Security Shadow: Security Assurance

Completion of each course you will receive a certificate. At the completion of all 3 courses your name will be recognized on this page.

Security Compliance

Security Compliance: Where “Just do whatever you want” comes to die. Have you ever wondered where all those pesky security requests and requirements come from and why in the world you’re always being asked to provide evidence and talk through how systems are designed and configured? Well then good news! Come join the security compliance team for a shadow rotation where we’ll have you:

  • Reading through information security framework documentation
  • Reviewing system access
  • Creating information security policies and standards
  • Testing security controls to see if what we want to have happen within our systems is what’s actually happening

After a couple weeks with the team you’ll have a basic understanding of where these requirements come from and you’ll make compliance friends for the rest of your life when auditors come to you in the future and you can say “Let’s talk about the spirit of this control and figure out the easiest way to get you the evidence you need.”

If you have any questions please reach out in #sec-assurance and we’ll be happy to tell you more!

Schedule / Topics Covered:

SC101.1: Security Control Testing

  • Understanding the spirit of a security control
  • Common control requirements mapping
  • Control implementation statements
  • Evidence requests
  • Test of design (TOD)
  • Test of operating effectiveness (TOE)
  • Observations, notes, and information output

SC101.2: Terminated User Access Review

  • Overview of process
  • Review of compliance requirements
  • User listing requests
  • Identifying terminated users
  • Reporting back to system owners
  • Review of access review automation

Course Length:

3 days, 6-9 hours

Team Manager:

Jeff Burrows @jburrows001

Field Security and Governance

Our goal on the Field Security team is to be the liaison between GitLab’s Security Department and outside requests. We do this by providing sales enablement, evalngalism and educational activities, and responding to customer concerns related to security. By proactively positioning the Field Security team in this way, we can effectively triage requests and facilitate communication while supporting our GitLab teammates.

Schedule / Topics Covered:

FSG101: Sales Support and Self- Service Security

  • Review various types of customer requests
  • Demo of RFP repository of common questions
  • Review of ZenDesk queue and requests
  • Try it out- Pretend you are answering a questionnaire for a customer. Complete a mini questionnaire using the resources discussed in this lesson.

FSG102: The Face of Security

  • Review ways we represent security in the public light (blog posts, events, training)
  • Discuss certification requests and how we triage/review those requests
  • Review a new request and discuss the gap analysis process
  • Try it out- Write a paragraph (or full blog post) about something you learned during this course. Spread the GitLab security story!

FSG103: Intro to Governance, Risk, and Compliance (GRC) Application

  • Overview of the purpose of GRC tools
  • Tour of GitLab’s specific GRC application
  • Inputs that feed into the GRC application
  • Outputs generated by the GRC application
  • Audit/assessment demo
  • GRC application dashboarding/reporting

Course Length:

3 days, 4-6 hours

Team Manager:


Security Risk

The Security Risk team acts as a shield between GitLab and the dangers lurking within our environment. We do this by conducting third party assessments and security operational risk management activities to proactively identify and analyze risk early and often. This allows GitLab to iterate and improve quicker and ultimately provide our customers with a secure and scalable product.

Schedule / Topics Covered:

RSK101: Risk Management

  • Review the different types of risks and their sources- StORM and Third Party Risk
  • Learn the main components of risk management
  • Discuss the “hand off” process- where does Risk Management end?
  • Try it out- You will be given a risk scenario to traige, document a root cause, and create a risk treatement plan

Course Length:


Team Manager:



Ready to enroll? Click here for more information.