Application Security Operations
Last updated: May 27, 2025
The Application Security Subdepartment is made up of two teams, the Secure Development and Design Team and the Product Security Incident Response Team (PSIRT). These two teams work together to anticipate and prevent the introduction of vulnerabilities during design and development, as well as identify, assess, and respond to security vulnerabilities discovered in GitLab products and services.
Helpful Quicklinks for GitLab Engineers
- Application Security Reviews
- Application Security Stable Counterparts
- Threat modeling
- Backlog reviews: When necessary, a backlog review can be initiated; see the Vulnerability Management page for more details.
- GitLab AppSec Inventory
- Responding to customers security scanners review requests
- Root Cause Analysis for Critical Vulnerabilities
Learn how to identify or remediate security issues using real examples with GitLab’s Reproducible Vulnerabilities.
Learn how GitLab is implementing Reproducible Builds for our build processes.
Learn more about the automation initiatives that the Application Security team uses on the Application Security Automation and Monitoring page.
GitLab Secure Tools coverage
As part of our dogfooding effort, Secure Tools are set up on many different GitLab projects (see our policies). This list is too dynamic to be included in this page and is now maintained in the GitLab AppSec Inventory.
Projects without the expected configurations can be found in the inventory violations list (internal link).
Useful resources for AppSec engineers
Application Security Engineer Runbooks
Application Security Engineer Job Families
PTO
Team members who are taking PTO for 5 days or more must both discuss time off with their manager prior to scheduling, to ensure visibility and adequate team operational coverage, and create a PTO coverage issue to organize their coverage during their time off. The PTO coverage issue should:
- List any potential requests that could come to the team while on PTO
- The team member taking PTO should organize their work accordingly and ensure the PTO coverage issue contains the context required to handle the work
- Assign primary and secondary responsible team members
AppSec team members should add any important information related to the work they are covering for the person on PTO, and AppSec manager(s) should add any important announcements for that person to see upon their return.
Team Bookmarks
- The AppSec private group that contains other private subgroups and projects
- The appsec-lab group on Staging. This has an Ultimate license.
- Bug bounty council search
- Upcoming patch release
- GitLab Project Security dashboard
- Security issue board that tracks ongoing issues (HackerOne and others)
- The latest releases
- Overview of a project member permissions
- The DevOps stages and their different groups. This page contains information on the development teams, their areas of focus, and their team members as well as the AppSec stable counterparts. It is used to assign issues to the stable counterparts.
- The product features listed by groups that own them
- List of merged security issues in gitlab-org. Note: It can include results from the security mirror gitlab-org/security/.
- Application Security KPIs & Other Metrics - Embedded KPIs which can be filtered by section, stage, or group.
- Milestone Planning - The GitLab Application Security team plans work based around Milestones; see this page for a description of that process.
The list above is not exhaustive and is subject to change as our processes keep evolving.
Meeting Recordings
The following recordings are available internally only:
Content Review and Updates
This page will be reviewed quarterly to ensure alignment with company and divisional priorities, the GitLab Security product roadmap, and relevant business and operational changes. Updates may occur more frequently as business operations evolve.
Next scheduled review: June 30, 2025