How GitLab and HackerOne Help Organizations Innovate Faster Without Compromising Security
TRANSCRIPT
Innovate faster without sacrificing security or quality
Victor Wu - Product Manager, GitLab
Brian Neel - Security Lead, GitLab
● We will be recording this webinar and it will be available online.
● The slides will be sent with the recording via email.
● Please ask Victor and Brian questions!
A few housekeeping items
Questions can be asked at any time by typing in the “Questions” tab on your screen and pressing send.
We connect organizations with the largest community of trusted hackers to discover security vulnerabilities before they can be exploited by criminals.
AGENDA
1. Introduction
2. Speed, Security, and Quality
3. Security across the SDLC
4. Why we work with the community
5. How GitLab leverages HackerOne
6. Q&A
DEVELOPMENT DELIVERY
PLAN
Chat
Issue Tracker
Issue Weights
Issue Board
Time Tracking
CODE
Repository Management
Merge Requests
Code Review
Diff Tools
TEST
GitLab CI
Autoscale Runners
Review Apps
DEPLOY
CI/CD Pipelines
Auto or Manual Deploy
Container Registry
Chat Ops
ANALYZE
Contributor Analytics
Release Cycle Analytics
Prometheus Monitoring
End-to-End Software Development Platform
But it requires finely-tuned processes and collaboration across stakeholders.
Source: 2016 Global Developer Survey
Innovate faster without sacrificing security
● Make smaller changes & commit often
● Involve collaborators and approvers sooner
● Code review - “Shift Left”
● Security controls baked into each stage of your development process
● Security as a first-class citizen stakeholder
Ship inherently secure code.
Security starts with code. Developers should always have security top of mind when writing code. Code review is a collaborative process that should begin early in the development phase.
Depends on your code frameworks and your code architecture
Expertise and resources
Systems and data
Start the conversation early with diff tools and merge requests.
● Make small, iterative changes
● Keep conversations in context
● Catch bugs or broken code early
Access Control & Approvals
Merge request approvals act as a quality gate to your master branch.
● Ensure the right experts are reviewing code before it’s merged
● Encourage cross-functional conversations at an earlier stage in development
● Approvers may include a security stakeholder
Access Control & Approvals
Protected branches:
● Prevents pushes from everybody except users with permission
● Prevents anyone from force pushing to the branch
● Prevents anyone from deleting the branch
● E.g. a feature that touches sensitive customer data
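As an added illustration (not GitLab's own code) of the two gates above, the following constructed Python model combines the protected-branch rules (push permission, no force push, no deletion) with a merge request approval gate that requires a security stakeholder among the approvers; the role ranks, group names, and the exclusion of the author's own approval are assumptions made for the example.

```python
"""Constructed model of GitLab-style protected branches and MR approvals.
Not GitLab's implementation; role ranks and group names are assumptions."""
from dataclasses import dataclass

# Assumed role ordering (higher rank = more privilege).
ROLE_RANK = {"guest": 10, "reporter": 20, "developer": 30, "maintainer": 40}


@dataclass
class ProtectedBranch:
    name: str
    push_role: str = "maintainer"   # minimum role allowed to push directly
    allow_force_push: bool = False
    allow_delete: bool = False


@dataclass
class PushEvent:
    branch: str
    actor_role: str
    force: bool = False
    delete: bool = False


def check_push(rule: ProtectedBranch, event: PushEvent):
    """Return (allowed, reason) for a push evaluated against one protected branch."""
    if event.branch != rule.name:
        return True, "branch not protected by this rule"
    if event.delete and not rule.allow_delete:
        return False, "deleting a protected branch is not allowed"
    if event.force and not rule.allow_force_push:
        return False, "force pushing to a protected branch is not allowed"
    if ROLE_RANK.get(event.actor_role, 0) < ROLE_RANK[rule.push_role]:
        return False, f"role {event.actor_role!r} may not push to {rule.name}"
    return True, "push allowed"


def check_merge(approvals: dict, required_count: int, required_groups: list, author: str):
    """Approval gate: enough approvals, every required group (e.g. security)
    represented, and the MR author's own approval not counted (assumed policy).
    `approvals` maps approver name -> set of groups that approver belongs to."""
    valid = {user: groups for user, groups in approvals.items() if user != author}
    if len(valid) < required_count:
        return False, f"{len(valid)} of {required_count} approvals"
    missing = [g for g in required_groups
               if not any(g in groups for groups in valid.values())]
    if missing:
        return False, "missing approval from: " + ", ".join(missing)
    return True, "merge allowed"
```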
Continuous Integration
Get code into different stages earlier by integrating code frequently to detect, locate and fix errors quickly. Making smaller changes leaves teams with fewer variables to consider when fixing errors and bugs.
● Automatic dynamic scanning with automatic deployments to test environments
● Humans test for vulnerabilities
● Security testers
● Business users
Get code into staging or test environment early.
Security Development Process - Evolution
[Figure: development timeline running from Idea to v1 to v2, with security activities layered onto it: Internal Security Audit, Vulnerability Scan, Penetration Test, Developer Training, Static Analysis, Dynamic Analysis, Bug Bounties, Test Driven Dev.]
GitLab’s Case Study #1
Example Report received via HackerOne:
https://hackerone.com/reports/186194
Researcher provides a brief summary of the vulnerability, proof of concept (not using production systems), a listing of the vulnerable code (nice!), and a proposed fix (also nice!).
GitLab’s Case Study #2
Example Report received via HackerOne:
https://hackerone.com/reports/215384
This time a researcher found a vulnerability in the just released subgroups feature of GitLab 9.0.
Report received on March 22nd. 9.0 had just been released that day.
Our specs, feature tests, internal code reviews, static, and dynamic analysis tools failed to find this authorization vulnerability.
Get started
How you can help your team innovate faster and maintain quality & security
● Ship inherently secure code
● Build a collaborative culture
● Encourage small, iterative changes and commit often!
● Start code review early in the development process
● Continuously integrate code & automate tests
● Leverage the hacker community to quickly and safely spot security vulnerabilities