Secure / Govern sub-department delineation

Definition of what engineering group is responsible for features in the Secure and Govern stages of the GitLab product

Why does this page exist?

In the spirit of establishing a DRI for each set of functionality where this may not be obvious, the purpose of this page is to explicitly define which engineering group has reponsibility for which portions of the product and for specific decisions.

Page/Function responsibilities

Page/Function PM Primary Group Example
Secure Partner Onboarding Docs Alana BellucciAlana Bellucci Sec by their categories
Security Configuration Sec by their categories
Vulnerability ingestion and DB storage Alana BellucciAlana Bellucci Govern:Threat Insights
Dependency ingestion and DB storage Alana BellucciAlana Bellucci Govern:Threat Insights
Dependency List Alana BellucciAlana Bellucci Govern:Threat Insights Example
License Compliance Page Alana BellucciAlana Bellucci Govern:Threat Insights
Interact with findings and vulnerabilities Alana BellucciAlana Bellucci Govern:Threat Insights
Merge Request Security Widget Alana BellucciAlana Bellucci Govern:Threat Insights Example
Merge Request License Compliance Widget John CrowleyJohn Crowley Secure:Composition Analysis Example
Pipeline Security Tab Alana BellucciAlana Bellucci Govern:Threat Insights Example
Security Dashboards Alana BellucciAlana Bellucci Govern:Threat Insights Example
Security Scanner Integration Documentation Alana BellucciAlana Bellucci Govern:Threat Insights
Vulnerability Pages Alana BellucciAlana Bellucci Govern:Threat Insights Example
Vulnerability Report Alana BellucciAlana Bellucci Govern:Threat Insights Example
Policies Grant HickmanGrant Hickman Govern:Security Policies Example
Advisories ingestion and DB storage John CrowleyJohn Crowley Secure:Composition Analysis
External License ingestion and DB storage John CrowleyJohn Crowley Secure:Composition Analysis
Vulnerability Match Job John CrowleyJohn Crowley Secure:Composition Analysis
License Match Job John CrowleyJohn Crowley Secure:Composition Analysis
CVE ID Request - Workflow and automation Sarah WaldnerSarah Waldner Secure:Vulnerability Management
CVE ID Request - Platform UI Alana BellucciAlana Bellucci Govern:Threat Insights
User Invitation Flows Hannah SutorHannah Sutor Govern:Authentication

Technical Boundaries

Ownership of the end-to-end technical solution spans multiple groups. This section clarifies cross-group maintainership of code artifacts between Threat Insights and the remaining groups in the Sec Section.

Ownership means that the responsible group:

  1. Is responsible for maintenance of the code.
  2. Receives attribution in their error budget associated with the relevant code.
  3. Must be consulted before changes are made, and should review them before being merged.
  4. Receives priority when requesting maintenance and fixes to changes introduced by another group.

Owners by project/function

This is not a comprehensive list, but includes the main projects and areas of functionality under the Sec Section umbrella.

Comparison and tracking logic

The logic to compare and track vulnerabilities is owned by Threat Insights.

Customisation of this logic that is not generic to all report types is owned by the corresponding group(s) (e.g. Static Analysis group would be the maintainer of any improvement to track SAST vulnerabilities).

It is not always possible to promptly identify the group that owns some code. In the absence of an attribution through error budget, CODEOWNERS, code comments or other means, Threat Insights will idenfity the owner and, if necessary, handover to the appropriate group.

Security Report Schema

The schemas are owned by the backend team in the analyzer groups responsible for the corresponding categories.

Threat Insights owns the base schema and the generic details schema.

For instance, the Static Analysis group is responsible for the SAST category, so its backend team is responsible for the sast report JSON schema.

Regardless of ownership, Threat Insights must review all changes as they are the consumer of reports that conform to the schemas.

For more information on who to request a review from, see the project guidelines.

Vulnerability Management

This includes all items assigned to Threat Insights under Page/Function responsibilities, and also:

  • Database Management System objects
  • Object-relational mappings
  • Integration points
    • APIs
    • Security report ingestion framework

AI Vulnerability Explanation and Vulnerability Resolution

These workflows are owned by Threat Insights as part of Vulnerability Pages (see above). This includes integration into the monorepo, display in Vulnerability pages, the merge request interface for Vulnerability Resolution, and integration into Duo Chat for Vulnerability Explanation. Threat Insights collaborates with AI Framework and Duo Chat to support integration into areas these teams own.

Prompts, test data set curation, and verifying quality of responses for Vulnerability Explanation and Vulnerability Resolution are owned by the relevant groups in Secure based on the type of vulnerability. These groups communicate and collaborate with Vulnerability Research, AI Framework for prompt engineering support, and Model Validation for testing at scale, as needed. These features are currently available for SAST only.

While prompts are owned by teams in Secure, prompt engineering is an important part of software development at GitLab, the AI-Powered DevSecOps platform. Teams within Govern - including Threat Insights - are expected to onboard and be able to support prompt engineering for these features, and assist as needed with updating the prompts in the monorepo through follow the sun coverage.

Metrics and usage monitoring within the application are owned by Govern: Threat Insights. Related issue.

Last modified September 19, 2024: Fix broken links (38406a39)