Key Responsibilities
- Proactively improve the security of our application and infrastructure, including Continuous Review Process.
- Define, plan, and prioritize security work that needs to be done (and then go do that work).
- Directly contribute to our codebase (i.e., Go, TypeScript, Kubernetes, Docker, Google Cloud Platform) to secure our application and deployments, and help other engineers on our team make the necessary changes.
- Respond to security vulnerability reports.
- Increase our security posture by running traditional security tools such as vulnerability scanners, SAST, and DAST tools.
- Create a culture of security at Sourcegraph that empowers all of our engineers to write secure code.
- Respond to security incidents as per our Security Incident Response Policy.
In Detail
Make sure that we release our product without high or critical vulnerabilities
- We scan our containers and IaC as defined in the CI/CD Pipeline Vulnerability Scanning section below.
- As part of the release process, we will conduct a full scan of our product using Trivy and Checkov.
- Any high or critical vulnerabilities must be addressed before releasing.
- The artifacts from the scans are then archived.
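The release gate described above (full Trivy and Checkov scan, block on high or critical findings, archive the reports) can be expressed as a small script. The following is an added example, not Sourcegraph's own pipeline code: it runs the gate over constructed Trivy and Checkov JSON reports embedded inline (the shapes follow Trivy's `--format json` output and Checkov's `-o json` output; the CVE numbers and check ids are placeholders, not real advisories or Checkov checks), and the `must_fix_checks` set is an assumed convention for treating selected Checkov checks as high severity when the open-source tool reports no severity.

```python
import json
import os
import tempfile
from datetime import datetime, timezone

# Severities that block a release under the policy on this page.
BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}

# Constructed Trivy report. Shape follows `trivy image --format json`:
# a top-level "Results" list whose entries carry "Vulnerabilities".
# The CVE identifiers are placeholders, not real advisories.
TRIVY_REPORT = {
    "ArtifactName": "example.invalid/app:constructed",
    "Results": [
        {
            "Target": "example.invalid/app:constructed (alpine)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "app/go.sum",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-PLACEHOLDER-0003", "PkgName": "example.invalid/pkg",
                 "InstalledVersion": "0.1.0", "FixedVersion": "0.2.0", "Severity": "HIGH"},
            ],
        },
    ],
}

# Constructed Checkov report. Shape follows `checkov -o json`: a "results"
# object with "failed_checks". Check ids and names are placeholders.
# Open-source Checkov often reports severity as null; see must_fix_checks below.
CHECKOV_REPORT = {
    "check_type": "dockerfile",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {"check_id": "CKV_EXAMPLE_001", "check_name": "Constructed: container runs as root",
             "severity": "HIGH", "file_path": "/Dockerfile", "resource": "/Dockerfile."},
            {"check_id": "CKV_EXAMPLE_002", "check_name": "Constructed: no HEALTHCHECK instruction",
             "severity": None, "file_path": "/Dockerfile", "resource": "/Dockerfile."},
        ],
    },
}


def _trivy_findings(report):
    """Flatten a Trivy JSON report into one dict per vulnerability."""
    out = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key may be absent or null
            out.append({
                "tool": "trivy",
                "id": vuln.get("VulnerabilityID", "?"),
                "severity": (vuln.get("Severity") or "UNKNOWN").upper(),
                "location": f"{result.get('Target')} {vuln.get('PkgName')}@{vuln.get('InstalledVersion')}",
                "fix": vuln.get("FixedVersion") or "no fix available",
            })
    return out


def _checkov_findings(report, must_fix_checks):
    """Flatten a Checkov JSON report (a dict, or a list of dicts when several
    frameworks were scanned) into one dict per failed check. Checks listed in
    must_fix_checks are treated as HIGH even when Checkov reports no severity
    (assumed team convention, not a Checkov feature)."""
    sections = report if isinstance(report, list) else [report]
    out = []
    for section in sections:
        for check in section.get("results", {}).get("failed_checks", []):
            severity = (check.get("severity") or "UNKNOWN").upper()
            if check.get("check_id") in must_fix_checks:
                severity = "HIGH"
            out.append({
                "tool": "checkov",
                "id": check.get("check_id", "?"),
                "severity": severity,
                "location": f"{check.get('file_path')} {check.get('resource')}",
                "fix": check.get("check_name", ""),
            })
    return out


def blocking_findings(trivy_report, checkov_report, must_fix_checks=frozenset()):
    """Return only the findings that block a release."""
    findings = _trivy_findings(trivy_report) + _checkov_findings(checkov_report, must_fix_checks)
    return [f for f in findings if f["severity"] in BLOCKING_SEVERITIES]


def release_gate(trivy_report, checkov_report, must_fix_checks=frozenset()):
    """Return (release_allowed, blocking_findings)."""
    blocking = blocking_findings(trivy_report, checkov_report, must_fix_checks)
    return len(blocking) == 0, blocking


def archive_reports(reports, archive_dir, release_tag):
    """Write each raw report to <archive_dir>/<tag>-<utc stamp>/<tool>.json and
    return the written paths. The full reports are archived, not only the
    blocking findings, so lower-severity results remain auditable."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    target = os.path.join(archive_dir, f"{release_tag}-{stamp}")
    os.makedirs(target, exist_ok=True)
    paths = []
    for tool, report in reports.items():
        path = os.path.join(target, f"{tool}.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(report, fh, indent=2, sort_keys=True)
        paths.append(path)
    return paths


if __name__ == "__main__":
    allowed, found = release_gate(TRIVY_REPORT, CHECKOV_REPORT)
    for f in found:
        print(f"[{f['tool']}] {f['severity']:8} {f['id']} at {f['location']} (fix: {f['fix']})")
    paths = archive_reports({"trivy": TRIVY_REPORT, "checkov": CHECKOV_REPORT},
                            tempfile.mkdtemp(), "vEXAMPLE")
    print("archived:", *paths, sep="\n  ")
    print("release allowed:", allowed)
```

In a real pipeline the reports would come from `trivy image --format json --output trivy.json <image>` and `checkov -d <iac-dir> -o json > checkov.json`; the gate deliberately filters severities itself rather than passing `--severity HIGH,CRITICAL` to Trivy, so that the archived artifact is the full scan result the policy calls for.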
Improve and invest in our product's security
We're always happy for teams to request a security review. Besides directly looking at code to improve our security, we also:
- Keep growing our security team to expand, develop and mature the security program
- Embed new security practices to improve our secure SDLC
- Continue improving our internal security training for developers
- Have a security ambassador program where a security engineer is involved in the early stages of the design of new features to give input and help identify potential weaknesses of the product