From YouTube: TT211 - Verify and Secure
Description
This is a Tanuki Tech session on 8/31/2023.
For more on Tanuki Tech, see here: https://about.gitlab.com/handbook/marketing/revenue-marketing/sdr/tanuki-tech/
For more on the speaker, see here: https://www.linkedin.com/in/christopher-wang-0835b226/
A: Okay, so today we will jump into TT211. This is for Verify and Secure. The goal of this session is to better understand our sales messaging behind here and to understand what it does. So one part is how to use it in your conversations; the other part is, next time someone talks about their CI/CD or their DevSecOps, I want to share with you what this stuff actually does, so that you can have a more confident conversation when it comes up. Okay, all.

A: So, last time what we talked about is our project management and our SCM. Continuing this story, we're moving on to our CI/CD and our DevSecOps, okay. So just sort of like talking about how important these things are. This is the main reason why people buy GitLab, right? If someone is just using us for SCM, a lot of these people are going to stay in the free tier. What the product data actually shows is, when people start adopting Verify and Secure, that's when people move from Free to Premium a lot of the time. Okay, and...
A: That's exactly what I do too, like I'm thinking price and functionality, right. One of the things that I want to share is that source control management and project management is kind of like this. So what I mean by this is, it's a crowded market.

A: You can go and Google and search for "40 best project management tools", right, and we might not even be on this list. So what we really don't want to do is try to...

A: When we talk about SCM and Plan, we are one solution among many different companies out there. You don't want to be one solution among 40, right. What you really want to do is to be one of two, okay, and then so... What we're talking about is the platform story. How many tools right now have SCM, CI/CD, project management, DevSecOps all built into a single application? It's really two!

A: Maybe three right now, and that's us and Microsoft. Okay, so yeah, just doubling down: the great value driver that we have is this single application with SCM, CI and DevSecOps built in. Okay, so I never really lead with, like, SCM and project management differentiators.
A: So that's where Verify comes in. So imagine it's a hundred years ago and you're an author. You're writing these books. Okay, you write a 300-page manuscript with pen and paper, and then you mail it to an editor, right. The editor lives in a different city, and then this editor just goes through your entire manuscript, gives you all sorts of corrections, revisions, mails it back to you. You fix a lot of the things they say, you mail it back to the editor.

A: Exactly right, so that's like what Verify is for software engineers, really. It's sort of like, if you think about Google Docs, every time you spell a word wrong or if you say something that doesn't make sense, it gives you, like, the green line, the blue line, where it tells you in real time that something is not right. What Verify is, is it's automated quality checks for software. So just to share this with you right now: every time someone wants to write new software, they submit a merge request.

A: We have all this automation that runs. As an example, here, 127,000 tests were run; code quality ran too. And then so what we're doing is, this is checking that your software runs, that it's good and that your code is high quality. Okay, so just to give an analogy: just like how, when you're writing in Google Docs, there's your green line, there's the blue line, when you're writing software, our Verify gives you real-time feedback on the quality of the software you're writing, and then just like, you know, that story about the editor.

A: Cool, can I help clarify anything here, or is that okay?
A: Okay, all right, so the next thing I talk about is Agile. Just a review: most people... I don't want to say most people, but a lot of people, they write software in a waterfall manner. What that means is you give, like, a bunch of engineers a design document saying, like, "Hey, I want a website."

A: I want my website to do A, B and C; here's some pictures, here's examples of similar websites, here's my logo, right. And then I go away and come back six months later, and then they give me my website, okay. So the challenge with that is that it's just sort of like... Do they have custom houses in Germany, like, people buy custom houses, you...

A: Cool, so it's sort of like, if you get a custom house, you have a big design document, you give it to the builder, you go away and then you come back six months later when the house is built. The problem is that if they make a mistake in the first floor, you might have to rip off the second floor and the third floor to get it fixed, right. So...

A: Agile is different, because Agile is an example where, every... you build the foundation, and then your builder comes back with the buyer. They see it; if it needs to get fixed, they do that before they put up the wood planks, and then the builder comes back with the buyer again, and they're doing this constantly throughout the build process. If a mistake is found, they'll fix it before the next layer starts. You see what I mean, right.

A: So how does GitLab actually help out with this? Number one, we have all the tooling that you need to have Agile workflows, so I'll just give you an example of this.

A: So over here you can see iterations. An iteration is basically like: stage one, build the foundation; stage two, put up the wood planks; stage three, put in the electricity, right. So we have a lot of the software that you need to really do this well, and ultimately, the business value of why someone wants this is because... You ever, like, go hiking, and you go hiking in the wrong direction? You realize, "I hiked three kilometers in the wrong direction. I need to go back three kilometers just so that I could go the right way."
A: Exactly, cool, awesome. So just sort of review some of these things: CI/CD, it's our automated software testing. CI is our automated software testing. CD is really for more automation of redeploying of your applications. What that means is, like, you changed your code, right; there's still now a step for getting this code onto the computers that run your website.

A: So if you accept the merge request, the code is now in GitLab. You still have a second step for getting your code onto the computers that run your application, so CD really stands for getting the code onto the computers that run your application. Okay, but yeah, so just to recap Verify, what it's about: automated software testing. And if you have things like automated software testing, automated security testing, Agile, you're going to have a big advantage over other people. All right, and then so, going back to: how do we make people more efficient?

A: How do we help them to deliver better products faster? Verify is a huge part of this, because if I'm getting real-time feedback on the software I'm writing, and then you're doing this: write this manuscript, and then someone else checks it, and then you have to fix it, and going back and forth... I'm going to have an advantage over you. You see what I mean, right.

A: They actually did a study a long time ago, and then they found out, like, how much business value are people actually getting out of things like Agile development, and then the answer was a lot of people were disappointed by it, and the reason why is because they started out trying to do it, but a lot of people don't know how to do it right. You know what I mean. So the value, just a sort of recap: our automation.

A: It helps people get these best practices right, so CI/CD, running automation, having Verify quality checks. Okay, other things is, our automation helps people save time, money, reduce human error, and so just as an example of this: this automation, it takes 70 minutes, 6 seconds to run, okay. So now, as an engineer, that's 70 minutes that I can be doing something else. You know what I mean, exactly. Okay, cool, all right, so now switching gears a little bit, talking a little bit about some of these things. It's a little bit more technical.
A: So it's going to be a little bit more academic, but we'll just go from one topic to the next, okay. So number one, people are going to talk about software tests in your conversations a lot. I want to talk about what this is. So when we look at this pipeline, there's 127,000 tests that are run. So what actually is a software test, right?

A: They're writing a software test for every single... Like, you know, if I hover my mouse over here, does this appear? If I hover it back over here, does it go away? That's another software test. So what they'll do is they'll break your application down into small pieces and then write out software tests, which is actually code, for every part of your application. So literally, there's two tests around this button, there's two tests around this button, there's two tests around this button; like, every single one has its own tests, right.

A: A long time ago, I wrote a piece of... I wrote an application, which is chess. So over here, this is a chess board. That's why it's an eight by eight grid, right, and...

A: So it's a... I wrote the game of chess using code, okay, and so I just want to share with you some of the tests that we wrote. So if you think about a game, there's certain things that each piece should be able to do, like one piece moves up one space, the other one only moves sideways. One piece only moves up and down and to the left and the right, right.

A: So each of these is like one component of my application. I'm writing all of these tests. So this is verifying that a player... the game, it should only allow a piece to move in a legal direction. If it's moving in an illegal direction, the game should be smart enough to say, "Hey, you can't do this," right. So I had to write all of this code to verify that the pieces are still working as they should. So this is testing that legal moves work. I also need to test that illegal moves are rejected.
A: All of this, which is just like testing my chess application. So this is like several hundred software tests just for something simple like chess, okay. Okay, so many different types of software tests. I'm not going to go into all of them, but when people say integration tests, user interface tests, unit tests... What you just need to know is that there's many different types, okay, and then they're just talking about the different types. Moving on to what code quality is.

A: Code quality is something that comes up in your conversations from time to time too. So what I want... what code quality really is, is: imagine if everyone wrote their code differently. So just like how, in any language, you have to have a common set of rules for, you know, what makes good and bad, let's just say, English; when you're writing code, you also need to have a common set of rules as to... I'll just show you an example, but it's like, how do you indent your code?

A: So if you have too many blank lines, your code will still run. It's just that if everyone's writing their code differently, then the next person who's reading your code, it could look kind of weird for them. And then so, to have a common framework where everyone's writing their code similarly, it helps people to read and edit other people's code. Okay, yeah, has that come up in any of your conversations, out of curiosity?

A: So far, okay. So the value that we have over here is code quality is built in. Every time you're writing new code, we'll scan it for quality, okay. So if you do something where it's like, you have too many spaces, you have too many blank lines, the code quality will tell you, okay. Okay, the next thing I want to talk about is review applications. Review applications come up more in the POC stage, but they may... If you have a trial, they may come up where people want to know about it.
A: So a lot of people think that developers code all day. The truth is that developers do code, but they're actually spending a lot of time doing other stuff. One of the things that they do is they actually edit and review other people's code. So when I was an engineer, probably around 15 to 20% of my time was spent reviewing other people's code. Okay, so imagine it's your job and you need to go see this. This person, Jesse Lee, wants to get this code in, right.

A: Imagine if you're at your job to figure out if you should get this in or not, right. If you're not familiar with this code, it might be a little bit hard to understand, because it's all of this, like, complicated stuff, right. So regularly, when you are trying to see if this code works or not, then you're just looking at the code change, right; that's kind of complicated. What a review application is, is it's a live running version of your website, so that you can actually visually see the change.

A: So, let's just say that this code change changed the color of the button from blue to red. As opposed to you looking at this code, trying to figure it out, you can just see the button, you can click on it, it works, you like it. Your reviews go faster. Okay, that's what a review app is. Cool, can I help clarify anything, or is everything clear?

A: Great, all right, cool. So now let's move on to our next value driver: security and compliance risk. This has to do with the Secure stage, so now moving on to this section. Okay, so talking a little bit about what Secure does, so just to review.
A: When I was an engineer, we would write code for nine months, and then a separate team would come in, the security team, and then they would try to simulate being a hacker, and then they would try to bang on the window, they'd try to rattle the door, they'd try to sneak in through the second floor, and they'd try to break into our application, right. At the end of this, they would try to test everything. They'd give you a list of 20 things that you need to fix.

B: Well, if it's something in the first floor, you have to break it down and start over again. No, because if there's an issue, and it affects also the other floors... I mean, if they have somebody already breaking in, well, then it affects also the upper floors. So you have to start over.

A: Right, oh, so do you think so... If I'm getting... so like, if they tell me, "Hey, your windows are broken," right, and I put these windows in four months ago, do you think that's fresh in my mind? So it's like, constantly, when I was an engineer: "Here's your list of things to fix." Well, I wrote this thing five months ago. Do you think that's fresh in my mind, or do you think I don't really remember what I wrote five months ago?
A: Right, so that's the value of real-time feedback. There's two main issues, and you identified both of them. Number one: if you're getting feedback at the end, you might have to break off large chunks of your application, right. So if there's a problem in the foundation of your app, you might have to rip off large chunks to fix it. So I'll give you an example.

A: Let's just say I wrote an application using a database. A database is like a foundational layer of your app, right. You wrote 10,000 lines of code using Postgres 2.11, but the security team comes back and says: 2.11 is not safe. You need to use 3.2 or higher, okay.

A: So the challenge there is, you might now need to update 10,000 lines of code, right, because you moved from one version to the next of the database layer, which is the foundation of your app, and, like you said, if I'm constantly being asked to fix stuff I wrote five months ago, I probably don't remember what I wrote five months ago. You see what I mean, okay. So let's talk a little bit about security.

A: Just like that story: what you really don't want to do is to spend nine months writing an app for Postgres 2.11 when it's not safe. You'd rather find out really quickly, and then so you continue moving in the right direction. Our security scanners, they're gonna pick up on that and give you that feedback, so you can keep them moving in the right direction. You see what I mean, yeah, okay. So a lot of people don't have this.
A: This is what we call DevSecOps. DevSecOps has automated security scanning, okay, and then so that's what we do. The other thing that we do is, because GitLab is a consolidated platform for multiple teams, you can have different teams collaborating together. So for many businesses: here's your developers, here's your operations people, here's your QA people, right, and that's, like, you know, they're operating in a silo from each other. In GitLab, because operations, security, DevOps, they're all on the same platform, then you can get feedback from people on different teams, right.

A: And ultimately, so that... this won't apply to you as much, because you're in an enterprise space. But when people start out in security, they usually get contractors; sometimes enterprise people get contractors, but it can help you to avoid having to hire a lot of, like, this extra security spend. You see what I mean.

A: Cool, all right, so I want to talk to you now a little bit more about what this stuff is. It's going to help you to be able to talk about it in a sales conversation, and when someone else mentions it, you can now respond more confidently. Okay, so we're just going to talk through, like, when someone buys GitLab, what do they get? I'm gonna start. We're just going to start going through these one at a time. Okay.
A: It... okay, because this is like something that people know about; they want it; it's special, okay. So what SAST and DAST is: it's the two main security scanners. I don't want to say main, but it's two very important security scanners. So what SAST is, is it looks at your code, and because of... just sort of like, it's just analyzing your code for patterns, and if it sees something that doesn't make sense, then it gives you, like, the squiggly line, saying, like, "Hey, this doesn't make sense." You know what I mean.

A: ...type of, different types of, like, injection techniques, right. So it's going to try to, like, give you feedback that way, but it requires... The difference between SAST and DAST is: SAST is looking at your code. DAST has a live running version of your app that it is trying to get into, okay, okay, all right. So the next thing is container scanning. So containers, what they are, is just like how, when you want a movie, you can get a DVD, you can get a VHS, but you can get a Blu-ray disc.

A: You can stream it; everyone's streaming it now, right, but it's like there's different formats for getting your movie. When you get an application, you can get it in different formats. One is called a virtual machine. The second one is called a container. It's just a different format for running your application. Okay, so a container is like one way of getting apps.
A: What a lot of people are doing is they just download them off the internet. So if you've ever, like, downloaded music or, like, movies off the internet: what engineers do is they go to this website called Docker Hub, and then they download containers that are for apps. So let's just say I want an nginx application, or an Ubuntu, or a Python, or a Redis-like environment, right; I can just go on this community website called Docker Hub and download it, and then, as you can see, this has been downloaded over 1 billion times.

A: All of these have been downloaded over one billion times, so a lot of people are doing this. Okay, the problem with this is that if I filter, there's over ten thousand of these things you can download, right. But now, let's just go look at how many of these have a verified publisher.

A: So here's another example. So it's like, some of these container images, they had, like, you know, in the background... it was just, like, mining Bitcoin for the people, and then a billion people go download it. You actually got a lot of Bitcoin now, you know what I mean. So, long story short: how do you know that these containers that you downloaded, that they're safe? Well, you need to have some sort of scanner for that.

A: Okay, great, so moving on to the next container. What kind of car do you drive?
B: Well, so far we had it once, but the car, I must say, we just bought it new last year, okay, but we always have issues with getting wrong information, actually, yeah.

A: So maybe cars are better where you are than where we're at. We get... it's called a safety recall in English, but it's like, the manufacturer discovers that there's a problem, a defective part, and then so they want to fix it, and then so you can bring your car in to the dealership. They fix it for free, right.

A: So just like how a car has many different components, your application also has many different components: so it has an API, it has a database, it has a user interface. There are all these different components, right, and just like how, with your car, every once in a while they discover, "Hey, there's a problem with your airbag. You need to go get this airbag fixed," right, then every once in a while your application, it's like, "Oh wait, your database, we found out that there's a vulnerability in it."

A: What... so literally, one of the things that's very important for us to understand is...

A: Is that it... so you need to have some way of knowing, "Hey, this part of your car needs to get updated," right.

A: So that's what dependency scanning is. What dependency scanning is: number one, we're going to list off all the parts of your application; number two, if any of the parts of your application, you know, are out of date, we're gonna let your teams know. You see what I mean.
A: Cool, okay, so number three are... I actually, I think this is like number five, is this thing called fuzz testing. Fuzz testing is something that, when I've mentioned it in sales conversations, it's almost like people are like, "Wow, I didn't realize you had this," because this is something that's a little bit special. It's like, other people have SAST. Some companies have DAST. Not very many companies have fuzz testing, okay. But what fuzz testing is, is that what they realized is that many of your applications...

A: When you go and then you put another language in, or let's just say that, like, this is expecting phone, email or username: what if I put in numbers? What if I put in Japanese? What if I put in, like, you know, something, like, weird, right? That literally, because the form was expecting phone, email or username, a lot of times the application just breaks, right; it just, like, shuts down.

A: So just a recap: fuzz testing, what it does is it just sort of, like... it will go to the different parts of your application, and then it's going to insert a bunch of junk. So it's gonna, like...

A: So it's going to do it automatically. When I was an engineer, around 30% of all of the quality issues with our application had to do with someone didn't discover this, so now we have to go in and fix it, because we're a bunch of English engineers. We designed our application to run for English. We actually have an international user base. We constantly made this mistake. You know what I mean.
A: Fuzz testing: that's what it is. It's an automated check to make sure that it works for different types of inputs for your application, okay. Okay, cool. So let's just talk about how to talk about Premium versus Free versus Ultimate. This is very important. So what do you get in Free? You get SAST. SAST is very good and very important, so it's important for everyone to know that they get SAST in the free tier. The thing that I want to talk about: GitLab, so GitLab pricing, GitLab pricing.

A: So one of the things about our pricing is, over here you can see it's a big jump from Premium to Ultimate, right, and so why is that, right?

A: If you look at GitHub's pricing, it's a similar thing: their enterprise tier is like six times what their Team, their basic tier, is, right. Well, actually, this is a bad example, take that back. So part of the reason why our Ultimate tier is so expensive is, just take a look: their security is an add-on fee.

A: Paying for $19 per user per month, but if you want the security scanning, you have to pay $49 per user per month too, on top of the $19 per user per month. You see what I mean, yeah, so security is just very expensive. That's the reason why our pricing jumps like this, and you can see it in our competitors' pricing too. Okay, so Ultimate! This is where the vast majority of the enterprise security features are. We give SAST so that people can get started.
A: But if you really want to do this, and you want DevSecOps, and you want to do this well, you need Ultimate, period. Okay. So what I mean by that is: you want all the scanners. You want to be able to configure the scanners. You want dashboards, and you want reporting for your executives. If you want that stuff, you need Ultimate, okay. So the benefit is... why do you want it? Number one, DevSecOps! You want full DevSecOps, which will allow you to write better software faster.

A: That is more secure, right, okay, cool. Okay, so just sort of moving to the end of the presentation, just talking about messaging, sometimes where this doesn't work as well, so I want to talk about some of these terms. DevSecOps: DevSecOps is security scanning within development. So a lot of people have automated tests. Not everyone has automated security tests. When I was an engineer, we did not have automated security tests, which is why we tested everything at the end, right.

A: So here's some of the things I've noticed about it. It's getting more accepted as a term, but not everyone has accepted it. So some people actually don't like the term DevSecOps. They think it's a buzzword. The approach that I take in 2023 is I mention it to executives. For more technical people, if I'm ever talking to, like, a chief engineer, or, like, someone who's more into implementation level, more technical, like a level one manager, I won't use the term DevSecOps a lot of the time.
A: Just to give you an example: it's not uncommon that you sequence a bunch of people, and then someone says "DevSecOps is a buzzword." That is... it's happened to a lot of the BDRs on the mayor side, okay. One more thing about security scanning: we actually did a data analysis of our different go-to-market topics, and then we found out the meeting conversion rate.

A: If you lead your emails talking about our CI/CD versus our DevOps versus our DevSecOps, what we found is that the highest converting sales messaging in 2023 is our DevSecOps security scanning. So that's also important to know: this is a really big deal for a lot of people right now, okay. Okay, so just to give you an example: DevOps, widely accepted term, 43 million search results; DevSecOps, it's around 25 percent of that, right.

A: So it's not as accepted, so just know that going in, okay. All right, so the next thing I want to talk about is shifting left. I don't use this term. This term has not been as accepted in our industry, but our marketing, a lot of times, it does use it, so I... My personal... when I sell, I will not use the term shifting left.

A: ...Left is, as opposed to testing for security here, with DevSecOps you're testing it as you develop it. So we have shifted left, you see what I mean, yeah. The reality of the situation is that I don't think that this term really, like, has a lot of traction, so I would avoid using this term, personally.
B: I mean, you always have to also explain, or you have to ask if they know what it means, at least, because what I realized, yeah: if it's a technical person, they know it better, but still, also, you have technical persons who do not know, yeah, the idea behind it, but they feel a little bit embarrassed to ask. You know what I mean, so they're not... they're not, and say, "Yeah, I know what it means," but they don't, whatever.

B: It is, but yeah, compared with AI.

A: Cool, okay, one more slide, and then we'll just review real quick. This is gonna... I get asked this question, like, 50% of the time in my intro calls, which is basically, I will try to share my screen. A lot of people are visual people; there's two screens that I almost always share.
A: One is, I share this screen, so you say, "Hey, we're a single application," everyone's like, "Cool," but if I show them this screen, people are like, "Wow, I didn't realize that you have XXX; I want to hear about this more," right. So I usually share this screen. The other screen that I share a lot of the time is I share our automation screen, because people are impressed by, like, how many things we've automated and what this looks like, so I share this screen a lot too.

A: The first question that I get after I share this is: "I don't want this stage, this stage; how do I customize it?" Okay, so the way to customize this is...

A: So this file just controls the automation. You want your own stuff, you want different stuff, cool, you just edit this file, right. All right, so number one, .gitlab-ci.yml: that's the file that controls what happens. Most people understand that. For a trial, one of the things that I will mention to people is...

A: The last thing I want to talk about is a GitLab Runner. It's going to come up in some of your conversations, not a lot, but I just want you to be prepared for it. So what a GitLab Runner is, is: here's the computer that runs GitLab.

A: So, as you know, one of the main things that GitLab does is running all this automation, and if you can see, like, just the amount of automation that our site is running right now: all of this automation is running, like, a lot of automation is running, right. Just think about how, like, intense this is, right. So, if the same computer that's running all these automated jobs is also running the website...

A: Awesome, so just this presentation in, like, one line, just to summarize: the way that we're special is really the fact that we're a single application with CI and security built in. Our product data shows that once people get started and start seeing CI and our security, that's when people up-tier from Free to Premium, and that's also when people go from Premium to Ultimate, okay, so very, very, very important. You also have a pipeline contribution part of your quota.