We like GitPod. We’re also ISO27001, which means we need to do a vendor assessment of GitPod.
I don’t think it’ll be too bad.
- Authentication is handled by GitLab, which I’ve already risk assessed and have two-factor on
- Data is ephemeral, so I don’t have to worry about backups etc. Again, that’s all stored in GitLab
So I can just scope GitPod out to something low-risk (no customer data involved etc.). So really all I need to do is talk about the company and app: “All data hosted in data centres with SOC2 etc.” along with “Regular penetration tests”.
Has anyone done anything similar? I’ve looked on the GitPod site and I can’t find anything obvious about security etc.
Happy to share my results and rationale once done etc.