Aug 13, 2020 - Juliet Wanjohi

What it's like to intern on the GitLab Security team

I spent 16 weeks interning across the GitLab security department and here’s what I learned

This blog post is Unfiltered

Between May and August 2020, I had the wonderful opportunity of being part of the Engineering Internship Pilot Program. Specifically, I was an intern in the Security department at GitLab. This was my first all-remote role, and I must say it was an extremely worthwhile experience. 😄

Getting to work remotely at GitLab offered a lot of flexibility as I could choose my own working hours where I was most productive, and at the same time learn how to become a manager of one in my day-to-day tasks. Additionally, due to the team being fully-distributed, I was able to meet and collaborate with a diverse group of individuals from all over the world. The team was very helpful each step of the way, and I could always reach out to my manager and mentors if I required any assistance. What surprised me the most was that I was able to have chats with senior leadership in GitLab, which I think is great since one may not have such opportunities in a normal office setup.

The internship enabled me to grow exponentially in different aspects: technical skills, accountability, and within the GitLab values of collaboration, efficiency and transparency to name but a few areas.

Cross-functional exposure and understanding

A goal for my internship experience was to gain exposure to different security teams and develop an understanding of the key functions performed to ensure and enhance the overall security posture of GitLab.

GitLab’s Security department is organized around three key tenets that drive the structure and activities of the group, including: secure the product, protect the company and assure the customer. I had the opportunity to work across each of these teams and want to share some key learnings from each rotation.

Secure the product

This team works closely with engineering and product teams to ensure that all GitLab products securely handle the customer data with which we are entrusted. I was able to work with the teams in the Application Security, Security Research and Security Automation functions to gain a deeper appreciation of how they ensure all aspects of GitLab exposed to customers or that host customer data are held to the highest security standards.

Working with security engineers on our Application Security team, I had the chance to contribute directly to GitLab the product! 🎉 This involved improving the current path traversal checks on user-controlled file names and file paths. It was a collaborative effort between myself and other engineers through multiple code reviews and iterations that also helped me to sharpen my skills in coding with Ruby and produce well-written tests. Furthermore, I was able to triage a couple of reports in GitLab’s bug bounty program. This enabled me to learn more about vulnerability identification and how the team handles bug reports from the first stage, where a bug is reported, to the last stage, where a security release is created to fix the bug. By reviewing past issues that the Application Security team had handled, I was able to develop a better understanding of the security fix process. With respect to ‘shift left’, this enabled me to see how the team collaborates with other engineering and product teams to integrate security early in the development process by carrying out code security reviews on features.
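As an added illustration of the kind of path traversal check on user-controlled file paths mentioned above, written in Ruby since that is the language the work used: this is example code, not GitLab's own implementation, and the function names, error class and base directory are assumptions.

```ruby
require 'pathname'

# Assumed error class for this example; GitLab's own code may differ.
class PathTraversalError < StandardError; end

# Reject a user-controlled relative path that could escape its intended directory.
# Returns the path unchanged when it is acceptable, raises otherwise.
# If the input arrives URL-encoded, decode it before calling this check.
def check_path_traversal!(path)
  raise PathTraversalError, 'path is empty' if path.nil? || path.empty?
  # A null byte can truncate the path at the OS level, so reject it outright.
  raise PathTraversalError, 'path contains a null byte' if path.include?("\0")
  # An absolute path or any '..' segment (with either separator) counts as traversal.
  if path.start_with?('/', '\\') || path.split(%r{[/\\]}).include?('..')
    raise PathTraversalError, "path traversal detected: #{path.inspect}"
  end
  path
end

# Join the user-controlled path onto a base directory and verify the resolved
# result still lives inside that base (defence in depth for the segment check).
def safe_join(base_dir, user_path)
  check_path_traversal!(user_path)
  base = Pathname.new(base_dir).expand_path
  full = (base + user_path).expand_path
  unless full.to_s.start_with?(base.to_s + File::SEPARATOR)
    raise PathTraversalError, "resolved path escapes #{base}"
  end
  full.to_s
end
```

The prefix comparison includes the trailing separator so that a base of `/srv/uploads` does not accept `/srv/uploads-other`.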

In addition, I had pairing sessions with members of the Security Research team where I was able to learn about different bug-hunting approaches and current security vulnerability research areas being undertaken such as SAST/DAST tooling and dependency scanning. We also worked together to solve a couple of challenges from the 2020 GitLab capture the flag (CTF). Read about the CTF in “How to play GitLab's Capture the Flag at home” and try your hand!

The time I spent working with the Security Automation team exposed me to the SaaS infrastructure that GitLab relies on with a special emphasis on Google Cloud Platform (GCP). I collaborated with another security engineer to design and implement automation efforts to assist with the management of anomalous resources in GCP, and further assist with the triage process of the reports on these resources. Through coffee chats with the rest of this team, I was able to gain an understanding of the current Security Automation initiatives surrounding the building of tools and services geared towards increasing efficiency and assisting other security teams in their work.

Protect the company

This group is responsible for “shoring up and maintaining the security posture of GitLab.com to ensure enterprise-level security is in place to protect our new and existing customers” and I was fortunate to work across all three functional areas within this group: Security Incident Response Team (SIRT), Trust and Safety team and Red Team.

Working with the SIRT team was exciting as I got to learn how security incidents are managed by shadowing the security engineers on-call. This can be a very time-sensitive and fast-paced operation as incidents need to be handled quickly, but at the same time, precisely to avoid any further escalations. Additionally, I had the privilege to work with the team to help create detection rules using Python; I particularly enjoyed this since one of my favorite aspects of software engineering is coding! This gave me insight into how we can proactively detect threats in our environment and design appropriate response approaches.

The Trust and Safety team’s main objective is to ensure that GitLab.com is not abused by malicious users. I was able to contribute to this team’s efforts by developing an algorithm that could help to detect file obfuscation, which is a trending abuse methodology used to hide malicious content. This was particularly interesting as we got to leverage the power of machine learning in the security domain. More about this project can be seen further down in this post!

GitLab’s Red Team actively examines the security posture of the organization by carrying out exercises to establish threat models and escalate any security gaps that may be discovered during testing. My time spent on this team gave me the opportunity to get the team members’ perspectives on what it takes to be a ‘Red Teamer’ and how they support GitLab’s value of transparency in their day-to-day work. An interesting project that I was able to contribute to involved research on a machine learning algorithm that can help with secret scanning in GitLab repositories. This proof-of-concept was geared towards reducing the large number of false positives in the current state-of-the-art secret searching tools.

Assure the customer

This sub-department focuses on the mission to “provide assurance to GitLab customers that any data shared with GitLab will be kept safe and our customer's privacy will be respected” and includes the functions and subteams of Field Security and Security Compliance.

Interning within this group was a unique experience for me as I had not yet had the chance to try my hand at a security analyst role. Through this engagement, I gained visibility into how risk and compliance relate to the bigger security picture and became familiar with the various security compliance certifications and their relationship to the internal GitLab Control Framework. Specifically, I was able to look at the SOC2 industry standard and help to test controls such as data management, with respect to current vendor security review assessments.

A deeper dive: machine learning in security

As part of my internship here, I had the opportunity to focus more deeply on an area of specific interest to me: machine learning. GitLab is actively pursuing novel ways of integrating machine learning into its overall security model. Machine learning can offer multiple benefits in security-based use cases including detection of malicious activity and automation of repetitive security tasks.

As part of the anti-abuse efforts ongoing at GitLab, Melissa Rodriguez, senior security engineer in Automation, and I worked on creating an algorithm that could help to detect obfuscation in certain files. This involved research and learning how to build models that could find patterns in text, and using this to correctly classify regular files versus obfuscated files. I'm proud to say the algorithm I helped to develop with Melissa is going to be used in the detection of abusive activities such as cryptomining, where attackers tend to obfuscate their mining configurations.

Machine learning is a fast-growing trend that has a myriad of applications in the security space, and it is important to consider how to take advantage of it to improve overall security posture and better protect customers.

Interested in joining GitLab?

If you would like to be a part of this amazing team and get to contribute to the GitLab product while enjoying the perks of all-remote, check out the career opportunities page and join our talent community. You can also learn more about GitLab’s culture and values in order to get an understanding of what it might be like to work here!

Cover image by Christopher Gower on Unsplash
