This blog post is Unfiltered
We sat down with senior application security engineer, Dominic Couture to talk about the challenges of working in AppSec, why the principle of least privilege works, and why our level of transparency makes our product more, not less, secure.
Name: Dominic Couture
Title: Senior security engineer, Application Security
How long have you been at GitLab? I started in November 2019
GitLab handle: @dcouture
Tell us what you do here at GitLab:
I read a lot of GitLab code! I look for vulnerabilities or simply code improvements before it is shipped, as part of defense in depth. I also review issues when they’re in the planning stage for potential vulnerabilities, help maintain our secure coding guidelines, write new tests and automation to support team workflows, and triage bugs that come through our bug bounty program.
What’s the most challenging or rewarding aspect of your role?
The most challenging thing is trying to keep an eye on everything. There are tons of new features being worked on at all times and we know we can’t review every single one of them, so we prioritize and review what appears to be the most security critical. However, sometimes vulnerabilities will slip by in issues that didn’t seem to be security-sensitive at first. When this happens, we need to find ways to optimize our processes to ensure we catch potential issues the next time we’re in a similar situation.
The most rewarding thing is when we do the above successfully! When we identify a common flaw in our code or process and we successfully put automation in place that eliminates it. It makes the product safer and the workload lighter so we can concentrate on new things.
And, what are the top 2-3 initiatives you’re currently focused on?
Many of the things we work on in the Application Security team are not public until they are finished so I can’t link to the detailed issues, but with that in mind…
- I’m currently working on getting some automated testing in place to catch permission bugs in a specific part of our app. This will cover existing code and make it easy to test future code in that part of the application.
- We’re also starting on a code review in another part of GitLab to find information leaks in APIs that might return more than the user asked for. We’re looking for issues similar to the leaks we’ve seen previously through Elasticsearch results.
- I’m getting to know the teams and features in the Verify and Release stages as I’m the stable counterpart for them. I’m developing an expertise in those specific areas so I can have more context and provide more insightful comments when those teams ask for application security reviews.
What is the most significant piece of security advice you could provide to a colleague or friend?
I think everyone on our security team who’s been asked this question has answered to use a password manager and I completely agree. A password manager and a unique password (and MFA!) on every service you use is the difference between a relatively harmless leak on that small niche forum you participate in and a full identity theft due to a credential stuffing attack that pivots to your bank account.
For a more technical piece of advice, I think the principle of least privilege is something to keep in mind at all times. When applied to APIs, the idea is to have the strictest permission requirements as a default. This ensures that if the permissions aren’t verified properly in the code, the result would be a bug which wouldn’t allow access to an asset by a user who should have access rather than a security bug that results in a data breach.
How did you get into security?
Hackers have always fascinated me. As a child I had the desire to understand how what they were doing was possible and it is what got me interested in computers in the first place. I was in my early teens when I got my first computer and I quickly taught myself how to build websites. When talking to people about my programming projects I was warned about things like SQL injection and other types of security vulnerabilities. That piqued my curiosity and while researching those topics I discovered that wargames existed. Since then, “hacking for fun” has always been a hobby for me. I’ve been a software developer for most of my career and while security has always been a part of that job, it was only when I joined GitLab that I became a security professional and transformed my hobby into a career.
What do you look forward to most in security in the next 5 years?
While automation will never solve all the problems, it can certainly solve some of them! I’m both curious and excited about security scanners moving to the next level with more insightful analysis and fewer false positives. AI and machine learning are the usual buzzwords we hear around this topic but I mainly look forward to SAST tools having a better understanding of the code flow and being able to tell if my
os.Open(path) call really involves user input and is indeed risky; instead of just flagging it for me to review in case it is.
What mainstream or industry propagated security myth would you like to be better understood?
Virtual Private Networks (VPNs) are highly praised in online advertising lately and the claims around the safety they provide seem to be a bit exaggerated. In fact, GitLab doesn’t even have a corporate VPN! I really enjoy Tom Scott’s video about the subject. In brief: VPNs nowadays provide little more security than the near-ubiquitous https protocol already does in many of the everyday use cases, and that includes using your laptop at the coffee shop. Don’t get me wrong, VPNs are very relevant and there are many valid reasons to use one, I just feel like the advertising around them isn’t completely truthful and people with no technical knowledge might be led to buy things they don’t need.
GitLab is very unique in that we strive to be incredibly transparent…about everything. What sort of challenges or opportunities does that present to you as a security professional?
Transparency is a part of everything we do here at GitLab and most things are public by default. This transparency-driven approach can lead to some occasional share of things that should not be public. Keeping an eye on those things to catch them before someone else does is challenging. Luckily for us, we run a public bug bounty program and have reporters that are very skilled at finding those things before the “bad people” do, should something slip through our fingers. While we’d rather keep those bounty payments to a minimum, it’s still a better outcome for GitLab than if someone had abused the leaked information.
With our open-source code base, the blog articles the security research team publishes about their findings, and our disclosure of the bugs that come in through our bug bounty program 30 days after being fixed, external researchers get an almost unparalleled level of insight and information about GitLab. This allows them to find and report much better vulnerabilities than if they were doing their testing in a black-box environment. The security risks associated with our level of transparency are usually the first thing to come to people’s mind, but in fact, our transparency makes our software more secure.
The security risks associated with our level of transparency are usually the first thing to come to people’s mind, but in fact, our transparency makes our software more secure.
What sources make up your daily newsfeed to keep up to date in the industry?
I try to use social media as little as possible, but I can’t deny that Twitter is the best place for security news. There are great blogs and websites to follow (our GitLab Security blog, PortSwigger’s research blog and Google Project Zero come to mind) but there are also tons of independent researchers that publish only once or twice a year and Twitter is the place to find out about all that good content.
Now, for the questions you really want to have answered:
Favorite Linux distro?
Arch Linux! The installation process isn’t as hard as the memes pretend it is, the documentation is wonderful and you have a lot of power over what runs on your system. Arch uses systemd which has been a polarizing topic in recent years but if you don’t mind that it’s a great distro.
What’s your favorite season?
Winter. Luckily for me, I live in a place that’s covered in snow nearly 6 months a year so there’s a lot of winter to enjoy! There’s nothing like the freedom and fun of exploring the local forest and mountains on my nordic touring skis.
When you’re not working, what do you enjoy doing?
I run, bike, ski and hike a lot (always with my 2 australian shepherds by my side) and that serves as permanent training for the one or two ultramarathons I run each year. I love camping out in the forest with as little equipment as possible and basically just spending time in the forest. When inside, I like to hunt for security bugs on companies that run bug bounty programs (if it’s not on GitLab, it’s not work anymore, right?).
Have a favorite quote?
The best time to plant a tree was 20 years ago. The second best time is now.
The internet says it’s a Chinese proverb though there’s nothing to back that up. We could probably all point to things we could/should have done differently in life but all that time spent thinking about it is time that isn’t spent actually doing it and benefiting from the change. It’s not too late!