Hey, my name is Fernando and I'm a technical marketing manager here at GitLab. I am part of the strategic marketing team, and today I wanted to go over the Simply Simple Notes application that I developed to showcase GitLab Secure features. So I'm going to go through how to actually set this up in your environment and then use it to give demos to customers or to anyone. So let me go ahead and share my screen.

Okay, so here we have the Simply Simple Notes application, and I'll link it in the video. What this application is is just a simple Python Flask web application, and it's powered by a SQLite backend. That SQLite backend is used just to store notes, and it pretty much adds, deletes and gets the various different notes. So let me just show you what this looks like. It has a GUI, but it also has an API that can be accessed, and you can add a note. So I can say "hey", add it, and you see it'll come with a pop-up that the note has been added. It'll add the note, it'll give it an ID of one, and then if I put in another note, it'll show that displayed as a second one. Then if I need to delete a note, I can go ahead and just put in its ID and delete the note. So a very basic application, but it has enough code where we can make significant changes, or even small changes, that will go ahead and trigger our security scanners and showcase what the security scanners actually find.

So to give you an example, I've created a merge request, and once you click on this merge request, you can see the security scans have detected SQL injection. They've detected a permissive mask. They found issues in the dependencies, in the container, within the DAST. So you can see that there are a lot of issues that have been found within this application, and it even has a license issue.
So what I'm going to do is go ahead and show you how you can recreate this whole environment within your own namespace, as well as run through creating the Kubernetes cluster and getting all this together. Now let me just explain the pipeline. The pipeline has build, which builds the container, then it runs every single one of our static security scans, which scan static files. That'll include SAST. It will include dependency scanning, which in this case scans the requirements.txt file since it's Python. It'll include scanning the licenses, secrets, and our container image and finding any vulnerabilities in that. Then it'll deploy to our Kubernetes cluster, and it will also enable GitLab's Protect. So it'll enable container network security and container host security within GitLab's Protect, and it will also create the ingress resource and everything that we need to deploy our application. And then we run DAST on this application. So it'll run the DAST, which I'm going to call Dynamic Application Static Testing. And then I'll just show you what that looks like. It's just including a bunch of the different templates to enable the security scans, and then it's adding some Docker commands to build the container and push it to our container registry. And then it'll just have a little configuration for SAST. This is just to show that the environment variables can be changed, and I'm just adding a debug trace. And then we deploy to staging using Helm, and then we run DAST on the DAST website. And I've enabled the full scan. So I'll go over all of that in detail after I've shown you how to create the cluster and clone the namespace.

So the first thing that we need to do to clone this into your own workspace is to go ahead and clone with HTTPS. Let's add that to the clipboard. And now in Projects, so I create new... sorry, go to Projects, Your projects. And I'm going to create a new project.
So I am going to import the project, Repo by URL. And I'm going to type this in. And you can see it's already copied over Simply Simple Notes. I'm going to go ahead and make this public, and I'm going to create this project within my namespace. So now it's importing; it should take two seconds. And there we go. So now Simply Simple Notes has been cloned into my namespace, so I have everything set up.

Now the next thing I need to do is actually add a Kubernetes cluster to get this working. So I am going to go to the Google Cloud Platform. I'm going to go to Kubernetes clusters. Then I'm going to create a cluster. And what you need to run this is very small; I'll go ahead and show you. So I'll name this cluster, give it a descriptive name, burn-demo1, let's say. And I don't need to touch anything else. I know that this is the zone I want it in. I know I just want to use the static version. In the node pool, we're going to keep it at three nodes. And the nodes that we're going to select can be small. There's not really much needed for this application to be running. So I'll just create a small instance. I can probably even get away with a micro instance, but just because other things are running within the... Well, actually, I'll make a medium one just for the additional memory that it has, because just in case later on I want to add different things from GitLab's Protect. So I'm going to keep it at four gigs, but it can probably use a smaller one.

Then under Security, under cluster security, I'm going to enable basic authentication. I know it is deprecated, but right now I don't have the IAM permissions for cluster role bindings, and that's something that I'll request. But if you have permissions to perform cluster role bindings through IAM, then you won't need to check this box. And what this does is it'll just enable being able to create something as an administrator.
It'll allow you to create cluster role bindings as an administrator by just passing in a username and password, that is, an admin username and password. And then one more thing within the network: if you have your own network, you can select that one, and it'll be a lot better, and you won't get duplicate IP issues. And then I will just press Create, and you can see it's being created now. So we'll give that a few seconds, and we'll jump back into here.

So what you're going to do here now is add the Kubernetes cluster. So I'm going to connect an existing cluster. I know it's called burn-demo1. Looks like it's still being created. All right, the cluster finished. So let's go click on it, and we can see the endpoint here. So we're going to go ahead and copy that to the API URL. Make sure it's HTTPS. We are going to go ahead and show the credentials, and we're going to copy the certificate. And now to obtain the service token, this is where we need to actually create cluster roles and cluster role bindings. So let's go ahead and do that. We connect using the Google Cloud terminal, the Cloud Shell. So now I'm in the demo1 cluster. I am going to apply the sa.yaml file that I created, and I'll show you that in just a moment. And see, if I try to apply it, it's going to give me an issue saying I don't have permission. So this is where I'll use the credentials here. I'll use this basic authentication. So I'll perform the same thing with that username and password. Perfect. So now it's been created.

So now what I'm going to do is actually get that service token: kubectl get secret -n kube-system, and we're going to grep for admin. So now that we have that admin token, we are going to show that secret, and we're going to get the token value, and we're going to base64-decode it. So echo... And here we have it. So I'm going to copy that, and I'm going to go back to my cluster.
And I'm going to paste that right in there. And I will click on Add Kubernetes cluster. And there you have it. Now we have the cluster added. Clear this. Okay.

Now just to show you this file, you can see that it just creates a service account called gitlab-admin. It creates a cluster role binding, which is a role for the whole entire cluster, and it's going to give the cluster-admin role to the GitLab service account. So yeah, the role cluster-admin already exists; it's a cluster role, and we're going to give that permission to the gitlab-admin service account.

So going from there, one more thing: now that we have the cluster configured, we can go ahead and do cluster management project (alpha) and select our Simply Simple Notes, save it. And what this does is it allows the Protect applications to be installed via GitLab Managed Apps. So the cluster management project can be used to run deployment jobs with Kubernetes cluster admin privileges. So in order to install Cilium for the container network security and all the things that we need, we need to check this so that way it runs as a cluster admin. So now after these changes have been saved, we go back to Simply Simple Notes, and now we can go ahead and run a job. So let's go ahead and run the pipeline. Let's run it on master. All right, so the scans are almost done. I'm going to go ahead and cancel DAST just because it won't be scanning the right URL.

So now that everything has been applied and, you know, we can see that the jobs are running properly, we're going to go back to our Google Cloud console. And we are going to get the services in -n gitlab-managed-apps, which is the namespace created for the managed apps, and we're going to do -o wide. So we're going to look at the ingress-nginx controller, and we're going to go ahead and look at its external IP. So this is what's listening out. So we're going to go ahead and create a DNS name for our application.
So let's go ahead and do that. Now we have the external IP. So I am going to go to Networking, I'm going to go to Network services, I'm going to go to Google Cloud DNS. And then from here, I'm going to click on a zone that I have, which is tanuki.host. And I'm going to go ahead and add two entries. So my entry will be firm.tanuki.host, and I'll add the IP address from the ingress controller. Now create this. I'm also going to create one for anything in front of that, so *.firm, and I'll add the IP address, and I will create that as well. Okay.

Now that that's there, I'm going to go back to my project. I'm going to go to Operations and Kubernetes. I am going to add my base domain as firm.tanuki.host, and I'm going to save the changes. And then now I'm going to change a few things on the project. So I'm going to go ahead and just open the Web IDE. I am going to open the .gitlab-ci.yml, and I'm going to change this to firm.tanuki.host/notes. And the reason for /notes is because when I'm deploying it, I'm giving it the path /notes. So that's one thing to change. Another thing to change is the notes in the sitemap.yaml, which is found here, and change these items to firm. Okay. So that's all changed. I'm going to go into Helm, and in my values, I'm going to change this host to firm as well, firm.tanuki.host. And I'll show you.

So Helm is used to deploy this application into the Kubernetes cluster. This is pretty much the file that it uses to deploy notes. It creates a deployment with the notes application. This will be the image that's created. This will be the target port that you specify in values.yaml. So it's using the image that we built from the Dockerfile that loads the application, the Flask application, and the application is running on port 5000. So we are targeting port 5000. Then we create a service which exposes it within the cluster.
And what we do here is, anytime that the port, which is values.port, so 80, so anytime you send a request to port 80 on the cluster IP, what's going to happen is it's going to route that to the target port, which is port 5000, on the notes deployment. So it'll go ahead and route the traffic on the internal cluster networking from 80 to 5000 within that container. And then we create an ingress to expose it to the outside. And that means that anytime a request is sent to this host with this path, we're going to go ahead and hit the notes service on port 80. And then the notes service, since it's on port 80, it'll hit that, and then it'll send it to the target port on the application container, which is port 5000. So the routing will happen that way. And the reason why we changed this host was so that we actually use the one that we have for our DNS.

Okay, so that's about what we need to change. Oh, and I can change the README, not a big deal, but just so you don't get confused, I would have changed the README to the host/notes. And I'm going to go ahead and commit this. I'm going to commit it directly to the master branch and wait for the pipeline to run yet again. Right, now that the deploy stage finished, let's go ahead and see if it's running. So we're going to go ahead and click here. Oh, there we go. And our application is working. It has been deployed. Nice. Okay. And we can see that it's at firm.tanuki.host. So now we have the project working and completely configured, and now we can go ahead and test the security scans and create a merge request.

So in this part, I've actually added lots of documentation on this. So let's open up the Web IDE and do some editing. But the documentation that I've added within docs, you can see "creating vulnerabilities", and this will go over the different vulnerabilities that you can create.
So I have it broken down into different sections for SAST and secret detection, dynamic application security testing, dependency scanning, container scanning and license scanning. And so now let me go ahead and create this merge request. So actually, before creating this merge request, let me just do one thing, and that will be setting up the merge request approvals. So I just go into General, Merge request approvals, enable Vulnerability-Check. So I'm just going to set the approvals that I want; I'm just going to type in "security", and it's going to search for the GitLab security team. I'll go ahead and select that once it's been populated. So right here. I'm going to add the approval rule, and I can see the security team has been added for a vulnerability check. And what happens is that someone from this group that I just added must approve if there's a vulnerability detected that's high, critical or unknown. And I'm going to add one for a License-Check. And the license check will block the merge request from being merged if a denied license is detected. So we do this here; I can just put approvals and I'll just put the support team. This would be maybe the security team or someone from legal, but that depends on how you're structured. I'll go ahead and add that approval rule. Okay, so that's been configured.

Let's go back and start creating those vulnerabilities. So I am going to open the application. I'm going to go into db.py, and I am going to go ahead and add a new function that's vulnerable to SQL injection. I am going to give permissions to the database file. So here, I connect to a database file, and I'll go ahead and change the permission of that file. Then I'm going to add some keys, some secrets, and add them straight to the file. So I'll go to run.py, and where the application is run, I'm just going to throw in some random strings that look like keys, IDs and secrets. Then I'm going to go ahead and add a new route that DAST can pick up on.
So I will go ahead and add it to routes. Adding this route as well, get-with-vulnerability. I also need to remember to edit my sitemap. So I will edit the sitemap to then include that new path, the get one; I'll add that. Then coming back, I will add two insecure dependencies in requirements.txt. So instead of Flask, I'm going to use an old version of Flask, and I'm going to use an old version of Django. Even though I'm not using Django, I'm just adding it to pick up vulnerabilities. Let's see. Then I'm going to go into the Docker image, and I'm going to change that Docker image to 3.4... so 3.7, so that's a vulnerable version. And then I'm also going to add a client that has a new license that we haven't seen before. So I'll add that to our dependencies. So let me go ahead and do that. Okay.

So now what I can do, I don't think I'm missing anything, but now what I can do is commit. And I can create a new branch; let's say testing-scanners, test the scanners. Okay. And I'll go ahead and start a new merge request. So testing scanners, we can write some information and submit the merge request. And now it's running the pipeline. And you can see that we have the License-Check and Vulnerability-Check displayed. So that'll be one thing that we can see, and we know that that's working. So we can show that off in the demo. We can say, you know, look, now this is a developer's view within this MR. They'll have the license check and vulnerability check.

And while this is running, let me go ahead and show you the security dashboard. So the security dashboard will be enabled, and you can see exactly what's shown. You can see all the issues that were picked up within the master branch are here within the security dashboard. So we can go ahead and just click on one. We can see the status.
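To make the "creating vulnerabilities" step concrete, here is an added example (not code from the Simply Simple Notes project) of the three db.py / run.py changes described above, each beside the form the scanner accepts: string-formatted SQL versus a parameterized query, a permissive file mode versus owner-only, and a hard-coded key versus one read from the environment. The table, function and variable names are assumptions.

```python
"""Added example, not code from the Simply Simple Notes project: the db.py-style
change the walkthrough uses to trigger the SQL injection, permissive-mask and
secret findings, next to the form each scanner accepts. Names are assumed."""
import os
import sqlite3
import stat
import tempfile

SCHEMA = "CREATE TABLE IF NOT EXISTS notes (id INTEGER PRIMARY KEY, body TEXT)"


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def get_note_vulnerable(conn, note_id):
    # What SAST reports: the caller's value is spliced into the SQL text, so
    # anything that is not a plain ID changes the statement itself.
    query = "SELECT id, body FROM notes WHERE id = %s" % note_id
    return conn.execute(query).fetchall()


def get_note_safe(conn, note_id):
    # Placeholder binding: the statement is constant and the value stays data.
    return conn.execute(
        "SELECT id, body FROM notes WHERE id = ?", (note_id,)
    ).fetchall()


def demo_query_handling():
    """Run both functions on a constructed non-ID value; return the row counts."""
    conn = open_db()
    conn.executemany("INSERT INTO notes (body) VALUES (?)", [("first",), ("second",)])
    probe = "1 OR 1=1"  # constructed input that is SQL text, not a note ID
    leaked = len(get_note_vulnerable(conn, probe))  # every row comes back
    contained = len(get_note_safe(conn, probe))     # nothing matches the literal
    return leaked, contained


def set_private_file_mode(path):
    # The walkthrough widens the database file's mode to get the "permissive
    # mask" finding; owner-only read/write is the mode a scanner accepts.
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_file_mode():
    """Apply set_private_file_mode to a throwaway file and return the mode."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        return set_private_file_mode(path)
    finally:
        os.remove(path)


def api_key_from_env(env=os.environ, var="NOTES_API_KEY"):
    # Secret detection fires on key-like literals in run.py; reading the value
    # from the environment keeps it out of the repository. Variable name assumed.
    value = env.get(var)
    if not value:
        raise RuntimeError("%s is not set" % var)
    return value
```

`demo_query_handling()` returns `(2, 0)`: the formatted query hands back both notes for an input that is not an ID, while the parameterized one returns none.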
We can show that there's lots of information that a member of the AppSec team can use to determine how to find the vulnerability, how to resolve it, how to do more research. They can see what the CWE is. There's a lot that can be done with this. And they can change the status and confirm this once they've confirmed it. And you can see that it'll give you a timestamp as well as who confirmed the vulnerability and its status. And within the security dashboard, you can also sort through the different statuses. So I'll see what was actually confirmed, and you can see that it's the one I just confirmed. And you can also go by severity and by scanner type. So that'll be loading, and the merge request will now be loading. And you pretty much have your environment completely set up and completely configured to go ahead and demo. Now I'll just wait for this pipeline to pass, and then I'll start showing you what the demo shows and what you should see. Yes.

All right. Now that the security scans have completed and the pipeline is done running successfully, you can see that there are these two different tabs. We can expand one for security scanning, one for license compliance. So here you can show off the different features and the actionable vulnerabilities, where you click on it and you can go ahead and dismiss this vulnerability with a comment, like "hello", or "this function doesn't have access to the real database". You can go ahead and add a comment and dismiss that, and you can show that it's crossed out. And if this does get merged, then the status of the vulnerability will be dismissed once it's merged, and it'll appear in the security dashboard. You can also show that there are identifiers which lead you to more information, so it enables developer education, educates a security team on what the vulnerability is, and ultimately makes better, more security-aware developers. You can also show it goes to the exact line of code where the vulnerability was found.
So that way developers know that this is what needs to be changed. And another feature would be creating an issue, so you can see that an issue can be created off of a vulnerability. And one thing to highlight is that this contains all the information of the vulnerability, and it's confidential. So you're not going to be showing this to any malicious actors. And that way the developers and AppSec team can collaborate within this confidential issue to resolve it, you know what I mean, without letting anyone know. So what'll happen is it'll be resolved. It'll be something that, let's say it needed to be fixed, was pushed to production but exposed something, then they can work on it confidentially until they find the solution. And the same can be said with the confidential merge requests. It's the same concept, except the code is in a merge request.

And for the license setup, the license scanning compliance report, you would expand this and you would just deny this license. And then you can just show that on the fly we found an out-of-compliance license. So this can be done before showing it to the user. And then you can just come in here, and now when you're showing it to your user, you can say, well, this was part of a policy, and since it's denied, then we see that it's out of compliance. And if you want to just see that in depth, you can just go to Security & Compliance, License Compliance, and you can see the policies. Here you can see that 2.0 has been denied, and you can go ahead and add licenses and different things.

But yeah, that's pretty much a general guide on setting this up in your own infrastructure and your own namespace, so that way you can go ahead and mess with it however you like, make any changes and have it ready, just because we're not able to maintain it on our own namespace. We're not able to constantly keep up with these changes and keep cleaning the projects.
So this is a good way to just get started, and then that way you can make whatever changes you want. Also, I'm happy for any contributions to this project. So please feel free to contribute and please feel free to give any suggestions. You can give them on the #tech-marketing channel, and look at the description; there'll be lots of links to relevant material on this, to all the projects, everything that we use, just to give you a sense of what's available out there. So yeah, thank you very much. Hope you have a good day.