Published on: April 30, 2024
The U.S. government's initiative to ensure greater security in software products turns one. Find out what GitLab has done to align with this critical effort.
When the Cybersecurity and Infrastructure Security Agency (CISA) first published its Secure by Design software protection initiative on April 13, 2023, the industry paid close attention. The initiative urges all software manufacturers to take the steps necessary to ensure that the products they ship are, in fact, secure by design. At GitLab, we quickly assessed our alignment with the initiative and over the past year have continued to innovate in accordance with CISA's guidelines.
CISA's Secure by Design introduced three software security principles:
Take ownership of customer security outcomes.
Embrace radical transparency and accountability.
Build organizational structure and leadership to achieve these goals.
The U.S. government has produced significant guidance throughout the past year that reflects the Secure by Design theme. Here are just a few highlights:
GitLab has also continued to grow in alignment with the Secure by Design initiative over the past year. Here are some examples.
GitLab is proud to have signed the CISA Secure by Design Pledge.
"The Secure by Design concepts are well-aligned with GitLab's core values. As the most comprehensive AI-powered DevSecOps platform, GitLab offers its unwavering support towards CISA’s efforts to instill a Secure by Design mindset in software manufacturers. GitLab is proud to make the Secure by Design Pledge, and we firmly believe these efforts will help us enable everyone to innovate and succeed on a safe, secure, and trusted DevSecOps platform," said GitLab Chief Information Security Officer Josh Lemos.
Configuring and securing installations and users can be a challenge. GitLab developed granular user access with custom user roles and customizable permissions. Management of tokens, API service accounts, and credentials has been a focus area, with continuous improvements and more rigorous authentication security capabilities throughout the year.
With every release, GitLab has incrementally enhanced scanning accuracy, coverage, and capabilities across our entire suite of security analyzers.
Some scan results are presented in the developer's context (such as the IDE), which simplifies workflows and shifts security further left.
CI/CD pipeline capabilities, which have been expanded and simplified, ensure better functionality while also bolstering security and compliance with enforcement and policies.
Vulnerability management provides better views at scale, improved filtering, and more options to take action against vulnerability findings.
Artifact attestations provide a trustworthy authentication of each software artifact.
Each GitLab release demonstrated increased focus on compliance. Enhanced auditing and event streaming provide accountability across the entire SDLC. Compliance teams are now better equipped to proactively align to requirements, thanks to increased policy management, workflow automation, visibility via compliance reporting, and exportability of data.
Here are some of the features and capabilities that align with Secure by Design.
GitLab’s dynamic software bill of materials focus improved SBOM generation while adding third-party SBOM intake capabilities. This also led to the ability to combine SBOMs, as well as to provide full attestation for standardized SBOM artifacts. Enhancements such as cross-project dependency visibility and dependency graphs enabled a better view of SBOM risk at scale. Continuous vulnerability scanning for SBOMs was also added during the past year, providing ongoing insight into emerging risks for projects that are not under continuous development – no CI/CD pipeline required.
Notable improvements can be seen in vulnerability management, as GitLab product updates increased visibility into vulnerabilities at scale, added flexibility to filtering, and added remediation detail options. With GitLab Duo, our AI-powered suite of features, AI-assisted vulnerability remediation is taking a dramatic step forward.
Speaking of AI, we deployed many GitLab Duo features during the past year that can help expedite Secure by Design execution, including:
GitLab continues to embrace its Transparency value by creating the GitLab Trust Center and the GitLab AI Transparency Center. These public-facing pages provide radical transparency into GitLab's values, ethics, feature details, and compliance statements – including a NIST Secure Software Development Framework self-attestation letter.
As Secure by Design enters its second year, we look forward to additional guidance and initiatives from CISA and other government agencies that will provide users around the world with more securely developed software.
Want to test-drive GitLab's security features? Try GitLab Ultimate for free for 30 days.