Team Member Upskilling

Team Member Upskilling Runbook

This runbook is a collection of resources for new or existing Product Security Engineers, or for those looking to build a body of work to enhance their skills and knowledge in product security. This runbook is designed to provide guidance and resources for continuous learning and professional development.

1. Core Competencies

Team members should work to become proficient in the following core competencies:

  • Web application security
  • Secure coding practices
  • Threat modeling
  • Risk assessment and management

Team members should also have ‘good’ knowledge of the following areas; enough to know how to go and learn more should the need arise:

  • Cloud / network security
  • Cryptography

2. Learning Paths

These learning paths are designed to help new team members in Product Security Engineering get up to speed and make meaningful contributions. They provide a balance of quick wins and longer-term skill development, focusing on core competencies essential to our mission. Choose one or more paths that align with your interests and the team’s current priorities.

1. “Paved Road & Defense-in-Depth” Learning Path

Essential:

  • Analyze a historic GitLab vulnerability (from release posts or our internal or public Reproducible Vulnerabilities page) or identify a class of recurring issues from Bug Bounty Stats or HackerOne
  • Design a solution that makes it easier for developers to avoid this class of bug (“paved road”), and/or prevents or mitigates the class of bug (defense-in-depth)
  • Document your solution design in an issue (and/or epic & child items)
    • Have the solution peer reviewed by a teammate
    • Iteratively refine it until it’s in the ~workflow::ready for development state

Recommended:

  • Add it to a milestone and implement your solution
  • Reproduce a historic vulnerability on a local version of GitLab
  • Create a threat model that encompasses the vulnerability you chose
  • Compare your designed solution to our actual patches and defense-in-depth measures

2. “Secure GitLab with GitLab” Learning Path

Essential:

  • Identify an existing issue off our issue board or select a ~ProdSecEngCandidate issue which will help one of the Product Security teams better secure GitLab (the org) with GitLab (the product)
  • Document your solution design in an issue (and/or epic & child items)
    • Have the solution peer reviewed by a teammate
    • Iteratively refine it until it’s in the ~workflow::ready for development state

Recommended:

  • Add it to a milestone and implement your solution
  • Conduct a post-implementation review and propose improvements
  • Collaborate with the Application Security team to identify other high-impact automation opportunities

3. “Security Upskilling and Collaboration” Learning Path

Essential:

  • Review the following and identify areas that you want to learn more about:
  • Create an issue or epic to track your learning efforts. Include:
    • Type of training / URL(s)
    • Your goal, estimated effort, & milestone
    • Links to G&D issues if you need to apply for budget (certifications, online courses, etc)

Recommended:

  • Update this page with resources or processes you found helpful!
Last modified September 24, 2024: Add a runbook for new team members (7cdd7f25)
View page source - Edit this page - please contribute. Creative Commons License