Security Onboarding
Welcome to the Security Team
Congrats on taking your first steps towards a new chapter in your cybersecurity career! Our team is here to support and guide you on this journey, so never hesitate to reach out in the team Slack channel #security-internal.
Below you'll find the steps to get your local development environment set up, install the common tools, and request access.
Useful Slack Channels
Sourcegraph as a whole uses Slack heavily for daily communication, and our team also keeps a journal to document work progress each week. Here are some recommended channels to join to make sure you're kept in the loop.
- #security - Our public channel where other teams can contact us with questions and support requests.
- #security-internal - Our team's "private" channel (all channels are visible to everyone) where we collaborate asynchronously, share interesting news and the occasional meme, or just say hello.
- #security-monitoring - This is where our automated monitoring alerts are posted.
- #security-terraform - Our infrastructure is managed using Terraform, and notifications regarding changes to security-related infrastructure go here.
- #incidents - This is where product incidents are posted. A useful channel if you get engaged for an incident and need context.
GitHub Setup
If you haven't been given access to Sourcegraph's organization on GitHub yet, reach out to #it-tech-ops on Slack and provide your GitHub username.
We are an all-remote company and favor asynchronous communication, so it is important to configure your GitHub notifications correctly: you want to receive and read the notifications that matter (someone comments on one of your PRs, someone adds you as a reviewer on a PR) without being overwhelmed by notifications that don't involve you.
Other Access
Ensure you have access to the following services. If not, request access via the listed channel or route:
- Buildkite - Our CI (Continuous Integration) pipelines host.
  - Self-serve via Google auth.
- Cloudflare - Our CDN / WAF / DNS provider.
  - Ask in #security, or reach out in #security-internal.
- GCP (Google Cloud Platform) - Where our cloud infrastructure lives.
- Google Workspace investigation tool
- OpsGenie
- Security Team 1Password shared vault - Where we store credentials used by the team.
- HackerOne - Used for bug bounty management.
Sourcegraph - Local Environment Setup
It's much easier to test and debug code locally. Follow the guide below to get Sourcegraph up and running!
- SG local setup. If you encounter any issues, ask for help in #dev-chat and then update the documentation to reflect the resolution, so the next engineer we hire doesn't run into the same problem.
Sourcegraph - Browser Search Engine
Our browser extension has a handy search shortcut that lets you quickly search using Sourcegraph. This can be a life saver when you need to find something fast!
Our private code repositories can only be searched using our internal dev instance of Sourcegraph (dogfood), so adding a second shortcut is recommended.
- To search our private code, log in to our internal dogfood instance (k8s.sgdev.org) and add another entry: https://k8s.sgdev.org/search?q=%s
Tools Setup
- Set up the Google Cloud CLI tool (gcloud) and authenticate.
  - Required for Terraform and kubectl.
- Set up Terraform.
  - Terraform is our infrastructure-as-code tool, which we use to modify our environments.
- Connect to dogfood with kubectl.
  - For prod and other clusters it's just a matter of adding the other kubeconfigs.
- Download and set up Burp Suite Community Edition on your laptop.
  - You can use this Burp project, which is already configured for Sourcegraph.
  - Try to capture some traffic from your local Sourcegraph instance, such as logging in.
Training
Go
Sourcegraph is built primarily in Go. If you are unfamiliar with Go, it's definitely worth spending some time here to make sure you understand the basics. Go's syntax resembles C in places, but it has its own idioms, and instead of traditional OS threads it provides goroutines, lightweight concurrent functions scheduled by the Go runtime. Take your time and step through the tutorials below:
Onboarding Tasks
Alright! Time to get our hands dirty. Work through and complete the onboarding tasks below. You are not expected to master these on your first run through, so please reach out to the team if you'd like someone to pair with for support.
Explore the Product
The more familiar you are with Sourcegraph and its components the better! Spend some time code surfing and try to step through a particular feature or component.
- Run some sample searches with help from our product documentation.
- Run a Batch Change to update multiple repos at once!
Buildkite
Explore our Continuous Integration (CI) platform, Buildkite. There's no need to deep dive into the documentation, but understanding the basics at a high level and familiarizing yourself with how we use it is recommended.
Secret Rotation
It's a common ask of the Security team to rotate, or help rotate, production secrets. We have extensive documentation about Secret Management at Sourcegraph. Don't worry about how to create new secrets unless you're interested in the setup. For now, focus on the Rotating Secrets and Secret Types sections.
The goal is rotating two production secrets. You can choose any in these categories:
- A secret in the sourcegraph.com site-config: Sourcegraph instances may contain secrets such as OAuth credentials in the site-config file. Choose one secret from dotcom's site-config and rotate it. Hint: avoid the GitLab OAuth credentials; go for the GitHub OAuth or SMTP credentials.
- Any secret in our production pods or CI: Besides site-config, it's important to know how to rotate secrets that we use as environment variables in our pods. Look for any secrets that you think are a good idea to rotate in the deploy-sourcegraph-dotcom or infrastructure repositories. This search can serve as a starting point for finding secrets to rotate.
Note: This requires having completed the setup part of your Security onboarding. Dig through our code, GCP, 1Password and, especially, the Secret Management doc.
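To make the site-config half of this task concrete, here is an added example (written for this page, not code from the Sourcegraph repositories) that loads a site-config JSON document, lists the keys whose names look like credentials, replaces one of them, and then checks that the old value no longer appears anywhere in the serialized config. That last check is the step people skip and the one that matters. The sample config, the key-name heuristic, and the JSON-pointer style paths ("/email.smtp/password") are all assumptions of the example; real site-config keys such as "auth.providers" contain dots, which is why the paths are slash-separated rather than dotted.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// sampleSiteConfig is a constructed site-config for this example only; it is
// not a real Sourcegraph configuration and the values are placeholders.
const sampleSiteConfig = `{
  "externalURL": "https://sourcegraph.example.com",
  "auth.providers": [
    {"type": "builtin", "allowSignup": false},
    {"type": "github", "url": "https://github.com",
     "clientID": "Iv1.example", "clientSecret": "old-github-client-secret"}
  ],
  "email.smtp": {"host": "smtp.example.com", "username": "mailer",
                 "password": "old-smtp-password"}
}`

// secretKey is an assumed heuristic for key names that hold credentials.
var secretKey = regexp.MustCompile(`(?i)(secret|password|token|key)$`)

// FindSecrets returns slash-separated paths of every string-valued key whose
// name looks like a credential, sorted so the output is stable.
func FindSecrets(v interface{}) []string {
	var out []string
	walk(v, "", &out)
	sort.Strings(out)
	return out
}

func walk(v interface{}, path string, out *[]string) {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, c := range t {
			p := path + "/" + k
			if _, isStr := c.(string); isStr && secretKey.MatchString(k) {
				*out = append(*out, p)
				continue
			}
			walk(c, p, out)
		}
	case []interface{}:
		for i, c := range t {
			walk(c, path+"/"+strconv.Itoa(i), out)
		}
	}
}

// child descends one path segment into a JSON object or array.
func child(v interface{}, seg string) (interface{}, error) {
	switch t := v.(type) {
	case map[string]interface{}:
		if c, ok := t[seg]; ok {
			return c, nil
		}
		return nil, fmt.Errorf("no key %q", seg)
	case []interface{}:
		if i, err := strconv.Atoi(seg); err == nil && i >= 0 && i < len(t) {
			return t[i], nil
		}
		return nil, fmt.Errorf("bad index %q", seg)
	}
	return nil, fmt.Errorf("cannot descend into %q", seg)
}

// Rotate replaces the string at path with newValue and returns the old value
// so the caller can verify afterwards that it is gone.
func Rotate(root interface{}, path, newValue string) (string, error) {
	segs := strings.Split(strings.TrimPrefix(path, "/"), "/")
	parent := root
	for _, seg := range segs[:len(segs)-1] {
		next, err := child(parent, seg)
		if err != nil {
			return "", fmt.Errorf("%s: %w", path, err)
		}
		parent = next
	}
	last := segs[len(segs)-1]
	cur, err := child(parent, last)
	if err != nil {
		return "", fmt.Errorf("%s: %w", path, err)
	}
	old, isStr := cur.(string)
	if !isStr {
		return "", fmt.Errorf("%s is not a string", path)
	}
	switch t := parent.(type) {
	case map[string]interface{}:
		t[last] = newValue
	case []interface{}:
		i, _ := strconv.Atoi(last) // already validated by child()
		t[i] = newValue
	}
	return old, nil
}

// StillPresent reports whether the old credential still appears anywhere in the
// serialized config, the check to run before declaring a rotation complete.
func StillPresent(root interface{}, old string) bool {
	b, _ := json.Marshal(root)
	return strings.Contains(string(b), old)
}

func main() {
	var cfg interface{}
	if err := json.Unmarshal([]byte(sampleSiteConfig), &cfg); err != nil {
		panic(err)
	}
	for _, p := range FindSecrets(cfg) {
		fmt.Println("rotation candidate:", p)
	}
	path := "/auth.providers/1/clientSecret"
	old, err := Rotate(cfg, path, "new-github-client-secret")
	if err != nil {
		panic(err)
	}
	fmt.Printf("rotated %s; old value still present: %v\n", path, StillPresent(cfg, old))
}
```

In a real rotation the new value comes from the provider (a freshly generated GitHub OAuth client secret or SMTP password), the updated site-config is applied through the normal process, and the old credential is revoked at the provider only after the check above passes and the instance is confirmed working with the new one.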
Security Support Rotation
Skim through our support rotation page in the handbook. This is meant as a reference, so there's no need to memorize anything.
Resources:
- Docs.sourcegraph.com
- Secret Management Doc
- Security support rotation
- Sourcegraph demo video
Acceptance Criteria
- You are able to run Sourcegraph code locally with dev-private
- You are able to run tf plan on the sourcegraph/infrastructure repository
- You are able to kubectl into our clusters
- You have Burp Suite set up on your local machine
- You have installed the OpsGenie app on your phone