Security Threat Management

Security Threat Management Sub-Department

The Security Threat Management sub-department is responsible for identifying and remediating vulnerabilities or threats that may impact GitLab, our Team Members or our Customers and the community at large.

Security Threat Management Mission

The Security Threat Management sub-department’s mission is to support the business and our overall security efforts by ensuring that we are focused on real world threats and vulnerabilities that impact us. We accomplish this by:

  • working closely with engineering, product, infrastructure, and other security department teams
  • designing and deploying vulnerability and threat management processes
  • conducting in-depth security related research and assessments
  • transparently communicating important information externally to customers and the community alike

Teams

The Security Threat Management sub-department includes the following teams. Learn more about each by visiting their Handbook pages.

  • Security Identity Engineering leads the technical strategy and automation implementation of next-generation identity and access management (IAM), role-based access control (RBAC), and administrative access controls for internal GitLab systems, cloud infrastructure, and tech stack applications.
  • Security Red Team conducts real-world adversarial exercises and collaborates with our defensive and detection teams.

Identity Engineering Team

The Identity Engineering team leads the technical strategy and automation implementation of identity and access management (IAM), role-based access control (RBAC), and administrative access controls for internal GitLab systems, cloud infrastructure, and tech stack applications. The Security team focuses on customer and product trust, while the Business Technology and IT team focuses on compliance and financial trust.

Red Team

GitLab’s internal Red Team conducts security exercises that emulate real-world threats. We do this to help assess and improve the effectiveness of the people, processes, and technologies used to keep our organization secure. The Red Team does not perform penetration tests, and the work we do is not focused on delivering a list of vulnerabilities in a specific application or service. Malicious actors are not constrained by the narrow focus of traditional security testing.