How GitLab's Red Team automates C2 testing
Learn how to apply professional development practices to Red Teams using open source command and control tools.
Stealth operations: The evolution of GitLab's Red Team
We discuss how GitLab's Red Team has matured over the years, evolving from opportunistic hacking to stealth adversary emulation.
Tips to configure browser-based DAST scans
Learn how to use the browser-based analyzer with common dynamic application security testing settings, based on web application attributes, to ensure successful scans.
Enterprise-scale security and compliance policy management in the AI era
A look at how GitLab Security Policy Management can help your security and compliance keep up with the pace of software development.
GitLab’s response to a high severity vulnerability impacting curl and libcurl
Learn about CVE-2023-38545, which leverages a heap buffer overflow through the SOCKS5 protocol, and what it means for GitLab customers.
Introducing GitLab browser-based active checks in DAST
As of GitLab 16.4, or DAST 4.0.9, browser-based DAST active scans will search for path traversal vulnerabilities using the GitLab check 22.1 instead of the ZAP alert 6.
Ask a hacker - 0xn3va
Vladislav Nechakhin or @0xn3va, one of our top 10 hacker contributors, joined us for an AMA and details his approach and strategy for bug bounty hunting.
Unmasking password attacks at GitLab
Our security team has identified an increased volume of password attacks against GitLab.com on the OAuth API endpoint since September 22, 2023. Learn more.
How GitLab supports NSA and CISA CI/CD security guidance
GitLab can support your alignment with NSA and CISA CI/CD recommendations and best practices for cloud-based DevSecOps environments.
The ultimate guide to enabling SAML and SSO on GitLab.com
Learn how to make full use of SAML and SSO security features on the GitLab DevSecOps platform.
Streamline security with keyless signing and verification in GitLab
Our partnership with Sigstore means that with just a few lines in a yml file, GitLab customers can make their development environment more secure.
How GitLab can support your ISO 27001 compliance journey
As a strategic partner, GitLab's software security features can help support your ISO 27001 compliance.
Meet regulatory standards with GitLab compliance & security policy management
Compliance is more than one-off audits; it's a continuous process of efficiently managing risk by implementing guardrails and monitoring specific metrics.
Use GitLab and MITRE ATT&CK Navigator to visualize adversary techniques
This tutorial helps build and deploy a customized version of MITRE's ATT&CK Navigator using GitLab CI/CD and GitLab Pages.
The backstory on GitLab's security hardening documentation
GitLab has detailed documentation about how to harden your instance, now as a part of GitLab itself. Here's how it came to be.
How GitLab can help you prepare for your SOC 2 audit
Learn about features in the DevSecOps platform geared toward a SOC2 audit.
SecureFlag integrated with GitLab for rapid vulnerability remediation
Empower developers with hands-on security training within the DevSecOps platform.
How OIDC can simplify authentication of GitLab CI/CD pipelines with Google Cloud
OpenID Connect can sometimes be complex, but it's the safer and recommended way to authenticate your GitLab pipeline with Google Cloud. This tutorial shows you how.
Managing multiple environments with Terraform and GitLab CI
This tutorial shows how to set up and manage three different environments in one project using GitLab CI and Terraform.
How Secret Detection can proactively revoke leaked credentials
GitLab extends Secret Detection capabilities to customers on Google Cloud.
The ultimate guide to securing your code on GitLab.com
This in-depth tutorial, complete with best practices, will help you secure your development environment.
FinServ startup Constantinople uses DevSecOps to build in security
With a DevSecOps platform, Constantinople has minimized security and compliance risks while maximizing efficiency.
Velocity with guardrails: AI, automation, and removing the security and speed tradeoff
Learn what 'velocity with guardrails' means for you and how the DevSecOps Platform's features support your need for security and speed.
How to secure memory-safe vs. manually managed languages
Learn how GitLab reduces source code risk using scanning, vulnerability management, and other key features.
How to action security vulnerabilities in GitLab Premium
Learn step-by-step how to process detected vulnerabilities and spawn merge request approval rules from critical vulnerabilities.
Is the National Cybersecurity Strategy a wake-up call for software developers?
The new White House policy puts liability for poor security on software makers. Learn how DevSecOps can protect your organization.
Software supply chain security practices seeing only modest adoption
DORA Accelerate State of DevOps report shows opportunity lies within better security practices, including a focus on culture.
Git security audit: Inside the hunt for - and discovery of - CVEs
Get a behind-the-scenes look at how I helped discover the vulnerability that became CVE-2022-41903.
Monitor your web attack surface with GitLab CI/CD and GitLab Pages
Use this tutorial to build an automated web application screenshot report.
Why 2022 was a record-breaking year in bug bounty awards
Find out about the researchers who together earned more than $1 million USD in prizes and their bug hunting contributions.
Achieve SLSA Level 2 compliance with GitLab
Compliance mandates call for controls to prevent software tampering, improve integrity of builds and artifacts, and support attestation. Here's how GitLab can help.
How we boosted WebAuthn adoption from 20 percent to 93 percent in two days
With phishing campaigns on the rise across the industry, we accelerated rollout of a program to further enhance our security hygiene program. This is how we did it.
Top challenges to securing the software supply chain
Learn what organizations should keep in mind while incorporating software supply chain security into their software development lifecycle.
New OpenSSL 3.0 vulnerabilities: What you need to know to find and fix them
Learn how to identify your risk for CVE-2022-3786 and CVE-2022-3602.
The ultimate guide to SBOMs
Learn what a software bill of materials is and why it has become an integral part of modern software development.
Meet the demand for SBOMs and supply chain security with GitLab and Rezilion
Learn the role of SBOMs in helping to secure your software supply chain and how to generate them with the GitLab + Rezilion integration.
GitLab and Let's Encrypt partner to improve website security
Learn how to add a Let's Encrypt TLS certificate to a website hosted and managed via GitLab Pages.
Introducing the infrastructure bill of materials
Pair IBoMs and SBOMs for a more secure software supply chain.
Give it a go: Capture the flag for $20K USD in our bug bounty program
We created a private project containing a file with a flag. Use a permission-related vulnerability to bypass access control (without user interaction) and read the flag for a $20K USD bonus.
GitLab adds further measures to combat credential stuffing and other types of platform abuse
Integration of fraud detection and prevention tool into authentication flow increases risk reduction.
Why DevOps and zero trust go together
Learn how DevOps and zero trust have matured into a solid pairing and the security considerations that come into play.
The importance of compliance in DevOps
A basic understanding of what compliance means and how it impacts DevOps.
Securing the software supply chain through automated attestation
Standards bodies want to know how orgs are protecting against software tampering. Learn how automating compliance attestation can help.
Want to start hacking? Here's how to quickly dive in
We asked one of our top 10 hacker contributors, Johan Carlsson, to share his novel approach to bug bounty hunting.
Top 5 compliance features to leverage in GitLab
Highlighting features we use daily, our security team outlines 5 ways to configure your GitLab instance for increased security and compliance.
Tackle a Plan of Actions and Milestones with GitLab’s risk management features
The One DevOps Platform helps identify interdependencies and vulnerabilities as required by government compliance frameworks.
Use Streaming Audit Events to connect your technology stack with GitLab and Pipedream
Automation lets your DevSecOps teams have logic in place for how to handle events as they come in.
GitLab's commitment to enhanced application security in the modern DevOps world
Security abounds in our latest DevOps platform release, GitLab 15.
Terraform as part of the software supply chain, Part 1 - Modules and Providers
We examine the supply chain aspects of Terraform, starting with a closer look at malicious Terraform modules and providers and how you can better secure them.
How we run Red Team operations remotely
Our team shares the process and templates that drive our successful red team ops in our all-remote environment.
Updates regarding Rubygems ‘Unauthorized gem takeover for some gems’ vulnerability CVE-2022-29176
Actions we've taken to investigate the Rubygems takeover vulnerability.
One DevOps platform can help you achieve DevSecOps
GitLab drives innovation in the AST market to secure cloud-native applications.
Updates regarding Spring remote code execution vulnerabilities CVE-2022-22965 and CVE-2022-22963
Actions we've taken to investigate the Spring RCE vulnerabilities.
How to ensure separation of duties and enforce compliance with GitLab
Use your DevOps platform to help maintain compliance without compromising on development speed.
Comply with NIST's secure software supply chain framework with GitLab
The U.S. government's Secure Software Development Framework has four key practices. GitLab's DevOps platform has features to address them all.
How GitLab's integration with Rezilion reduces vulnerability backlog and identifies exploitable risks
The native integration helps developers detect and remediate vulnerabilities that are exploitable early on in the development process.
Action we've taken in response to a potential Okta breach
Actions we've taken to investigate a potential Okta breach.
Security hygiene best practices for GitLab users
Security hygiene measures that GitLab.com and Self-managed users should consider implementing.
How GitLab handles security bugs (and why it matters)
Learn what makes our approach to handling and transparently disclosing security bugs unique.
Introducing a community-driven advisory database for third-party software dependencies
The advisory data can be readily adopted, adapted, and exchanged. Learn more here.
GitLab’s newest continuous compliance features bolster software supply chain security
Business leaders and DevOps teams can continuously mitigate the risk of cloud-native environments and use guard rails to automate software compliance.
Using the GitLab GraphQL API for vulnerability reporting
Follow along as we teach you how to use GitLab GraphQL API to manage vulnerabilities programatically.
Detecting and alerting on anomalies in your container host with GitLab + Falco
Learn how to install and use Falco to detect anomalies in your containers
How elite DevOps teams secure the software supply chain
The time is now to integrate security into your DevOps processes - your business will be better for it.
How to tailor SAST and Secret Detection to your application context with custom rulesets
How you can use GitLab custom rulesets to customize security scanners to your needs.
GitLab Security in 2021: protect, enhance, certify and strengthen
Join our Security team as we review how we worked to keep GitLab, and our community, secure this past year.
Updates and actions to address Log4j CVE 2021 44228 and CVE 2021 45046 in GitLab
Actions we’ve taken to investigate and mitigate the impact of Log4j, and actions our users can take.
2021: Smashing bugs and dropping names
We take a look at some of the big things that happened in our Bug Bounty program this last year and celebrate the contributions of the bug bounty hunters who make it all possible.
How GitLab successfully expanded our SOC 2 Type II Trust Services Report Criteria
Here's how we expanded our SOC 2 Type 2 and SOC 3 reports.
GitLab Technical Certifications program wins 5 awards at LearnX Conference
GitLab's Tech Certification programs won 5 different awards at this year's LearnX conference.
Three things you might not know about GitLab security
There's so much more to GitLab's security offering than meets the eye. Here are three features you may have missed.
Deep dive: the tech stack behind Spamcheck
We take a closer look at the tooling, technical choices, metrics and lessons learned behind our new anti-abuse tool.
Top five actions engineers should take based on the OWASP Top 10 2021 security updates
Learn what actions engineers should take based on the OWASP Top 10 updates for 2021
Action needed by self-managed customers in response to CVE-2021-22205
Self-managed users using outdated versions should update immediately.
Our 3rd annual bug bounty contest: the swagtastic sequel to the sequel
We’re running a bug bounty contest November 1 thru December 3. Find a bug and be entered to win some sweet custom swag. What’s better than a contest? Increased bounty ranges!
How we’re using DAST 2 for easier scan configuration and reduced noise
Our security team upgraded to GitLab’s DAST 2. Here’s how and why we did it.
Threat modeling the Kubernetes Agent: from MVC to continuous improvement
Learn how we put our threat model into action iteratively and expanded the process into a full-fledged standalone activity.
SemVer versioning: how we handled it with linear interval arithmetic
SemVer versioning made it difficult to automate processing. We turned to linear interval arithmetic to come up with a unified, language-agnostic semantic versioning approach.
How to write and continuously test vulnerability detection rules for SAST
Interns with the Google Summer of Code helped GitLab transition from our old SAST tools to Semgrep.
Why are developers so vulnerable to drive-by attacks?
The complexity of developer working environments make them more likely to be vulnerable to a drive-by attack. We talk about why and walk you through a real-life example from a recent disclosure here at GitLab, and provide tips to reduce the risk and impact of drive-by attacks.
How to secure your software build pipeline using code signing
The Venafi plugin for GitLab enables single sign-on and digital signatures to better secure your app.
Introducing Spamcheck: A data-driven, anti-abuse engine
How we built, tested and deployed a new tool on GitLab that fights spam and abuse.
How DevSecOps can protect businesses from future supply chain attacks
Learn how GitLab's all-in-one DevSecOps solution can help businesses keep their supply chains secure.
Meet Package Hunter: A tool for detecting malicious code in your dependencies
We developed, tested and open sourced a new tool to analyze program dependencies and protect the supply chain.
How we’re creating a threat model framework that works for GitLab
As usual, we’re creating our own path in how we handle our threat modeling, approaching development both iteratively and collaboratively, and seriously shifting left with our framework and processes.
A brief look at Gitpod, two bugs, and a quick fix
Our security researcher takes a look at Gitpod and finds some access tokens under the carpet.
How do bug bounty hunters use GitLab to help their hack?
We know GitLab is a complete open source DevOps platform, but can it improve your hack? We chat with three bug bounty hunters to find out.
A deep dive into how we investigate and secure GitLab packages
Supply chain attacks aren't new, but that doesn't mean extra vigilance and protection aren't needed. We take a look at how we secure our packages and registries.