We think that security is an enabler for the business. Sourcegraph is committed to proactive security, and addressing vulnerabilities in a timely manner. We approach security with a can-do philosophy, and look to achieve product goals while maintaining a positive posture, and increasing our security stance over time.
- New members onboarding guide
- Proactively improve the security of our application and infrastructure.
- Define, plan, and prioritize security work that needs to be done (and then go do that work).
- Directly contribute to our codebase (i.e., Go, TypeScript, Kubernetes, Docker, Google Cloud Platform) to secure our application and deployments, and help other engineers on our team make the necessary changes.
- Respond to security vulnerability reports
- Increase our security posture by running traditional security tools such as vulnerability scanners, SAST, and DAST tools.
- Create a culture of security at Sourcegraph that empowers all of our engineers to write secure code.
- Respond to Security Incidents as per our Security Incident Response Policy
- We are growing our security team to expand, develop and mature the security program
- We are embedding new security practices to improve our secure SDLC
- We are improving our internal security training for developers
- We have a security ambassador program where a security engineer is involved in the early stages of the design of new features to give input and help identifying potential weaknesses of the product
- We have developed a new vulnerability management process which will limit the number of open vulnerabilities as we will have a much closer follow up with a new SLA
- We are currently using Checkov.io to scan our IaC
We’re always happy for teams to request security code reviews.
Security questions and support requests should be raised in #security:
- Click the lightning bolt below the Slack message box in #security
- Select an option at the top of the menu
- Fill out the questions
- Tag @security-support in the resulting thread if urgent
Reach out to us on #security if you have any doubts, or for any reason feel like our process can’t work for you in a particular case.
In an effort to work closely with our teammates and shift security focus more into the development process, we are pleased to introduce the Security Ambassador program which will align each one of our security engineers with an engineering organization.
What does this mean?
- The ambassador assigned to your organization will become very knowledgable on your team’s work.
- The ambassador will help you integrate security thought-processes into your workflow.
- The ambassador will become your primary point of contact regarding any security concerns that may arise in your development process.
- The ambassador will be available to join any planning, testing and implementation meetings where their input might be beneficial.
- This will allow you to get quicker responses to your security questions and concerns from someone who has a deeper understanding of your team’s work.
- This will allow us to produce a more secure product by integrating security into the early stages of product development.
Does this mean I can’t talk to anyone else on the security team?
- Absolutely not. You are welcome to reach out to anyone in the security team at anytime. We encourage everyone to use the #security slack channel.
Who is the ambassador for my team?
Org Division/Team Assignee Code Graph Search Core André Code Graph Search Product Lauren Code Graph Code intelligence André Code Graph Batch Changes Lauren Code Graph Code insight André Enablement Repo management David Enablement Delivery Mohammad Enablement Dev Experience Mohammad Enablement Front End Platform Lauren Cloud Growth Mohammad Cloud Growth and Integrations David Cloud Devops André Cloud Cloud Saas David