Browse posts from Security

GitLab, Second Front Systems speed secure development on DoD networks GitLab Ultimate leverages Second Front and AWS GovCloud to help orgs deliver software compliant with DoD Impact Levels 4 and 5. Author: Brian Mason Read Post

How GitLab's Red Team automates C2 testing

Learn how to apply professional development practices to Red Teams using open source command and control tools.

Security

Stealth operations: The evolution of GitLab's Red Team

We discuss how GitLab's Red Team has matured over the years, evolving from opportunistic hacking to stealth adversary emulation.

Security

Tips to configure browser-based DAST scans

Learn how to use the browser-based analyzer with common dynamic application security testing settings, based on web application attributes, to ensure successful scans.

Security

Enterprise-scale security and compliance policy management in the AI era

A look at how GitLab Security Policy Management can help your security and compliance keep up with the pace of software development.

Security

GitLab’s response to a high severity vulnerability impacting curl and libcurl

Learn about CVE-2023-38545, which leverages a heap buffer overflow through the SOCKS5 protocol, and what it means for GitLab customers.

Security

Introducing GitLab browser-based active checks in DAST

As of GitLab 16.4, or DAST 4.0.9, browser-based DAST active scans will search for path traversal vulnerabilities using the GitLab check 22.1 instead of the ZAP alert 6.

Security

Ask a hacker - 0xn3va

Vladislav Nechakhin or @0xn3va, one of our top 10 hacker contributors, joined us for an AMA and details his approach and strategy for bug bounty hunting.

Security

Unmasking password attacks at GitLab

Our security team has identified an increased volume of password attacks against GitLab.com on the OAuth API endpoint since September 22, 2023. Learn more.

Security

How GitLab supports NSA and CISA CI/CD security guidance

GitLab can support your alignment with NSA and CISA CI/CD recommendations and best practices for cloud-based DevSecOps environments.

Security

The ultimate guide to enabling SAML and SSO on GitLab.com

Learn how to make full use of SAML and SSO security features on the GitLab DevSecOps platform.

Security

Streamline security with keyless signing and verification in GitLab

Our partnership with Sigstore means that with just a few lines in a yml file, GitLab customers can make their development environment more secure.

Security

How GitLab can support your ISO 27001 compliance journey

As a strategic partner, GitLab's software security features can help support your ISO 27001 compliance.

Security

Meet regulatory standards with GitLab compliance & security policy management

Compliance is more than one-off audits; it's a continuous process of efficiently managing risk by implementing guardrails and monitoring specific metrics.

Security

Use GitLab and MITRE ATT&CK Navigator to visualize adversary techniques

This tutorial helps build and deploy a customized version of MITRE's ATT&CK Navigator using GitLab CI/CD and GitLab Pages.

Security

The backstory on GitLab's security hardening documentation

GitLab has detailed documentation about how to harden your instance, now as a part of GitLab itself. Here's how it came to be.

Security

How GitLab can help you prepare for your SOC 2 audit

Learn about features in the DevSecOps platform geared toward a SOC2 audit.

Security

SecureFlag integrated with GitLab for rapid vulnerability remediation

Empower developers with hands-on security training within the DevSecOps platform.

Security

How OIDC can simplify authentication of GitLab CI/CD pipelines with Google Cloud

OpenID Connect can sometimes be complex, but it's the safer and recommended way to authenticate your GitLab pipeline with Google Cloud. This tutorial shows you how.

Security

Managing multiple environments with Terraform and GitLab CI

This tutorial shows how to set up and manage three different environments in one project using GitLab CI and Terraform.

Security

How Secret Detection can proactively revoke leaked credentials

GitLab extends Secret Detection capabilities to customers on Google Cloud.

Security

The ultimate guide to securing your code on GitLab.com

This in-depth tutorial, complete with best practices, will help you secure your development environment.

Security

FinServ startup Constantinople uses DevSecOps to build in security

With a DevSecOps platform, Constantinople has minimized security and compliance risks while maximizing efficiency.

Security

Velocity with guardrails: AI, automation, and removing the security and speed tradeoff

Learn what 'velocity with guardrails' means for you and how the DevSecOps Platform's features support your need for security and speed.

Security

How to secure memory-safe vs. manually managed languages

Learn how GitLab reduces source code risk using scanning, vulnerability management, and other key features.

Security

How to action security vulnerabilities in GitLab Premium

Learn step-by-step how to process detected vulnerabilities and spawn merge request approval rules from critical vulnerabilities.

Security

Is the National Cybersecurity Strategy a wake-up call for software developers?

The new White House policy puts liability for poor security on software makers. Learn how DevSecOps can protect your organization.

Security

Software supply chain security practices seeing only modest adoption

DORA Accelerate State of DevOps report shows opportunity lies within better security practices, including a focus on culture.

Security

Git security audit: Inside the hunt for - and discovery of - CVEs

Get a behind-the-scenes look at how I helped discover the vulnerability that became CVE-2022-41903.

Security

Monitor your web attack surface with GitLab CI/CD and GitLab Pages

Use this tutorial to build an automated web application screenshot report.

Security

Why 2022 was a record-breaking year in bug bounty awards

Find out about the researchers who together earned more than $1 million USD in prizes and their bug hunting contributions.

Security

Achieve SLSA Level 2 compliance with GitLab

Compliance mandates call for controls to prevent software tampering, improve integrity of builds and artifacts, and support attestation. Here's how GitLab can help.

Security

How we boosted WebAuthn adoption from 20 percent to 93 percent in two days

With phishing campaigns on the rise across the industry, we accelerated rollout of a program to further enhance our security hygiene program. This is how we did it.

Security

Top challenges to securing the software supply chain

Learn what organizations should keep in mind while incorporating software supply chain security into their software development lifecycle.

Security

New OpenSSL 3.0 vulnerabilities: What you need to know to find and fix them

Learn how to identify your risk for CVE-2022-3786 and CVE-2022-3602.

Security

The ultimate guide to SBOMs

Learn what a software bill of materials is and why it has become an integral part of modern software development.

Security

Meet the demand for SBOMs and supply chain security with GitLab and Rezilion

Learn the role of SBOMs in helping to secure your software supply chain and how to generate them with the GitLab + Rezilion integration.

Security

GitLab and Let's Encrypt partner to improve website security

Learn how to add a Let's Encrypt TLS certificate to a website hosted and managed via GitLab Pages.

Security

Introducing the infrastructure bill of materials

Pair IBoMs and SBOMs for a more secure software supply chain.

Security

Give it a go: Capture the flag for $20K USD in our bug bounty program

We created a private project containing a file with a flag. Use a permission-related vulnerability to bypass access control (without user interaction) and read the flag for a $20K USD bonus.

Security

GitLab adds further measures to combat credential stuffing and other types of platform abuse

Integration of fraud detection and prevention tool into authentication flow increases risk reduction.

Security

Why DevOps and zero trust go together

Learn how DevOps and zero trust have matured into a solid pairing and the security considerations that come into play.

Security

The importance of compliance in DevOps

A basic understanding of what compliance means and how it impacts DevOps.

Security

Securing the software supply chain through automated attestation

Standards bodies want to know how orgs are protecting against software tampering. Learn how automating compliance attestation can help.

Security

Want to start hacking? Here's how to quickly dive in

We asked one of our top 10 hacker contributors, Johan Carlsson, to share his novel approach to bug bounty hunting.

Security

Top 5 compliance features to leverage in GitLab

Highlighting features we use daily, our security team outlines 5 ways to configure your GitLab instance for increased security and compliance.

Security

Tackle a Plan of Actions and Milestones with GitLab’s risk management features

The One DevOps Platform helps identify interdependencies and vulnerabilities as required by government compliance frameworks.

Security

Use Streaming Audit Events to connect your technology stack with GitLab and Pipedream

Automation lets your DevSecOps teams have logic in place for how to handle events as they come in.

Security

GitLab's commitment to enhanced application security in the modern DevOps world

Security abounds in our latest DevOps platform release, GitLab 15.

Security

Terraform as part of the software supply chain, Part 1 - Modules and Providers

We examine the supply chain aspects of Terraform, starting with a closer look at malicious Terraform modules and providers and how you can better secure them.

Security

How we run Red Team operations remotely

Our team shares the process and templates that drive our successful red team ops in our all-remote environment.

Security

Updates regarding Rubygems ‘Unauthorized gem takeover for some gems’ vulnerability CVE-2022-29176

Actions we've taken to investigate the Rubygems takeover vulnerability.

Security

One DevOps platform can help you achieve DevSecOps

GitLab drives innovation in the AST market to secure cloud-native applications.

Security

Updates regarding Spring remote code execution vulnerabilities CVE-2022-22965 and CVE-2022-22963

Actions we've taken to investigate the Spring RCE vulnerabilities.

Security

How to ensure separation of duties and enforce compliance with GitLab

Use your DevOps platform to help maintain compliance without compromising on development speed.

Security

Comply with NIST's secure software supply chain framework with GitLab

The U.S. government's Secure Software Development Framework has four key practices. GitLab's DevOps platform has features to address them all.

Security

How GitLab's integration with Rezilion reduces vulnerability backlog and identifies exploitable risks

The native integration helps developers detect and remediate vulnerabilities that are exploitable early on in the development process.

Security

Action we've taken in response to a potential Okta breach

Actions we've taken to investigate a potential Okta breach.

Security

Security hygiene best practices for GitLab users

Security hygiene measures that GitLab.com and Self-managed users should consider implementing.

Security

How GitLab handles security bugs (and why it matters)

Learn what makes our approach to handling and transparently disclosing security bugs unique.

Security

Introducing a community-driven advisory database for third-party software dependencies

The advisory data can be readily adopted, adapted, and exchanged. Learn more here.

Security

GitLab’s newest continuous compliance features bolster software supply chain security

Business leaders and DevOps teams can continuously mitigate the risk of cloud-native environments and use guard rails to automate software compliance.

Security

Using the GitLab GraphQL API for vulnerability reporting

Follow along as we teach you how to use GitLab GraphQL API to manage vulnerabilities programatically.

Security

Detecting and alerting on anomalies in your container host with GitLab + Falco

Learn how to install and use Falco to detect anomalies in your containers

Security

How elite DevOps teams secure the software supply chain

The time is now to integrate security into your DevOps processes - your business will be better for it.

Security

How to tailor SAST and Secret Detection to your application context with custom rulesets

How you can use GitLab custom rulesets to customize security scanners to your needs.

Security

GitLab Security in 2021: protect, enhance, certify and strengthen

Join our Security team as we review how we worked to keep GitLab, and our community, secure this past year.

Security

Updates and actions to address Log4j CVE 2021 44228 and CVE 2021 45046 in GitLab

Actions we’ve taken to investigate and mitigate the impact of Log4j, and actions our users can take.

Security

2021: Smashing bugs and dropping names

We take a look at some of the big things that happened in our Bug Bounty program this last year and celebrate the contributions of the bug bounty hunters who make it all possible.

Security

How GitLab successfully expanded our SOC 2 Type II Trust Services Report Criteria

Here's how we expanded our SOC 2 Type 2 and SOC 3 reports.

Security

GitLab Technical Certifications program wins 5 awards at LearnX Conference

GitLab's Tech Certification programs won 5 different awards at this year's LearnX conference.

Security

Three things you might not know about GitLab security

There's so much more to GitLab's security offering than meets the eye. Here are three features you may have missed.

Security

Deep dive: the tech stack behind Spamcheck

We take a closer look at the tooling, technical choices, metrics and lessons learned behind our new anti-abuse tool.

Security

Top five actions engineers should take based on the OWASP Top 10 2021 security updates

Learn what actions engineers should take based on the OWASP Top 10 updates for 2021

Security

Action needed by self-managed customers in response to CVE-2021-22205

Self-managed users using outdated versions should update immediately.

Security

Our 3rd annual bug bounty contest: the swagtastic sequel to the sequel

We’re running a bug bounty contest November 1 thru December 3. Find a bug and be entered to win some sweet custom swag. What’s better than a contest? Increased bounty ranges!

Security

How we’re using DAST 2 for easier scan configuration and reduced noise

Our security team upgraded to GitLab’s DAST 2. Here’s how and why we did it.

Security

Threat modeling the Kubernetes Agent: from MVC to continuous improvement

Learn how we put our threat model into action iteratively and expanded the process into a full-fledged standalone activity.

Security

SemVer versioning: how we handled it with linear interval arithmetic

SemVer versioning made it difficult to automate processing. We turned to linear interval arithmetic to come up with a unified, language-agnostic semantic versioning approach.

Security

How to write and continuously test vulnerability detection rules for SAST

Interns with the Google Summer of Code helped GitLab transition from our old SAST tools to Semgrep.

Security

Why are developers so vulnerable to drive-by attacks?

The complexity of developer working environments make them more likely to be vulnerable to a drive-by attack. We talk about why and walk you through a real-life example from a recent disclosure here at GitLab, and provide tips to reduce the risk and impact of drive-by attacks.

Security