Code Security tiger team

The purpose of the Code Security tiger team is to iterate quickly with customers over new user flows addressing the Code security use case over .

Workflow

Sync

We sync weekly on Wednesday. See our sync doc

Customer discovery

We use Lookback for customer discovery sessions and Airtable for collecting insights.

Strategy

See strategy page

Contact

#code-security-tiger-team or @code-security-tiger-team on Slack

sourcegraph/code-security-tiger-team on GitHub

Members

Reading list

If you are interested in the space but don’t know where to start, here are a few items to put on your reading list:

Glossary

We try not to use acronyms at Sourcegraph, but there are a lot of them in security. Here’s a list that could be useful to Sourcegraphers new to the field:

  • NTIA: National Telecommunications and Information Administration. A US Department of Commerce agency that advises the president on telecommunications and information policy and contributes to developing frameworks and standards; it published the "minimum elements" guidance for SBOMs.
  • OWASP: The Open Web Application Security Project. A nonprofit foundation that works to improve the security of software.
  • SBOM: Software Bill of Materials. A machine-readable inventory of the components (names, versions and, ideally, their dependency relationships) that make up a piece of software. The two most common SBOM formats are SPDX (a Linux Foundation project, standardized as ISO/IEC 5962) and CycloneDX (an OWASP project).
  • SLSA: Supply-chain Levels for Software Artifacts, pronounced "salsa". A security framework and set of graduated requirements (levels) for improving the integrity of the software supply chain, centered on build provenance.
  • SCA: Software Composition Analysis. An automated process that identifies the third-party dependencies of a piece of software (from package manifests, lockfiles or an SBOM) and checks them against vulnerability databases such as the NVD for known issues.
  • SAST: Static Application Security Testing. SAST tools analyze the application’s source code, without running it, for potential vulnerabilities based on a set of predefined rules. Some SAST tools also suggest fixes.
  • DAST: Dynamic Application Security Testing. DAST tools interact with the running application from the outside, performing attacks to identify vulnerabilities, without needing access to the source code.
  • NVD: National Vulnerability Database. A repository of vulnerability information maintained by the US government (NIST), built on the CVE list and enriched with severity scores (CVSS) and affected-product data.
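The SBOM and SCA entries above describe two halves of one workflow: an SBOM lists what is in a build, and an SCA tool matches that list against a vulnerability feed. The Python below is an added illustration of that matching step; it is not code from this handbook page or from any Sourcegraph product. The CycloneDX-style SBOM, the `acme-*` package names and the `ADV-000x` advisory IDs are all constructed for the example (they are not real packages or NVD/CVE identifiers), and the feed format is an assumption: each advisory names a package URL (purl) without its version and the first version that fixes the issue.

```python
"""Toy SBOM consumer: parse a CycloneDX-style SBOM and run an SCA-style match
of each component against a vulnerability feed.  Added example; every package,
version and advisory below is constructed."""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed CycloneDX 1.4 JSON document (not a real project's SBOM).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "acme-parser", "version": "1.2.3",
         "purl": "pkg:npm/acme-parser@1.2.3"},
        {"type": "library", "name": "acme-http", "version": "2.0.1",
         "purl": "pkg:pypi/acme-http@2.0.1"},
        {"type": "library", "name": "acme-utils", "version": "3.4.5",
         "purl": "pkg:npm/acme-utils@3.4.5?repository_url=registry.example.invalid"},
        {"type": "library", "name": "acme-legacy", "version": "0.9.beta",
         "purl": "pkg:npm/acme-legacy@0.9.beta"},
    ],
})


@dataclass(frozen=True)
class Advisory:
    """Constructed advisory: every version of `package` below `fixed_in` is affected."""
    id: str
    package: str   # purl with the version and qualifiers stripped
    fixed_in: str


# Constructed feed; the IDs are placeholders, not NVD/CVE identifiers.
ADVISORIES = [
    Advisory("ADV-0001", "pkg:npm/acme-parser", "1.3.0"),
    Advisory("ADV-0002", "pkg:pypi/acme-http", "2.0.0"),
    Advisory("ADV-0003", "pkg:npm/acme-legacy", "1.0.0"),
]


@dataclass(frozen=True)
class Finding:
    purl: str
    advisory: str
    status: str   # "affected", or "review" when the version could not be compared


def split_purl(purl: str):
    """Return (package, version) for a purl.  Qualifiers ('?') and subpath ('#')
    follow the version, so strip them first; purl percent-encodes '@' inside
    namespaces, so the last '@' is the version separator."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in base:
        return base, None
    package, version = base.rsplit("@", 1)
    return package, version


def parse_version(v: str) -> Optional[tuple]:
    """Compare dotted-integer versions only; anything else returns None so the
    caller can flag it for manual review instead of silently skipping it."""
    parts = v.split(".")
    if parts and all(p.isdigit() for p in parts):
        return tuple(int(p) for p in parts)
    return None


def audit(sbom_json: str, advisories) -> list:
    """SCA-style pass: one Finding per (component, advisory) pair that is
    affected or cannot be evaluated.  Components with no advisory are silent."""
    sbom = json.loads(sbom_json)
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv.package, []).append(adv)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue            # components without a purl cannot be matched
        package, version = split_purl(purl)
        for adv in by_package.get(package, []):
            have = parse_version(version) if version else None
            fixed = parse_version(adv.fixed_in)
            if have is None or fixed is None:
                findings.append(Finding(purl, adv.id, "review"))
            elif have < fixed:
                findings.append(Finding(purl, adv.id, "affected"))
    return findings


if __name__ == "__main__":
    for f in audit(SBOM_JSON, ADVISORIES):
        print(f"{f.status:8} {f.advisory}  {f.purl}")
```

Two points the definitions alone do not show: matching is done on the purl, not the human-readable `name`, because the purl carries the ecosystem (`npm` vs `pypi`) and avoids cross-ecosystem name collisions; and a version the tool cannot parse is surfaced as "review" rather than dropped, since a silent skip is the failure mode that lets a vulnerable component through.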