Security Shadow: Product Security

Completion of each course you will receive a certificate. At the completion of all 3 courses your name will be recognized on this page.

Restrictions

Please keep in mind that there are some restrictions on what can and cannot be shared as part of the shadow program, particularly related to high severity vulnerabilities or incidents.

For example if a shadow is watching an AppSec team member triage HackerOne issues and a High or Critical vulnerability is reported, the shadow call should end.

Application Security

Do you like complexity? Do you have a knack for identifying insecure edge cases, communicating them and helping provide alternative solutions? Do you enjoy spending time in confidential issues 🔒? How about sifting through false positives, duplicates, spam, and other invalid security reports to improve the signal to noise ratio? If your response to each of these questions is an enthusiastic “Yes,” then there’s a strong likelihood that the work of the AppSec Team will interest you.

Schedule / Topics Covered:

  • AS101.1: Intro to AppSec (1 hour)
  • AS101.2: HackerOne “The Program” (1-2 hours)
  • AS101.3: AppSec Review Ride-Along (1-2 hours)
  • AS101.4: Stable Counterparts and Working with Engineering Teams (1 hour)
  • AS101.5: Security “It’s Happening” Release (1-2 hours)

This schedule is a suggestion. The AppSec Engineer and the shadow are encouraged to communicate ahead of time or during the first session to understand the interests of the shadow to adapt the schedule in a way that provides as much value as possible to them.

It is also suggested to have a Google Doc to write down questions that might come between sessions. This captures questions and thoughts from the shadow and gives time to the AppSec Engineer to prepare quality answers before the next session.

Course Length:

5 days, 5-8 hours

Team Manager: Andrew Kelly @ankelly, Vitor Meireles De Sousa @vdesousa

Security Research

The Security Research Team is a multi-discipline team that seeks to answer the deep questions: “What can be done to detect malicious dependencies before they are known to be malicious?”; or “What is the attack surface of Kubernetes, and how does it apply to the GitLab Helm Chart?”; or “How can we do lightweight, but effective threat modeling as part of our SDLC?”. We enjoy asking, and answering the questions that need depth to be answered, and working with other teams, inside and outside of security, to apply the findings to GitLab problems. Like any good research organization, we also look to share our findings with the wider security community, be it through responsible disclosure, blog posts, or participation in conferences.

Schedule / Topics Covered:

  • SR101.1: Intro into Security Research w/ Ethan (1 hour)
  • SR101.2a: Rabbit Hole #1 w/ Joern (1-2 hours)
  • SR101.2b: Rabbit Hole #2 w/ Mark (1-2 hours)
  • SR101.2c: Rabbit Hole #3 w/ Dennis (1-2 hours)

Course Length:

2 days, 6-8 hours

Team Manager: Ethan Strike @estrike

Enrollment

Ready to enroll? Click here for more information.

Last modified April 10, 2024: Update product security section of the handbook to reflect current department structure (54e13e98)
View page source - Edit this page - please contribute. Creative Commons License