Welcome to the Security Team 🥳
Congrats on taking your first steps towards a new chapter in your cyber security career! Our team is here to support and guide you on this journey, so never hesitate to reach out in the team Slack channel #security-internal.
Below you’ll find some steps to get your local development environment set up, common tools installed, access requested, etc.
Sourcegraph as a whole uses Slack heavily for daily communication - our team also uses a journal to document work progress each week. Here are some recommended channels to join to make sure you’re kept in the loop.
- #security - This is our public channel where other teams can contact us with questions / support requests.
- #security-internal - This is our team’s “private” channel (all channels are visible to all) where our team can collaborate with each other asynchronously, share interesting news and the occasional meme, or just say hello 😄
- #security-monitoring - This is where our automated monitoring alerts are posted.
- #incidents - This is where product incidents are posted. A useful channel if you get engaged for an incident and need context.
If you haven’t been given access to Sourcegraph’s organization on GitHub yet, reach out to #it-tech-ops on Slack and provide your GitHub username.
We are an all-remote company and favor asynchronous communication, so it is important to configure your notifications correctly: you should receive and read the notifications that matter (e.g. someone comments on one of your PRs, someone adds you as a reviewer to a PR) without being overwhelmed by notifications that don’t involve you.
- Request access to the services below via the listed teams:
- GCP (Google Cloud Platform) - GCP is where our Cloud infrastructure lives.
- Buildkite - Our CI (Continuous Integration) pipelines host.
- Self-serve via Google auth
- Cloudflare - Our CDN / WAF / DNS provider.
- Jira - Our team’s Kanban board for planned work management.
It’s much easier to test and debug code locally. Follow the below guide to get Sourcegraph up and running!
- SG local Setup [If you encounter any issues, ask for help in #dev-chat, then update the documentation to reflect the resolution (so the next engineer we hire doesn’t run into the same problem)]
Our browser extension has a handy search shortcut letting you quickly search using Sourcegraph. This can be a life saver if you need to quickly find something!
Our private code repositories can only be searched using our internal dev instance of Sourcegraph (dogfood), so adding a second shortcut pointing at dogfood is recommended.
- Set up the Google Cloud CLI (gcloud) and authenticate.
- Required for Terraform and kubectl.
- Set up Terraform
- Terraform is our infrastructure-as-code tool, which we use to modify our environments.
- Connect to dogfood with kubectl
- For prod and other clusters it’s just a matter of adding the other kubeconfigs.
- Download and set up Burp Suite Community Edition on your laptop.
- You can use this Burp project already configured for Sourcegraph.
- Try to capture some traffic from your local Sourcegraph instance, such as logging in.
Tip: The browser extension FoxyProxy makes it much easier to quickly switch between Burp’s proxy and a direct connection 😉
Sourcegraph is built primarily in Go. If you are unfamiliar with Go, it’s definitely worth spending some time here to make sure you understand the basics. Go’s syntax is C-like but differs in places, and it replaces traditional threads with goroutines. Take your time and step through the tutorials below:
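As an added example (not code from the Sourcegraph codebase or the linked tutorials), the program below shows the three concurrency primitives you will meet constantly when reading Go: goroutines started with `go`, a channel used to hand work to a pool of workers, and `sync.WaitGroup` / `sync.Mutex` to wait for the workers and merge their results safely. The input lines are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// countWords tallies word frequencies across lines using a pool of
// `workers` goroutines. Each worker keeps a private map while it reads
// from the jobs channel and only touches the shared map under the mutex,
// because Go maps are not safe for concurrent writes.
func countWords(lines []string, workers int) map[string]int {
	if workers < 1 {
		workers = 1 // zero workers would leave the sends below with no receiver
	}
	jobs := make(chan string)
	counts := make(map[string]int)
	var mu sync.Mutex
	var wg sync.WaitGroup

	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() { // a goroutine: cheap, multiplexed onto OS threads by the runtime
			defer wg.Done()
			local := make(map[string]int)
			for line := range jobs { // loop ends when jobs is closed and drained
				for _, w := range strings.Fields(strings.ToLower(line)) {
					local[w]++
				}
			}
			mu.Lock()
			for w, n := range local {
				counts[w] += n
			}
			mu.Unlock()
		}()
	}

	for _, l := range lines {
		jobs <- l // blocks until a worker receives; no buffering needed
	}
	close(jobs) // tells every worker there is no more work
	wg.Wait()   // block until all workers have called Done
	return counts
}

func main() {
	// Constructed sample input for the example.
	lines := []string{"go is fun", "Go is fast", "goroutines are cheap"}
	for w, n := range countWords(lines, 3) {
		fmt.Printf("%s=%d\n", w, n)
	}
}
```

Two things worth noticing: closing the channel is the idiomatic way to broadcast "no more work" to every worker, and the shared `counts` map is only ever written while `mu` is held. Run the program with `go run -race .` to see how the race detector reports the bug if you remove the lock.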
Alright! Time to get our hands dirty 👷 Work through and complete the below onboarding tasks. It’s not expected for you to master these on your first run through so please reach out to the team if you’d like someone to pair with for support 😃
The more familiar you are with Sourcegraph and its components the better! Spend some time code surfing and try to step through a particular feature or component end to end.
Explore our Continuous Integration (CI) platform, Buildkite. There’s no need to deep dive on the documentation, but understanding the basics at a high level and familiarizing yourself with how we use it is recommended.
It’s a common ask of the Security team to rotate or help rotate production secrets. We have extensive documentation about Secret Management at Sourcegraph. Don’t worry about how to create new secrets unless you’re interested in the setup; for now, focus on the Rotating Secrets and Secret Types sections.
The goal is rotating two production secrets. You can choose any in these categories:
- A secret in sourcegraph.com site-config: Sourcegraph instances may contain secrets such as OAuth credentials in the site-config file. Choose one secret from dotcom’s site-config and rotate it. Hint: avoid the GitLab OAuth credentials; go for the GitHub OAuth or SMTP credentials.
- Any secret in our production pods or CI: Besides site-config, it’s important to know how to rotate the secrets we inject as environment variables into our pods. Look for any secrets that you think are a good idea to rotate in the infrastructure repositories. This search can serve as a starting point to find some secrets to rotate.
Note: This requires having completed the set-up part of your Security onboarding. Dig through our code, GCP, 1Password and especially the Secret Management doc.
Skim through our support rotation page in the handbook. This is meant as a reference so no need to memorize anything 🙂
- You are able to run Sourcegraph code locally with dev-private
- You are able to run terraform plan on the sourcegraph/infrastructure repository
- You are able to kubectl into our clusters
- Complete onboarding tasks above and any other assigned tasks in Jira
- Capture traffic via Burp Suite for analysis