Design: MVC Security code review experience
Problem to solve
Identified from the baseline recommendations (gitlab-design#479 (closed)): we've found that the workflow for managing vulnerabilities in the MR is not optimal.
Intended users
- Developers
- Security Engineers
- MR Reviewers
JTBD: When conducting a security review, I want to address new vulnerabilities and manage their resolution in the MR, so that I can approve the MR and feel these changes don't put my org at risk.
Further details
Security Code Reviews are becoming an industry best practice for DevSecOps. We need to adopt and refine this feature to better support organizations and customers who are Shifting Left.
Proposal
Undefined. Research will take place first.
What does success look like, and how can we measure that?
- Adoption and use of the Security Review feature.
- An improvement to the Baseline score for this area.
Links / references
Code reviews increase developer accountability and provide transparency into changes. Mandatory reviews ensure that a change can’t be pushed out without at least one other person being aware of what was done and why it was done. This significantly reduces the risk of insider threats; for example, someone trying to introduce a logic bomb or a back door in the code. Just knowing that their code will be reviewed also encourages developers to be more careful in their work, improving the quality of the code.
Edited by Andy Volpe