Token Management Working Group
Attributes
| Property | Value |
|---|---|
| Date Created | August 16, 2022 |
| Date Ended | April 25, 2023 |
| Slack | #wg_token (only accessible from within the company) |
| Google Doc | Token Management Working Group Agenda (only accessible from within the company) |
Direction
Out of due diligence and responsibility to GitLab users, the Token Management Working Group will work towards building a foundation and path forward for future token management security enhancements. This will be accomplished through the creation and publication of a token management security policy and proposed fixes for the high risk and low effort token management issues. With this, the Token Management Working Group will set up the fast follow on mid to long term token management security enhancement effort for success. For additional detail please visit our Token Leaks internal handbook page. All the tokens will be stored in GitLab the application as we ship it to users and customers. By dogfooding these enhancements and making improvements to meet our own security needs, we will improve token management and protection of secrets for all users, becoming better stewards of our user’s secrets.
Exit Criteria
The Token Management Working Group will deliver:
- Publish the first iteration of an official token and secrets management policy that is based on the Token Standard previously created
- Status: Complete
- Results: GitLab Token Management Standard
- Proposed fixes, with risk assessments, for each identified low effort high risk item
- Status: Complete
- Results: Risk assessments and effort estimations
- Propose possible out-of-product workaround mitigations for the top 2 high effort high risk items
- Status: Complete
- Results: Proposed out-of-product workarounds
Retrospective
The retrospective for the Token Working Group was conducted on 2023-04-25 and details can be found in the retro issue.
Roles and Responsibilities
| Working Group Role | Person | Title |
|---|---|---|
| Facilitator | James Ritchey | Sr. Manager, Product Security |
| Member | Joaquin Fuentes | Director Security Operations |
| Member | Valentine Mairet | SIRT Manager |
| Member | Philippe Lafoucrière | Security Architect |
| Member | Andrew Kelly | AppSec Manager |
| Member | Chris Moberly | Red Team Manager |
| Member | Connor Gilbert | Sr. Product Manager, Secure:Static Analysis |
| Member | Grzegorz Bizon | Principal Engineer, Ops |
| Member | Stan Hu | Engineering Fellow |
| Member | Michelle Gill | Senior Engineering Manager, Manage |
| Member | Hannah Sutor | Senior Product Manager, Manage:Auth |
| Member | Alex Hanselka | Senior Site Reliability Engineer |
| Member | Dominic Couture | Staff Security Engineer, Application Security |
| Member | Thomas Woodham | Senior Engineering Manager, Secure |
| Member | Amar Patel | Engineering Manager, Secure:Static Analysis |
| Member | Zach Rice | Senior Backend Engineer, Secure:Static Analysis |
| Member | Lucas Charles | Staff Backend Engineer, Secure:Static Analysis |
| Member | Dennis Appelt | Staff Security Engineer, Security Research |
| Member | Mark Loveless | Staff Security Engineer, Security Research |
455376ee)
