
How GitLab and HackerOne help organizations innovate faster without compromising security

Jan 23, 2018

Transcript
Page 1: How GitLab and HackerOne help organizations innovate faster without compromising security

Innovate faster without sacrificing security or quality

Victor Wu - Product Manager, GitLab

Brian Neel - Security Lead, GitLab

Page 2

A few housekeeping items

● We will be recording this webinar and it will be available online.
● The slides will be sent with the recording via email.
● Please ask Victor and Brian questions!

Questions can be asked at any time by typing in the “Questions” tab on your screen and pressing send.

Page 3

The World’s #1 Bug Bounty & Vulnerability Disclosure Platform

Page 4

We connect organizations with the largest community of trusted hackers to discover security vulnerabilities before they can be exploited by criminals.

Page 5

How HackerOne Works

Page 6

Trusted By

Page 7

Subscribe to our fresh newsletter: www.hackerone.com/zerodaily

Page 8

AGENDA

1. Introduction

2. Speed, Security, and Quality

3. Security across the SDLC

4. Why we work with the community

5. How GitLab leverages HackerOne

6. Q&A

Page 9

End-to-End Software Development Platform

DEVELOPMENT / DELIVERY

PLAN: Chat, Issue Tracker, Issue Weights, Issue Board, Time Tracking
CODE: Repository Management, Merge Requests, Code Review, Diff Tools
TEST: GitLab CI, Autoscale Runners, Review Apps
DEPLOY: CI/CD Pipelines, Auto or Manual Deploy, Container Registry, Chat Ops
ANALYZE: Contributor Analytics, Release Cycle Analytics, Prometheus Monitoring

Page 10

Speed, Security & Quality

Yes, it’s possible!

Page 11

But it requires finely-tuned processes and collaboration across stakeholders.

Source: 2016 Global Developer Survey

Page 12

Innovate faster without sacrificing security

● Make smaller changes & commit often
● Involve collaborators and approvers sooner
● Code review - “Shift Left”
● Security controls baked into each stage of your development process
● Security as a first-class stakeholder

Page 13

Security Across the Software Dev Lifecycle

Page 14

Ship inherently secure code.

Security starts with code. Developers should always have security top of mind when writing code. Code review is a collaborative process that should begin early in the development phase.

● Depends on your code frameworks and your code architecture
● Expertise and resources
● Systems and data

Page 15

Start the conversation early with diff tools and merge requests.

● Make small, iterative changes
● Keep conversations in context
● Catch bugs or broken code early

Page 16

Access Control & Approvals

Merge request approvals act as a quality gate to your master branch.

● Ensure the right experts are reviewing code before it’s merged

● Encourages cross-functional conversations to happen at an earlier stage in development

● Approvers may include a security stakeholder

Page 17

Access Control & Approvals

Protected branches:

● Prevents pushes from everybody except users with permission
● Prevents anyone from force pushing to the branch
● Prevents anyone from deleting the branch
● E.g. feature touches sensitive customer data
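As an added illustration (not GitLab's implementation), the Ruby pre-receive hook below enforces the three protected-branch rules listed above at the git level: a push allowlist, no non-fast-forward (force) pushes, and no deletions. Git hands a hook one `old-sha new-sha refname` line per updated ref on standard input; a zero SHA as the old value means the ref is being created, as the new value that it is being deleted. The policy table, the user names and the reliance on a GL_USERNAME environment variable are assumptions made for the example.

```ruby
#!/usr/bin/env ruby
# Added example, not GitLab's code: a pre-receive hook that applies the
# protected-branch rules from the slide. Git passes one line per updated ref
# on stdin: "<old-sha> <new-sha> <refname>". A zero SHA as old means the ref
# is being created; as new, that it is being deleted.

ZERO_SHA = '0' * 40

# Assumed policy table: protected refs and the users allowed to push to them.
PROTECTED = {
  'refs/heads/master' => %w[alice bob]
}.freeze

# Decide one ref update. `ancestor` is a callable answering "is old_sha
# reachable from new_sha?", injected so the policy can be tested without a
# repository; the real hook passes GIT_ANCESTOR below.
def check_update(old_sha, new_sha, ref, user, ancestor:)
  allowed = PROTECTED[ref]
  return [:allow, 'unprotected ref'] if allowed.nil?
  return [:deny, "#{user} is not allowed to push to #{ref}"] unless allowed.include?(user)
  return [:deny, "deleting protected branch #{ref} is not permitted"] if new_sha == ZERO_SHA
  return [:allow, 'branch created'] if old_sha == ZERO_SHA
  return [:deny, "non-fast-forward (force) push to #{ref} rejected"] unless ancestor.call(old_sha, new_sha)
  [:allow, 'fast-forward update']
end

# Check every ref in the push; returns the denial messages. Any denial means
# the hook should exit non-zero, which makes git reject the whole push.
def check_push(lines, user, ancestor:)
  lines.each_with_object([]) do |line, denials|
    old_sha, new_sha, ref = line.split
    verdict, reason = check_update(old_sha, new_sha, ref, user, ancestor: ancestor)
    denials << "#{ref}: #{reason}" if verdict == :deny
  end
end

# Real ancestry test: `git merge-base --is-ancestor A B` exits 0 when A is an
# ancestor of B, i.e. when the update is a fast-forward.
GIT_ANCESTOR = lambda do |old_sha, new_sha|
  system('git', 'merge-base', '--is-ancestor', old_sha, new_sha)
end

# Install via a one-line hooks/pre-receive wrapper:
#   exec ruby /path/to/protected_branches.rb --hook
# The pushing user is read from GL_USERNAME (assumed to be set by the git
# server, as GitLab Shell does) and falls back to the OS user.
if $PROGRAM_NAME == __FILE__ && ARGV.first == '--hook'
  user = ENV.fetch('GL_USERNAME') { ENV.fetch('USER', 'unknown') }
  denials = check_push(STDIN.each_line, user, ancestor: GIT_ANCESTOR)
  denials.each { |message| warn "remote: #{message}" }
  exit(denials.empty? ? 0 : 1)
end
```

The ancestry check is the only part that needs a repository; everything else is a pure decision over the three fields git supplies, which is what makes the rules easy to unit-test and to reason about (a force push is simply an update whose old tip is not reachable from the new one).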

Page 18

Continuous Integration

Get code into different stages earlier by integrating code frequently to detect, locate and fix errors quickly. Making smaller changes leaves teams with fewer variables to consider when fixing errors and bugs.

Page 19

Get code into staging or test environment early.

● Automatic dynamic scanning with automatic deployments to test environments
● Humans test for vulnerabilities:
  ● Security testers
  ● Business users

Page 20

Why we work with our community to spot & prioritize security issues and bug bounties

Page 21

Security Development Process - Evolution

Development timeline: Idea, v1, v2

Internal Security Audit
Vulnerability Scan
Penetration Test
Developer Training
Static Analysis
Dynamic Analysis
Bug Bounties
Test Driven Dev.

Page 22

GitLab’s Case Study #1

Example Report received via HackerOne:

https://hackerone.com/reports/186194

Researcher provides a brief summary of the vulnerability, proof of concept (not using production systems), a listing of the vulnerable code (nice!), and a proposed fix (also nice!).

Page 23

Page 24

GitLab’s Case Study #2

Example Report received via HackerOne:

https://hackerone.com/reports/215384

This time a researcher found a vulnerability in the just-released subgroups feature of GitLab 9.0.

Report received on March 22nd. 9.0 had just been released that day.

Our specs, feature tests, internal code reviews, and static and dynamic analysis tools all failed to find this authorization vulnerability.
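Why do specs, code review and scanners routinely miss authorization bugs? Usually because the suite asserts only that permitted users get access and never that the wrong users are denied, and scanners have no model of who should see what. The Ruby sketch below is an added, hypothetical illustration of that gap, not the flaw in the report above (which the slides do not describe) and not GitLab's code: a toy group/subgroup model, a correct read policy beside an over-permissive one, and the positive and negative specs that do and do not tell them apart. Every name in it (Group, CorrectPolicy, OverPermissivePolicy, alice, carol, mallory) is invented.

```ruby
# Added example, not GitLab's code: a toy group/subgroup model with a correct
# read policy beside a hypothetical over-permissive one, and the positive and
# negative specs that do and do not distinguish them. All names are invented.

class Group
  attr_reader :name, :visibility, :parent, :members, :children

  def initialize(name, visibility, parent: nil)
    @name = name
    @visibility = visibility # :public or :private
    @parent = parent
    @members = []
    @children = []
    parent.children << self if parent
  end

  def member?(user)
    members.include?(user)
  end

  # Parent, grandparent, ... up to the root group.
  def ancestors
    chain = []
    group = parent
    while group
      chain << group
      group = group.parent
    end
    chain
  end

  # Every subgroup below this one.
  def descendants
    children.flat_map { |child| [child] + child.descendants }
  end
end

module CorrectPolicy
  # Membership is inherited downward only: a private group is readable by its
  # own members and by members of any ancestor group.
  def self.can_read?(user, group)
    return true if group.visibility == :public
    ([group] + group.ancestors).any? { |g| g.member?(user) }
  end
end

module OverPermissivePolicy
  # Hypothetical bug: "member anywhere in the same tree" is accepted, so a
  # subgroup-only member can read its private parent.
  def self.can_read?(user, group)
    return true if group.visibility == :public
    ([group] + group.ancestors + group.descendants).any? { |g| g.member?(user) }
  end
end

# Constructed fixture: a private parent with one member and a private subgroup
# whose member belongs only to the subgroup.
def fixture
  parent = Group.new('acme', :private)
  sub = Group.new('acme/payments', :private, parent: parent)
  parent.members << 'alice'
  sub.members << 'carol'
  { parent: parent, sub: sub, outsider: 'mallory' }
end

# Positive specs: everyone who should have access does. Both policies pass.
def positive_specs_pass?(policy)
  f = fixture
  policy.can_read?('alice', f[:parent]) &&
    policy.can_read?('alice', f[:sub]) &&
    policy.can_read?('carol', f[:sub])
end

# Negative specs: everyone who must be denied is. Only the correct policy
# passes; this is the assertion a suite needs in order to catch the bug above.
def negative_specs_pass?(policy)
  f = fixture
  !policy.can_read?('carol', f[:parent]) &&
    !policy.can_read?(f[:outsider], f[:parent]) &&
    !policy.can_read?(f[:outsider], f[:sub])
end

if $PROGRAM_NAME == __FILE__
  [CorrectPolicy, OverPermissivePolicy].each do |policy|
    puts "#{policy}: positive=#{positive_specs_pass?(policy)} negative=#{negative_specs_pass?(policy)}"
  end
end
```

The practical takeaway for a new feature that changes who can see what: write the denial cases (non-member, member of a sibling, member of a child) as first-class specs alongside the access cases, because a green suite of positive tests says nothing about over-permission.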

Page 25

Page 26

Get started

How you can help your team innovate faster and maintain quality & security

● Ship inherently secure code

● Build a collaborative culture

● Encourage small, iterative changes and commit often!

● Start code review early in the development process

● Continuously integrate code & automate tests

● Leverage the hacker community to quickly and safely spot security vulnerabilities

Page 27

Q & A

Victor Wu Product Manager, GitLab

Brian Neel Security Lead, GitLab