Blog Security

Browse posts from Security

gitlabflatlogomap.png
GitLab Trust Center: Welcome to self-service customer assurance The single, unified trust center provides access to security and privacy collateral, streamlined questionnaire submissions, an interactive knowledge base, and GitLab updates. Author: Joseph Longo Read Post
Security securitycheck.png

The 2023 bug bounty year in review

GitLab's bug bounty program had an incredible year. Learn more about the prizes awarded and the bug reporters who won them.

Security security-cover-new.png

GitLab Security Release: 16.6.2, 16.5.4, 16.4.4

Learn more about GitLab Security Release: 16.6.2, 16.5.4, 16.4.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Security built-in-security.jpeg

How GitLab's Red Team automates C2 testing

Learn how to apply professional development practices to Red Teams using open source command and control tools.

Security security-cover-new.png

GitLab, Second Front Systems speed secure development on DoD networks

GitLab Ultimate leverages Second Front and AWS GovCloud to help orgs deliver software compliant with DoD Impact Levels 4 and 5.

Security securitycheck.png

Stealth operations: The evolution of GitLab's Red Team

We discuss how GitLab's Red Team has matured over the years, evolving from opportunistic hacking to stealth adversary emulation.

Security securitycheck.png

Tips to configure browser-based DAST scans

Learn how to use the browser-based analyzer with common dynamic application security testing settings, based on web application attributes, to ensure successful scans.

Security securitycheck.png

Enterprise-scale security and compliance policy management in the AI era

A look at how GitLab Security Policy Management can help your security and compliance keep up with the pace of software development.

Security securityscreen.jpg

GitLab’s response to a high severity vulnerability impacting curl and libcurl

Learn about CVE-2023-38545, which leverages a heap buffer overflow through the SOCKS5 protocol, and what it means for GitLab customers.

Security applicationsecurity.png

Introducing GitLab browser-based active checks in DAST

As of GitLab 16.4, or DAST 4.0.9, browser-based DAST active scans will search for path traversal vulnerabilities using the GitLab check 22.1 instead of the ZAP alert 6.

Security cover-fotis-fotopoulos.png

Ask a hacker - 0xn3va

Vladislav Nechakhin or @0xn3va, one of our top 10 hacker contributors, joined us for an AMA and details his approach and strategy for bug bounty hunting.

Security security-checklist.png

Unmasking password attacks at GitLab

Our security team has identified an increased volume of password attacks against GitLab.com on the OAuth API endpoint since September 22, 2023. Learn more.

Security vaultimage.png

How GitLab supports NSA and CISA CI/CD security guidance

GitLab can support your alignment with NSA and CISA CI/CD recommendations and best practices for cloud-based DevSecOps environments.

Security cover-1800x945.png

The ultimate guide to enabling SAML and SSO on GitLab.com

Learn how to make full use of SAML and SSO security features on the GitLab DevSecOps platform.

Security security-checklist.png

Streamline security with keyless signing and verification in GitLab

Our partnership with Sigstore means that with just a few lines in a yml file, GitLab customers can make their development environment more secure.

Security security-cover-new.png

How GitLab can support your ISO 27001 compliance journey

As a strategic partner, GitLab's software security features can help support your ISO 27001 compliance.

Security securitycompliance.jpeg

Meet regulatory standards with GitLab compliance & security policy management

Compliance is more than one-off audits; it's a continuous process of efficiently managing risk by implementing guardrails and monitoring specific metrics.

Security built-in-security.jpeg

Use GitLab and MITRE ATT&CK Navigator to visualize adversary techniques

This tutorial helps build and deploy a customized version of MITRE's ATT&CK Navigator using GitLab CI/CD and GitLab Pages.

Security built-in-security.jpeg

The backstory on GitLab's security hardening documentation

GitLab has detailed documentation about how to harden your instance, now as a part of GitLab itself. Here's how it came to be.

Security security-pipelines.jpg

How GitLab can help you prepare for your SOC 2 audit

Learn about features in the DevSecOps platform geared toward a SOC2 audit.

Security cover_image_secureflag.png

SecureFlag integrated with GitLab for rapid vulnerability remediation

Empower developers with hands-on security training within the DevSecOps platform.

Security security-pipelines.jpg

How OIDC can simplify authentication of GitLab CI/CD pipelines with Google Cloud

OpenID Connect can sometimes be complex, but it's the safer and recommended way to authenticate your GitLab pipeline with Google Cloud. This tutorial shows you how.

Security cicd-2018_blogimage.jpg

Managing multiple environments with Terraform and GitLab CI

This tutorial shows how to set up and manage three different environments in one project using GitLab CI and Terraform.

Security security-checklist.png

How Secret Detection can proactively revoke leaked credentials

GitLab extends Secret Detection capabilities to customers on Google Cloud.

Security security-pipelines.jpg

The ultimate guide to securing your code on GitLab.com

This in-depth tutorial, complete with best practices, will help you secure your development environment.

Security investment.jpg

FinServ startup Constantinople uses DevSecOps to build in security

With a DevSecOps platform, Constantinople has minimized security and compliance risks while maximizing efficiency.

Security built-in-security.jpeg

Velocity with guardrails: AI, automation, and removing the security and speed tradeoff

Learn what 'velocity with guardrails' means for you and how the DevSecOps Platform's features support your need for security and speed.

Security securityscreen.jpg

How to secure memory-safe vs. manually managed languages

Learn how GitLab reduces source code risk using scanning, vulnerability management, and other key features.

Security security-pipelines.jpg

How to action security vulnerabilities in GitLab Premium

Learn step-by-step how to process detected vulnerabilities and spawn merge request approval rules from critical vulnerabilities.

Security akshay-nanavati-Zq6HerrBPEs-unsplash.jpg

Is the National Cybersecurity Strategy a wake-up call for software developers?

The new White House policy puts liability for poor security on software makers. Learn how DevSecOps can protect your organization.

Security cicd-2018_blogimage.jpg

Software supply chain security practices seeing only modest adoption

DORA Accelerate State of DevOps report shows opportunity lies within better security practices, including a focus on culture.

Security closeup-photo-of-black-and-blue-keyboard-1194713.jpg

Git security audit: Inside the hunt for - and discovery of - CVEs

Get a behind-the-scenes look at how I helped discover the vulnerability that became CVE-2022-41903.

Security aleks-dahlberg-glass-unsplash.jpeg

Monitor your web attack surface with GitLab CI/CD and GitLab Pages

Use this tutorial to build an automated web application screenshot report.

Security inside-gitLab-public-bug-bounty-program.png

Why 2022 was a record-breaking year in bug bounty awards

Find out about the researchers who together earned more than $1 million USD in prizes and their bug hunting contributions.

Security container-security.jpg

Achieve SLSA Level 2 compliance with GitLab

Compliance mandates call for controls to prevent software tampering, improve integrity of builds and artifacts, and support attestation. Here's how GitLab can help.

Security webauthn.jpg

How we boosted WebAuthn adoption from 20 percent to 93 percent in two days

With phishing campaigns on the rise across the industry, we accelerated rollout of a program to further enhance our security hygiene program. This is how we did it.

Security faster-cycle-times.jpg

Top challenges to securing the software supply chain

Learn what organizations should keep in mind while incorporating software supply chain security into their software development lifecycle.

Security locks.jpg

New OpenSSL 3.0 vulnerabilities: What you need to know to find and fix them

Learn how to identify your risk for CVE-2022-3786 and CVE-2022-3602.

Security blog-compliance.jpg

The ultimate guide to SBOMs

Learn what a software bill of materials is and why it has become an integral part of modern software development.

Security jessica-lewis-fJXv46LT7Xk-unsplash.jpeg

Meet the demand for SBOMs and supply chain security with GitLab and Rezilion

Learn the role of SBOMs in helping to secure your software supply chain and how to generate them with the GitLab + Rezilion integration.

Security container-security.jpg

GitLab and Let's Encrypt partner to improve website security

Learn how to add a Let's Encrypt TLS certificate to a website hosted and managed via GitLab Pages.

Security ibom.jpg

Introducing the infrastructure bill of materials

Pair IBoMs and SBOMs for a more secure software supply chain.

Security sigmund-i2VgGp5BwJg-unsplash.jpeg

Give it a go: Capture the flag for $20K USD in our bug bounty program

We created a private project containing a file with a flag. Use a permission-related vulnerability to bypass access control (without user interaction) and read the flag for a $20K USD bonus.

Security workflow-tips-security-quality-cover.jpg

GitLab adds further measures to combat credential stuffing and other types of platform abuse

Integration of fraud detection and prevention tool into authentication flow increases risk reduction.

Security devopszerotrust.jpg

Why DevOps and zero trust go together

Learn how DevOps and zero trust have matured into a solid pairing and the security considerations that come into play.

Security auto-deploy-google-cloud.jpg

The importance of compliance in DevOps

A basic understanding of what compliance means and how it impacts DevOps.

Security blog-compliance.jpg

Securing the software supply chain through automated attestation

Standards bodies want to know how orgs are protecting against software tampering. Learn how automating compliance attestation can help.

Security hack-gtlab-keyboard.png

Want to start hacking? Here's how to quickly dive in

We asked one of our top 10 hacker contributors, Johan Carlsson, to share his novel approach to bug bounty hunting.

Security pexels-5strike.jpeg

Top 5 compliance features to leverage in GitLab

Highlighting features we use daily, our security team outlines 5 ways to configure your GitLab instance for increased security and compliance.

Security blog-compliance.jpg

Tackle a Plan of Actions and Milestones with GitLab’s risk management features

The One DevOps Platform helps identify interdependencies and vulnerabilities as required by government compliance frameworks.

Security gl15.jpg

Use Streaming Audit Events to connect your technology stack with GitLab and Pipedream

Automation lets your DevSecOps teams have logic in place for how to handle events as they come in.

Security gl15.jpg

GitLab's commitment to enhanced application security in the modern DevOps world

Security abounds in our latest DevOps platform release, GitLab 15.

Security pexels-mateusz-dach-353641.jpeg

Terraform as part of the software supply chain, Part 1 - Modules and Providers

We examine the supply chain aspects of Terraform, starting with a closer look at malicious Terraform modules and providers and how you can better secure them.

Security pexels-andrey-grushnikov-707676_crop.jpeg

How we run Red Team operations remotely

Our team shares the process and templates that drive our successful red team ops in our all-remote environment.

Security locks.jpg

One DevOps platform can help you achieve DevSecOps

GitLab drives innovation in the AST market to secure cloud-native applications.

Security security-cover.png

Updates regarding Rubygems ‘Unauthorized gem takeover for some gems’ vulnerability CVE-2022-29176

Actions we've taken to investigate the Rubygems takeover vulnerability.

Security security-cover.png

Updates regarding Spring remote code execution vulnerabilities CVE-2022-22965 and CVE-2022-22963

Actions we've taken to investigate the Spring RCE vulnerabilities.

Security maarten-van-den-heuvel-8EzNkvLQosk-unsplash.jpg

How to ensure separation of duties and enforce compliance with GitLab

Use your DevOps platform to help maintain compliance without compromising on development speed.

Security container-security.jpg

Comply with NIST's secure software supply chain framework with GitLab

The U.S. government's Secure Software Development Framework has four key practices. GitLab's DevOps platform has features to address them all.

Security faster-cycle-times.jpg

How GitLab's integration with Rezilion reduces vulnerability backlog and identifies exploitable risks

The native integration helps developers detect and remediate vulnerabilities that are exploitable early on in the development process.

Security security-cover.png

Action we've taken in response to a potential Okta breach

Actions we've taken to investigate a potential Okta breach.

Security security-cover.png

Security hygiene best practices for GitLab users

Security hygiene measures that GitLab.com and Self-managed users should consider implementing.

Security aleks-dahlberg-glass-unsplash.jpeg

How GitLab handles security bugs (and why it matters)

Learn what makes our approach to handling and transparently disclosing security bugs unique.

Security handshake.png

Introducing a community-driven advisory database for third-party software dependencies

The advisory data can be readily adopted, adapted, and exchanged. Learn more here.

Security GitLab-Sec.png

GitLab’s newest continuous compliance features bolster software supply chain security

Business leaders and DevOps teams can continuously mitigate the risk of cloud-native environments and use guard rails to automate software compliance.

Security jeremy-bishop-FzrlPh20l7Q-unsplash.jpg

Using the GitLab GraphQL API for vulnerability reporting

Follow along as we teach you how to use GitLab GraphQL API to manage vulnerabilities programatically.

Security tanuki-bg-full.png

Detecting and alerting on anomalies in your container host with GitLab + Falco

Learn how to install and use Falco to detect anomalies in your containers

Security GitLab-Sec.png

How elite DevOps teams secure the software supply chain

The time is now to integrate security into your DevOps processes - your business will be better for it.

Security customize.png

How to tailor SAST and Secret Detection to your application context with custom rulesets

How you can use GitLab custom rulesets to customize security scanners to your needs.

Security security-year-in-review-2021.png

GitLab Security in 2021: protect, enhance, certify and strengthen

Join our Security team as we review how we worked to keep GitLab, and our community, secure this past year.

Security security-cover.png

Updates and actions to address Log4j CVE 2021 44228 and CVE 2021 45046 in GitLab

Actions we’ve taken to investigate and mitigate the impact of Log4j, and actions our users can take.

Security 3-bug-bounty-3-years-blog.png

2021: Smashing bugs and dropping names

We take a look at some of the big things that happened in our Bug Bounty program this last year and celebrate the contributions of the bug bounty hunters who make it all possible.

Security security-cameras.jpg

How GitLab successfully expanded our SOC 2 Type II Trust Services Report Criteria

Here's how we expanded our SOC 2 Type 2 and SOC 3 reports.

Security Blog fallback hero

GitLab Technical Certifications program wins 5 awards at LearnX Conference

GitLab's Tech Certification programs won 5 different awards at this year's LearnX conference.

Security gitlabultimatesecurity.jpg

Three things you might not know about GitLab security

There's so much more to GitLab's security offering than meets the eye. Here are three features you may have missed.

Security vincent-toesca-KnK98ScsZbU-unsplash.jpeg

Deep dive: the tech stack behind Spamcheck

We take a closer look at the tooling, technical choices, metrics and lessons learned behind our new anti-abuse tool.

Security joshua-golde-qIu77BsFdds-unsplash.jpg

Top five actions engineers should take based on the OWASP Top 10 2021 security updates

Learn what actions engineers should take based on the OWASP Top 10 updates for 2021

Security security-cover.png

Action needed by self-managed customers in response to CVE-2021-22205

Self-managed users using outdated versions should update immediately.

Security BB-3rd-Anniversary-blog-header.png

Our 3rd annual bug bounty contest: the swagtastic sequel to the sequel

We’re running a bug bounty contest November 1 thru December 3. Find a bug and be entered to win some sweet custom swag. What’s better than a contest? Increased bounty ranges!

Security pexels-chernaya-575.jpeg

How we’re using DAST 2 for easier scan configuration and reduced noise

Our security team upgraded to GitLab’s DAST 2. Here’s how and why we did it.

Security security-cover.png

Notice for GitKraken users with GitLab

How we responded to Axosoft’s GitKraken software vulnerability affecting SSH keys and actions users should take.

Security pexels-jesus-miron-garcia-3043592.jpeg

Threat modeling the Kubernetes Agent: from MVC to continuous improvement

Learn how we put our threat model into action iteratively and expanded the process into a full-fledged standalone activity.

Security Blog fallback hero

SemVer versioning: how we handled it with linear interval arithmetic

SemVer versioning made it difficult to automate processing. We turned to linear interval arithmetic to come up with a unified, language-agnostic semantic versioning approach.

Security anomaly-detection-cover.png

How to write and continuously test vulnerability detection rules for SAST

Interns with the Google Summer of Code helped GitLab transition from our old SAST tools to Semgrep.

Security pexels-pixabay-434450.jpg

Why are developers so vulnerable to drive-by attacks?

The complexity of developer working environments make them more likely to be vulnerable to a drive-by attack. We talk about why and walk you through a real-life example from a recent disclosure here at GitLab, and provide tips to reduce the risk and impact of drive-by attacks.

Security venafi_coverimage.jpg

How to secure your software build pipeline using code signing

The Venafi plugin for GitLab enables single sign-on and digital signatures to better secure your app.

Security lionello-delpiccolo-unsplash.jpeg

Introducing Spamcheck: A data-driven, anti-abuse engine

How we built, tested and deployed a new tool on GitLab that fights spam and abuse.

Security solarpanels.jpg

How DevSecOps can protect businesses from future supply chain attacks

Learn how GitLab's all-in-one DevSecOps solution can help businesses keep their supply chains secure.

Security package-hunter.png

Meet Package Hunter: A tool for detecting malicious code in your dependencies

We developed, tested and open sourced a new tool to analyze program dependencies and protect the supply chain.

Security pexels-nathan-j-hilton.jpeg

How we’re creating a threat model framework that works for GitLab

As usual, we’re creating our own path in how we handle our threat modeling, approaching development both iteratively and collaboratively, and seriously shifting left with our framework and processes.

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

New to GitLab and not sure where to start?

Get started guide

Learn about what GitLab can do for your team

Talk to an expert