Preparation
"Phase Zero" activities
Process
(Enablement as required throughout)
- Set expectations
- Everything will be red at first
- Continuous improvement
- Requires research, decisionmaking, collaboration, and additional coding
- Establish a cross-functional team
- Executive sponsor
- InfoSec
- DevOps
- Product
- Application team roles- Technical Architect and Dev Leads
- Identify and prioritize pilot projects/teams
Collaboration focus:
- Select pilot team(s)
- Determine integration requirements (Jira, 3rd party scanners, etc)
- Determine current state (i.e., some scans already running)
- Summarize languages and frameworks used (to determine scanner applicability)
Pilot Project Selection
Characteristics of a pilot team/project
- Already using GitLab, Merge Requests, and CI/CD
- Already partially familiar with concepts like SAST and Secret Management
- Publishing a web application or API service, to provide effective confirmation of DAST capabilities
- Having projects in standard conventions like containerization via Dockerfile or package management with package managers like poetry,maven,yarn etc. in order to use Container Scanning or Dependency Scanning capabilities
- A standard model, for how most other teams work. Especially how branches and merge request approvals are managed should be matching overall setup
Custom role
The security team will need the ability to work with vulnerabilities and compliance frameworks in order to do their work. Fortunately, the Custom Roles capability supports such activity. Specifically, we need a Custom role at the top-level group with the following properties:
- Name:
Application Security(or similar) - Description:
Manage application security policies, vulnerabilities, and workflow(or similar) - Base role:
Reporter - Custom permissions:
- Admin compliance framework
- Admin merge request
- Admin vulnerability
- Manage security policy link
- Read dependency
- Read vulnerability
(Note there is an active issue to standardize such a role in GitLab.)