Draft: Add AppSec activities to the GL Continuous Security Framework
Why is this change being made?
This MR brings AppSec activities and requirement to the Security Framework page.
It's meant to be merged into !105792 (merged), so please check out the content of the main MR first, then add the AppSec content in this one to keep the discussion scoped.
Remember that everything should be automated as much as possible to keep the workflow lean.
Potential Activities
| Activity | When | Notes |
|---|---|---|
| Assigning a Stable Counterpart | Creating a new product category / group | Not sure if there's a process for this in the handbook yet? |
| AppSec Review | "The team owning the feature should proactively involve the Stable Counterpart in Epics, Issues, and/or MRs which might require a review or their attention. This is primarily the responsibility of the team's Engineering Manager(s) and the Engineer(s) working on the Issue / MR. Ideal trigger points (in order of preference) are when the Epic/Issue/MR is created/updated, when an engineering proposal is updated, or when an engineer is working on the MR." |
Those are the two main entry points really. Anything else - e.g. threat modelling, can be decided on a case by case basis. Deciding what scanners to enable could also be done at this point, and/or be mandated by a Compliance Policy.
Useful links
- Main MR: Add the GL Continuous Security Framework page (!105792 - merged)
- Main Issue: https://gitlab.com/gitlab-com/gl-security/security-department-meta/-/issues/1333
- CI/CD Template POC
Author Checklist
-
Provided a concise title for this Merge Request (MR) -
Added a description to this MR explaining the reasons for the proposed change, per say why, not just what - Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added.
-
Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI) - If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the
Maintained bysection on the page being edited - If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
- If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the
-
If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR - If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.
Edited by Nick Malcolm