Security Assurance

Security Assurance Mission and Vision

Our mission is to provide a high level of assurance that GitLab (the platform and company) is secure.

Our vision is to be a trusted sales enablement partner that is recognized internally and externally for its collaborative and transparent security assurance program, powered by AI and automation. This will be achieved through 10 strategic objectives:

  1. Establish GitLab as a thought leader in DevSecOps and AI.
  2. Accelerate the sales cycle to enable Sales to acquire new customers and reduce customer churn.
  3. Align Security Assurance with strategic business objectives and develop oversight for continuous alignment.
  4. Enhance the efficiency and effectiveness of Security Assurance through automated and custom-built solutions.
  5. Facilitate strategic initiatives to expand and improve GitLab’s external Security brand.
  6. Identify, manage, and reduce security risk through cross-functional collaboration, strategic prioritization, and proactive mitigation, including governance over data security and resilience programs.
  7. Pursue proactive compliance initiatives to maintain competitive advantage and enable customer acquisition through alignment with regulatory and industry-specific requirements.
  8. Foster intra-division collaboration to enable successful, timely, and cost-effective program and project initiation, management, and delivery through repeatable and scalable processes with consistent measurement and actionable reporting.
  9. Influence product development and enhancement through deliberate use and delivery of actionable feedback.
  10. Foster intra- and inter-division collaboration to enable effective and efficient identification and remediation of compliance findings.

Security Assurance Department Structure

There are four teams in the Security Assurance department.

Governance & Field Security
Security Compliance
Security Risk
Security Program Management
  • Security Program Management Team Page

Core Competencies

Field Security Core Competencies

Security Governance Core Competencies

Security Risk Core Competencies

Security Compliance Core Competencies

Core Tools and Systems

The Security Assurance sub-department utilizes a variety of tools to carry out day-to-day activities. The system admin is responsible for the following:

  • Configuration changes
  • Onboarding/offboarding/transfers (i.e. access)
  • Upgrades/patching/incidents
  • Migrations to new environments
  • Restores from backup
  • Admin level audit evidence
  • Quality oversight (limited scope)

All other actions are the responsibility of the assigned DRI.

System Name: Hyperproof
  System Description: Key system utilized for initiating, tracking/documenting, and completing Governance, Risk, and Compliance related activities.
  Admin: Donovan Felton
  DRI: Security Compliance - Madeline Lake; Security Risk - Ty Dilbeck

System Name: Authomize
  System Description: Key system utilized by Security Compliance for User Access Reviews.
  Admin: Alex Frank
  DRI: Platform - Alex Frank; Custom Connectors - Byron Boots

System Name: Safebase
  System Description: Trust center solution to host security collateral for customers to request.
  Admin: Donovan Felton
  DRI: Joe Longo

System Name: ProofPoint
  System Description: Key system utilized for the creation and distribution of our security training and phishing simulations to provide ongoing testing for adherence to various compliance frameworks.
  Admin: Donovan Felton
  DRI: Joe Longo

System Name: BitSight
  System Description: BitSight is used to assess and monitor software vendors as part of our Security Third Party Risk Management Program.
  Admin: Ryan Lawson
  DRI: Ty Dilbeck

System Name: GitLab - Security Assurance Projects
  System Description: Primarily used to engage stakeholders via issues, updates to Security Assurance related handbook pages, etc.
  Admin: Security Assurance Senior Director
  DRI: Each team is responsible for its own projects, but everyone can contribute.

Contacting the Team

Team READMEs

References

Check out these great security resources built with our customers in mind:

Automation and Compliance
Purpose The goal of this handbook page is to document the goals and priorities for the automation in …
Field Security Team
Governance and Field Security team charter Field Security Team The Field Security team serves as the …
Observation Management Procedure
This procedure details the and remediation process for observations.
Production Readiness: Compliance Assessment
The Compliance Production Readiness Assessment is a process designed to make it clear what obligations systems owners have for configuring and hardening a system/tool/service in order for GitLab to meet its compliance and regulatory obligations.
Security Compliance Team
Security Compliance Team
Security Enablement Team Charter
Team Charter Mission The mission of the Security Enablement team is to: (i) drive the development of …
Security Governance Program
Security Governance Program
Security Risk Team
Security Risk Team Charter
Security Terms Glossary
A glossary of common Security Terms that may be encountered in Security Assurance documentation.
Technical and Organizational Security Measures for GitLab Cloud Services
Technical and Organizational Security Measures for GitLab Cloud Services
Technical Security Validation
Technical Security Validation
Last modified February 18, 2025: Adding updated vision to handbook (b61b39aa)