From YouTube: Govern: Security Policies - Development Workflow
Description
Group page: https://about.gitlab.com/handbook/engineering/development/sec/govern/security-policies/
Planning Process: https://about.gitlab.com/handbook/engineering/development/sec/govern/sp-ti-planning.html
Priorities: https://about.gitlab.com/direction/govern/security_policies/#priorities
Group board: https://gitlab.com/groups/gitlab-org/-/boards/1754674?milestone_title=Started&label_name%5B%5D=group%3A%3Asecurity%20policies
EM README page: https://gitlab.com/mparuszewski
Hello, my name is Alan Paruszewski and I'm engineering manager for the Security Policies group, and I would like to welcome you to our team. I'm happy to see us working together and I'm looking forward to the future. I'd like to give you a small introduction to our team and let you know how we're operating today and how we want to operate in the future. However, feel free to suggest any changes, give me feedback about it and bring new ideas to improve it.
These processes are for us, to help us navigate to priorities and achieve our goals, and they must help us and not stand in our way. I'll go through a few pages that we have and give you just a little information; you'll be able to read more about it in the handbook. So, first of all, I'm going to start with our group page, where we keep all important links and information: how we work, prioritization and so on. So let me start with the first item, which is Security Policies.
Priorities list. We keep the priorities list as a YAML file and we collaborate with the product manager to make sure we're working on the same priorities, in the same order that they would like us to work on. So we keep them in an ordered list where we keep information about which priority it is, the name of the epic, the selected DRI for the epic, the t-shirt size for a given epic and the target release.
So, as you noticed, we have DRIs, and what does a DRI do? Let's take a look at the Threat Insights planning page and the description of a generic DRI. The DRI is taking care of creating the implementation issues, breaking them down, requesting feedback around them, writing those implementation issues, identifying if there is any additional research needed and creating a spike for it, making technical decisions, providing status updates when needed, and also identifying and communicating all blockers.
When are we creating those implementation issues and when are we deciding who is going to be a DRI? So usually epics are being designed or discussed between the PM, EM and UX designer, and at some point the epic is ready. When it's ready, it's being moved to the planning breakdown state, just like this one.
Once in the planning breakdown state, we can discuss it on our synchronous calls, or we can discuss it asynchronously as well. Once it's in the planning breakdown state, we can also select who's going to be a DRI for it. We either ask for a volunteer, or when we know that someone is an expert in a given area and they would like to continue working on this area, we're asking them to help. And then we also specify the probable size of the epic and also the target release when we would like to deliver it.
So this is how we prioritize, and then, if we go to how we do planning after planning breakdown, we are talking about refinement. You can read more about the refinement process here. The important thing is that once you create implementation issues and they are in the refinement state, they will be automatically assigned by the triage bot, based on our policy to assign refinements, and then you need to make sure it has all the important details that they need to have to start working on the given issue in the future.
So you can see during implementation, like when we're creating implementation issues, we're adding this information. Why are we doing this during the refinement section? We are talking about non-functional requirements and then we're adding an implementation plan. It usually looks like this: what files we would like to modify, what we would like to achieve with that modification, and then we're adding verification steps. Especially for more complex issues, we're adding those verification steps just to make sure that once we are verifying them, we're thinking about all edge cases beforehand and after that.
So if you want to read more about the refinement process and what kind of labels you should add, and so on, you can read about it here. Here are some guidelines on what to do and who to ask for help and so on, and these are all available here.
I will not go into all the details about it because you can find it easily here in the handbook. Once we have issues created and we have something in our backlog, before each milestone I'm going to be preparing the Security Policies planning issue, and this planning issue will be including two things that are important. First of all is the narrative, so trying to explain in my own words what we want to achieve.
So, first of all, we have this implementation with this planning issue, where we keep all the information about our goals, about the issues we'd like delivered. Second thing is that we also have a board. Since those issues are not pre-assigned, we keep a board, and the board is prioritized from top to bottom in terms of priorities.
So when you're looking for something new to work on, you first look at the refinement state. You look at the issues here and if it's not pre-assigned to someone else, because the bot is doing it automatically, you can take the next item from that list and you can start working on this one. Once it's refined from your perspective, you're asking someone else to review it and then, once it's reviewed, it's getting moved to the ready for development state.
Once it's verified by you, you leave it in the verification state, you add a comment that it was verified, you add some proof like a screenshot or video, and then you're just unassigning yourself and asking someone else to either verify it, or also we have a bot that will automatically find someone else to verify the issue. Once it's verified, it can be moved to the workflow complete state.
Okay, you can look for more information like priorities, group page, group board and metrics on the links added here, but also on your onboarding issue you'll find lots of links that you will read. Thank you, enjoy your time, and we're looking forward to working with you. Bye bye.