Application Security

Maintained by:

Application Security Mission
Contacting us
Application Security Roadmap
Roles & Responsibilities
Useful resources for AppSec engineers
Application Security KPIs & Other Metrics in Sisense
General Role Functions
Application Security Engineer Runbooks
Meeting Recordings
Backlog reviews
GitLab Secure Tools coverage
GitLab Inventory
Reproducible Vulnerabilities
Application Security Automation and Monitoring

Application Security Mission

As part of the Security Engineering sub-department, the application security team's mission is to support the business and ensure that all GitLab products securely manage customer data. We do this by working closely with both engineering and product teams.

Contacting us

Team members can reach the AppSec team by:

Asking in #sec-appsec or mentioning @appsec-team on Slack
Mentioning @gitlab-com/gl-security/appsec on GitLab
Finding your Stable Counterpart on the Product sections, stages, groups, and categories page

Application Security Roadmap

Please see the Security Engineering Program Strategy document.

Roles & Responsibilities

Please see the Application Security Job Family page.

Useful resources for AppSec engineers

The AppSec private group that contains other private subgroups and projects
Bug bounty council search
Upcoming security release
GitLab Project Security dashboard
Security issue board that tracks ongoing issues (hackerone and others)
The latest releases
Overview of a project member permissions
The DevOps stages and their different groups. This page contains information on the development teams, their areas of focus, and their team members as well as the AppSec stable counterparts. It is used to assign issues to the stable counterparts.
The product features listed by groups that own them
List of merged security issues in gitlab-org. Note: It can include results from the security mirror gitlab-org/security/.

The list above is not exhaustive and is subject to be modified as our processes keep evolving.

Application Security KPIs & Other Metrics in Sisense

For KPIs and other metrics, please see this page.
For Embedded KPIs which you filter by section, stage, or group, please see this page.

General Role Functions

Application Security Engineer Runbooks

Please see the Application Security Engineer Runbooks page index

Meeting Recordings

The following recordings are available internally only:

Backlog reviews

When necessary a backlog review can be initiated, please see the Vulnerability Management Page for more details.

GitLab Secure Tools coverage

As part of our dogfooding effort, the Secure Tools are set up on many different GitLab projects (see our policies). This list is too dynamic to be included in this page, and is now maintained in the GitLab AppSec Inventory.

Projects without the expected configurations can be found in the inventory violations list (internal link).

GitLab Inventory

Learn more about the GitLab AppSec Inventory.

Reproducible Vulnerabilities

Learn how to identify or remediate security issues using real examples with GitLab's Reproducible Vulnerabilities.

Application Security Automation and Monitoring

Please see the Application Security Automation and Monitoring page