Anti-Abuse Group
Vision
Our goal is to provide Insider Threat features for your applications as well as GitLab itself. We will help proactively identify malicious activity, accidental risk, compromised user accounts or infrastructure components, anomalous use of the GitLab platform, and various high-risk behaviors where actionable remediation steps are possible.
Direction
Planning
Our planning issues are the SSOT of what we’re working on now, and what we’re working on next. We also have an issue board to view these from a workflow perspective. To maintain the issue lists leadership (EM+PM) will keep the lists triaged.
Workflow
We follow the same workflow pattern as our friends in Govern::Authorization.
Iteration
When planning how to construct our MVC, we need to be aware of the tradeoffs of slicing MR’s vertically vs horizontally. Reducing scope for each iteration is encouraged.
As requirements can shift, and complexity can increase when uncovering challenging areas in the codebase, we strive to keep issue requirements updated for clarity.
We follow the iteration process outlined by the Engineering function.
Weekly async issue updates
We use the same weekly async issue template as our friends in Govern::Authorization.
Group members
Anti-abuse group can be @ mentioned on GitLab with @gitlab-org/modelops/anti-abuse.
The following people are permanent members of the group:
| Name | Role |
|---|---|
 Jay Swain
|
Engineering Manager, Govern:Authorization and Anti-abuse |
 Eugie Limpin
|
Senior Fullstack Engineer, Govern:Anti-Abuse |
 Ian Anderson
|
Staff Backend Engineer, Govern:Anti-Abuse |
Team Meetings
Our group holds synchronous meetings to gain additional clarity and alignment on our async discussions. We aspire to record all of our meetings as our team members are spread across several time zones and often cannot attend at the scheduled time.
We have a weekly team sync meeting with rotating AMER and AMER/APAC friendly time slots: Tues 18:30 UTC and Weds 00:00 UTC.
Collaboration
You are encouraged to work as closely as needed with our stable counterparts.
Other teams that we might collaborate with include but are not limited to:
- Govern:Authentication and Authorization
- Growth:Acquisition and Activation
- Fulfillment:Fulfillment Platform
Here are some examples of when to engage with your counterpart:
- Seeking a Govern:Authentication and Authorization review when making a significant change to the registration flow
- Seeking a Fulfillment review when making a change involving Zuora
- Discussing in
#f_signup_registration(Slack, GitLab internal) when making a change that affects how our users signup or login
Abuse Maintenance
The Anti-abuse team works closely with Trust and Safety to mitigate abuse on our platform. It’s not uncommon for Trust and safety to request features or maintenance from our team to assist their effort of mitigating abuse. Prioritized requests are organized in our Abuse Maintenance epic.
Pipeline Validation Service responsibility
PVS is an internal service that belongs to the Anti-abuse team. It’s a combination of heuristic-based (text matching, etc) and behavior-based rules (duplicate builds, etc). The Trust and Safety team leverages this service the most, and acts as the customer for feature requests.
Heuristic rules
Due to the nature of cryptomining attacks, heuristics are going to change quickly and need to be implemented rapidly. Accordingly, T&S is invited to submit MR’s to PVS that are heuristic based, or alternatively request these changes from the Anti-abuse team.
Behavior rules
Behavior rules are more slow to change and potentially cast a much wider net (vs a very targeted heuristic rule). Changes to behavior rules are expected to come from T&S, and implemented by the Anti-abuse team.
Severity and Priority
Severity and priority will be added on all issues/merge requests created by T&S so that Anti-abuse can act on them accordingly.
Priority will be based on impact and likelihood of the attacker returning.
Iteration
Anti-abuse will periodically review the accuracy of PVS alerts to see where there are opportunities to reduce the False Positive rate, without impacting the true positives, and Trust and Safety will help provide the required information to do this.
Links and resources
- Our Slack channels
- Govern:Authorization #g_govern_anti-abuse
Metrics
abcd372f)
