Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Security Shorts / 28 Sep 2022
GitLab / Security Shorts / 28 Sep 2022
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: What it's like to work in Security at GitLab with Nick Malcolm, AppSec Engineer

Description

@GitLab AppSec Engineer Nick Malcolm talks about what makes him proud to work at GitLab and what makes the experience unique, as well as what helps someone succeed on the team.

See the GitLab handbook: https://about.gitlab.com/handbook/ and learn more about GitLab security programs at https://about.gitlab.com/security/.

We’re hiring! Check out our careers: https://about.gitlab.com/jobs/all-jobs/

A

Thank you Ora hello. My name is Nick and I live in aotearoa New, Zealand, I, work in gitlab's application, security team and my role as an appsec engineer is to work on the security of the products that we make. Other teams work on organizational security assurance and threat Intel. My role is focused more on the code and the features themselves.

A

I do that, primarily by working alongside gitlab's development teams and by responding to reports from security researchers through our bug, Bounty program.

A

The size, scale and Geographic diversity of gitlab means that I really do close my laptop and switch off from work at the end of the day. The skill we practice of asynchronous communication is really important here, while I'm enjoying time on Hobbies with family or sleeping the teams.

A

I work with are awake and crafting code fixing issues and asking me questions when I come online again, I can work through those interact with people in this time zone crossover and, if not use gitlab issues or Google docs to capture what I think the next steps are even during a security incident. The same process applies. I know that the next appsec team member can pick up where I left off and I don't need to think about it.

A

To be successful here at gitlab, you need to be self-motivated and a good communicator to work. Remote and asynchronously propose a solution to a problem and even start working on the first iteration of a solution. Instead of waiting around for consensus with people who might not even be awake, provide clear recommendations with context so that when someone does come online, they know immediately what you're asking of them and why I'd recommend taking a look at gitlab's handbook page for lots of examples of how to do this and within security, specifically gitlab or not I.

A

Think Curiosity has to be one of the key attributes of an appsec team member. When something looks off, you need to pull on that thread. Figure out. Hey! Is there something wrong here, something that could be exploited, keep pulling on that thread or similarly, the Curiosity to find a solution which solves a class of recurring problems instead of solving things one by one as they pop up.

A

I'm really proud of how transparent, gitlab's Security Department is it's easy to keep things in-house, especially security incidents or security processes? We try our hardest to make these things public. The security section of our handbook is full of security run books. It's been iterated and honed over time.

A

It makes it much easier to work asynchronously, especially for me. Not a lot of my colleagues are awake when I am and respond to high pressure situations. When you know there's a process, that's established and being followed by everyone.

A

Other organizations can take our handbook and adapt these run books if they want all of the security flaws that we find in our product are publicly disclosed using cve identifiers and the gitlab issue that shows us triaging and working on those vulnerabilities all the way through to a solution. Those are made public 30 days after a patch that can show some really interesting insight into how gitlab operates and there's a great example of us living our transparency value and that's something I'm really proud of.