Security Assurance

Security Assurance Mission and Vision

Our mission is to provide a high level of assurance that GitLab (the platform and company) is secure.

Our vision is to be a trusted sales enablement partner that is recognized internally and externally for its collaborative and transparent security assurance program, powered by AI and automation. This will be achieved through 10 strategic objectives:

1. Establish GitLab as a thought leader in DevSecOps and AI.
2. Accelerate the sales cycle to enable Sales to acquire new customers and reduce customer churn.
3. Align Security Assurance with strategic business objectives and develop oversight for continuous alignment
4. Enhance the efficiency and effectiveness of Security Assurance through automated and custom-built solutions
5. Facilitate strategic initiatives to expand and improve GitLab’s external Security brand.
6. Identify, manage, and reduce security risk through cross-functional collaboration, strategic prioritization, and proactive mitigation including governance over data security and resilience programs.
7. Proactive compliance initiatives to maintain competitive advantage and enable customer acquisition through alignment with regulatory and industry specific requirements.
8. Intra-division collaboration to enable successful, timely, and cost effective program and project initiation, management, and delivery through repeatable and scalable processes with consistent measurement and actionable reporting.
9. Influence product development and enhancement through deliberate use and delivery of actionable feedback.
10. Intra and Inter-division collaboration to enable effective and efficient identification and remediation of compliance findings.

Security Assurance Department Structure

There are four teams in the Security Assurance department.

Core Competencies

Field Security Core Competencies

• Sales Training (Security)
• Sales Enablement (Security)
• Customer Assurance (Security)
• Security Evangelization

Security Governance Core Competencies

• Security Policies, Standards and Control maintenance
• Security Assurance Metrics
• Regulatory Landscape Monitoring
• Security Awareness and Training
• Security Assurance Application Administration
• Security Assurance Automation

Security Risk Core Competencies

• Security Third Party Risk Management
• Tier 2 Operational Security Risk Management
• Business Impact Assessments
• Critical System Tiering

Security Compliance Core Competencies

• Continuous Control Monitoring
• Security Certifications and Attestations
• User Access Reviews (non-SOX)
• Observation management for control failures and Tier 3 (system-level) risks
• GitLab Production Readiness: Compliance Assessment

Core Tools and Systems

The Security Assurance sub department utilizes a variety of tools to carry out day to day activities. The system admin is responsible for the following:

• Configuration changes
• Onboarding/offboarding/transfers (ie Access)
• Upgrades/patching/incidents
• Migrations to new environments
• Restores from backup
• Admin level audit evidence
• Quality oversight (limited scope)

All other actions are the responsibility of the assigned DRI. See the internal handbook page here

Contacting the Team

• Join the #security-help slack channel and tag @security-assurance
• Email: security-assurance@gitlab.com

Team READMEs

• Byron’s README

References

Check out these great security resources built with our customers in mind:

• GitLab’s Customer Assurance Package
• GitLab’s Security - Trust Center
• GitLab’s Security Team Page

View page source - Edit this page - please contribute.