Published on: January 22, 2025
12 min read
Understand the application security features in the GitLab DevSecOps platform that map to System and Organization Controls 2 requirements.
For businesses that handle sensitive customer information, achieving SOC 2 (System and Organization Controls 2) compliance is not just a good practice — it's often a necessity. SOC 2 is a rigorous auditing standard developed by the American Institute of Certified Public Accountants that assesses a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy.
While SOC 2 is not legally mandated, it has become increasingly important, in part due to breaches consistently seen in news headlines. Obtaining SOC 2 compliance allows customers to build trust with service organizations because they know their data is being properly stored and security controls have been assessed by a third party.
In this guide, we'll review the requirements for obtaining SOC 2 compliance and how GitLab can help your organization meet the highest standards for application security.
The compliance process involves an audit by an independent auditor who evaluates the design and operating effectiveness of an organization's controls. This process can be very costly, and many organizations are not sufficiently prepared before an audit. With the SOC 2 audit process typically taking close to a year, it is important to establish an efficient pre-audit process.
To obtain SOC 2 compliance, an organization must meet requirements based on the Trust Services Criteria:
Criteria | Requirements |
---|---|
Security | - Implement controls to protect against unauthorized access - Establish procedures for identifying and mitigating risks - Set up systems for detecting and addressing security incidents |
Availability | - Ensure systems are accessible for operation as agreed - Monitor current usage and capacity - Identify and address environmental threats that could affect system availability |
Process integrity | - Maintain accurate records of system inputs and outputs - Implement procedures to quickly identify and correct system errors - Define processing activities to ensure products and services meet specifications |
Confidentiality | - Identify and protect confidential information - Establish policies for data retention periods - Implement secure methods for destroying confidential data after retention periods expire |
Privacy | - Obtain consent before collecting sensitive personal information - Communicate privacy policies clearly and in plain language - Collect data only through legal means and from reliable sources |
Note that these requirements are not one-time achievements, but rather a continuous process. Auditors will require control effectiveness over time.
GitLab provides several features off the board to get you started with assuring SOC 2 security needs are met:
Security Requirement | Addressing Feature |
---|---|
Implement controls to protect against unauthorized access | - Confidential Issues and Merge Requests - Custom Roles and Granular Permissions - Security Policies - Verified Commit - Signed Container Images - CodeOwners - Protected Branches |
Set up systems for detecting and addressing security incidents | - Vulnerability Scanning - Merge Request Security Widget - Vulnerability Insights Compliance Center - Audit Events - Vulnerability Report Dependency List - AI: Vulnerability Explanation - AI: Vulnerability Resolution |
Establish procedures for identifying and mitigating risks | All the above tools can be used by a security team to establish a procedure around what to do when security vulnerabilities are identified and how they are mitigated. |
Implementing robust access controls is essential for protecting an organization's assets, ensuring regulatory compliance, maintaining operational continuity, and fostering trust. GitLab allows you to implement controls to follow the principle of least privilege, securing against unauthorized access. I will briefly cover:
GitLab's security policies, known as guardrails, enable security and compliance teams to implement consistent controls across their organization, helping prevent security incidents, maintain compliance standards, and reduce risk by automatically enforcing security best practices at scale.
The following policy types are available:
Here is an example of ensuring compliance with the pipeline execution policy:
Learn how to create security policies with our security policy documentation.
Custom permissions in GitLab allow organizations to create fine-grained access controls beyond the standard role-based permissions, providing benefits such as:
Learn how to create custom roles with granular permissions using our custom role documentation.
GitLab helps you further control who can change your code using two key features:
Together, these features help keep your code secure and high-quality by making sure the right people review and approve changes.
Learn how to create protected branches along with CodeOwners using protected branch and codeowner documentation.
When you sign your commits digitally, you prove they really came from you, not someone pretending to be you. Think of a digital signature like a unique stamp that only you can create. When you upload your public GPG key to GitLab, it can check this stamp. If the stamp matches, GitLab marks your commit as Verified
. You can then set up rules to reject commits that aren't signed, or block all commits from users who haven't verified their identity.
Commits can be signed with:
Learn more about verified commits with our signed commits documentation.
Setting up systems for detecting and addressing security incidents is vital for maintaining a robust security posture, ensuring regulatory compliance, minimizing potential damages, and enabling organizations to respond effectively to the ever-evolving threat landscape.
GitLab provides security scanning and vulnerability management for the complete application lifecycle. I will briefly cover:
GitLab provides a variety of different security scanners that cover the complete lifecycle of your application:
These scanners can be added to your pipeline via the use of templates. For example, to run SAST and dependency scanning jobs in the test stage, simply add the following to your .gitlab-ci.yml:
stages:
- test
include:
- template: Jobs/Dependency-Scanning.gitlab-ci.yml
- template: Jobs/SAST.gitlab-ci.yml
These jobs are fully configurable via environment variables and using GitLab job syntax. Once a pipeline kicks off, the security scanners run and detect vulnerabilities in the diff between the current branch and the target branch. The vulnerability can be seen in a merge request (MR), providing detailed oversight before the code is merged to the target branch. The MR will provide the following information on a vulnerability:
Developers can use this data to remediate vulnerabilities without slowing down security team workflows. Developers can dismiss a vulnerability with reasoning, speeding up the review process, or they can create a confidential issue to track the vulnerability.
If the code in an MR is merged to the default (usually production-level) branch, then the vulnerability report is populated with the security scanner results. These results can be used by security teams to manage and triage the vulnerabilities found in production.
When clicking on a vulnerability description within the vulnerability report, you are provided with the vulnerability page, which contains the same vulnerability data as the MR, allowing for a single source of truth when assessing impact and performing remediation. From the vulnerability page, GitLab Duo AI features can be used to explain the vulnerability and also create an MR to remediate, speeding up resolution time.
Learn more about the security scanners included with GitLab and how to manage vulnerabilities in our application security documentation.
GitLab can create a detailed list of everything your software uses – kind of like an ingredients list for your code. This list, called a software bill of materials (SBOM), shows you all the external code your project depends on, including the parts you directly use and their own dependencies. For each item, you can see which version you're using, what license it has, and whether it has any known security problems. This helps you keep track of what's in your software and spot potential risks.
Learn how to access and use the dependency list with our dependency list documentation.
GitLab keeps track of everything that happens in your system such as who made changes, what they changed, and when they did it. Think of it like a security camera for your code. This record helps you:
All of this information is stored in one place, making it easy to review and investigate when needed. For example, you can use audit events to track:
Learn more about audit events, see the audit events documentation.
GitLab's Security Dashboard works like a control room that shows you all your security risks in one place. Instead of checking different security tools separately, you can see all their findings together on one screen. This makes it easy to spot and fix security problems across all your projects.
Learn more about security dashboards with our security dashboard documentation.
Vulnerabilities go through a specific lifecycle. For example, a part of the procedure can be to require approval for any vulnerable code to be merged to protected branches using security policies. Then the procedure can state that vulnerable code detected in production must be prioritized, assessed, remediated, and then validated:
While every organization's needs are different, leveraging GitLab as a platform, risks can be quickly identified and addressed with reduced risk when compared to using a sprawl of disparate tools.
Achieving SOC 2 compliance is a significant undertaking, but the benefits are undeniable. By demonstrating your commitment to application security and operational excellence, you can build trust with customers, enhance your reputation, and gain a competitive edge in the marketplace.
To learn more about GitLab and how we can help achieve SOCv2 compliance while enhancing your security posture, check out the following resources: