It is important to delineate who the EM and PM DRIs are for every functionality, especially where this may not be obvious. This is documented on a dedicated delineation page.
In general, we want to keep as few projects in security-products as necessary.
security-products should only contain :
Source code for applications that will run as part of a customer install
Demos
Historical projects that are difficult to move.
secure and govern should have projects for:
End-to-end testing
Benchmarks / Stats
Tooling
There may be projects that should belong in secure or govern but for technical reasons are much easier to have in security-products. In those cases, we can locate the project in security-products if reasonable efforts were made to get the project in secure or govern but were unsuccessful.
License approval policy
As of 2024-05-17, Analyzer projects (gitlab-org/security-products/analyzers) are subject to a security policy that requires approval for merge requests that introduce new licenses. The policy enforces our company-wide policy for open source software.
Excluded projects: the list includes test projects, other security policy projects, and any projects that can’t have license finding enabled. Members of the gitlab-org/secure/managers group can add exceptions as required.
This is a dogfooding experiment that we intend to eventually apply to all Sec projects.
Recommended settings
When creating a new project, all settings should be left to the default options, except for the following which are specific to the secure stage:
Add a CODEOWNERS file to the project, for example:
It leverages existing tools and infrastructure, such as having triage-ops and other bots executed against issues, without any additional configuration.
It provides a more consistent experience, since all labels and issue templates will be the same.
It’s easier to write automated scripts, such as using the Security triage automation tool to create/modify vulnerabilities.
There are some issues that apply to multiple projects. If each project has their own issue tracker, we’d need to figure out which issue tracker should “own” an issue that applies to multiple projects.
Settings -> General -> Visibility, project features, permissions -> Additional options -> Users can request access
Allowed to merge
Maintainers
Allowed to push and merge
No one
Allowed to force push
Disabled
Code owner approval
Enabled
Settings -> Repository -> Protected branches
Allowed to merge
Maintainers
Allowed to push and merge
No one
Allowed to force push
Disabled
Code owner approval
Enabled
Settings -> Repository -> Protected tags
Tag
v*
Allowed to create
Maintainers
Settings -> Merge Requests
Squash commits when merging
Require
Approval settings
Prevent approval by author
Prevent editing approval rules in merge requests
Remove approvals by Code Owners if their files changed
Merge request approvals -> Approval rules
Approvers
All eligible users
Target branch
All branches
Approvals required
1
Merge checks
All threads must be resolved
Pipelines must succeed
Merge commit message template
Merge branch '%{source_branch}' into '%{target_branch}'
%{title}
%{issues}
See merge request %{url}
Merged-by: %{merged_by}
%{approved_by}
%{reviewed_by}
%{co_authored_by}
Default description template for merge requests
## What does this MR do?
<!--
Describe in detail what your merge request does, why it does that, etc.
Please also keep this description up-to-date with any discussion that takes
place so that reviewers can understand your intent. This is especially
important if they didn't participate in the discussion.
Make sure to remove this comment when you are done.
-->## What are the relevant issue numbers?
## Does this MR meet the acceptance criteria?
- [ ] Changelog entry added
- [ ] [Documentation created/updated for GitLab EE](https://docs.gitlab.com/ee/development/documentation/feature-change-workflow.html), if necessary
- [ ] Documentation created/updated for this project, if necessary
- [ ] Documentation reviewed by technical writer *or* follow-up review issue [created](https://gitlab.com/gitlab-org/gitlab-ee/issues/new?issuable_template=Doc%20Review)
- [ ] [Tests added for this feature/bug](https://docs.gitlab.com/ee/development/testing_guide/index.html)
- [ ] Job definition updated, if necessary
- [ ] [Auto-DevOps template](https://gitlab.com/gitlab-org/gitlab-foss/tree/master/lib/gitlab/ci/templates)
- [ ] [Job definition example](https://docs.gitlab.com/ee/ci/examples/sast.html)
- [ ] [CI Templates](https://gitlab.com/gitlab-org/security-products/ci-templates/tree/master/includes)
- [ ] Ensure the report version [matches the equivalent schema version](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/CHANGELOG.md)
- [ ] Conforms to the [code review guidelines](https://docs.gitlab.com/ee/development/code_review.html)
- [ ] Conforms to the [Go guidelines](https://docs.gitlab.com/ee/development/go_guide/index.html)
- [ ] Security reports checked/validated by reviewer
/label ~"devops::secure" ~"Category:" ~"group::" ~"backend"
Each group also has a calendar for team-based discussions, such as the our weekly group syncs.
We encourage utilizing our available Google Groups instead of including individuals as attendees when possible. Along with ensuring the event is represented on individual’s calendars for visibility, new team members are automatically added to events (as well as removed when someone departs from a team).
The members of each google group consists of stable counterparts and the correct eng-dev-[sub-department]-[team] group of engineers. When stable counterparts change, or team members onboard/offboard the appropriate group should be updated.
Slack channels #s_secure and #s_govern are informative since they are all part of Sec Section.
Planning in the Section
In the vast majority of cases, work is scoped to individual groups within the section. However, there are times when the section needs to design
and execute solutions as a coordinated Section or risk creating poor and non-cohesive user experiences.
These initiatives will be orchestrated through epics and issues. Initiatives with the following labels are deemed to fall in this category of work.
At least once per milestone, Senior Engineering Managers in the section will do the following:
In partnership with Product Management, initiatives 6 months or older will be evaluated to determine if they’re still relevant.
New initiatives will be triaged, checking their requirements for understandability and completeness. Further, the group most impacted will be identified.
In situations where most impacted group is not clear, technical leadership via #sec-section will be engaged to help discern which group that might be.
Group most impacted will be declared DRI for that initiative and are expected to:
Produce a high-level implementation plan that will scale for the whole problem.
Create implementation issues that are broken down by feature category.
The original high-level implementation plan will be included, or at least directly linked, in the created issues.
Original issue where implementation plan was debated and created will also be linked to the generated issues.
Distribute implementation issues to the relevant groups.
Generated issues will be worked through normal prioritization processes as they are distributed to individual groups.
Page Performance
Our team monitors LCP (Largest Contentful Paint) to ensure performance is below our target (currently 2500ms).
The Sec engineering teams do not provide support directly to customers. Instead engineers collaborate with our Customer Support Engineers via the process on the Sec Sub-department support project.
How to work with the Quality team
Frontend Responsibilities
Being able to identify what code changes would likely break E2E or System level tests and informing Quality.
Not to write E2E tests, but to catch potential failures and communicate gaps in coverage before landing to master.
If you are working around code that contains a selector like data-qa-selector="<name>", then there is likely to be an existing E2E test. Tests can be found by searching our E2E tests in Secure.
Communicating changes that may break tests
Ping the DRI for quality assigned to Secure. You can find the person on the team page. If they are unavailable, then #quality on slack or the triage DRI dependent on severity.
Section Retrospectives
In addition to our group retrospectives, we facilitate an async Sec Section level retrospective each month. The goal of the section wide retrospective is to review topics that bubbled-up from our group/team retrospectives. Additionally, we identify themes that could be discussed synchronously. We use this doc and an issue created with this template to facilitate the section retrospective.
Key Dates
The Monday after the monthly release - Group async retrospective issues are generated. Groups should start contributing topics.
The week the milestone ends - Groups hold their retrospectives. Team members bubble-up identified topics and follow-up items (outcomes) to the section retrospective document.
The week of the release - Section wide retrospective async review shared in the #sec-section Slack channel.
DRI Responsibilities
The DRI for Section-wide retrospectives will be the Senior Engineering Manager. The SEM will find a volunteer if it is needed on specific milestones. The following tasks are executed each milestone:
Prior to the async section retrospective, review bubble-up topics and identify 2-3 themes to support async discussion topics.
The Govern sub-department teams are the engineering teams in the Govern Stage of the product.
Vision To support GitLab’s product vision through alignment with the Govern stage product direction.
Groups Authentication Authorization and Anti-abuse Compliance Security Policies Threat Insights Priorities Group priorities are reviewed collaboratively with product counterparts and published on the Govern direction pages
Anti-abuse Authentication Authorization Compliance Security Policies Threat Insights (16.x) Product Documentation Links Security Dashboard Vulnerability Pages Security scanner integration Secure and Govern terminology Govern testing priorities Sub-department development people leaders Name Role Phil Calder Director of Engineering, Govern Adil Farrukh Engineering Manager, Govern:Authentication Jay Swain Engineering Manager, Govern:Authorization and Anti-abuse Alan (Maciej) Paruszewski Engineering Manager, Govern:Security Policies Neil McCorrison Engineering Manager, Govern:Threat Insights Nathan Rosandich Engineering Manager, Govern:Compliance Ryan Wells Engineering Manager, Govern:Threat Insights To contact Govern sub-department development people leaders, use the following aliases:
The Secure engineering sub-department is responsible for the Secure Stage of the product.
Vision To provide content and tools to support the best possible assessment at the earliest possible moment.
Following our single application paradigm, we integrate and build scanning tools to supply security and compliance assessment data to the main GitLab application where we develop our vulnerability management system and other features. While it might be technically feasible, we do not aim at building standalone products that provide this data independently from the GitLab application.
