We take a closer look at the tooling, technical choices, metrics and lessons learned behind our new anti-abuse tool.
Learn what actions engineers should take based on the OWASP Top 10 updates for 2021
Self-managed users using outdated versions should update immediately.
We’re running a bug bounty contest November 1 through December 3. Find a bug and be entered to win some sweet custom swag. What’s better than a contest? Increased bounty ranges!
Our security team upgraded to GitLab’s DAST 2. Here’s how and why we did it.
Learn how we put our threat model into action iteratively and expanded the process into a full-fledged standalone activity.
How we responded to Axosoft’s GitKraken software vulnerability affecting SSH keys and actions users should take.
SemVer versioning made it difficult to automate processing. We turned to linear interval arithmetic to come up with a unified, language-agnostic semantic versioning approach.
Interns with the Google Summer of Code helped GitLab transition from our old SAST tools to Semgrep.
The complexity of developer working environments makes them more likely to be vulnerable to a drive-by attack. We talk about why, walk you through a real-life example from a recent disclosure here at GitLab, and provide tips to reduce the risk and impact of drive-by attacks.
The Venafi plugin for GitLab enables single sign-on and digital signatures to better secure your app.
How we built, tested and deployed a new tool on GitLab that fights spam and abuse.
Learn how GitLab's all-in-one DevSecOps solution can help businesses keep their supply chains secure.
We developed, tested and open sourced a new tool to analyze program dependencies and protect the supply chain.
As usual, we’re creating our own path in how we handle our threat modeling, approaching development both iteratively and collaboratively, and seriously shifting left with our framework and processes.
Our security researcher takes a look at Gitpod and finds some access tokens under the carpet.