Secure by Design principles meet DevSecOps innovation in GitLab 17
Published on: June 5, 2024
6 min read

GitLab reinforced its commitment to Secure by Design principles across key aspects of the software development lifecycle in its latest release, further protecting the software supply chain.


Secure by Design just turned one! Introduced by the Cybersecurity and Infrastructure Security Agency (CISA) a little over a year ago, Secure by Design principles serve as a directive for technology providers to embed security at the heart of their products from the outset of development. This approach is the clearest answer to cyberattacks, dramatically reducing the number of exploitable flaws before a product reaches the market for broad use or consumption. Cyberattacks can be more prevalent when businesses and vendors "bolt on" security as an afterthought, amplifying the need for Secure by Design solutions. With the launch of GitLab 17, we have strengthened our commitment to Secure by Design principles across five key aspects of the software development lifecycle. Although no supply chain is 100% immune to cyber threats, it is imperative to embrace a proactive security strategy to protect against persistent threats from malicious actors.


How GitLab 17 aligns with Secure by Design principles

1. Enhance secure coding practices

Fostering secure software development practices is a key element to CISA’s Secure by Design framework. CISA recommends alignment to the Secure Software Development Framework (SSDF) from the National Institute of Standards and Technology (NIST). GitLab’s robust application security scanners demonstrate strong default alignment to this framework. In GitLab 17, we added streamlined Static Application Security Testing (SAST) analyzer coverage for more languages, offering a simpler, more customizable scan experience. The recent acquisition of Oxeye enhances SAST accuracy, reducing false positives and offering actionable insights to tackle application-layer risks proactively. Other related improvements in GitLab 17 include API Security Testing analyzer updates, advanced vulnerability tracking for Secret Detection, and Dependency Scanning support for Android. GitLab also continues to improve its dynamic software bill of materials (SBOM) management capabilities.

2. Manage vulnerabilities at scale

Malicious actors capitalize on cost-effective tactics, leveraging basic vulnerabilities to cause widespread disruption. GitLab’s Vulnerability Report enables you to quantify risk across your portfolio in a single view, identifying key vulnerability details throughout your supply chain. Improvements to Vulnerability Report filtering in GitLab 17 increased usability of the report at scale. Actionable security findings are vital for developers to address critical weaknesses. GitLab provides vulnerability insights, security training for vulnerabilities, and vulnerability explanation.

3. Transition to memory-safe languages with AI

In a recent virtual panel with the Atlantic Council, CISA Senior Technical Advisor Jack Cable stated, "Technology manufacturers must focus on eliminating entire classes of vulnerability, rather than playing 'whack-a-mole' with their defects." CISA's Secure by Design whitepaper recommends that manufacturers take steps to eliminate one of the largest classes of vulnerabilities by migrating existing products to, and building new products in, memory-safe languages. A memory-safe language is a language where memory allocation and garbage collection are abstracted away from the developer and handled by the programming language itself. Such languages include Python, Java, and Go, to name a few. Vulnerabilities related to memory safety are the most common and dangerous. Technology manufacturers can effectively address vulnerabilities by integrating memory-safe language development practices. GitLab Duo, our suite of AI-powered features, provides AI-accelerated assistance for memory-safe code conversions:

  • Accelerate application development: GitLab Duo Code Explanation succinctly articulates code functionality in everyday language, helping developers understand code quickly and add value faster. GitLab Duo Code Suggestions assists developers in writing secure code efficiently and speeding up cycle times by handling repetitive coding tasks effectively.
  • Convert to memory-safe code: GitLab Duo Chat can help expedite memory-safe language refactoring by suggesting changes based on coding patterns, libraries, functions, algorithms, programming languages, performance, or vulnerabilities.
  • Secure AI-generated code: GitLab Duo Vulnerability Explanation provides clear insights into identified security issues, while GitLab Duo Vulnerability Resolution can automatically generate a merge request to mitigate a vulnerability.

In GitLab 17, we have also added the means to validate and track the impact of AI on your development progress through AI Impact Analytics.
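To make the "eliminate the class" argument concrete, here is an added Go example (not GitLab's code and not output of GitLab Duo) that fills a fixed-size record the way a C loop would, with no length check, and beside it the idiomatic memory-safe rewrite. The record size, payload and function names are constructed for illustration; the point is that the runtime refuses the out-of-bounds write instead of letting it silently corrupt adjacent memory.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed example: an 8-byte fixed record, the kind of structure that in C
// is filled with a manual index loop and overrun silently.
const recordSize = 8

var errTooLong = errors.New("payload exceeds record size")

// fillUnchecked mirrors the C idiom: write each input byte into the fixed array
// by index with no length check. In C this scribbles past the array; Go's
// bounds check turns the overrun into a panic, which we convert into an error
// so the caller sees a failure rather than corrupted memory.
func fillUnchecked(payload []byte) (rec [recordSize]byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("runtime caught out-of-bounds write: %v", r)
		}
	}()
	for i := 0; i < len(payload); i++ {
		rec[i] = payload[i] // panics when i >= recordSize
	}
	return rec, nil
}

// fillChecked is the idiomatic memory-safe rewrite: validate the length up
// front and use copy, which never writes past the destination slice.
func fillChecked(payload []byte) ([recordSize]byte, error) {
	var rec [recordSize]byte
	if len(payload) > recordSize {
		return rec, errTooLong
	}
	copy(rec[:], payload)
	return rec, nil
}

func main() {
	oversized := []byte("0123456789ABCDEF") // 16 bytes into an 8-byte record
	_, err := fillUnchecked(oversized)
	fmt.Println("unchecked:", err)
	_, err = fillChecked(oversized)
	fmt.Println("checked:", err)
}
```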

4. Align to the principle of least privilege

Aligning product deployment guides with zero trust architecture, such as the CISA Zero Trust Maturity Model, is a key recommendation in Secure by Design. In zero trust security, the principle of least privilege (PoLP) is a key element within the overarching framework. The PoLP is a concept in which a user's access rights should be limited to the bare minimum needed for them to complete the tasks required within their respective roles. By keeping a tight rein on user access rights, granting only the necessary permissions for their tasks, organizations uphold the core tenet of zero trust. Maintaining a clear separation of duties is the first step in upholding this principle. GitLab's policy management features empower security and compliance teams to oversee operations while defining responsibilities among security, compliance, legal, and engineering units. By implementing GitLab's security policies, development teams gain process flexibility, ensuring the delivery of stable, reliable, and high-quality code. With the ability to establish rules and policies tailored to the organization's unique needs, teams can utilize granular user roles, permissions, and customizable compliance settings for specific projects, groups, and individuals. GitLab 17 introduces enhanced governance controls via permissions customizations, reducing unnecessary privilege escalation.

How we are committed to Secure by Design principles

One of the principles of Secure by Design business practices is the notion of leading from the top. It's imperative for organizations to secure executive buy-in that places Secure by Design at the forefront of business priorities, nurturing an environment where security takes precedence. GitLab recently joined the ranks of technology leaders who signed CISA’s Secure by Design Pledge, showcasing our commitment to uphold CISA’s Secure by Design goals. This public commitment, paired with strategic investments, a culture of transparency, and product designs that prioritize security, fosters a robust security ethos that directly benefits end users. With the launch of GitLab 17, GitLab propels security and compliance solutions forward, harnessing AI advancements to empower clients to embrace a Secure by Design methodology with confidence.

Get familiar with GitLab's secure-by-design platform today with a free 30-day trial of GitLab Ultimate.
