Commit 9ed1cc30 authored by Ethan Strike's avatar Ethan Strike
Add Security Capabilities Engineering team charter

parent 5b4dbc58
+151 −0
---
title: "Security Capabilities Engineering"
description: "Security Capabilities Engineering Team Charter"
---

## Organizational Structure

Security Capabilities Engineering consists of three complementary teams:

### Vulnerability Management

- Focus: Vulnerability detection, workflow automation, and risk visibility
- Key Deliverables: Automated triage, scanning coverage, customer artifacts, FedRAMP automation

### Product Security Incident Response Team (PSIRT)

- Focus: Vulnerability triage, coordinated remediation & disclosure, and security releases
- Key Deliverables: Bug bounty program management, variant hunting, coordinated vulnerability remediation, and security releases coordination

### Product Security Engineering (ProdSecEng)

- Focus: Security automation, product contributions, and tooling integration
- Key Deliverables: Security features, process automation, custom tooling maintenance and migration

## Mission Statement

Security Capabilities Engineering enables GitLab through collaborative processes, data insights, and automation to build customer trust. We serve as the force multiplier for Product Security by transforming vulnerability intelligence into actionable insights, creating scalable security capabilities, and establishing the processes and tooling that enable GitLab to ship secure software at velocity.

## Value Proposition

We provide comprehensive vulnerability lifecycle management, scalable automation solutions, and data-driven security insights so that GitLab's engineering teams can build and ship secure software with confidence, customers receive transparent and timely security information, and Product Security teams can focus on high-value strategic initiatives rather than manual operations.

## Strategic Vision

Security Capabilities Engineering operates at the intersection of three critical capabilities:

- **Data Insights That Inform Decisions**: Transform vulnerability data into actionable intelligence and transparent customer artifacts
- **Product-First Automation That Scales**: Build security capabilities to support using GitLab to secure GitLab, validating solutions before customer adoption
- **Processes That Enable Others**: Establish standardized, documented workflows that create consistency and efficiency across the security lifecycle

## Scope and Responsibilities

### Primary Areas of Ownership

Security Capabilities Engineering owns the end-to-end vulnerability lifecycle and enabling automation across GitLab:

#### Vulnerability Intelligence & Lifecycle Management

- **Detection & Correlation**: Comprehensive vulnerability scanning across GitLab-hosted environments, artifacts, and their associated supply chains
- **Triage & Assessment**: Technical evaluation of vulnerability severity, exploitability, and business impact
- **Remediation Coordination**: Collaboration with Engineering teams to prioritize and verify security fixes
- **Coordinated Disclosure**: Management of bug bounty program and responsible vulnerability disclosure

#### Security Automation & Engineering

- **Product Security Tooling**: Development and maintenance of specialized automation that enables scalable Product Security operations
- **Security Enhancement Features**: Product contributions that reduce GitLab's risk and enhance customer security capabilities
- **Tooling Integration & Sunsetting**: Migration of custom security tooling into GitLab product features

#### Data & Metrics

- **Vulnerability Metrics & Reporting**: Strategic and operational metrics for security posture visibility
- **Compliance Artifacts**: Automated generation of compliance-facing security documentation
- **Risk Communication**: Data-driven narratives that inform strategic decisions across GitLab

### Interface Points

#### Internal Security Team Collaboration

- Application Security (AppSec): Knowledge sharing, specialized product knowledge during incidents
- Security Platforms & Architecture (SPA): Exploitability POC development, Product Security Risk Register (PSRR) alignment
- Infrastructure Security: Cloud/infrastructure vulnerability triage, Wiz integration
- Security Operations (SecOps): Incident support, threat detection IOC/POC development
- Security Assurance: Compliance artifacts

#### Engineering & Product Collaboration

- Development Teams: Vulnerability issues in GitLab, remediation collaboration
- Product Teams: Early engagement on security features, user story validation, tooling integration planning
- Release Management: Security patch coordination, version compatibility assessment

#### External Stakeholders

- Customers: Transparent vulnerability disclosure, security advisories, compliance artifacts
- Security Researchers: HackerOne program management, coordinated disclosure process
- Security Community: Public disclosure coordination, industry best practices sharing

### Out of Scope

Not owned by Security Capabilities Engineering:

- Feature security reviews and threat modeling (owned by AppSec)
- Infrastructure and cloud security architecture (owned by InfraSec)
- End-user system vulnerabilities and patching (owned by CorpSec)
- Direct vulnerability remediation (owned by Engineering)
- Security compliance programs (owned by Security Assurance)
- GitLab Security product features (owned by Sec Section product teams)

## Operating Model

### Core Processes

**Vulnerability Lifecycle Workflow:**

1. **Detection**: Automated scanning across environments using Wiz, Trivy, and custom tooling
2. **Correlation & Enrichment**: VulnMapper normalizes findings and adds contextual data
3. **Triage**: Distributed model based on vulnerability type and team expertise
4. **Remediation**: Coordination with Engineering, tracking through GitLab issues
5. **Verification**: Validation that fixes are complete and not bypassable
6. **Disclosure**: Customer communication through security releases, CVEs, and advisories

**Automation Development:**

1. **Intake & Evaluation**: Requests assessed against automation criteria and product fit
2. **Use Case Documentation**: Clear problem statement and success criteria
3. **Product Alignment**: Assessment of fit with GitLab product vision
4. **Development**: Iterative development following GitLab workflow labels
5. **Validation**: Testing with security team stakeholders (Customer Zero)
6. **Handoff**: Transition to appropriate product team or operations maintenance

**Metrics & Reporting:**

1. **Data Collection**: Automated capture from VulnMapper, GitLab issues, and HackerOne
2. **Analysis**: Contextual enrichment and trend identification
3. **Stakeholder Communication**: Tailored reporting for different audiences
4. **Continuous Improvement**: Feedback loops to refine processes and priorities

### Communication Channels

**GitLab:**

- Issue trackers in respective team projects
- MR reviews and collaboration on security fixes
- Epic tracking for cross-team strategic initiatives
- `@gitlab-com/gl-security/product-security/vulnerability-management` (Vulnerability Management)
- `@gitlab-com/gl-security/product-security/psirt-group` (PSIRT)
- `@gitlab-com/gl-security/product-security/product-security-engineering` (ProdSecEng)

**Slack:**

- `#security_help` - Primary channel for security questions and requests
- `#security-discuss` - Broader security discussions and knowledge sharing
- `@vulnerability-management` - Slack handle for VM team
- `@psirt-team` - Slack handle for PSIRT team
- `@product-security-engineering` - Slack handle for ProdSecEng team

## FY27 Initiatives

- Use Data as a Strategic Asset
- Establish a Unified Vulnerability Lifecycle
- Build a Product-First Mindset
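Review bot: The Vulnerability Lifecycle Workflow under Core Processes names Wiz, Trivy, "custom tooling" and VulnMapper (steps 1 and 2), and Metrics & Reporting names HackerOne, but none of these is linked or defined anywhere in the charter; a reader outside Product Security cannot tell what VulnMapper is or where its handbook page lives, so each first mention should carry a link or a one-line description. In the same list, step 3 ("Triage: Distributed model based on vulnerability type and team expertise") leaves the ownership split unstated even though the Organizational Structure section already separates Vulnerability Management, PSIRT and ProdSecEng; stating which team triages which class of finding (for example, cloud/infrastructure findings via the Infrastructure Security interface listed above) would make the distributed model actionable. Minor: "security releases coordination" under the PSIRT Key Deliverables should read "security release coordination".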