Problem validation: Why GitLab customers need a dependency firewall

What’s this issue all about?

Discussion guide

In &5133 we propose an MVC for the dependency firewall to help GitLab customers prevent malicious packages or dependencies from infiltrating their SDLC.

Although we've outlined an MVC, we need a more robust understanding of what is useful for Developers, Platform Engineers, and Security professionals. This issue is intended to define a research plan to understand the space, challenges, and requirements better.

Who is the target user of the feature?

  • Developers will be directly affected, because they are the ones downloading packages and their workflow will be interrupted when a package is blocked or quarantined.
  • Platform engineers will be affected even more, because they are responsible for ensuring their development teams work efficiently and securely, and would own the firewall's policies.
  • Security professionals will be affected because it will be up to them to review the firewall's dashboards and reports to improve their organization's security posture.

What questions are you trying to answer?

  • What is more useful:
    • A firewall that filters known vulnerabilities and quarantines or warns users based on those results
    • A firewall that flags suspicious packages by analyzing the metadata and code associated with a given package
  • What data is most important when creating firewall policies?
  • What data is most useful for summarizing the results of the firewall?

Additional questions

What hypotheses and/or assumptions do you have?

My original assumption is that filtering vulnerabilities would be most important. But I've been learning since that many teams are inundated with vulnerabilities already and they need a different lens into their security posture.

What decisions will you make based on the research findings?

  • Pick a direction that is both useful and feasible for the MVC
  • Help to design the UX and UI for the feature so that we can conduct solution validation

What's the latest milestone that the research will still be useful to you?

ASAP

Edited by Tim Rizzi