From YouTube: Secure & Defend Section Group Conversation 2020-05-05
A
The first thing we want to highlight for you is to show that, when we're talking about the security stages within GitLab and what our customers can use, we're focused on Secure and Defend. When talking about Secure and Defend, they kind of fit across the entire security story. So Secure is a shift-left play which brings security testing as close to the developer as possible, and that's where you see things like SAST, secret detection, DAST and dependency scanning, with a lot of exciting things coming up, such as fuzz testing, which we expect to start rolling out in the next couple of months. When we talk about Defend, we're talking about security operational visibility, and that you can see there on the right. And today we do have web application firewall and container network security available. We will have vulnerability management moving to minimal in 13.0, and a lot of other really exciting things coming on.
A
So when we talk about Secure, we're focused on, again, that proactive side of the equation, and on here there's lots of information which you can go through on the slides yourself. However, the thing I do want to highlight for you is that the intent with Secure is to not make it an additional step in the existing workflow. It's actually woven directly in, using CI, and allows developers to work with security, as opposed to security needing to be an additional set they have to learn, so ultimately adapting your security to the developer.
A
Today, on the maturity side, you can see that a lot of our categories are viable, but we do have a lot of really big plans this year. So the first, you can see we're looking to bring out fuzz testing in Q3 or the end of Q2, and then by the end of the year we want to move SAST, DAST and dependency scanning to complete. I'd like to hand it over to Todd to talk a little bit about OKRs. Alright.
B
Thanks, David. For our first OKR, I had two key points. One was to increase the rolling average of our MR rates to greater than 200. For our April actual, we came up at 256. And the other, I guess, kind of key point to point out on this one is that we finally have what we're considering to be a comprehensive data set for our CVEs, so we're caught up on our backlog of CVEs back to 2016, and so just worth calling that out.
B
The second point was around say/do ratios, and we were targeting between 70 and 80%, and for 12.10 we made it to 73 percent. All right, next slide, please. And then for my second OKR for the Secure stage, it was really around hiring, and so we do have a vulnerability research manager that's going to be starting in May, and we're going to be building out the fuzz testing team in May as well.
A
Thank you, Todd. On the product side of the OKRs, there are two primary ones. The first is providing at least two validation cycles per PM, focusing on either the problem validation or the solution validation. We were able to complete two of those in the quarter, one on fuzz testing and one on the peak management's on the newer areas. We did problem validation on those, and the team as a whole is on track to be able to get to that cadence that we want across the company.
A
So if somebody uses the two different scanners during the month, say they ran SAST and SCC, only count as one user, and so that way we were able to remove all the duplication that was occurring previously, but at a sizable growth and small usage. So in March we're at 3500, the last time we did a group conversation. We got close to 5,000 in the month of April. A lot of this has to do with the hard work of the engineering team and the product team and the sales team evangelizing Secure more.
A
We had a lot of really good evaluations in April, and several of them are now in negotiation to become Gold or Ultimate users. You can also see this on our dashboard in Periscope, or now known as Sisense. You can see that SAST and DAST have actually crossed, I'm sorry, SAST and dependency scanning have crossed over a million scans run within a year period, which is a very cool percentage or number, and that SAST is not leveled off at about a hundred thousand active scans a month.
A
So those are some huge jumps for us in our user or users. Usage of our Stefaniuk scale, those look really nice. They go up to the top right. From a cool stuff, there's some really cool things that came out in 12.10. The things I would want to highlight is severity levels have been added to our dependency scanning for the Gemnasium engine, which means all dependency scanning can now give you the vulnerability severity as part of the reporting. We also extended to support REST API.
A
So now we offer both DAST as a standard area as well as API, which is a very hot area for security today. I won't, and I would be remiss to not point out the offline or limited connectivity support as well for Secure. That was a big accomplishment and multiple months of work. On the thing I would highlight that's kind of big, that's coming out here and soon versus remove, we're adding .NET support for SAST, as well as we're looking to bring two of our open-source scanners from Ultimate down to Core.
B
Thank you. And so in our retrospectives, we like to celebrate our victories as well as talk about things that we can improve upon. So the things that went well this time around was Composition Analysis worked as a team to research the application limits. They found it to be a very good experience, and they're gonna continue to work away at it to basically help the performance of these Secure features. And then what can be improved are, as the Secure stage grows, we are finding that we're also outgrowing our current format for conducting our retrospectives. So what we've decided to do is we're actually having a couple retrospectives now for each iteration to better accommodate the different time zones. So those are the primary ones that I'd like to call out on these slides, I think.
A
Thank you, Todd. On the last two things related to Secure: we added a new non-marketing marketing category, that was a, well, tongue twister there, to help do security benchmarking of our scanners. We're very excited about this because we're being able to get data now that's showing how effective our scanners are against different targets, and that's gonna help us hone in the quality of the scanners and ultimately help our customers have better findings.
A
And then the last thing is the offline environment support is available today. This is a snapshot of the release post. If you've not seen it, check out the release post and read all about it. Oh, and I guess I should say, and then finally, cuz I forgot this one was here as well, but our focus is becoming an application security testing leader this year. Our focus is on moving SAST, DAST and dependency scanning to complete and moving fuzzing to viable.
A
So if you are curious as to what that means, the slides list out the maturity epics, as well as the category direction pages where applicable, and you can read all about the goals that we're trying to accomplish to bring our scanners to complete and viable. And with that, let's switch over to Defend. Again, a lot of information here for you to go through. The main thing I want to leave you with is, for Defend, we're focusing on protecting cloud native application services and infrastructure, and the initial focus is on Kubernetes.

From a maturity standpoint, we now have two categories that are at minimal maturity, that being WAF and container network security. I mentioned that we're also gonna have vulnerability management become minimally valuable here shortly, and then last, we're working on long-term plans for container behavioral analytics, so adding intrusion prevention and malware scanning within that Kubernetes cluster. On the product OKRs, we did achieve one of our two category maturity goals. The one that slipped was vulnerability management, and we actually missed off day-date by just two days.
A
It tells you how close we were at achieving that, but network confidents gonna come out in the next release. We also were able to complete all four of our expected validation cycles, and again those are available for you to look at as you like. And then finally, and I can't stress this enough: if you watch one thing on the Unfiltered channel as a GitLab employee, I would highly recommend watching Sam White's walkthrough of a WAF competitor. Very detailed, and it really shows you where we need to go as a company.
C
Over to Wayne David, so David already mentioned the two features to go from plan to minimal. We basically have the same OKR in both development and product management. We were really close up, we got one and we were really close on the other. We also want to accelerate Defend productivity, with the Defend team is relatively new.
C
Everybody on the team, except for one person, has been less than six months, so we wanted to get more maintainers on the team, and we have a number now that are in the maintainer trainee process. And we also want to increase our monthly MR rate. We actually have more than doubled it, from 4.2 to 9.6.
C
In terms of what went well and what can be improved for the most recent retrospective, so our onboarding process went really well. It's actually, what is a lot, one of the reasons that has allowed us to increase our MR rate, as new engineers have been able to get up to speed and start committing very quickly. And we also completed a number of features that are a great positive impact. So what didn't go well is, you know?
C
So all sorts of good things going on, and we also published a blog on the top six security trends in GitLab-hosted projects, which was a pretty, and other companies that focus on security of code and containers and applications do things like this, and that we have this, and we're planning to update this every six months. A pretty good reception from the security community.
A
Here to cover this one, David? Sure. And then finally, we've begun to extend the threat monitoring component of our platform. You can see here at a high level, you can now see drop packets, a total amount of transactions available for both WAF, which is, as everyone is, where we're using ModSecurity for that, there are network policies is actually Cilium, and again you can see that traffic there. We're gonna kind of wrap the call here, as the rest of it just focused more on the staff, but before we disconnect, Wayne or Todd, or anything you want to finish up with? I think.