Security Onboarding 🧑‍💻

Welcome to the Security Team 🥳

Congrats on taking your first steps towards a new chapter in your cyber security career! Our team is here to support and guide you on this journey, so never hesitate to reach out in the team Slack channel #security-internal.

Below you’ll find some steps to get your local development environment set up, common tools installed, access granted, etc.

Useful Slack Channels

Sourcegraph as a whole uses Slack heavily for daily communication - our team also uses a journal to document work progress each week. Here are some recommended channels to join to make sure you’re kept in the loop.

  • #discuss-security - This is our public channel where other teams can contact us with questions / support requests.
  • #team-security - This is our team’s “private” channel (all channels are visible to all) where our team can collaborate with each other asynchronously, share interesting news and occasional memes, or just say hello 😄
  • #security-monitoring - This is where our automated monitoring alerts are posted.
  • #security-terraform - Our infrastructure is managed using Terraform, and notifications regarding changes to security-related infrastructure go here.
  • #incidents - This is where product incidents are posted. A useful channel if you get engaged for an incident and need context.
  • #security-code-monitoring - This is where our code scanning alerts are posted, including those from Semgrep SAST, Dependabot and HackerOne.
  • #security-infra-observability - This is where alerts go related to the availability of our security systems. This includes alerts from Google Monitoring and uptime checks.

GitHub Setup

If you haven’t been given access to Sourcegraph’s Organization on GitHub yet, reach out to #it-tech-ops on Slack and provide your GitHub username.

Because we are an all-remote company that favors asynchronous communication, it is important to configure your GitHub notifications correctly so that you receive and read the notifications that matter (e.g. someone comments on one of your PRs or adds you as a reviewer) without being overwhelmed by notifications that don’t involve you.

Other Access

Sourcegraph - Local Environment Setup

It’s much easier to test and debug code locally. Follow the below guide to get Sourcegraph up and running!

  • SG local Setup [If you encounter any issues, ask for help in #dev-chat and then update the documentation to reflect the resolution (so the next engineer that we hire doesn’t run into the same problem)]

Sourcegraph - Browser Search Engine

Our browser extension has a handy search shortcut letting you quickly search using Sourcegraph. This can be a life saver if you need to quickly find something!

Our private code repositories can only be searched using our internal dev instance of Sourcegraph (dogfood) so adding a second shortcut is recommended.

Tools Setup

  1. Set up the Google Cloud CLI tool (gcloud) and authenticate.
    • Required for Terraform and kubectl.
  2. Set up Terraform.
    • Terraform is our infrastructure-as-code tool, which we use to modify our environments.
  3. Connect to dogfood with kubectl.
    • For prod and other clusters it’s just a matter of adding the other kubeconfigs.
  4. Download and set up Burp Suite Community Edition on your laptop.
    • You can use this Burp project already configured for Sourcegraph.
    • Try to capture some traffic from your local Sourcegraph instance, such as logging in.

Training

Golang

Sourcegraph is built primarily in Go. If you are unfamiliar with Go, it’s definitely worth spending some time here to make sure you understand the basics. Go is similar to C but has some syntax differences, as well as a replacement for traditional threads called goroutines. Take your time and step through the tutorials below:

Onboarding Tasks

Alright! Time to get our hands dirty 👷 Work through and complete the onboarding tasks below. You are not expected to master these on your first run through, so please reach out to the team if you’d like someone to pair with for support 😃

Explore the Product

The more familiar you are with Sourcegraph and its components the better! Spend some time code surfing and try to step through a particular feature or component.

Buildkite

Explore our Continuous Integration (CI) platform, Buildkite. There’s no need to deep dive into the documentation, but understanding the basics at a high level and familiarizing yourself with our usage is recommended.

Secret Rotation

It’s a common ask of the Security team to rotate, or help rotate, production secrets. We have extensive documentation about Secret Management at Sourcegraph. Don’t worry about how to create new secrets unless you’re interested in the setup. For now, focus on the Rotating Secrets and Secret Types sections.

The goal is to rotate two production secrets. Choose any from these categories:

  • A secret in sourcegraph.com site-config: Sourcegraph instances may contain secrets such as OAuth creds in the site-config file. Choose one secret from dotcom’s site-config and rotate it. Hint: Avoid the GitLab OAuth creds - go for GitHub OAuth or SMTP credentials.
  • Any secret in our production pods or CI: Besides site-config, it’s important to know how to rotate secrets that we use as env vars in our pods. Look for any secrets that you think are a good idea to rotate in the deploy-sourcegraph-dotcom or infrastructure repositories. This search can serve as a starting point to find some secrets to rotate.

Note: This requires having completed the setup part of your Security onboarding. Dig through our code, GCP, 1Password and especially the Secret Management doc.
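As an added illustration (not handbook code and not Sourcegraph’s tooling) of the site-config rotation above: the helper below locates secret-bearing keys in a site-config document, swaps one for the provider-issued replacement while refusing the two ways a rotation silently does nothing (empty or unchanged value), and produces a redacted list of what changed for the rotation record. The sample config is constructed, and the key names `clientSecret` / `password` are an assumption about where the secrets sit in the real file.

```python
import copy
import json

# Constructed sample shaped like a Sourcegraph site-config; all values are placeholders.
# Key names clientSecret/password are an assumption about where secrets live; the real
# file also permits comments, so this sample is plain JSON for json.loads.
SAMPLE_SITE_CONFIG = json.loads("""
{
  "auth.providers": [
    {"type": "builtin"},
    {"type": "github", "clientID": "gh-app-id", "clientSecret": "OLD-GITHUB-SECRET"},
    {"type": "gitlab", "clientID": "gl-app-id", "clientSecret": "OLD-GITLAB-SECRET"}
  ],
  "email.smtp": {"host": "smtp.example.invalid", "username": "mailer", "password": "OLD-SMTP-PASSWORD"}
}
""")
SECRET_KEYS = {"clientSecret", "password"}  # assumed secret-bearing key names

def find_secrets(node, path=()):
    """Yield (path, value) for every secret-bearing key in the config tree."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key in SECRET_KEYS and isinstance(val, str):
                yield path + (key,), val
            else:
                yield from find_secrets(val, path + (key,))
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            yield from find_secrets(val, path + (idx,))

def rotate_secret(config, path, new_value):
    """Copy of config with the secret at `path` replaced by the provider-issued value.
    Empty or unchanged values are rejected: both leave the old secret live."""
    if not new_value:
        raise ValueError("new secret must not be empty")
    updated = copy.deepcopy(config)
    parent = updated
    for step in path[:-1]:
        parent = parent[step]
    if parent[path[-1]] == new_value:
        raise ValueError("new secret equals the current one; nothing rotated")
    parent[path[-1]] = new_value
    return updated

def changed_secret_paths(before, after):
    """Paths whose secret changed, as 'a/b/c' strings, for a redacted rotation record."""
    old = dict(find_secrets(before))
    return ["/".join(map(str, p)) for p, v in find_secrets(after) if old.get(p) != v]
```

The redacted path list is what belongs in the PR or journal entry; the secret values themselves never leave 1Password or the secret store.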

Security Support Rotation

Skim through our support rotation page in the handbook. This is meant as a reference so no need to memorize anything 🙂

Resources:

Acceptance Criteria

  • You are able to run Sourcegraph code locally with dev-private
  • You are able to run tf plan on the sourcegraph/infrastructure repository
  • You are able to kubectl into our clusters
  • You have Burp Suite set up on your local machine
  • You have installed the OpsGenie app on your phone