Code Security tiger team
The purpose of the Code Security tiger team is to iterate quickly with customers over new user flows addressing the Fixing security vulnerabilities use case over .
Workflow
Sync
We sync weekly on Wednesday. See our sync doc
Customer discovery
We use Lookback for customer discovery sessions and Airtable for collecting insights.
Strategy
See strategy page
Contact
- #code-security-tiger-team or @code-security-tiger-team on Slack
- sourcegraph/code-security-tiger-team on GitHub
Members
- Malo Marrec, Product Manager
- Loïc Guychard, Engineering Manager, Code Security tiger team
- Quinn Keast, Product Designer
- Alex Isken, Product Marketing Manager
- Ryan Scott, Product Manager
- Dan Diemer, Customer Engineer
- Thorsten Ball, Software Engineer
- André Eleuterio, Security Engineer
Reading list
If you are interested in the space but don’t know where to start, here are a few items to put on your reading list:
- The log4j vulnerability, and how Sourcegraph helped
- Blogs from well-known companies in the application security space provide good perspectives. For example (non-exhaustive list!), Snyk’s, Veracode’s, and Sonatype’s.
- Software supply chain is a key area of interest:
Glossary
We try not to use acronyms at Sourcegraph, but there are a lot of them in security. Here’s a list that could be useful to Sourcegraphers new to the field:
- NTIA: National Telecommunications and Information Administration. A US agency that advises the US president on telecommunication policy, and contributes to developing frameworks and standards.
- OWASP: The Open Web Application Security Project. A nonprofit foundation that works to improve the security of software.
- SBOM: Software Bill of Materials. A machine-readable inventory of the components a piece of software is built from. The two most common SBOM standards are SPDX (developed by ISO) and CycloneDX (developed by OWASP).
- SLSA: Supply-chain Levels for Software Artifacts, pronounced "salsa". A security framework and set of standards for improving software supply chain integrity and security.
- SCA: Software Composition Analysis. An automated process to identify the dependencies of a piece of software. SCA tools analyze the application’s dependencies for known vulnerabilities.
- SAST: Static Application Security Testing. SAST tools analyze the application’s source code for potential vulnerabilities, based on a set of predefined rules. Some SAST tools also suggest fixes.
- DAST: Dynamic Application Security Testing. DAST tools interact directly with the running application to identify vulnerabilities by performing attacks against it, without having access to the source code.
- NVD: National Vulnerability Database. A repository of vulnerabilities maintained by the US government.