Commit b93b14c5 authored by David DeSanto

add "What's Next For Secure" to Secure Direction page

parent 11c900d4
@@ -69,6 +69,18 @@ As a result, in three years, Gitlab will:
 
## What's Next for Secure
 
To meet our [audacious goals](https://about.gitlab.com/company/strategy/#big-hairy-audacious-goal), the Secure Section will focus on the following over the next 12 months:
* **Dogfooding** - We will [“practice what we preach”](https://www.dictionary.com/browse/practice-what-you-preach), including leveraging Secure Categories in all things GitLab does. This tight looped circle will provide immediate feedback and increase our rate of learning.
* **Security for everyone** - In order to make security accessible to everyone across the DevOps lifecycle, we will bring all Secure OSS scanners to Core (self-hosted) / Free (GitLab.com).
*
The following will NOT be a focus over the next 12 months:
* **Machine learning (ML)** - ML techniques and modeling is planned as part of Secure’s 3 Year Strategy however other areas must be invested in first. This includes updating how we store security findings such that historical trends can be identified and reported.
* **Protocol fuzzing** - Fuzzing the entire application technology stack is part of Secure’s 3 Year Strategy however we will focus on applications and APIs first. The shift to protocol fuzzing will occur as viable and complete maturities are achieved on DAST and API security testing
* **Responsible disclosure** - GitLab will become both a CVE Numbering Authority (CNA) for GitLab applications as well as for researchers and technologists to use when reporting new vulnerabilities (within any application, service, or operating system). As part of Secure’s 3 Year Strategy, we want to support the entire vulnerability lifecycle to enable ease-of-use when it comes to [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure).
Please explore the individual [Category](https://about.gitlab.com/direction/secure/#categories) Direction pages for more information on 12 month plans.
## Security Paradigm
 
We want to provide feedback during development and before your application is in production to reduce production vulnerabilities, and to reduce cycle time of releases by providing relevant point in time information. Think back on the recent breaches in the news, in most cases these were not the result of complex attacks, but rather teams who were unable for a variety of reasons to strictly follow best practices. We plan to assist you and your team to cover these, so your Security teams time and energy can focus on the more unique and advanced problems that you face in your risk profile, rather than spending time on things that are low hanging fruit.
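Review bot: the "12 months" focus list in this hunk ends with an empty bullet (a bare `*` immediately after the "Security for everyone" item) that will render as a blank list entry; either fill in the intended third item or drop the line. Two smaller points in the same hunk: "ML techniques and modeling is planned" should read "are planned", and the "Protocol fuzzing" bullet is missing its terminating period ("...DAST and API security testing"). Also, the surrounding file separates headings with blank lines (see the blank lines around "## What's Next for Secure" and before "We want to provide feedback"), but the new "Please explore the individual Category Direction pages..." line runs directly into "## Security Paradigm" and the focus list follows its intro sentence without a blank line; add the blank lines so the section matches the rest of the page's markdown layout.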