GitLab Enhances Security and Governance Solution
November 07, 2022

GitLab announced enhancements to its Security and Governance solution which enables organizations to integrate security and compliance in every step of the software development lifecycle (SDLC) and secure their software supply chain.

To meet growing security needs, GitLab is enhancing its Security and Governance solution to provide visibility and management over security findings and compliance requirements, as well as deliver a first-class software supply chain security experience.

With increasing regulatory and compliance requirements for organizations, GitLab has increased its focus on governance to help teams identify risks by providing them with visibility into their projects' dependencies, security findings, and user activities. This includes capabilities like security policy management, compliance management, audit events, vulnerability management, and an upcoming capability of dependency management, which will help developers track vulnerable dependencies detected in their applications. These governance capabilities, in conjunction with a comprehensive set of security testing capabilities such as static application security testing (SAST), secret detection, dynamic application security testing (DAST), API security, fuzz testing, dependency scanning, license compliance, and container scanning, can help organizations achieve continuous security and compliance of their software supply chain without compromising on speed and agility.

“To stay competitive and propel digital transformation, organizations need to be great at developing, operating, and securing software. Security needs to be embedded in all stages of the software development lifecycle, not treated as an afterthought,” said David DeSanto, VP of Product at GitLab. “Our enhanced security and governance capabilities make GitLab a comprehensive DevSecOps solution to help secure an organization's software supply chain.”

Enhancements include:

- Software Bill of Materials (SBOMs): Introduced earlier this year, GitLab helps organizations create SBOMs and automatically scan for vulnerabilities within the discovered components, and provide guidance on resolving those vulnerabilities – all within the developer’s natural workflow.

- Ingest SBOM Reports: This upcoming feature is anticipated to help GitLab more efficiently create SBOMs by parsing and ingesting existing SBOM data from third parties to aggregate data for ease of use and help secure developer workflows.

- Build Artifact Signing: To attest to build artifact authenticity, this upcoming feature will enable GitLab to cryptographically sign both the build artifact and attestation file to prove that they have not been altered after generation.

- SLSA-2 Attestation: When unchecked, container-based architectures can introduce a risk of deploying defective, vulnerable, or unauthorized software. SLSA-2 attestations were introduced following the launch of GitLab 15 to protect against software tampering and add build integrity guarantees. GitLab Runner is now capable of generating SLSA-2 compliant attestation metadata for build artifacts.

GitLab helps ensure that organizations can shift left by proactively scanning for vulnerabilities and implementing controls to secure applications. GitLab’s enhanced features can help organizations automatically scan vulnerabilities in source code, containers, dependencies, and running applications. Additionally, these security features can help automate threat detection before and after applications are deployed to production to minimize security risk.

- DAST API and API Fuzzing: DAST API and API Fuzzing allow developers to find both known and unknown issues in their applications by scanning for them in CI/CD pipelines. With the recent addition of GraphQL schema support in 15.4, these API security scans help secure applications with minimal configuration as compared to prior releases. Additional application security scanners include Static Application Security Testing (SAST), Secret Detection, Container Scanning, Dependency Scanning, IaC Scanning, and coverage-guided fuzz testing.

- Integrated Security Training: With Integrated Security Training, developers have access to actionable and relevant secure coding guidance within the GitLab platform, which can reduce context switching and management strain on security professionals.

Operations professionals identify managing compliance and audit requirements as activities within their scope of responsibility. GitLab believes the new and upcoming features will help teams track changes, implement controls to define what goes into production, and ensure adherence to license compliance and regulatory frameworks.

- Customizable Roles: In an upcoming release, GitLab Admins/Group Owners will be able to create new customized roles with granular permissions. This will help role-based access control to more closely align with an organization's security policies and support the principle of least privilege.

- FIPS 140-2 Compliance: GitLab is now FIPS 140-2 compliant, which is required for some GitLab customers under U.S. government regulatory guidelines. This compliance shows that GitLab meets well-defined security standards governing the development and use of cryptographic modules.

- Password Rules: Released earlier this year, password rules establish password complexity requirements and can prevent users from using insecure public keys to access GitLab.

- Streaming Audit Events: Released earlier this year, streaming audit events capture information about event types, timelines, users, and metadata associated with meaningful system events. This allows organizations to consolidate their logs into one toolset and build workflows centrally to take action when a specific event occurs.

- Two-Person Approvals: Released last year, GitLab allows users to specify group-level merge request settings, including the ability to prevent an author from approving their own merge request. This setting, combined with other GitLab features, allows organizations to require two-person approvals before allowing code to be merged in.

Share this

Industry News

May 25, 2023

Red Hat announced new capabilities for Red Hat OpenShift AI.

May 25, 2023

Pipedrive announced the launch of Developer Hub, a centralized online app development platform for technology partners and developers.

May 25, 2023

Delinea announced the latest version of Cloud Suite, part of its Server PAM solution, which provides privileged access to and authorization for servers.

May 24, 2023

Red Hat announced Red Hat Service Interconnect, simplifying application connectivity and security across platforms, clusters and clouds.

May 24, 2023

Teleport announced Teleport 13, the latest version of its Teleport Access Platform to enhance security and reduce operational overhead for DevOps teams responsible for securing cloud infrastructure.

May 24, 2023

Kasten by Veeam announced the release of its new Kasten K10 V6.0 Kubernetes data protection platform.

May 23, 2023

Red Hat announced Red Hat Developer Hub, an enterprise-grade, unified and open portal designed to streamline the development process through a supported and opinionated framework.

May 23, 2023

Pegasystems announced Pega GenAI™ – a set of 20 new generative AI-powered boosters to be integrated across Pega Infinity™ ‘23, the latest version of Pega’s product suite built on its low-code platform for AI-powered decisioning and workflow automation.

May 23, 2023

Appdome announced Build-to-Test which enables mobile developers to streamline the testing of cybersecurity features in mobile apps.

May 23, 2023

Garden released major product advancements to make it easier to write and automate portable pipelines for Kubernetes.

May 22, 2023

Check Point Software Technologies announced the general availability of its industry-leading Next-Generation Cloud Firewall natively integrated with Microsoft Azure Virtual WAN to provide customers with top-notch security.

May 22, 2023

The International Business and Quality Management Institute LLC (IBQMI®) introduced the IBQMI CERTIFIED DEVOPS MANAGER® certification program.

May 22, 2023

GitLab announced the launch of GitLab 16, its latest major release.

May 22, 2023

Mendix, a Siemens business, will unveil Mendix 10, the next major release of the low-code development platform, on June 27, 2023.

May 18, 2023

Opsera announced Patty Hatter as President and Chief Operating Officer (COO).