Penetration testing is performed for both the application and infrastructure annually. Results are evaluated and remediated according to risk rating.
This control is meant to formalize the way GitLab prioritizes our penetration tests. The rating assignment mentioned in this control is detailed in a separate control linked below. It isn't feasible to test 100% of GitLab systems, and since penetration tests are meant to reduce risk to the organization, risk is the method we use to prioritize which systems we test in a given year.
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
We will need to share our methodology for determining which systems to pen test, and that methodology should align with the related control.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Application & Infrastructure Penetration Testing control issue.