From YouTube: Secure:Threat Insights Group Discussion 2020-10-13
Description
Last few minutes of discussion was removed since we discussed orange matters (https://about.gitlab.com/handbook/engineering/security/data-classification-standard.html#orange)
A
Welcome to the weekly group discussion for Threat Insights. I am Thiago, I'll be your host for today, and we'll start with highlighting the accomplishments, as we always do. Unfortunately we didn't fill out the list, but we did accomplish plenty of stuff.
B
I think he's actually out this afternoon, so this is something Andy and I talked about late last week. The long and the short of it is: we have been conducting another round of user interviews. We've been doing a lot of discussions with security, AppSec professionals outside of GitLab, and one of the things that I'll call partly a little bit of a concern on my part, and more of a kind of a realization.
C
We'd like to look at moving what Andy broke out as steps two through four, which is basically the security tab on the MR redesign, to a later milestone. So just focusing on step one, which is improving the actual little widget piece itself, so not work that we're going to throw away by any stretch. But I think we want to make sure that that's still necessary and that the timing is correct on that one.
C
So one of the things that we're actually doing at the end of this month or early November is we're doing sort of a light-touch pass of the validation for the jobs to be done, which is required. The UX team does a formal evaluation to move a maturity up, so we're getting kind of a litmus test from the AppSec team and then some engineering teams internally to see.
A
Andy was going to do la on the last call. We talked about doing the proper process for development, which included creating some design. There's an issue there now; I invite everyone to check it out.
A
I'm not gonna go through it in detail. We can do that asynchronously, I think, unless anybody wants to... no, Alexander has a question.
D
Yeah, last time there was talk that the other Secure front-end team kind of needed this a lot more than we did, and so they were gonna potentially bring on their resource to look at James's work as well. Has there been any progress on that?
B
That's a great question, and I think they've been focused on other things right now and I've not gotten an update from Neil. You know, he was sort of asking what are some areas where they could contribute in ways that would remove blockers for Secure, and this was one that came up, so to be determined. Let me follow up with you on that, or with everyone on that.
D
This work with other work because of that, and so Andy made the design. Is that design in a place where... you know, I started looking at James's work and I don't know what I'm comparing it against. I don't know what the requirements are, and so it feels like a code review, but I don't feel comfortable giving sort of a high-level architecture look if I don't know what we want, and so I was just wondering if the design issue was far enough along to.
A
Sort of. It's not, and you're completely right that that epic came from a proof of concept from the research team doing what they are here to do. I suppose it's gonna happen again, so it's good that we're going through this. We'll figure out a sort of blueprint to handle these in the future.
A
No, the design issue, I've just labeled this workflow design. To be honest, I don't know if I should be doing that, but I did it, Andy. If I shouldn't, I apologize. There isn't a lot there right now, so right, there's just the problem statement, and designs are not in there. So, let's see, right, it sounds like we're not going to be able to start anything on the generic security report in 13.6, okay.
C
I thought it was a numbered list, but no, that's not what it is, and if you look at the example from James it's kind of a complex type. It's almost like a table, but there are labels and formatting, so anyway, he needs to actually clarify what the intent of that data structure is before you can move forward, but it should actually be pretty quick. This is mostly just pulling existing styles. So then, Alexander, I think the work is mostly around what James has constructed.
A
I did not mean design work, so design work might actually be finished before, Matt, from what he's saying, and there could be some back-end work there, Lindsay, but mammoth and Alan are off this week and there was a bit of a planning for power on my part, because if there are no issues refined there, we shouldn't get to it. So if we're happy to get to them through 13.6, that's okay by me.
A
Otherwise, there's plenty of work in the backlog. I've started having a look yesterday, but we digress. The second point, Alexander: did you cover that?
D
Okay, so it sounds like I will familiarize myself with the code, but nothing too hard about it.
A
Yet, moving on to three, some demos from the sorting that Allen did before he went on leave: the demo for the special references for vulnerabilities. I did add a note that we caused a small bug in there, which Alan fixed before he left; it hasn't been merged yet, I think. I haven't checked it today, but yesterday it hadn't been. So if you try to put an emoji like colon plus one, which is the thumbs up, it'll render as a vulnerability reference instead of an emoji.
A
So there's that one, and then in parallel, as part of the review of fixing all the back-end engineers have mentioned what we already knew, which is that we're running out of special references and there's a bit of a movement to create scalable special references, so a pattern that scales out, a pattern that we won't run out of. We did briefly investigate that. For this, Matt, we asked the questions there, but we decided to go with plus, because it was there and, you know, made.
C
A bit of a land grab. We kind of, yeah, we kind of wanted it, although, Thiago, not to, I don't want to derail too much. The ip actually found another variant of a bug with the plus. He pointed out, if you're trying to indicate like an increase in the number, like that added plus 48, it's also turning those into vulnerability references. In fact, his example was plus 48 point something, well.
C
Do we need to keep pushing forward with this? I'm worried that that pattern matching is going to be impossible because we won't be able to distinguish between an integer and a low-ID vulnerability if we start at, you know, one; but if we start the vulns at a, you know, five-digit number, maybe less so, we could actually validate. But I guess the question is: should we throw the brakes on it now and look at a different pattern that's less likely to collide and be unfixable once it's in the wild?
A
Well, it's in the wild now, right! Oh, oh, you mean for 13.5? Yeah, yeah, because it's live now in dot-com. I don't know, we could be playing whack-a-mole on it for a while.
A
I don't know the answer, so if you want to take a chance on it as product, it's your call, Matt. But if you want to pull the brakes, we could wrap that in a feature toggle; maybe that's something we can do quickly before 13.5 is out.
C
Yeah, maybe we should have a specific follow-up on this and involve a little bit more cross-stage input as well, because I am worried there's going to be use cases that we're not thinking of that are going to materially impact workflows for people that maybe aren't even using vulnerability management, which is going to confuse the hell out of them if it's hyperlinking things to vulnerabilities and they're like, but what is this? I don't even use scanning. So yeah, I'm concerned enough at this point, I'll.
A
Up next, issues for planning breakdown. I added a lot of these yesterday. I don't think there were any there, so maybe not everybody has had time to review them.
B
You know, we've asked people to go and do the planning breakdown for the epics that are associated with this larger MVC, and as this issue was created, it was identified after the fact. I think Andy said: hey, we've already covered these error use cases and the design steps for this larger design issue, just because it made sense and we didn't want to lose it, we just kind of shoved it under that epic.
B
So we can keep this one open. Daniel, you're on the call, and you helped kind of create the one implementation issue that was under step one for this larger epic. Did you notice that this particular error case issue was there when you did that?
B
So I don't know if it was totally clear, even when you were looking at that epic, that hey, some of these requirements are already represented by this one issue that's there. So we do keep this issue. Maybe we want to make it a little more broad and say, hey, this issue represents a number of these error cases, or maybe we blow it out altogether and say: let the engineers break this down just from the initial requirements.
B
Yeah, but I'm looking, I know, you know, Mo's here, we got no one else on the back-end team here, so maybe this is something we can handle asynchronously, Thiago. I know you guys, you know, there's folks out on the back-end team this week. If there's somebody that has some time, given that we're trying to get this ready for 13.6, to take a look at the issue that Daniel created and see, you know, one or more back-end issues that might need to be spun off of that.
C
Just a clarification, Thiago, to your comment when you're talking about scoping to the target versus source branch or other use cases: are you talking about other use cases on the time diff or just error cases in general? Yeah? Okay, I would say discretion of the team. I think it makes sense to cut it wherever, as small as possible. I find having just one error case since we're adding the new.
B
To talk about it, search down, it was on the agenda before, but it came to us as an early glimpse of a design issue from Andy. So I do think that this has been something that's been brought up on this agenda before, and there's been some other questions, not just from myself. I think Daniel had some part in the conversation on this one as well. So I think the questions that I was asking around.
B
Well, what happens if you try and update the status of an issue to its existing status, right? If something's already dismissed and you, as part of the bulk options, you select, try and dismiss it again. Are we keeping that as a record? Are we ignoring it? I think Andy says we want to keep that as a record. I'm trying to remember what some of the other questions are, but I can go out there after, yeah. Let's go see.
C
It's the other state changes. It does two, well, say three major things: it builds on the state change today for the bulk action. It adds in the ability to actually comment inline when you're doing that from the main vulnerability list, and then it also brings that consistency to the vulnerability details page. So right now, there's an inconsistency between the state changes, so same thing, same options, both places, and we will persist all of that information, including the reason, so the.
C
It's going to bring it in line with that, because right now you can pick reasons from the individual details page, okay, yeah. So that's, so again, in talking with Andy, this isn't 100% done, but the design is very, very close.
D
Right, but, oh no, on the reports page, the vulnerability reports, when you dismiss something you can choose between three reasons that you're dismissing it, and now you're doing free form.
E
Do we have another issue to add that free form or the, I guess, the comments into the vulnerability details page? Wow, that's it.
C
I think it's the dismissal types/reasons one, because if not, then that is the intent of it: to bring us to normalize the reasons and the status changes between both of those pages and also persist them. So I think that was, Alexander, you observed that it doesn't seem to show the dismissal reasons, and that's because I don't think we're actually persisting those.
D
I think I saw actually savage working on a split button thing. I can verify whether that does anything for the dismissal reason.
B
Well, James, James Johnson created a POC, because he's so good at that, that you can see linked to from this bulk dismissal. That was adding that dismissal reason to the details page, and I think Andy was still kind of in the solution-validation piece of it. So we do have that code there available to, however we decide to integrate it. So it was exactly that; that might have been what you're thinking of.