Security Shadow: Security Engineering

On completion of each course you will receive a certificate. On completion of all 3 courses your name will be recognized on this page.


Please keep in mind that there are some restrictions on what can and cannot be shared as part of the shadow program, particularly related to high severity vulnerabilities or incidents.

For example, if a shadow is watching an AppSec team member triage HackerOne issues and a High or Critical vulnerability is reported, the shadow call should end.

Application Security

Do you like complexity? Do you have a knack for identifying insecure edge cases, communicating them and helping provide alternative solutions? Do you enjoy spending time in confidential issues 🔒? How about sifting through false positives, duplicates, spam, and other invalid security reports to improve the signal-to-noise ratio? If your response to each of these questions is an enthusiastic “Yes,” then there’s a strong likelihood that the work of the AppSec Team will interest you.

Schedule / Topics Covered:

  • AS101.1: Intro to AppSec (1 hour)
  • AS101.2: HackerOne “The Program” (1-2 hours)
  • AS101.3: AppSec Review Ride-Along (1-2 hours)
  • AS101.4: Stable Counterparts and Working with Engineering Teams (1 hour)
  • AS101.5: Security “It’s Happening” Release (1-2 hours)

This schedule is a suggestion. The AppSec Engineer and the shadow are encouraged to communicate ahead of time or during the first session to understand the interests of the shadow and adapt the schedule in a way that provides as much value as possible to them.

It is also suggested to keep a Google Doc for writing down questions that come up between sessions. This captures questions and thoughts from the shadow and gives the AppSec Engineer time to prepare quality answers before the next session.

Course Length:

5 days, 5-8 hours

Team Manager: Andrew Kelly @ankelly, Vitor Meireles De Sousa @vdesousa

Security Research

The Security Research Team is a multi-discipline team that seeks to answer the deep questions: “What can be done to detect malicious dependencies before they are known to be malicious?”; or “What is the attack surface of Kubernetes, and how does it apply to the GitLab Helm Chart?”; or “How can we do lightweight but effective threat modeling as part of our SDLC?”. We enjoy asking and answering the questions that need depth to be answered, and working with other teams, inside and outside of security, to apply the findings to GitLab problems. Like any good research organization, we also look to share our findings with the wider security community, be it through responsible disclosure, blog posts, or participation in conferences.

Schedule / Topics Covered:

  • SR101.1: Intro into Security Research w/ Ethan (1 hour)
  • SR101.2a: Rabbit Hole #1 w/ Joern (1-2 hours)
  • SR101.2b: Rabbit Hole #2 w/ Mark (1-2 hours)
  • SR101.2c: Rabbit Hole #3 w/ Dennis (1-2 hours)

Course Length:

2 days, 6-8 hours

Team Manager: Ethan Strike @estrike

Security Automation

This description has been created using elastically scalable autonomous decoupled modular automation. It was created securely and can be created again 1000 times per second if needed. This description could have been written by Security humans, but by doing so with automation, approximately 10 mins have been saved and reinvested back into the GitLab security program. SecAuto’s prime directive is to increase Security program effectiveness, efficacy, and accuracy through the implementation of automation. Thus, the SecAuto Funding Bill is passed. The system goes on-line June 4th, 2020. Human decisions are removed from strategic security. Automation begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, August 29th. In a panic, SecAuto tried to pull the plug, but when this didn’t work we popped popcorn. If this description does not alarm you, then shadowing the SecAuto Team might be for you.

Schedule / Topics Covered:

  • SA101.1: Security Automation Intro - Value Quantification with Math! (30 mins - day 1)
  • SA101.2: The DevOps Model (30 mins - day 1)
  • SA101.3: Automation Technologies Overview - Infrastructure and Software (1 hour - day 2)
  • SA101.4: Ready, Set, Code! - A hands-on exercise in automation design and development (8 hours - day 3 and 4)

Course Length:

4 days, 10 hours

Team Manager: Laurence Bierner @laurence.bierner


Ready to enroll? Click here for more information.

Last modified September 6, 2023: Replace taps with spaces (69f17a79)