How GitLab and HackerOne help organizations innovate faster without compromising security
1 like7,248 views
The document outlines a webinar focused on how to innovate quickly while maintaining security and quality in software development, featuring insights from GitLab's product manager and security lead. Key topics include the importance of integrating security throughout the software development lifecycle, employing collaborative code reviews, and leveraging the hacker community for vulnerability discovery. The presentation emphasizes the need for smaller changes, early security involvement, and continuous integration to enhance both security and development efficiency.
How GitLab and HackerOne help organizations innovate faster without compromising security
- 1. Innovate faster without sacrificing security or quality Victor Wu - Product Manager, GitLab Brian Neel - Security Lead, GitLab
- 2. ● We will be recording this webinar and it will be available online. ● The slides will be sent with the recording via email. ● Please ask Victor and Brian questions! A few housekeeping items 2 Questions can be asked at any time by typing in the “Questions” tab on your screen and pressing send.
- 3. The World’s #1 Bug Bounty & Vulnerability Disclosure Platform
- 4. We connect organizations with the largest community of trusted hackers to discover security vulnerabilities before they can be exploited by criminals.
- 6. Trusted By
- 7. Subscribe to our fresh newsletter: www.hackerone.com/zerodaily
- 8. 8 AGENDA 1. Introduction 2. Speed, Security, and Quality 3. Security across the SDLC 4. Why we work with the community 5. How GitLab leverages HackerOne 6. Q&A
- 9. 9 DEVELOPMENT DELIVERY PLAN Chat Issue Tracker Issue Weights Issue Board Time Tracking CODE Repository Management Merge Requests Code Review Diff Tools TEST GitLab CI Autoscale Runners Review Apps DEPLOY CI/CD Pipelines Auto or Manual Deploy Container Registry Chat Ops ANALYZE Contributor Analytics Release Cycle Analytics Prometheus Monitoring End-to-End Software Development Platform
- 10. Speed, Security & Quality 10 Yes, it’s possible!
- 11. But it requires finely-tuned processes and collaboration across stakeholders. 11 Source: 2016 Global Developer Survey
- 12. Innovate faster without sacrificing security 12 ● Make smaller changes & commit often ● Involve collaborators and approvers sooner ● Code review - “Shift Left” ● Security controls baked into each stage of your development process ● Security as a first-class citizen stakeholder
- 13. Security Across the Software Dev Lifecycle 13
- 14. Ship inherently secure code. 14 Security starts with code. Developers should always have security top of mind when writing code. Code review is a collaborative process that should begin early in the development phase. Depends on your code frameworks and your code architecture Expertise and resources Systems and data
- 15. Start the conversation early with diff tools and merge requests. 15 ● Make small, iterative changes ● Keep conversations in context ● Catch bugs or broken code early
- 16. Access Control & Approvals 16 Merge request approvals act as a quality gate to your master branch. ● Ensure the right experts are reviewing code before it’s merged ● Encourages cross-functional conversations to happen at an earlier stage in development ● Approvers may include a security stakeholder
- 17. Access Control & Approvals 17 Protected branches: ● Prevents pushes from everybody except users with permission ● Prevents anyone from force pushing to the branch ● Prevents anyone from deleting the branch ● E.g. feature touches sensitive customer data
- 18. Continuous Integration 18 Get code into different stages earlier by integrating code frequently to detect, locate and fix errors quickly. Making smaller changes leave teams with less variables to consider when fixing errors and bugs.
- 19. 19 ● Automatic dynamic scanning with automatic deployments to test environments ● Humans test for vulnerabilities ● Security testers ● Business users Get code into staging or test environment early.
- 20. Why we work with our community to spot & prioritize security issues and bug bounties 20
- 21. 21 Security Development Process - Evolution Idea v1 v2 Internal Security Audit Development Timeline Vulnerability Scan Penetration Test Developer Training Static Analysis Dynamic Analysis Bug Bounties Test Driven Dev.
- 22. 22 GitLab’s Case Study #1 Example Report received via HackerOne: https://hackerone.com/reports/186194 Researcher provides a brief summary of the vulnerability, proof of concept (not using production systems), a listing of the vulnerable code (nice!), and a proposed fix (also nice!).
- 23. 23
- 24. 24 GitLab’s Case Study #2 Example Report received via HackerOne: https://hackerone.com/reports/215384 This time a researcher found a vulnerability in the just released subgroups feature of GitLab 9.0. Report received on March 22nd. 9.0 had just been released that day. Our specs, feature tests, internal code reviews, static, and dynamic analysis tools failed to find this authorization vulnerability.
- 25. 25
- 26. Get started 26 How you can help your team innovate faster and maintain quality & security ● Ship inherently secure code ● Build a collaborative culture ● Encourage small, iterative changes and commit often! ● Start code review early in the development process ● Continuously integrate code & automate tests ● Leverage the hacker community to quickly and safely spot security vulnerabilities
- 27. Q & A 27 Victor Wu Product Manager, GitLab Brian Neel Security Lead, GitLab