Between May and August 2020, I had the wonderful opportunity of being part of the Engineering Internship Pilot Program. Specifically, I was an intern in the Security department at GitLab. This was my first all-remote role, and I must say it was an extremely worthwhile experience. 😄
Getting to work remotely at GitLab offered a lot of flexibility as I could choose my own working hours where I was most productive, and at the same time learn how to become a manager of one in my day-to-day tasks. Additionally, due to the team being fully-distributed, I was able to meet and collaborate with a diverse group of individuals from all over the world. The team was very helpful each step of the way, and I could always reach out to my manager and mentors if I required any assistance. What surprised me the most was that I was able to have chats with senior leadership in GitLab, which I think is great since one may not have such opportunities in a normal office setup.
The internship enabled me to grow exponentially in different aspects: technical skills, accountability, and within the GitLab values of collaboration, efficiency and transparency to name but a few areas.
Cross-functional exposure and understanding
A goal for my internship experience was to gain exposure to different security teams and develop an understanding of the key functions performed to ensure and enhance the overall security posture of GitLab.
GitLab’s Security department is organized around three key tenets that drive the structure and activities of the group, including: secure the product, protect the company and assure the customer. I had the opportunity to work across each of these teams and want to share some key learnings from each rotation.
Securing the product
This team works closely with engineering and product teams to ensure that all GitLab products securely handle the customer data with which we are entrusted. I was able to work with the teams in the Application Security, Security Research and Security Automation functions to gain a deeper appreciation of how they ensure all aspects of GitLab exposed to customers or that host customer data are held to the highest security standards.
Working with security engineers on our Application Security team, I had the chance to contribute directly to GitLab, the product! 🎉 This involved improving the current path traversal checks on user-controlled file names and file paths. It was a collaborative effort between myself and other engineers through multiple code reviews and iterations that also helped me to sharpen my skills in coding with Ruby and produce well-written tests. Furthermore, I was able to triage a couple of reports in GitLab’s bug bounty program. This enabled me to learn more about vulnerability identification and how the team handles bug reports from the first stage, where a bug is reported, to the last stage, where a security release is created to fix the bug. By reviewing past issues that the Application Security team had handled, I was able to develop a better understanding of the security fix process. With respect to ‘shift left’, this enabled me to see how the team collaborates with other engineering and product teams to integrate security early in the development process by carrying out code security reviews on features.
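To give a concrete picture of what a path traversal check on a user-controlled file name looks like, here is a small Ruby example. It is added for illustration only and is not GitLab's own implementation; the function names `safe_relative_path?` and `resolve_within` and the sample base directory `/srv/app/uploads` are assumptions made for this example.

```ruby
# Added example: validating user-controlled file names and paths against
# path traversal. Illustrative code, not GitLab's implementation.

# Matches ".." only when it is a whole path segment ("../x", "a/../b", "a/..").
# A name such as "..hidden" is not a traversal and is allowed.
TRAVERSAL_SEGMENT = %r{(\A|/)\.\.(/|\z)}.freeze

# Syntactic check for a user-supplied *relative* path: rejects empty input,
# null bytes (which truncate strings in C-backed file APIs), absolute paths
# and any ".." segment.
def safe_relative_path?(path)
  return false if path.nil? || path.empty?
  return false if path.include?("\0")
  return false if path.start_with?("/")
  return false if path.match?(TRAVERSAL_SEGMENT)

  true
end

# Semantic check: resolve +user_path+ beneath +base_dir+ and return the absolute
# result, or nil when the resolved path would escape the base directory.
# This catches cases the regex alone does not (e.g. an absolute path handed in
# where a relative one was expected).
def resolve_within(base_dir, user_path)
  return nil if user_path.nil? || user_path.include?("\0")
  # File.expand_path treats a leading "~" as a home directory, so reject it
  # before expansion rather than letting it resolve outside the base.
  return nil if user_path.start_with?("~")

  base = File.expand_path(base_dir)
  candidate = File.expand_path(user_path, base)

  # Compare with a trailing separator so "/srv/app/uploads-old" is not treated
  # as being inside "/srv/app/uploads".
  inside = candidate == base || candidate.start_with?(base + File::SEPARATOR)
  inside ? candidate : nil
end

if __FILE__ == $PROGRAM_NAME
  base = "/srv/app/uploads" # constructed sample base directory
  ["report.txt", "../config.yml", "sub/../report.txt", "/etc/passwd", "~/x"].each do |p|
    puts format("%-20s syntactic=%-5s resolved=%s", p, safe_relative_path?(p), resolve_within(base, p).inspect)
  end
end
```

The two checks are complementary: the syntactic one gives a fast, explicit rejection that is easy to test and to surface in an error message, while the resolution check is the one that actually guarantees the final path stays under the intended directory regardless of how the input was spelled.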
In addition, I had pairing sessions with members of the Security Research team where I was able to learn about different bug-hunting approaches and current security vulnerability research areas being undertaken such as SAST/DAST tooling and dependency scanning. We also worked together to solve a couple of challenges from the 2020 GitLab capture the flag (CTF). Read about the CTF in “How to play GitLab's Capture the Flag at home” and try your hand!
The time I spent working with the Security Automation team exposed me to the SaaS infrastructure that GitLab relies on with a special emphasis on Google Cloud Platform (GCP). I collaborated with another security engineer to design and implement automation efforts to assist with the management of anomalous resources in GCP, and further assist with the triage process of the reports on these resources. Through coffee chats with the rest of this team, I was able to gain an understanding of the current Security Automation initiatives surrounding the building of tools and services geared towards increasing efficiency and assisting other security teams in their work.
Protect the company
This group is responsible for “shoring up and maintaining the security posture of GitLab.com to ensure enterprise-level security is in place to protect our new and existing customers” and I was fortunate to work across all three functional areas within this group: [Security Incident Response Team](/handbook/security/#sirt