Application Security

1. You are here:
2. Engineering
3. Security
4. Security Engineering & Research
5. Application Security

On this page

• Application Security Mission
• Application Security Roadmap
• Roles & Responsibilities
• Useful resources for AppSec engineers
• Application Security KPIs & Other Metrics in Sisense
• SpamCheck
• General Role Functions
  • Stable Counterparts
  • Application Security Reviews
  • RCAs for Critical Vulnerabilities
• Project ownership
• Application Security Engineer Runbooks
• Meeting Recordings
• Backlog reviews
• GitLab Secure Tools coverage
• GitLab Inventory

Application Security Mission

As part of the Security Engineering & Research sub-department, the application security team's mission is to support the business and ensure that all GitLab products securely manage customer data. We do this by working closely with both engineering and product teams.

Application Security Roadmap

Please see the Security Engineering and Research Program Strategy document.

Roles & Responsibilities

Please see the Application Security Job Family page.

Useful resources for AppSec engineers

• The AppSec private group that contains other private subgroups and projects
• Bug bounty council search
• Upcoming security release
• GitLab Project Security dashboard
• Security issue board that tracks ongoing issues (hackerone and others)
• The latest releases
• Overview of a project member permissions
• The DevOps stages and their different groups. This page contains information on the development teams, their areas of focus, and their team members as well as the AppSec stable counterparts. It is used to assign issues to the stable counterparts.
• The product features listed by groups that own them
• List of merged security issues in gitlab-org, particularly useful to nominate issues for the Security Awards Program. Note: It can include results from the security mirror gitlab-org/security/.

The list above is not exhaustive and is subject to be modified as our processes keep evolving.

Application Security KPIs & Other Metrics in Sisense

• For KPIs and other metrics, please see this page.
• For Embedded KPIs which you filter by section, stage, or group, please see this page.

SpamCheck

• SpamCheck

General Role Functions

Stable Counterparts

Please see the Application Security Stable Counterparts page.

Application Security Reviews

Please see the Application Security Reviews page.

RCAs for Critical Vulnerabilities

Please see the Root Cause Analysis for Critical Vulnerabilities page

Project ownership

Please see the Appsec project owners page

Application Security Engineer Runbooks

Please see the Application Security Engineer Runbooks page index

Meeting Recordings

The following recordings are available internally only:

• AppSec Sync
• AppSec Leadership Weekly

Backlog reviews

When necessary a backlog review can be initiated, please see the Vulnerability Management Page for more details.

GitLab Secure Tools coverage

As part of our dogfooding effort, the Secure Tools are set up on many different GitLab projects (see our policies). This list is too dynamic to be included in this page, and is now maintained in the GitLab AppSec Inventory.

Projects without the expected configurations can be found in the inventory violations list (internal link).

GitLab Inventory

Learn more about the GitLab AppSec Inventory.