2020 was a highly productive, high-impact year that brought a number of security enhancements across GitLab's product and environment.
Our primary goal of strengthening GitLab's enterprise-grade security was accomplished through the implementation of numerous security controls and led to the successful completion of our first SOC 2 Type 2 attestation. We completed a two-month field security study that consumed and aggregated data from current and prospective customers, the broader community, the industry and several internal stakeholders (sales, support and product) to generate a report with prioritized areas of focus for our SaaS service. Our teams have started strategic work aligned to these priorities, designed to further enhance security in our enterprise service, strengthen our competitive position and bolster the trust and confidence of our customers.
We also saw advancements in our goal of reducing the threat landscape. Vulnerability management was dramatically improved across all aspects of security, including application security (reduced time to mitigate, fewer total vulnerabilities and fewer high-severity vulnerabilities), infrastructure security (improved scanning capabilities and detection accuracy, and reduced time to patching and mitigation) and bug bounty (increased engagement, improved response and remediation). We implemented an industry-leading governance, risk and compliance tool that improved the effectiveness and efficiency of risk management and third-party vendor reviews. As a result, we saw a substantial improvement in customer adoption and third-party security scoring.
As we look ahead into 2021, we will continue to focus on strengthening the security of GitLab Core and SaaS through a number of new and improved security features and services. Further, we will ambitiously pursue a host of compliance certifications to independently validate the security controls implemented to protect company and customer data. Lastly, we continue to strive to be, and assert ourselves as, the most transparent security organization in the world. We are committed to finding creative and innovative ways of sharing our approach to security openly in our publicly available handbook and blogs.
Stronger intel for increased visibility, detection and response
Next gen SIEM
In October, our [Security Incident Response team (SIRT)](/handbook/security/#sirt