The API Security team is a standalone team which is part of the Dynamic Analysis group at GitLab. It is charged with developing solutions which perform Fuzzing.
|API Fuzzer - Private||GitLab's API Fuzzing scanner.|
|API Security||Private - The API Security tool performs API Fuzzing and API DAST scans|
|API Fuzzing E2E Tests||Private - API End to End Tests|
|DAST API demos||Public - DAST API demos linked from the documentation.|
|API Fuzzing demos||Public - API Fuzzing demos linked from the documentation.|
|API Fuzzing demos||Public - API Fuzzing demos linked from the documentation (har/openapi branches).|
The Dynamic Analysis group largely follows GitLab's Product Development Flow.
Issues worked by this team are backend-centric and are typically in one the above repos, vendored templates, and GitLab's Rails monolith. At times, issues can require support from Secure's frontend team if UI changes are required. We will require more notice for initiatives like these.
There are several maintenance tasks that need to be completed each milestone. Each iteration, an issue is opened and assigned to an engineer on a rotating basis. Those rotating tasks are:
When opening up issues, the following label snippet often added:
/label ~"Category:API Security" /label ~"group::dynamic analysis" /label ~"devops::secure" /label ~"backend" /label ~"section::sec"
(Sisense↗) We also track our backlog of issues, including past due security and infradev issues, and total open System Usability Scale (SUS) impacting issues and bugs.
(Sisense↗) MR Type labels help us report what we're working on to industry analysts in a way that's consistent across the engineering department. The dashboard below shows the trend of MR Types over time and a list of merged MRs.
(Sisense↗) Flaky test are problematic for many reasons.
For our Merge Request types, we have an initial soft target ratio of 60% features, 30% maintenance, and 10% bugs based on the cross-functional prioritization process. This is not a hard target and we expect to see variation in this ratio as we mature and our focus evolves.
The Dynamic Analysis engineering team provides support to GitLab Support Engineers following the process outlined in the Sec Section support project.