Security Architecture review process


Security Architecture review is a holistic assessment of security layers across infrastructure, application, people, and processes.


When to conduct a Security Architecture review?

The review process is integrated into the broader Architecture workflow, but can be triggered for:

  • New large projects and initiatives
  • New large features
  • New significant services
  • Cross teams/stage technical changes

And more generally:

  • Everything built by GitLab, and meant to be deployed in our infrastructure or our customers' infrastructure.
  • New or updated architectures processing, storing, or transferring any kind of RED or ORANGE data

How to request a Security Architecture review?

Create an issues in the Security Architecture general project (internal only.


  • Cloud infrastructure and services
    • Data encryption in transit over the cloud (example: from customer, through our WAF/CDN, terminating into GCP)
  • Network
  • Systems
    • Instances
    • Clusters
    • Virtual machines
    • Hardening
  • Application
    • Third party (integrations, APIs, data transfers)


The Security Architecture review is conducted by a Security Architect who will:

  • Identity and isolate components
  • Start with external facing ones
  • Go inward, deeper
  • What have component access to?
    • Data → If not minimal data, can we move it?
    • Authentication (credentials)
  • Follow our Security Architecture Principles
  • Maintain a list of actors

The threats identified can be avoided (different architecture) or mitigated (security controls).


Depending on the type of change being reviewed, the Security Architect can involve:

  • the Application Security team:
    • to create [Threat Models]
    • to conduct [AppSec reviews]
  • the InfraSec team:
    • to review and make recommendations:
      • Network
      • Cloud infrastructure and services
      • Systems
  • The Security Compliance team
  • The Cryptography Officer

Threat Models AppSec reviews


Report (markdown file should be enough: searchable, collaborative, authoritative, like for threat modeling: Validation of the solution:

  • Requirements are met
  • Risk assessment
Last modified September 6, 2023: Replace taps with spaces (69f17a79)