Description
@GitLab AppSec Engineer Nick Malcolm talks about what makes him proud to work at GitLab and what makes the experience unique, as well as what helps someone succeed on the team.
See the GitLab handbook: https://about.gitlab.com/handbook/ and learn more about GitLab security programs at https://about.gitlab.com/security/.
We’re hiring! Check out our careers: https://about.gitlab.com/jobs/all-jobs/
Thank you. Ora, hello. My name is Nick and I live in Aotearoa New Zealand. I work in GitLab's Application Security team, and my role as an AppSec engineer is to work on the security of the products that we make. Other teams work on organizational security, assurance and threat intel. My role is focused more on the code and the features themselves.

I work with are awake and crafting code, fixing issues, and asking me questions. When I come online again, I can work through those, interact with people in this time zone crossover, and if not, use GitLab issues or Google Docs to capture what I think the next steps are. Even during a security incident, the same process applies. I know that the next AppSec team member can pick up where I left off, and I don't need to think about it.

To be successful here at GitLab, you need to be self-motivated and a good communicator to work remotely and asynchronously. Propose a solution to a problem and even start working on the first iteration of a solution, instead of waiting around for consensus with people who might not even be awake. Provide clear recommendations with context, so that when someone does come online, they know immediately what you're asking of them and why. I'd recommend taking a look at GitLab's handbook page for lots of examples of how to do this, and within security specifically, GitLab or not.

I think curiosity has to be one of the key attributes of an AppSec team member. When something looks off, you need to pull on that thread. Figure out: hey, is there something wrong here, something that could be exploited? Keep pulling on that thread. Or similarly, the curiosity to find a solution which solves a class of recurring problems, instead of solving things one by one as they pop up.

I'm really proud of how transparent GitLab's Security Department is. It's easy to keep things in-house, especially security incidents or security processes. We try our hardest to make these things public. The security section of our handbook is full of security runbooks. It's been iterated and honed over time.

Other organizations can take our handbook and adapt these runbooks if they want. All of the security flaws that we find in our product are publicly disclosed using CVE identifiers and the GitLab issue that shows us triaging and working on those vulnerabilities all the way through to a solution. Those are made public 30 days after a patch. That can show some really interesting insight into how GitLab operates, and there's a great example of us living our transparency value, and that's something I'm really proud of.