Browse posts that include the security tag
Top 10 GitLab technical blogs of 2023
2023 was a big year! Catch up on expert insights into DevSecOps, AI, CI/CD, and more.
The 2023 bug bounty year in review
GitLab's bug bounty program had an incredible year. Learn more about the prizes awarded and the bug reporters who won them.
U.S. Navy Black Pearl: Lessons in championing DevSecOps
Sigma Defense built a managed service software factory environment for the military using GitLab as its DevSecOps platform. Here's what they learned.
4 ways AI can help DevOps teams improve security
Find out how DevOps teams are using artificial intelligence and machine learning to improve security, minimize risk, and ship more secure code.
How GitLab's Red Team automates C2 testing
Learn how to apply professional development practices to Red Teams using open source command and control tools.
GitLab, Second Front Systems speed secure development on DoD networks
GitLab Ultimate leverages Second Front and AWS GovCloud to help orgs deliver software compliant with DoD Impact Levels 4 and 5.
Stealth operations: The evolution of GitLab's Red Team
We discuss how GitLab's Red Team has matured over the years, evolving from opportunistic hacking to stealth adversary emulation.
Dunelm strengthens business by enhancing its DevSecOps culture
Learn how a major UK retailer is using GitLab to ensure everyone in their DevSecOps teams can work together, increasing speed, security, and trust.
Tips to configure browser-based DAST scans
Learn how to use the browser-based analyzer with common dynamic application security testing settings, based on web application attributes, to ensure successful scans.
GitLab’s response to a high severity vulnerability impacting curl and libcurl
Learn about CVE-2023-38545, which leverages a heap buffer overflow through the SOCKS5 protocol, and what it means for GitLab customers.
Ask a hacker - 0xn3va
Vladislav Nechakhin or @0xn3va, one of our top 10 hacker contributors, joined us for an AMA and details his approach and strategy for bug bounty hunting.
Unmasking password attacks at GitLab
Our security team has identified an increased volume of password attacks against GitLab.com on the OAuth API endpoint since September 22, 2023. Learn more.
How GitLab supports NSA and CISA CI/CD security guidance
GitLab can support your alignment with NSA and CISA CI/CD recommendations and best practices for cloud-based DevSecOps environments.
The ultimate guide to enabling SAML and SSO on GitLab.com
Learn how to make full use of SAML and SSO security features on the GitLab DevSecOps platform.
Streamline security with keyless signing and verification in GitLab
Our partnership with Sigstore means that with just a few lines in a yml file, GitLab customers can make their development environment more secure.
How GitLab can support your ISO 27001 compliance journey
As a strategic partner, GitLab's software security features can help support your ISO 27001 compliance.
Use GitLab and MITRE ATT&CK Navigator to visualize adversary techniques
This tutorial helps build and deploy a customized version of MITRE's ATT&CK Navigator using GitLab CI/CD and GitLab Pages.
The backstory on GitLab's security hardening documentation
GitLab has detailed documentation about how to harden your instance, now as a part of GitLab itself. Here's how it came to be.
SecureFlag integrated with GitLab for rapid vulnerability remediation
Empower developers with hands-on security training within the DevSecOps platform.
What to know about a fake job scam impersonating GitLab
GitLab Security is aware of a fake GitLab job scam, ultimately requesting job seekers pay thousands of dollars for 'technology equipment.' Here's how to spot it.
GitLab extends Omnibus package signing key expiration to 2024
Our GPG key will now expire on July 1, 2024. Here's what you need to know.
How Secret Detection can proactively revoke leaked credentials
GitLab extends Secret Detection capabilities to customers on Google Cloud.
How to harden your self-managed GitLab instance
Learn seven easy steps to ensure your self-managed GitLab instance is as secure as possible.
FinServ startup Constantinople uses DevSecOps to build in security
With a DevSecOps platform, Constantinople has minimized security and compliance risks while maximizing efficiency.
Protestware threats: How to protect your software supply chain
Some people protest for change by changing code others depend on throughout the software supply chain. Learn more about protestware, its impact, and how to protect against it.
Velocity with guardrails: AI, automation, and removing the security and speed tradeoff
Learn what 'velocity with guardrails' means for you and how the DevSecOps Platform's features support your need for security and speed.
How to secure memory-safe vs. manually managed languages
Learn how GitLab reduces source code risk using scanning, vulnerability management, and other key features.
How to action security vulnerabilities in GitLab Premium
Learn step-by-step how to process detected vulnerabilities and spawn merge request approval rules from critical vulnerabilities.
How to strengthen security by applying DevSecOps principles
Learn how to apply DevSecOps principles today and discover the power of DevSecOps.
It’s time to really put the Sec in DevSecOps
Organizations may tack on security to DevOps but unless they wholly integrate it, they will miss out on DevSecOps benefits.
Git security audit: Inside the hunt for - and discovery of - CVEs
Get a behind-the-scenes look at how I helped discover the vulnerability that became CVE-2022-41903.
Monitor your web attack surface with GitLab CI/CD and GitLab Pages
Use this tutorial to build an automated web application screenshot report.
Secret Detection update: Leaked Personal Access Tokens will soon be revoked
Learn about upcoming changes to better protect GitLab users and organizations.
Why 2022 was a record-breaking year in bug bounty awards
Find out about the researchers who together earned more than $1 million USD in prizes and their bug hunting contributions.
How we boosted WebAuthn adoption from 20 percent to 93 percent in two days
With phishing campaigns on the rise across the industry, we accelerated rollout of a program to further enhance our security hygiene program. This is how we did it.
Top challenges to securing the software supply chain
Learn what organizations should keep in mind while incorporating software supply chain security into their software development lifecycle.
New OpenSSL 3.0 vulnerabilities: What you need to know to find and fix them
Learn how to identify your risk for CVE-2022-3786 and CVE-2022-3602.
The ultimate guide to SBOMs
Learn what a software bill of materials is and why it has become an integral part of modern software development.
Meet the demand for SBOMs and supply chain security with GitLab and Rezilion
Learn the role of SBOMs in helping to secure your software supply chain and how to generate them with the GitLab + Rezilion integration.
Introducing the infrastructure bill of materials
Pair IBoMs and SBOMs for a more secure software supply chain.
The ultimate guide to software supply chain security
Coupling DevSecOps with software supply chain security results in the advanced protection organizations need.
Give it a go: Capture the flag for $20K USD in our bug bounty program
We created a private project containing a file with a flag. Use a permission-related vulnerability to bypass access control (without user interaction) and read the flag for a $20K USD bonus.
Want to start hacking? Here's how to quickly dive in
We asked one of our top 10 hacker contributors, Johan Carlsson, to share his novel approach to bug bounty hunting.
Top 5 compliance features to leverage in GitLab
Highlighting features we use daily, our security team outlines 5 ways to configure your GitLab instance for increased security and compliance.
GitLab's commitment to enhanced application security in the modern DevOps world
Security abounds in our latest DevOps platform release, GitLab 15.
Terraform as part of the software supply chain, Part 1 - Modules and Providers
We examine the supply chain aspects of Terraform, starting with a closer look at malicious Terraform modules and providers and how you can better secure them.
GitLab extends Omnibus package signing key expiration by one year
Our GPG key will now expire on July 1, 2023. Here's what you need to know.
How we run Red Team operations remotely
Our team shares the process and templates that drive our successful red team ops in our all-remote environment.
Updates regarding Rubygems ‘Unauthorized gem takeover for some gems’ vulnerability CVE-2022-29176
Actions we've taken to investigate the Rubygems takeover vulnerability.
Updates regarding Spring remote code execution vulnerabilities CVE-2022-22965 and CVE-2022-22963
Actions we've taken to investigate the Spring RCE vulnerabilities.
How to ensure separation of duties and enforce compliance with GitLab
Use your DevOps platform to help maintain compliance without compromising on development speed.
Comply with NIST's secure software supply chain framework with GitLab
The U.S. government's Secure Software Development Framework has four key practices. GitLab's DevOps platform has features to address them all.
How GitLab's integration with Rezilion reduces vulnerability backlog and identifies exploitable risks
The native integration helps developers detect and remediate vulnerabilities that are exploitable early on in the development process.
Action we've taken in response to a potential Okta breach
Actions we've taken to investigate a potential Okta breach.
Security hygiene best practices for GitLab users
Security hygiene measures that GitLab.com and Self-managed users should consider implementing.
How to enhance supply chain security with GitLab and TestifySec
New alliance partner TestifySec makes Witness available in GitLab.
Fantastic Infrastructure as Code security attacks and how to find them
Learn about possible attack scenarios in Infrastructure as Code and GitOps environments, evaluate tools and scanners with Terraform, Kubernetes, etc., and more.
How GitLab handles security bugs (and why it matters)
Learn what makes our approach to handling and transparently disclosing security bugs unique.
Introducing a community-driven advisory database for third-party software dependencies
The advisory data can be readily adopted, adapted, and exchanged. Learn more here.
Introducing GitLab’s supply chain security direction and landscape
Learn about software supply chain security at GitLab.
Detecting and alerting on anomalies in your container host with GitLab + Falco
Learn how to install and use Falco to detect anomalies in your containers.
How to tailor SAST and Secret Detection to your application context with custom rulesets
How you can use GitLab custom rulesets to customize security scanners to your needs.
GitLab Security in 2021: protect, enhance, certify and strengthen
Join our Security team as we review how we worked to keep GitLab, and our community, secure this past year.
Updates and actions to address Log4j CVE-2021-44228 and CVE-2021-45046 in GitLab
Actions we’ve taken to investigate and mitigate the impact of Log4j, and actions our users can take.
How to use GitLab security features to detect log4j vulnerabilities
Detailed guidance to help customers detect vulnerabilities.
2021: Smashing bugs and dropping names
We take a look at some of the big things that happened in our Bug Bounty program this last year and celebrate the contributions of the bug bounty hunters who make it all possible.
How GitLab successfully expanded our SOC 2 Type II Trust Services Report Criteria
Here's how we expanded our SOC 2 Type 2 and SOC 3 reports.
Deep dive: the tech stack behind Spamcheck
We take a closer look at the tooling, technical choices, metrics and lessons learned behind our new anti-abuse tool.
Action needed by self-managed customers in response to CVE-2021-22205
Self-managed users using outdated versions should update immediately.
Our 3rd annual bug bounty contest: the swagtastic sequel to the sequel
We’re running a bug bounty contest November 1 through December 3. Find a bug and be entered to win some sweet custom swag. What’s better than a contest? Increased bounty ranges!
How we’re using DAST 2 for easier scan configuration and reduced noise
Our security team upgraded to GitLab’s DAST 2. Here’s how and why we did it.
Threat modeling the Kubernetes Agent: from MVC to continuous improvement
Learn how we put our threat model into action iteratively and expanded the process into a full-fledged standalone activity.
SemVer versioning: how we handled it with linear interval arithmetic
SemVer versioning made it difficult to automate processing. We turned to linear interval arithmetic to come up with a unified, language-agnostic semantic versioning approach.
How to write and continuously test vulnerability detection rules for SAST
Interns with the Google Summer of Code helped GitLab transition from our old SAST tools to Semgrep.
Why are developers so vulnerable to drive-by attacks?
The complexity of developer working environments makes them more likely to be vulnerable to a drive-by attack. We talk about why, walk you through a real-life example from a recent disclosure here at GitLab, and provide tips to reduce the risk and impact of drive-by attacks.
How to secure your software build pipeline using code signing
The Venafi plugin for GitLab enables single sign-on and digital signatures to better secure your app.
How a new integration helps GitLab customers secure their code
GitLab Ultimate customers can use CodeSonar from GrammaTech for SAST and to bake protection into every stage of software development.
Introducing Spamcheck: A data-driven, anti-abuse engine
How we built, tested and deployed a new tool on GitLab that fights spam and abuse.
How I use analogy to design for highly technical spaces
Just how much does a designer need to know about a technical space or product to design for it?
Meet Package Hunter: A tool for detecting malicious code in your dependencies
We developed, tested and open sourced a new tool to analyze program dependencies and protect the supply chain.
Are you ready for the newest era of DevSecOps?
DevSecOps is about more than shifting security testing to developers. Can you secure your software development end-to-end?
How we’re creating a threat model framework that works for GitLab
As usual, we’re creating our own path in how we handle our threat modeling, approaching development both iteratively and collaboratively, and seriously shifting left with our framework and processes.
A brief look at Gitpod, two bugs, and a quick fix
Our security researcher takes a look at Gitpod and finds some access tokens under the carpet.
GitLab extends Omnibus package signing key expiration date from 2021 to 2022
Our GPG key will now expire on July 1, 2022. Here's what you need to know.
The GPG key used to sign GitLab Runner packages has been rotated
Out of an abundance of caution we’ve rotated the impacted keys and tokens.
How do bug bounty hunters use GitLab to help their hack?
We know GitLab is a complete open source DevOps platform, but can it improve your hack? We chat with three bug bounty hunters to find out.
A deep dive into how we investigate and secure GitLab packages
Supply chain attacks aren't new, but that doesn't mean extra vigilance and protection aren't needed. We take a look at how we secure our packages and registries.