Don't miss our GitLab experts taking the stage at OSCON!

OSCON date icon svg

July 15-18, 2019

OSCON location icon svg

Portland, OR, USA

OSCON booth icon svg

Booth # 611

Join us for our speaking sessions taking place at the conference

If you haven’t registered for OSCON yet, get started with your registration here.

Daniel Gruesso

Extreme Open Source: Building an Entire Product in the Open

Daniel Gruesso

“Product Manager"

Thursday, July 18


2:35 pm - 3:15 pm PT



We’ve all heard about the new startup operating in stealth mode. They’ve got their reasons to keep things quiet: stay lean, keep competitors in the dark, avoid upsetting customers who are waiting on a feature. But there is a better path out there that relies on the principles of open source. At GitLab, we build our product in the open.

In this talk, I define what building a product in the open means, how that dovetails perfectly with open source as a strategy, and share best practices. Topics covered include why and how to create public roadmaps and strategy docs; how they benefit sales, development, partnerships, and marketing; and how to co-develop in open source with, in our case 150,000+, user organizations.

Whether you’re founding a startup that is debating full transparency or your job requires top-secret security clearance, you’ll leave this talk inspired to be as transparent as possible in your work and better prepared to take advantage of the opportunities that being more open can provide.

Lucas Charles

Integrating security into modern software development: A workflow study

Lucas Charles

“Senior Software Engineer "

Wednesday, July 17


11:50 am - 12:30 pm PT



Application security testing has been around for a long time, yet successful attacks continue despite significant investments in application security. Should we be surprised when we’re applying testing tools developed more than 12 years ago to software development methods only made commonplace in the last 3–5 years? In addition, application security is least understood and often takes a back seat to perimeter and endpoint security. At the same time, there is a misconception that the cloud provider takes care of all the security, and few people have considered new attack surfaces introduced by containers and orchestration. Tesla showed us the fallacy here.

Traditional application security testing has been targeted to security professionals and is regarded as a separate process from development. This separation and delay creates friction in the process, with many trade-offs required. In an effort to improve application security testing, the new chant has been “shift left” to remove more vulnerabilities earlier and empower the developers.

Lucas examines the shortcomings of most shift-left efforts and how cloud native environments, agile DevOps processes, and minimum viable products with rapid iteration wreaks havoc on traditional security methodologies. He dives into how to bring security into DevOps while avoiding a complex DevOps tool chain that must be integrated with security testing and explores new ways of thinking of app security to turn the industry on its head by using concurrent DevOps—a method that makes it possible for product, development, QA, security, and operations teams to work at the same time. You’ll learn the three key requirements of your application security process needed to get you onto the road of an efficient and secure software development life cycle (SDLC).