Our AppSec team built and ran a CTF, and now it's available for you to play at home.

When tasked to compare security tools, it's critical to understand what's a fair benchmark. We take you step-by-step through WebGoat's lessons and compare them to SAST and DAST results.

We walk you through how to configure WhiteSource in your GitLab instance to enhance your application security.

Containers are increasingly popular – and increasingly vulnerable. Using four threat scenarios, we step through how GitLab's built-in security features will make containers safer.

Learn how to call Jenkins jobs from GitLab and configure deterministic security jobs.

Learn about GitLab's commitment to security and compliance, our security program maturity and accreditations.

Default settings on products can be massively helpful. However, when it comes to hardening your GitLab instance, we’ve got some helpful configuration recommendations from our security team.

We’re transparent by default, and just completed our first SOC 2 Type 1 audit! How does our public-first stance affect our compliance efforts and impact an audit?

Open source software presents unique security challenges. Here’s what you need to know.

Your guide to abusing 'language barriers' between web components.

From why we chose Okta to issues around data fluidity, here are answers to your most-asked ZT questions.

A Red Team exercise on exploiting design decisions on GCP.

GitLab is thrilled to announce our membership in the OWASP Foundation.

Our bug bounty program has grown, expanded and matured in the past 5 years. A lot can happen in a million dollars’ time.

Our red team has created a new tool to find sensitive data in the vast, wide-open.

Cheers, our bug bounty program is celebrating one year!

How to exploit a path traversal issue to gain an admin account

Use GitLab to control your toolchain sprawl, improve team communication and productivity, and secure your DevOps lifecycle.

We're now offering higher bounties for critical and high severity reports.

We take a look back at how far we've come in our ZTN implementation, and at the progress we still need to make.

Implementing change in an already working environment always brings its fair share of growing pains. What happens when that change is Zero Trust?

You talked. We listened. Quicker bug bounty payouts and we're holding a contest for our hackers!

How we’re defining and aligning data zones in our Zero Trust implementation.

The classification of data is a huge step in the right direction when it comes to handling Zero Trust, but it comes with its own set of challenges.

An example of how to automate instrumented fuzzing with American Fuzzy Lop using pipelines.

We map out our Zero Trust goals, the challenges we expect to encounter along the way, and how we plan to address them.

Six months into our public bug bounty program, we're taking stock of what's working and where we can make improvements.

We’ve implemented and adapted an open source compliance framework. Now we're sharing our process and tools so you can adapt and customize it too.

What are the challenges and rewards of working security for a growing, cloud native company? We grill one of our senior security engineers.

What’s it like working day and night to kill spam, Bitcoin mining, malware and more? Meet our security team.

Where does today's tech transformation leave tomorrow's security compliance? A senior security analyst tackles the question.

What’s it like working to secure one of the most transparent organizations in the world? Meet our security team.

Independent vs aggregate? Determining the most effective security controls approach for any organization has many considerations.

Four months since going public with our bug bounty program, we dive into where we’re at, what success looks like, and what to expect down the road.

How I learned to iterate quickly during my first week at GitLab.

A closer look at GitLab’s security scanning tools and the HIPAA risk analysis.

How we responded to a vulnerability in group runner registration tokens.

Zero Trust may be one of the hottest topics in security today, but it's not exactly new. Here's a history.

How we responded to a vulnerability in quick actions for issues that can expose project runner registration tokens to unauthorized users.

See how we created our new Security Analyst persona, and how we are already putting it to use.