Secure Composition Analysis Priorities 2020

Priorities

Complete

Remove Docker and Docker

Support Offline Security Scanning (Offline / Limited Connectivity / Air-gapped vulnerability analysis and license compliance for on-prem instances) MVC

Support Offline Security Scanning (Offline / Limited Connectivity / Air-gapped vulnerability analysis and license compliance for on-prem instances) post-mvc

MVC - *MAU Usage Data product metrics

We need to know more about how our users use the product and what our product is doing to better prioritize bugs, requests and work.

• 13.7
• 13.8

AST Leadership

We wish to become recognized as a leader in Application Security Testing (AST)

AST Leadership

Dependency Scanning - Viable to Complete

Many customers make buying decisions based on the Gartner magic quadrant, so we want to focus on ~"Category:Dependency Scanning" primarily as that is a key factor in the AST MQ. We would like to move this to Complete Maturity in 2020.

5 - GitLab on GitLab Dogfooding Dependency Scanning

6 - Azure / OpenShift

Will not have time

7 - .Net Core and Framework support

8 - Stability and Reliability

This includes preventing technical debt (keeping components up to date), as well as bugs and addressing technical debt)

This means to me - ~performance ~availability Application Limits ~P1 ~S1 ~bug UX Dev Team

We'll need to continue to hit ~"technical debt" that is blocking us from moving forward on our big goals.

We need to be careful to add relevant test as we go forward, and take some time to add missed historic tests.

9 - Enterprise Ready

The company has a goal to be enterprise ready. This will be partially addressed by items above, but calling it out below:

• Enable 3rd Parties to integrate their own scanners aka security reports integration
• (from above) ~performance ~availability Application Limits
• (from above)Air-Gap
• (from above)Support .Net
  • Improve support of .NET in Dependency Scanning
  • Improve support of .NET in License Compliance
  • .NET Applications Development

11 - License Compliance

• ~"Category:License Compliance" research on group settings will continue as this research is applicable for all scanners as we want each to have group options
• urgent ~p1 ~s1 ~bug will be addressed

anything else will be %Backlog for now

12 - dependency list aka Software Bill of Materials or SBoM

• Anything deemed required as part of getting ~"Category:Dependency Scanning" to complete will be covered
• urgent ~p1 ~s1 ~bug

anything not directly related to that effort will be %Backlog

14 Languages

Check the coverage of languages in secure, for Dogfooding, and against utilization found here

15 OSS Scanners to Core

Epic: Move selected security features to Core

Support Offline Security Scanning (Offline / Limited Connectivity / Air-gapped vulnerability analysis and license compliance for on-prem instances) usability improvements

Support Offline Security Scanning (Offline / Limited Connectivity / Air-gapped vulnerability analysis and license compliance for on-prem instances) License Compliance backlog

Post-MVC Usage Data product metrics

References

• https://about.gitlab.com/direction/secure/
• https://about.gitlab.com/handbook/product/categories/#composition-analysis-group

changed the description

changed the description

changed the description

mentioned in merge request gitlab-com/www-gitlab-com!41593 (merged)

changed the description

marked the checklist item Update ~"Category:Dependency Scanning" and ~"Category:License Compliance" and Category:Container Scanning categories.yml to update maturity - gitlab-com/www-gitlab-com!41593 (merged) as completed

changed the description

mentioned in issue gitlab-org/gitlab#9329 (closed)

mentioned in issue gitlab-org/gitlab#10534

mentioned in issue gitlab-org/gitlab#13489 (closed)

mentioned in issue gitlab-org/gitaly#1522 (closed)

mentioned in issue gitlab-org/gitlab#10385 (closed)

mentioned in issue gitlab-org/gitlab#31036 (closed)

mentioned in issue gitlab-org/gitlab#32600 (closed)

mentioned in issue gitlab-org/gitlab#34210

mentioned in issue gitlab-org/gitlab#34209 (closed)

mentioned in issue gitlab-org/gitlab#37968 (closed)

mentioned in issue gitlab-org/gitlab#37999 (closed)

mentioned in issue gitlab-org/gitlab#13137

mentioned in issue gitlab-org/gitlab#35661 (closed)

mentioned in issue gitlab-org/gitlab#198152 (closed)

mentioned in issue gitlab-org/gitlab#36887 (closed)

mentioned in issue gitlab-org/gitlab#33870 (closed)

mentioned in issue gitlab-org/gitlab#29101 (closed)

mentioned in issue gitlab-org/gitlab#12685 (closed)

mentioned in issue gitlab-org/gitlab#8428 (closed)

mentioned in issue gitlab-org/gitlab#33050 (closed)

mentioned in issue #57 (closed)

changed the description

changed the description

mentioned in issue gitlab-org/gitlab#198516 (closed)

mentioned in issue gitlab-org/gitlab#205302 (closed)

added devopssecure groupcomposition analysis labels

mentioned in issue #69 (closed)

Removing

10 - security reports aka "Pipeline and Merge request Security Reports"

• Anything deemed needed as part of getting ~"Category:Dependency Scanning" to complete will be covered
• urgent ~p1 ~s1 ~bug

anything not directly related to that effort will be %Backlog

as this belongs to @matt_wilson now right?

Removing

12 - security reports integration

• Anything deemed required as part of getting to enterprise readiness above will be covered
• urgent ~p1 ~s1 ~bug

anything not directly related to that effort will be %Backlog

as belongs to @stkerr now right?

@stkerr @david just confirming as it's currently still SCA here - https://about.gitlab.com/handbook/product/product-categories/#other-functionality-in-secure-stage

@NicoleSchwartz I will do an MR tonight. It was waiting for the Protect change and that is now official.

And it belongs to @matt_wilson and the groupthreat insights team.

changed the description

changed the description

changed the description

mentioned in issue #80 (closed)

changed the description

mentioned in issue #87 (closed)

mentioned in issue #94 (closed)

mentioned in issue gitlab-org/gitlab#216645 (closed)

mentioned in issue gitlab-org/gitlab#215622 (closed)

mentioned in issue gitlab-org/gitlab#215635

13.0 #69 (closed)

13.1 #80 (closed)

13.2 #87 (closed)

13.3 #94 (closed)

mentioned in issue #98 (closed)

changed the description

changed the description

Removed "3rd parties integration"

per

2020-07-07

David: Internally focused is Matt, external/bizdev is SamK

mentioned in issue gitlab-org/gitlab#227633 (closed)

mentioned in issue gitlab-com/Product#1335

added Enterprise Edition GitLab Ultimate labels

added backend frontend labels

added typefeature label

added Planning Issue label

added Category:Container Scanning Category:Dependency Scanning [DEPRECATED] Category:License Compliance [DEPRECATED] labels

changed milestone to %Backlog

added meta label

mentioned in issue #107 (closed)

changed the description

changed the description

added sectionsec label

changed the description

mentioned in issue #113 (closed)

mentioned in issue #116 (closed)

added to epic gitlab-org&4488

mentioned in epic gitlab-org&1664

mentioned in issue gitlab-org/gitlab#255989 (closed)

per Realignment from Defend Stage to Protect Stage

removed

10 - Container Scanning

• Category:Container Scanning we will finish up the auto remediation MVC
• check Anchore
• urgent ~p1 ~s1 ~bug will be addressed

anything else will be %Backlog for now

also removed

13 - Policy Settings

epic

Secure, Defend, Compliance, and Policy Settings area in GitLab is %Backlog due to resource constraints

I assume an MR is on it's way to update this will check back later https://about.gitlab.com/handbook/product/product-categories/#other-functionality-in-secure-stage

removed Category:Container Scanning label

added Category:Container Scanning [deprecated] 🍎 labels

changed the description

removed [deprecated] 🍎 label

removed Category:Container Scanning label

changed the description