Commit 7009463b authored by James Ritchey

Migrate AppSec under the Product Security namespace

parent 8d815abd
+1 −1
@@ -37,7 +37,7 @@ no new JiHu contributions will be included in the release. The recommended time

Once it is certain that no new JiHu contributions will be added, follow the steps below:

1. [On the release date of each month](/handbook/engineering/releases/) the [jh-upstream-report repository](https://gitlab.com/gitlab-org/jh-upstream-report) should run a scheduled pipeline that automatically creates the release certification issue. This will create an issue in the [jh-upstream-report issue tracker](https://gitlab.com/gitlab-org/jh-upstream-report/-/issues) with a checklist containing each JiHu contribution associated with the upcoming release. If something went wrong, the [release certification tools script](https://gitlab.com/gitlab-com/gl-security/appsec/tooling/release-certification-tools) may need to be ran manually by following the directions in the `README.md`
1. [On the release date of each month](/handbook/engineering/releases/) the [jh-upstream-report repository](https://gitlab.com/gitlab-org/jh-upstream-report) should run a scheduled pipeline that automatically creates the release certification issue. This will create an issue in the [jh-upstream-report issue tracker](https://gitlab.com/gitlab-org/jh-upstream-report/-/issues) with a checklist containing each JiHu contribution associated with the upcoming release. If something went wrong, the [release certification tools script](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/tooling/release-certification-tools) may need to be ran manually by following the directions in the `README.md`
1. Verify that every JiHu contribution going into the release is on this list. This can be done by looking at the [status report](https://gitlab.com/gitlab-jh/status-reports/-/issues) repository information in addition to searching for the `JiHu Contribution` labels in [each repository](/handbook/ceo/office-of-the-ceo/jihu-support/#projects) (the certification issue should have a link available). Be sure to look for both open and closed merge requests. The most likely reason a MR would be in the release but not in the checklist is the appropriate milestone had not been set for it.
1. For each JiHu contribution on the checklist:
    - Look at the merge request and verify that an AppSec reviewer has indicated it has been reviewed and is acceptable
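Review bot: the rewritten step (the `release-certification-tools` line) still reads "may need to be ran manually"; since the line is being touched anyway, change it to "may need to be run manually" and close the sentence with a period after "`README.md`", as the following list items do.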
+1 −1
@@ -36,7 +36,7 @@ The Token Management Working Group will deliver:
    - Results: [GitLab Token Management Standard](/handbook/security/token-management-standard.html)
- Proposed fixes, with risk assessments, for each identified low effort high risk item
    - Status: Complete
    - Results: [Risk assessments](https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/354) and [effort estimations](https://docs.google.com/spreadsheets/d/1selwO27d-Tk2KMlSy5ozY1DnHu7GmGxKO6o7axO7omc/edit#gid=0)
    - Results: [Risk assessments](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/appsec-team/-/issues/354) and [effort estimations](https://docs.google.com/spreadsheets/d/1selwO27d-Tk2KMlSy5ozY1DnHu7GmGxKO6o7axO7omc/edit#gid=0)
- Propose possible out-of-product workaround mitigations for the top 2 high effort high risk items
    - Status: Complete
    - Results: [Proposed out-of-product workarounds](https://gitlab.com/gitlab-com/gl-security/security-department-meta/-/issues/1565)
+1 −1
@@ -247,7 +247,7 @@ from PM or UX.

### Working with Security

The group has an existing [threat model](https://gitlab.com/gitlab-com/gl-security/appsec/threat-models/-/blob/master/gitlab-org/gitlab/GitLab%20Migration.md) to assist in identifying issues that may have security implications, but there are other considerations.
The group has an existing [threat model](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/threat-models/-/blob/master/gitlab-org/gitlab/GitLab%20Migration.md) to assist in identifying issues that may have security implications, but there are other considerations.

An [Application Security Review](/handbook/security/product-security/application-security/appsec-reviews/) should be requested when the issue or MR might have security implications. These include, but aren't limited to, issues or MRs which:
- falls under the threat model
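Review bot: the trailing context of this hunk has a subject-verb mismatch that the list inherits: "issues or MRs which:" is followed by "- falls under the threat model", which should be "- fall under the threat model" so each bullet completes the plural subject. The threat-model blob link in the changed line is pinned to `master`, which is fine as long as that remains the default branch of the moved `threat-models` project.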
+1 −1
@@ -124,7 +124,7 @@ CI Catalog GA Epic: [https://gitlab.com/groups/gitlab-org/-/epics/12153](https:/
- Spikes
  - [Spike issue](https://gitlab.com/gitlab-org/gitlab/-/issues/434260) to distributed components for Self managed customers.
  - [Spike issue](https://gitlab.com/gitlab-org/gitlab/-/issues/438409) to calculate number of times a component is used.
- [Threat Model](https://gitlab.com/gitlab-com/gl-security/appsec/threat-models/-/issues/43#note_1738526551) diagrams in-progress to be provided to security. - waiting on security feedback.
- [Threat Model](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/threat-models/-/issues/43#note_1738526551) diagrams in-progress to be provided to security. - waiting on security feedback.

#### Other milestone goals:

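Review bot: the changed Threat Model bullet ends in a broken fragment, "diagrams in-progress to be provided to security. - waiting on security feedback."; since the line is being rewritten, tidy it to something like "diagrams in progress, to be provided to security; waiting on security feedback." so the status reads as one sentence.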
+4 −4
@@ -162,7 +162,7 @@ description: "Secrets Manager - Weekly Project Plan - Pipeline Security Group"
- 1 Designer

#### Goals:
- [https://gitlab.com/gitlab-com/gl-security/appsec/threat-models/-/issues/34](https://gitlab.com/gitlab-com/gl-security/appsec/threat-models/-/issues/34) Initialize the [threat model](/handbook/security/threat-modeling/) process.
- [https://gitlab.com/gitlab-com/gl-security/product-security/appsec/threat-models/-/issues/34](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/threat-models/-/issues/34) Initialize the [threat model](/handbook/security/threat-modeling/) process.
- [https://gitlab.com/gitlab-org/gitlab/-/issues/424452](https://gitlab.com/gitlab-org/gitlab/-/issues/424452) Merge MR which creates feature flag and base page for the frontend.
- [https://gitlab.com/gitlab-org/ux-research/-/issues/2470](https://gitlab.com/gitlab-org/ux-research/-/issues/2470) Continue receiving assignment 2 feedback.

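Review bot: the threat-model goal links in this file use the bare URL as their own link text (`[https://gitlab.com/...](https://gitlab.com/...)`), which renders as a very long unreadable line after the namespace move lengthens the path; the same pattern recurs in the three following hunks of this file. Consider descriptive link text such as `[threat-models#34](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/threat-models/-/issues/34)` on each of the four changed lines.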
@@ -174,7 +174,7 @@ description: "Secrets Manager - Weekly Project Plan - Pipeline Security Group"
- 1 Designer

#### Goals:
- [https://gitlab.com/gitlab-com/gl-security/appsec/threat-models/-/issues/34](https://gitlab.com/gitlab-com/gl-security/appsec/threat-models/-/issues/34) Complete the [threat model](/handbook/security/threat-modeling/) process.
- [https://gitlab.com/gitlab-com/gl-security/product-security/appsec/threat-models/-/issues/34](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/threat-models/-/issues/34) Complete the [threat model](/handbook/security/threat-modeling/) process.
- [https://gitlab.com/gitlab-org/gitlab/-/issues/424453](https://gitlab.com/gitlab-org/gitlab/-/issues/424453) Create an MR for creating the root Vue component.
- [https://gitlab.com/gitlab-org/ux-research/-/issues/2470](https://gitlab.com/gitlab-org/ux-research/-/issues/2470) Present feedback findings from assignment 2.

@@ -186,7 +186,7 @@ description: "Secrets Manager - Weekly Project Plan - Pipeline Security Group"
- 1 Designer

#### Goals:
- [https://gitlab.com/gitlab-com/gl-security/appsec/threat-models/-/issues/34](https://gitlab.com/gitlab-com/gl-security/appsec/threat-models/-/issues/34) Address feedback from the [threat model](/handbook/security/threat-modeling/) process.
- [https://gitlab.com/gitlab-com/gl-security/product-security/appsec/threat-models/-/issues/34](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/threat-models/-/issues/34) Address feedback from the [threat model](/handbook/security/threat-modeling/) process.
- [https://gitlab.com/gitlab-org/gitlab/-/issues/424453](https://gitlab.com/gitlab-org/gitlab/-/issues/424453) Merge MR for creating the root Vue component.
- [https://gitlab.com/gitlab-org/ux-research/-/issues/2470](https://gitlab.com/gitlab-org/ux-research/-/issues/2470) Present new design changes.

@@ -197,7 +197,7 @@ description: "Secrets Manager - Weekly Project Plan - Pipeline Security Group"
- 1 FE

#### Goals:
- [https://gitlab.com/gitlab-com/gl-security/appsec/threat-models/-/issues/34](https://gitlab.com/gitlab-com/gl-security/appsec/threat-models/-/issues/34) Complete the [threat model](/handbook/security/threat-modeling/) process.
- [https://gitlab.com/gitlab-com/gl-security/product-security/appsec/threat-models/-/issues/34](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/threat-models/-/issues/34) Complete the [threat model](/handbook/security/threat-modeling/) process.
- [https://gitlab.com/gitlab-org/gitlab/-/issues/416701](https://gitlab.com/gitlab-org/gitlab/-/issues/416701) Create an MR with updated architecture design based on feedback from threat model.
- [https://gitlab.com/groups/gitlab-org/-/epics/11776](https://gitlab.com/groups/gitlab-org/-/epics/11776) Begin working on first backend POC for using GCP key management for key storage.
- [https://gitlab.com/gitlab-org/gitlab/-/issues/424452](https://gitlab.com/gitlab-org/gitlab/-/issues/424452) Merge MR which creates feature flag and base page for the frontend
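Review bot: the changed goal in this hunk, "Complete the threat model process", is identical to the goal already listed in the earlier hunk at line 174 of the same file; confirm the goal is intentionally carried over into this later week rather than a copy-paste leftover. The last bullet ("Merge MR which creates feature flag and base page for the frontend") is also missing the terminal period the other goals have.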