API Security team in the Dynamic Analysis Group

API Security

The API Security team is a standalone team which is part of the Dynamic Analysis group at GitLab. It is charged with developing solutions which perform Fuzzing.

Repo                  | Purpose
API Fuzzer (Private)  | GitLab's API Fuzzing scanner.

Important Fuzzing repositories

Repo                            | Purpose
API Security (Private)          | The API Security tool performs API Fuzzing and API DAST scans.
API Fuzzing E2E Tests (Private) | API end-to-end tests.
DAST API demos (Public)         | DAST API demos linked from the documentation.
API Fuzzing demos (Public)      | API Fuzzing demos linked from the documentation.
API Fuzzing demos (Public)      | API Fuzzing demos linked from the documentation (har/openapi branches).

How to Contact Us

  • Slack channel: #g_ast-dynamic-analysis
  • Slack alias: @secure_dynamic_analysis_be
  • Google groups: dynamic-analysis-be@gitlab.com
  • GitLab mention: @gitlab-org/secure/dynamic-analysis-be

How We Work

The Dynamic Analysis group largely follows GitLab’s Product Development Flow.

Issues worked by this team are backend-centric and are typically in one of the above repos, the vendored templates, or GitLab's Rails monolith. At times, issues require support from AST's frontend team when UI changes are needed; we will require more notice for initiatives like these.

Repeated tasks

There are several maintenance tasks that need to be completed each milestone. Each iteration, an issue is opened and assigned to an engineer on a rotating basis. Those rotating tasks are:

  • Review upstream changes, and open an issue to upgrade DAST if the upstream changes provide important improvements
  • Review the security dashboard for DAST and address all critical and high issues. Review the dashboards for upstream projects, ZAP and ZAP Extensions

Fuzzing Technologies

  • The API Security product is built using mostly C# with some small amounts of Python. Our engineers use Windows VMs for development.

Specialized Labels

When opening issues, the following label snippet is often added:

/label ~"Category:API Security"
/label ~"group::dynamic analysis"
/label ~"devops::application security testing"
/label ~"backend"
/label ~"section::sec"

Dashboards

Targets

For our Merge Request types, we have an initial soft target ratio of 60% features, 30% maintenance, and 10% bugs based on the cross-functional prioritization process. This is not a hard target and we expect to see variation in this ratio as we mature and our focus evolves.

Support Requests

The Dynamic Analysis engineering team provides support to GitLab Support Engineers following the process outlined in the Sec Section support project.

Issue Boards