From YouTube: Threat Management Team: Office Hours
Description
Open office hours for topics related to Threat Management groups - Secure:Threat Insights & Protect:Container Security
A: Welcome to our bi-weekly threat management office hours. This is an opportunity for anyone to come and ask us questions or start discussions with the threat management team, which includes the Threat Insights group, the Container Security group, and anything that's just about the sub-department that threat management is involved in. So Philippe, you have...

C: I feel like a special guest today. That's great, thank you Lindsay. So yeah, we're trying to deal with the CI configurations.

C: Lately we discovered that some of the secure jobs were not running in the way that we were expecting them to run, so we're trying to correct the course here, and one of the first steps that we're going to do is try to own these jobs. And that's probably going to cross another issue that you're working on; I'm thinking of the one where we can see the failures directly in the dashboard, like if some of the secure jobs were failing. And I probably asked some questions in that issue, but...

C: Exactly, because right now the process on our side is very manual. It's a bit tedious: we're going through the dashboards one by one, and we have a rotation among the engineers, one engineer every week, and every day we go to every dashboard checking that everything is fine. So I'm pretty sure if we don't raise job failures and everything in there, that could be unnoticed for a while, and we definitely don't want to have jobs failing going under the radar, especially with the number of projects that we are monitoring.

C: So we're going to create a roadmap around this topic: managing the CI configuration, making sure that everything is working the way we are expecting it to work. So that's one of the steps as well, and one of the other steps, just to share that with you, would be to write some requirements on our side to say, okay, if you want to enable SAST on the project at GitLab, that means you need to include the template, the official template.

C: If you touch anything like the after script or the before script, we need to be looped in, you know, all that kind of things. And the problem is, if we use the code owners features, even if we put all the secure jobs in a specific file, you could always define a new variable at the pipeline level or directly in the CI configuration; you can update rules somewhere else in some other files. That would also impact these jobs.

C: So we want to have this global overview that we will programmatically check and enforce, so that if you change a rule in the CI configuration and that breaks what we want to see in the secure jobs, that's going to break the pipeline directly. We're going to tell you you're doing something wrong there.

C: Even if you are not doing that on purpose, you can just update a global rule in the CI configuration, and that would mean no job is working anymore. And I'm sharing that with you because this week, last week, we've seen some configurations where the jobs were there in the CI configuration.

C: So everything was checked on our side, with a very nice green check, and actually nothing was running, and we didn't see that until last week, when we were deeply involved in the CI configuration trying to understand why this new job that we were configuring was not reporting anything. That's because actually no job was reporting anything, and that was an issue. So we can't... we...

D: So that way, you can be confident that if you've configured it in the policy UI, that's going to overrule anything that someone else may have introduced in a before or after script. So again, we're still figuring out a lot of details there; that's just the latest and greatest thinking, but the good news is that we're working on it.

D: The bad news is that it's going to be a long time before we actually have a solution for you, just because, you know, right now we're ramping up the team, we're working to get fully staffed. We've got a lot of underlying design that we need to work out. You know, it's not something that's going to come out in the next two or three milestones for you, but longer term we hope to address that.

C: I would say yes, but that's very, very high level. So it's not to say it's going to solve our problem in any way; we're already planning to solve that problem with the issue that I've shared. That's not a lot of work; the only thing that is missing for us is the ability to define dynamic approvals. Let me share that issue with you. So that's the kind of flexibility that is missing for us.

D: So you, the security team, would no longer have to gate those, because there are going to be a lot of .gitlab-ci.yml file changes that you don't care about at all, that have nothing to do with security. So we would be making it so that instead, you just gate the changes that happen to the database through the policy UI, and you don't have to worry about the .gitlab-ci.yml file anymore.

D: So our proposed solution would remove the need to use code owners in this case, if you're trying to make sure that a secure job stays on.

C: Perfect, so that's definitely something that will be interesting for us, that answers this problem that we have currently. But again, we will probably find something, but it's not going to be a product. It's going to be something that we will develop; you know, it's just a few jobs here and there to validate the configurations. But right now it's a blind spot and I'm a bit worried that we are missing some data. That's not great, especially, again, with the number of projects that we have to monitor.

C: It's really hard to figure out if everything is going fine or not. I'm not even sure the AppSec engineers are checking this new section that we have in the dashboard to see what's the latest pipeline that was used to generate that. I'm not even sure that they click on it to validate that it's fresh, that it's right.

D: Yeah, that makes sense. I would say, you know, continue with your plans to solve your own problem, because it's going to be a while before we have something ready for you. But eventually we'll want to have a solution that solves that problem for you, that you can dogfood and give us feedback on. But yeah, timing: if you're running into that today, I would say go ahead with your...

C: Yes, I haven't done anything with OPA so far, but it's definitely something on my roadmap, unless we come up with something that would be more generic, maybe Ruby, but I'm not even sure.

C: So do we need to give you some context here? I'm talking about how we should monitor and validate the CI configuration when it comes to the secure jobs that we're configuring. The problem that I've seen last week, especially working with Micro on configuring secret detection, is that some jobs are configured in the CI configuration files, but actually they don't run because there are some collisions between the rules or things like that, and we think everything is configured.

B: Yeah, I mentioned that to... forgot her name. Someone interviewed me for SAST, like the usability, the UX of how setting it up is easy and all that, and that was one of my points: yes, setting it up in the sense of just copy-pasting the template and calling it today is super easy, but making sure, like, integrating it in an existing project with complicated rules for MRs, for when does each job run, as someone who's kind of external to those projects, not very familiar with any specific CI files...

B: Sometimes they'll have, like, they plan to have SAST running before they create the container, but container scanning obviously has to be after, so you just introduce a whole new concept in their workflows. So just integrating existing workflows is very complicated and probably introduces those kinds of oversight.

C: Yeah, there's a good example in this documentation page. If in your project you are using the second version, so the merge request pipeline workflow, and you include that template, you can include your SAST template, your dependency scanning template, whatever; it's never going to run for any branch or merge request.

C: Silently, just nothing happens; the jobs are not even scheduled. So it's still running in master, so that's the good news, but that means everything is going to fall on us, the AppSec team, because everything is going to be in the dashboard and we're not getting anything at the merge request level. So if we introduce a new dependency and that dependency is vulnerable, we would not see that in the merge request.

B: Yeah, completely other topic, just something that popped into my mind, and I don't know if this is on plan one day. We recently had someone raise the fact, an issue about minimum TLS version not being enforced, blah blah blah. I know this is something that gosec catches, and I've seen that issue in our dashboards, and I was going... I would have liked, instead of going to the dashboard to see if the issue exists, I would have liked it in the file.

B: Is this something you had thought about? Just wondering. Like I said, we started in March to have test coverage being highlighted, like some lines are green, some are red, just to see how tests actually cover this line. Some sort of similar annotation saying this line has a security issue, that would be fun.

C: Almost three years old, that's one of the oldest issues that we have created. And I've been telling that to Andy thousands of times. We need to see the code; even in the dashboard, when we see something, that would be very useful for us, to see the portion of code that is affected and being able to switch from one vulnerability to another in the code directly, pretty much like what you would have in the diff tab of the merge request.

E: So Philippe, we actually were just talking about that pretty recently, having that idea of expanding the snippet, basically using the same thing we have in the MR, that snippet view, when there is a line number referenced on the vulnerability object. So that one is definitely on our radar. The other way around, I don't... Andy may have heard of this before; it's certainly new to me, but if there is not a good issue for that, that is definitely a cool feature.

D: You know, thinking, Philippe, if you have time it would be nice to go back to point number one and validate some of the prototypes that we have in place, but I don't want to rabbit-hole this meeting. I think, Lindsay, we should probably take your question on feedback first and foremost. If you have time, I would love to stay on and chat.

A: Sure, so my question was just this: this is our second office hours that we've had. Philippe, you came to the first one. Dominic, welcome, we're glad you joined us. If anyone on...

D: Effectively, no, I was thinking about it today and I'm wondering if we should put a link to this on some of our product direction pages, or maybe socialize it. I don't know where else to socialize it, but find some other ways to socialize. I think it'd be nice to have more members of the community coming in.

A: Even within the GitLab community, I see some other office hours getting shared in more broad channels, and I think I could take on some of the actions there, as far as maybe community contributors or other security audiences. You know, I'm hoping to put some footwork in, but need suggestions.

B: I mean, we tried to solve the same problem, because Philippe was the only person in our office hours, and now he's more on our side. So actually we just wrapped all security teams' office hours into one. We had big attendance issues, and even posting in "What's happening at GitLab" didn't do much; only have two or three people at most. So I wish I had answers to ways to improve it. I mean, the format is good, but we just need people to feel involved and have stuff to bring, but...

A: ...of day. It's this time of day every two weeks, so there's a question about cadence and whether we should do, you know, more EMEA-friendly hours versus APAC-friendlier, which might be kind of in the middle of both right now.

A: All right, so I'm going to take a couple of actions from that, and I'm going to try and share this more broadly, whether it be in social media or other channels, and then also change the schedule to try and alternate to at least have an EMEA-friendly and APAC-friendly call every month. So I'll let you guys reconvene your discussion, Sam and Philippe, about agenda item number one, but I'm gonna drop. I'll leave the... okay, hopefully I'll leave it recording too.