# You asked, and our Red Team answered

We held a public ask me anything with our Red Team. Here’s what people asked.

By Heather Simpson, 2021-01-29

> ["Transparency is only a value if you do it when it is hard"](https://handbook.gitlab.com/handbook/values/#transparency-is-only-a-value-if-you-do-it-when-it-is-hard) 👁

That's one of the lines that has stuck with me from my GitLab Inc.
onboarding nearly 2 years ago. You know where practicing transparency is
typically "hard"?

**Security.**

Thankfully, I can honestly say that I work on a Security team that not only
pushes the transparency boundaries in the industry, but also within GitLab
itself.
Take our [Red Team](https://handbook.gitlab.com/handbook/security/security-operations/red-team/):
they’ve put out a whole public project called
[Tech Notes](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-tech-notes)
which contains deep dives on some of the challenges and vulnerabilities
they’ve encountered in their work. They also just held their first-ever,
live and public
[AMA/Ask Me Anything](https://handbook.gitlab.com/handbook/communication/ask-me-anything/#purpose) on January 26,
2021 and responded to over a dozen questions about the work that they do and
how they go about doing it here at GitLab. If you joined us, thank you! If
you missed it, check out the replay below. We’d love to hear from you on
whether you’d like to see an event like this in the future with our Red Team
(or [another group within Security](https://handbook.gitlab.com/handbook/security/#security-department)) -- just drop a comment
below, tweet/DM one of us on Twitter or message
[GitLab Red Team email](mailto:redteam@gitlab.com).

<figure class="video_container">
  <iframe src="https://www.youtube.com/embed/FCu7MiRX5Lw" frameborder="0" allowfullscreen="true"> </iframe>
</figure>

## Who’s on the team

![GitLab Red Team](https://about.gitlab.com/images/blogimages/gl-red-team.png)

## Here’s what you asked

#### Considering you're a full remote company, persistence on endpoints is still relevant in your activity or hunting tokens or credentials make more sense?
Some Cloud services do not
require you to reach them with VPN, so SSO tokens or credentials can be
enough in some cases to reach sensitive information.

**Note:** Added for clarity: “endpoint” refers to laptops and mobile
devices.

**Steve Manzuik**: I think the security of our endpoints is still very
important but you are right about SSO tokens / auth cookies being a bit
higher priority for us. This is why Greg spent some time creating tooling,
[gitrob](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gitrob)
and [token hunter](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/token-hunter),
around finding secrets that get accidentally leaked in code. In addition,
many of the other scenarios we have tested have been focused on obtaining
auth tokens or credentials.

**Greg Johnson**: You’re definitely making a good point about initial
access here. Early on, there weren’t very many options for tooling in terms
of hunting for the types of tokens you mentioned. We’ve put a lot of time
and iterations into improving our ability to find sensitive leaks quickly.
The tools that Steve mentioned are constantly being honed, changed, and
reimagined completely to improve our techniques and the accuracy of the
tools.

**Chris Moberly**: I have a bit of a non-technical, non-operation take on
this as well. We’re an internal Red Team, meaning that our “targets” are
often our colleagues and friends. These are people that we work with every
day. Just in terms of efficiency, it is important to gain and maintain trust
with them. For example, if we have a question about how a tricky bit of code
works, we can just pop into an internal development Slack room and ask. We
do this all the time, and our colleagues have been amazing at trusting our
positive intentions and helping us out.
But, even beyond efficiency, it
simply would make for an unpleasant work environment if our colleagues were
constantly worried about us trying to exploit their laptops. This is
especially true in an all-remote company where those laptops are inside
their homes and often double up as personal machines. Because of this, I
really prefer emulating endpoint exploitation and persistence; either with a
dummy device or a willing target who is 100% aware of what is going on. This
is where the concept of an “assumed breach” can also come into play. We need
to understand the threat model for an endpoint compromise, demonstrate the
extraction of credentials, cookies, etc that would exist there, and then
move on to attacking the cloud services as others have mentioned above. I
think a bit of persistence emulation would be good for testing the efficacy
of endpoint management tools: like, can we keep an implant running on a
standard endpoint build for the duration of an operation without triggering
alerts? If so, what can be fixed to get those alerts happening sooner?

#### To evaluate an insider threat, do you consider to run exercises from authorized users? I mean, run an exercise to simulate a legit change in your system but with some malicious effects? For eg. spin-up a new web service or whatever with some backdoors in order to be able to keep access?

**Steve Manzuik**: Yes, we also run exercises that we call “assumed
compromise scenarios” which fall in line with this exact question. The
high-level premise is focused on what happens once an attacker gains access:
legitimate or otherwise.
Then we look at what that attacker may do, where
they may pivot, and what actions we can detect and alert on.

**Frederic Loudet**: As an example, we will start an operation from a shell
inside our infrastructure (on a VM or a container), assuming a rogue
internal user is starting from there or someone managed to compromise some
of our defenses and get this shell access.

**Greg Johnson**: We also model many of the ways an attacker may try to
achieve persistence with these operations.

#### When conducting adversarial simulation and/or exploratory penetration testing operations, what systems / platforms do you use to store, collaborate on, and manage testing related intelligence (execution times, commands, findings, etc.)?

**Steve Manzuik**: We leverage our own product, GitLab, as well as a product
known as [Vectr](https://vectr.io/) that helps us map our attacks and
related detection/response.

**Chris Moberly**: We also leverage our own self-managed GitLab instance to
make TTPs (Tactics, Techniques, and Procedures) automated and repeatable.
This is done by hosting our custom attack tooling in projects and writing CI
jobs that run them on demand and/or at scheduled intervals. We have one tool
that builds and executes in CI and outputs the results onto a
[GitLab Pages](https://docs.gitlab.com/ee/user/project/pages/) site that requires
multi-factor authorization to access; which is a pretty cool usage of our
available tools. Just to echo Steve’s mention of Vectr - that tool is
awesome, I highly recommend checking it out.
And if you want to brainstorm
creative ways to use GitLab for tracking the operational bits, you can type
“GitLab for project management” into your favorite search engine to find
some cool blogs and videos on the topic.

#### How do you promote collaborations between your team and other security / application groups within your organization? What sort of collaborative operations does your team work on?

**Steve Manzuik**: This is an area where our Red Team is a bit different
than a traditional one. We try to be as transparent and open about our
operations as possible. There are of course always going to be cases where
we need to be stealthy and share less but we attempt to limit those as much
as possible. Typically, when we are performing an operation we will pull in
a resource from impacted teams to at least be aware of what we are doing. So
for example, we recently worked on an operation focusing on our development
processes and had resources from our
[AppSec team](https://handbook.gitlab.com/handbook/security/security-engineering/application-security/) working
directly with us and helping us with ideas and knowledge. Same goes when we
are touching infrastructure things -- we will involve someone from the
infrastructure team.

**Fred Loudet**: As another collaboration example, on some operations, we
will create a dedicated chat channel and invite team members (infrastructure
or others depending on the operation) so they can follow the operation
“live” as we try to comment on what we do/what we find. It works really
well, we even get ideas from those other members.
They see we are not hiding
anything from them and not doing it to make them look bad (ok, we may
refrain from saying “yoohoo” if we manage to gain something good!).

#### How do you break the stigma of ‘red teamers are here to attack us’ within your organization? How do you promote an environment of trust when certain teams may go into collaborations/operations with the mindset of ‘these people are going to tell me my baby is ugly’?

**Steve Manzuik**: This is why we try to be as transparent as possible when
we are planning our operations. Before we even start work, we document the
general test plan and goals and then typically meet with stakeholders to
ensure that they are on the same page. It also helps that our Red Team is
experienced enough to be able to deliver bad news without attaching ego or
judgement to it as well. We make sure that everyone knows that we are here
to help vs. just here to judge their technical work.

**Fred Loudet**: As Steve says, we are lucky GitLab is pushing
“transparency”, so it makes everyone more open to reviews and remarks from
various teams. As mentioned in question 4, when it makes sense, we really
try to involve the “targeted” teams fully into the operation, including if
possible within the execution phase. And so far it works well, everyone sees
what could be seen as “bad news” as “opportunities to improve” (It also
helps GitLab promote the “right to make mistakes and learn from them”).

**Greg Johnson**: There is a very human aspect to red teaming you can’t
ignore. Building trust with people is in essence a very simple formula. We
try to make sure that the people we interact with expect a positive
experience through the planning and preparation steps that Steve and Fred
mentioned, first and foremost.
We also do our best to make sure that this
expectation of a positive experience is met in the end through all phases of
the operation including remediation so there are as few gaps as possible
between the positive experience people expect and what they actually get.

#### When planning an adversarial simulation operation, do you try to mimic the TTP usage patterns of known actors or do you tailor TTP usage to your organization?

**Steve Manzuik**: Both. We leverage MITRE’s ATT&CK framework where we can,
but have also had to adjust to some more cloud specific TTPs that are not
well documented in ATT&CK. From our perspective, both leveraging the known
TTPs as well as being crafty and coming up with our own are both very
important to help raise the security bar.

**Greg Johnson**: In the end, we don’t limit our creativity, but we do make
an effort to try to mimic attacks that leverage known vectors as often as we
can. We draw from a lot of different sources to inspire our operations as
legitimate attackers will do the same.

**Chris Moberly**: To add to Steve’s point, ATT&CK is organized by Tactics,
which are high level things like “Initial Access” or “Persistence” and then
Techniques, which are very specific things like “create a systemd service”
or “abuse set-uid binary”. The Tactics are a really solid foundation for
pretty much everything we do, and we try to use those wherever we can. For
the Techniques, though, MITRE prefers to include only items that have been
discovered in the wild and have some level of attribution. That makes sense
for the framework, but at GitLab we’re working with an environment that is
quite modern (no physical networks, no Active Directory, etc).
We need to be
a bit ahead of the curve in terms of developing our own techniques: because
we know they will work, and we want to be able to detect and respond to them
now. So, we put in some serious time researching possible post-exploitation
techniques for the various environments we use. We try to write about those
things publicly in our
[Tech Notes](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-tech-notes),
as well, so that others can use them. Personally, I find this one of the
more “fun” parts of the job.

I think we’ll probably also take a look at replaying known attacks that hit
major news headlines. One of the primary goals of security is to basically
stay out of the news, so we can look at things like the recent drama with
SolarWinds and say “how did it happen to them, could it happen to us, and
what would happen if it did?”. That type of operation would look much more
closely emulating the known tactics of known actors.

_**Follow up question**: Are any of those cloud TTPs that aren't tracked in
MITRE ATT&CK published outside of vectr or where the public can access
them?_

**Steve Manzuik**: This is something that we need to take a look at and
if/when we do, we’d be publishing them in our
[Tech Notes](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-tech-notes).

**Chris Moberly**: Some of these are already published there, in a blog-like
format, but we could certainly produce more ATT&CK-like formatting if there
is an appetite for it. If so, let us know!
[redteam@gitlab.com](mailto:redteam@gitlab.com)

#### What exceptional/unusual skills do you have in your Red Team and how diverse is the skillset across the team?

**Steve Manzuik**: I don’t know if we have any “unusual skillsets” that
relate directly to our work.
But our team has a variety of experiences and
skills across all the security domains. Something that I know I look for
when we are bringing in new team members is the ability to learn quickly.
The fun but also hard part of our job is that things are always changing and
there is always something new for us to quickly learn.

**Greg Johnson**: I will say that our skill sets seem to complement each
other very well. We each have areas of strengths and weaknesses. Usually
if I have a knowledge gap I can fill it on the immediate team I work with.

**Fred Loudet**: There are however some “traditional” skillsets that are not
useful at all here 😄! Anything Active Directory/Microsoft related is
“useless”, same for “physical office” related skills like wireless or
breaking into buildings. Our core skills basically revolve around
coding/web/cloud computing.

**Chris Moberly**: I would say I’m probably the best on the team at writing
low-quality code lacking in any tests. :)

**Fred Loudet**: I am pretty certain I write crappier code!

**Greg Johnson**: We’ll see about that!

_**Note:** in our Jan 26 live AMA we ran out of time before being able to
answer all the great questions we received. We’ll answer them below!_

#### Does any of your testing focus on product security? (e.g. Testing if using GitLab would make a good c2 channel)?

**Steve Manzuik**: Yes, in a lot of cases our exercises will either use
functionality of our product or will be directly against the product.
That
said, we do stay away from doing appsec type testing which would overlap
with what both our [Bug Bounty](https://hackerone.com/gitlab) and AppSec
team focus on.

**Chris Moberly**: Ha! I love this question as it starts out pretty basic
and then drops a really interesting bombshell at the end there. To start
with the basic part, of course leveraging new or known bugs in a core
product is always useful for a Red Team, so we definitely do that. But,
personally, I find that the way a product is customized tends to be what
introduces the most risk. So we look at the various dials people can turn,
and how that could potentially provide an entry point into a system. Mark
Loveless wrote a great blog recently about
[making sure your self-managed GitLab instance is secure](/blog/gitlab-instance-security-best-practices/), that one
is worth a read.

_Note from Mark: also see [this project](https://gitlab.com/gitlab-com/gl-security/security-research/gitlab-standalone-instance)_.

**Chris Moberly**: On to your next point. To start with, please do not try
to use gitlab.com as a covert C2 channel. I'd have to read through the terms
to find how many that breaks, but I imagine a few. I will say, GitLab can be
self-managed, and there are some amazing things you can do with CI jobs and
the "GitLab Runner" agent.

**Greg Johnson**: GitLab is used in very creative ways to manage all kinds
of projects and while we don’t want to discourage creative uses, we also
don’t want it to impact other users etc. We look at abuse scenarios as well
to help us improve our detection capabilities and defenses.

#### How do you address conflict in your team?
Is it something that’s encouraged and if you have a diverse set of
skills then differences in opinion stand to exist correct?

**Chris Moberly**: I think we often have different ideas on how to approach
things, but personally I've never felt that tread into the territory of
"conflict". Because we are a small team (1x manager, 3x engineers) that is
spread across time zones, we do a lot of work asynchronously. I think this
setup actually has some built-in ways to work through differences in
opinion. For example, instead of just bouncing ideas back and forth at the
beginning of a project, we'll often take the time to come up with an initial
proof-of-concept for an idea before sharing. If someone has a different take
on it, it might take too long to simply say "I think we should do x
instead", as we'd have to cycle through a day or two to get everyone to
chime in. So, instead, that person will also come up with a proof-of-concept
(PoC) for their idea. At this point, we have several working methods to
compare and choose from - or, often we will discover while working on a new
PoC that maybe the original idea was best after all.

**Fred Loudet**: On top of what Chris said, there is also the human factor
and I think we are lucky no one in the team is particularly stubborn or has
a strong ego 😉! I don’t recall that we’ve had real “conflicts”, just
different ideas but so far (crossing fingers!), we’ve managed to discuss in
a non-conflicting manner and chose what looked like the best solution to all
of us.
The GitLab handbook even has a section regarding
[conflict](https://handbook.gitlab.com/handbook/leadership/managing-conflict/).

#### In terms of the make-up of your team, is diversity in gender, background and race something that’s important and a factor in your team when considering the candidates, or do you find yourself picking from the same pool of candidates?

**Steve Manzuik**: One of the advantages of GitLab being an all remote
company is the fact that we can literally hire a candidate from anywhere in
the world. Having this huge talent pool to pick from means that we can
absolutely focus on diversity for our teams. Today, as you may have noticed
from the AMA, our team is not all that diverse when it comes to gender and
race. However, we do have a diverse set of experiences to bring to the
table. We of course want to become much more diverse in all of the other
areas and will consider these factors as we grow the team. In addition, it’s
worth checking out this blog post,
[“What it's like to work in Security at GitLab”](https://about.gitlab.com/blog/whats-it-like-to-work-security-at-gitlab/)
from [Heather Simpson](https://gitlab.com/heather) on our security team that
highlights other team members across security and our efforts to build a
diverse team.

#### Does GitLab as a company and overall executive management, understand the value the Red Team brings to the success of the company and how do you communicate the impact/successes of your Red Team activities?
In some organisations, the security team is
considered a cost to the business and a necessary evil but that’s about it.

**Steve Manzuik**: In almost an overwhelming way our executives are always
very interested in what our Red Team is up to. We find ourselves to be very
lucky to have the support from my direct manager, his manager and then our
executive team all the way up to our CEO. I think for GitLab it helps that
everyone in that chain is technical and understands not only the value that
we can bring but also that we can help reduce risk. That doesn’t mean that
we have free rein though, we always make sure that we communicate what we
want to do and why we want to do it. Before any exercise begins we have
already built a skeleton methodology / approach and defined what it is that
we are trying to accomplish and why that matters to the company. When we hit
roadblocks or snags we are quick to communicate those as well. GitLab’s
[value of transparency](https://handbook.gitlab.com/handbook/values/#transparency) really helps us out
here a lot.

#### With regards to career growth, how supportive has GitLab been to the different members on the team and the different career paths they want to take which may be non-traditional?

**Chris Moberly**: GitLab has a great
[handbook entry on career growth](https://handbook.gitlab.com/handbook/people-group/learning-and-development/career-development/),
it's worth a read. One of the things I really like about GitLab is that the
desire to remain technical doesn't result in an early career dead-end. For
starters, there are individual-contributor roles beyond "Senior" that allow
one to continue progressing without taking on a management position.
Next,
there is a HUGE focus on taking time for learning and development; I try to
spend most Fridays focused on taking online courses, reading books, and
doing research that could be leveraged by the team. Beyond that, every other
group at GitLab is always extremely helpful when it comes to knowledge
sharing. So, I make sure to spend time with our friends on the Blue Team
([SIRT](https://handbook.gitlab.com/handbook/security/#sirt))
Started",{"href":417,"dataGaName":418,"dataGaLocation":405},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com/compare/gitlab-vs-github/","get started",{"freeTrial":420,"mobileIcon":425,"desktopIcon":427},{"text":421,"config":422},"Learn more about GitLab Duo",{"href":423,"dataGaName":424,"dataGaLocation":405},"/gitlab-duo/","gitlab duo",{"altText":407,"config":426},{"src":409,"dataGaName":410,"dataGaLocation":405},{"altText":407,"config":428},{"src":413,"dataGaName":410,"dataGaLocation":405},{"freeTrial":430,"mobileIcon":435,"desktopIcon":437},{"text":431,"config":432},"Back to pricing",{"href":187,"dataGaName":433,"dataGaLocation":405,"icon":434},"back to pricing","GoBack",{"altText":407,"config":436},{"src":409,"dataGaName":410,"dataGaLocation":405},{"altText":407,"config":438},{"src":413,"dataGaName":410,"dataGaLocation":405},{"title":440,"button":441,"config":446},"See how agentic AI transforms software delivery",{"text":442,"config":443},"Watch GitLab Transcend now",{"href":444,"dataGaName":445,"dataGaLocation":45},"/events/transcend/virtual/","transcend event",{"layout":447,"icon":448},"release","AiStar",{"data":450},{"text":451,"source":452,"edit":458,"contribute":463,"config":468,"items":473,"minimal":680},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":453,"config":454},"View page source",{"href":455,"dataGaName":456,"dataGaLocation":457},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":459,"config":460},"Edit this page",{"href":461,"dataGaName":462,"dataGaLocation":457},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":464,"config":465},"Please contribute",{"href":466,"dataGaName":467,"dataGaLocation":457},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please 
contribute",{"twitter":469,"facebook":470,"youtube":471,"linkedin":472},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[474,521,575,619,646],{"title":185,"links":475,"subMenu":490},[476,480,485],{"text":477,"config":478},"View plans",{"href":187,"dataGaName":479,"dataGaLocation":457},"view plans",{"text":481,"config":482},"Why Premium?",{"href":483,"dataGaName":484,"dataGaLocation":457},"/pricing/premium/","why premium",{"text":486,"config":487},"Why Ultimate?",{"href":488,"dataGaName":489,"dataGaLocation":457},"/pricing/ultimate/","why ultimate",[491],{"title":492,"links":493},"Contact Us",[494,497,499,501,506,511,516],{"text":495,"config":496},"Contact sales",{"href":54,"dataGaName":55,"dataGaLocation":457},{"text":360,"config":498},{"href":362,"dataGaName":363,"dataGaLocation":457},{"text":365,"config":500},{"href":367,"dataGaName":368,"dataGaLocation":457},{"text":502,"config":503},"Status",{"href":504,"dataGaName":505,"dataGaLocation":457},"https://status.gitlab.com/","status",{"text":507,"config":508},"Terms of use",{"href":509,"dataGaName":510,"dataGaLocation":457},"/terms/","terms of use",{"text":512,"config":513},"Privacy statement",{"href":514,"dataGaName":515,"dataGaLocation":457},"/privacy/","privacy statement",{"text":517,"config":518},"Cookie preferences",{"dataGaName":519,"dataGaLocation":457,"id":520,"isOneTrustButton":28},"cookie preferences","ot-sdk-btn",{"title":90,"links":522,"subMenu":531},[523,527],{"text":524,"config":525},"DevSecOps platform",{"href":72,"dataGaName":526,"dataGaLocation":457},"devsecops platform",{"text":528,"config":529},"AI-Assisted Development",{"href":423,"dataGaName":530,"dataGaLocation":457},"ai-assisted 
development",[532],{"title":533,"links":534},"Topics",[535,540,545,550,555,560,565,570],{"text":536,"config":537},"CICD",{"href":538,"dataGaName":539,"dataGaLocation":457},"/topics/ci-cd/","cicd",{"text":541,"config":542},"GitOps",{"href":543,"dataGaName":544,"dataGaLocation":457},"/topics/gitops/","gitops",{"text":546,"config":547},"DevOps",{"href":548,"dataGaName":549,"dataGaLocation":457},"/topics/devops/","devops",{"text":551,"config":552},"Version Control",{"href":553,"dataGaName":554,"dataGaLocation":457},"/topics/version-control/","version control",{"text":556,"config":557},"DevSecOps",{"href":558,"dataGaName":559,"dataGaLocation":457},"/topics/devsecops/","devsecops",{"text":561,"config":562},"Cloud Native",{"href":563,"dataGaName":564,"dataGaLocation":457},"/topics/cloud-native/","cloud native",{"text":566,"config":567},"AI for Coding",{"href":568,"dataGaName":569,"dataGaLocation":457},"/topics/devops/ai-for-coding/","ai for coding",{"text":571,"config":572},"Agentic AI",{"href":573,"dataGaName":574,"dataGaLocation":457},"/topics/agentic-ai/","agentic ai",{"title":576,"links":577},"Solutions",[578,580,582,587,591,594,598,601,603,606,609,614],{"text":132,"config":579},{"href":127,"dataGaName":132,"dataGaLocation":457},{"text":121,"config":581},{"href":104,"dataGaName":105,"dataGaLocation":457},{"text":583,"config":584},"Agile development",{"href":585,"dataGaName":586,"dataGaLocation":457},"/solutions/agile-delivery/","agile delivery",{"text":588,"config":589},"SCM",{"href":117,"dataGaName":590,"dataGaLocation":457},"source code management",{"text":536,"config":592},{"href":110,"dataGaName":593,"dataGaLocation":457},"continuous integration & delivery",{"text":595,"config":596},"Value stream management",{"href":160,"dataGaName":597,"dataGaLocation":457},"value stream 
management",{"text":541,"config":599},{"href":600,"dataGaName":544,"dataGaLocation":457},"/solutions/gitops/",{"text":170,"config":602},{"href":172,"dataGaName":173,"dataGaLocation":457},{"text":604,"config":605},"Small business",{"href":177,"dataGaName":178,"dataGaLocation":457},{"text":607,"config":608},"Public sector",{"href":182,"dataGaName":183,"dataGaLocation":457},{"text":610,"config":611},"Education",{"href":612,"dataGaName":613,"dataGaLocation":457},"/solutions/education/","education",{"text":615,"config":616},"Financial services",{"href":617,"dataGaName":618,"dataGaLocation":457},"/solutions/finance/","financial services",{"title":190,"links":620},[621,623,625,627,630,632,634,636,638,640,642,644],{"text":202,"config":622},{"href":204,"dataGaName":205,"dataGaLocation":457},{"text":207,"config":624},{"href":209,"dataGaName":210,"dataGaLocation":457},{"text":212,"config":626},{"href":214,"dataGaName":215,"dataGaLocation":457},{"text":217,"config":628},{"href":219,"dataGaName":629,"dataGaLocation":457},"docs",{"text":240,"config":631},{"href":242,"dataGaName":243,"dataGaLocation":457},{"text":235,"config":633},{"href":237,"dataGaName":238,"dataGaLocation":457},{"text":245,"config":635},{"href":247,"dataGaName":248,"dataGaLocation":457},{"text":253,"config":637},{"href":255,"dataGaName":256,"dataGaLocation":457},{"text":258,"config":639},{"href":260,"dataGaName":261,"dataGaLocation":457},{"text":263,"config":641},{"href":265,"dataGaName":266,"dataGaLocation":457},{"text":268,"config":643},{"href":270,"dataGaName":271,"dataGaLocation":457},{"text":273,"config":645},{"href":275,"dataGaName":276,"dataGaLocation":457},{"title":291,"links":647},[648,650,652,654,656,658,660,664,669,671,673,675],{"text":298,"config":649},{"href":300,"dataGaName":293,"dataGaLocation":457},{"text":303,"config":651},{"href":305,"dataGaName":306,"dataGaLocation":457},{"text":311,"config":653},{"href":313,"dataGaName":314,"dataGaLocation":457},{"text":316,"config":655},{"href":318,"dataGaN
ame":319,"dataGaLocation":457},{"text":321,"config":657},{"href":323,"dataGaName":324,"dataGaLocation":457},{"text":326,"config":659},{"href":328,"dataGaName":329,"dataGaLocation":457},{"text":661,"config":662},"Sustainability",{"href":663,"dataGaName":661,"dataGaLocation":457},"/sustainability/",{"text":665,"config":666},"Diversity, inclusion and belonging (DIB)",{"href":667,"dataGaName":668,"dataGaLocation":457},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":331,"config":670},{"href":333,"dataGaName":334,"dataGaLocation":457},{"text":341,"config":672},{"href":343,"dataGaName":344,"dataGaLocation":457},{"text":346,"config":674},{"href":348,"dataGaName":349,"dataGaLocation":457},{"text":676,"config":677},"Modern Slavery Transparency Statement",{"href":678,"dataGaName":679,"dataGaLocation":457},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"items":681},[682,685,688],{"text":683,"config":684},"Terms",{"href":509,"dataGaName":510,"dataGaLocation":457},{"text":686,"config":687},"Cookies",{"dataGaName":519,"dataGaLocation":457,"id":520,"isOneTrustButton":28},{"text":689,"config":690},"Privacy",{"href":514,"dataGaName":515,"dataGaLocation":457},[692],{"id":693,"title":18,"body":8,"config":694,"content":696,"description":8,"extension":26,"meta":700,"navigation":28,"path":701,"seo":702,"stem":703,"__hash__":704},"blogAuthors/en-us/blog/authors/heather-simpson.yml",{"template":695},"BlogAuthor",{"name":18,"config":697},{"headshot":698,"ctfId":699},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1749659488/Blog/Author%20Headshots/gitlab-logo-extra-whitespace.png","hsimpson",{},"/en-us/blog/authors/heather-simpson",{},"en-us/blog/authors/heather-simpson","4CpsZWXsBE_aB4RLpF20WPoTR1QnmwDhrVLV8WUGGTk",[706,717,732],{"content":707,"config":715},{"title":708,"description":709,"authors":710,"heroImage":712,"date":713,"body":714,"category":9},"CEO Shadow 
Takeaways from Jacie","Recap of my experience in the CEO Shadow Program.",[711],"Jacie Bandur","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749664102/Blog/Hero%20Images/gitlab-values-cover.png","2021-05-18","\n\n{::options parse_block_html=\"true\" /}\n\n\nHi! I’m Jacie Bandur. I completed GitLab’s CEO Shadow program from 2021-04-26 through 2021-05-07. It was a really enlightening experience. I generally work in Learning and Development and consider myself a lifelong learner. I can’t even explain how much I learned in such a short amount of time. I learned a lot about the business. I learned a lot about the product. But I learned even more about the importance of iteration in everything we do.\n\n### Qualifications to Participate\n\nI wanted to start this off with touching on qualifications to participate in the program.\n\nI am the type of person that has gone through most of my life thinking I’m not qualified for things. I’m not qualified for that job, that promotion, that program. The list goes on and on.\n\nWhen I saw the [CEO Shadow program](/blog/ceo-shadow-impressions-takeaways/) kick off in 2019, I really wanted to participate. I was a little intimidated. Who wouldn’t be, spending 2 weeks with the CEO of any company? But time passed and all of a sudden it was 2021 and I had not taken any steps to participating in the program.\n\nIf you are sitting there waiting for someone to tell you that you are qualified to participate in this program, I’m not big on giving “pep talks,” but here’s me telling you - You are qualified for this program. There’s never going to be a good or perfect time to do it. Tell your manager you want to do the CEO Shadow program. Stop waiting. 
Sign up today.\n\nNote: Take a look at the [eligibility](https://handbook.gitlab.com/handbook/ceo/shadow/#eligibility) section of the CEO Shadow page for more information on signing up.\n\n### Pre-Program Tips\n\nThere are many things recommended for shadows to do pre-program outlined on the CEO Shadow handbook page. As I was going through the program there were things that I thought helped me (or would have helped me).\n\nHere are my top 6 recommendations:\n\n1. Make sure your team knows you will be unavailable for 2 weeks. This isn’t a program that can or should be done alongside your normal day to day work. I found catching up from the 2 weeks away kind of difficult because I was trying to keep up on what was going on and I had a bunch of half done things.\n1. Talk with people who have done the shadow program - schedule at least 3 coffee chats with CEO Shadow Alumni.\n1. Have food that is easy to eat quickly. Sid’s meetings are back to back most days, so you will have small amounts of time to eat throughout the day. Sid does eat during calls, which you are welcome to do, too, but if you are taking notes, it is difficult to eat. And this will make you realize why speedy meetings are so important!\n1. Listen to the [Executive Leadership LinkedIn Learning course](https://www.linkedin.com/learning/executive-leadership/).\n1. Be prepared to ask questions. When doing the program virtually, there isn’t a ton of time for asking questions, so when one would come up, I would add it to a note on my computer and ask if there was ever time with just the shadows and Sid.\n1. Take at least 1 day off after the program. Take even a couple of days off if you can! This is recommended on the handbook page, but I can’t stress this enough.\n\n\n### Takeaways\n\n**Group Conversations**\n\nI’ve been at GitLab for almost 4 years. When I joined, I made it a point to attend as many GC’s as I could. I had gotten out of the habit of attending Group Conversations. 
After attending them again for 2 weeks, I realized how important they are to understand better what is going on across the business. Everything in the organization is so intertwined. It’s helpful to understand what other teams are working on and succeeding in.\n\n**Feedback**\n\nWe should all be giving and receiving feedback often. We have a whole [handbook page on giving and receiving feedback](https://handbook.gitlab.com/handbook/people-group/guidance-on-feedback/). Read the handbook page and watch the videos, as well. Practice giving feedback. I recommend using the [1-1 agenda](https://handbook.gitlab.com/handbook/leadership/1-1/suggested-agenda-format/) Sid uses, because feedback is an essential piece of that agenda, and it makes feedback more of a routine thing.\n\n**Biggest Takeaway**\n\nWe have an incredible team here at GitLab, from Engineering to Product to Sales to People and all the groups in between. There are so many great ideas. I observed the constant reinforcement by Sid to start with something small and build on it. You can ALWAYS make something more complex. It’s hard to go back to something more simple when you start with something complex.\n\nA couple of quotes that I heard from Sid during the program that reinforced this point:\n\n- “Every complex system evolves from a simple system that worked.”\n- “It’s very clear what is the simple solution. We can always make it more complicated as we go on.”\n\nI know they are very similar, but they happened in different meetings on different days, so the point was reinforced repeatedly.\n\nDuring the program, I reflected on the projects that I’m working on. How many of them am I trying to do too much on before releasing? Probably all of them. When I’m working on projects in the future, I will break them down into smaller, more doable chunks. Iteration is hard - it’s a skill to be practicing constantly.\n\n\n### Overall\n\nOverall, the program was really insightful and impactful. 
If you haven’t participated in it yet, I cannot encourage you enough to do so!\n",{"slug":716,"featured":12,"template":13},"ceo-shadow-recap",{"content":718,"config":730},{"title":719,"description":720,"authors":721,"heroImage":723,"date":724,"body":725,"category":9,"tags":726},"Why I love contributing to GitLab","Making small meaningful changes is what it's all about.",[722],"Austin Regnery","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749679501/Blog/Hero%20Images/new-feature.png","2021-05-11","It was mid-morning on a Tuesday in February, and I had 10 minutes in between meetings. So I decided to try and solve a pain point of mine.\nYou see, I had to memorize this HTML snippet to create a collapsible section in GitLab Issue descriptions and comments, but I kept forgetting it. Was it `summary` or `section`? I could never remember.\n```html\n\u003Cdetails>\n\u003Csummary>Insert Title\u003C/summary>\nHidden content\n\u003C/details>\n```\nEven though it is not vanilla Markdown, GitLab knows how to interpret some HTML. I used this formatting trick fairly often since full-page screenshots can occupy a lot of screen space, which leads to excessive scrolling.\nSo I decided to poke around our codebase to see how the other Markdown shortcuts worked. To my surprise, it was pretty straightforward. Each shortcut had a simple text input that mapped to each button. This implementation was simple to replicate since I just needed to copy/paste and replace a few words.\n![Image of Vue and Haml files with editor shortcuts](https://about.gitlab.com/images/blogimages/why-i-love-contributing-to-gitlab/vue-haml.png){: .shadow}\nThe Vue and Haml files with the new shortcut\n\nI started a branch and began hacking away at the code. Now, I would never call myself a Software Engineer, but I like to try and make things from time to time. I was able to add a new shortcut to the toolbar to insert this code snippet for me in less than 10 minutes. No more memorizing! 
Making contributions like this is what makes working at GitLab so special.\nNow, it wasn't ready for production, but I at least had something that worked. I shared it with my UX colleagues in Slack, and it started to gain traction with several up-votes and a few constructive comments on how to make it better.\nWith the functionality fleshed out, a few other designers helped me get a better icon added to our SVG library. Using clear iconography is critical for communicating information more clearly.\n| Initial Icon | Final Icon |\n| - | - |\n| ![SVG of chevron right icon](https://about.gitlab.com/images/blogimages/why-i-love-contributing-to-gitlab/chevron-right.svg) | ![SVG of details block icon](https://about.gitlab.com/images/blogimages/why-i-love-contributing-to-gitlab/details-block.svg) |\n\nThe last thing to do was resolve my failing tests, and I had several teammates help me do that.\n![Gif of the shortcut being used](https://about.gitlab.com/images/blogimages/why-i-love-contributing-to-gitlab/demo.gif)\n\nToday [this change](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/54938) merged! Now I solved a pain point for me and others. It took a few months to go from idea to production, but the effort was super low. I'd say the return on my initial investment, 10 minutes, is super high.\n> Having a direct impact on a product was never an option for me before joining GitLab.\n\n![Image of participants in the Merge Request](https://about.gitlab.com/images/blogimages/why-i-love-contributing-to-gitlab/participants.png)\n\n\nThank you to everyone that helped me deploy this\n",[727,728,729],"UX","product","AWS",{"slug":731,"featured":12,"template":13},"why-i-love-contributing-to-gitlab",{"content":733,"config":745},{"title":734,"description":735,"authors":736,"heroImage":738,"date":724,"body":739,"category":9,"tags":740},"Placebo Lines on the Pipeline Graph","Have you noticed the connecting lines missing on your pipelines lately? 
Here's why",[737],"Sam Beckham","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749679507/Blog/Hero%20Images/ci-cd.png","\n\n{::options parse_block_html=\"true\" /}\n\n\n\nHave you ever pressed the close door button on the elevator, in the hope that you'll save a few precious seconds?\nOr got frustrated at the person stood next to you at the cross-walk, neglecting to press the button?\nWell, maybe they know something you don't, or perhaps you know this already.\nMany buttons in our society lie to us.\n[David McRaney](https://youarenotsosmart.com/2010/02/10/placebo-buttons/) dubbed these, \"Placebo buttons\" and they're everywhere.\nThose elevator doors won't close any faster and the cross-walk button has no effect on the lights.\nThe only lights they control are the lights on the buttons themselves.\nThey give you the feedback you crave, but that's all they're doing.\n\nThese placebos aren't constrained to the physical world, they're prevalent in [UI design](/blog/the-evolution-of-ux-at-gitlab/) too.\nFrom literal placebo buttons like [YouTube's downvote](https://www.quora.com/Does-downvoting-a-comment-on-YouTube-even-do-anything), to more subtle effects like Instagram always [pretending to work](https://www.fastcompany.com/1669788/the-3-white-lies-behind-instagrams-lightning-speed), or progress bars that have a [fixed animation](https://www.theatlantic.com/technology/archive/2017/02/why-some-apps-use-fake-progress-bars/517233/).\nThey're everywhere if you know where to look.\n\nAt GitLab, we created a placebo of our own in one of our core features; the pipeline graph.\n\nThose of you who have used our pipeline graph, will be familiar with its appearance.\nThere's a series of jobs, grouped by stages, connected by a series of lines depicting the relationships between the jobs.\nBut these lines might be lying to you.\nThese lines are indiscriminately drawn between each job in a stage, regardless of their relationship.\nThese lines are placebos.\n\n![The 
old pipeline rendering with lines connecting every job in a stage](https://about.gitlab.com/images/blogimages/placebo-lines_old-graph.png)\n\nThis wasn't a problem to begin with.\nA basic pipeline has several jobs across a handful of stages.\nJobs in each stage would run parallel to each other, but each stage would run sequentially.\nIn the image shown above, all the jobs in the test stage would trigger at the same time. Once those jobs had finished, all the jobs in the build stage would trigger.\nWe used rudimentary CSS to draw lines connecting each job in one stage to each job in the next.\nThese lines weren't calculated based on their connections, but still reflected the story they were telling.\n\nSince the introduction of `needs` relationships in [v12.2](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/47063), pipelines got a bit more complicated.\nNow you could configure a job in a later stage to trigger as soon as a job in an earlier stage completed.\nLooking at our old example, we could set the API deployment to run as soon as our spec tests passed.\nThis skips the remaining tests and the entire build stage, turning our lines into pretty little liars.\n\nWe had many internal discussions about these lines, and how to show the relationships between jobs.\nThere's the [`needs` visualization](https://docs.gitlab.com/ee/ci/directed_acyclic_graph/#needs-visualization), which does an excellent job of displaying these relationships, but the main pipeline graph was still inaccurate.\nFor the past few months, we've been [refactoring the pipeline graph](https://gitlab.com/gitlab-org/gitlab/-/issues/276949), giving it a new lease of life and fixing some of its issues along the way.\nOne of those issues was the faked lines.\nIn the new version, we can accurately draw lines between jobs.\nLines that actually depict the relationships jobs have with each other.\nNow the lines no longer lie!\n\n![The newer pipeline graph showing the correct needs links between 
jobs](https://about.gitlab.com/images/blogimages/placebo-lines_new-graph.png)\n\nThe above image shows an unreleased version of the pipeline graph.\nYou can see the lines drawn between the jobs to show that the `deploy:API` job can start as soon as the `rspec` job is successful.\nSomething the old lines (shown earlier in this post) would have been unable to depict.\n\nOne unfortunate downside of this is that these lines can be quite expensive to calculate.\nThey're actual DOM nodes, drawn deliberately and placed precisely.\nOn smaller graphs this isn't a problem, but some of our initial tests have found pipelines with a potential 8000+ job connections.\nThat kind of calculation would grind the browser to a halt, and nobody wants that.\n\nAt GitLab, we believe in boring solutions.\nWe make the simple change that sets us on the path towards where we want to be.\nShip it, get feedback, and iterate.\nSo that's what we did.\nIn the first phase of this rollout, we shipped the new pipeline graph with no lines connecting the jobs.\nWe don't have to worry about the expensive calculations, and we still get to roll out the refactored pipeline graph.\n\n![The current (v13.11) pipeline graph showing no links between jobs](https://about.gitlab.com/images/blogimages/placebo-lines_current-graph.png)\n\nWe know some of you will miss them, but fear not.\nBoring solutions are just technical debt if you don't iterate on them.\nSo the [improved lines are coming](https://gitlab.com/groups/gitlab-org/-/epics/4509) in a future release, along with several other improvements to the pipeline graph.\nWe're already starting to roll out the new [Job Dependencies](https://gitlab.com/gitlab-org/gitlab/-/issues/298973) view which shows the jobs in a (much closer to) execution order.\nStay tuned for more updates, and watch [Sarah Groff Hennigh Palermo's talk](https://www.youtube.com/watch?v=R2EKqKjB7OQ) for the technical side of this effort and a deeper dive into some of the decisions we 
made.\n",[741,742,743,744],"CI","frontend","agile","design",{"slug":746,"featured":12,"template":13},"placebo-lines-on-the-pipeline-graph",{"promotions":748},[749,763,774],{"id":750,"categories":751,"header":753,"text":754,"button":755,"image":760},"ai-modernization",[752],"ai-ml","Is AI achieving its promise at scale?","Quiz will take 5 minutes or less",{"text":756,"config":757},"Get your AI maturity score",{"href":758,"dataGaName":759,"dataGaLocation":243},"/assessments/ai-modernization-assessment/","modernization assessment",{"config":761},{"src":762},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1772138786/qix0m7kwnd8x2fh1zq49.png",{"id":764,"categories":765,"header":766,"text":754,"button":767,"image":771},"devops-modernization",[728,559],"Are you just managing tools or shipping innovation?",{"text":768,"config":769},"Get your DevOps maturity score",{"href":770,"dataGaName":759,"dataGaLocation":243},"/assessments/devops-modernization-assessment/",{"config":772},{"src":773},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1772138785/eg818fmakweyuznttgid.png",{"id":775,"categories":776,"header":777,"text":754,"button":778,"image":782},"security-modernization",[23],"Are you trading speed for security?",{"text":779,"config":780},"Get your security maturity score",{"href":781,"dataGaName":759,"dataGaLocation":243},"/assessments/security-modernization-assessment/",{"config":783},{"src":784},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1772138786/p4pbqd9nnjejg5ds6mdk.png",{"header":786,"blurb":787,"button":788,"secondaryButton":793},"Start building faster today","See what your team can do with the intelligent orchestration platform for DevSecOps.\n",{"text":789,"config":790},"Get your free 
trial",{"href":791,"dataGaName":50,"dataGaLocation":792},"https://gitlab.com/-/trial_registrations/new?glm_content=default-saas-trial&glm_source=about.gitlab.com/","feature",{"text":495,"config":794},{"href":54,"dataGaName":55,"dataGaLocation":792},1772652088376]