Gitlab hero border pattern left svg Gitlab hero border pattern right svg

GitLab Security Secure Coding Training

  1. You are here:
  2. Handbook
  3. Security at GitLab
  4. GitLab Security Secure Coding Training

GitLab Security Secure Coding Training

This page contains information on secure training initiatives sponsored by the GitLab Security team.

Security Development Process

For information on developing security fixes in GitLab, please see the Security Release Documentation. (Required)

Secure Coding Guidelines

The GitLab Secure Coding Guidelines (Required) cover how to address specific classes of vulnerabilities that have been identified in GitLab.

Language Specific Guidelines

Other Guidelines and Resources

Survey

When you complete the portions of the training that pertain to you, please take this short survey on it.

GitLab Secure Coding Training

GitLab Secure Coding Training is an annual requirement that must be completed by a sub-group of individuals in the Engineering Department. GitLab has created in-house training that is being provided via ProofPoint, GitLab's third-party security platform.

This training is intended to help developers identify potential security vulnerabilities early, with the goal of reducing the number of vulnerabilities in the product over time.

Secure Coding Training with Jim Manico

Description

A developer-focused application security training presented by Jim Manico, and Dr. Justin Collins, the creator of Brakeman, occurred on the days of July 29th and 30th 2019. In addition to covering secure coding in general, it also covers specific threats and mitigations for Ruby on Rails applications. The content is presented in a lighthearted and entertaining manner.

You can find the recorded, private YouTube stream at the following:

These videos are private by default. To view them, you will need to switch to the GitLab Unfiltered account.

Recommendations

Schedule and Topics

Day 1

Day 1 Morning
  1. Introduction to Application Security (4:33)
  2. Threat Modeling
  3. OWASP Top Ten 2017 overview (42:57)
  4. A1: Injection (52:03)
  5. A2: Broken Authentication and Session Management (1:19:50)
  6. A7: Cross site scripting - XSS (2:09:45)
  7. A8: Insecure deserialization (2:15:10)
  8. A9: Using known vulnerable components (2:22:26)
  9. A10: Insufficient logging and monitoring (2:24:30)

Also covers:

Day 1 Afternoon
  1. XSS Defense - HAML (1:51)
  2. Safe client-side JSON Handling (1:45:31)
  3. iFrame Sandboxing (1:57:25)
  4. Input validation (2:04:50)
  5. Unvalidated Redirects (2:22:14)
  6. DevOps Best Practices (3:14:30)
  7. Content Security Policy (3:36:31)
  8. Brakeman and Static Analysis (4:09:20)

Also covers:

Day 2

Day 2 Morning
  1. Access control (4:28)
  2. Insecure direct object reference in Rails (58:20)
  3. Cross site request forgery (1:28:33)
  4. Cross site request forgery protection in Rails (1:52:32)
  5. Cookie Options and Security (2:33:45)
  6. Server Side Request Forgery SSRF (2:44:22)

Also covers:

Day 2 Afternoon
  1. Authentication Best Practices (5:40)
  2. Rails 6 Security Features (2:23:15)
  3. Introduction to the OAuth authorization protocol v1 (2:48:21)
  4. OAuth v2 (2:51:05)
  5. Client Registration (3:04:06)
  6. Authorization Code Grant (3:07:44)
  7. OAuth 2.0 Terminology (3:21:06)
  8. OAuth 2.0 Tokens (3:35:35)

Also covers:

Frontend Engineers

Backend Engineers

SRE

Additional resources

Open in Web IDE View source