The document outlines a webinar focused on how to innovate quickly while maintaining security and quality in software development, featuring insights from GitLab's product manager and security lead. Key topics include the importance of integrating security throughout the software development lifecycle, employing collaborative code reviews, and leveraging the hacker community for vulnerability discovery. The presentation emphasizes the need for smaller changes, early security involvement, and continuous integration to enhance both security and development efficiency.

1. Innovate faster without
sacrificing security or
quality
Victor Wu - Product Manager, GitLab
Brian Neel - Security Lead, GitLab

2. ● We will be recording this webinar and it will be available online.
● The slides will be sent with the recording via email.
● Please ask Victor and Brian questions!
A few housekeeping items
2
Questions can be
asked at any time by
typing in the
“Questions” tab on
your screen and
pressing send.

3. The World’s #1
Bug Bounty &
Vulnerability Disclosure
Platform

4. We connect organizations with the
largest community of trusted hackers
to discover security vulnerabilities
before they can be exploited by
criminals.

5. How HackerOne Works

6. Trusted By

7. Subscribe to our fresh newsletter: www.hackerone.com/zerodaily

8. 8
AGENDA
1. Introduction
2. Speed, Security, and Quality
3. Security across the SDLC
4. Why we work with the community
5. How GitLab leverages HackerOne
6. Q&A

9. 9
DEVELOPMENT DELIVERY
PLAN
Chat
Issue Tracker
Issue Weights
Issue Board
Time Tracking
CODE
Repository Management
Merge Requests
Code Review
Diff Tools
TEST
GitLab CI
Autoscale Runners
Review Apps
DEPLOY
CI/CD Pipelines
Auto or Manual Deploy
Container Registry
Chat Ops
ANALYZE
Contributor Analytics
Release Cycle Analytics
Prometheus Monitoring
End-to-End Software Development Platform

10. Speed, Security &
Quality
10
Yes, it’s possible!

11. But it requires finely-tuned
processes and collaboration
across stakeholders.
11
Source: 2016 Global Developer Survey

12. Innovate faster
without
sacrificing
security
12
● Make smaller changes &
commit often
● Involve collaborators and
approvers sooner
● Code review - “Shift Left”
● Security controls baked into
each stage of your
development process
● Security as a first-class citizen
stakeholder

13. Security Across the
Software Dev Lifecycle
13

14. Ship inherently secure code.
14
Security starts with code. Developers should always
have security top of mind when writing code. Code
review is a collaborative process that should begin
early in the development phase.
Depends on your code frameworks and your code
architecture
Expertise and resources
Systems and data

15. Start the conversation early with diff tools
and merge requests.
15
● Make small, iterative changes
● Keep conversations in context
● Catch bugs or broken code early

16. Access Control & Approvals
16
Merge request approvals act
as a quality gate to your
master branch.
● Ensure the right experts are
reviewing code before it’s merged
● Encourages cross-functional
conversations to happen at an
earlier stage in development
● Approvers may include a security
stakeholder

17. Access Control & Approvals
17
Protected branches:
● Prevents pushes from everybody except users
with permission
● Prevents anyone from force pushing to the branch
● Prevents anyone from deleting the branch
● E.g. feature touches sensitive customer data

18. Continuous Integration
18
Get code into different stages earlier by
integrating code frequently to detect, locate and
fix errors quickly. Making smaller changes leave
teams with less variables to consider when fixing
errors and bugs.

19. 19
● Automatic dynamic scanning with
automatic deployments to test
environments
● Humans test for vulnerabilities
● Security testers
● Business users
Get code into staging or test
environment early.

20. Why we work with our
community to spot &
prioritize security
issues and bug
bounties
20

21. 21
Security Development Process - Evolution
Idea v1 v2
Internal Security Audit
Development
Timeline
Vulnerability Scan
Penetration Test
Developer Training
Static Analysis
Dynamic Analysis
Bug Bounties
Test Driven Dev.

22. 22
GitLab’s Case
Study #1
Example Report received via HackerOne:
https://hackerone.com/reports/186194
Researcher provides a brief summary of the
vulnerability, proof of concept (not using
production systems), a listing of the vulnerable
code (nice!), and a proposed fix (also nice!).

23. 23

24. 24
GitLab’s Case
Study #2
Example Report received via HackerOne:
https://hackerone.com/reports/215384
This time a researcher found a vulnerability in
the just released subgroups feature of GitLab
9.0.
Report received on March 22nd. 9.0 had just
been released that day.
Our specs, feature tests, internal code reviews,
static, and dynamic analysis tools failed to find
this authorization vulnerability.

25. 25

26. Get started
26
How you can help your team innovate faster
and maintain quality & security
● Ship inherently secure code
● Build a collaborative culture
● Encourage small, iterative changes and commit often!
● Start code review early in the development process
● Continuously integrate code & automate tests
● Leverage the hacker community to quickly and safely spot security vulnerabilities

27. Q & A
27
Victor Wu
Product Manager, GitLab
Brian Neel
Security Lead, GitLab

28. Thank You
28
sales@hackerone.com
luke@hackerone.com