security audit for gitlab instance
I recently joined a start up company that specializes in software development as a cybersecurity risk management for an internship of 6 months, my first task was to audit the company's gitlab page since all they use for their coding work is gitlab.
Since I have 0 practical experience, I am very lost on how to start, what should I do, how can I actually check the security of the company's gitlab, are there any tools that can help me do that?
Note: There is no Cybersecurity department or team in the company, so far I am the only one working on this and there is no one else to teach me the ins and outs of the job. Not the most optimal internship experience, but I have to get through it I guess, too late for me to change.
So far, I have tried to already define the scope, identify the assets. I want to identify threats and vulnerabilities by using third-party software; I am still lost on which one would be the optimal one, I found Synk and thought it would be good. I have tried to assess the best version of gitlab to use since they are still using a deprecated version of it, 11.2.5 to be precise, which has a lot of vulnerabilities. I am also checking the access controls and the rights given to the users, I want to do a secret scan as well but I am not sure how. Where to go next, what to do.
