How GitLab built a security control framework from scratch