Software Supply Chain Security Sub-department
The Software Supply Chain Security sub-department teams are the engineering teams in the Software Supply Chain Security Stage of the product.
Vision
To support GitLab’s product vision through alignment with the Software Supply Chain Security stage product direction.
Groups
Priorities
Group priorities are reviewed collaboratively with product counterparts and published on the Software Supply Chain Security direction pages.
Product Documentation Links
- Security Dashboard
- Vulnerability Pages
- Security scanner integration
- Security glossary
- Software Supply Chain Security testing priorities
- Pipeline Security
All Team Members
Authentication
Name | Role |
---|---|
Adil Farrukh | Engineering Manager, Software Supply Chain Security:Authentication |
Andrew Evans | Senior Backend Engineer, Software Supply Chain Security:Authentication |
Bogdan Denkovych | Senior Backend Engineer, Software Supply Chain Security:Authentication |
Drew Blessing | Senior Backend Engineer, Software Supply Chain Security:Authentication |
Eduardo Sanz-Garcia | Senior Frontend Engineer, Software Supply Chain Security:Authentication |
Hakeem Abdul-Razak | Associate Backend Engineer, Software Supply Chain Security:Authentication |
Imre Farkas | Staff Backend Engineer, Software Supply Chain Security:Authentication |
Smriti Garg | Senior Backend Engineer, Software Supply Chain Security:Authentication |
Aboobacker MK | Senior Backend Engineer, Software Supply Chain Security:Authentication |
Authorization and Anti-abuse
Name | Role |
---|---|
Jay Swain | Engineering Manager, Software Supply Chain Security:Authorization |
Ayush Billore | Backend Engineer, Software Supply Chain Security:Authorization |
Alex Buijs | Senior Fullstack Engineer, Software Supply Chain Security:Authorization |
Daniel Tian | Senior Frontend Engineer, Software Supply Chain Security:Authorization |
Eugie Limpin | Senior Fullstack Engineer, Software Supply Chain Security:Authorization |
Hinam Mehra | Fullstack Engineer, Software Supply Chain Security:Authorization |
Ian Anderson | Staff Backend Engineer, Software Supply Chain Security:Authorization |
Jarka Košanová | Staff Backend Engineer, Software Supply Chain Security:Authorization |
Mo Khan | Senior Backend Engineer, Software Supply Chain Security:Authorization |
Compliance
Name | Role |
---|---|
Nathan Rosandich | Engineering Manager, Software Supply Chain Security:Compliance |
Andrew Jung | Backend Engineer, Software Supply Chain Security:Compliance |
Harsimar Sandhu | Senior Backend Engineer, Software Supply Chain Security:Compliance |
Hitesh Raghuvanshi | Senior Backend Engineer, Software Supply Chain Security:Compliance |
Huzaifa Iftikhar | Senior Backend Engineer, Software Supply Chain Security:Compliance |
Illya Klymov | Staff Frontend Engineer, Software Supply Chain Security:Compliance |
Nataliia Radina | Frontend Engineer, Software Supply Chain Security:Compliance |
Sam Figueroa | Fullstack Engineer, Software Supply Chain Security:Compliance |
Pipeline Security
Name | Role |
---|---|
Scott Hampton | Engineering Manager, Govern:Pipeline Security |
Aaron Huntsman | Senior Backend Engineer, Software Supply Chain Security:Pipeline Security |
Stable Counterparts
The following members of other functional teams are our stable counterparts:
Name | Role |
---|---|
Adil Farrukh | Engineering Manager, Software Supply Chain Security:Authentication |
Aaron Huntsman | Senior Backend Engineer, Software Supply Chain Security:Pipeline Security |
Camellia X. Yang | Senior Product Designer, Software Supply Chain Security:Compliance and Security Risk Management:Security Policies |
Evan Read | Senior Technical Writer, Software Supply Chain Security:Compliance, Manage:Import and Integrate, Systems:Distribution, Systems:Gitaly |
Hannah Sutor | Principal Product Manager, Software Supply Chain Security:Authentication and Authorization |
Jay Swain | Engineering Manager, Software Supply Chain Security:Authorization |
Joe Randazzo | Product Manager, Software Supply Chain Security:Authorization |
Ian Khor | Product Manager, Software Supply Chain Security:Compliance |
Nathan Rosandich | Engineering Manager, Software Supply Chain Security:Compliance |
Software Supply Chain Security staff meeting
The Software Supply Chain Security stage engineering department leaders meet weekly to discuss stage and group topics in the Software Supply Chain Security staff meeting. This meeting is open to all team members and is published on the Software Supply Chain Security stage calendar.
Meetings have an agenda and are async-first, where the aim is to resolve discussions async and leave time in the meeting to deep dive into topics that require more discussion.
We use the Software Supply Chain Security Sub-department Board to better organize our discussions.
Weekly updates
The Software Supply Chain Security development teams provide weekly status updates using an issue template and CI scheduled job. As priorities change, engineering managers update the template to include areas of interest such as priorities, opportunities, risks, and security and availability concerns. The updates are GitLab internal.
Quarterly review updates
Every quarter, an engineering manager for each group in the Software Supply Chain Security Sub-department prepares the quarterly review update using the issue template and records a video of approximately 5 minutes that summarizes the last quarter from the engineering perspective, presents a high-level plan for the group for the next quarter in response to the quarterly Product strategy, and explains our goals for the next quarter.
We aim to foster collaboration and communication between engineering managers in the Software Supply Chain Security Sub-department, align groups on product priorities for the next quarter, and celebrate our successes together.
The quarterly review update template can be found here.
OKR planning
Our OKRs are a mixture of top down, aligned with Company-wide, Product, or Engineering Division OKRs, and bottom up engineering-led initiatives driven by our team members in Software Supply Chain Security. Any team member can propose an OKR for Software Supply Chain Security by creating a proposal issue in our internal OKR project. The issue can be used to collaborate and discuss the proposal. When we are ready to commit, we can create or align to an existing Objective, and add specific key results to track through the quarter.
Labels:
- Sub-Department::software supply chain security - for top-level sub-department Objectives.
- devops::software supply chain security - for Objectives and key results for the stage and stage groups.
- group:: - for Objectives and key results for a specific group.
Each Objective and Key Result should have an assignee who is the DRI for providing status updates throughout the quarter. Regular updates are preferred. At a minimum, these should be updated:
- By end of day on the second Friday of every month
- At the end of the quarter
OKRs can be changed or closed during the quarter if they are completed, or as our goals change. This ensures we are focusing on areas that are relevant to our current and future priorities.
PTO
To support our teams, and commitments made to internal and external customers, team members in Software Supply Chain Security are encouraged to create a PTO issue before going on leave lasting a week or longer.
The issue provides a place to discuss and document coverage for any work in progress, or for projects where the team member is the directly responsible individual (DRI), and supports the Paid Time Off at GitLab policy.
We use an internal issue tracker, as team member PTO is not public information, together with a PTO template.
When a team member takes some time off, it is important that their work is still being followed up on if needed. We want to make sure that any MR that lands in staging and production environments while we are out gets proper attention and is verified by a counterpart. Therefore, when getting close to our time-off period, we should do the following:
- Any MR that can be put on hold until we’re back from PTO should be put in the Draft status. This ensures that the MR won’t be merged accidentally without a clear DRI to follow up on it.
- Other non-draft MRs and freshly merged MRs, which need to be verified on staging, should be assigned to another engineer. The additional DRI will be responsible for verifying the changes if they land in staging while we’re out. When doing this, we must ensure that enough context has been provided in the MR’s description and/or the related issue (setup, testing, potential impact, design decisions, etc.).
Keep in mind that, while we strongly recommend following this process when taking some time off, it might not be relevant all the time. For example, if our time-off period is going to be short and/or our active MRs are minor enough, it might make sense to ignore these recommendations and follow up when we’re back.
Engineering Leadership - PTO or unavailable
Team members should contact any Software Supply Chain Security Engineering Manager by mentioning them in #sd_sscs_engineering or #sscs-development-people-leaders if they need management support for a problem that arises, such as a production incident or feature change lock, when their direct manager is not available. The Software Supply Chain Security manager can provide guidance and coordination to ensure that the team member receives the appropriate help.
Some people management tasks, including Workday and Navan Expense, may require escalation or delegation.
Skills
Because we have a wide range of domains to cover, our work requires many different areas of expertise and skills:
Technology skills | Areas of interest |
---|---|
Ruby on Rails | Backend development |
Go | Backend development |
Vue, Vuex | Frontend development |
GraphQL | Various |
SQL (PostgreSQL) | Various |
Docker/Kubernetes | Threat Detection |
Everyone can contribute
At GitLab our goal is that everyone can contribute. This applies to GitLab team members and the wider community through community contributions. We welcome contributions to any and all features, but recognize that first-time contributors may prefer to start with smaller features. To support this we maintain a list of quick wins that may be more suitable for first-time contributors, and for contributors new to the domains in Software Supply Chain Security.
If the contributor needs an EE license, we can point towards the Contributing to the GitLab Enterprise Edition (EE) section on the Community contributors workflows page.
Testing
During the planning phase of a milestone, the EM for each group will create a new issue using the template in the epic for any major new features and tag the Software Engineer in Test (SET) from Software Supply Chain Security. SETs from Test Engineering and EMs can periodically review and discuss the list of open issues, and add appropriate priority labels.
The intent of shifting left and testing at the right level is that teams are responsible for testing, with engineers doing the feature coverage reviews and adding specs or E2E tests as needed. The reason for including the SET is to give oversight across the groups and provide guidance and support. If the SET has capacity, they can contribute as needed, using the priority labels, but this is not the expectation.
Metrics
Links and resources
- Stage links
- Discussions and issues are located at gitlab-org/software-supply-chain-security
- General Slack #s_software-supply-chain-security
- Social channel #sec-section-social
- Engineering Slack #sd_sscs_engineering
- Software Supply Chain Security Shared Calendar ID: gitlab.com_ed6207uel78de0j1849vjjnb3k@group.calendar.google.com
- GitLab Managers: @gitlab-org/software-supply-chain-security/managers
Technical Documentation Links