<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Vulnerability Management on Romano Roth</title><link>https://romanoroth.com/en/tags/vulnerability-management/</link><description>Recent content in Vulnerability Management on Romano Roth</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>Romano Roth</copyright><lastBuildDate>Tue, 13 Jun 2023 00:00:00 +0000</lastBuildDate><atom:link href="https://romanoroth.com/en/tags/vulnerability-management/index.xml" rel="self" type="application/rss+xml"/><item><title>GitHub DevSecOps Part 12: Our Recommendations and Lessons Learned</title><link>https://romanoroth.com/en/blogs/github-devsecops-recommendations/</link><pubDate>Tue, 13 Jun 2023 00:00:00 +0000</pubDate><guid>https://romanoroth.com/en/blogs/github-devsecops-recommendations/</guid><description>&lt;p>After eleven sessions building a full DevSecOps pipeline with GitHub — covering Software Composition Analysis, License Compliance, SAST, Container Scanning, Secret Detection, DAST, Pull Requests, Scheduled Pipelines, and Vulnerability Management — Patrick Steger and I close the series with our recommendations. What works on GitHub, where the gaps are, and what we would tell anyone setting out to build the same pipeline.&lt;/p></description></item><item><title>GitHub DevSecOps Part 9: Vulnerability Management</title><link>https://romanoroth.com/en/blogs/github-devsecops-vulnerability-management/</link><pubDate>Mon, 22 May 2023 00:00:00 +0000</pubDate><guid>https://romanoroth.com/en/blogs/github-devsecops-vulnerability-management/</guid><description>&lt;p>We have spent the previous eight sessions adding scanners to our GitHub DevSecOps pipeline — SCA, SAST, container scanning, secret detection, DAST. The scanners now produce a steady stream of findings, and the question is: where do we manage them? 
In Part 9, Patrick Steger and I look at GitHub&amp;rsquo;s built-in Vulnerability Management — the Security Tab — and call out what it does well and what is still missing.&lt;/p></description></item><item><title>GitHub DevSecOps Part 3: Software Composition Analysis with Dependabot and CRDA</title><link>https://romanoroth.com/en/blogs/github-devsecops-sca/</link><pubDate>Thu, 19 Jan 2023 00:00:00 +0000</pubDate><guid>https://romanoroth.com/en/blogs/github-devsecops-sca/</guid><description>&lt;p>GitHub does not ship a default SCA tool the way GitLab does. You have to combine two things: a platform feature called Dependabot and an SCA action from the Marketplace. In Part 3 of the GitHub DevSecOps series, Patrick Steger and I wire both into our pipeline — and find out the hard way that the Marketplace path is not as smooth as the slides suggest.&lt;/p></description></item><item><title>GitLab vs. GitHub: DevSecOps Pipeline</title><link>https://romanoroth.com/en/blogs/gitlab-vs-github-devsecops/</link><pubDate>Wed, 28 Dec 2022 11:25:25 +0000</pubDate><guid>https://romanoroth.com/en/blogs/gitlab-vs-github-devsecops/</guid><description>&lt;p>by &lt;a href="https://www.linkedin.com/in/romanoroth/" target="_blank" rel="noreferrer">Romano Roth&lt;/a> and &lt;a href="https://www.linkedin.com/in/patrick-steger-ch/" target="_blank" rel="noreferrer">Patrick Steger&lt;/a>&lt;/p>
&lt;p>This video series will show you how to build up an enterprise-ready DevSecOps Pipeline with GitLab and GitHub and compare the two platforms.&lt;/p></description></item><item><title>GitLab DevSecOps Part 12: Our Recommendations and Lessons Learned</title><link>https://romanoroth.com/en/blogs/gitlab-devsecops-recommendations/</link><pubDate>Wed, 16 Nov 2022 00:00:00 +0000</pubDate><guid>https://romanoroth.com/en/blogs/gitlab-devsecops-recommendations/</guid><description>&lt;p>After eleven sessions building a full DevSecOps pipeline with GitLab — from Software Composition Analysis to Container Scanning, SAST, Secret Detection, DAST, merge request integration, and scheduled pipelines — Patrick Steger and I close the series with our recommendations. What worked, what tripped us up, and what we would tell anyone setting out to build the same pipeline today.&lt;/p></description></item><item><title>GitLab DevSecOps Part 10: How to Do a Merge Request the Right Way</title><link>https://romanoroth.com/en/blogs/gitlab-devsecops-merge-request/</link><pubDate>Wed, 02 Nov 2022 00:00:00 +0000</pubDate><guid>https://romanoroth.com/en/blogs/gitlab-devsecops-merge-request/</guid><description>&lt;p>In the previous nine sessions Patrick Steger and I built a GitLab DevSecOps pipeline that runs SAST, secret detection, software composition analysis, container scanning and DAST. Useful — but only if it actually catches issues &lt;em>before&lt;/em> they reach the default branch. 
In Part 10 we close that loop: we wire the pipeline into Merge Requests so every change is scanned, the deltas against the default branch are visible, and approvals are required when new high or critical vulnerabilities appear.&lt;/p></description></item><item><title>GitLab DevSecOps Part 9: Overcoming Vulnerability Management Challenges</title><link>https://romanoroth.com/en/blogs/gitlab-devsecops-vulnerability-management/</link><pubDate>Wed, 12 Oct 2022 00:00:00 +0000</pubDate><guid>https://romanoroth.com/en/blogs/gitlab-devsecops-vulnerability-management/</guid><description>&lt;p>After eight sessions of adding scanners to our GitLab pipeline — SAST, secret detection, SCA, license compliance, container scanning, DAST — we now have a different problem. We have hundreds of vulnerability findings. In Part 9, Patrick Steger and I look at GitLab&amp;rsquo;s built-in Vulnerability Management: what it gives you, where it falls short, and how to actually triage findings without losing your mind.&lt;/p></description></item><item><title>GitLab DevSecOps Part 3: Software Composition Analysis with Gemnasium</title><link>https://romanoroth.com/en/blogs/gitlab-devsecops-sca/</link><pubDate>Wed, 17 Aug 2022 00:00:00 +0000</pubDate><guid>https://romanoroth.com/en/blogs/gitlab-devsecops-sca/</guid><description>&lt;p>Your code is the small part. The libraries you pull in are the big part — and that is where most of your CVEs live. In Part 3 of the GitLab DevSecOps series, Patrick Steger and I bring up a tiny Spring Boot demo, wire it into a GitLab pipeline, and then add Software Composition Analysis with a single include line.&lt;/p></description></item></channel></rss>