Okay, welcome to our second tutorial of the Q1 hackathon. Excited to have David DeSanto from the Secure and Defend team. I don't think we've had a tutorial in the past on the security arena at GitLab. So glad to have you here, David. I'll let you introduce yourself and I'll let you take it from here.

Thanks, Ray. I'm excited to be here as well and excited to see what the community does with Secure and Defend. So as Ray mentioned, David DeSanto, I'm director of product for Secure and Defend. Secure and Defend are our security-focused stages of the DevOps lifecycle. And so there's a lot of really fun, exciting things going on with them. So I'll share my screen here so we can start talking about it. Okay, so as I mentioned, we're gonna talk about Secure and Defend, but we'll first talk about Secure. And when we think about Secure, we look at that as the offensive security or proactive security component of the DevOps lifecycle. And so we're focused on identifying vulnerabilities and weaknesses so people can reduce their risk. And you can see in the diagram here, Secure lives underneath the Dev section of the DevOps lifecycle. Over the next year or two, it'll begin to go into the Ops side as well. But today we're primarily focused on bringing security as close to the developer as possible. The Secure team includes myself as well as four product managers and an ever-growing engineering org. It includes multiple technical writers and dedicated UX, so we can make sure security is being done right within the product. Again, we have multiple focuses and we'll talk about those in a minute, but again, the team is rather large. If you're wanting to look at ways to communicate with the team, we do have a GitLab group that you can mention as well as some tags focused on Secure. And of course we have a long playlist of videos and demos over the last several months of the group being together. Our direction page is a really great place to look to kind of understand what is going on within Secure.
I'll scroll down a little bit. First we define our groups. And actually let me refresh that, make sure we've got this copy, there we go. And so when looking at it, we first have a static analysis group. So that's focusing on testing the code while it's not running. So just scanning the repository for known issues within the code. We have a dynamic analysis group that actually focuses on the application as it runs. So we will use the GitLab review app. It comes online and then we scan that app just the way any other user would use it. And we have a composition analysis team. They're focused on the components that go into the product. And so if your application is using dependencies or open source licensing, those can be checked to make sure they're free from vulnerabilities or they're a license that you want used within your project. And then finally, among the product groups, we have an attack surface team. They're focused on testing applications and services for vulnerabilities or weaknesses in their configuration. And this is a brand new team. Their first focus is on expired or weak SSL/TLS settings. So if you think about traffic, you're watching this maybe on YouTube, you're communicating over HTTPS, that requires encryption. And this team's first charter is to make sure that things like weak cipher suites, things that would be easily crackable, or expired certificates are not being used. We have one non-product team, the vulnerability research team. They're focused on adding vulnerabilities into our database such that the four groups I just mentioned can leverage that as part of their testing. And there's a lot more going on with it. I don't wanna spend our entire time just looking at this. The next area just to highlight for you, as you think about areas you wanna contribute: we've defined multiple themes for Secure. One is we want Secure to be a team effort. So we wanna include Secure in the Core level of the license or in the FOSS offering, depending on which one you're using.
We wanna continue to move security left, make sure we're getting that data back to the developers in the view they're used to using. And the last one I would highlight for you is bring your own tools. So being able to integrate third-party products in such a way that they feel as if they're part of that DevOps lifecycle that we at GitLab offer. As you begin to think about areas you would want to potentially look at, the best way to kind of look at what we have today is on the categories page in our handbook. And in here we list out contact information. And so you can say like, hey, I'm thinking about doing something on the SAST side, the static analysis side, but I really wanna talk to the product manager for that. You can go in and find the product manager and then be able to comment on an issue and interact with them. And you don't have to be a GitLab employee to add comments to issues that you see in our UI. You can add comments, you can tag an entire team, and you can see we have some tags for that as well, or you can just add the product manager or one of the developers that you may wanna interact with. And same thing, so if you go down you can also see the individual category. So let's say you wanna look at what we plan on for fuzzing. You can click on strategy and it'll take you into what we're thinking as part of that. If you're wanting to say, not contribute something that new, but you wanna dive in and see what you can contribute on the Secure side outside of that, you can go into our issues and you can actually search. And here I filtered by accepting merge requests. So you can see things that are available for improvements. In this case, I filtered on our static analysis group and you can see the category is SAST. And the last thing I added was a milestone of awaiting further demand. So here you can see there's nine items that we're awaiting more feedback on to prioritize and put into the backlog.
So let's say you really care about ReactJS and security related to ReactJS. You can actually come in here and look at the SAST issue that's been filed, see what our thoughts are, and you can then immediately contribute a merge request to this issue and then have it be reviewed by the team and get it integrated into the platform. That's a really high level of SAST and Secure as a whole. Next, I just wanna kinda give you a rundown of what's in Defend. So when we talk about Defend, we're talking about the operational side. You can see that here on the lifecycle. So it's sitting underneath the Ops side. And our goal is to protect cloud-native application services and infrastructure. And today, Defend's very new. So we only have one category that's available today for use and that's our WAF. And that is available in the Core level of the licensing. But we have lots of really cool and exciting things to come, including container-native, I'm sorry, container network security. So providing firewalling and intrusion prevention at the container level. We're also looking at extending usability and anomaly detection with our UEBA offering. And so there's a lot of stuff that's really cool coming up. And I'm actually really excited that on the call we have our director of engineering for Defend, Wayne. And we'll let Wayne kind of make some suggestions here as to areas that he would love to see the community contribute.

Thanks, David. So we are working on all the things David mentioned and also vulnerability management, which is being able to manage the vulnerabilities, work them, mark them as open, closed, comment on them, et cetera. So many of these things are still very new. And we've brainstormed on where the community can really contribute. And right now it's more on feedback on the user interface designs and our plans.
We've tried to pick out some specific initiatives that the community could work on, but we feel it's a little bit premature at the current time, but we definitely want feedback. We want ideas, file issues with ideas on how we can better put in Defend features. We'd love to see those things. We're not ready just yet for contributing code and letting folks find some great places to do it. But currently, when we brainstormed with the team, we did. And again, as David mentioned, it's with the Web Application Firewall, which we've done via ModSecurity linked into NGINX; Cilium integrated for doing network policies inside Kubernetes; vulnerability management, which is inside the GitLab product itself; and other things coming as well.

Thanks, Wayne. As I mentioned, Defend is newer and Wayne just touched on that as well. So the team is still growing. Here you can see the people we have as part of the team. And to kind of show you what we're focused on, as Wayne mentioned, our direction page is a great place to do that. So if you hop down and look at the categories, you can see what Wayne was just mentioning. So WAF is the only thing currently released, it's minimal. We do have plans to add intrusion prevention as well as things like RASP. But everything is still very new. Container network security will be shipping soon, but we're very excited to be growing the Defend side of our portfolio. Same thing if you wanted to search the backlog. I know Wayne just mentioned there's not a lot of areas yet that they think contributions can be done on yet. But here what I did was I searched by, again, accepting merge requests. I selected container network security. And then the milestone I noticed that was heavily used for things that haven't been looked at was backlog. So that was my milestone. And one of the items I was looking at actually last night, when thinking about areas that maybe the community could contribute, is the auto-notify of on-call personnel.
This is the ability to monitor the logs, and if an event occurs, be able to message it out. Again, you could always go in and just kind of review it, and then begin to add in a potential community contribution for notifications.

Yeah, that would be a potential good one. Could be via notifying on-call via Slack, via PagerDuty, or whatever other methods are deemed appropriate. So that one is a potential good one.

Again, all the contact information is on that categories page. And you can see the individual product managers. Wayne is here as well. But I'll just use my profile as an example. You're like, hey David, great kickoff to the hackathon. I wanna contribute to Secure and Defend, how do I get a hold of you? You can actually just click on the names that you see and it takes you over to our team profile. And from there, you'll see all the contact information. So we'll give it a second to load. I'm at a hotel this morning, if you can't tell by the background, and my internet's super slow. But you can see a little bit about me. You can see my Twitter. I'll tell you it's very boring. I almost never tweet, but it's there. And then of course, you can look at my GitHub profile. And then from there, you can see my contact information. You can see a little bit about me. And you can see the things that I'm commenting on that are public. And I will highlight that there I do say I live with two dogs and my wife in Texas. And here's that dynamic duo that's mentioned in my profile. So I'll tell you they're very bad coders. I think it's because they don't have opposable thumbs. However, I'm sure at some point they would love to be community contributors as well. The last thing I just wanted to highlight for you. I noticed this on a couple of other kickoff calls I had. But if you wanted to, say, contribute. It's just too bad, David, that we haven't written GitLab in Ruby on Rails. There you go. Sorry, bad joke. What you can do is just look at general issues that aren't assigned to a group.
That means that no team has picked them up. And what I did here is I searched again inside the GitLab org group for accepting merge requests and group not owned. And then in here you can see that there are other areas that may be of interest to you that you would want to work on as well. And as Wayne said, and I'll speak on behalf of Todd, who's the director of engineering for Secure, we're very open to you making suggestions, as Wayne said, and filing issues and tagging us so we can review it. It could become a priority. We could get it in. Also, you could file it and we'll say that's a great idea as well, we would love that to be a community contribution, and then we could work with you as part of that as well. To kind of wrap things up here, I just wanted to thank everybody for taking the time to watch the video. I see a couple of people have joined since the recording started. But at this point I'd love to open it up for any questions there might be.

Well, thanks, David and Wayne. Yeah, so I mean, I definitely see like now three community members that are online. I mean, if you have any questions feel free to verbalize them, or if you want to type it into the chat window if that's your preference, that's completely acceptable. Yeah, and I also want to reiterate, like David just said, I mean, this is something that I repeat. I mean, I never get tired of repeating this. Like if you need to ping somebody at GitLab, it's completely fair game. Like you don't have to be an employee to be able to ping anybody at GitLab if you have any questions for Wayne or others on the engineering side about, what about this feature on Defend? I mean, we love having interactions with community members and, again, your insights. So feel free to reach out to us anytime.

Yeah, it's a very good point. You can actually see community contributions on the maturity pages of the stages. And in the case of Secure, we've had several good community contributions to improve upon it.
The other thing I do want to highlight too, I just realized I forgot to do, is that we're also focusing on contributing to the community. So it's not just the work that we're doing in making a community edition or a FOSS version of the product, but we're also now contributing back upstream to the open source projects that we are using to extend what we're doing with our solutions. And Wayne, since you're on the call, I don't know if there's anything you want to highlight about what you did with Cilium, but I think it was very exciting that we began to help out the broader community, not just the GitLab community.

Yeah, so we use Cilium for implementing network policies inside of Kubernetes when we use Auto DevOps to push that for our customers. And Cilium has a lot of great features. We've looked at a lot of different open source projects and settled on Cilium, but not everything was there. So we've been able to make changes to the Cilium open source project, which I think all but one have been accepted already, or actually all have been accepted, one hasn't been released just yet. And for example, Cilium allowed blocking and logging of traffic but didn't allow logging only, and that's something that we feel is important. So we added that to the Cilium open source project so it can do that. We made some other changes as well, but that's been a great experience working with that open source project.

Thank you, Wayne. That's great. So yeah, so we're open to any questions you may have. If you don't, I'll just take that as Wayne and I did such a phenomenal job on this that you have zero questions and we'll pat ourselves on the back.

Right. Yeah, I mean one more call for questions, and I mean a quick request to you, David: if you don't mind sending me the link to the presentation, I'll post it along with the recording on the hackathon page after we're done here.

Yeah, absolutely. The same sort of contact information is in there for Defend as well, we didn't really talk about that.
But yeah, same thing, you can mention the Defend team and it'll get to the entire stage.

Right.

But I will provide you the deck and I'll make it accessible by everybody in the world so that way anybody who's part of the hackathon can use it.

Right. Yeah, and just one other caveat, I guess Slack is, I mean, not available to the wider community. Is that correct? That's GitLab only.

That's correct. I left it in there because it's in all of our public classrooms with group conversation.

Right. But yeah, I mean as usual, people can ping me on Gitter, and then if I need to forward the question over to one of these Slack channels, I'll be more than happy to do that. Cool. I guess there are no questions from the participants, so we'll just wrap it up. And yeah, if you have any questions, feel free to ping me on Gitter, and then we'll thank you, Wayne and David, for the session. Appreciate it.

Absolutely. Good luck with the hackathon and let us know how we can help.

All right. Cheers. Have a good one. Bye. Bye. See you.