SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
GitLab aims to secure end-to-end software supply chains
Fri, 28th Oct 2022

At KubeCon + CloudNativeCon North America, GitLab, provider of the One DevOps Platform, announced enhancements to its security and governance solution. It will enable organisations to integrate security and compliance in every step of the software development lifecycle (SDLC) and secure their software supply chain.

GitLab’s 2022 Global DevSecOps Survey found that security was the highest priority investment area for organisations, with 57% of security professionals surveyed stating that their organisations have already shifted security left or plan to this year. 

To meet growing security needs, GitLab is enhancing its Security and Governance solution to provide visibility and management over security findings and compliance requirements and deliver a first-class supply chain security experience.

With increasing regulatory and compliance requirements for organisations, GitLab has increased its focus on governance to help teams identify risks by providing visibility into their projects' dependencies, security findings, and user activities. 

This includes capabilities like security policy management, compliance management, audit events, vulnerability management, and an upcoming capability of dependency management, which will help developers track vulnerable dependencies detected in their applications. 

These governance capabilities, in conjunction with a comprehensive set of security testing capabilities such as static application security testing (SAST), secret detection, dynamic application security testing (DAST), API security, fuzz testing, dependency scanning, license compliance, and container scanning, can help organisations achieve continuous security and compliance of their software supply chain without compromising on speed and agility.

“To stay competitive and propel digital transformation, organisations need to be great at developing, operating, and securing software. Security needs to be embedded in all stages of the software development lifecycle, not treated as an afterthought,” says David DeSanto, Vice President of Product at GitLab. 

“Our enhanced security and governance capabilities make GitLab a comprehensive DevSecOps solution to help secure an organisation's software supply chain.”

The software supply chain is all the internal and external dependencies used in modern software development. To properly secure it, companies must put tools in place that not only secure the code created in-house but also detect vulnerabilities that third-party components may introduce.

Securing an organisation's software supply chain can be complex, with many moving pieces. Therefore, an automated system of checks and balances must be implemented throughout the development lifecycle to ensure code is efficiently and securely deployed. 

Implementing a DevSecOps Platform can partly improve end-to-end security by reducing handoffs and improving transparency surrounding ownership and access.

Introduced earlier this year, GitLab's SBOM capabilities help organisations create SBOMs, automatically scan the discovered components for vulnerabilities, and provide guidance on resolving those vulnerabilities within the developer's natural workflow.

An upcoming feature is Ingest SBOM Reports. It is expected to let GitLab parse and ingest SBOM data that already exists from third parties, aggregating it with GitLab's own findings so that vendor-supplied components appear in the same inventory as those discovered in-house.
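The aggregation step described above, shown as an added example rather than GitLab's own ingestion code: two constructed CycloneDX 1.4 JSON documents (one from in-house dependency scanning, one supplied by a vendor) are parsed, merged into a single inventory keyed by package URL, and checked for packages that arrive at different versions from different sources. The package names, versions and producer names are constructed for the demonstration.

```python
"""Aggregate components from several CycloneDX JSON SBOMs into one inventory.

Added example; not GitLab code. Assumes CycloneDX 1.4 JSON whose "components"
entries carry a "purl" (package URL). Both sample documents are constructed.
"""
import json
from dataclasses import dataclass, field

# Constructed sample: SBOM produced by in-house dependency scanning.
FIRST_PARTY_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "payments-api", "version": "2.3.0"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
        {"type": "library", "name": "urllib3", "version": "1.26.12",
         "purl": "pkg:pypi/urllib3@1.26.12"},
        {"type": "library", "name": "certifi", "version": "2022.9.24",
         "purl": "pkg:pypi/certifi@2022.9.24"},
    ],
})

# Constructed sample: SBOM supplied by a third-party vendor for a bundled SDK.
VENDOR_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "vendor-sdk", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "urllib3", "version": "1.25.0",
         "purl": "pkg:pypi/urllib3@1.25.0"},
        {"type": "library", "name": "certifi", "version": "2022.9.24",
         "purl": "pkg:pypi/certifi@2022.9.24"},
    ],
})


@dataclass
class Component:
    name: str
    version: str
    purl: str
    sources: set = field(default_factory=set)   # producers that reported this purl


def parse_cyclonedx(text: str) -> tuple[str, list[Component]]:
    """Return (producer name, components) from one CycloneDX JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    producer = doc.get("metadata", {}).get("component", {}).get("name", "unknown")
    comps = []
    for c in doc.get("components", []):
        purl = c.get("purl")
        if not purl:          # without a purl the component cannot be matched across SBOMs
            continue
        comps.append(Component(c["name"], c.get("version", ""), purl, {producer}))
    return producer, comps


def merge_sboms(texts: list[str]) -> dict[str, Component]:
    """Aggregate components from several SBOMs, keyed by purl, recording every source."""
    merged: dict[str, Component] = {}
    for text in texts:
        _, comps = parse_cyclonedx(text)
        for c in comps:
            if c.purl in merged:
                merged[c.purl].sources |= c.sources
            else:
                merged[c.purl] = c
    return merged


def version_conflicts(merged: dict[str, Component]) -> dict[str, set[str]]:
    """Packages present at more than one version across the ingested SBOMs."""
    by_name: dict[str, set[str]] = {}
    for c in merged.values():
        by_name.setdefault(c.name, set()).add(c.version)
    return {n: v for n, v in by_name.items() if len(v) > 1}


if __name__ == "__main__":
    inventory = merge_sboms([FIRST_PARTY_SBOM, VENDOR_SBOM])
    for purl, comp in sorted(inventory.items()):
        print(f"{purl:40s} reported by {sorted(comp.sources)}")
    for name, versions in version_conflicts(inventory).items():
        print(f"version conflict: {name} present as {sorted(versions)}")
```

Keying on purl rather than on name plus version is what makes the merge reliable: two SBOMs can spell the same package differently, but a purl pins the ecosystem, name and version. The conflict report is the practical payoff: a vendor bundling an older copy of a library you also ship directly is exactly the kind of finding that stays invisible when each SBOM is read on its own.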

To attest to build artifact authenticity, an upcoming feature will let GitLab cryptographically sign both the build artifact and its attestation file, so that either can be shown not to have been altered after generation.

Unchecked container-based architectures can introduce a risk of deploying defective, vulnerable, or unauthorised software. SLSA-2 attestations were introduced following the launch of GitLab 15 to protect against software tampering and provide build integrity guarantees: GitLab Runner can now generate SLSA-2 compliant attestation metadata for build artifacts.
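What a consumer of that attestation metadata actually checks, as an added example covering both the attestation and the artifact-integrity points above (this is not GitLab Runner code): the statement layout follows the public in-toto Statement v0.1 and SLSA provenance v0.2 specifications, and the artifact bytes, builder id, build type and repository URI are constructed for the demonstration. The verifier ties the artifact to the statement by recomputing its SHA-256 and comparing it with the recorded subject digest, and refuses artifacts whose name, builder or bytes do not match.

```python
"""Verify that a build artifact matches the subject digest in its provenance statement.

Added example, not GitLab Runner code. Statement layout: in-toto Statement v0.1 with a
SLSA provenance v0.2 predicate. Artifact bytes, builder id, build type and repository
URI below are constructed for the demonstration.
"""
import hashlib
import hmac
import json

# Constructed artifact, as it would be uploaded from a CI job.
ARTIFACT_NAME = "payments-api.tar.gz"
ARTIFACT_BYTES = b"\x1f\x8b\x08\x00 constructed tarball contents"

# Assumed builder identity that the verifier insists on.
BUILDER_ID = "https://gitlab.example.com/-/runners/42"

# Constructed provenance statement; the subject digest is derived from ARTIFACT_BYTES so
# the document is self-consistent.
PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [
        {"name": ARTIFACT_NAME,
         "digest": {"sha256": hashlib.sha256(ARTIFACT_BYTES).hexdigest()}},
    ],
    "predicate": {
        "builder": {"id": BUILDER_ID},
        "buildType": "https://example.com/ci-job/v1",          # assumed value
        "invocation": {"configSource": {
            "uri": "git+https://gitlab.example.com/acme/payments-api",   # constructed
            "digest": {"sha1": "0" * 40}}},                             # constructed
    },
})


class ProvenanceError(Exception):
    """Raised when the artifact cannot be tied to the statement."""


def verify_subject(statement_text: str, name: str, data: bytes, expected_builder: str) -> str:
    """Return the artifact's sha256 hex digest if the statement vouches for these exact bytes."""
    stmt = json.loads(statement_text)
    if stmt.get("_type") != "https://in-toto.io/Statement/v0.1":
        raise ProvenanceError("unexpected statement type")
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        raise ProvenanceError("unexpected predicate type")
    builder = stmt.get("predicate", {}).get("builder", {}).get("id")
    if builder != expected_builder:
        raise ProvenanceError(f"unexpected builder: {builder!r}")
    matches = [s for s in stmt.get("subject", []) if s.get("name") == name]
    if len(matches) != 1:
        raise ProvenanceError(f"{name!r} must appear exactly once as a subject")
    recorded = matches[0].get("digest", {}).get("sha256", "")
    actual = hashlib.sha256(data).hexdigest()
    # constant-time comparison so the check does not leak how much of the digest matched
    if not hmac.compare_digest(recorded, actual):
        raise ProvenanceError("artifact bytes do not match the recorded subject digest")
    return actual


def artifact_matches_provenance(statement_text: str, name: str, data: bytes,
                                expected_builder: str) -> bool:
    """Accept/reject wrapper around verify_subject for deployment gates."""
    try:
        verify_subject(statement_text, name, data, expected_builder)
        return True
    except ProvenanceError:
        return False


if __name__ == "__main__":
    print("genuine :", artifact_matches_provenance(PROVENANCE, ARTIFACT_NAME, ARTIFACT_BYTES, BUILDER_ID))
    print("tampered:", artifact_matches_provenance(PROVENANCE, ARTIFACT_NAME, ARTIFACT_BYTES + b"\x00", BUILDER_ID))
```

The caveat a practitioner should keep in mind: this proves only that the bytes being deployed are the bytes the statement describes. With the statement unsigned (the article describes signing as upcoming), an attacker who can rewrite the artifact in storage can rewrite the metadata beside it, so fetch the statement from the CI job record rather than from the same location as the artifact, and once signing is available verify the signature before trusting the digest.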

GitLab helps ensure that organisations can shift left by proactively scanning for vulnerabilities and implementing controls to secure applications. GitLab's enhanced features can help organisations automatically scan for vulnerabilities in source code, containers, dependencies, and running applications. Additionally, these security features can help automate threat detection before and after applications are deployed to production to minimise security risk.

DAST API and API Fuzzing allow developers to find both known and unknown issues in their applications by scanning for them in CI/CD pipelines. With the recent addition of GraphQL schema support in 15.4, these API security scans need less configuration than in prior releases. Additional application security scanners include Static Application Security Testing (SAST), Secret Detection, Container Scanning, Dependency Scanning, IaC Scanning, and coverage-guided fuzz testing.

The 2022 DevSecOps report found that 56% of respondents found it difficult to get developers to prioritise fixing code vulnerabilities, leaving security professionals to chase those findings. With Integrated Security Training, developers have access to actionable and relevant secure coding guidance within the GitLab platform, reducing context switching and the strain on security professionals.

Operations professionals identify managing compliance and audit requirements as activities within their scope of responsibility. GitLab believes the new and upcoming features will help teams track changes, implement controls to define what goes into production, and ensure adherence to licensing compliance and regulatory frameworks.

In an upcoming release, GitLab Admins/Group Owners will be able to create new customised roles with granular permissions. This will allow role-based access control to align more closely with an organisation's security policies and support the principle of least privilege.

GitLab is now FIPS 140-2 compliant, which is required for some GitLab customers under U.S. government regulatory guidelines. This compliance shows that GitLab meets well-defined security standards governing the development and use of cryptographic modules.

Released earlier this year, password rules establish password complexity requirements. Separately, administrators can restrict the SSH key types and minimum key lengths users may register, preventing insecure public keys from being used to access GitLab.

Released earlier this year, streaming audit events capture information about event types, timelines, users, and metadata associated with meaningful system events. This allows organisations to consolidate their logs into one toolset and build workflows centrally to take action when a specific event occurs.
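The receiving side of that workflow, as an added example that is not GitLab code: a streaming destination must first confirm that a POST really came from its GitLab instance before letting the event into a log pipeline or triggering anything on it, and only then route selected event types to an action. The header names X-Gitlab-Event-Streaming-Token (the destination's verification token) and X-Gitlab-Audit-Event-Type are the ones GitLab's audit event streaming documentation describes; treat them, the token value, the event bodies and the event type names used here as assumptions constructed for the demonstration rather than a statement of GitLab's exact event catalogue.

```python
"""Authenticate streamed audit events, then act on selected event types.

Added example, not GitLab code. Header names are assumed from GitLab's audit event
streaming docs; token, event bodies and event type names are constructed for the demo.
"""
import hmac
import json

# Assumed: the verification token configured on the streaming destination.
STREAM_TOKEN = "example-destination-token"

# Constructed sample of what a destination receives: (headers, JSON body) per POST.
# The third post carries a wrong token and must never reach the pipeline.
SAMPLE_POSTS = [
    ({"X-Gitlab-Event-Streaming-Token": STREAM_TOKEN,
      "X-Gitlab-Audit-Event-Type": "member_created"},
     json.dumps({"id": 101, "author_id": 7, "entity_type": "Group", "entity_id": 3,
                 "details": {"add": "user_access", "as": "Owner", "author_name": "alice"},
                 "created_at": "2022-10-28T09:15:00Z"})),
    ({"X-Gitlab-Event-Streaming-Token": STREAM_TOKEN,
      "X-Gitlab-Audit-Event-Type": "user_signed_in"},
     json.dumps({"id": 102, "author_id": 7, "entity_type": "User", "entity_id": 7,
                 "details": {"author_name": "alice"},
                 "created_at": "2022-10-28T09:16:00Z"})),
    ({"X-Gitlab-Event-Streaming-Token": "wrong-token",
      "X-Gitlab-Audit-Event-Type": "project_deleted"},
     json.dumps({"id": 999, "author_id": 0, "entity_type": "Project", "entity_id": 55,
                 "details": {"author_name": "mallory"},
                 "created_at": "2022-10-28T09:17:00Z"})),
]

# Event types that should page someone, each with the predicate on "details" that must hold.
WATCHED = {
    "member_created": lambda d: d.get("as") == "Owner",   # a new Owner is a privilege change
    "project_deleted": lambda d: True,                     # any deletion is worth a look
}


def authenticate(headers: dict, expected_token: str) -> bool:
    """Constant-time check of the destination's verification token."""
    supplied = headers.get("X-Gitlab-Event-Streaming-Token", "")
    return hmac.compare_digest(supplied.encode(), expected_token.encode())


def handle_post(headers: dict, body: str, expected_token: str) -> str:
    """Return 'rejected', 'logged' or 'alert:<type>' for one streamed event."""
    if not authenticate(headers, expected_token):
        return "rejected"   # unauthenticated posts are dropped before parsing
    event = json.loads(body)
    event_type = headers.get("X-Gitlab-Audit-Event-Type", "")
    predicate = WATCHED.get(event_type)
    if predicate and predicate(event.get("details", {})):
        return f"alert:{event_type}"
    return "logged"


def process_stream(posts, expected_token: str) -> list[str]:
    """Apply handle_post to a batch of (headers, body) pairs in order."""
    return [handle_post(headers, body, expected_token) for headers, body in posts]


if __name__ == "__main__":
    for (headers, body), outcome in zip(SAMPLE_POSTS, process_stream(SAMPLE_POSTS, STREAM_TOKEN)):
        print(f"{headers.get('X-Gitlab-Audit-Event-Type', '?'):16s} -> {outcome}")
```

The ordering matters: the token check runs before the body is parsed, so a forged POST cannot plant a fabricated "deletion" in the SIEM or exercise the JSON parser with attacker-controlled input. Rejected posts should still be counted somewhere, since a burst of them is itself a signal that someone has found the destination URL.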

Released last year, GitLab allows users to specify group-level merge request settings, including the ability to prevent an author from approving their own merge request. This setting, combined with other GitLab features, allows organisations to require two-person approvals before allowing code to merge.
 
“Enterprises have experienced great success in embracing DevOps principles and breaking down the silos that separate software development and IT operations teams. The next step to strengthen the development process is to replicate this approach for security, moving from DevOps to DevSecOps,” says Daniel Kennedy, Principal Analyst, Information Security at 451 Research, part of S&P Global Market Intelligence. 

“In order to shift security left, while continuing deployment at an efficient cadence, organisations require a single platform that integrates security and compliance into their existing development workflows.”

“HackerOne uses GitLab as a key component to maintain our software security and ensure high confidence with the code we deploy,” said Ben Willis, Principal Software Engineer at HackerOne. “During development, we leverage automated and manual code review checks, use GitLab integrations for continuous monitoring and automated patching, and consistently rely on GitLab for support with any audit requests.”

Bob Stevens, Vice President of Public Sector at GitLab, adds, “Government agencies contend with a plethora of requirements to achieve authority to operate, resulting in wariness around compliance among practitioners. The ability to integrate compliance metrics into the DevOps lifecycle and efficiently produce SBOMs creates a hassle-free process, reducing pain points and encouraging compliance.”