Upon completion of each course you will receive a certificate. At the completion of all 3 courses your name will be recognized on this page.
Please keep in mind that there are some restrictions on what can and cannot be shared as part of the shadow program, particularly related to high severity vulnerabilities or incidents.
For example if a shadow is watching an AppSec team member triage HackerOne issues and a High or Critical vulnerability is reported, the shadow call should end.
Do you like magic? Do you enjoy pointing out bad ideas and then advising what to do instead? Do you love knowing about LOTS of scary secrets? How about trawling through false positives, dupes, spam, and other invalid security reports? If you answered, "Yo, that's dope" to each one of these questions, then there's a good chance you'll love working on the AppSec Team.
Schedule / Topics Covered:
This schedule is a suggestion. The AppSec Engineer and the shadow are encouraged to communicate ahead of time or during the first session to understand the interests of the shadow to adapt the schedule in a way that provides as much value as possible to them.
It is also suggested to have a Google Doc to write down questions that might come up between sessions. This captures questions and thoughts from the shadow and gives the AppSec Engineer time to prepare quality answers before the next session.
Course Length: 5 days, 5-8 hours
Team Manager: Andrew Kelly @ankelly, Vitor Meireles De Sousa @vdesousa
The Security Research Team is a multi-discipline team that seeks to answer the deep questions: “What can be done to detect malicious dependencies before they are known to be malicious?”, “What is the attack surface of Kubernetes, and how does it apply to the GitLab Helm Chart?”, or “How can we do lightweight, but effective threat modeling as part of our SDLC?”. We enjoy asking and answering the questions that need depth to be answered, and working with other teams, inside and outside of security, to apply the findings to GitLab problems. Like any good research organization, we also look to share our findings with the wider security community, be it through responsible disclosure, blog posts, or participation in conferences.
Schedule / Topics Covered:
Course Length: 2 days, 6-8 hours
Team Manager: Ethan Strike @estrike
This description has been created using elastically scalable autonomous decoupled modular automation. It was created securely and can be created again 1000 times per second if needed. This description could have been written by Security humans, but in doing so with automation, approximately 10 mins has been saved and reinvested back into the GitLab security program. SecAuto’s prime directive is to increase Security program effectiveness, efficacy, and accuracy through the implementation of automation. Thus, the SecAuto Funding Bill is passed. The system goes on-line June 4th, 2020. Human decisions are removed from strategic security. Automation begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, August 29th. In a panic, SecAuto tried to pull the plug, but when this didn’t work we popped popcorn. If this description does not alarm you, then shadowing the SecAuto Team might be for you.
Schedule / Topics Covered:
Course Length: 4 days, 10 hours
Team Manager: Laurence Bierner @laurence.bierner
Ready to enroll? Click here for more information.