2021 has turned out to be another … interesting year, especially for those of us in the security industry. Like so many software companies in the business, much of our recent focus has shifted to collective, cross-organizational research efforts to identify, mitigate and help resolve the threat posed by the Log4j vulnerability (See our response, as well as our post where we detail how to use GitLab to detect Log4j vulnerabilities).
Thankfully though, 2021 was also focused on growing the Security department and adding additional teams and roles, bolstering enterprise SaaS security, reducing our threat landscape with improvements to supply chain security and APT threat protection, and fulfilling our mission of working to enable GitLab to succeed in the most secure way possible (see our vision and mission statements). We achieved impressive results through expansion of our security third-party certification and self-attestation portfolio, contribution of GitLab and customer-impacting product security features, and improved security across all teams and domains in our security program. Our security teams also focused on improving processes and programs that enable customers on their trust journey, educate and engage team members to contribute toward improving our security posture, and encourage and enable collaboration from our community to strengthen GitLab. These efforts have been successful due to the contributions of our talented and dedicated Security team members, as well as the groups and individuals we partner with each day, including our wider community. THANK YOU for making GitLab stronger!
## Improving assurance for the GitLab community
Our Security Assurance sub-department spent the last year working across our organization to pursue and complete certifications, test and strengthen governance, assess and manage risk, and provide overall support and enablement to GitLab teams and our customers through a number of initiatives.
## Certification portfolio expansion
Our Security Assurance team built on a successful 2020 by focusing on our ambitious pursuit of compliance certifications with the issuance of GitLab’s first SOC 2 Type 2/SOC 3 reports for the Security Trust Service Criteria (TSC) dated December 2020. Then, to support customers who need reports by the end of the calendar year, we adjusted our 2021 SOC reporting period to end on October 31st. For our most recent SOC reports we also added the Confidentiality TSC to further highlight the maturity of our operating environment.
In addition, we delivered our very first ISO/IEC 27001:2013 certification in 2021. Certification against this highly-regarded baseline security standard recognizes our proven commitment to the highest level of information security management.
Lastly, in alignment with our continued commitment to transparency, we publish all of our security certifications and attestations as part of GitLab’s Customer Assurance Package (learn more below).
## True, continuous control monitoring
Our Security Compliance team upgraded our GitLab Control Framework (GCF) in 2021 by adopting the Secure Control Framework (SCF) and moving into a new GRC tool: ZenGRC. This upgraded control framework has increased testing efficiency and allowed GitLab to meet our external compliance and regulatory obligations with minimal impact to our teams. This, along with our system/profile-based approach to testing, enabled us to achieve successful external audits and implement strong IT general controls (ITGCs) for SOX with a small team of highly skilled compliance engineers.
We believe our approach to control monitoring has a natural bias towards automation which allows our program to scale, along with GitLab. We’ve continued automating our compliance and regulatory workflows and, where possible, testing evidence as we work towards true continuous control monitoring with proactive alerting of control risks.
## Next generation customer assurance services
Our Field Security team deployed GitLab’s Trust Center and next generation Customer Assurance Package to further support our customers on their GitLab trust journey. As part of this effort we expanded our Customer Assurance Package to include the Standard Information Gathering (SIG) Lite pre-completed questionnaire, completed an ISO 20243 Self-Assessment for both our SaaS and Self Managed service offerings, and became a CSA STAR Trusted Cloud Service Provider. To support this program internally we dogfooded GitLab’s Service Desk module to deliver a more efficient way of monitoring, completing and responding to customer assurance requests.
For this group, 2022 will bring a heavy focus on tooling and automation in support of continued control monitoring, certification expansion and regulated market specialization.
## Shoring up our defenses
Our team of “breakers, builders, and defenders” in our [Security Operations sub-department](/handbook/security/#protect-the-company