Application Security - Async Communication
Overview
Because the Application Security team spans too many time zones to schedule a reasonable team-wide synchronous meeting, we handle most discussions asynchronously.
The main problem to solve is knowing whether every team member has had a chance to respond to a given issue.
needs-eyes Label
To point other AppSec team members to an issue that needs their attention, we apply the needs-eyes label within https://gitlab.com/gitlab-com/gl-security/product-security/appsec/
- Technical issues which need eyes should be created as meta-issues under gitlab-com/gl-security/product-security/appsec/appsec-reviews
- Non-technical issues should be created under gitlab-com/gl-security/product-security/appsec/appsec-team
Any asynchronous discussion can take place within the labeled issues. If a team member has read the issue but has no further input, they should acknowledge it with a ✔️ emoji reaction so the author can tell that everyone has seen it.
When the team member who applied the label is satisfied with the results of the discussion, the needs-eyes label can be removed.
Synchronous meetings
Within a needs-eyes labeled issue, team members can decide to switch to synchronous communication and schedule a Zoom meeting in order to resolve questions more quickly.
If this happens, the date/time and Zoom URL should be noted in the issue to give other team members the chance to join. Additionally, the meeting should be recorded and the recording made available to the whole AppSec team.