Secure Design & Development Team Services Overview
Last updated: May 27, 2025
The Secure Design & Development Team works with GitLab engineers and product teams to anticipate and prevent the introduction of vulnerabilities during design and development.
Our responsibility includes four of the five Secure Developer Experience (SDX) pillars. SDX is a developer-UX-centered approach to traditional DevSecOps practices.
- SDX: Learn: security training, governance, policy, documentation, and standards.
- SDX: Design: threat modeling, feature design guidance and consultation, and design reviews.
- SDX: Code: static analysis, software component analysis and supply chain security, use of approved tools and methodologies in development, deprecation of unsafe functions, etc.
- SDX: Verify: dynamic analysis testing, penetration testing, remediation of critical vulnerabilities, and final security reviews prior to release.
Helpful Quicklinks
- Application Security Reviews
- Application Security Stable Counterparts
- Threat modeling
- Backlog reviews: when necessary, a backlog review can be initiated; see the Vulnerability Management page for details.
- GitLab AppSec Inventory
- Responding to customers security scanners review requests
- Root Cause Analysis for Critical Vulnerabilities
Learn how to identify or remediate security issues using real examples with GitLab’s Reproducible Vulnerabilities.
Learn how GitLab is implementing Reproducible Builds for our build processes.
Learn more about the automation initiatives that the Application Security team uses on the Application Security Automation and Monitoring page.
GitLab Secure Tools coverage
As part of our dogfooding effort, Secure Tools are set up on many different GitLab projects (see our policies). This list is too dynamic to be included in this page, and is now maintained in the GitLab AppSec Inventory.
Projects without the expected configurations can be found in the inventory violations list (internal link).
How to Contact the Secure Design & Development Team
- Find your Stable Counterpart on the Product sections, stages, groups, and categories page
- Mention @gitlab-com/gl-security/product-security/appsec on GitLab
- Submit an issue in the AppSec Team repository
- Ask in #sec-appsec or mention @appsec-team on Slack
- For cross-team collaboration improvement opportunities, use this template
Content Review and Updates
This page will be reviewed quarterly to ensure alignment with company and divisional priorities, the GitLab Security product roadmap, and relevant business and operational changes. Updates may occur more frequently as business operations evolve.
Next scheduled review: June 30, 2025