From YouTube: UX Showcase: Risk-based merge request widget
Hey everyone, it's Andy from the Secure and Defend side of things, and I want to talk to you all a little bit about a concept we've been kicking around called the risk-based merge request widget (not trademarked; what I said is a long name). But first I'm gonna tell you a short story.

So let's imagine you work for a company as a developer. Now, this company's highly regarded as the industry leader on multiple fronts, and you consider working for them an amazing opportunity. As a developer, you're constantly meeting goals and you rise above the rest. You're generally regarded as a rock star. Then one day it happens. You hear the news, first in an internal email, followed by multiple press outlets covering the story: your company has been hacked. Someone has obtained all of your user data. This isn't great.

So then you start wondering to yourself, like, how could this happen, right? You're doing this, like, Inception-style retro in your brain, and then it gets worse. You realize the last significant change to the site was your change. You rush to your machine, check out your MR, you're looking back at it, and you're like, well, I see some vulnerabilities, but I don't know if they were mine, or I don't know if they were someone else's, and if the organization really had a policy in place to, like, remediate those anyway. And I'm just, like, left confused as to, like, well, who's really to blame? And what is there really to do about this?

And so this is where I want to start talking a little bit about the concept of shifting left. You may have heard this before. Early, traditional security testing happens post-deployment in the application, where the security professional is gonna be testing what's live and what's there. It's pretty reactive. GitLab in general is in a very unique situation where we can be a little more proactive, and we already do this today by bringing in our testing through the build stage. So here we can also allow the developers to resolve new vulnerabilities, or vulnerabilities they've introduced, but really a lot of, like, meat on those bones, right?

So if we take a look at the job to be done, say: when committing changes to my project, I want to be made aware of adding risk through vulnerable code, so that my changes can be merged without increasing the risk of my project. So the problem we're facing is: how might we communicate to the user that the merge request is safe to merge, or unsafe and action is required?

So let's take a look at our solution. So today this is, like, the merge request widget that we have for Secure. We give you information, but if I was a developer and I saw 114 vulnerabilities, I'd be like, nope, that's a lot. And you're not really sure, like, what the organization is even asking you to do or what's required of you, right?

So what we want to propose is drastically simplifying this experience into something as simple as just, like, one defined area where we signal the user, like, hey, need to look at this, right? So we give you an icon, and by also saying, like, your security scans have completed. So a lot of organizations have processes and controls that say, like, the scans must happen, the jobs must pass. I think that doesn't mean, like, it didn't find a vulnerability; it means they didn't encounter an error. If the scans didn't pass, well, it's not giving us accurate results, so we can't really trust what we're seeing. We want those to happen. We want those to succeed.

But then also you see the security gate, right? It's failed. You already know, like, I need to stop here. I can't keep going down; like, this needs to be addressed. As well as the merge risk: if I merge this now, it's not gonna be good; bad things may happen. You're adding risk into your project. But furthermore, we can start answering why, right? So why did it fail, without diving in or doing some expand/collapse? Then you can start asking, well, what? So you can click, hover on, see. Well, in the last experience we saw, we saw 114 vulnerabilities, but here we see, oh, there's three critical, four high and three unknown. Okay, that's not as bad, and it kind of gives the user a little bit of, like, what am I gonna get into when I click View Results. And if they do that, they'll be taken to the Security tab, which is still available.

You'll see this number here, which correlates to the required actions that are necessary to get this security gate to pass, and this is where that idea of security analyst as proxy comes in, right. So imagine in this risk summary area a security analyst is saying, like, hey, by the way, a security gate failed. This is the risk right now, but we just need you to do 12 things. 12 is way better than 114, and really that's kind of how security kind of works. It's not a volume business. It's a criticality business. Like, if 114 vulnerabilities are all low and info, merge all day, because there's no keeping up; it's just too hard, right? And another interesting thing we can do is say: if a scan needs to be rerun, or a job, then we should flag that here as well. And as whomever is working through this list continues resolving, we continue communicating that, and then, once it's all resolved, we reinforce that: good, you did a good job. Your security gate has passed. Your current risk is acceptable, as deemed by the organization. You're done: 12 of 12 things, awesome. And if you move back into the overview, we give you that reinforcement right now. Our iconography is a check, green, and we tell you the security gate passed again. The merge risk is acceptable and you can keep going, like you got code reviews and you've got things to, you know, comments to deal with. Like, your main priority isn't security, but security should be a priority. And now our story about risk: there's a story about confidence.

So our next steps here would be to implement a low-risk flow where we have some foundational changes built up. We're thinking about the Security tab and thinking about some changes to that widget area, and then as well, while we're doing that, we'll take this risk-based MR widget through solution validation, trying to button it up a little bit more. And that's all I have.
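As an added illustration (not the speaker's or GitLab's code) of the gate logic described in the talk: scan jobs must succeed before their findings are trusted, the gate fails on criticality rather than volume, and the widget reports either a rerun flag or a required-actions count. The scan names, severity labels and counts below are constructed for the example.

```python
from dataclasses import dataclass, field

BLOCKING = ("critical", "high", "unknown")   # severities the gate acts on


@dataclass
class ScanResult:
    name: str          # constructed scan names, e.g. "sast"
    status: str        # CI job status ("success"/"failed"), not a verdict
    findings: dict = field(default_factory=dict)   # severity -> count


def evaluate_merge_risk(scans, blocking=BLOCKING):
    """Compute the widget state for one merge request.

    A scan job that did not succeed means its results cannot be trusted,
    so the gate asks for a rerun instead of reporting findings. Otherwise
    the gate fails only on blocking severities; their count is the
    "required actions" number. Low/info findings never block the merge.
    """
    rerun = [s.name for s in scans if s.status != "success"]
    if rerun:
        return {"gate": "rerun_required", "rerun": rerun,
                "required_actions": 0, "by_severity": {}}
    by_severity = {}
    for s in scans:
        for sev, n in s.findings.items():
            by_severity[sev] = by_severity.get(sev, 0) + n
    required = sum(by_severity.get(sev, 0) for sev in blocking)
    return {"gate": "failed" if required else "passed", "rerun": [],
            "required_actions": required, "by_severity": by_severity}


def widget_summary(state, blocking=BLOCKING):
    """The single line the simplified widget would show for a state."""
    if state["gate"] == "rerun_required":
        return "Security scans incomplete: rerun " + ", ".join(state["rerun"])
    if state["gate"] == "failed":
        detail = ", ".join(f"{state['by_severity'][sev]} {sev}"
                           for sev in blocking if state["by_severity"].get(sev))
        return (f"Security gate failed, merge risk unacceptable ({detail}); "
                f"{state['required_actions']} required actions")
    return "Security gate passed, merge risk acceptable"


if __name__ == "__main__":
    # Constructed sample: 114 findings in total, only 10 of them blocking.
    scans = [ScanResult("sast", "success", {"critical": 3, "high": 4, "low": 60}),
             ScanResult("dependency_scanning", "success", {"unknown": 3, "info": 44})]
    print(widget_summary(evaluate_merge_risk(scans)))
```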