From YouTube: Secure & Defend Group Conversation Preview: 2020-09-17
Description
Thank you for watching this preview of the upcoming Secure & Defend Section Public Livestream on 2020-09-17!
A
Before we get going too far into the group conversation, I wanted to take a moment to acknowledge what is happening within the United States right now. The Secure & Defend team's hearts go out to everyone who's impacted by the wildfires. Here are screenshots from space of what that looks like and what's happening inside the country. Learn more about how you can help out people who are impacted by going to the Red Cross website or any non-profit disaster relief organization of your choice.
A
We also have a very packed couple of releases coming up. This includes the continued redesign of the security dashboards and the vulnerability report, rolling out API fuzzing MVC, as well as getting the things such as improving the MR experience, UI configurations, additional language support. Lots of very exciting things coming out.
A
Using this new category I mentioned a couple minutes ago, the improvements to the project level dashboard: here's a screenshot of it. There's lots of great information on it. Today it includes everything down to the line number, any public references to the vulnerability, which scanner it is, and currently the state of it. And that includes, as you can see there, we now see it's remediating; we're asking for the user to validate that it is remediated.
A
We've talked a lot about our themes over the last several calls. We've changed those to really being strategic objectives, and they're supported by themes. The first one we've already completed, which is our offline environment support. Our application security testing leadership goal, we're behind on by a couple of months.
A
This does not mean that we're not delivering value, as you're saying. It just means that it's taking us a little bit longer than we expected, because we have very lofty goals, as we do across all of the product teams here at GitLab. And finally, Secure dogfooding: that is now rolled out.
A
As we talked about last time, within the security team, and then Todd and Wayne's teams are now dogfooding Todd's section's components within their development life cycle. We'll both touch on that a little bit as we get to the sub-department updates, this as a touch base. Here, here's all the information of what we're including in that application security testing leadership.
A
One thing that kind of goes unnoticed, but is worth calling out: the engineering team is doing a very good job burning down their backlog of customer-related defects. Here you can see the monthly report for the SCA team and how they've had zero P1/S1 bugs for the majority of this year, with the exception of one month. We recently did our Secure stage strategy review. You can check that out on YouTube at the link that's provided below. And to kind of wrap up the Secure side.
A
Today, that's fast, and you can see there on the screenshot what DAST looks like when you're running an on-demand scan. And the team is beginning to bring in things like container scanning, so you can scan containers you're putting in your registry that you're not necessarily building with GitLab. To switch over to Defend: Defend's focus is protecting cloud native applications, services and infrastructure. And this is a very new category, or a very new stage, for us, but there are exciting things going on. The two strategic objectives set for this year.
A
One is focusing on usability and convention over configuration, and we actually shipped our first policy manager, and thirteen four has some really great exciting updates to that. The next one is visibility first, protection second. We are working on integrating in alerts and other types of management components, so we're a little bit behind on where we would like to be.
A
However, it is worth noting that you can actually take those logs and export them out to an external SIEM and be able to get that visibility you're looking for. And that kind of ties into recent things that have come out and things that we have planned. Just mentioned, the policy management UI shipped a couple of releases ago. Clear host security reached minimal maturity, which is also very exciting. And then what we have coming up is the ability to begin to edit, create, delete policies that you want applied to your Kubernetes environment.
A
Again, we had a talk at Commit, a very great presentation from two of our own, Wayne, Philippe, who's our distinguished engineer, and one of our customers, Nico. They basically went and attacked the Kubernetes environment and showed how Defend provides value, and then Nico followed up with a blog on it. If you haven't seen it, it's an amazing video to watch. And Wayne, is there anything you want to add about the presentation in general?
B
No, it's great stuff. The other thing is that Thiago, also on the team, did a blog post on related topics, mapping the Defend and actually some of the Secure features to the MITRE ATT&CK matrix, which is pretty interesting.
C
All right, thanks, David. For the engineering OKRs for this quarter, we are on target for the first one, which is increasing throughput by 10 percent on the rolling average. For the say/do ratio, we are at 83 percent for 13-3, actually a little bit higher than what we were targeting, and it's just coming down to having to work with the teams to help them go for more stretch goals, basically. Next slide, please, David.
C
There we go. Okay, and then the third OKR is around dogfooding Secure.
C
We've already had a bunch of great discoveries in using the security dashboards and what have you. Of course, with dogfooding, there's always going to be some mistakes made and things we did wrong, which we were able to quickly readjust, but it also led to putting in more issues for safeguards and things of that nature. And I believe, for the Secure OKRs and metrics, that is it. Then going into what's going well: having some great cross-team collaboration; the WIP limits on issues is really helping the static analysis team get more velocity; and then of course the YAML-based feature flag is super handy. And that's, thank you, and moving to the next slide here.
C
Oh, there we go. For what can be improved: the downstream pipeline approach for QA doesn't scale well, and we've got a retro topic and issues on that. The deployment process, type, timeline and how to abort one is not clear. And then the fewer desk jobs running and we didn't notice it quickly. For actions, we're going to prioritize the QA expectations with the corresponding analyzers and then investigate our product metrics' ability to raise alerts and validate the data source and logic.
B
So, thanks, John. So for the Threat Management sub-department, in terms of OKRs, we're dogfooding the Secure scanners and security approvals and the dashboards, which my team is responsible for, the dashboards, on the Threat Management projects as well. We've got one of five projects completed and it's on track. Very similar feedback and insight is what Todd's team has found with what they've been doing.
B
We also have goals around using Pajamas components, and we're on track for those. In terms of expanding the capabilities of the team, we wanted to raise the team MR per team member, get that team member rate to greater than eight. We're pretty close on that at seven, seven and change. That's going in the right direction. We also want the people leaders making contributions to the product itself, so either the product or the documentation, not the handbook. That's important, but separate. And we're close to being on track with that.
B
We're also bringing more things to iteration office hours and encouraging more community contributions, so we're doing more office hours there, and we've seen a significant increase in community contributions to the Threat Management portion of the code base, which is great. In terms of what went well in the recent releases, we really learned quite well how to use Sentry properly to detect and fix errors, whether customers have noticed them or not, which we weren't fully versed on.
B
So we were able to use that, learn about that and use that to find problems and fix them before customers notice them, which is great. In terms of what didn't go well, we had a security issue that we were working on, reported through HackerOne, where we missed the SLO for it, which was not a big deal, because we were just a little bit late and we informed the security researcher of the time frame. We didn't make it public until it was.
B
The fix was available to customers, but we wanted to get better at meeting those SLOs. So it's not as straightforward a process or as easy to follow as we'd like, so now we know how to do it, and we're going to use this concept of a buddy system when we get the next one. And lastly, what can be improved upon is self-contained issue descriptions.
B
Is we have details in sub-issues that don't always take enough of the detail from the parent issue, so we want to copy a portion of that and make sure they're always referencing, so that developers always know what the details are on what they're planning to work on and the why they're working on. Right.
B
Thanks, Wayne and Todd. You know, I'll cover the last one here unless you want to do, Dave. Sorry. So we're doing an experiment where we have people on Secure and in Threat Management, working on Secure and Defend stages, and we wanted to be able to have people do internships where we swap people between teams, if they're interested in doing so, so they get to try out the other team. And I don't think we have any in flight just yet, but it's an interesting experiment.
A
Yeah, so we actually just had someone complete the internship related to product for Secure and Defend. That went very well. There's information available here on the slide. Included, connecting upstream dependencies that we have to build the Secure and Defend features are now being scanned by Secure and reporting in issues that they can fix prior to us taking up the package downstream, so very exciting.
A
International Talk Like a Pirate Day is coming up this Saturday, exactly, maybe. So we want you to take a moment to just have a little bit of fun with everything that's going on in the world today, have a little bit of a break. And, of course, there's lots of other pirate puns we could be using right now, but we're gonna save you that pain. But thank you very much for watching the video. We look forward to answering your questions on Thursday, and enjoy International Talk Like a Pirate Day.