From YouTube: Threat Insights Weekly Group Discussion
Description
Weekly meeting for the Secure:Threat Insights group
A: There's a couple of items: there's a couple of follow-up items from previous discussion. I added both of them. There have been a lot of conversations, and Thiago's not here, and I know that Philippe has strong opinions about this as well. I wanted to make sure this was discussed around the group search.

A: I know this was around the project filter, but I think Thiago is tying, you know, this. Some of the other observations we've had around configuring the instance-level dashboard, and I think there might have been one other. I think they're all linked to from this issue now, so I don't actually have a lot to add to this conversation.

A: I just feel like I've seen a lot of discussion and comments, and in Slack, so I wanted to see if this was something that we should be tackling synchronously as a group to understand, you know, is this a bigger problem? Is this a GitLab-wide problem? Is it something with our implementation? Is this something that we should be putting some more priority on?

A: But they are different end impacts on the customer, and I know Alan took a look at this, and Alan, you had some feedback around them. The number of results that were attorney where you were returning, which is what made me start to question, you know, how much of this was shared and how much of this was our implementation.

D: We, whenever we use GraphQL and there's pagination used, we're always limiting to 100, but I believe we might, like other parts or other components of the GitLab are not yet using all, like, GraphQL APIs. So that's why, for example, when you do autocomplete first, like suggestions for users or for merge requests or issues, you're gonna, you're just calling the API that will give you the whole list of all items.

A: So it's kind of a growing pain of adopting this technology before other groups. Have you had a suggestion around modifying this to send the requests with the value from the input field? And I know that that raises a lot of questions around type-ahead and such, you know, at what point do we send that request? Is it with every keystroke, versus retrieving one list and then filtering down that list, making the call back out to the GraphQL endpoint as the customer inputs?

A: What they're searching for, there's definitely performance considerations there, but I know that that's why most big search engines work, right. I...

E: Mean, that's! That's how that, excuse me, that's how that security dashboard feature that I permitted, we're searching by similarity. It sends a search field along with it as the user types. So I mean we're already using that there; that is behind a feature flag at the moment, to make sure that we're not going to adversely impact the system. All right, Jonathan, where are we already?

E: Right, I've got it on in staging to check that out there, but we can turn it on per, you know, we can turn it on per user. I'm not sure about group, but it can't be at the project level, because it's like all the projects.

A: So that improves the results, the experience for that larger dashboard. We could take those same approaches with this as well.

E: I would think so. It has to do with the similarity sort, and looking at this, I don't know if it searches for the ones that are in security. I haven't looked at the back end of this thing, if it's actually going through GraphQL at the moment or if it's just a straight API call right now.

A: Well, we'll leave this bug open, and I know you guys have already added these comments, and this is really helpful. You know, we'll make sure that, does it make sense to keep this bug as what's tracking the longer-term fix of applying those same findings that we've, whether, depending on whether they work for the instance-level dashboard, applying those same approaches to this project filter through this ticket?

E: It might be worth to go ahead and use the same approach that we've got on the global security dashboard, because it, and just again put it behind the feature flag so that, you know, we're still, yeah, same feature flag, same similarity. Although this, Alan, did you say that this would be a new, the search field would be a new parameter, sending?

A: There, I don't want to stand this too long, because we only have a half hour, but thank you for your feedback, Jonathan and Alan.

A: We don't need to get into this and discuss it in this call. I just wanted to point everyone to the dismissal types reason issue that Andy is ready for some early design review on. So I don't, we're not, it's not in planning breakdown state yet, so this would be asking him questions around the designs in an early phase. So just a heads-up for everyone there, and Alexander, demo.

F: Yeah, definitely. Sorry, sorry, I apologize, that was not clear, but basically, so on the vulnerability list now, at the top, there is a widget there of the pi, the pipeline that was last run on the default branch, and that gives you the time that was last updated and a link to it. So you know how recently that your, these vulnerabilities have been found. Okay, got it, awesome, so.

F: Yeah, if it, if it hasn't been run in a month, then it'll say, you know, a month there, and you'll be like, a user may be like, "Oh, I wonder if things have changed." Awesome. There's also, and then, in addition, after the link, there's going to be a badge where it shows if there's been any failed jobs in your, the latest pipeline. That way, you know, hey, maybe the vulnerabilities we see here aren't all of them. Maybe there's a failed job that, if it were passing, would give us some critical ones or something like that.

F: And then Matt has shared the issue below.

F: I do not remember off the top of my head if it's the last successful or the last run that's been on the default branch. I would think it's the last one that's been on the default branch, even now, so, but again we'll have that badge up very shortly.

C: Here we have absolutely no control today whatsoever on whether the jobs are configured correctly, if they're running well or if anything goes wrong. We're just going through the dashboard manually. It's, it's a rotation process. We have one eptic engineer doing that.

C: Without assuming that everything is still working smoothly, I'm thinking, for example, the job seems okay, it doesn't report any problem, but we have a rule somewhere because someone changed the CI configuration, and for some reason the job is not running in certain conditions. So we would not see that very easily. We would see that from time to time, but not all the time.

F: Sense, so I apologize, I don't understand. Where does the API accessibility factor into this? Well, we will.

C: We're not doing that today. I'm 100% sure that in the rotation, where we barely have time to deal with the vulnerabilities that we have there to drive shots, and pretty sure no one is paying attention to the configuration itself. So that's, that's something that is on the radar right now, and there's one.

C: There is absolutely no way we will deal with that, so the discussions that we have about this is we're going to just remove somehow all these vulnerabilities, because they're just sitting there, it's not good, and once the fix that we're expecting from dust is going to be there, we're not even sure that it's going to fix the existing data, so we're completely fine starting fresh, but we don't know how to do that. Is there an API endpoint that we can use for that?

G: We do have a merge request from magma that basically says, hey, can we truncate this table? And the database reviewer said that, now we can truncate tables, we have to do background jobs which will delete records in batches, and I expect this to be the same case for vulnerabilities, so we will have to schedule a background job to delete this in batches.

B: Yeah, I don't know, this has come up a couple of times. In fact, it was a customer that did something similar, and they, rather than use a test project, used a live project, ran a bunch of scanners, and it, it found a ton of stuff, and then they said, "Oh, we want to start over," and yeah. That was actually the resolution, was they had to do database cleanup directly, and Philippe, your point was kind of my pushback.

F: And Philippe, what you're talking about is not the same as, like, clicking the check-all box in the list and just dismissing them all. That's different than what you're talking about, right?

C: That's the problem that we have right now. It's so much noise that we don't know what is true from what is false positive, so dating at least would bring us to a position where everything is clean again and we can start fresh with something that is manageable. And I'm sorry, I'm talking a lot of your time here. So we can, I have my answer. You can proceed with your next point, and say sorry for now. Okay.

A: This is educational, and I'm glad that you found your answer, Philippe, and if there's an issue around this database cleanup that any of us could help with, or this conversation needs to continue there, please feel free to share it, and, you know, this.

A: And the Slack channel. Thanks, thanks. We do have a few items for planning breakdown, and I think we'll probably be lucky if we make it to one, the first one. I don't actually think we need to discuss very much. So Alexander has broken down step one of the MR widget refactor from the front-end perspective. We just need someone to do it from the back end. So, Miho, I think I accidentally, I mentioned, I met last week while he was out, but it was intended for you.

F: I was just looking at the front-, I just refined them this morning, and it looks like we have, like, the messages are just sort of being updated a little bit. Maybe there's a few states with the, like, info/error states that we maybe need more information, but I think Miho could probably just wait until I'm like, "Oh, we don't have this information."

F: In dev, okay, because I refined it, and yeah, I only went so deep. I was like, I don't know, this looks like a three.

F: We're so sorry, fine, that's! I was supposed to refine it, right. We just sort of look at and go, "This seems like a three."

A: Okay, as long as, from a bandwidth perspective and priority perspective, we don't get to a place where we're not able to deliver on things because we've already committed the back-end team to other things. This makes me a little uncomfortable, I'll go ahead and say that, but we can continue that conversation in the epic. If you have a strong, it sounds like you have a strong level of confidence that there won't be very much, if any, back-end work, though, based on what you've seen.

F: Yeah, there's already several of the states there regarding, like, the pipeline's outdated, or there's one other state that's already there, and so it's adding just, like, two more, and I think it'll be fine. Okay.

A: We can slowly move through the refinement process, but we're not going to be seeing them in the upcoming couple of milestones, right, Matt?

F: Sorry, perfect, then we have, I'm sorry. Man, go ahead.

F: Okay, well then, we have plenty of time if, if I'm wrong.

A: Okay, well, then, again, you were just talking about step one. I'm saying steps two, three and four, as we've broken down this larger epic, already have been de-prioritized. We'll still want to take those epics and make sure that they're ready for when they do become the priority. Again, I just don't believe that's going to happen for the next, at least, two milestones, based on some of the items that we've got listed here.

A: Okay, well, we have five minutes. Andy has created the design issue for the generic report schema display on the vulnerability details page. I reached out to, I know Alexander asked last week during this meeting if there's been any updates on whether the front-end team from Secure could help to contribute to this effort, given that it's blocking things like their fuzz testing results today, and I talked to Neil about that yesterday. He sounded very positive about that; him and Fernando are going to start to get involved.

A: Unfortunately, he wasn't able to make it to this call, but I want to make sure that they're involved in the refinement and breakdown of that issue. That being said, what I'm still unclear of is whether there's back-end work required for this. I thought there was; Thiago has kind of led me to believe otherwise. We have a PoC that should answer this question.

A: The problem is that James's PoC is quite large, so it's a little hard to, as someone who doesn't have a lot of Ruby experience, go through and look at what pieces of that are about this display versus the other components of that PoC. So this, like I said, this is ready for planning breakdown. I don't want to do that today. We don't have time today on this call. We want to make sure that Neil and Fernando are here from a front-end perspective, but Miho and Jonathan.

A: If you guys could take a look at this, or have you had a chance to take a look at James's PoC specific to this area of being able to display the vulnerability details from this generic schema on, you know, so that new scanners can introduce, sorry, so scanners could start to use the schema and they'll be able to introduce new data points, and we can just eloquently display them out on the page.

A: So it's just an ask for the next time we talk. I'll put it here on the agenda. I will actually also put an @-mention in the comments of this issue as a reminder, but I think that's kind of a big, that'd be a big answer for our planning and moving forward with this.

A: It looks huge. The PoC is huge. He was tackling some, also, in addition to this generic report schema, fingerprinting and how we identify whether a vulnerability is new or not as part of that same change. So I don't know what percentage of it has to do with this generic report schema and what percentage of it has to do with that fingerprinting. It all looked big. So that's why I assumed there was a good amount of back-end work, even in this generic report schema display, maybe even database changes, but I'm not confident on that.

F: How, if you could guess a full report by the end of the day, explaining every line, that would just be great.

A: Is that all it takes? Pizza will be on its way. I had a coffee.

A: With James yesterday about this approach and how we're doing this, you know, we're creating design issues off this PoC and then we're gonna break it down like we do with our normal workflow, and I just wanted to feel it out, like, is James, are we hurting his feelings that we're not just taking his code and dropping it in and moving forward, and he very much expected this?

A: You know, his, his impression is that we'll use it as a reference and we'll pull out what code we want to, but then we will deconstruct it and implement it how we see fit, and he built this PoC as an illustrative.

A: For this templated component piece, I'm assuming there's back-end work. Can you confirm that? And then.

G: Okay, if this change, if this only changes the way we display things, then we might have to add a field or remove one, but I don't expect more work to come only from the perspective that we are changing the way how we're displaying things. We might have to shuffle the keys in the hash around, but I don't expect anything like this.

G: Particular view, I think, still uses the Rails helpers. Is there.

A: Okay, all right, so we'll at the very least need one back-end issue, and then, like I said, let's wait till Neil and Fernando and the folks from the front-end team are available for the discussion for the planning breakdown on the front end, and we are one minute over. So I'm sorry I took that time from you guys, because you're all supposed to be playing draw source now, so please feel free to join us on draw stories. I know there's been a lot of call, this calls this morning. If you don't make it.