
How GitLab and HackerOne help organizations innovate faster without compromising security


In this webinar, GitLab’s Product Manager, Victor Wu, dives into how GitLab helps you ship secure code, the tools they use, and a few industry best practices they follow to protect data and secrets. Then GitLab’s Security Lead, Brian Neel, explains how they leverage their community through HackerOne to spot and prioritize security issues quickly.



  1. Innovate faster without sacrificing security or quality. Victor Wu, Product Manager, GitLab; Brian Neel, Security Lead, GitLab.
  2. A few housekeeping items
     ● We will be recording this webinar and it will be available online.
     ● The slides will be sent with the recording via email.
     ● Please ask Victor and Brian questions! Questions can be asked at any time by typing in the “Questions” tab on your screen and pressing send.
  3. The World’s #1 Bug Bounty & Vulnerability Disclosure Platform
  4. We connect organizations with the largest community of trusted hackers to discover security vulnerabilities before they can be exploited by criminals.
  5. How HackerOne Works
  6. Trusted By
  7. Subscribe to our fresh newsletter: www.hackerone.com/zerodaily
  8. AGENDA
     1. Introduction
     2. Speed, Security, and Quality
     3. Security across the SDLC
     4. Why we work with the community
     5. How GitLab leverages HackerOne
     6. Q&A
  9. End-to-End Software Development Platform (Development and Delivery stages)
     PLAN: Chat, Issue Tracker, Issue Weights, Issue Board, Time Tracking
     CODE: Repository Management, Merge Requests, Code Review, Diff Tools
     TEST: GitLab CI, Autoscale Runners, Review Apps
     DEPLOY: CI/CD Pipelines, Auto or Manual Deploy, Container Registry, Chat Ops
     ANALYZE: Contributor Analytics, Release Cycle Analytics, Prometheus Monitoring
  10. Speed, Security & Quality: Yes, it’s possible!
  11. But it requires finely-tuned processes and collaboration across stakeholders. Source: 2016 Global Developer Survey
  12. Innovate faster without sacrificing security
     ● Make smaller changes & commit often
     ● Involve collaborators and approvers sooner
     ● Code review: “Shift Left”
     ● Security controls baked into each stage of your development process
     ● Security as a first-class stakeholder
  13. Security Across the Software Dev Lifecycle
  14. Ship inherently secure code. Security starts with code. Developers should always have security top of mind when writing code. Code review is a collaborative process that should begin early in the development phase. What this looks like depends on:
     ● your code frameworks and your code architecture
     ● expertise and resources
     ● systems and data
  15. Start the conversation early with diff tools and merge requests.
     ● Make small, iterative changes
     ● Keep conversations in context
     ● Catch bugs or broken code early
  16. Access Control & Approvals. Merge request approvals act as a quality gate to your master branch.
     ● Ensure the right experts are reviewing code before it’s merged
     ● Encourages cross-functional conversations to happen at an earlier stage in development
     ● Approvers may include a security stakeholder
  17. Access Control & Approvals. Protected branches:
     ● Prevent pushes from everybody except users with permission
     ● Prevent anyone from force pushing to the branch
     ● Prevent anyone from deleting the branch
     ● E.g. a feature that touches sensitive customer data
  18. Continuous Integration. Get code into different stages earlier by integrating code frequently to detect, locate and fix errors quickly. Making smaller changes leaves teams with fewer variables to consider when fixing errors and bugs.
  19. Get code into a staging or test environment early.
     ● Automatic dynamic scanning with automatic deployments to test environments
     ● Humans test for vulnerabilities: security testers and business users
  20. Why we work with our community to spot & prioritize security issues and bug bounties
  21. Security Development Process - Evolution. Development timeline from Idea to v1 to v2, with the practices adopted along the way: Internal Security Audit, Vulnerability Scan, Penetration Test, Developer Training, Static Analysis, Dynamic Analysis, Bug Bounties, Test Driven Dev.
  22. GitLab’s Case Study #1. Example report received via HackerOne: https://hackerone.com/reports/186194. The researcher provides a brief summary of the vulnerability, a proof of concept (not using production systems), a listing of the vulnerable code (nice!), and a proposed fix (also nice!).
  24. GitLab’s Case Study #2. Example report received via HackerOne: https://hackerone.com/reports/215384. This time a researcher found a vulnerability in the just-released subgroups feature of GitLab 9.0. The report was received on March 22nd; 9.0 had been released that same day. Our specs, feature tests, internal code reviews, and static and dynamic analysis tools all failed to find this authorization vulnerability.
  26. Get started. How you can help your team innovate faster and maintain quality & security:
     ● Ship inherently secure code
     ● Build a collaborative culture
     ● Encourage small, iterative changes and commit often!
     ● Start code review early in the development process
     ● Continuously integrate code & automate tests
     ● Leverage the hacker community to quickly and safely spot security vulnerabilities
  27. Q & A. Victor Wu, Product Manager, GitLab; Brian Neel, Security Lead, GitLab
  28. Thank You. sales@hackerone.com, luke@hackerone.com
