Robert Beggs, CEO of Canadian incident response agency Digital Defence, said that CSOs should remember that GitLab isn't a passive folder where a user deposits and later retrieves data or source code. It's a complex application that supports the entire DevOps lifecycle, from planning through to deployment and monitoring. To support this role, GitLab provides a number of advanced capabilities. This feature set increases the attack surface. Combined with the complexity of the application, any misconfigurations or vulnerabilities could have a significant impact on users.
“As with all applications, CSOs need to pay attention to vendor reports of vulnerabilities and any patches or upgrades to the application,” he said in an email. “They also need to be aware of their own security hygiene and follow best practices for GitLab use.”
These include limiting access and access privileges to GitHub repositories — for example, ensuring that default visibility is set to Private — enabling multi-factor authentication for access and ensuring that passwords follow typical complexity rules, implementing role-based access controls and regularly reviewing access lists, implementing SSL and TLS certificates to secure communications, securing GitLab runners and pipeline variables, protecting the codebase by implementing branch protection rules and code signing, and more.
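One way to turn these recommendations into a repeatable check, as an added example that is not from the article or from Digital Defence: a small Python audit over a snapshot of GitLab settings. The field names are assumed to mirror the shapes the GitLab REST API returns for application settings, groups, projects, protected branches and CI/CD variables; both snapshots are constructed sample data.

```python
from typing import Dict, List

SECRET_HINTS = ("TOKEN", "SECRET", "PASSWORD", "KEY")
DEVELOPER = 30  # GitLab numeric access level for the Developer role

# Constructed sample snapshots (values made up for illustration); field names are
# assumed to mirror GitLab REST API responses, not taken from a live instance.
WEAK = {
    "instance": {"default_project_visibility": "internal"},
    "group": {"name": "payments", "require_two_factor_authentication": False},
    "project": {"name": "payments/api", "visibility": "public"},
    "protected_branches": [{"name": "main", "push_access_levels": [{"access_level": DEVELOPER}]}],
    "ci_variables": [
        {"key": "DEPLOY_TOKEN", "masked": False, "protected": False},
        {"key": "APP_ENV", "masked": False, "protected": False},
    ],
}

HARDENED = {
    "instance": {"default_project_visibility": "private"},
    "group": {"name": "payments", "require_two_factor_authentication": True},
    "project": {"name": "payments/api", "visibility": "private"},
    "protected_branches": [{"name": "main", "push_access_levels": [{"access_level": 40}]}],  # 40 = Maintainer
    "ci_variables": [{"key": "DEPLOY_TOKEN", "masked": True, "protected": True}],
}


def looks_like_secret(key: str) -> bool:
    """Heuristic: variable names that usually carry credentials."""
    return any(hint in key.upper() for hint in SECRET_HINTS)


def audit(snap: Dict) -> List[str]:
    """Return one finding per hygiene point from the article that the snapshot fails."""
    findings = []
    if snap["instance"].get("default_project_visibility") != "private":
        findings.append("instance: default project visibility is not Private")
    if not snap["group"].get("require_two_factor_authentication"):
        findings.append(f"group {snap['group']['name']}: 2FA is not enforced")
    if snap["project"].get("visibility") != "private":
        findings.append(f"project {snap['project']['name']}: visibility is not private")
    rules = {b["name"]: b for b in snap["protected_branches"]}
    if "main" not in rules:
        findings.append("branch main: no protection rule")
    elif any(lvl["access_level"] == DEVELOPER for lvl in rules["main"].get("push_access_levels", [])):
        findings.append("branch main: Developers may push directly")
    for var in snap["ci_variables"]:  # secrets must be both masked (logs) and protected (branches)
        if looks_like_secret(var["key"]) and not (var["masked"] and var["protected"]):
            findings.append(f"variable {var['key']}: secret is not masked and protected")
    return findings
```

Running `audit(WEAK)` yields five findings and `audit(HARDENED)` none; the same function can be pointed at data pulled from a real instance once the API responses are mapped into this shape.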