GitLab / Security Department

No description provided.

No description provided.

No description provided.

No description provided.

No description provided.

Links:

- GitLab Inventory Builder: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/gib
- Example inventory: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/inventory-example
- OKR: https://gitlab.com/groups/gitlab-com/gl-security/-/epics/106
- Issue to share your ideas: https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/162
- Categories MR: https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_requests/83315/

Philippe Lafoucrière's weekly update on the GitLab Inventory Build.


Links:

- GitLab Inventory Builder: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/gib
- Example inventory: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/inventory-example
- OKR: https://gitlab.com/groups/gitlab-com/gl-security/-/epics/106
- Issue to share your ideas: https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/162
- Categories MR: https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_requests/83315/

Links:

- GitLab Inventory Builder: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/gib
- Example inventory: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/inventory-example
- OKR: https://gitlab.com/groups/gitlab-com/gl-security/-/epics/106
- Issue to share your ideas: https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/162
- Categories MR: https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_requests/83315/

Philippe Lafoucrière, Engineer in the Security Department, introduces the GitLab Inventory Build, and the current progress on the project.


Links:

- GitLab Inventory Builder: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/gib
- Example inventory: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/inventory-example
- OKR: https://gitlab.com/groups/gitlab-com/gl-security/-/epics/106
- Issue to share your ideas: https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/162
- Categories MR: https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_requests/83315/

No description provided.

Security Awards Program update by Philippe Lafoucrière, Distinguished Security Engineer. The leaderboards are now updated automatically via the project pipeline.

The Security Department discusses the threat modeling process we plan on adapting to the rest of GitLab.

Handbook: https://about.gitlab.com/handbook/security/threat_modeling/
Template for issues or docs: https://gitlab.com/gitlab-com/gl-security/security-research/threat-modeling-template
Real world example: https://gitlab.com/gitlab-com/gl-security/security-research/gitlab-standalone-instance

No description provided.

SCM Capabilities Demo - Protect and secure product assets

This is a discussion between Ryan Demmer - Technical Recruiter and Jan Urbanc - Director, Security Operations about what it's like to work all remote on the Security team at GitLab. We hope you enjoy!

Join our GitLab Talent Community!
https://about.gitlab.com/jobs/

Find more information about being a Security Engineer at GitLab here:
https://about.gitlab.com/job-families/engineering/security-engineer/

Security Team Page:
https://about.gitlab.com/handbook/engineering/security/

Everyone wants to shift security left, but how? Security scans are unwieldy and don't fit an iterative, agile development cycle. We will step through the developers’ workflow and show exactly where application security can be embedded and automated - and best practices for optimal results.

This approach will benefit developers and security pros alike. See what can be achieved with a brief demo of an actual developer pipeline then ride along for the perspective of the security team. Learn how your app sec can become iterative, automated and embedded into the automated DevOps processes.
www.gitlab.com

https://about.gitlab.com/blog/2020/04/02/security-trends-in-gitlab-hosted-projects/

Top security risks include using components with known vulnerabilities, XSS, lack of secret management, lack of CSP, CSRF, and SQLi

No description provided.

Presentation Slides: https://docs.google.com/presentation/d/1U8r5CJs9dLOLO2-hj_bHidRMXugUl3ejv8Hdw6bDMv4/

How could user setup security approval rules.

Devin Harris (Senior Security Analyst, Field Security - https://about.gitlab.com/handbook/engineering/security/#field-security) and Jayson Salazar (Senior Security Engineer, Security Operations - https://about.gitlab.com/handbook/engineering/security/#security-operations) discuss what exactly the Security Operations Team Does at GitLab.

Jayson mentions several key links which are here:
- https://gitlab.com/gitlab-com/gl-security/secops/operations
- Slack: #security, #security-department, @secops-team, /security

Devin Harris (Senior Security Analyst, Field Security - https://about.gitlab.com/handbook/engineering/security/#field-security) and Greg Johnson (Senior Security Engineer, Red Team. - https://about.gitlab.com/handbook/engineering/security/#red-team) discuss what exactly the External Security Communications Team does at GitLab.

Greg mentions several key links which are here:
- https://about.gitlab.com/handbook/engineering/security/red-team-roe.html
- Slack: #security, #security-department

Devin Harris (Senior Security Analyst, Field Security - https://about.gitlab.com/handbook/engineering/security/#field-security) and Antony Saba (Senior Threat Intelligence Engineer - https://about.gitlab.com/handbook/engineering/security/#threat-intelligence) discuss what exactly the Threat Intelligence Team does at GitLab.

Antony mentions several key links which are here:
- https://about.gitlab.com/handbook/engineering/security/#engaging-the-security-on-call
- https://about.gitlab.com/handbook/engineering/security/#internal-application-security-reviews
-Slack: #security, #security-department, @sec-ops-team

Heather Simpson (Senior Security Analyst, External Communications - https://about.gitlab.com/handbook/engineering/security/#security-external-communications) and Devin Harris (Senior Security Analyst, Field Security - https://about.gitlab.com/handbook/engineering/security/#field-security) discuss what exactly the Field Security Team does at GitLab.

- Slack: #security-department, #security

Devin Harris (Senior Security Analyst, Field Security - https://about.gitlab.com/handbook/engineering/security/#field-security) and Heather Simpson (Senior Security Analyst, External Communications - https://about.gitlab.com/handbook/engineering/security/#security-external-communications) discuss what exactly the External Security Communications Team does at GitLab.

Heather mentions several key links which are here:
- https://gitlab.com/gitlab-com/gl-security/security-communications/communications/issues
- https://about.gitlab.com/blog/categories/security/

Devin Harris (Senior Security Analyst, Field Security - https://about.gitlab.com/handbook/engineering/security/#field-security) and Jennifer Blanco (Senior Security Analyst, Compliance - https://about.gitlab.com/handbook/engineering/security/#compliance) discuss what exactly the Compliance Team does at GitLab.

Jennifer mentions several key links which are here:
- https://about.gitlab.com/handbook/engineering/security/sec-controls.html
- https://about.gitlab.com/2019/05/07/choosing-a-compliance-framework/
- https://about.gitlab.com/2019/04/10/gitlab-security-tools-and-the-hipaa-risk-analysis/
- Slack: @sec-compliance-team

Devin Harris (Senior Security Analyst, Field Security - https://about.gitlab.com/handbook/engineering/security/#field-security) and Charl de Wit (Security Analyst, Abuse Operations - https://about.gitlab.com/handbook/engineering/security/#abuse-operations) discuss what exactly the Anti-Abuse Team does at GitLab.

Charl mentions several key links which are here:
- https://about.gitlab.com/terms/
- https://docs.gitlab.com/ee/user/abuse_reports.html
- Slack: @abuse-team

Security is a critical part of automating the DevOps lifecycle. Join us to learn how can healthcare and insurance providers within the BCBS network are developing a faster DevOps lifecycle by integrated security directly into the process with GitLab.