Description
Andrew Kelly, manager of our AppSec team, talks about his experience here at @Gitlab, including what makes GitLab a unique and exciting place to learn and grow.
See the GitLab handbook: https://about.gitlab.com/handbook/ and learn more about GitLab security programs at https://about.gitlab.com/security/.
We’re hiring! Check out our careers: https://about.gitlab.com/jobs/all-jobs/
The GitLab security department has about 70 people as of September 2022. There are several sub-departments that encompass different security functions, including the Security Assurance sub-department, the Security Operations sub-department, the Threat Management sub-department and the Security Engineering sub-department. My team, the Application Security team, is part of Security Engineering. Our team is responsible for working closely with GitLab team members in development, product and other security teams, as well as third-party groups, such as bug bounty reporters, to keep GitLab products secure.

Some of the tasks we perform include managing the bug bounty program, performing security-focused code reviews, and assisting in reproducing, triaging and addressing application security vulnerabilities. There's a number of other things that we do, which you can find in the GitLab handbook if you're interested.

One of the most exciting or interesting things about working at GitLab is that there's always something new to learn. There are so many product features, and there's always new features and new iterations and new things being added, that every month there's something new to look at or something new to learn about. This can present a challenge, and kind of an opportunity as well, for application security team members. It can be challenging to keep up with the pace at which the other teams are iterating.

There's always something new to look at and new to review, and things that are changing that could present new security challenges. But also there's an opportunity, because that process of learning something new allows us to keep our different skills sharp and to build in-depth knowledge on particular topics or technologies as they become a part of the product or related to the product. It's also nice that there are so many incredible and talented people here who are willing to share their knowledge and teach us, to teach each other about new things.

To be successful at GitLab, you really need to embrace the spirit of iteration, which is one of our core values. That means making the smallest viable and valuable change that we can, getting it out, and then getting feedback on it. This applies all over the company, from development to security, to People Ops and beyond, and it can be a really big shift for people, especially compared to other workplaces.

It can feel counter-intuitive, like you're not doing enough, and in the end some of the best changes that we've made at the AppSec team have been iterative. So it's something that takes time to practice, but it's definitely worth experimenting with and worth becoming adjusted to. The small changes are really what have helped us get to where we need to go, and the temptation can be to try and plan something out longer term, but at the end of the day, just choosing something to try that's new and different, that actually makes an impact, and then measuring that and evaluating it, has been a much better process for us on the AppSec team, and that applies to all the other GitLab teams that also work iteratively. This is also relatively easy to do at GitLab, because we dogfood GitLab the product, and that allows us to make issues and epics to kind of break the work down into different tasks and write things step by step.

The GitLab value that I really identify with the most is collaboration. That means working together effectively and making it a priority to help others, especially across different teams, and everything we do at GitLab, and even especially on the AppSec team, is a collaborative effort. For the AppSec team, we have to ask each other for ideas, or share knowledge, or help each other out if we don't know exactly how to approach a particular situation. But especially outside of the security team, we really need to have a whole bunch of other teams involved when it comes to fixing a vulnerability, or evaluating a security concern, or performing a code review. There are too many teams to name, but some examples: you know, the development teams bring subject matter expertise and they ultimately fix vulnerabilities, so we have to collaborate with them and work with them on that.

The product teams help us get fixes and enhancements prioritized and get them ultimately scheduled to get into the product. Other security teams, such as the Incident Response team, lead us when there are incidents or investigations, and we assist them with the various tasks involved with that. And the list goes on; there's honestly too many different teams to name. We work with so many different parts of the organization on the Application Security team.

So we really do have to be collaborative with each other, and I'm really proud of the way that we work together. It's just one of the best things about working at GitLab. Everyone has an attitude that we're in it together and that we work, you know, towards the same goals, and I really appreciate that. That's how we operate.