Published on April 30, 2024

Happy birthday, Secure by Design!

The U.S. government's initiative to ensure greater security in software products turns one. Find out what GitLab has done to align with this critical effort.


When the Cybersecurity and Infrastructure Security Agency (CISA) first published its Secure by Design software protection initiative on April 13, 2023, the industry paid close attention. The initiative urges all software manufacturers to take the steps necessary to ensure that the products they ship are, in fact, secure by design. At GitLab, we quickly assessed our alignment with the initiative and over the past year have continued to innovate in accordance with CISA's guidelines.

CISA's Secure by Design introduced three software security principles:

  1. Take ownership of customer security outcomes.
  2. Embrace radical transparency and accountability.
  3. Build organizational structure and leadership to achieve these goals.

A year of government guidance

The U.S. government has produced significant guidance throughout the past year that reflects the Secure by Design theme. Here are just a few highlights:

How GitLab has evolved with the Secure by Design initiative

GitLab has also continued to grow in alignment with the Secure by Design initiative over the past year. Here are some examples.

GitLab signed the Secure by Design Pledge

GitLab is proud to have signed the CISA Secure by Design Pledge.

"The Secure by Design concepts are well-aligned with GitLab's core values. As the most comprehensive AI-powered DevSecOps platform, GitLab offers its unwavering support towards CISA’s efforts to instill a Secure by Design mindset in software manufacturers. GitLab is proud to make the Secure by Design Pledge, and we firmly believe these efforts will help us enable everyone to innovate and succeed on a safe, secure, and trusted DevSecOps platform," said GitLab Chief Information Security Officer Josh Lemos.

"Secure by default" practices

Configuring and securing installations and users can be a challenge. GitLab developed granular user access with custom user roles and customizable permissions. Management of tokens, API service accounts, and credentials has been a focus area, with continuous improvements and more rigorous authentication security capabilities delivered throughout the year.

Secure software development practices

With every release, GitLab has incrementally enhanced scanning accuracy, coverage, and capabilities across our entire suite of security analyzers.

Secure business practices

Each GitLab release demonstrated increased focus on compliance. Enhanced auditing and event streaming provide accountability across the entire SDLC. Compliance teams are now better equipped to proactively align to requirements, thanks to increased policy management, workflow automation, visibility via compliance reporting, and exportability of data.

GitLab's Secure by Design features

Here are some of the features and capabilities that align with Secure by Design.

SBOMs

GitLab's focus on dynamic software bills of materials improved SBOM generation while adding third-party SBOM intake capabilities. This also led to the ability to combine SBOMs and to provide full attestation for standardized SBOM artifacts. Enhancements such as cross-project dependency visibility and dependency graphs enabled a better view of SBOM risk at scale. Continuous vulnerability scanning for SBOMs was also added during the past year, providing continuous insight into emergent risks for projects that are not under active development, with no CI/CD pipeline required.

Vulnerability management

Notable improvements can be seen in vulnerability management, as GitLab product updates increased visibility into vulnerabilities at scale, added flexibility to filtering, and added remediation detail options. With GitLab Duo, our AI-powered suite of features, AI-assisted vulnerability remediation is taking a dramatic step forward.

AI-powered workflows

Speaking of AI, we deployed many GitLab Duo features during the past year that can help expedite Secure by Design execution, including:

  1. Code Suggestions - Use natural language processing to generate new code.
  2. Code Explanation - Discover what that uncommented code does in order to properly maintain code bases and provide contextually aware product updates.
  3. Code Refactoring - Refactor legacy code bases into new libraries, functions, or memory-safe languages.
  4. Vulnerability Explanation - Understand the impact of a vulnerability and why it is creating risk to enable more accurate and thorough remediation.
  5. Vulnerability Resolution - Automatically resolve vulnerabilities to save significant amounts of time.
  6. Root Cause Analysis - Determine the root cause of a pipeline failure or a failed CI/CD build.

Radical transparency

GitLab continues to embrace its Transparency value by creating the GitLab Trust Center and the GitLab AI Transparency Center. These public-facing pages provide radical transparency into GitLab's values, ethics, feature details, and compliance statements, including a NIST Secure Software Development Framework self-attestation letter.

What's next?

As Secure by Design enters its second year, we look forward to additional guidance and initiatives from CISA and other government agencies that will provide users around the world with more securely developed software.

Want to test-drive GitLab's security features? Try GitLab Ultimate for free for 30 days.
