Security

Introducing auto-triage rules for Dependabot

Since the May beta release of our GitHub-curated Dependabot policies that detect and close false positive alerts, over 250k repositories have manually opted in, with an average improvement of over 1 in 10 alerts. The impact so far: auto-dismissal of millions of alerts that would have otherwise demanded a developer’s attention to manually assess and […]

Top 5 compliance features to leverage in GitLab

GitLab’s compliance management capabilities are designed to integrate compliance into development and deployment processes from the start. As a tenured compliance professional and member of our Security Compliance team here at GitLab, I can tell you from experience it is always easier to design your processes to be secure and compliant from the start than […]

GitLab’s commitment to enhanced application security in the modern DevOps world

With GitLab 14, we saw deep emphasis on modernizing our DevOps capabilities. This modernization enabled enhanced application security and strengthened collaboration between developers and security professionals. We saw enhancements such as: a global rule registry and customization for policy requirements with support for separation of duties; a newly developed browser-based Dynamic Application Security Testing (DAST) scanner […]

Terraform as part of the software supply chain, Part 1 – Modules and Providers

When talking about Terraform security, there are many resources covering the security aspects of the infrastructure surrounding certain Terraform configurations. The security of Terraform itself, and the things which could go wrong when running it, has had very little coverage so far. Some previously published work I’m aware of includes: “Terraform providers and […]

GitLab extends Omnibus package signing key expiration by one year

GitLab uses a GPG key to sign all Omnibus packages created within the CI pipelines to ensure that the packages have not been tampered with. This key is separate from the repository metadata signing key used by package managers and the GPG signing key for the GitLab Runner. The Omnibus package signing key is set […]

How we run Red Team operations remotely

At GitLab, our Red Team conducts security exercises that emulate real-world threats. This gives us an opportunity to assess and improve our ability to deal with cyber attacks. These types of exercises require a lot of planning, which is traditionally done by getting folks from multiple departments into the same room at the same time […]

Updates regarding Rubygems ‘Unauthorized gem takeover for some gems’ vulnerability CVE-2022-29176

We want to share the actions we’ve taken in response to the critical Rubygems ‘Unauthorized gem takeover for some gems’ vulnerability (CVE-2022-29176). Upon becoming aware of the vulnerability within Rubygems.org, we immediately began our investigation and contacted Rubygems who quickly patched the vulnerability. Our Security team tested the usage of gems within our product and […]

Updates regarding Spring remote code execution vulnerabilities CVE-2022-22965 and CVE-2022-22963

We want to share the actions we’ve taken in response to the critical Spring remote code execution vulnerabilities (CVE-2022-22965 and CVE-2022-22963). Upon becoming aware of the vulnerabilities, we immediately mobilized our Security and Engineering teams to determine usage of this software component and its potential impact within our product, across our company, and within our […]

5 essential reasons to use InterBase in 2020

InterBase in 2020 will continue to be one of the hidden gems of the relational database world. From its inception in the early 1980s, through mainstream adoption and evolution under Borland, InterBase looks back at a track record that spans decades; at times defining the standard that all other databases were measured against. With Embarcadero acquiring the Borland […]