Application Security
The application security team's mission is to support the business and ensure that all GitLab products securely manage customer data.
Product Security
Aligned with GitLab’s overarching information security strategy and its three-year plan, the Product Security Department (PSD) within the Security Division is responsible for crafting and directing a comprehensive vision to bolster the cybersecurity posture of the GitLab platform.
What is Product Security at GitLab?
At GitLab, product security encompasses a broad range of cybersecurity disciplines that enable product and engineering teams to design, develop, deploy, maintain, and refine GitLab’s technologies securely. This goes beyond the conventional confines of security, covering everything from protecting developer workstations to ensuring the integrity of our production environments.
The Product Security Mission
Our mission is to set the standard for product security by fostering a culture of rapid innovation and secure product delivery. We are committed to leveraging the GitLab platform, embodying the pinnacle of internal usage (‘dogfooding’) practices. By maintaining close collaboration with product teams and contributing significant security features and capabilities to the GitLab codebase, we aim to enhance our operations and be a vital driver of the broader GitLab vision.
Multi-Year Product Security Mission
Our comprehensive, multi-year product security mission can be found in our internal handbook.
Collaboration is Key
Success in product security is not confined to PSD or even the Security Division. It requires a concerted effort across the entire GitLab ecosystem. Collaboration is crucial, involving not just our security counterparts but the broader organization. Key disciplines and capabilities, from Security Operations to Site Reliability Engineering, while not directly under PSD’s purview, are vital to our strategy’s success.
Guiding Principles
- Business Enablement: PSD’s role is to facilitate GitLab in achieving its business goals by ensuring product teams can operate both efficiently and securely, bolstering customer trust, and utilizing transparency as a strategic advantage. This includes providing insightful product feedback through extensive dogfooding.
- Empathy and Accessibility: Recognizing that the optimal security solution may not always align with business or customer needs, PSD prioritizes understanding and empathizing with these unique perspectives. This empathetic approach guides our security practices and engagements, aiming to align our methods with the preferences of our customers and internal teams.
- Pragmatism Over Perfection: Addressing current challenges quickly and effectively is preferred over waiting for a perfect solution. PSD focuses on delivering incremental, tangible value through rapid, short-cycle initiatives, aiming for partial solutions that immediately benefit our long-term goals.
- Design for Rapid Iteration: Our strategy and roadmaps are crafted to quickly identify and learn from suboptimal decisions by engaging with customers and stakeholders early and maintaining a tight feedback loop. This approach helps us adapt and refine our strategies and approaches efficiently.
- Data-Driven Decision Making: Data drives our objectives, priorities, and actions, reducing the risk of failure or scope creep. Example useful metrics include root cause analyses of incidents (data within), threat modeling outcomes, and production readiness assessments, among others.
- Scalability and Repetition: PSD emphasizes scalable, repeatable processes over bespoke solutions, ensuring we can meet growing demands without proportional increases in resources.
- Decentralization and Empowerment: Acknowledging that product and engineering teams possess deep, specialized knowledge of their domains, PSD advocates for these teams to take ownership of security tasks like secure code reviews and threat modeling. This decentralization fosters a more integrated and effective security posture across GitLab.
- Integration with Reliability, Quality, Infrastructure, and Platform Engineering: PSD’s mission to mitigate product security flaws is inherently tied to improving overall product quality and reliability. We aim to leverage and integrate with the practices of existing teams to enhance both security and product excellence.
Teams
The Product Security sub-department includes the following teams. Learn more about each by visiting their Handbook pages.
- Application Security
- Infrastructure Security
- Product Security Engineering
- Vulnerabiity Management
- Security Research
- Security Architecture
Infrastructure Security Overview
GitLab's Infrastructure Security provides security oversight of the SaaS.
Product Security Engineering
The Product Security Engineering team's mission is to create proactive and preventative controls which will scale with the organization and result in improved product security.
Security Architecture
Overview Security Architects are the trusted security advisors of GitLab Engineering. Security Architecture is a natural extension of the greater Architecture initiative at GitLab. It is the preliminary and necessary work to build software with security considerations.
Objectives Security Architecture protects the organization from cyber harm, and support present and future business needs by:
Preventing Security from being an afterthought Conducting Security Architecture reviews Defining Security Architecture Principles Aligning with our security sub-departments requirements and expectations Assisting other departments in the design and architect of new features, services, products.
Security Research
Team Focus The Security Research team contributes to the Security Vision and Mission through projects that focus on identifying, quantifying, and developing solutions for complex security risks facing GitLab and its users. This work aims to improve the security posture of the product and the company, but always with an eye for contributing new functionality as a differentiator. Additionally, we aim to share our results widely in order to educate and bring awareness to the GitLab Security program.
Vulnerability Management
Vulnerability Management is the continual process of identifying, prioritizing, mitigating and remediating vulnerabilities. At GitLab we identify vulnerabilities in a number of different ways depending on the component being analyzed. This process and assosciated tooling is owned by the Vulnerability Management team.
This page primarily outlines our vulnerability management standards and processes at GitLab. The GitLab Vulnerability Management Standard defined on this page is a consistent process to identify, document, categorize, manage, and remediate all vulnerabilities that impact in-scope GitLab-managed systems and software projects.
Last modified April 10, 2024: Update product security section of the handbook to reflect current department structure (
54e13e98)
