
GitLab: Security and Governance Solutions Enhanced to Secure Software Supply Chain


GitLab has confirmed new security and compliance features and a number of enhancements to its platform to help organizations secure their software supply chain.

A Global DevSecOps Survey by GitLab in 2022 found that security was among the highest-priority investment areas for organizations, with 57% of security experts surveyed indicating that their organizations have already shifted security left or plan to this year.

With regulatory and compliance needs increasing for organizations, GitLab has increased its focus on governance to help teams identify risks by offering visibility into their projects' dependencies, security findings, and user activities.

The new enhancements, on the other hand, provide developers with tools to scan for vulnerabilities and deploy controls in order to secure applications. Additionally, developers have access to secure coding guidance within the GitLab platform.

The new capabilities include security policy management, compliance management, events auditing, and vulnerability management. A dependency management capability to help developers track vulnerabilities in the dependencies they are using will be available at a later date. Organizations will be able to automatically scan for vulnerabilities in source code, containers, dependencies, and applications in production, says GitLab.

These capabilities, along with a broad range of security testing capabilities such as static application security testing (SAST), secret detection, dynamic application security testing (DAST), API security, fuzz testing, dependency scanning, license compliance, and container scanning, help organizations continuously maintain the security and compliance of their software supply chain without giving up speed and agility.

Regarding the recent enhancements to the security and compliance features, David DeSanto, VP of Product at GitLab, says, “To stay competitive and propel digital transformation, organizations need to be great at developing, operating, and securing software. Security needs to be embedded in all stages of the software development lifecycle, not treated as an afterthought.”

“Our enhanced security and governance capabilities make GitLab a comprehensive DevSecOps solution to help secure an organization’s software supply chain,” he continued.

NSA and CISA Share Tips to Secure the Software Supply Chain

Recently, the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published a 64-page document in which the agencies give tips on securing the software supply chain.

The guidelines are framed by the Enduring Security Framework (ESF)—a public-private partnership that works on intelligence-driven, shared cybersecurity challenges and addresses threats to U.S. critical infrastructure and national security systems—to serve as a collection of suggested practices for software developers. 

"Securing the Software Supply Chain for Developers was created to help developers achieve security through industry and government-evaluated recommendations," the Department of Defense's intelligence agency said. 

State-sponsored cyberattacks like the SolarWinds supply-chain attack and FireEye, which led to the exploitation of several US federal agencies, and attacks that took advantage of software vulnerabilities like Log4j, brought the Enduring Security Framework into play.

Following these cyber threats, US President Biden signed an executive order in May 2021 to strengthen the country's defenses against cyberattacks. Additionally, the Biden cabinet released a new Federal strategy against cyber threats in January, pushing the government to adopt a "zero trust" security model. Later, NSA and Microsoft recommended this approach in February 2021 for large enterprises and critical networks.

“The developer holds a critical responsibility to the security of our software. As ESF examined the events that led up to the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer,” reads NSA’s statement. 

The following are some of the mitigation tips recommended in the report:

• Generate architecture and design documents
• Create threat models of the software product
• Gather a trained, qualified, and trustworthy development team
• Define and implement security test plans
• Establish product support and vulnerability handling policies and procedures
• Define release criteria and evaluate the product against it
• Document and publish the security procedures and processes for each software release
• Assess the developers’ capabilities and understanding of the secure development process and assign training

Furthermore, the report recommends that the supplier and developer management team should set policies and security-focused principles that ensure the growth and protection of the company’s infrastructure against cybercrimes.