GitLab Security and Governance Solution Helps Secure Organizations’ End-to-End Software Supply Chains
October 25 2022 - 8:00AM
All Remote -- Today at KubeCon + CloudNativeCon North America,
GitLab Inc., provider of The One DevOps Platform, announced
enhancements to its Security and Governance solution which enables
organizations to integrate security and compliance in every step of
the software development lifecycle (SDLC) and secure their software
supply chain.
GitLab’s 2022 Global DevSecOps Survey found that security was
the highest priority investment area for organizations, with 57% of
security professionals surveyed stating that their organizations
have already shifted security left or plan to this year. To meet
growing security needs, GitLab is enhancing its Security and
Governance solution to provide visibility and management over
security findings and compliance requirements, as well as deliver
what we believe is a first-class software supply chain security
experience.
With increasing regulatory and compliance requirements for
organizations, GitLab has increased its focus on governance to help
teams identify risks by providing them with visibility into their
projects' dependencies, security findings, and user activities.
This includes capabilities like security policy management,
compliance management, audit events, vulnerability management, and
an upcoming capability of dependency management, which will help
developers track vulnerable dependencies detected in their
applications. These governance capabilities, in conjunction with a
comprehensive set of security testing capabilities such as static
application security testing (SAST), secret detection, dynamic
application security testing (DAST), API security, fuzz testing,
dependency scanning, license compliance, and container scanning,
can help organizations achieve continuous security and compliance
of their software supply chain without compromising on speed and
agility.
“To stay competitive and propel digital transformation,
organizations need to be great at developing, operating, and
securing software. Security needs to be embedded in all stages of
the software development lifecycle, not treated as an
afterthought,” said David DeSanto, VP of Product at GitLab. “Our
enhanced security and governance capabilities make GitLab a
comprehensive DevSecOps solution to help secure an organization's
software supply chain.”
Securing Software Supply Chains
The software
supply chain is all of the internal and external dependencies used
in modern software development. To properly secure the supply
chain, companies must put tools in place to not only secure the
code created in-house but also need ways to detect vulnerabilities
that may be introduced by third-party components. With so many
moving pieces, securing an organization’s software supply chain can
be complex. There needs to be an automated system of checks and
balances throughout the development lifecycle to make sure code is
efficiently and securely deployed. Implementing a DevSecOps
Platform can improve end-to-end security in part by reducing
handoffs and improving transparency surrounding ownership and
access.
- Software Bill of Materials (SBOMs): Introduced
earlier this year, GitLab helps organizations create SBOMs and
automatically scan for vulnerabilities within the discovered
components, and provide guidance on resolving those vulnerabilities
– all within the developer’s natural workflow.
- Ingest SBOM Reports: This upcoming feature is
anticipated to help GitLab more efficiently create SBOMs by parsing
and ingesting existing SBOM data from third parties to aggregate
data for ease of use and help secure developer workflows.
- Build Artifact Signing: To attest to build
artifact authenticity, we anticipate that this upcoming feature
will enable GitLab to cryptographically sign both the build
artifact and attestation file to prove that they have not been
altered after generation.
- SLSA-2 Attestation: When unchecked,
container-based architectures can introduce a risk of deploying
defective, vulnerable, or unauthorized software. SLSA-2
attestations were introduced following the launch of GitLab 15 to
protect against software tampering and add build integrity
guarantees. GitLab Runner is now capable of generating SLSA-2
compliant attestation metadata for build artifacts.
Proactively Identify Vulnerabilities
GitLab
helps ensure that organizations can shift left by proactively
scanning for vulnerabilities and implementing controls to secure
applications. GitLab’s enhanced features can help organizations
automatically scan vulnerabilities in source code, containers,
dependencies, and running applications. Additionally, these
security features can help automate threat detection before and
after applications are deployed to production to minimize security
risk.
- DAST API and API Fuzzing: DAST API and API
Fuzzing allow developers to find both known and unknown issues in
their applications by scanning for them in CI/CD pipelines. With
the recent addition of GraphQL schema support in 15.4, these API
security scans help secure applications with minimal configuration
as compared to prior releases. Additional application security
scanners include Static Application Security Testing (SAST), Secret
Detection, Container Scanning, Dependency Scanning, IaC Scanning,
and coverage-guided fuzz testing.
- Integrated Security Training: The 2022
DevSecOps report found that 56% of respondents said it was
difficult to get developers to actually prioritize fixing code
vulnerabilities, leaving these threats for security professionals
to capture. With Integrated Security Training, developers have
access to actionable and relevant secure coding guidance within the
GitLab platform, which can reduce context switching and management
strain on security professionals.
Fulfill Compliance and Regulatory Standards
Operations professionals identify managing compliance and audit
requirements as activities within their scope of responsibility.
GitLab believes the new and upcoming features will help teams track
changes, implement controls to define what goes into production,
and ensure adherence to license compliance and regulatory
frameworks.
- Customizable Roles: In an upcoming release, GitLab Admins/Group Owners will be able to
create new customized roles with granular permissions. This will
help role-based access control to more closely align with an
organization's security policies and support the principle of least
privilege.
- FIPS 140-2 Compliance: GitLab is now FIPS
140-2 compliant, which is required for some GitLab customers under
U.S. government regulatory guidelines. This compliance shows that
GitLab meets well-defined security standards governing the
development and use of cryptographic modules.
- Password Rules: Released earlier this year,
password rules establish password complexity requirements and can
prevent users from using insecure public keys to access
GitLab.
- Streaming Audit
Events: Released earlier this year, streaming audit events
capture information about event types, timelines, users, and
metadata associated with meaningful system events. This allows
organizations to consolidate their logs into one toolset and build
workflows centrally to take action when a specific event
occurs.
- Two-Person Approvals: Released last year, GitLab allows users to specify group-level
merge request settings, including the ability to prevent an author
from approving their own merge request. This setting, combined with
other GitLab features, allows organizations to require two-person
approvals before allowing code to be merged in.
“Enterprises have experienced great success in embracing DevOps
principles and breaking down the siloes that separate software
development and IT operations teams. The next step to strengthen
the development process is to replicate this approach for security,
moving from DevOps to DevSecOps,” said Daniel Kennedy, Principal
Analyst, Information Security at 451 Research, part of S&P
Global Market Intelligence. “In order to shift security left, while
continuing deployment at an efficient cadence, organizations
require a single platform that integrates security and compliance
into their existing development workflows.” [1]
“HackerOne uses GitLab as a key component to maintain our
software security and ensure high confidence with the code we
deploy,” said Ben Willis, Principal Software Engineer at HackerOne.
“During development, we leverage automated and manual code review
checks, use GitLab integrations for continuous monitoring and
automated patching, and consistently rely on GitLab for support
with any audit requests.”
To learn more about the GitLab Security and Governance solution,
please visit the solution page. To read the 2022 DevSecOps survey,
please download the report here.
About GitLab
GitLab is The One DevOps Platform
for software innovation. As The One DevOps Platform, GitLab
provides one interface, one data store, one permissions model, one
value stream, one set of reports, one spot to secure your code, one
location to deploy to any cloud, and one place for everyone to
contribute. The platform is the only true cloud-agnostic end-to-end
DevOps platform that brings together all DevOps capabilities in one
place.
With GitLab, organizations can create, deliver, and manage code
quickly and continuously to translate business vision into reality.
GitLab empowers customers and users to innovate faster, scale more
easily, and serve and retain customers more effectively. Built on
Open Source, GitLab works alongside its growing community, which is
composed of thousands of developers and millions of users, to
continuously deliver new DevOps innovations.
Media Contact
Christina Weaver
GitLab Inc.
press@gitlab.com
[1] S&P Global Market Intelligence, DevSecOps: Breaking Down
Silos for Security, July 28, 2022