GitLab Releases Bevy of Security and Compliance Enhancements

If any good came out of the Log4j (Log4Shell) vulnerability and the SolarWinds attack, it was that they dramatically raised awareness of software supply chain security. A software supply chain is only as strong as its weakest exposed link, and often that link is a third-party library or service rather than code the organization wrote itself.

To help organizations bolster their CI/CD pipelines and better address software supply chain security (and avoid another Log4j-type incident), GitLab released a number of enhancements the vendor hopes will help organizations better secure their environments. GitLab said capabilities include security policy management, compliance management, events auditing, vulnerability management and a soon-to-be-available dependency management capability to help developers track dependency vulnerabilities in their software.

GitLab believes these governance capabilities, in conjunction with a comprehensive set of security testing capabilities such as static application security testing, secret detection, dynamic application security testing, API security, fuzz testing, dependency scanning, license compliance and container scanning, can help organizations achieve continuous security and compliance.

Among the most noteworthy announcements are enhancements aimed at vulnerability identification and secure development. The company said the upgrades help organizations automatically scan for vulnerabilities in source code, containers, dependencies and running applications, the last of these through DAST API scanning and API fuzzing.

DAST API and API fuzzing enable developers to scan applications within CI/CD pipelines to find both known and unknown defects/flaws. “With the recent addition of GraphQL schema support in 15.4, these API security scans help secure applications with minimal configuration compared to prior releases. Additional application security scanners include static application security testing, secret detection, container scanning, dependency scanning, infrastructure-as-code scanning, and coverage-guided fuzz testing,” GitLab said.
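As an added illustration (not from the article or from GitLab's announcement), the following shows what enabling both scanners against a GraphQL API looks like in a project's `.gitlab-ci.yml`, using the GitLab-maintained `Security/DAST-API.gitlab-ci.yml` and `Security/API-Fuzzing.gitlab-ci.yml` templates. The template names, stage names and variable names are those documented for GitLab 15.x; the target URL and the `/graphql` endpoint path are assumptions for the example, and every variable should be checked against the documentation for the GitLab version actually in use.

```yaml
# Added example: .gitlab-ci.yml fragment enabling GitLab DAST API scanning
# and API fuzzing against a GraphQL endpoint. Variable names follow the
# GitLab 15.x documentation for these templates; the URLs are placeholders.

stages:
  - build
  - test
  - deploy   # assumption: an existing job here deploys a review instance
  - dast     # stage used by the dast_api job defined in the template
  - fuzz     # stage used by the apifuzzer_fuzz job defined in the template

include:
  - template: Security/DAST-API.gitlab-ci.yml
  - template: Security/API-Fuzzing.gitlab-ci.yml

variables:
  # --- DAST API: active checks for known vulnerability classes ---
  # Quick is the shortest profile; switch to Full once the pipeline
  # time budget is known.
  DAST_API_PROFILE: Quick
  # Placeholder: the review/test instance the scanner will attack.
  DAST_API_TARGET_URL: https://review-$CI_COMMIT_REF_SLUG.example.com
  # GraphQL support (15.4+): give the endpoint path and the scanner
  # discovers operations through introspection.
  DAST_API_GRAPHQL: /graphql

  # --- API fuzzing: malformed and unexpected input to surface unknown flaws ---
  # Quick-10 bounds the number of fuzz cases per operation; larger
  # profiles (Medium-20, Medium-50, Long-100) trade time for coverage.
  FUZZAPI_PROFILE: Quick-10
  FUZZAPI_TARGET_URL: https://review-$CI_COMMIT_REF_SLUG.example.com
  FUZZAPI_GRAPHQL: /graphql
```

Two caveats a practitioner would want before merging this. First, both jobs send attacking traffic, so the target URL must be a review or test deployment that is up before the `dast` and `fuzz` stages run, never the production service. Second, schema discovery relies on GraphQL introspection; if the target disables introspection, as hardened deployments often do, the scanner cannot build its operation list from the endpoint alone and needs the schema supplied separately (the templates accept a schema file through a dedicated variable; consult the documentation for the exact name in your version).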

GitLab has also announced security training integrated within the GitLab platform to give developers easy and immediate access to secure coding guidance.

GitLab previously announced the capability to create software bills of materials (SBOMs) on the platform, and now says it’s working on adding the ability to ingest SBOM reports so that teams can more readily gather existing third-party SBOM data. GitLab also promised to provide the ability to sign build artifacts and attestation files cryptographically.

The GitLab 2022 Global DevSecOps Survey, released earlier this year, found security to be the highest budget priority for organizations, and roughly 57% of security professionals reported that their organizations have either already shifted security left, deeper into the development pipeline, or plan to do so this year.

Those findings diverged from the results of a ReversingLabs survey of 300 senior software staffers released earlier this year, which found organizations struggling to detect supply chain attacks. For instance, fewer than 10% of companies reported reviewing software for evidence of tampering or compromise at each stage of the product life cycle, and fewer than 27% said they generate and review SBOMs.