Blog Security Happy birthday, Secure by Design!
Published on: April 30, 2024
5 min read

Happy birthday, Secure by Design!

The U.S. government's initiative to ensure greater security in software products turns one. Find out what GitLab has done to align with this critical effort.


When the Cybersecurity and Infrastructure Security Agency (CISA) first published its Secure by Design software protection initiative on April 13, 2023, the industry paid close attention. The initiative urges all software manufacturers to take the steps necessary to ensure that the products they ship are, in fact, secure by design. At GitLab, we quickly assessed our alignment with the initiative and over the past year have continued to innovate in accordance with CISA's guidelines.

CISA's Secure by Design introduced three software security principles:

  1. Take ownership of customer security outcomes.

  2. Embrace radical transparency and accountability.

  3. Build organizational structure and leadership to achieve these goals.

A year of government guidance

The U.S. government has produced significant guidance throughout the past year that reflects the Secure by Design theme. Here are just a few highlights:

How GitLab has evolved with the Secure by Design initiative

GitLab has also continued to grow in alignment with the Secure by Design initiative over the past year. Here are some examples.

GitLab signed the Secure by Design Pledge

GitLab is proud to have signed the CISA Secure by Design Pledge.

"The Secure by Design concepts are well-aligned with GitLab's core values. As the most comprehensive AI-powered DevSecOps platform, GitLab offers its unwavering support towards CISA’s efforts to instill a Secure by Design mindset in software manufacturers. GitLab is proud to make the Secure by Design Pledge, and we firmly believe these efforts will help us enable everyone to innovate and succeed on a safe, secure, and trusted DevSecOps platform," said GitLab Chief Information Security Officer Josh Lemos.

"Secure by default" practices

Configuring and securing installations and users can be a challenge. GitLab developed granular user access with custom user roles and customizable permissions. Management of tokens, API service accounts, and credentials have been in focus with continuous improvements and more rigorous authentication security capabilities throughout the year.

Secure software development practices

With every release, GitLab has incrementally enhanced scanning accuracy, coverage, and capabilities across our entire suite of security analyzers.

Secure business practices

Each GitLab release demonstrated increased focus on compliance. Enhanced auditing and event streaming provide accountability across the entire SDLC. Compliance teams are now better equipped to proactively align to requirements, thanks to increased policy management, workflow automation, visibility via compliance reporting, and exportability of data.

GitLab's Secure by Design features

Here are some of the features and capabilities that align with Secure by Design.


GitLab’s dynamic software bill of materials focus improved SBOM generation while adding third-party SBOM intake capabilities. This also led to the ability to combine SBOMs, as well as to provide full attestation for standardized SBOM artifacts. Enhancements such as cross-project dependency visibility as well as dependency graphs enabled a better view of SBOM risk at scale. Continuous vulnerability scanning for SBOMs was also added during the past year, providing continuous insights for emergent risks for projects that are not under continuous development – no CI/CD pipeline required.

Vulnerability management

Notable improvements can be seen in vulnerability management as GitLab product updates increased visibility to vulnerabilities at scale, added flexibility to filtering, and added remediation detail options. With GitLab Duo, our AI-powered suite of features, AI-assisted vulnerability remediation is taking a dramatic step forward.

AI-powered workflows

Speaking of AI, we deployed many GitLab Duo features during the past year that can help expedite Secure by Design execution, including:

  1. Code Suggestions - Use natural language processing to generate new code.
  2. Code Explanation - Discover what that uncommented code does in order to properly maintain code bases and provide contextually aware product updates.
  3. Code Refactoring - Refactor legacy code bases into new libraries, functions, or memory-safe languages.
  4. Vulnerability Explanation - Understand the impact of a vulnerability and why it is creating risk to enable more accurate and thorough remediation.
  5. Vulnerability Resolution - Automatically resolve vulnerabilities to save significant amounts of time.
  6. Root Cause Analysis - Determine the root cause for a pipeline failure and failed CI/CD build.

Radical transparency

GitLab continues to embrace its Transparency value by creating the GitLab Trust Center and the GitLab AI Transparency Center. These public-facing pages provide radical transparency to GitLab's values, ethics, feature details, and compliance statements – including a NIST Secure Software Development Framework self-attestation letter.

What's next?

As Secure by Design enters its second year, we look forward to additional guidance and initiatives from CISA and other government agencies that will provide users around the world with more securely developed software.

Want to test-drive GitLab's security features? Try GitLab Ultimate for free for 30 days.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

New to GitLab and not sure where to start?

Get started guide

Learn about what GitLab can do for your team

Talk to an expert