As part of the Security Engineering sub-department, the application security team's mission is to support the business and ensure that all GitLab products securely manage customer data. We do this by working closely with both engineering and product teams.
Please see the Security Engineering Program Strategy document.
Please see the Application Security Job Family page.
gitlab-org, particularly useful for nominating issues for the Security Awards Program. Note: it can include results from the security mirror.
The list above is not exhaustive and is subject to change as our processes keep evolving.
Please see the Application Security Stable Counterparts page.
Please see the Application Security Reviews page.
Please see the Root Cause Analysis for Critical Vulnerabilities page.
Please see the Application Security Engineer Runbooks page index.
The following recordings are available internally only:
When necessary, a backlog review can be initiated; please see the Vulnerability Management page for more details.
As part of our dogfooding effort, the Secure Tools are set up on many different GitLab projects (see our policies). This list is too dynamic to be included in this page, and is now maintained in the GitLab AppSec Inventory.
Projects without the expected configurations can be found in the inventory violations list (internal link).
Learn more about the GitLab AppSec Inventory.
Learn how to identify or remediate security issues using real examples with GitLab's Reproducible Vulnerabilities.