.

A: Django 2.1 actually has, you know, some sort of, like, security vulnerability or something wrong with it, and then, you know, so just continuing the story, so the developer's now writing all this code with Django 2.1, writing hundreds of files, thousands of lines of code, all using Django 2.1. Finally, the development process is done. Security takes a look at it, and then security realizes, dang.

A: You use Django 2.1? You can't use Django 2.1, it doesn't pass your security compliance stuff, and so now this developer needs to edit that 100 files that he just wrote in the last two months. First is, like, you could catch it all the way in the beginning with GitLab, because all of your different teams are looking at the same stuff. We have better cross-team collaboration because everyone's on the same platform. With GitLab, it's the same concept of silos.

A: GitLab is one shared table, right, so I think I've definitely shown you all this picture before. But typically your developers are talking about your stuff, your security people are talking about different stuff, you know, but by having one big table, everyone knows what everyone else is doing, and that's one of the fundamental value props of GitLab. Security contracting, as you can see over here, I actually think that this is, like, a medium-grade engineer for this; the advanced-grade engineers, especially with top secret clearance...
A: So, let's talk about, you know, some of the things that we actually do. So it's really important to understand some of these things at a high level: SAST and DAST. The important thing to know about this is that these are complementary.

A: It's just like, just trying to think about this, like if you have salsa without chips, that doesn't, no one really wants to eat chips by themselves. If you have salsa by itself, people definitely don't want to eat salsa by itself. So these are complementary. SAST is like 85 percent the value, DAST is 15, but you're incomplete with just one of these categories.

A: If some of our customers, if they have anything, they have SAST. So let's talk about what these actually are. SAST does static application security testing, and what I mean by this is it doesn't run your application, literally. What it does is it looks at your code and then it looks for vulnerabilities in your code itself. So, like, here's all of these chunks of code, it'll run, like, stuff through this code to try to break it, and that's fundamentally what SAST is trying to do.

A: DAST, however, needs a live version of your application running, so that, and then what it does is, after, so there's a live version of your application. It's going to bang on it, right, so it's going to turn your application on and off 5,000 times and then see if, like, it, like, falls over, and if I can, like, break into it if I, like, try to log in, like, while that's happening or something like that. There's all sorts of obscure stuff that DAST does to try to break into your website.

A: Other things is, like, here's this login form, right. I used to actually design login forms and test these, so it's expecting two things, right, so a username and password. What happens if I log in to the same set of credentials using, like, five different browser sessions at the same time, right? So it's like, I have different Chrome sessions and I try to log in using the same username and password. Can I break it? Like, sometimes you can.

A: What happens if I put the password section blank, or what happens if I, like, inject some sort of, like, JSON or something into these fields? I'll show you what that means in a second, but yeah. So the difference is SAST just looks at your code, tries to break it. There's no running version of your application. DAST...

D: What's up. I'm asking about the dynamic testing: is it more like a sandbox type of environment when it's doing that, or is it running live?

A: It'll be a sandbox version, okay, for sure. Thanks for asking. All right, so container scanning. This matters a lot, and most people don't know about how important this is. They might have some understanding of how important this is, but in general it's just sort of like our, it's like our global response to, like, global warming. It's like people know we should care about it, but, like, people don't put enough effort into it.
A: Okay, so basically what people do with containerized applications, and this is what the vast majority of businesses do, is they go on this one website called Docker Hub and then they download stuff that they want. So if they wanted, like, a MySQL database, they want a web server, whatever, they'll go over here, then they'll literally just, like, download it and start using it. The big problem, and then we can just check out, like, how many different, how many, how, like, how, like, popular some of these are, right.

A: This has been downloaded over 10 million times. Postgres, another database, downloaded over 10 million times. If I see all the official images, I have to scroll all the way down. If I keep on scrolling down, WordPress, very popular application, downloaded over 10 million times, so this is being used very, very, very heavily by businesses around the world. Now the big problem with this is that anyone can upload stuff onto Docker Hub, and people do upload whatever they want on the Docker Hub. So that's problem number one, is that people are getting stuff...

A: That's, you know, you just don't know if you can trust it or not. So what GitLab does is it basically scans whether your containers are trustworthy or not. So over here I'll give you an example of this. Going back to Docker Hub, I forget which tab it is, it's this one, all right, so MongoDB. This is a database, right, and there's all sorts of different versions of this, right.

A: So, like, version 3.6, version 4.0.20, whatever, and then it knows whether or not these versions are safe, right, and then so it will scan, scan your container, identify it, find out which version it is, and it'll let you know which ones are safe and which ones are not. The vast majority of containers that are being used by businesses in the world today are not safe, and most people are just getting stuff off of Docker Hub.

A: It's a really, really big problem, and I actually think that this is going to be a huge market need in the future.

A: There's no, like, great solution in that space right now. All right, so just showed off Docker Hub. Dependency scanning, so this is another thing that we do. Obviously this image is not of the software applications of a car. Let's just use an analogy here. So in a car you have a bunch of different parts, right, so you have wheels, you have your transmission, your engine, and they all fit together.

A: You have, like, buttons, which is another component. You generally have an API, which is another component, and they all fit together somehow. The problem is that, like, just like how, with a car, every once in a while there's, like, some awful thing that they find out: airbags do not deploy, safety recall, if you have a Honda Accord 2009 through 2015 then bring it to your Honda dealership so we can fix this thing, or whatever. Just like how there are safety recalls for car parts, there's problems with the individual components that you have.

A: So if you are using Postgres as your database, version 2.1, and then there's some awful security thing that's found out about it, then what you want to do is you want to update your Postgres version, and you want to be notified that this component has some vulnerability. That's what we do for our customers. When a customer, like, uploads all of, like, GitLab's smart enough to find out what sort of components are in your application, and then it will let you know which components aren't safe.
A
So
if
you're
running
some
website
has
components
a
b
and
c
c
has
some
vulnerability.
We'll
tell
you
what
that
vulnerability
is.
So
let
me
show
you
what
this
actually
looks
like
here's
git
lab
and
as
you
can
see,
this
is
the
git
lab
code
itself
and
get
lab
code
actually
has
a
bunch
of
vulnerabilities
in
it.
Here
are
vulnerabilities,
so
we
use
this
thing
called
acorn
5.7.3
and
what's
the
problem
with
it,
the
problem
is,
you
know,
like
we
say
the
severity.
How
important
is
it
it's
high
severity?
A
And
what
is
this
problem?
Well,
it's
some
technical
thing
right
and
but
an
engineer
would
understand
what
this
is.
The
other
thing
that
we
tell
you
is
like
all
right:
acorn
5.7.3:
where
did
this
like
dependency,
even
come
from?
Well,
we
show
you
where
it
comes
from.
It
comes
through
from
this
file
right,
so
yarn.lock
and.
A
A
So,
just
to
recap,
software
applications
are
made
of
individual
components.
They
are
called
dependencies.
We
are
smart
enough
to
let
our
customers
know
one
what
dependencies
they're
using
and
whether
or
not
they're
safe.
This
is
get
lab
code
itself.
We
have
all
of
these
dependencies
that
aren't
safe,
that
we're
using
right
now.
One
question
that
immediately
comes
to
mind
is
like:
why
are
we
using
dependencies
that
aren't
safe,
there's?
Actually,
a
lot
of
reasons?
Why
that's
the
case-
and
this
is
sort
of
like
simplified
answer-
is
we're
working
on
it?
A
So
we're
not
perfect.
A
Fuzz testing. Fuzz testing is new. It's something that's a big deal, but it's really important to position this correctly, because 90% of people that you speak to don't know what fuzz testing is. But if you talk to the right audiences and explain what fuzz testing is, they're going to be really interested in this. Why? Because you can, if you educate them. Okay, so, like, we've got to talk about what fuzz testing is first, otherwise it's just, like.

A
Fuzz testing is basically this. This is Instagram, here's the login site, and what I'm going to try to do as a hacker is I'm going to try to break into a site like Instagram by putting stuff that it's not expecting into these fields. So it's expecting a phone number, a username or email, right, but what happens if I type in, like, a bunch of numbers, or what happens if I type in, like, true false, or, like, you know, some, like, binary stuff? So that's, like, kind of, like, a simplified example.

A
A real example would be, like, if I were to do some, like, injection type of thing. Dot json, like, you know, like, something input thing, whatever, like, whatever python dot lib dot thing, right, and then all of a sudden this runs and breaks the website, and I get data out of it. There's all sorts of injections that you can use. There's MySQL injections, there's also command line injections, and fundamentally what these things are doing is inputting code where the application isn't expecting it so that I can hijack your website. Very, very common, this happens.

A
This is a really, really fundamentally, like, big security problem. So why, what's the value in fuzz testing? So there was actually a task group that did research on applications, and they found that injecting random stuff into your forms breaks around one quarter of all of your applications. So not just in terms of getting customer data, you can actually break someone's website, crash your server, and, you know, like, make things unresponsive if, if it's expecting, like, a phone number and you put in, like, true false, false true or something like that, out of about one quarter of all the applications that were under this study. As someone who was working in engineering before, this is totally true. Around, I had to basically do this, and I did this manually, so as opposed to having automation that does all this for, for you, what I did was.

A
I went into the website that I was using, and then I would type in, like, well, what happens if, like, you know, I type in the wrong stuff? So, like, what happens if I type in this, and it was very boring and monotonous to go through all these forms typing in all these things, and if I could have done it in an automated fashion, it would have really simplified my job and given me a lot of time back. That's something that GitLab does for people.

A
So yeah, that's what fuzz testing is. Just to recap: fuzz testing is putting unexpected inputs into an application, so if it's expecting a username, you give, like, true false, or, like, binary, zero one, one zero, right, and this, if you're talking to, like, a test engineer or an engineering leader or someone in security, they would definitely see the value of this, but we have to educate our customers on this, because the vast majority of people do not know what fuzz testing is. All right, so now we've got to talk about messaging.
A
This is really important. Super, super, super important that we get this right. So the first thing I want to talk about is DevSecOps, right. We've already talked about what DevSecOps is, so it's, like, there's the idea of DevOps, throwing security in there. How do we do that? Well, you know, as opposed to just running CI and, you know, like, testing stuff, now we also test for security. Therefore we have DevSecOps, right, so as part of your DevOps, like, flow, you're also testing for security. Therefore, DevSecOps.

A
Now it's really important to understand how this term is received by industry. This term isn't widely adopted, so we have to take the approach that, like, most people don't know what DevSecOps is. The other thing is that, if you're talking to a technical audience, I tell people to advise to, I advise against using these, like, overly marketing terms. I'll explain why, and in general the best practice is to avoid using these terms with technical people and introduce it as a new concept to people in leadership.

A
So I think it's really important to understand what is happening here in our space and in technology companies in general. People want to be seen as an innovator, and if they prove that they're an innovator, and if the, if the investors buy it, then all of a sudden they get these huge valuations, right, and then so, in general, people want to make something new. So it's, like, the problem with this is that people make all sorts of new terms all the time.

A
DevSecOps is an example of this, and so the real question is: is there substance or not? Engineers, in general, they're very, very good at calling out the ones that don't actually have substance, and it's just sort of, like, they can tell that it's, like, fluff. Do I think that the term DevSecOps is fluff?

A
So if we are to use these terms, we need to teach people about them, and we also need to understand that, like, some people are not going to be receptive of these terms. If it's a leader, like a senior manager, director or VP, they may or may not have heard of this before, so we can seem like a digital leader and educate them on these new trends and technology. That's fair!

A
If I were talking to, like, an architect or, you know, a DevOps lead or something, I would probably avoid the DevSecOps term. It depends on the person, but, as we've seen, DevSecOps has less than five percent the adoption of the term DevOps. So it's just, like, that's, that's, like, some of the nuances behind using the term.
A
So here's, like, the development life cycle, right, so we talk about requirements. Then we develop something. Then we test it, and then we deliver the product, and then we maintain and support it. Where's security in here? It's usually here. So it's not actually in this diagram, but part of stabilization is security testing. So the big problem with this development flow is because stabilization and security testing isn't part of the development process. It's like that house building analogy, right, so I build my house. All the development and building happens. I go away. Now I test it.

A
Now I see if it's secure, when the cost to change this product to my organization is the most expensive, right. So the idea of shifting left is, as opposed to security testing here, we security test in the development process itself. So in this diagram we have literally shifted security from over here to over here, in the development process.

A
So is this something that's powerful? Is this something that's real? Yes! Is it a market, is it a term that was probably created by marketing? Probably. Do engineers think that this is the case? Probably. So yeah, I think that it's, it's a new concept. The idea of shifting left, it really came out in the last, like, I'd say, 12 months. Same caveats apply: it's a term created by marketing.

A
What's the point of marketing? So that we can seem like a digital leader, and then the problem is that, like, everyone's doing this in our entire space, and then so the engineers, when they hear it, you know, their red flag goes off, like, you can only have so much, like, digital transformation, innovation things. The vast majority of, like, the terms that you hear are fads, and they don't even, like, they will not, these terms would disappear in six months, right.

A
So shifting left is not, like, a fad. It's something that is here to stay, but we have to be cognizant of the fact that engineering people, they're constantly hearing all these new terms, and the fact that a lot of people haven't heard of this before. If we talk to someone, never assume that they know what shifting left means. Instead, take an education approach where it's, like, hey, let's talk about how you can speed up your development process. There's this principle of shifting left, and what that basically means is so on and so forth.

A
And now you seem like a trusted advisor, which is the goal. All right, so, just tying things up, we've got to talk about some other stuff. This is just to help y'all in your conversations. So all of this automation and tests and everything, it has to run somewhere. You don't get it for free, right, and then so there's some server somewhere that's running all the automation. That's what we call a GitLab Runner. A GitLab Runner is a server that, like, actually runs all the CI and stuff like that.
A
D
A
.gitlab-ci.yml file, so there's literally one file that determines all of the stuff that happens in my CI. Over here you can see the stages: sync, prepare, build-images. Over here, what's happening is sync, prepare, build-images, right, so these are the first three stages. So this file determines what happens in our CI, and the really great thing about this is that I was a GitHub user for about half a decade. I was a Jenkins user for about four years. We are by far the most configurable right now.

A
The fact that we can just, like, have one file in which you can put everything in, and, you know, just edit everything over here, and all of a sudden, you know, things are changed. This is really, really, really customizable and very, very intuitive for engineers to use. So it's really great.

A
So that's the end of the presentation for, you know, Verify and Secure. I'd love to see if I can clarify anything to anyone. There is a homework that I'm gonna send out. Please get it in by, you know, this Friday, and if you people keep on asking me, like, hey, can I have additional time or whatever? The answer is always yes. I'm not a stickler to it, but, you know, like, yeah, it's just trying to make sure that the messaging is, like, a hundred percent.

A
Can I, can I help clarify anything with anyone? I know that that was a ton of information, especially the security stuff.
E
A
Yeah, so I think that, for his particular instance, coming in introducing a new term, all of a sudden now we're the digital innovator and we're the leader, right. So we can use that term as, that we believe in DevSecOps. DevSecOps is this new thing that GitLab and other companies are pioneering. Our approach for it is X, Y and Z. Let me show you about why you get stuff out of it. Now, all of a sudden, you're a digital innovator and your trusted advisor.

A
So I think that, for that space, that's fine. If I were doing outreach sequences to engineers and companies, I wouldn't use the term DevSecOps just because, like, it does trigger off that, like, marketing fluff, like, red flag trigger. I'd be really curious to see what the data shows, but at least, like, that one article that I found on Reddit.

A
So let me talk about, like, my, my approach, right. Like, obviously, I think certain things I need to make sure it's substantiated, so I actually typed it into Reddit, and there was about, like, seven or eight articles that were basically saying the exact same thing out of the eight that, like, appeared in the top, and the reason why I picked that one was because the other ones were using too many f-bombs in them, and I wasn't gonna put it into my slides. So, like, I do think that that is, like, a really, like.

A
I mentioned it for a reason, is that, like, a lot of technical people, they're, like, they're inundated with all, like, these new, like, technical jargon that comes from marketing. So I would say that, like, yeah, yourself, right, and I think your cell's in his position for a reason, right, but I do think that, like, space persona definitely applies in terms of using this terminology.

B
A
Oh, the vast majority of people don't know what DevSecOps and shifting left is. I guarantee you, like, if I went to go, I, like, start texting, like, my engineering friends, hey, how many of you have heard of DevSecOps, like, I'd say maybe 10 of them have. Some of them would say that they have because they want to seem smart, but, like, most of them, like, haven't heard of the term before.

B
A
No, it's not, especially because engineers are so hyper-specific, focused on their individual stuff, right. So it's, like, shifting left, that comes from a project management point of view. You have your development phases, right, and so developers are not even thinking that way in the first place. The developer is thinking, how do I get my buttons, and so I can get paid. A project manager may understand what shifting left is, you know, from a security perspective, but, like, engineers aren't even, like, thinking about that whole timeline in the first place.

E
I mean that just from, you know, from an SDR perspective, because we're all SDRs here, it's, it is cr-, it's so critical to what we do, because sometimes we are reaching out to engin-, you know, below manager level. We want to reach out to the senior team leaders, the senior application developer.
A
F
All right, question about another feature: Kubernetes monitoring. Is that sort of under Security and Verify? Well, definitely not under Verify, but I, how, how, I know it's part of the sort of powder security, so we didn't really get to touch on it. So I just kind of want to hear your thoughts on how that is a differentiator or, or not.

A
Yeah, that's a great question, thanks for asking it. So basically, like, the Monitor stage is covered in a different presentation, and if anyone's interested in learning more about monitoring, then just, you know, I'm happy to do that. So, so, like, the whole idea with monitoring is, I'm a business, right? We talked about how if my website is slower, then that means that I get millions of less dollars on some large, like, web service like Netflix, so that, like, absolutely matters to me. I need to have a good gauge in my environment.

A
How does my environment fundamentally slow down? Is that I don't have enough servers that are running my environment, right. So I think I'm answering your question, but what monitoring does is it gives you the charts that show you, like, over here we have spikes at nine every day, you know, and then so it gives you the graphic visualization data so that engineers can, like, plan accordingly to the ebbs and flows and, you know, the, the usage of their web service or whatever application that they have.

F
A
Yeah, I, I see them as, like, different things. So if there's a vulnerability to a web application, then you can do it if, generally, like, the problem with security is that it's so vast, but in general, if there's some sort of vulnerability, you can take advantage of that vulnerability whether or not one person's using the site or, like, 5000 million people are using the site all at once. So the amount of web traffic generally does not make a web service less secure.

A
It can also be about cost savings too. So if you find out all your data in terms of performance, and then you find out that, like, oh wait, we actually have all these servers that are underutilized, and you can get rid of stuff as well. So I, I think that monitoring is the value add for business. For our monitoring software and capabilities, it is generally: do we have enough stuff? We don't want to have a performance problem. A performance problem is going to cost our business money, right. Number two is: can we save money, right?

A
Do we have too much stuff? And then number three, I'd say, is, it's really just those two. It's just making sure that, like, we are doing our part to make sure that we have, like, the best web service. So, like, if you imagine Hulu versus YouTube versus Netflix. If Netflix, what had, like, was really laggy, then in one year they wouldn't have any business, it'd go all to, like, Google, you know, so it matters for a lot of these businesses.

A
All right, well, happy Monday, everyone, nothing like a good Monday morning session. I'll see you all on, say, all around, and happy end of September. If I can do anything to help you all get SAOs, let me know.