From YouTube: Technical Bootcamp - Application Security
Hi everyone, my name is Kurt Tusak, and in today's Technical Bootcamp I'm going to be talking about application security.

Now, revisiting our diagram again, just to illustrate that application security is baked right into the change process, and just like the other workflows, the merge request houses everything we need to scan and respond to security issues. Before we get into the specifics, let's talk about some of the challenges facing organizations that want to integrate security into their DevOps practice.

At the organizational level, the trend is to move security to earlier in the development cycle and to adopt agile methodologies. In addition to what the organization wants to achieve, new technologies, like cloud-native, serverless architectures and multi-cloud deployments, expand the scope of your security teams. Now, at the same time, most security tools have not caught up with the organizations and technologies.

And if we look at the landscape of security coverage today, we'll see many different components, from simple tools bundled into your IDE to various static and dynamic code scanners that can be utilized at various parts of the development process. Now, ultimately, getting full coverage means piecing together several different tools, each with their own configuration, licensing and output. With GitLab, we use merge requests to execute all of these scans automatically, in one place, at the same time, and then we view the output right in the merge request.

We can even spin up an instance of the app with the code changes in a development environment and then use that to run dynamic scans and fuzz testing against.

Now, here's a pipeline that illustrates code scans, like dependency scanning, license management and static scanning, on the left, and then dynamic scans, which require a running application, on the right. Between the two is the deployment of a review app, which happens automatically as part of this pipeline, and because all of this is within a merge request, these scans are all happening on the code before it's merged in.

Now, after the scans are run, we can view the results directly in the merge request. We can click into each of these, and we're presented with several different ways of handling it. We can dismiss the vulnerability, we can create a new issue specifically to fix this at a later time, or we can go back to our code, make a fix, and that'll trigger another scan, and we can verify we've made the fix.

Now, there's several different types of scans bundled with GitLab. Results from your dependency scan are shown directly in the merge request, where you have the option to make the upgrade or accept the change. Container scanning performs static analysis on Docker images to spot possible vulnerabilities in the application environment. This analyzes your image content against publicly known vulnerability databases and uses the open source tool Clair, that's able to scan any type of Docker image. Again, once your image has been scanned, you're able to view the change or vulnerabilities directly within your merge request.

Now, dynamic application security testing is a little bit more advanced. The results of your DAST scans are included directly in your merge request.

License compliance scanning is included within your security scans. This searches your project dependencies for approved and blacklisted licenses, and these are custom license policies that can be defined for each individual project. You can show the license that's being used and whether or not that's in alignment with your policy, and, like all the other scans, the results are shown directly in your merge request.

Now, we can provide visibility into the security risk via the Security Dashboard. This allows you to quickly understand which projects are at the highest risk. This is designed for your directors of security or chief information security officers, and these metrics are aggregated at the group or instance level, and this will allow you to take direct action to either create new issues or comment on the status of updates.
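Added example, not part of the talk: a `.gitlab-ci.yml` that wires up the pipeline shape described above (static scans on the left, an automatic review app deployment in the middle, DAST against that running app on the right), all inside a merge request pipeline. It includes GitLab's own security templates by name; the deploy script `./deploy-review.sh`, the image tag, and the `review.example.com` domain are placeholders assumed for illustration, and exact template names vary across GitLab versions (the talk's "license management" corresponds to the older `License-Management` template).

```yaml
# Added example .gitlab-ci.yml (not from the talk or from GitLab's docs).
# Assumptions: merge request pipelines are enabled for the project, the app
# ships as a container image built here, and a hypothetical ./deploy-review.sh
# script in the repo can deploy/stop a review app for a branch (placeholder).
stages:
  - build      # build and push the image that container scanning will inspect
  - test       # static scans: SAST, dependency scanning, license scanning, container scanning
  - review     # deploy a review app for this merge request
  - dast       # dynamic scan against the running review app

# Each template defines its scan job and emits an artifacts:reports:* file
# (sast, dependency_scanning, container_scanning, license_scanning, dast)
# that the merge request widget and the Security Dashboard read.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Tell container scanning which image to pull; it is pushed in build_image below.
  CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

build_image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  rules:
    - if: $CI_MERGE_REQUEST_IID

# Review app: the running instance of the merge request's code that the
# dynamic scan is pointed at. The environment URL is a placeholder domain.
review_app:
  stage: review
  script:
    - ./deploy-review.sh "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_COMMIT_REF_SLUG"   # hypothetical script
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_COMMIT_REF_SLUG.review.example.com
    on_stop: stop_review_app
  rules:
    - if: $CI_MERGE_REQUEST_IID

stop_review_app:
  stage: review
  script:
    - ./deploy-review.sh --stop "$CI_COMMIT_REF_SLUG"   # hypothetical script
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    action: stop
  when: manual
  rules:
    - if: $CI_MERGE_REQUEST_IID

# Override the template's dast job so it runs after the review app is up and
# attacks that app rather than a fixed staging host.
dast:
  stage: dast
  variables:
    DAST_WEBSITE: https://$CI_COMMIT_REF_SLUG.review.example.com
  rules:
    - if: $CI_MERGE_REQUEST_IID
```

The security jobs the templates add are configured by GitLab to allow failure, so a finding does not fail the pipeline by itself; it surfaces in the merge request widget, where it can be dismissed, turned into an issue, or fixed with a follow-up commit that re-runs the scans, as described in the talk. If the scans should block merging, that is done with merge request approval rules on the scan results rather than by editing this file.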