Commit 4b455aa9 authored by David DeSanto's avatar David DeSanto

Merge branch 'ddesanto-update-secure-direction-whats-next' into 'master'

Secure Direction -- Update Direction With "What's Next For Secure"

See merge request gitlab-com/www-gitlab-com!37024
parents 13682cf8 47dc5146
......@@ -67,7 +67,23 @@ As a result, in three years, Gitlab will:
* Introduce categories that enable real-time and continuous verification of operations / production
* Expand focus within preexisting categories to apply knowledge / results from one scan type to optimize another scan type's configuration
 
## What's Next for Secure
## 1 Year Plan: What's Next for Secure
To meet our [audacious goals](https://about.gitlab.com/company/strategy/#big-hairy-audacious-goal), the Secure Section will focus on the following over the next 12 months:
* **Dogfooding** - We will [“practice what we preach”](https://www.dictionary.com/browse/practice-what-you-preach), including leveraging Secure Categories in all things GitLab does. This tight circle will provide immediate feedback and increase our rate of learning.
* **Security for everyone** - In order to make security accessible to everyone across the DevOps lifecycle, we will bring all Secure OSS scanners to Core (self-hosted) / Free (GitLab.com).
* **API first** - API proliferation will continue as more companies focus on ways to integrate technologies. As such, we will focus on security testing of APIs including verifying standards like the [OWASP Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) and [API fuzz testing](https://gitlab.com/gitlab-org/gitlab/issues/33906).
* **Historical trending** - Provide a focus on identifying patterns in security findings with a goal of helping everyone code securely. Make recommendations on remediation with a goal of providing automatic remediation wherever possible.
* **Provide Dynamic Analysis in production** - Enable Dynamic Analysis Categories to empower users to scan and assess applications and services deployed to production / operations.
* **Integrations** - Enable third parties to easy integrate their security solutions into Ultimate (self-hosted) / Gold (GitLab.com). This includes providing APIs and a standard reporting framework so everyone can bring their preferred security tools into Ultimate (self-hosted) / Gold (GitLab.com).
* **Differentiate** on value in Ultimate and Gold - Running a security test is just the beginning. We want to provide a first-class experience and enable users to make data-driven decisions to secure their applications and services as well as their enterprise.
The following will NOT be a focus over the next 12 months:
* **Machine learning (ML)** - ML techniques and modeling is planned as part of Secure’s 3 Year Strategy; however, other areas must be invested in first. This includes updating how we store security findings such that historical trends can be identified and reported.
* **Protocol fuzzing** - Fuzzing the entire application technology stack is part of Secure’s 3 Year Strategy; however, we will focus on applications and APIs first. The shift to protocol fuzzing will occur as Viable and Complete [maturities](https://about.gitlab.com/direction/maturity/#legend) are achieved on DAST and API security testing.
* **Responsible disclosure** - GitLab will become both a CVE Numbering Authority (CNA) for GitLab applications as well as for researchers and technologists to use when reporting new vulnerabilities (within any application, service, or operating system). As part of Secure’s 3 Year Strategy, we want to support the entire vulnerability lifecycle to enable ease-of-use when it comes to [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure).
Please explore the individual [Category](https://about.gitlab.com/direction/secure/#categories) Direction pages for more information on 12 month plans.
 
## Security Paradigm
 
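Review bot: the Integrations bullet reads "Enable third parties to easy integrate their security solutions" and should be "easily integrate"; in the same region, the Machine learning bullet's "ML techniques and modeling is planned" should be "are planned". Two smaller consistency points in the added list: every other item bolds its whole label, but the last item bolds only the first word ("**Differentiate** on value in Ultimate and Gold -"), so "**Differentiate on value in Ultimate and Gold** -" would match the rest; and the Responsible disclosure item sits under "will NOT be a focus over the next 12 months" yet opens with the commitment "GitLab will become both a CVE Numbering Authority (CNA)", so it would read more clearly if it stated up front that the CNA work belongs to the 3 Year Strategy rather than this year's plan.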