This page is for all information regarding GitLab security trainings. Security training can take the form of training for specific groups, security awareness, and also training developed by the Security Department for the added security benefits to GitLab team members, GitLab customers, and the larger security community.
The Security Assurance sub-department handles security training needs that involve Field Security, Security Governance, Security Compliance and Security Risk.
For more information on Security Assurance, visit the Security Assurance page.
GitLab team members are probably most familiar with security awareness training, which is a handbook-first, GitLab-customized training plus annual policy reviews provided via ProofPoint. GitLab requires all new hires to complete New Hire security orientation training as part of the onboarding process, and annual training thereafter.
GitLab security awareness training has been developed by GitLab Security's Governance Program. The goal of the training is to:
/security Slack command
You are strongly encouraged to engage the team behind the training and provide feedback, or ask any questions related to the content of the training. You can do that through:
As a DevOps company, it makes sense that we need to focus on producing secure code, and therefore training our developers is a high-priority item. There is an entire handbook page dedicated to Secure Coding training with numerous references to both required and recommended training.
There are additional training topics that do not fit into the Security Assurance and Secure Coding training areas. These are training opportunities that fall into these general categories:
These training resources are typically grouped together by access level and intended audience. As we are handbook first, we will try to make all training available for all, although there are times we will need to convey information that needs to be restricted for internal-only access. For example, a training course about "How to create a Security Training Course for GitLab" will be geared toward the Security Department, but as it will contain no internally sensitive material, it can be fully documented in the handbook and made public, benefitting GitLab as well as the security community at large. As we develop these courses, we will list them here.
While developing security training courses for GitLab may seem somewhat daunting, it is not. And it is not restricted to the Security Department! If you are in another department and have an idea for training that involves security, you can still come up with training courses. The biggest question you might have is "how do I do this?" We've outlined some steps for you so that you can create training courses with a security aspect to them.
There are a few basics to keep in mind. They are as follows:
There are a few fundamental differences when creating security training material vs non-security training material.
Here are a few examples to help illustrate the point:
If you have any questions about classifications, public vs non-public data, and what can be included in public training content, ask. You can ask us in the #security Slack channel.
The Security Department vision is to be the leading example in security, innovation, and transparency. Our training should be as open as possible, and if it is viewable by the public, it not only helps GitLab's security but also helps others by example. Conceivably it could also be a recruiting tool to show future GitLab team members why we're such a great place to work, allowing us to continue growing as a department and a company.