GitLab Documentation

The following security review of the GitLab Geo feature set focuses on security aspects of the feature as they apply to customers running their own GitLab instances. The review questions are based in part on the application security architecture questions from owasp.org.

Business Model

What geographic areas does the application service?

Data Essentials

What data does the application receive, produce, and process?

How can the data be classified into categories according to its sensitivity?

What data backup and retention requirements have been defined for the application?

End-Users

Who are the application's end‐users?

How do the end‐users interact with the application?

What security expectations do the end‐users have?

Administrators

Who has administrative capabilities in the application?

What administrative capabilities does the application offer?

Network

What details regarding routing, switching, firewalling, and load‐balancing have been defined?

What core network devices support the application?

What network performance requirements exist?

Systems

What operating systems support the application?

What details regarding required OS components and lock‐down needs have been defined?

Infrastructure Monitoring

What network and system performance monitoring requirements have been defined?

What mechanisms exist to detect malicious code or compromised application components?

What network and system security monitoring requirements have been defined?

Virtualization and Externalization

What aspects of the application lend themselves to virtualization?

What virtualization requirements have been defined for the application?

What aspects of the product may or may not be hosted via the cloud computing model?

If applicable, what approach(es) to cloud computing will be taken (Managed Hosting versus "Pure" Cloud, a "full machine" approach such as AWS-EC2 versus a "hosted database" approach such as AWS-RDS and Azure, etc)?

Environment

What frameworks and programming languages have been used to create the application?

What process, code, or infrastructure dependencies have been defined for the application?

What databases and application servers support the application?

How will database connection strings, encryption keys, and other sensitive components be stored, accessed, and protected from unauthorized detection?

Data Processing

What data entry paths does the application support?

What data output paths does the application support?

How does data flow across the application's internal components?

What data input validation requirements have been defined?

What data does the application store and how?

What data is or may need to be encrypted and what key management requirements have been defined?

What capabilities exist to detect the leakage of sensitive data?

What encryption requirements have been defined for data in transit - including transmission over WAN, LAN, SecureFTP, or publicly accessible protocols such as http: and https:?

Access

What user privilege levels does the application support?

What user identification and authentication requirements have been defined?

What user authorization requirements have been defined?

What session management requirements have been defined?

What access requirements have been defined for URI and Service calls?

Application Monitoring

What application auditing requirements have been defined? How are audit and debug logs accessed, stored, and secured?


Leave a comment below if you have any feedback on the documentation. For support and other enquiries, see getting help.