12.0 Secure retrospective
This is an asynchronous retrospective for the 12.0 release, following the process described at https://about.gitlab.com/handbook/engineering/management/team-retrospectives/.
This issue is private (confidential) to the Secure team, plus anyone else
who worked with the team during 12.0, to ensure everyone feels
comfortable sharing freely. On 2019-07-19 2019-06-26, the day of the engineering-wide
12.0 Retrospective, the issue will be opened up to the public, as long
as everyone is comfortable with this. You're free to redact any comments that
contain information that you'd like to stay private before that date.
Please look back at your experiences working on this release, ask yourself
For each point you want to raise, please create a new discussion with the relevant emoji, so that others can weigh in with their perspectives, and so that we can easily discuss any follow-up action items in-line.
If there is anything you are not comfortable sharing here, please message your manager directly. Note, however, that 'Emotions are not only allowed in retrospectives, they should be encouraged', so we'd love to hear from you here if possible.
Issues we shipped
- Implement Pagination according to Pajamas
- Dependency List - follow-up to preliminary frontend implementation
- Dependency List - Connect frontend to backend
- DAST moved to a monthly update instead of a weekly one
- Open Gemnasium Advisories Database
- Dependency List - Preliminary Frontend implementation
- Update process for Dependency Scanning vulnerabilities (PHP)
- Update process for Dependency Scanning vulnerabilities (Java)
- Get rid of dind for DAST
- File path overflow issue in vulnerability info modal
- Extract all the dependencies in the project
- Remove a backend limit for report types
- Revisit Data model for vulnerabilities
- Document SAST / DAST / license_management JSON format
- Product discovery for inline vulnerability management
- Align group and project level security dashboard UX
- Outdated python/pip in License Management yields InsecurePlatformWarning
- More issues - this list only includes deliverables!
Issues that slipped
- Dependency List private API endpoint
- Document Docker requirements for Security features
- Dependency List - follow-up to preliminary frontend implementation
- Dependency List - Connect frontend to backend
- Define process and tools to publish advisories to Gemnasium DB, try to automate the process
- SAST job is timing out
- Container Scanning doesn't work behind a proxy
- Follow-up from "Copy and merge the existing DAST docs to a new location"
- Investigate why ZAP does not report more findings for WebGoat
- Document all the available options for DAST
- Dependency List MVC
- Security approval in merge requests MVC
- OWASP WebGoat project support: Dependency Scanning
- Ensure security features can be tested in GitLab review apps
- Total deliverables closed: 17
- Total issues closed: 38
- Total MRs merged: 79