Update priorities based on direction change
Why is this change being made?
- After changes in our direction for Security Policies (!137610 (merged)), following Sec realignment and our team now structured under Security Risk Management, this MR works to re-prioritize our plans and better reflect new priorities.
- We'll continue to complete/address any remaining gaps in pipeline execution policies, easing the process of migration from compliance pipelines. However, we will look for boundary lines and reduce emphasis on new features for compliance enforcement for the time being.
- We will increase our emphasis/priority first on some of the known usability issues that will help make using policies much simpler for all of the future policies and policy enhancements we add, easing adoption and overall efficiency of managing policies at scale.
- We have some existing plans with designs, such as adding exceptions for packages in license approval policies, that will provide improvements for vulnerability management. With designs/validation complete, we'll proceed with execution and for the quick win in this category. We'll want to continue with improvements around audit mode / warn mode, and then adding new filters, exceptions, and automations for vulnerability management workflows.
- New vulnerability management plans we'll be exploring/refining include - taking ownership of auto-resolve policies and any improvements necessary there. Introducing an auto-dismiss policy which will help AppSec teams cut through the noise of vulnerabilities that are not actionable or a priority based on business context (e.g. CVE and file path filters). We'll explore how to filter license findings by severity (dependent on SCA for this). And we'll look at filters for MR approval policies that are based on EPSS and KEV that help better understand risk.
- Note: For "Improve compatibility between security policies and security analyzers", we may see a path to shift ownership to SPM, so putting on hold until we have more information, but we will continue to look at how to improve here based on that decision.
- This covers the main highlights but not every item added. We'll continue to refine and share more context/updates as we go!
Author and Reviewer Checklist
Please verify the check list and ensure to tick them off before the MR is merged.
-
Provided a concise title for this Merge Request (MR) -
Added a description to this MR explaining the reasons for the proposed change, per say why, not just what - Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
-
Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI) - If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the
Maintained bysection on the page being edited - If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
- The when to get approval handbook section explains the workflow in more detail
- If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the
-
For transparency, share this MR with the audience that will be impacted. -
Team: For changes that affect your direct team, share in your group Slack channel -
Department: If the update affects your department, share the MR in your department Slack channel -
Company: If the update affects all (or the majority of) GitLab team members, post an update in #whats-happening-at-gitlab linking to this MR - For high-priority company-wide announcements work with the internal communications team to post the update in #company-fyi and align on a plan to circulate in additional channels like the "While You Were Iterating" Newsletter
-
Commits
- Update priorities based on direction change
Edited by Grant Hickman