Security Threat Management

Security Threat Management Sub-Department

The Security Threat Management sub-department is responsible for identifying and remediating vulnerabilities or threats that may impact GitLab, our Team Members or our Customers and the community at large.

Security Threat Management Mission

The Security Threat Management sub-department’s mission is to support the business and our overall security efforts by ensuring that we are focused on real world threats and vulnerabilities that impact us. We accomplish this by:

  • working closely with engineering, product, infrastructure, and other security department teams
  • designing and deploying vulnerability and threat management processes
  • conducting in-depth security related research and assessments
  • transparently communicating important information externally to customers and the community alike

Teams

The Security Threat Management sub-department includes the following teams. Learn more about each by visiting their Handbook pages.

  • Security Identity Engineering leads the technical strategy and automation implementation of next-generation identity and access management (IAM), role-based access control (RBAC), and administrative access controls for internal GitLab systems, cloud infrastructure, and tech stack applications.
  • Security Research specialists conduct internal testing and research against GitLab assets, against FOSS that is critical to GitLab products and operations, and against vendor products being considered for purchase and integration with GitLab.
  • Security Red Team conducts real-world adversarial exercises and collaborates with our defensive and detection teams.
  • Security Threat & Vulnerability Management focuses on ensuring that vulnerabilities are identified and mitigated in an easy but consistent manner. This team covers our infrastructure, our code base, and the other components that make up GitLab’s environment.

Identity Engineering Team

The Identity Engineering team leads the technical strategy and automation implementation of identity and access management (IAM), role-based access control (RBAC), and administrative access controls for internal GitLab systems, cloud infrastructure, and tech stack applications. The Security team focuses on customer and product trust, while the Business Technology and IT team focuses on compliance and financial trust.

Red Team

GitLab’s internal Red Team conducts security exercises that emulate real-world threats. We do this to help assess and improve the effectiveness of the people, processes, and technologies used to keep our organization secure. The Red Team does not perform penetration tests, and the work we do is not focused on delivering a list of vulnerabilities in a specific application or service. Malicious actors are not constrained by the narrow focus of traditional security testing.

Security Research

Team Focus

The Security Research team contributes to the Security Vision and Mission through projects that focus on identifying, quantifying, and developing solutions for complex security risks facing GitLab and its users. This work aims to improve the security posture of the product and the company, but always with an eye for contributing new functionality as a differentiator. Additionally, we aim to share our results widely in order to educate and bring awareness to the GitLab Security program.

Vulnerability Management

Vulnerability Management is the continual process of identifying, prioritizing, mitigating, and remediating vulnerabilities. At GitLab we identify vulnerabilities in a number of different ways depending on the component being analyzed. This process and its associated tooling are owned by the Vulnerability Management team. This page primarily outlines our vulnerability management standards and processes at GitLab. The GitLab Vulnerability Management Standard defined on this page is a consistent process to identify, document, categorize, manage, and remediate all vulnerabilities that impact in-scope GitLab-managed systems and software projects.
Last modified January 18, 2024: Add cross-links to Identity team pages (f24f946c)