Product Security

Aligned with GitLab’s overarching information security strategy and its three-year plan, the Product Security Department (PSD) within the Security Division is responsible for crafting and directing a comprehensive vision to bolster the cybersecurity posture of the GitLab platform.

What is Product Security at GitLab?

At GitLab, product security encompasses a broad range of cybersecurity disciplines that enable product and engineering teams to design, develop, deploy, maintain, and refine GitLab’s technologies securely. This goes beyond the conventional confines of security, covering everything from protecting developer workstations to ensuring the integrity of our production environments.

The Product Security Mission

Our mission is to set the standard for product security by fostering a culture of rapid innovation and secure product delivery. We are committed to leveraging the GitLab platform, embodying the pinnacle of internal usage (‘dogfooding’) practices. By maintaining close collaboration with product teams and contributing significant security features and capabilities to the GitLab codebase, we aim to enhance our operations and be a vital driver of the broader GitLab vision.

Multi-Year Product Security Mission

Our comprehensive, multi-year product security mission can be found in our internal handbook.

Collaboration is Key

Success in product security is not confined to PSD or even the Security Division. It requires a concerted effort across the entire GitLab ecosystem. Collaboration is crucial, involving not just our security counterparts but the broader organization. Key disciplines and capabilities, from Security Operations to Site Reliability Engineering, while not directly under PSD’s purview, are vital to our strategy’s success.

Guiding Principles

  • Business Enablement: PSD’s role is to facilitate GitLab in achieving its business goals by ensuring product teams can operate both efficiently and securely, bolstering customer trust, and utilizing transparency as a strategic advantage. This includes providing insightful product feedback through extensive dogfooding.
  • Empathy and Accessibility: Recognizing that the optimal security solution may not always align with business or customer needs, PSD prioritizes understanding and empathizing with these unique perspectives. This empathetic approach guides our security practices and engagements, aiming to align our methods with the preferences of our customers and internal teams.
  • Pragmatism Over Perfection: Addressing current challenges quickly and effectively is preferred over waiting for a perfect solution. PSD focuses on delivering incremental, tangible value through rapid, short-cycle initiatives, aiming for partial solutions that immediately benefit our long-term goals.
  • Design for Rapid Iteration: Our strategy and roadmaps are crafted to quickly identify and learn from suboptimal decisions by engaging with customers and stakeholders early and maintaining a tight feedback loop. This approach helps us adapt and refine our strategies and approaches efficiently.
  • Data-Driven Decision Making: Data drives our objectives, priorities, and actions, reducing the risk of failure or scope creep. Example useful metrics include root cause analyses of incidents (data within), threat modeling outcomes, and production readiness assessments, among others.
  • Scalability and Repetition: PSD emphasizes scalable, repeatable processes over bespoke solutions, ensuring we can meet growing demands without proportional increases in resources.
  • Decentralization and Empowerment: Acknowledging that product and engineering teams possess deep, specialized knowledge of their domains, PSD advocates for these teams to take ownership of security tasks like secure code reviews and threat modeling. This decentralization fosters a more integrated and effective security posture across GitLab.
  • Integration with Reliability, Quality, Infrastructure, and Platform Engineering: PSD’s mission to mitigate product security flaws is inherently tied to improving overall product quality and reliability. We aim to leverage and integrate with the practices of existing teams to enhance both security and product excellence.

Teams

The Product Security sub-department includes the following teams. Learn more about each by visiting their Handbook pages.


Application Security
The application security team's mission is to support the business and ensure that all GitLab products securely manage customer data.
Data Security
GitLab's Data Security team investigates and remediates known unknowns in our data security and privacy posture.
Infrastructure Security
GitLab's Infrastructure Security provides security oversight of the SaaS.
Product Security Engineering
The Product Security Engineering team's mission is to create proactive and preventative controls which will scale with the organization and result in improved product security.
Security Architecture

Overview

Security Architects are the trusted security advisors of GitLab Engineering. Security Architecture is a natural extension of the greater Architecture initiative at GitLab. It is the preliminary and necessary work to build software with security considerations.

Objectives

Security Architecture protects the organization from cyber harm, and support present and future business needs by:

The process is designed with these constraints in mind:

Security Logging Overview
Security Logging supports and develops GitLab's security log ingestion platform.
Security Research

Team Focus

The Security Research team contributes to the Security Vision and Mission through projects that focus on identifying, quantifying, and developing solutions for complex security risks facing GitLab and its users. This work aims to improve the security posture of the product and the company, but always with an eye for contributing new functionality as a differentiator. Additionally, we aim to share our results widely in order to educate and bring awareness to the GitLab Security program.

Vulnerability Management

Vulnerability Management is the continual process of identifying, prioritizing, mitigating and remediating vulnerabilities. At GitLab we identify vulnerabilities in a number of different ways depending on the component being analyzed. This process and associated tooling is owned by the Vulnerability Management team.

+This page primarily outlines our vulnerability management policies and procedures at GitLab. The policies and procedures used to manage vulnerabilities at GitLab are collectively referred to as the Vulnerability Management Standard.

Last modified October 23, 2024: Adding the Data Security team. (4655804d)