GitLab improves security and governance solution to strengthen software supply chain security


GitLab has revealed enhancements to its security and governance solution that enables organizations to integrate security and compliance into every stage of the software development lifecycle (SDLC) and secure their software supply chain.

GitLab’s 2022 DevSecOps Global Survey found security to be the highest priority area of ​​investment for organizations, with 57% of security professionals surveyed saying their organizations have already shifted security to the left or planned to do so. year.

To meet growing security needs, GitLab is enhancing its security and governance solution to provide visibility and management of security findings and compliance requirements, as well as deliver a software supply chain security experience.

With increasing regulatory and compliance requirements for organizations, GitLab has focused on governance to help teams identify risk by providing visibility into their projects’ dependencies, security outcomes, and activities. users.

This includes features such as security policy management, compliance management, audit events, vulnerability management, and an upcoming dependency management capability, which will help developers track vulnerable dependencies found in their applications.

These governance features, combined with a comprehensive set of security testing features such as static application security testing (SAST), secret detection, dynamic application security testing (DAST), API security, fuzz testing, dependency analysis, license compliance, and container analysis, can help organizations ensure the ongoing security and compliance of their software supply chain without compromising speed and agility.

“To stay competitive and propel digital transformation, organizations must excel in developing, operating and securing software. Security should be built into all stages of the software development lifecycle, not an afterthought,” said David DeSanto, vice president of product at GitLab.

“Our enhanced security and governance capabilities make GitLab a complete DevSecOps solution to help secure an organization’s software supply chain,” DeSanto continued.

Securing Software Supply Chains

The software supply chain is the set of internal and external dependencies used in modern software development. To properly secure the supply chain, companies must have tools in place not only to secure code created in-house, but also to detect vulnerabilities that can be introduced by third-party components.

With so many moving parts, securing an organization’s software supply chain can be complex. There must be an automated system of checks and balances throughout the development lifecycle to ensure code is deployed efficiently and securely.

Implementing a DevSecOps platform can improve end-to-end security in part by reducing handovers and improving transparency surrounding ownership and access.

Software Bill of Materials (SBOM): Introduced earlier this year, GitLab helps organizations create SBOMs and automatically scans for vulnerabilities in discovered components, and provides guidance on fixing those vulnerabilities, all within the developer’s natural workflow.

Ingest SBOM reports: This upcoming feature should help GitLab create SBOMs more efficiently by parsing and ingesting existing third-party SBOM data to aggregate the data for easy use and help secure developer workflows.

Build artifact signature: To attest to the authenticity of the build artifact, we anticipate that this upcoming feature will allow GitLab to cryptographically sign both the build artifact and the attestation file to prove that they have not have not been modified after generation.

SLSA-2 certification: When left unchecked, container-based architectures can present a risk of deploying faulty, vulnerable, or unauthorized software. SLSA-2 attestations were introduced after the launch of GitLab 15 to protect against software tampering and add build integrity guarantees. GitLab Runner is now able to generate SLSA-2 compliant attestation metadata for build artifacts.

Proactively identify vulnerabilities

GitLab helps ensure that organizations can move left by scanning for vulnerabilities and implementing controls to secure applications. GitLab’s enhanced features can help organizations automatically scan for vulnerabilities in source code, containers, dependencies, and running applications.

Additionally, these security features can help automate threat detection before and after deploying applications in production to minimize security risks.

DAST API and fuzzing API: The DAST API and Fuzzing API allow developers to find known and unknown issues in their applications by analyzing them in CI/CD pipelines. With the recent addition of GraphQL schema support in version 15.4, these API security scans help secure applications with minimal configuration compared to previous versions. Additional application security scanners include static application security testing (SAST), covert detection, container scanning, dependency scanning, IaC scanning, and coverage-guided fuzz testing.

Integrated safety training: The 2022 DevSecOps report found that 56% of respondents found it difficult to get developers to prioritize patching code vulnerabilities, leaving those threats to security professionals to capture. With Integrated Security Training, developers have access to actionable and relevant secure coding guidance within the GitLab platform, which can reduce context switching and management pressure on security professionals.

Meet compliance and regulatory standards

Operations professionals identify management of compliance and audit requirements as activities within their scope of responsibility. GitLab believes new and upcoming features will help teams track changes, implement controls to define what goes into production, and ensure compliance with licensing and regulatory frameworks.

Customizable roles: In a future release, GitLab group admins/owners will be able to create new custom roles with granular permissions. This will help role-based access control align more closely with an organization’s security policies and support the principle of least privilege.

FIPS 140-2 compliance: GitLab is now FIPS 140-2 compliant, which is required for certain GitLab customers under US government regulatory guidelines. This compliance shows that GitLab adheres to well-defined security standards governing the development and use of cryptographic modules.

Password rules: Released earlier this year, Password Rules establish password complexity requirements and can prevent users from using insecure public keys to access GitLab.

Broadcasting audit events: Launched earlier this year, Continuous Auditing Events captures information about event types, timelines, users, and metadata associated with significant system events. This allows organizations to consolidate their logs into a single set of tools and centrally create workflows to take action when a specific event occurs.

Two-way approvals: Released last year, GitLab allows users to specify merge request settings at the group level, including the ability to block an author from approving their own merge request. This setting, combined with other GitLab features, allows organizations to require two-person approval before allowing code to be merged.

“Companies have had great success in embracing DevOps principles and breaking down the silos that separate software development and IT operations teams. The next step to strengthen the development process is to replicate this approach to security, moving from DevOps to DevSecOps,” said Daniel Kennedy, Principal Analyst, Information Security at 451 Research, part of S&P Global Market. Intelligence.

“In order to move security to the left, while continuing to roll out at an efficient cadence, organizations need a single platform that integrates security and compliance into their existing development workflows,” continued Kennedy.

“HackerOne uses GitLab as a key component to maintain the security of our software and ensure high trust with the code we deploy,” said Ben Willis, principal software engineer at HackerOne.

“During development, we leverage automated and manual code review checks, use GitLab integrations for continuous monitoring and automated fixes, and consistently rely on GitLab for support of all audit requests,” added Willis.


Comments are closed.