Security at GitLab

Security Vision and Mission

Our vision is to transparently lead the world to secure outcomes.

Our mission is to enable everyone to innovate and succeed on a safe, secure, and trusted DevSecOps platform. This will be achieved through 5 security operating principles:

  1. Accelerate business success with a focus on:
    • Prioritize ‘boring’, iterative solutions that minimize risk
    • Find ways to say Yes
    • Understand goals before recommending solutions
    • Use GitLab first
  2. Efficient operations with a focus on:
    • Technical controls over handbook rules
    • Leverage automation first (robots over humans)
    • Responsible decisions (Spending, Tooling, Staffing, etc) over low ROI (return on investment) decisions
    • Reusable or repeatable over singular solutions
  3. Transparency with a focus on:
    • Responsible protection of MNPI (material non-public information)
    • Evangelize dogfooding of GitLab publicly
    • Lead with metrics
    • Balance security with usefulness
  4. Risk Reduction with a focus on:
    • Secure by default
    • Preventative controls over detective controls
    • Solving root causes over treating symptoms
    • Visibility through Coverage, Discoverability, Observability
  5. Collaborative Culture with a focus on:
    • Working together on common solutions
    • Solve shared problems with shared solutions
    • Simplifying language for everyone to understand
    • Avoiding security jargon
    • Seek opportunities to help others succeed

To help achieve the vision of transparently leading the world to secure outcomes, the Security Division has nominated a Security Culture Committee.

Division Structure

The Security Division provides essential security operational services, is directly engaged in the development and release processes, and offers consultative and advisory services to better enable the business to function while minimising risk.

To reflect this, we have structured the Security Division around four key tenets, which drive the structure and the activities of our group. These are :

Product Security
Security Operations
Threat Management
Security Assurance

Secure the Product - The Product Security Department

The Product Security Department is primarily focused on Securing the Product. This reflects the Security Division’s current efforts to be involved in the Application development and Release cycle for Security Releases, Infrastructure Security, and our HackerOne bug bounty program.

The term “Product” is interpreted broadly and includes the GitLab application itself and all other integrations and code that is developed internally to support the GitLab application for the multi-tenant SaaS. Our responsibility is to ensure all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards, and to be proactive and responsive to ensure world-class security in anything GitLab offers.

Protect the Company - The Security Operations Department

Security Operations Department teams are primarily focused on protecting GitLab the business and GitLab’s platform. This encompasses protecting company property as well as to prevent, detect and respond to risks and events targeting the business and our platform. This department includes the Security Incident Response Team (SIRT) and the Trust and Safety team.

These functions have the responsibility of shoring up and maintaining the security posture of GitLab’s platform to ensure enterprise-level security is in place to protect our new and existing customers.

Lead with Data - The Threat Management Department

Threat Management Department teams are cross-functional. They are responsible for collaborating across the Security Division to identify, communicate, and remediate threats or vulnerabilities that may impact GitLab, our Team Members or our users and the community at large.

Assure the Customer - The Security Assurance Department

The Security Assurance Department is comprised of the teams noted above. They target Customer Assurance projects among their responsibilities. This reflects the need for us to provide resources to our customers to assure them of the security and safety of GitLab as an application to use within their organisation and as a enterprise-level SaaS. This also involves providing appropriate support, services and resources to customers so that they trust GitLab as a Secure Company, as a Secure Product, and Secure SaaS

Other groups and individuals

Security Program Management

Security Program Management is responsible for complete overview and driving security initiatives across Product, Engineering, and Business Enablement. This includes the tracking, monitoring, and influencing priority of significant security objectives, goals, and plans/roadmaps from all security sub-departments. Security Program Manager Job Family

Security Program areas of focus
  • Drive Accountability & Visibility for Program Objectives & Goals
  • Drive, Gather, & Examine Program Needs & Opportunities through Intra & Inter Organizational Collaboration
  • Provide Insights & Suggestions Impacting Program Strategy & Roadmap
  • Assist in Gathering & Prioritizing Program Risks, Requirements, & Alignment to Influence Remediation
  • Drive & Define Acceptance Criteria, Value Proposition, Milestones to Visualize and Communicate Program Effectiveness
  • Develop Repeatable, Scalable, Efficient, Effective, Processes & Procedures

Product development

In keeping with our core values and the belief that everyone can contribute, the Security Division is committed to dogfooding and contributing to the development of the GitLab product.


Contacting the Team

Reporting vulnerabilities and security issues

For information regarding GitLab’s HackerOne bug bounty program, and creating and scheduling security issues, please see our engaging with security page and our Responsible Disclosure Policy.

Reporting an Incident

If an urgent security incident has been identified or you suspect an incident may have occurred, please refer to Engaging the Security Engineer On-Call. Examples include, but are not limited to:

  • Lost or stolen devices
  • Leaked credentials
  • Endpoint compromise or infection
  • Exposure of sensitive GitLab data

GitLab provides a panic@gitlab.com email address for team members to use in situations when Slack is inaccessible and immediate security response is required.

This email address is only accessible to GitLab team members and can be reached from their gitlab.com or personal email address as listed in Workday. Using this address provides an excellent way to limit the damage caused by a loss of one of these devices.

Additionally if a GitLab team member experiences a personal emergency the People Group also provides an emergency contact email.

Sub-groups and projects

Many teams follow a convention of having a GitLab group team-name-team with a primary project used for issue tracking underneath team-name or similar.

Slack Channels

  • #security; Used for general security questions and posting of external links for the great discussions. Company wide security relevant announcements are announced in #whats-happening-at-gitlab and may be copied here.
  • #security-department - Daily questions and discussions focused on work internal to the Security Division. Can be used for reporting when unsure of where to go.
  • #abuse - Used for reporting suspected abusive activity/content (GitLab Internal) as well as general discussions regarding anti-abuse efforts. Use @trust-and-safety in the channel to alert the team to anything urgent.
  • #security-department-standup - Private channel for daily standups.
  • #incident-management and other infrastructure department channels
  • #security-alert-manual - New reports for the Security Division from various intake sources, including ZenDesk and new HackerOne reports.
  • #hackerone-feed - Feed of most activity from our HackerOne program.
  • Other #security-alert-* and #abuse* - Multiple channels for different notifications handled by the Security Division.
  • Use the @sirt-members mention in any Slack channel to tag the members of the Security Incident Response Team (SIRT).
  • Use the @sec-assurance-team mention in any Slack channel to tag the members of the Security Compliance, Risk, and Governance & Field Security teams.
  • Use the @field-security mention in any Slack channel to tag the members of the Field Security team.
  • Use the @appsec-team mention in any Slack channel to tag the members of the Application Security team.
  • Use the @trust-and-safety mention in any Slack channel to tag the members of the Trust & Safety team.
  • Use the @security-identity mention in any Slack channel (or #security-identity-ops) to tag members of the Identity team.

Division, Department, and Team updates

We believe it is important to share regular updates at various levels of the Security Division, and we use Slack as the primary mechanism for providing these updates. Our updates are open to all GitLab team members using the following process:

  • Start of each month: A thread per-department is started in #security-department by each department leader (CorpSec, ProdSec, SecAssurance, SecOps). These threads are pinned for the duration of the month.
    • Thread template:
      • <MONTH> <DEPARMENT> Weekly Updates
      • Example: August Product Security Weekly Updates
  • Weekly: At least once a week, teams provide updates they wish to share within the appropriate thread. For example, updates from Vulnerability Management would be placed in the Product Security thread for the given month.
    • These weekly updates, while highly encouraged, are strictly optional and should represent content that ICs and managers feel should be highlighted. Teams are encouraged to define processes and DRIs around these updates that work for them.
    • Individuals providing the weekly updates are encouraged to use the “Also send to #security-department” option within the thread to increase visibility.
  • End of each month: Departmental leaders prepare a monthly update, including no more than three updates per team, and post it in #ciso within the first week of the following month.
    • Each monthly update should include a brief preface written by the departmental leader covering any notable themes or other strategic updates.
    • Each of the three updates per-team should be no more than 2-3 sentences and include at least one link to allow readers to gain additional context. Links should be to GitLab Issues or Epics wherever possible. If information is confidential and not able to be added to an Issue or Epic, a note should be added indicating this.
    • It is recommended that departmental leaders build their monthly update over the course of the month via a GitLab issue (see an example) in collaboration with their managers and senior ICs.

Ransomware

For an overview of the communication and response process for a suspected ransomware attack, please see our Responding to Ransomware page.


Important topics

Tokens

The following best practices will help ensure tokens are handled appropriately at GitLab. For detailed requirements regarding the use of tokens at GitLab, please see our token management standard.

  1. When creating a Personal Access Token, be sure to choose the appropriate scopes that only have the permissions that are absolutely necessary.
  2. Oftentimes a Project Access Token might be sufficient instead of a Personal Access Token. Project Access Tokens have a much more limited scope and should be preferred over Personal Access Tokens whenever possible.
  3. Always set an expiration for your tokens when creating them. Tokens should preferably expire in a matter of hours or a day.
  4. Be mindful to keep these personal access tokens secret. Be particularly careful not to accidentally commit them in configuration files, paste them into issue or merge request comments, or otherwise expose them.
  5. Please consider periodically reviewing your currently active Personal Access Tokens and revoking any that are no longer needed.
  6. Personal Access Tokens will be highly discouraged within the GitLab production environment, and disallowed/disabled wherever possible. Existing tokens shall remain, but additional issuance will not be permissible/possible.
  7. If you believe a personal access token has been leaked, revoke it immediately (if possible) and contact the security team using the /security Slack command.

Receive notification of security releases

Resources

Tools

  • Incident-Tools (private) for working scripts and other code during or while remediating an incident. If the tool is applicable outside of the GitLab.com environment, consider if it’s possible to release when the ~security issue becomes non-confidential. This group can also be used for private demonstration projects for security issues.
  • security-tools (mostly private) contains some operational tools used by the security teams. Contents and/or configurations require that most of these projects remain private.

Calendar

We welcome GitLab team members to join meetings that are on our shared Security Calendar.

Other Frequently Used GitLab.com Projects

Security crosses many teams in the company, so you will find ~security labeled issues across all GitLab projects, especially:

When opening issues, please follow the Creating New Security Issues process for using labels and the confidential flag.

Other Resources for GitLab Team Members

AI in Security Learning Group

This group is setup to help interested Security team members get up to speed with AI technologies and how to secure them. For more information, see the AI in Security Learning Group page.


Access Management Policy

Purpose

This policy is intended to outline the access management controls implemented by GitLab.

Scope

These controls apply to information and information processing systems at the application and operating system layers, including networks and network services.

Roles & Responsibilities

Role Responsibility
Security Assurance Responsible for implementing and executing this policy
Business or System Owners Alignment to this policy and any related standards
Security Assurance Management (Code Owners) Responsible for approving significant changes and exceptions to this policy
Team Members Responsible for adhering to the requirements of this policy

Policy

Access requests and reviews

Access requests are opened for all new or changing access. (AC-2)

AI in Security Learning Group
This learning group is to help interested GitLab Security team members to learn and share what they have learned about artificial intelligence (AI) and machine learning (ML) technologies.
Change Management Policy

Purpose

This policy is intended to outline the change management controls implemented by GitLab.

Scope

Changes, in the context of this policy, are defined as modifications, including, but not limited to:

  • Creation/development/implementation of new systems, integrations, features, key reports, databases, etc.
  • Changes to configurations
  • Deployment of patches or vendor supplied changes not managed by the vendor
  • Modifications to data schemas
  • System deprecation
  • New access or role creation
  • Broadly speaking, any change that will impact how team members carry out their responsibilities

The policy applies to changes that are made to systems assigned a Critical System Tier of Tier 1 Mission Critical, Tier 2 Business Critical, and Tier 3 Business Operational.

Contributing to GitLab the Product as a Security Team Member

Product Security Code Contributions

Security Engineers typically act as Subject Matter Experts and advisors to GitLab’s engineering teams. Security Engineers may wish to make a larger contribution to GitLab products, for example a defense-in-depth measure or new security feature.

Like any contributor, follow the Contributor and Development Docs, paying particular attention to the issue workflow, merge requests workflow, style guides, and testing standards.

Security Engineers will need to collaborate with and ultimately hand over their work to a team in the Development Department. That team will be responsible for prioritisation, review, rollout, error budget, and maintenance of the contribution. Security Engineers should ideally open an Issue or Epic as early as possible, labeled with the candidate owning team. The team can inform implementation or architectural decisions, highlight existing or upcoming work that may impact yours, and let them plan capacity for reviewing your work.

Controlled Document Procedure
GitLab deploys control activities through policies and standards that establish what is expected and procedures that put policies and standards into action.
Corporate Security (CorpSec)

👋 Welcome to Corporate Security, we’re glad you’re here! You may also know us as the former IT Operations team that moved from the Finance to Security division in early 2024.

Need Help?

Please try exploring the following pages to see if your question has been answered in the handbook pages. If not, please ask in the #it_help channel and one of our Support Analysts will reply as soon as possible.

Critical Projects

How are critical projects defined?

These projects aren’t considered a function of OKRs (e.g., ambitious) but are considered critical because they

  • must be accomplished fully within a specific time frame; and
  • require cross-functional collaboration; and
  • address immediate-term risks within security or GitLab

Critical Projects must use the label sec-okr::p0.

Engaging with Security

Vulnerability Reports and HackerOne

GitLab receives vulnerability reports by various pathways, including:

  • HackerOne bug bounty program
  • Reports or questions that come in from customers through Zendesk.
  • Issues opened on the public issue trackers. The security team can not review all new issues and relies on everyone in the company to identify and label issues as ~bug::vulnerability and @-mention @gitlab-com/gl-security/product-security/appsec on issues.
  • Issues reported by automated security scanning tools

For any reported vulnerability:

External Security Communications Procedure
Procedures for handling communications regarding security
GitLab Audit Logging Policy

Purpose

To ensure the proper operation and security of GitLab.com, GitLab logs critical information system activity.

Scope

The audit logging policy applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.

Roles & Responsibilities

Role Responsibility
GitLab Team Members Responsible for following the requirements in this policy
Security Team Responsible for implementing and executing this policy
System Owners Definition of individual audit log criteria; Definition and execution of system audit log procedures
Security Management (Code Owners) Responsible for approving significant changes and exceptions to this policy

Policy

  • GitLab shall log and monitor critical information system activity.
  • Logs must be retained for a defined period of time.
  • Logs must not be modified and or deleted.
  • Access to audit log data must be limited based on the principle of least privilege.

Inline with GitLab’s Continuous Monitoring Controls System Owners are responsible for determining what constitutes “critical information system activity” in their respective system based on their experience and professional judgement

GitLab Continuous Security Framework
The GitLab Continuous Security Framework workflow
GitLab Cryptography Standard
This is the GitLab Cryptography Standard. It outlined cryptographic choices, including algorithms as well as important settings that may be associated with the algorithms. It applies to GitLab code and well as infrastructure configuration.
GitLab Data Classification Standard

Purpose

The Data Classification Standard defines data type and categories and provides the associated Data Classification of each for the purposes of determining the level of protection to be applied to GitLab and Customer data throughout its lifecycle.

Scope

The Data Classification Standard applies to all GitLab team members, contractors, consultants, vendors and other service providers that handle, manage, store or transmit GitLab data.

Roles & Responsibilities

Role Responsibility
GitLab Team Members Responsible for adhering to the requirements outlined in this standard
Data Owners Responsible for approving exceptions to this standard for their owned data types. These are generally the Business Owners of a system.
Security and Legal (Code Owners) Responsible for approving significant changes and exceptions to this standard

GitLab Responsibilities

  • GitLab team members, contractors, consultants, vendors and all other service providers acting on behalf of GitLab are required to review and understand this data classification standard, and how to handle data according to the classification levels below unless otherwise noted.

GitLab Password Guidelines

Passwords at GitLab

Passwords are one of the primary mechanisms that protect GitLab information systems and other resources from unauthorized use. GitLab’s password standard is based, in part, on the recommendations by NIST 800-63B. The password standard sets the requirements for constructing secure passwords and ensuring proper password management. GitLab utilizes 1Password for password management.

1Password

1Password is a password manager that can be used in two different ways - as a standalone application (by purchasing a standalone license) or as a hosted service (by subscribing). GitLab uses 1Password for Business which is a hosted service.

GitLab Password Standards

Purpose

This document outlines information security password standards intended to protect GitLab information systems and other resources containing confidential (Red and Orange) GitLab data from unauthorized use, where technically feasible.

Scope

Applies to all GitLab team members, contractors, advisors, and contracted parties interacting with GitLab computing resources and accessing confidential data.

Roles & Responsibilities

Role Responsibility
GitLab Team Members Responsible for adhering to the requirements outlined in this standard
Security Responsible for defining and monitoring implementation of these standards for critical applications
Security Management (Code Owners) Responsible for approving significant changes and exceptions to these standards

Standard

Constructing secure passwords and ensuring proper password management is essential. GitLab’s password standards are based, in part, on the recommendations by NIST 800-63B. To learn what makes a password truly secure, read this article or watch this conference presentation on password strength.

GitLab Projects Baseline Requirements
The hb page outlines baseline configurations that should be setup for GitLab projects which impact the GitLab codebase.
GitLab Security Logging Standards

Purpose and Scope

The purpose of this security logging standard is to define GitLab’s requirements for security logging. This document covers both security logging in GitLab’s SIEM (Devo) as well as security logging requirements for systems not sending logs to GitLab’s SIEM.

Roles & Responsibilities

Role Responsibility
GitLab System Owners (as defined in GitLab’s tech stack) Directly Responsible for adhering to the requirements outlined in this standard
Security Operations Team Directly Responsible for the prioritization, onboarding and maintenance of logs in the Security team’s SIEM (Security Information Event Management) system, Devo.

Security Logging Requirements

Security logs are generated by applications and systems used on GitLab and are primarily used for security monitoring, security incident response and cyber threat hunting.

GitLab Security Resource Center
Provides an aggregated listing of popular and important links and information for GitLab's customers and prospects.
GitLab Security Secure Coding Training

This page contains information on secure training initiatives sponsored by the GitLab Security team.

Security Development Process

For information on developing security fixes in GitLab, please see the Patch Release runbook for preparing security fixes. (Required)

Secure Coding Guidelines

The GitLab Secure Coding Guidelines (Required) cover how to address specific classes of vulnerabilities that have been identified in GitLab.

Secure Code Warrior

GitLab uses Secure Code Warrior to provide ongoing secure coding training. Eligible team members can log in via Okta.

GitLab Token Management Standard
This is the GitLab Token Management Standard. It defines approved GitLab token usage, and distribution for the purposes of providing authentication and authorization within various systems and subsystems used by GitLab.
gitleaks on your laptop

gitleaks on your laptop

If you ended up on this handbook page it’s probably because you have been pointed here during a git commit by our gitleaks installation on your local machine. The tool gitleaks is being used on GitLab endpoints to prevent a common security issue, namely accidental commits of secrets like Personal Access Token or other credentials to public repositories. It is important that all repositories are covered as a leaked access token in one repository can impact all repositories and projects to which your account has access.

Google Cloud Security Best Practices

Google Cloud Resources

Some Google Cloud resources, if deployed with default settings, may introduce risk to shared environments. For example, you may be deploying a temporary development instance that will never contain any sensitive data. But if that instance is not properly secured, it could potentially be compromised and used as a gateway to other, more sensitive resources inside the same project.

Below are some steps you can take to reduce these risks.

Identity and Access Management v3
The Security Identity team is leading the technical strategy and automation implementation of next-generation identity and access management (IAM), role-based access control (RBAC), and administrative access controls for internal GitLab systems, cloud infrastructure, and tech stack applications.
Individual Development Plan

From FY24-Q2 - Individual Growth Plan

Since the launch of the company wide Individual Growth Plan in Workday per FY24-Q2 we recommend Security team members to leverage that tool in Workday to collaborate with their manager on their career path and growth opportunities. Team members can read all about that progress in this guide. We have deprecated the The Individual Development Plan (IDP) template

Till FY24-Q2 - Individual Development Plan

The Individual Development Plan (IDP) template was used by Security team members till FY24-Q1 to help collaborate on a team member’s career path and growth opportunities. The template was designed to document a team member’s personal choices and the direction they want to take their career while allowing their manager to provide guidance and assist with career growth. The use of this template is entirely voluntary and optional. In fact, the template format and process used are also both flexible and adaptable to each manager and team member. Feel free to adapt the template in manners that meet the needs of the manager and team member.

Information Security Management System

Purpose

GitLab has adopted the ISO/IEC 27001:2022, ISO/IEC 27017:2015 and ISO/IEC 27018:2019 standards for our information security management system (ISMS) to provide GitLab team members, customers and community members with a high level of assurance on the robustness of our information security policies, standards and procedures, and the strength of our control environment. The purpose of this document is to define the boundaries and objectives of GitLab’s ISMS.

Information System Contingency Plan (ISCP)
Provides procedures and capabilities for recovering an information system.
Isolating your work notebook from other devices in your home network

Why

There are various reasons why you might want to isolate your work notebook from other devices in your home network:

  • Security concerns. The security of individual devices on your home network might vary. Some are notoriously insecure (e.g. smart home devices) or some might simply lack the latest security patches. Isolating devices with poor security from your work notebook (and other sensitive private devices) can increase the security of your work notebook.
  • Privacy concerns. GitLab is an all-remote company, with many of its employees working from home. As a side-effect, our work notebooks typically end up being connected to the same network as our personal devices, which allows for network access between these two groups of devices and may raise privacy concerns.

How

Many home routers allow connected devices to be isolated, which prevents any direct network communication between selected devices. This section walks you through setting up an isolated WiFi specifically for your work notebook. The goals specifically are:

Penetration Testing Policy

A penetration test is a process to identify security vulnerabilities in an application or infrastructure in order to evaluate the security of the system.

Purpose

This policy is intended to outline the penetration testing controls implemented by GitLab.

Scope

These controls apply to the applications and systems that fall within the scope of each specific penetration test.

Roles & Responsibilities

Role Responsibility
GitLab Team Members Responsible for following the requirements in this policy
Security Team Responsible for implementing and executing this policy
Security Management (Code Owners) Responsible for approving significant changes and exceptions to this policy

Policy

Planning

A third-party penetration test is conducted at least annually. (CA-8, SC-7(10))

PGP Process

Install GPG Keychain and import PGP Keypair

On a Mac, download and install the GPG Keychain application. Download the keypair file from the Support vault. It’s attached to the ‘security@gitlab.com PGP Keypair’ item. Open the GPG Keychain application and import the keypair file. It will ask for a password. Use the password saved on the vault item.

Now you will be able to encrypt, decrypt, and share the public key with others.

Physical Security Standard for Company Assets

Purpose

This document defines asset management measures and requirements to support the protection of information assets in GitLab’s all remote environment. The measures and requirements noted within the standard are designed to create a secure infrastructure, work environment, and protect sensitive information from physical threats.

Scope

This standard applies to all GitLab team-members, contractors, advisors, and contracted parties interacting with GitLab computing resources and accessing company or customer data.

Product Security

Aligned with GitLab’s overarching information security strategy and its three-year plan, the Product Security Department (PSD) within the Security Division is responsible for crafting and directing a comprehensive vision to bolster the cybersecurity posture of the GitLab platform.

What is Product Security at GitLab?

At GitLab, product security encompasses a broad range of cybersecurity disciplines that enable product and engineering teams to design, develop, deploy, maintain, and refine GitLab’s technologies securely. This goes beyond the conventional confines of security, covering everything from protecting developer workstations to ensuring the integrity of our production environments.

Providing assistance to GitLab.com customers during customer-based security incidents
Process outline on how to provide assistance to GitLab.com customers that have experienced a security incident as a the result of their implementation or use of GitLab.com
Records Retention & Disposal

Purpose

The GitLab records retention and disposal standard lists the specific retention and secure disposal requirements for critical GitLab records. These minimum requirements inform design and maintenance decisions for all GitLab tier 1 and tier 2 critical systems.

Scope

The below retention and secure disposal requirements apply to all GitLab records enumerated in the table below stored in GitLab tier 1 and tier 2 critical systems.

Roles & Responsibilities

Role Responsibility
GitLab Team Members Responsible for following the requirements in this controlled document.
Security Compliance Team Responsible for reviewing and maintaining this controlled document.
Control Owners Responsible for defining and implementing procedures to support the below requirements.
Security Assurance Management (Code Owners) Responsible for approving significant changes and exceptions to this controlled document.

Retention & Disposal Requirements Procedure

Record Retention Requirement Disposal Requirement
Business continuity plan approvals 3 years [GCP/AWS Secure Deletion]
Business continuity test results 3 years [GCP/AWS Secure Deletion]
Production backup tests 1 year [GCP/AWS Secure Deletion]
Production changes 3 years [GCP/AWS Secure Deletion]
Security policy review/approvals 3 years [GCP/AWS Secure Deletion]
Terms of service acceptance As long as user is active [GCP/AWS Secure Deletion]
Access request/change records 1 year [GCP/AWS Secure Deletion]
Team-member offboarding issues Varies by local laws [GCP/AWS Secure Deletion]
System access reviews 1 year 3 months [GCP/AWS Secure Deletion]
Shared and group authentication reviews 1 year 3 months [GCP/AWS Secure Deletion]
Production audit logs 1 year [GCP/AWS Secure Deletion]
GCP firewall configuration artifacts 1 year [GCP/AWS Secure Deletion]
Job roles and responsibilities 1 year [GCP/AWS Secure Deletion]
Security incident communication to customers 3 years [GCP/AWS Secure Deletion]
Personnel-file records Varies by local laws [GCP/AWS Secure Deletion]
1:1 meeting notes Varies by local laws [GCP/AWS Secure Deletion]
On-boarding tickets Varies by local laws [GCP/AWS Secure Deletion]
Annual risk assessment report 2 years [GCP/AWS Secure Deletion]
Risk treatment plans 3 years [GCP/AWS Secure Deletion]
Security observation issues 3 years [GCP/AWS Secure Deletion]
Board of Directors meeting minutes Indefinite N/A
Release notes 1 year [GCP/AWS Secure Deletion]
Critical system activity logs 60 days [GCP/AWS Secure Deletion]
Security monitoring alerts/metrics 3 years [GCP/AWS Secure Deletion]
Vendor security review issues 3 years [GCP/AWS Secure Deletion]
Customer-signed MSA’s Indefinite N/A
Vendor NDA’s Indefinite N/A
Annual security awareness training records 3 years [GCP/AWS Secure Deletion]
Secure coding training records 2 years [GCP/AWS Secure Deletion]
Penetration testing reports and remediation issues 2 years [GCP/AWS Secure Deletion]
System patch records 1 year [GCP/AWS Secure Deletion]
Source code scanning results 1 year [GCP/AWS Secure Deletion]
ZenDesk tickets 3 years [GCP/AWS Secure Deletion]
Nonpublic information review records 3 years [GCP/AWS Secure Deletion]
Role-based security training records 3 years [GCP/AWS Secure Deletion]
Audit log review records 3 years [GCP/AWS Secure Deletion]
Security assessment reports/observation 3 years [GCP/AWS Secure Deletion]
Security configuration reviews/alerts 3 years [GCP/AWS Secure Deletion]
Security authorization records 3 years [GCP/AWS Secure Deletion]
System connection requirements 3 years [GCP/AWS Secure Deletion]
Configuration change records 3 years [GCP/AWS Secure Deletion]
Security impact analysis records 3 years [GCP/AWS Secure Deletion]
Production asset inventory 3 years [GCP/AWS Secure Deletion]
BC training records 3 years [GCP/AWS Secure Deletion]
Production backups Organizationally-defined [GCP/AWS Secure Deletion]
Customer data backups Organizationally-defined [GCP/AWS Secure Deletion]
Employment applications and interview notes (US-based applicants only) 4 years (updated 2021-07) N/A
Temporary Files with PII data As long as needed for business purpose Per System’s default deletion schedule

Exceptions

Exceptions to these requirements will be tracked as per the Information Security Policy Exception Management Process.

Responding to Ransomware

Ransomware is a persistent threat to many organizations, including GitLab. In the event of a ransomware attack involving GitLab assets, it’s important to know the existing response procedures in place. Given the variability of targets in such attacks, it’s critical to adapt to existing circumstances and understand that disaster recovery processes are in place to avoid paying any ransom. GitLab’s red team has done extensive research to determine the most likely targets to be affected. As a result, the following guidelines are intended to help bootstrap an efficient response to protect the organization.

Root Cause Analysis for Critical Vulnerabilities

What is an RCA?

Root Cause Analysis (RCA) is a process to ultimately identify the root problem of an issue so that we may prevent it from occurring again. You can learn more about RCAs here.

To do this a DRI and all relevant other stakeholders from Security and the affected teams (as determined by the DRI) systematically work through a set of questions and discussion topics, as defined in our RCA Template.

Security and Technology Policies Management

Purpose

This policy is intended to establish requirements for the creation and management of security and technology related policies.

Scope

This policy applies to security and technology policies that fall within the scope of GitLab’s security compliance audits and assessments.

Roles & responsibilities

Role Responsibility
Security Governance Team Responsible for conducting annual controlled documents review and enforcing this policy
Security Assurance Management (Code Owners) Responsible for approving changes to this policy

Policy

Policy creation and requirements

All in-scope policies must be created as version controlled documents in GitLab.

Security and Technology Policy Exception Process

Exceptions

Exceptions to Security and Technology Policies must be tracked and approved by the policy approver(s) via an auditable format. An exception process should be defined in each policy.

Information security considerations such as regulatory, compliance, confidentiality, integrity and availability requirements are most easily met when companies employ centrally supported or recommended industry standards. Whereas GitLab operates under the principle of least privilege, we understand that centrally supported or recommended industry technologies are not always feasible for a specific job function or company need. Deviations from the aforementioned standard or recommended technologies is discouraged. However, it may be considered provided that there is a reasonable, justifiable business and/or research case for a security and technology policy exception; resources are sufficient to properly implement and maintain the alternative technology; the process outlined in this and other related documents is followed and other policies and standards are upheld.

Security Assurance

Overview

As a member of the Security department, the Security Assurance sub-department provides GitLab customers with a high level of assurance around the security of GitLab SaaS service offerings.

There are five teams in the Security Assurance sub-department.

Security Assurance Sub-Department

Governance & Field Security
Security Compliance
Security Risk

Core Competencies

Field Security Core Competencies

Security Governance Core Competencies

Security Risk Core Competencies

Security Compliance, Commercial Core Competencies

Core Tools and Systems

The Security Assurance sub department utilizes a variety of tools to carry out day to day activities. The system admin is responsible for the following:

Security Change Management Procedure
Change management procedure for the Security Division.
Security Culture Committee

Mission Statement

The security department as a part of GitLab should follow and live up to the GitLab values and mission. The transparency value can be especially difficult for a security department to embrace and embody, as due to the confidentiality of their work, security people tend to be secretive and intransparent by default.

Intent and goals

The intent of the security culture committee is to maintain a welcoming and transparent environment within the security department.

Security Department Gearing Ratios
Gearing ratios are used as [Business Drivers](/handbook/finance/financial-planning-and-analysis/#business-drivers-also-known-as-gearing-ratios) to forecast long term financial goals by function.
Security Department Learning & Development

Overview

This page is created as a result of the FY21Q4 Culture Amp survey, where Security team members expressed a desire to improve on the currently available L&D opportunities at GitLab. In order to paint a holistic picture of L&D resources available to team members, some of the resources detailed on this page are not Security-specific and are already documented in the handbook.

L&D resources available to all team members

GitLab provides a multitude of opportunities to learn and develop new skills on the topics of leadership, management, and DIB. GitLab Learn is the platform of choice that allows self-paced, on-demand courses. It also contains trainings offered through LinkedIn Learning. If you’re looking for a more flexible approach to learning the aforementioned skills, then perhaps the learning initiatives provided by the L&D team are something for you to consider.

Security Department Performance Indicators
Security Division Dogfooding Program

Introduction and Purpose

The Security Division plays a critical role in ensuring the security of GitLab as a company, and of GitLab as a platform. In the pursuit of its charter, the division is committed to using (“dogfooding”) GitLab as much as possible in order to help improve the platform for all customers.

This dogfooding program aims to improve the effectiveness and efficiency of collaboration between Product Management and Security as it pertains to capabilities of the GitLab platform.

Security Division Ecosystem

Overview

This page outlines the Security Division ecosystem, by describing the different processes of our departments. These processes, represented with diagrams, highlight the data flows between our teams but also with external actors like the Product or the Engineering divisions.

Objectives

This page describe how to maintain the Security Division ecosystem.

Scope of the Security Ecosystem

Every process where Security is involved should be documented in this page. Each Security Department is represented and responsible for their own diagrams.

Security Division Maturity Models
This page describes how to maintain the Security Division maturity models.
Security Internship
The ultimate goal of this program is to transform an entry-level candidate into an Individual Contributor who could meet the requirements for a Security Engineer.
Security OKRs

Security OKRs

The Security organization executes quarterly Objectives and Key Results or OKRs.

How We Plan, Assign, and Execute Work

Four Mondays before the start of the fiscal quarter, in the days after the CEO shares OKRs with all of GitLab in the #okr channel, the CISO proposes OKRs for the Security Division in the OKR draft review meeting agenda for a maximum of 5 objectives. Security leaders are to propose draft OKRs to the CISO prior to the meeting for inclusion. From FY24 Q1 forward all Security OKRs are documented in the GitLab OKR project. For easy filtering, all Security Objective and KR issues have the division::Security label applied.

Security Operations
Security Planning

Security Planning

The Security Planning page catalogs the planning work prior to implementation offSecurity Department initiatives and projects that span multiple security teams and projects, or across the entire GitLab organization. This includes things from high level architecture designs for tools used by the Security to developing new or maturing organizational processes.

A Security Plan is done when the text is sufficient to create Epics, Milestones, and Issues with a enough detail to begin work. Requiring further work in the form of proof-of-concepts or spikes may also be an outcome of a “complete” Plan.

Security READMEs
Security Shadow Program

From converging on real-time critical events with SIRT, exploiting vulnerabilities with the Red Team or participating in live Customer Assurance calls with the Risk and Field Security team, you will have the opportunity to work next to security staff to gain valuable insight and working knowledge of security fundamentals across multiple domains. Each program includes hands-on activities to provide an authentic security team experience.

The Security Shadow program is designed to provide numerous benefits including

Security Shadow: Product Security

Completion of each course you will receive a certificate. At the completion of all 3 courses your name will be recognized on this page.

Restrictions

Please keep in mind that there are some restrictions on what can and cannot be shared as part of the shadow program, particularly related to high severity vulnerabilities or incidents.

For example if a shadow is watching an AppSec team member triage HackerOne issues and a High or Critical vulnerability is reported, the shadow call should end.

Security Shadow: Security Assurance

Completion of each course you will receive a certificate. At the completion of all 3 courses your name will be recognized on this page.

Security Compliance

Security Compliance: Where “Just do whatever you want” comes to die. Have you ever wondered where all those pesky security requests and requirements come from and why in the world you’re always being asked to provide evidence and talk through how systems are designed and configured? Well then good news! Come join the security compliance team for a shadow rotation where we’ll have you:

Security Threat Management

Security Threat Management Sub-Department

The Security Threat Management sub-department is responsible for identifying and remediating vulnerabilities or threats that may impact GitLab, our Team Members or our Customers and the community at large.

Security Threat Management Mission

The Security Threat Management sub-department’s mission is to support the business and our overall security efforts by ensuring that we are focused on real world threats and vulnerabilities that impact us. We accomplish this by:

Software Development Lifecycle Policy

Purpose

Secure software development is critical to developing and maintaining a safe and trusted application. This policy outlines the general components of GitLab’s software development lifecycle.

Scope

This policy applies to anyone developing, reviewing, and merging code at GitLab in support of GitLab’s production applications.

Roles and responsibilities

Role Responsibility
Security Governance Responsible for creating and implementing this policy
Team members Responsible for execution of the policy statements

Policy

In-scope development activities are performed in accordance with GitLab’s product development flow. (SA-3)

Software Development Lifecycle Standard

Purpose

Secure software development is critical to developing and maintaining a safe and trusted application. This standard outlines the general components of GitLab’s software development lifecycle.

Scope

This standard applies to anyone developing code at GitLab in support of GitLab’s production applications. For in depth view of development process, see product development flow.

Roles and responsibilities

Role Responsibility
Security Governance Responsible for creating and implementing this standard
Team members Responsible for execution of the standard statements

Standard

Inception and Requirements

This stage occurs across different mediums depending upon each team’s individual processes.

Transparency by Default

Purpose

In alignment with our company value of Transparency, one focus of the security organization is to lead the most transparent security organization in business today. Transparency by default requires us to challenge the status quo where security teams traditionally operate in a very private and closed-off manner. However, being open by default requires us to be even more diligent in our efforts of categorizing data in order to ensure the protection of our customers, company, and team member data. Therefore, our position is that all information and activities produced by the security team should be considered “Public by Default” unless defined below:

Women in Security

Women in Security Mission Statement

GitLab’s Women in Security group is established to provide support, skills and leadership development, and networking and mentorship opportunities for the women in GitLab’s security department. The group also seeks to inspire women and girls interested in entering or learning about the security industry.

Membership

While tailored for current female team members of the GitLab Security organization, we encourage and welcome the participation of all GitLab members who are dedicated to the support of women in the security industry.

Working in Security

Security Hiring

The company-wide mandate is justification for mapping Security headcount to around 5% of total company headcount. Tying Security Department growth headcount to 5% of total company headcount ensures adequate staffing support for the following (below are highlights and not the entire list of responsibilities of the Security Department):

  • Security releases. At GitLab, the Security Department is DRI for critical and non-critical security releases.
  • Detection/response for security incidents, which will increase as GitLab.com users increase.
  • Preparation for becoming a public company.
  • Running the GitLab public bug bounty program.
  • Dogfooding and contributing to our product.
  • Improving and maintaining the security of GitLab.com and related services.

Career Development and Opportunities at GitLab

Career opportunities at GitLab, personal growth, and development are important and encouraged. Security team members and managers are encouraged to use Individual Development Plans to help foster, guide, and assist with career growth.

Last modified October 29, 2024: Fix broken links (455376ee)