Follow Us

Featured Post

Threat modeling the Kubernetes Agent: from MVC to continuous improvement

Learn how we put our threat model into action iteratively and expanded the process into a full-fledged standalone activity. Read on

Recent Posts

Post Image

Notice for GitKraken users with GitLab

Oct 11, 2021

How we responded to Axosoft’s GitKraken software vulnerability affecting SSH keys and actions users should take.

Post Image

SemVer versioning: how we handled it with linear interval arithmetic

Sep 28, 2021

SemVer versioning made it difficult to automate processing. We turned to linear interval arithmetic to come up with a unified, language-agnostic semantic versioning approach.

Post Image

How to write and continuously test vulnerability detection rules for SAST

Anshuman Singh and Julian Thome and Ross Fuhrman
Sep 8, 2021

Interns with the Google Summer of Code helped GitLab transition from our old SAST tools to Semgrep.

Post Image

Why are developers so vulnerable to drive-by attacks?

Sep 7, 2021

The complexity of developer working environments make them more likely to be vulnerable to a drive-by attack. We talk about why and walk you through a real-life example from a recent disclosure here at GitLab, and provide tips to reduce the risk and impact of drive-by attacks.

Post Image

How to secure your software build pipeline using code signing

Eddie Glenn
Aug 30, 2021

The Venafi plugin for GitLab enables single sign-on and digital signatures to better secure your app.

Post Image

Introducing Spamcheck: A data-driven, anti-abuse engine

Ethan Urie, Juliet Wanjohi, Jayson Salazar, Alex Groleau and Alexander Dietrich
Aug 19, 2021

How we built, tested and deployed a new tool on GitLab that fights spam and abuse.

Post Image

How DevSecOps can protect businesses from future supply chain attacks

Pedro Fortuna
Aug 18, 2021

Learn how GitLab's all-in-one DevSecOps solution can help businesses keep their supply chains secure.

Post Image

Meet Package Hunter: A tool for detecting malicious code in your dependencies

Jul 23, 2021

We developed, tested and open sourced a new tool to analyze program dependencies and protect the supply chain.

Post Image

How we’re creating a threat model framework that works for GitLab

Jul 9, 2021

As usual, we’re creating our own path in how we handle our threat modeling, approaching development both iteratively and collaboratively, and seriously shifting left with our framework and processes.

Post Image

A brief look at Gitpod, two bugs, and a quick fix

Jul 8, 2021

Our security researcher takes a look at Gitpod and finds some access tokens under the carpet.

Post Image

How do bug bounty hunters use GitLab to help their hack?

Jun 11, 2021

We know GitLab is a complete open source DevOps platform, but can it improve your hack? We chat with three bug bounty hunters to find out.

Post Image

A deep dive into how we investigate and secure GitLab packages

Supply chain attacks aren't new, but that doesn't mean extra vigilance and protection aren't needed. We take a look at how we secure our packages and registries.

Post Image

How we used GitLab values to develop a successful Security Awards Program

May 14, 2021

We built a program that encourages, recognizes, and awards a shared responsibility for security.

Post Image

How the Security Culture Committee is strengthening GitLab values

Dominic Couture, Mark Loveless, Joern Schneeweisz, Heather Simpson and Steve Truong
May 7, 2021

Learn how this group of team members works to preserve and reinforce GitLab values in the Security department and beyond.

Post Image

Inside the Bug Bounty Council at GitLab

Mar 16, 2021

We improve consistency across severity ratings and payouts in our bug bounty program with collaboration, iteration, and async communication.

Open in Web IDE View source