Application Security - Async Communication
As the Application Security team spans too many different time zones to have a reasonable schedule for a team-wide synchronous meeting, we'll try to handle most discussions asynchronously.
The main problem to solve is knowing that other team members have had a chance to respond to a given issue.
In order to point other AppSec team members we use the needs-eyes label under
- Technical issues which need eyes should be created as meta-issues under gitlab-com/gl-security/appsec/appsec-reviews
- Non-technical issues should be created under gitlab-com/gl-security/appsec/appsec-team
Within the labeled issues, any asynchronous discussion can take place. If a team member has read the issue but has no further input, it should be marked as acknowledged with a ✔️ emoji reaction.
When the team member who labeled the issue is happy with the results of the discussion, the needs-eyes label can be removed.
In needs-eyes labeled issues, team members can decide to switch to synchronous communication and schedule a Zoom meeting in order to resolve questions more quickly.
If this happens, the date/time and Zoom URL should be noted in the issue to give other team members the chance to join in. Additionally, the meeting should be recorded and made available to the whole AppSec team.