[{"data":1,"prerenderedAt":1101},["ShallowReactive",2],{"/en-us/the-source/security/":3,"footer-en-us":35,"the-source-banner-en-us":342,"the-source-navigation-en-us":354,"the-source-newsletter-en-us":381,"the-source-security-resources-en-us":392,"security-articles-list-authors-en-us":435,"security-articles-list-en-us":467,"security-page-categories-en-us":1100},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"type":8,"config":9,"seo":10,"content":14,"slug":28,"_id":29,"_type":30,"title":7,"_source":31,"_file":32,"_stem":33,"_extension":34},"/en-us/the-source/security","the-source",false,"","category",{"layout":5},{"title":11,"description":12,"ogImage":13},"Security & Compliance","Get up to speed on how organizations can ensure they're staying on top of evolving security threats and compliance requirements.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463273/aplkxrvwpii26xao5yhi.png",[15,20],{"componentName":16,"type":16,"componentContent":17},"TheSourceCategoryHero",{"title":11,"description":12,"image":18},{"config":19},{"src":13},{"componentName":21,"type":21,"componentContent":22},"TheSourceCategoryMainSection",{"config":23},{"gatedAssets":24},[25,26,27],"source-lp-guide-to-dynamic-sboms","source-lp-devsecops-the-key-to-modern-security-resilience","application-security-in-the-digital-age","security","content:en-us:the-source:security:index.yml","yaml","content","en-us/the-source/security/index.yml","en-us/the-source/security/index","yml",{"_path":36,"_dir":37,"_draft":6,"_partial":6,"_locale":7,"data":38,"_id":338,"_type":30,"title":339,"_source":31,"_file":340,"_stem":341,"_extension":34},"/shared/en-us/main-footer","en-us",{"text":39,"source":40,"edit":46,"contribute":51,"config":56,"items":61,"minimal":330},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":41,"config":42},"View page source",{"href":43,"dataGaName":44,"dataGaLocation":45},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":47,"config":48},"Edit this page",{"href":49,"dataGaName":50,"dataGaLocation":45},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":52,"config":53},"Please contribute",{"href":54,"dataGaName":55,"dataGaLocation":45},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":57,"facebook":58,"youtube":59,"linkedin":60},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[62,89,161,229,291],{"title":63,"links":64,"subMenu":70},"Platform",[65],{"text":66,"config":67},"DevSecOps platform",{"href":68,"dataGaName":69,"dataGaLocation":45},"/platform/","devsecops platform",[71],{"title":72,"links":73},"Pricing",[74,79,84],{"text":75,"config":76},"View plans",{"href":77,"dataGaName":78,"dataGaLocation":45},"/pricing/","view plans",{"text":80,"config":81},"Why Premium?",{"href":82,"dataGaName":83,"dataGaLocation":45},"/pricing/premium/","why premium",{"text":85,"config":86},"Why Ultimate?",{"href":87,"dataGaName":88,"dataGaLocation":45},"/pricing/ultimate/","why ultimate",{"title":90,"links":91},"Solutions",[92,97,101,106,111,116,121,126,131,136,141,146,151,156],{"text":93,"config":94},"Digital transformation",{"href":95,"dataGaName":96,"dataGaLocation":45},"/topics/digital-transformation/","digital transformation",{"text":98,"config":99},"Application Security Testing",{"href":100,"dataGaName":98,"dataGaLocation":45},"/solutions/application-security-testing/",{"text":102,"config":103},"Automated software delivery",{"href":104,"dataGaName":105,"dataGaLocation":45},"/solutions/delivery-automation/","automated software delivery",{"text":107,"config":108},"Agile development",{"href":109,"dataGaName":110,"dataGaLocation":45},"/solutions/agile-delivery/","agile delivery",{"text":112,"config":113},"Cloud transformation",{"href":114,"dataGaName":115,"dataGaLocation":45},"/topics/cloud-native/","cloud transformation",{"text":117,"config":118},"SCM",{"href":119,"dataGaName":120,"dataGaLocation":45},"/solutions/source-code-management/","source code management",{"text":122,"config":123},"CI/CD",{"href":124,"dataGaName":125,"dataGaLocation":45},"/solutions/continuous-integration/","continuous integration & delivery",{"text":127,"config":128},"Value stream management",{"href":129,"dataGaName":130,"dataGaLocation":45},"/solutions/value-stream-management/","value stream management",{"text":132,"config":133},"GitOps",{"href":134,"dataGaName":135,"dataGaLocation":45},"/solutions/gitops/","gitops",{"text":137,"config":138},"Enterprise",{"href":139,"dataGaName":140,"dataGaLocation":45},"/enterprise/","enterprise",{"text":142,"config":143},"Small business",{"href":144,"dataGaName":145,"dataGaLocation":45},"/small-business/","small business",{"text":147,"config":148},"Public sector",{"href":149,"dataGaName":150,"dataGaLocation":45},"/solutions/public-sector/","public sector",{"text":152,"config":153},"Education",{"href":154,"dataGaName":155,"dataGaLocation":45},"/solutions/education/","education",{"text":157,"config":158},"Financial services",{"href":159,"dataGaName":160,"dataGaLocation":45},"/solutions/finance/","financial services",{"title":162,"links":163},"Resources",[164,169,174,179,184,189,194,199,204,209,214,219,224],{"text":165,"config":166},"Install",{"href":167,"dataGaName":168,"dataGaLocation":45},"/install/","install",{"text":170,"config":171},"Quick start guides",{"href":172,"dataGaName":173,"dataGaLocation":45},"/get-started/","quick setup checklists",{"text":175,"config":176},"Learn",{"href":177,"dataGaName":178,"dataGaLocation":45},"https://university.gitlab.com/","learn",{"text":180,"config":181},"Product documentation",{"href":182,"dataGaName":183,"dataGaLocation":45},"https://docs.gitlab.com/","docs",{"text":185,"config":186},"Blog",{"href":187,"dataGaName":188,"dataGaLocation":45},"/blog/","blog",{"text":190,"config":191},"Customer success stories",{"href":192,"dataGaName":193,"dataGaLocation":45},"/customers/","customer success stories",{"text":195,"config":196},"Remote",{"href":197,"dataGaName":198,"dataGaLocation":45},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"text":200,"config":201},"GitLab Services",{"href":202,"dataGaName":203,"dataGaLocation":45},"/services/","services",{"text":205,"config":206},"TeamOps",{"href":207,"dataGaName":208,"dataGaLocation":45},"/teamops/","teamops",{"text":210,"config":211},"Community",{"href":212,"dataGaName":213,"dataGaLocation":45},"/community/","community",{"text":215,"config":216},"Forum",{"href":217,"dataGaName":218,"dataGaLocation":45},"https://forum.gitlab.com/","forum",{"text":220,"config":221},"Events",{"href":222,"dataGaName":223,"dataGaLocation":45},"/events/","events",{"text":225,"config":226},"Partners",{"href":227,"dataGaName":228,"dataGaLocation":45},"/partners/","partners",{"title":230,"links":231},"Company",[232,237,242,247,252,257,262,266,271,276,281,286],{"text":233,"config":234},"About",{"href":235,"dataGaName":236,"dataGaLocation":45},"/company/","company",{"text":238,"config":239},"Jobs",{"href":240,"dataGaName":241,"dataGaLocation":45},"/jobs/","jobs",{"text":243,"config":244},"Leadership",{"href":245,"dataGaName":246,"dataGaLocation":45},"/company/team/e-group/","leadership",{"text":248,"config":249},"Team",{"href":250,"dataGaName":251,"dataGaLocation":45},"/company/team/","team",{"text":253,"config":254},"Handbook",{"href":255,"dataGaName":256,"dataGaLocation":45},"https://handbook.gitlab.com/","handbook",{"text":258,"config":259},"Investor relations",{"href":260,"dataGaName":261,"dataGaLocation":45},"https://ir.gitlab.com/","investor relations",{"text":263,"config":264},"Sustainability",{"href":265,"dataGaName":263,"dataGaLocation":45},"/sustainability/",{"text":267,"config":268},"Diversity, inclusion and belonging (DIB)",{"href":269,"dataGaName":270,"dataGaLocation":45},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":272,"config":273},"Trust Center",{"href":274,"dataGaName":275,"dataGaLocation":45},"/security/","trust center",{"text":277,"config":278},"Newsletter",{"href":279,"dataGaName":280,"dataGaLocation":45},"/company/contact/","newsletter",{"text":282,"config":283},"Press",{"href":284,"dataGaName":285,"dataGaLocation":45},"/press/","press",{"text":287,"config":288},"Modern Slavery Transparency Statement",{"href":289,"dataGaName":290,"dataGaLocation":45},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"title":292,"links":293},"Contact Us",[294,299,304,309,314,319,324],{"text":295,"config":296},"Contact an expert",{"href":297,"dataGaName":298,"dataGaLocation":45},"/sales/","sales",{"text":300,"config":301},"Get help",{"href":302,"dataGaName":303,"dataGaLocation":45},"/support/","get help",{"text":305,"config":306},"Customer portal",{"href":307,"dataGaName":308,"dataGaLocation":45},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"text":310,"config":311},"Status",{"href":312,"dataGaName":313,"dataGaLocation":45},"https://status.gitlab.com/","status",{"text":315,"config":316},"Terms of use",{"href":317,"dataGaName":318,"dataGaLocation":45},"/terms/","terms of use",{"text":320,"config":321},"Privacy statement",{"href":322,"dataGaName":323,"dataGaLocation":45},"/privacy/","privacy statement",{"text":325,"config":326},"Cookie preferences",{"dataGaName":327,"dataGaLocation":45,"id":328,"isOneTrustButton":329},"cookie preferences","ot-sdk-btn",true,{"items":331},[332,334,336],{"text":315,"config":333},{"href":317,"dataGaName":318,"dataGaLocation":45},{"text":320,"config":335},{"href":322,"dataGaName":323,"dataGaLocation":45},{"text":325,"config":337},{"dataGaName":327,"dataGaLocation":45,"id":328,"isOneTrustButton":329},"content:shared:en-us:main-footer.yml","Main Footer","shared/en-us/main-footer.yml","shared/en-us/main-footer",{"_path":343,"_dir":344,"_draft":6,"_partial":6,"_locale":7,"visibility":329,"id":345,"title":346,"button":347,"_id":351,"_type":30,"_source":31,"_file":352,"_stem":353,"_extension":34},"/shared/en-us/the-source/banner/the-economics-of-software-innovation-2025-08-18","banner","The Economics of Software Innovation","The Economics of Software Innovation—AI’s $750 Billion Opportunity",{"config":348,"text":350},{"href":349},"/software-innovation-report/","Get the research report","content:shared:en-us:the-source:banner:the-economics-of-software-innovation-2025-08-18.yml","shared/en-us/the-source/banner/the-economics-of-software-innovation-2025-08-18.yml","shared/en-us/the-source/banner/the-economics-of-software-innovation-2025-08-18",{"_path":355,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"logo":356,"subscribeLink":361,"navItems":365,"_id":377,"_type":30,"title":378,"_source":31,"_file":379,"_stem":380,"_extension":34},"/shared/en-us/the-source/navigation",{"altText":357,"config":358},"the source logo",{"src":359,"href":360},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1750191004/t7wz1klfb2kxkezksv9t.svg","/the-source/",{"text":362,"config":363},"Subscribe",{"href":364},"#subscribe",[366,370,373],{"text":367,"config":368},"Artificial Intelligence",{"href":369},"/the-source/ai/",{"text":11,"config":371},{"href":372},"/the-source/security/",{"text":374,"config":375},"Platform & Infrastructure",{"href":376},"/the-source/platform/","content:shared:en-us:the-source:navigation.yml","Navigation","shared/en-us/the-source/navigation.yml","shared/en-us/the-source/navigation",{"_path":382,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":383,"description":384,"submitMessage":385,"formData":386,"_id":389,"_type":30,"_source":31,"_file":390,"_stem":391,"_extension":34},"/shared/en-us/the-source/newsletter","The Source Newsletter","Stay updated with insights for the future of software development.","You have successfully signed up for The Source’s newsletter.",{"config":387},{"formId":388,"formName":280,"hideRequiredLabel":329},1077,"content:shared:en-us:the-source:newsletter.yml","shared/en-us/the-source/newsletter.yml","shared/en-us/the-source/newsletter",[393,409,422],{"_path":394,"_dir":395,"_draft":6,"_partial":6,"_locale":7,"config":396,"title":398,"description":399,"link":400,"_id":406,"_type":30,"_source":31,"_file":407,"_stem":408,"_extension":34},"/shared/en-us/the-source/gated-assets/application-security-in-the-digital-age","gated-assets",{"id":27,"formId":397},1002,"Application security in the digital age","Read our survey findings from more than 5,000 DevSecOps professionals worldwide for insights on how organizations are grappling with increasing attack surfaces and changing attitudes towards security and AI.",{"text":401,"config":402},"Read the report",{"href":403,"dataGaName":404,"dataGaLocation":405},"/developer-survey/2024/security-compliance/","Application Security in the Digital Age","thesource","content:shared:en-us:the-source:gated-assets:application-security-in-the-digital-age.yml","shared/en-us/the-source/gated-assets/application-security-in-the-digital-age.yml","shared/en-us/the-source/gated-assets/application-security-in-the-digital-age",{"_path":410,"_dir":395,"_draft":6,"_partial":6,"_locale":7,"config":411,"title":412,"description":413,"link":414,"_id":419,"_type":30,"_source":31,"_file":420,"_stem":421,"_extension":34},"/shared/en-us/the-source/gated-assets/source-lp-devsecops-the-key-to-modern-security-resilience",{"id":26},"DevSecOps: The key to modern security resilience","Learn how embedding security in development can slash incident response time by 720x and save millions in security costs annually.",{"text":415,"config":416},"Download the guide",{"href":417,"dataGaName":418,"dataGaLocation":405},"/the-source/security/devsecops-the-key-to-modern-security-resilience/","DevSecOps the key to modern security resilience","content:shared:en-us:the-source:gated-assets:source-lp-devsecops-the-key-to-modern-security-resilience.yml","shared/en-us/the-source/gated-assets/source-lp-devsecops-the-key-to-modern-security-resilience.yml","shared/en-us/the-source/gated-assets/source-lp-devsecops-the-key-to-modern-security-resilience",{"_path":423,"_dir":395,"_draft":6,"_partial":6,"_locale":7,"config":424,"title":425,"description":426,"link":427,"_id":432,"_type":30,"_source":31,"_file":433,"_stem":434,"_extension":34},"/shared/en-us/the-source/gated-assets/source-lp-guide-to-dynamic-sboms",{"id":25},"Guide to dynamic SBOMs: An integral element of modern software development","Learn how to gain visibility into previously unidentified organizational risks with a software bill of materials (SBOM).",{"text":428,"config":429},"Read the guide",{"href":430,"dataGaName":431,"dataGaLocation":405},"/the-source/security/guide-to-dynamic-sboms/","Guide to Dynamic SBOMs","content:shared:en-us:the-source:gated-assets:source-lp-guide-to-dynamic-sboms.yml","shared/en-us/the-source/gated-assets/source-lp-guide-to-dynamic-sboms.yml","shared/en-us/the-source/gated-assets/source-lp-guide-to-dynamic-sboms",{"amanda-rueda":436,"andre-michael-braun":437,"andrew-haschka":438,"ayoub-fandi":439,"bob-stevens":440,"brian-wald":441,"bryan-ross":442,"chandler-gibbons":443,"dave-steer":444,"ddesanto":445,"derek-debellis":446,"emilio-salvador":447,"erika-feldman":448,"george-kichukov":449,"gitlab":450,"grant-hickman":451,"haim-snir":452,"iganbaruch":453,"jlongo":454,"joel-krooswyk":455,"josh-lemos":456,"julie-griffin":457,"kristina-weis":458,"lee-faus":459,"ncregan":460,"rschulman":461,"sabrina-farmer":462,"sandra-gittlen":463,"sharon-gaudin":464,"stephen-walters":465,"taylor-mccaslin":466},"Amanda Rueda","Andre Michael Braun","Andrew Haschka","Ayoub Fandi","Bob Stevens","Brian Wald","Bryan Ross","Chandler Gibbons","Dave Steer","David DeSanto","Derek DeBellis","Emilio Salvador","Erika Feldman","George Kichukov","GitLab","Grant Hickman","Haim Snir","Itzik Gan Baruch","Joseph Longo","Joel Krooswyk","Josh Lemos","Julie Griffin","Kristina Weis","Lee Faus","Niall Cregan","Robin Schulman","Sabrina Farmer","Sandra Gittlen","Sharon Gaudin","Stephen Walters","Taylor McCaslin",{"allArticles":468,"visibleArticles":1099,"showAllBtn":6},[469,491,531,570,588,631,670,689,724,758,791,826,845,864,897,916,937,974,993,1013,1047,1082],{"_path":470,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":471,"seo":475,"content":479,"type":486,"slug":487,"category":28,"_id":488,"_type":30,"title":476,"_source":31,"_file":489,"_stem":490,"_extension":34,"date":480,"description":477,"heroImage":478,"keyTakeaways":481,"articleBody":485},"/en-us/the-source/security/the-key-to-innovation-and-compliance-in-financial-services",{"layout":5,"template":472,"articleType":473,"featured":6,"gatedAsset":474,"isHighlighted":6,"authorName":-1},"TheSourceArticle","Guide","pf-the-key-to-innovation-and-compliance-in-financial-services",{"title":476,"description":477,"ogImage":478},"The key to innovation and compliance in financial services","Discover how financial services organizations can accelerate innovation while staying on top of complex regulatory requirements.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464713/jc0ceajcrsgteyhtaibf.png",{"title":476,"date":480,"description":477,"heroImage":478,"keyTakeaways":481,"articleBody":485},"2025-05-20",[482,483,484],"Modern financial services firms face a critical challenge: balancing innovation against complex compliance requirements and regulatory frameworks. A comprehensiveDevSecOps approach transforms this traditional trade-off into a competitive advantage.","Financial institutions with fragmented toolchains experience significant friction points where each tool boundary introduces potential compliance gaps and security vulnerabilities — ultimately increasing compliance risks and exposure to hefty fines.","Organizations embracing unified software delivery platforms report 50-70% faster time-to-delivery, dramatically reduced operational disruptions, stronger compliance posture, and enhanced protection against cyber threats and financial crimes.","Decision-makers in financial services organizations face mounting pressure from multiple directions. Client expectations for digital innovation continue to rise while financial regulators simultaneously impose increasingly stringent compliance requirements.\n\nMany institutions have unwittingly positioned themselves on a seesaw where improving one side necessarily diminishes the other. When innovation accelerates, compliance struggles to keep pace - and when compliance processes tighten, development velocity slows.\n\nThis perceived incompatibility is not an inherent truth but rather a symptom of fragmented technology architecture.\n\n## The high cost of fragmentation\nMost established financial institutions - from investment banks to insurance companies and credit unions - operate with sprawling software delivery stacks cobbled together from disparate tools. This patchwork approach creates significant vulnerabilities across the organization:\n- Each tool boundary represents a potential security vulnerability and compliance gap\n- Disjointed workflows frequently result in compliance breaches\n- Limited visibility across teams hampers ongoing compliance efforts\n- Increased complexity drives higher costs for maintaining regulatory compliance\n- Fragmented systems significantly increase exposure to financial losses and reputational damage\n\nWith the exponential rise in cyberattacks targeting the financial industry - 3,348 cyber incidents were reported worldwide in 2023, up from 1,829 the previous year - maintaining this fragmented approach is increasingly risky.\n\n## The DevSecOps transformation advantage\nForward-thinking organizations are discovering that DevSecOps isn't merely a technical methodology - it's a strategic business transformation that fundamentally changes how financial services organizations adhere to regulatory requirements  and prepare for audits.\n\nBy building security and compliance directly into the development process rather than treating them as reactive, separate functions, modern platforms transform what was once a painful trade-off into a competitive advantage:\n- Automated vulnerability detection in real time as developers write code\n- Continuous monitoring and compliance verification against regulatory standards\n- Comprehensive audit trails satisfying regulatory audit requirements\n- Pre-configured compliance templates tailored to financial services industry needs\n- Granular access control maintaining separation of duties while enabling collaboration\n- Version control and advanced workflow controls ensuring proper approval processes\n- Real-time metrics on development velocity, security posture, and compliance risks\n\n## Proven results from industry leaders\nFinancial institutions implementing unified DevSecOps approaches consistently report transformative business outcomes:\n- 50-70% reduction in time-to-delivery of new solutions\n- Dramatic simplification of toolchain complexity\n- Enhanced protection against cyber risks and financial crimes\n- Significant reductions in operational costs\n- Improved ability to attract and retain top technical talent\n- Better compliance posture with fewer security incidents and higher compliance scores\n\n## Seize the opportunity\nThe future of financial services technology is one where institutions no longer need to make painful choices between speed, security, and innovation. By evolving to a unified platform approach, your organization can deliver on all three objectives simultaneously while reducing risk, improving operational efficiency, and building a more agile foundation for future growth.\n\nDownload our comprehensive guide to discover how your organization can implement this transformative approach, with detailed implementation frameworks, critical success factors, and real-world case studies from leading financial services companies who have successfully navigated this journey.","article","the-key-to-innovation-and-compliance-in-financial-services","content:en-us:the-source:security:the-key-to-innovation-and-compliance-in-financial-services:index.yml","en-us/the-source/security/the-key-to-innovation-and-compliance-in-financial-services/index.yml","en-us/the-source/security/the-key-to-innovation-and-compliance-in-financial-services/index",{"_path":492,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":493,"seo":496,"content":500,"type":486,"slug":527,"category":28,"_id":528,"_type":30,"title":497,"_source":31,"_file":529,"_stem":530,"_extension":34,"date":501,"description":498,"timeToRead":502,"heroImage":499,"keyTakeaways":503,"articleBody":507,"faq":508},"/en-us/the-source/security/compliance-at-the-speed-of-ai-reimagining-grc",{"layout":5,"template":472,"articleType":494,"author":495,"featured":329,"gatedAsset":26,"isHighlighted":6,"authorName":439},"Regular","ayoub-fandi",{"title":497,"description":498,"ogImage":499},"Compliance at the speed of AI: Reimagining GRC","Is your governance, risk, and compliance strategy keeping pace with AI-accelerated development? Learn how to prepare for secure software delivery at scale.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463857/sb6to0pyohg2ubpxf3ex.png",{"title":497,"date":501,"description":498,"timeToRead":502,"heroImage":499,"keyTakeaways":503,"articleBody":507,"faq":508},"2025-05-14","6 min read",[504,505,506],"Traditional GRC approaches fail in modern development environments because they operate on quarterly/annual cycles while DevSecOps teams deploy code multiple times daily, creating a fundamental timing mismatch and compliance that exists only on paper.","Successful GRC modernization requires shifting from a project to a product mindset, building continuous compliance into development pipelines, and automating evidence collection as a byproduct of normal development activities.","Organizations must create unified information flows between security functions, replace manual processes with API-driven automation, and redefine metrics to focus on risk reduction rather than compliance artifacts.","The software release calendar has been replaced by a continuous flow of updates and innovations. Yet many organizations still approach compliance like it's 2010.\n\nThe adoption of DevOps practices fundamentally changed the game, compressing release cycles from months to days or even hours. Organizations that once celebrated quarterly releases now deploy to production dozens or hundreds of times daily. This acceleration has delivered enormous business value - faster time to market, quicker feedback loops, and increased competitive advantage.\n\nNow add AI-powered development tools to the mix. Large language models, AI coding assistants, and [AI agents](https://about.gitlab.com/the-source/ai/agentic-ai-unlocking-developer-potential-at-scale/) have become sophisticated enough to generate substantial amounts of functional code with minimal human input.\n\nHowever, this creates a significant challenge for governance, risk, and compliance (GRC) teams, who are often still using approaches designed for a world where releases occur quarterly, rather than hourly. Traditional GRC approaches simply weren't designed for this velocity and scale - it’s like trying to monitor and track every car on every highway in the world with a pen and paper.\n\n## Why traditional GRC falls short\nThe fundamental mismatch between modern development and traditional GRC starts with timing. While DevSecOps teams operate continuously, traditional GRC functions typically operate on quarterly or annual cycles. Annual penetration tests, quarterly compliance control testing, and monthly risk assessments simply can't keep pace with environments that change hourly. By the time a traditional security assessment is complete, the system being evaluated may have undergone dozens of changes.\n\nThe gap between automated infrastructure and manual compliance processes compounds this timing mismatch. Cloud-native applications automatically scale resources up and down in response to demand. Infrastructure-as-code templates can spin up and tear down entire environments with a single command. Meanwhile, compliance verification still relies heavily on manual evidence collection and human review. GRC teams can spend days taking screenshots of configurations that were automatically changed minutes after they documented them.\n\nThe result is security compliance that exists largely on paper but bears little resemblance to operational reality. When your integrated DevSecOps platform supports hundreds of deployments daily, yet your GRC team still manually collects screenshots every quarter for audit purposes, you have a fundamental disconnect. Risk registers become outdated almost immediately. Compliance certifications verify controls that may no longer exist in the form originally documented. And security policies address threats to systems that have since been redesigned or replaced entirely.\n\n## Transforming GRC for modern DevSecOps\nI’ve seen this tension unfold in countless organizations. Here are a few steps you can take now to help GRC keep up:\n\n### Think about GRC as a product, not a project\nThe first step in transforming GRC for modern DevSecOps environments requires a fundamental shift in thinking. Traditional GRC operates as a project - a recurring set of activities with a defined beginning and end. Modern GRC needs to function as a product - a continuously evolving set of capabilities that deliver ongoing value.\n\nThis product mindset transforms how we approach compliance and security. Instead of preparing for an annual SOC 2 audit by scrambling to collect evidence in the weeks before the auditor arrives, think about building continuous compliance directly into your development pipeline. Instead of quarterly risk management assessments, aim for real-time visibility. And look for ways to embed governance in daily operations, with version-controlled policies managed like code using Markdown.\n\nWithin [a unified DevSecOps platform](https://about.gitlab.com/platform/), this product-based approach happens naturally. Security scans become part of the merge request process. Compliance requirements transform into pipeline rules that run with every commit. And audit evidence is automatically collected as a byproduct of normal development activities. The result? The focus shifts from \"passing the audit\" to \"[building securely by default](https://about.gitlab.com/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design/).\"\n\n### Create unified, automated information flows\nYou’ll also need to rethink both the architecture of your GRC program and the engineering approach behind it. Begin by establishing unified information flows among security, risk, and compliance functions. A vulnerability found in a security scan should automatically update your risk register and compliance status without manual intervention. This unified data model ensures everyone works from a single source of truth, breaking down siloes between security and development teams.\n\nThe next step is to replace manual evidence collection with API-driven automation. Instead of taking screenshots of access control settings, implement API calls that query your identity provider and generate access reports automatically. Rather than manually reviewing infrastructure settings, pull configuration data directly from your cloud providers. Every security setting that requires verification should be accessible programmatically.\n\nPerhaps most importantly, leverage the same pipeline-based approach for security that you use for code validation. [Integrated CI/CD pipelines](https://about.gitlab.com/blog/ultimate-guide-to-ci-cd-fundamentals-to-advanced-implementation/) allow you to define security and compliance requirements as code, running automated validation with every change. This infrastructure-as-code approach ensures that security controls are implemented consistently and verified continuously, eliminating the gap between documented controls and operational reality.\n\n### Connect GRC to business value\nThe practical implementation of these changes doesn't happen overnight, but organizations can follow a clear path to transform their GRC approach.\n\nFirst, bridge the cultural and language gap between GRC and engineering teams. Security professionals need to understand how developers work, while engineers need to appreciate security requirements. This mutual understanding creates the foundation for effective collaboration. Create joint working sessions where compliance teams learn basic Git workflows while developers understand compliance requirements in concrete terms.\n\nNext, redefine success metrics to focus on risk reduction rather than compliance artifacts. Instead of tracking the number of policies documented or controls tested, measure actual security outcomes: vulnerability remediation times, security issues found in production versus development, and the number of compliance exceptions. These outcome-based metrics drive real improvements in security posture.\n\nThis transforms GRC from a necessary evil to a business enabler. When [security and compliance are built into development workflows](https://about.gitlab.com/the-source/security/beyond-shift-left-engineering-supply-chain-safety-at-scale/), they stop being roadblocks and become competitive advantages. Organizations with integrated security can ship faster and with greater confidence than those with traditional bolted-on approaches.\n\nThis transformation becomes even more powerful within a unified platform. End-to-end visibility across the entire software development lifecycle creates unmatched transparency into security status. The same controls that verify code quality can enforce security requirements, creating a seamless experience for developers while maintaining strong governance for security teams.\n\n## Security as an enabler, not a bottleneck\nAs AI-accelerated development transforms software development, GRC must evolve from a checkpoint process to an integral part of the development workflow. Organizations can maintain strong governance without sacrificing speed by adopting a product mindset, reimagining GRC architecture, and implementing engineering solutions that match the pace of modern development. The future of GRC isn't about slowing down development - it's about building security and compliance into every step of the process, enabling teams to move faster with greater confidence.",[509,512,515,518,521,524],{"header":510,"content":511},"Why do traditional GRC models struggle in modern software environments?","Traditional GRC models operate on quarterly or annual cycles, but DevSecOps teams now deploy code multiple times a day. This timing mismatch means compliance efforts often lag behind actual development changes, making them ineffective in dynamic environments.",{"header":513,"content":514},"What does it mean to treat GRC as a product instead of a project?","Viewing GRC as a product means continuously evolving and embedding compliance into daily workflows, rather than treating it as a periodic event. It’s about creating always-on capabilities like automated evidence collection and policy enforcement through code.",{"header":516,"content":517},"How can automation improve governance and compliance?","Automation reduces the reliance on manual reviews and paperwork by using API calls and pipeline integrations to validate security settings and collect audit data. This makes compliance scalable, real-time, and aligned with the pace of software delivery.",{"header":519,"content":520},"What tools or strategies support continuous compliance?","Unified DevSecOps platforms with integrated CI/CD pipelines support continuous compliance. They allow you to define security policies as code, apply them automatically with every change, and log evidence of compliance as part of normal workflows.",{"header":522,"content":523},"How should success be measured in modern GRC programs?","Instead of counting controls or documented policies, success should be measured through real-world outcomes like faster vulnerability remediation, fewer security exceptions, and better security hygiene from development to production.",{"header":525,"content":526},"How can AI development practices coexist with compliance requirements?","By embedding guardrails and governance into the software pipeline, AI-powered development can align with compliance needs. Structured policies, automated validation, and continuous monitoring ensure security isn’t compromised while enabling fast iteration.","compliance-at-the-speed-of-ai-reimagining-grc","content:en-us:the-source:security:compliance-at-the-speed-of-ai-reimagining-grc:index.yml","en-us/the-source/security/compliance-at-the-speed-of-ai-reimagining-grc/index.yml","en-us/the-source/security/compliance-at-the-speed-of-ai-reimagining-grc/index",{"_path":532,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":533,"seo":535,"content":539,"type":486,"slug":566,"category":28,"_id":567,"_type":30,"title":536,"_source":31,"_file":568,"_stem":569,"_extension":34,"date":540,"description":537,"timeToRead":541,"heroImage":538,"keyTakeaways":542,"articleBody":546,"faq":547},"/en-us/the-source/security/embedding-risk-intelligence-into-your-software-supply-chain",{"layout":5,"template":472,"articleType":494,"author":534,"featured":329,"gatedAsset":26,"isHighlighted":6,"authorName":459},"lee-faus",{"title":536,"description":537,"ogImage":538},"Embedding risk intelligence into your software supply chain","Transform your security strategy by embedding risk assessment into development workflows instead of treating it as a final checkpoint.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463994/rexeefvqpj1xs8vq7ugl.jpg",{"title":536,"date":540,"description":537,"timeToRead":541,"heroImage":538,"keyTakeaways":542,"articleBody":546,"faq":547},"2025-04-22","5 min read",[543,544,545],"Focus on business impact instead of vulnerability counts by targeting security threats that pose actual danger to your business rather than trying to fix every potential issue.","Embed risk checks throughout development by adding quality metrics and automated testing early in your software pipeline to catch issues when they’re easier to fix.","Create audit trails for security decisions through “breadcrumbed” processes that document who approved changes and why, creating accountability and improving future decisions.","It’s a nightmare scenario for any business: Hackers have exposed the personal information of millions of your users. What if this wasn’t due to critical vulnerabilities in your application but simply poorly configured API endpoints that hackers could abuse to farm user data? That’s precisely what happened to a popular tech company in 2023, and it’s more common than you might think.\n\nSecurity resources are finite, and [not all threats pose equal business risk](https://about.gitlab.com/the-source/security/security-its-more-than-culture-addressing-the-root-cause-of-common-security/). Organizations that are laser-focused on technical severity ratings rather than actual business impact could be leaving themselves open to unanticipated risks.\n\nMeanwhile, the urgency for better risk quantification has never been greater. Threat actors can now leverage multiple AI systems to execute sophisticated, multi-pronged attacks targeting exploitable vulnerabilities. These AI-accelerated campaigns can quickly identify and exploit business-critical weaknesses that traditional security approaches might overlook or deprioritize - turning yesterday's “medium-risk” vulnerability into today’s multimillion-dollar breach.\n\nTo counter these evolving threats and navigate this growing complexity, leading organizations are fundamentally reimagining their approach. Instead of treating security as a separate function that happens after development, they’re embedding **risk intelligence** throughout their software supply chain. This approach allows them to focus resources where they matter most, reduce time-to-market for secure products, and demonstrate due diligence to regulators and customers.\n\nThe key is distinguishing between vulnerabilities that might cause harm and those that will cause damage in your specific business context. Companies can achieve stronger security and faster innovation by rethinking how risk is evaluated and managed across development and operations.\n\n## Limiting risk through data-driven change management\n**Risk intelligence helps you focus on threats that matter. It’s the difference between knowing you have 3,000 vulnerabilities and understanding which 50 could harm your business.**\n\nKey elements of risk intelligence include:\n\n**Exploitability assessment (reachability)**: Not all vulnerabilities can be weaponized. Risk intelligence evaluates which security findings have actual attack paths versus those that exist in code but cannot be reached by malicious actors.\n\n**Dependency context**: Risk-based security recognizes that a vulnerable package doesn’t just affect one application - it can impact dozens or hundreds across your organization. Modern approaches map dependencies across projects, enabling teams to understand the cascading impact of vulnerabilities throughout the organization. This ecosystem view provides critical context for prioritization decisions.\n\n**Continuous risk monitoring**: Instead of point-in-time assessments, risk intelligence requires ongoing monitoring that adjusts as threat landscapes evolve. A vulnerability that was low risk yesterday may become critical today based on emerging exploit techniques.\n\nSo how can you move from reactive security scanning to proactive risk intelligence? The journey begins where your software does - in the software factory itself.\n\n## The software factory: Quality gates and risk signals\nThe software factory is where code transforms from an idea to a deployable package. This phase encompasses everything from initial code commits to unit testing to packaging, creating the foundation for your entire software supply chain. By adding risk checks early, teams can find and fix issues before they spread. Just as critical is establishing clear attribution for every code change, knowing exactly who made each change (contractor, consultant, or employee), why, and when - creating an audit trail providing crucial risk assessment context.\n\nThe software factory offers three key opportunities to embed risk assessment into your development process:\n\n### Collaboration through quality intelligence\nEstablishing cross-functional quality metrics can help organizations create a shared understanding of risk across teams. Potential metrics include code coverage trends, security vulnerability density, technical debt accumulation, performance regression patterns, API compatibility scores, and documentation completeness.\n\n### Transparency through correlated data\nRisk intelligence requires connecting disparate data points into a comprehensive view. Quality intelligence dashboards with real-time metrics and trend visualization help teams spot emerging risk patterns, while documentation traceability creates auditable trails linking requirements, changes, and security findings. Automated data collection enables cross-system correlation between code changes and security findings, with pattern recognition algorithms identifying unusual behaviors that manual review might miss. This democratized intelligence empowers all stakeholders to make risk-informed decisions instead of siloing information within security teams.\n\n### Automation for quality assurance\nManual risk assessment can’t scale to modern development speeds. Continuous testing pipelines with automated security scans and performance tests provide early feedback on potential risks without slowing velocity. Automated quality gates enforce minimum standards throughout development, and risk threshold monitoring flags concerning trends before they become critical. These automated guardrails maintain consistent risk assessment while allowing development teams to maintain productivity and improve safety without sacrificing speed.\n\n## Software logistics: Risk management through team-based scorecards\nAfter code is packaged, it enters the logistics phase - provisioning, deployment, configuration, monitoring, and maintenance. Here, potential bugs meet real-world exposure. This makes assessing risk in actual operating conditions vital. However, traditional approaches to risk assessment at this stage are often inflexible and inefficient.\n\n> [Learn how effective software logistics can enable operations teams to efficiently support developers and accelerate delivery](https://about.gitlab.com/the-source/platform/why-software-logistics-is-key-to-accelerating-innovation/).\n\nEffective risk intelligence means helping teams focus on why they should deploy instead of why they shouldn’t - replacing the binary, inflexible assessment methods of the past with an automated, metrics-driven approach. Here are three critical aspects to keep in mind:\n\n### Collaborative assessment model\nModern risk approaches replace binary go/no-go decisions with multi-stakeholder evaluations, sometimes called a Change Advisory Board (CAB), incorporating diverse perspectives. Security teams evaluate vulnerability context and exploitability, operations teams assess deployment impact and rollback capabilities, and business stakeholders weigh customer impact against needs. This team-based approach builds consensus around acceptable risk rather than imposing rigid standards, allowing for nuanced decisions that balance security with business objectives.\n\n### Scorecard transparency\nEffective risk evaluation requires visible criteria that consider multiple dimensions of impact. Comprehensive scorecards include security risk factors that assess severity and real-world exploitability, operational metrics that evaluate system stability implications, compliance requirements for relevant regulations, and business impact on customers and revenue. This transparent approach creates a holistic risk profile that provides the context necessary for informed deployment decisions while ensuring all stakeholders understand the basis for security choices.\n\n### Automated scorecard processing\nManual risk assessment creates bottlenecks that slow deployment cycles. Modern approaches use real-time processing with automated score calculation and threshold monitoring to evaluate changes continuously. Integration with CI/CD pipelines, security tools, and compliance systems ensures risk data flows automatically between systems without manual intervention. This automation maintains consistent evaluation standards while eliminating the delays typically associated with security reviews.\n\n## From vulnerability counts to business impact: The future of software security\nThe future of application security isn’t about finding more vulnerabilities - it’s about understanding the risk those vulnerabilities pose. By embedding risk intelligence throughout your software supply chain, you can drive team collaboration to help you create secure software faster.\n\nEstablishing this risk assessment process across both your software factory and logistics phases has an added benefit: You’ll create an auditable trail that documents who made security decisions, what evidence they considered, when changes were approved, and why specific actions were taken. This transparency provides accountability across the entire software supply chain, builds institutional memory of risk management approaches, and creates data to inform future decisions. The resulting traceability transforms security from a point-in-time assessment to an ongoing, verifiable process demonstrating due diligence to auditors, regulators, and customers.",[548,551,554,557,560,563],{"header":549,"content":550},"What is risk intelligence in software development?","Risk intelligence is the practice of evaluating security threats based on their real-world business impact rather than just technical severity. It helps teams focus on exploitable and high-priority vulnerabilities, streamlining security efforts.",{"header":552,"content":553},"How does embedding risk checks early improve software security?","Introducing risk assessments during early development phases allows teams to catch and resolve issues sooner, reducing costs and complexity. This shift from reactive to proactive security enhances both speed and safety.",{"header":555,"content":556},"Why should organizations move beyond vulnerability counts?","Counting vulnerabilities doesn't reflect the true risk landscape. Many may be unreachable or irrelevant. Prioritizing based on exploitability and business context ensures limited security resources are used effectively.",{"header":558,"content":559},"How do audit trails contribute to better risk management?","Audit trails document who made a change, why, and when. These records provide accountability, aid compliance, and offer valuable insight for improving future decision-making and demonstrating due diligence.",{"header":561,"content":562},"What role does automation play in risk intelligence?","Automation enables consistent, scalable risk evaluation across CI/CD pipelines. It helps enforce security standards, reduces manual bottlenecks, and ensures timely responses to emerging risks without slowing development.",{"header":564,"content":565},"What’s the benefit of team-based scorecards for deployment decisions?","Team-based scorecards bring together inputs from security, operations, and business teams. This collaborative model replaces rigid go/no-go decisions with nuanced assessments that balance innovation and acceptable risk.","embedding-risk-intelligence-into-your-software-supply-chain","content:en-us:the-source:security:embedding-risk-intelligence-into-your-software-supply-chain:index.yml","en-us/the-source/security/embedding-risk-intelligence-into-your-software-supply-chain/index.yml","en-us/the-source/security/embedding-risk-intelligence-into-your-software-supply-chain/index",{"_path":571,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":572,"seo":574,"content":577,"type":486,"slug":584,"category":28,"_id":585,"_type":30,"title":412,"_source":31,"_file":586,"_stem":587,"_extension":34,"date":578,"description":575,"heroImage":576,"keyTakeaways":579,"articleBody":583},"/en-us/the-source/security/devsecops-the-key-to-modern-security-resilience",{"layout":5,"template":472,"articleType":473,"featured":6,"gatedAsset":573,"isHighlighted":6,"authorName":-1},"pf-devsecops-the-key-to-modern-security-resilience",{"title":412,"description":575,"ogImage":576},"Learn how embedding security in development can slash incident response time by 720x and saves millions in security costs annually.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464323/klfzphlaigbvoxr58a1a.png",{"title":412,"date":578,"description":575,"heroImage":576,"keyTakeaways":579,"articleBody":583},"2025-04-01",[580,581,582],"Security teams can reclaim 78+ hours annually for strategic initiatives by implementing integrated security practices that detect vulnerabilities early in the software development lifecycle, reducing remediation time from 30 days to just 1 hour.","Organizations that embed security requirements into the planning phase reduce new security vulnerabilities in production by 20-25%, avoiding costly breaches and significantly decreasing licensing costs through toolchain consolidation.","Automated governance enables a 90% reduction in compliance workload, with audit preparation times decreasing from several weeks to less than one week — all while maintaining high code quality and meeting security standards.","With cyber threats growing more sophisticated and compliance requirements tightening, traditional approaches to secure software development are no longer sufficient.\n\nThe problem isn’t just the expanding threat landscape - it’s how security is conventionally managed. Siloed tools slow down incident response, compliance audits consume valuable resources, and late-stage reviews create bottlenecks. Meanwhile, vulnerabilities slip through the cracks, exposing organizations to potential security breaches.\n\nSecurity professionals have long recognized that vulnerabilities discovered in production can cost approximately 30 times more than those found during development. Beyond the financial impact, these security flaws expose organizations to regulatory fines and reputational damage. The age-old debate between speed and security continues to challenge development teams.\n\n## Integrating security throughout the development journey\nForward-thinking organizations are flipping this narrative by incorporating security measures directly into the developer’s workflow. This approach allows security teams to find, prioritize, and fix vulnerabilities in the same environment where developers write code.\n\nUnlike traditional security testing tools that bolt onto the pipeline, integrated security capabilities eliminate the overhead and context switching that slows teams down. Security teams no longer need to chase developers across disconnected systems, and developers don’t have to pause their work to switch between tools.\n\nBy catching vulnerabilities earlier in the development process, organizations see new security findings in production decrease by 20-25%, reducing the likelihood of costly breaches. And when security incidents do arise, response times accelerate dramatically - reducing mean remediation time from up to 30 days to just one hour.\n\n## Addressing modern supply chain vulnerabilities\nThe software supply chain represents an increasingly critical attack vector. High-profile breaches have exposed vulnerabilities lurking in third-party dependencies and open-source components. As organizations increasingly rely on complex ecosystems of libraries, containers, and services, secure coding practices must extend beyond in-house code.\n\nModern security practices must include continuous scanning of dependencies, container images, and infrastructure as code for known vulnerabilities, ensuring every component is secure before reaching production. Software composition analysis becomes essential, providing transparency into third-party dependencies and automating compliance with emerging supply chain security standards.\n\n## Automating compliance without compromising speed\nCompliance is mandatory, but it shouldn’t slow development. As regulatory frameworks become more stringent and security accountability increases, organizations must maintain compliance without impeding innovation.\n\nBy automating governance and integrating compliance checks into CI/CD pipelines, security requirements can be built into every step of development. Automated policies align with industry standards like SOC 2, GDPR, and NIST, ensuring all code meets security standards before deployment.\n\nThis continuous compliance approach eliminates last-minute scrambles to meet regulatory requirements and reduces non-compliance risk. Automated evidence collection and detailed audit logs streamline reporting, with organizations reporting a 90% reduction in time spent on compliance tasks.\n\n## Moving forward with confidence\nThe path to secure applications with minimal security vulnerabilities requires a holistic approach that embeds security considerations throughout the software development process. By transforming security from a bottleneck into a competitive advantage, organizations can manage vulnerabilities proactively, secure complex software supply chains, and maintain continuous compliance - all while driving cost savings through toolchain consolidation.\n\nReady to see what a unified DevSecOps approach can do for your organization? Download our comprehensive guide to discover how organizations can save millions  in security costs by consolidating their toolchains with a unified DevSecOps platform.\n","devsecops-the-key-to-modern-security-resilience","content:en-us:the-source:security:devsecops-the-key-to-modern-security-resilience:index.yml","en-us/the-source/security/devsecops-the-key-to-modern-security-resilience/index.yml","en-us/the-source/security/devsecops-the-key-to-modern-security-resilience/index",{"_path":589,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":590,"seo":592,"content":597,"type":486,"slug":627,"category":28,"_id":628,"_type":30,"title":593,"_source":31,"_file":629,"_stem":630,"_extension":34,"date":598,"description":594,"timeToRead":599,"heroImage":595,"keyTakeaways":600,"articleBody":604,"faq":605},"/en-us/the-source/security/beyond-shift-left-engineering-supply-chain-safety-at-scale",{"layout":5,"template":472,"articleType":494,"author":591,"featured":329,"gatedAsset":27,"isHighlighted":6,"authorName":456},"josh-lemos",{"title":593,"description":594,"ogImage":595,"config":596},"Beyond “shift left”: Engineering supply chain safety at scale","Learn why the traditional “shift left” approach falls short and how supply chain safety can transform your software security approach at scale.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464122/kxhyozwsjf8ik6ssm3id.jpg",{"ignoreTitleCharLimit":329},{"title":593,"date":598,"description":594,"timeToRead":599,"heroImage":595,"keyTakeaways":600,"articleBody":604,"faq":605},"2025-03-27","3 min read",[601,602,603],"Most DevSecOps implementations are just DevOps with bolted-on security tools. True software supply chain safety requires engineering security directly into development processes, with tools serving as verification rather than primary protection.","Success in software supply chain safety depends on four pillars: infrastructure guardrails, language security features, automated dependency management, and security function abstraction through service mesh.","Align security and development team incentives through shared metrics and security champions. Focus on building systems that make secure development the path of least resistance rather than adding friction.","Your organization has probably already recognized the value of DevSecOps: removing silos between development, security, and operations teams. You’ve integrated security tools into your CI/CD pipeline, developers are scanning their code, and you have a dedicated security team reviewing findings. So why are you still struggling with security vulnerabilities, team burnout, and the constant tension between development velocity and security requirements? The truth is, most DevSecOps implementations today amount to little more than DevOps with security tools bolted on. It’s time to fundamentally change how we approach software supply chain security.\n\n## The promise and reality of the shift left\nThe journey to modern DevSecOps began with good intentions. As organizations moved to the cloud and adopted DevOps practices, security teams attempted to “shift left” by pushing security responsibilities earlier in the development cycle. However, this often meant taking the same noisy security tools - static analysis, dynamic testing, and software composition analysis - and simply making them the developers’ problem.\n\nThe results are predictable: With unrealistic security-to-developer ratios, [security teams are overwhelmed](https://about.gitlab.com/the-source/security/security-its-more-than-culture-addressing-the-root-cause-of-common-security/) by the volume of findings from improperly tuned tools. Developers, already under pressure to deliver features quickly, face constant interruptions from release-gating security tools, with unacceptable false positive rates. The promised integration of security into development workflows has instead created new bottlenecks and friction points.\n\n## Why traditional approaches miss the mark\nThe fundamental flaw in many DevSecOps implementations is treating security as an add-on rather than a core platform engineering capability. Organizations implement basic continuous integration practices with security tools attached, but fail to address the underlying challenges:\n\n- Security tools produce overwhelming noise without proper tuning and context\n- Workflow interruptions and governance processes create frustrating slowdowns\n- Security and development teams operate in silos with misaligned incentives\n- Traditional security metrics fail to demonstrate meaningful risk reduction\n\nShifting security left isn’t enough. We need to transform how we think about security entirely.\n\n## Engineering for supply chain safety\nInstead of focusing on security as a state free from threats, we should embrace safety as our guiding principle - creating systems inherently protected from and unlikely to cause danger. **Supply chain safety** means implementing systematic safeguards throughout the software development lifecycle that protect both the code you write and the dependencies you consume. It encompasses everything from the infrastructure your applications run on to the third-party packages you integrate, ensuring that each component is verified, validated, and continuously monitored for potential risks. This approach builds on the success patterns we’ve seen in other areas of software security, like the adoption of memory-safe languages and ubiquitous Transport Layer Security (TLS) encryption.\n\nHere’s how you can implement supply chain safety effectively:\n1. **Infrastructure guardrails**: Leverage [platform engineering](https://about.gitlab.com/the-source/platform/driving-business-results-with-platform-engineering/) to create pre-hardened templates that enforce security controls by default. This ensures teams inherit security best practices without additional cognitive load.\n1. **Language and framework security**: Take advantage of built-in security features in modern programming languages and frameworks. From automated memory management to deserialization filters, these features can prevent entire classes of vulnerabilities.\n1. **Automated dependency management**: Implement dependency proxies that automatically scan, validate, and cache third-party packages. Define clear policies for package verification and maintain a curated list of approved dependencies.\n1. **Security function abstraction**: Use service mesh and security sidecars to handle cross-cutting security concerns like authentication and authorization. This removes the burden of implementing security controls from individual service code.\n\n## Making it work: The human element\nTechnical solutions alone aren’t enough - success requires addressing the human factors that often derail security initiatives. Start by aligning incentives between security and development teams through shared goals and metrics that reward software resiliency improvements. Build a network of security champions within development teams who can act as bridges between security and engineering.\n\nCreate targeted training programs that focus on the security enablement features you’ve built, demonstrating how they reduce operational burden rather than add to it. Regular cross-team collaboration ensures both groups understand and support each other’s needs.\n\n## Moving forward\nThe path to true supply chain safety requires a fundamental shift in approaching security. Instead of bolting on security tools and hoping for the best, [build security directly into your engineering processes and practices](https://about.gitlab.com/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design/). You should layer in security tools for assurance and verification only after establishing strong engineering foundations.\n\nStart by evaluating your current DevSecOps implementation. Are you truly integrating security into your engineering practices, or just adding security tools to your pipeline? Focus first on building the infrastructure and platform capabilities that make secure development the path of least resistance. Remember, the goal isn’t to make developers think more about security - it’s about engineering safety from the ground up to help teams build secure software naturally through well-designed systems and processes.",[606,609,612,615,618,621,624],{"header":607,"content":608},"Why isn’t “shift left” enough to improve software security?","While shifting security earlier in the development cycle is a well-intentioned step, it often results in security tools being handed off to developers without adequate tuning or context. This creates noise, slows workflows, and introduces friction rather than improving safety or resilience.",{"header":610,"content":611},"What’s the difference between software security and software safety?","Security often focuses on reacting to threats, whereas safety is about proactively designing systems that are resistant to risk by default. A safety-driven approach builds protections into the software supply chain from the ground up, not just at the edges.",{"header":613,"content":614},"How does supply chain safety improve developer experience?","Supply chain safety reduces the operational burden on developers by integrating security controls into infrastructure and workflows. Pre-hardened templates, secure-by-default configurations, and abstracted security functions reduce the need for manual intervention.",{"header":616,"content":617},"What role do development frameworks and languages play in this approach?","Modern languages and frameworks offer built-in protections, such as memory management and deserialization controls. Leveraging these features helps eliminate entire categories of vulnerabilities without needing to create custom security logic.",{"header":619,"content":620},"How can organizations reduce risk from third-party dependencies?","Using automated tools like dependency proxies and curated package lists allows teams to validate, scan, and control third-party components. This helps ensure that all integrated packages meet security standards before reaching production.",{"header":622,"content":623},"What is the importance of aligning security and development teams?","Security outcomes improve when both teams share goals, metrics, and mutual understanding. Creating a network of champions and offering enablement training helps foster collaboration and encourages adoption of secure engineering practices.",{"header":625,"content":626},"How can engineering teams get started with supply chain safety?","Begin by assessing your current workflows. Prioritize infrastructure and platform investments that embed security into the development lifecycle. Focus on creating systems that naturally support secure behavior, and use tools to reinforce, not replace, these foundations.","beyond-shift-left-engineering-supply-chain-safety-at-scale","content:en-us:the-source:security:beyond-shift-left-engineering-supply-chain-safety-at-scale:index.yml","en-us/the-source/security/beyond-shift-left-engineering-supply-chain-safety-at-scale/index.yml","en-us/the-source/security/beyond-shift-left-engineering-supply-chain-safety-at-scale/index",{"_path":632,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":633,"seo":636,"content":640,"type":486,"slug":666,"category":28,"_id":667,"_type":30,"title":637,"_source":31,"_file":668,"_stem":669,"_extension":34,"date":641,"description":638,"timeToRead":541,"heroImage":639,"keyTakeaways":642,"articleBody":646,"faq":647},"/en-us/the-source/security/federal-cybersecurity-in-2025-looking-ahead",{"layout":5,"template":472,"articleType":494,"author":634,"featured":6,"gatedAsset":635,"isHighlighted":6,"authorName":455},"joel-krooswyk","source-lp-how-to-build-a-resilient-software-development-practice",{"title":637,"description":638,"ogImage":639},"Federal cybersecurity in 2025: Looking ahead","Learn how AI will transform federal cybersecurity in 2025, from preventing cyber attacks to modernizing legacy code and automating compliance processes.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464594/brhph5gzlyth9ko13d5d.jpg",{"title":637,"date":641,"description":638,"timeToRead":541,"heroImage":639,"keyTakeaways":642,"articleBody":646,"faq":647},"2025-02-26",[643,644,645],"AI is becoming essential for federal cybersecurity, enabling agencies to detect and prevent cyber threats in minutes rather than days. However, human oversight remains crucial for guiding AI systems and validating their decisions.","Legacy code poses a major security risk, with 70% of vulnerabilities stemming from outdated systems. AI-powered tools will help agencies modernize their code bases and transition to more secure programming languages.","Software bills of materials (SBOMs) will become mandatory for federal contracts, giving agencies better visibility into their software supply chains and associated security risks. Vendors unable to provide SBOMs may lose opportunities.","In an era where a cyber attack happens [every 37 seconds](https://aag-it.com/the-latest-cyber-crime-statistics/), the federal government faces unprecedented challenges in protecting its IT systems and infrastructure. As nation-state actors and cybercriminals become more sophisticated, traditional security approaches are no longer sufficient.\n\nFederal agencies must remain secure while balancing new regulations, limited budgets, and the rise of artificial intelligence (AI). While not a silver bullet, AI technologies are proving to be powerful allies in the fight to secure federal systems. They help agencies do more with limited resources and quickly adapt to emerging threats. At the same time, the software development boom - driven in part by AI and open source - will require agencies to ensure they have more visibility into the license and security risks associated with their software.\n\nHere are four major changes we expect to see in federal cybersecurity during 2025:\n\n## AI will help stop cyber attacks before they happen\nIn the past, agencies would often react to cyber attacks after they happened. Now, AI is becoming essential for proactively preventing attacks. For example, the Department of Homeland Security uses AI to look through huge amounts of data to find possible threats.\n\nMore agencies will start using AI in 2025. [GitLab research](https://about.gitlab.com/the-source/platform/whats-next-in-devsecops-for-public-sector/) found that nearly half (47%) of public sector respondents were already using AI in the software development lifecycle in 2024; another 33% plan to start using AI by 2026. It makes sense that federal agencies would embrace AI tools that can spot dangerous activity much faster than humans can - sometimes in minutes instead of days. This is especially helpful for agencies that don't have many staff members.\n\nHowever, AI isn’t perfect on its own. People still need to check its work and ensure it’s making good decisions. Humans are also needed to guide AI and devise new ways to use it.\n\n## AI will help agencies modernize legacy code\nMany government systems use old programming languages that aren’t very secure. About 70% of security problems come from this legacy code. AI can help agencies [modernize legacy code to reduce the risk of security vulnerabilities](https://about.gitlab.com/the-source/security/why-legacy-code-is-a-security-risk-and-how-ai-can-help/).\n\nThe federal government has prioritized memory-safe programming languages to help avoid common software vulnerabilities. AI can automate tasks like code refactoring and analysis, helping organizations transition from memory-unsafe languages like C to more secure alternatives such as Rust or Go.\n\nAI tools can also look at old code and suggest ways to make it better and more secure. This helps agencies modernize their systems more quickly and protect against new threats.\n\n## AI will simplify compliance\nDevSecOps, compliance, and AI are on a collision course. Automation is the key to making compliance integral to software development and making it a more real-time activity than the traditional clipboard or checkbox approach.\n\nGovernment leaders are increasingly grappling with the complexities of compliance. AI simplifies this process by automating monitoring. It can warn agencies about problems immediately and help fix them, reducing the burden on compliance teams.\n\nCompliance checks will become a natural part of creating and updating software as technology improves. AI tools will proactively scan code for compliance violations and enforce security policies. While AI won’t completely automate this process in the near term, the shift to intelligent automation will help improve security and efficiency.\n\n## SBOMs will become a requirement, not just a best practice\nAI requires testing, guardrails, and management by humans and other tools, especially regarding security. A dynamic software bill of materials (SBOM) can give agencies full visibility into the license and security risks associated with their software, including any open source components.\n\nSBOMs help agencies understand exactly what’s in their software and what security risks might exist. The lists update automatically to show real-time information about potential problems.\n\n[GitLab research](https://about.gitlab.com/developer-survey/) has shown that use of open source software is on the rise: 67% of developers say that at least a quarter of the code bases they work on is from open source libraries. However, only 21% of respondents say they are currently using SBOMs to improve the security of the software development lifecycle.\n\nAs we move into 2025, SBOMs will become central to federal cybersecurity efforts. Defense agencies will lead the way, and civilian agencies will follow. The increased adoption of SBOMs will help defense and civilian agencies verify that nation-state actors have not made malicious contributions, promoting transparency and accountability within the federal government.\n\nMany agencies will likely require companies they work with to provide SBOMs - and potentially refuse to work with vendors that cannot comply.\n\n> [Read more about SBOMs and why they’ve become an integral part of modern software development](https://about.gitlab.com/blog/the-ultimate-guide-to-sboms/).\n\n## Looking ahead: From risk to resilience\nAs cyber threats continue to evolve, a strong security posture is essential. Agencies are finding creative ways to use AI to improve their security. By using AI to automate tasks, find problems quickly, and modernize old systems, agencies can better protect their critical information and systems. These investments in AI and security will help agencies stay ahead of future threats and safeguard critical assets.",[648,651,654,657,660,663],{"header":649,"content":650},"How can AI improve compliance in federal agencies?","AI simplifies compliance by automating monitoring and enforcement. AI-driven tools can proactively scan code for compliance violations, apply necessary fixes, and ensure adherence to security policies. This shift to automation will help agencies integrate compliance into their development processes more seamlessly, reducing manual oversight while improving security.",{"header":652,"content":653},"Why are federal agencies prioritizing SBOMs in 2025?","With increased reliance on open source software, federal agencies need better oversight of their software supply chains. SBOMs will become a standard requirement to improve transparency, enhance security, and meet federal compliance mandates. Defense agencies are expected to lead this effort, with civilian agencies following closely behind.",{"header":655,"content":656},"How will AI help prevent cyber attacks before they happen?","AI will enable agencies to transition from a reactive to a proactive cybersecurity approach. By analyzing large datasets, AI can identify and flag potential threats much faster than humans, reducing the time it takes to detect malicious activity. Federal agencies, including the Department of Homeland Security, are already leveraging AI to enhance threat detection capabilities.",{"header":658,"content":659},"What is an SBOM, and why is it becoming a requirement for federal agencies?","A Software Bill of Materials (SBOM) is a detailed inventory of software components, including open source and third-party dependencies. SBOMs provide visibility into potential security risks and help ensure software integrity. As AI-generated software increases, SBOMs will become essential for tracking vulnerabilities, ensuring compliance, and preventing malicious code contributions from nation-state actors.",{"header":661,"content":662},"What role does AI play in modernizing legacy government code?","Many government systems rely on outdated programming languages that introduce security vulnerabilities. AI can assist in modernizing these legacy code bases by automating refactoring, analyzing security risks, and helping transition from memory-unsafe languages like C to more secure alternatives like Rust or Go. This modernization will help reduce vulnerabilities and improve overall security.",{"header":664,"content":665},"How is AI expected to impact federal cybersecurity in 2025?","AI is expected to play a critical role in federal cybersecurity by proactively preventing cyber attacks, modernizing legacy code, simplifying compliance processes, and enhancing software security through tools like SBOMs. AI-powered threat detection will allow agencies to identify and mitigate risks faster, while automation will improve compliance monitoring and vulnerability management.","federal-cybersecurity-in-2025-looking-ahead","content:en-us:the-source:security:federal-cybersecurity-in-2025-looking-ahead:index.yml","en-us/the-source/security/federal-cybersecurity-in-2025-looking-ahead/index.yml","en-us/the-source/security/federal-cybersecurity-in-2025-looking-ahead/index",{"_path":671,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":672,"seo":674,"content":678,"type":486,"slug":685,"category":28,"_id":686,"_type":30,"title":675,"_source":31,"_file":687,"_stem":688,"_extension":34,"date":679,"description":676,"timeToRead":541,"heroImage":677,"keyTakeaways":680,"articleBody":684},"/en-us/the-source/security/key-security-trends-for-cisos-in-2025",{"layout":5,"template":472,"articleType":494,"author":591,"featured":6,"gatedAsset":673,"isHighlighted":6,"authorName":456},"source-lp-ai-guide-for-enterprise-leaders-building-the-right-approach",{"title":675,"description":676,"ogImage":677},"Key security trends for CISOs in 2025","Explore essential security trends for 2025: how AI creates new risks and opportunities, reshapes identity management, and strengthens DevOps teams.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464506/hyue0lgqq2lqk3arwnel.jpg",{"title":675,"date":679,"description":676,"timeToRead":541,"heroImage":677,"keyTakeaways":680,"articleBody":684},"2025-02-25",[681,682,683],"AI adoption creates both security risks and opportunities. Organizations must track AI usage in vendor products, prepare for potential outages, and leverage AI to strengthen security controls.","Identity management needs modernization to handle complex machine-to-machine interactions, dynamic permissions, and AI system access, requiring more flexible and adaptive security tools.","AI tools can help bridge the DevOps security skills gap by automating security checks, suggesting secure code patterns, and integrating security throughout the software development lifecycle.","In 2025, many of your critical security tools will include AI models you can’t inspect or fully control. Your board is already asking how you’ll prevent the next headline-making security breach. Meanwhile, your competitors are using AI to automate security at a scale that was impossible just months ago. Evolving regulatory requirements add another layer of complexity, as new rules in the European Union and California affect how you can use AI systems.\n\nThe security landscape is rapidly evolving, but with the right approach, you can harness these challenges to build stronger defenses while protecting against new cyber threats. Here are three trends to prepare for that will dominate the enterprise security landscape this year.\n\n## 1. Vulnerabilities in proprietary LLMs\nMany vendors now use proprietary foundational large language models (LLMs) in their products, creating new risks for your organization. Most of these LLMs are black boxes - you can't see much about how they work or what safety controls they have. Security researchers have demonstrated the fragility of AI guardrails. There is a growing attack surface on the models themselves and reflectively on the products they serve.\n\nSince many products rely on the same few proprietary LLMs, an attack on one could simultaneously affect many of your systems. This concentration of risk is particularly concerning as more critical business functions depend on AI-enabled tools. You’ll need to:\n\n- Track which of your vendors use LLMs\n- Assess the security controls these vendors have in place\n- Plan for possible outages if an LLM-based service fails\n- Develop backup plans for critical AI-dependent systems\n\n> Read more: [7 questions to ask your DevOps provider to build a transparency-first AI strategy](https://about.gitlab.com/the-source/ai/building-a-transparency-first-ai-strategy-7-questions-to-ask-your-devops/)\n\n## 2. Identity management challenges\nCloud and AI systems are changing how we manage access to the systems we use every day. Your identity systems must now handle:\n\n- An increase in non-human, service-based identities\n- More machine-to-machine connections\n- Quick changes in who needs access to what\n- Complex chains of permissions between services\n- AI systems that need varying levels of data access\n\nTraditional identity and access management tools weren’t built for these challenges. You’ll need more flexible identity tools that can adapt quickly as your needs change. Consider implementing [zero-trust principles and just-in-time access](https://about.gitlab.com/the-source/security/field-guide-to-threat-vectors-in-the-software-supply-chain/) to better control these dynamic environments.\n\nSecurity teams should also develop strategies and prepare for the growing complexity of agentic AI with the same level of rigor and auditability they apply to human users. As AI systems proliferate, [tracking and securing these non-human identities](https://about.gitlab.com/blog/improve-ai-security-in-gitlab-with-composite-identities/) becomes just as important as managing human user access.\n\n## 3. Making security work in DevOps\n[In a recent survey](https://about.gitlab.com/developer-survey/), 58% of developers said they feel some degree of responsibility for application security - but finding DevOps staff with security skills remains difficult. AI-powered tools can help by:\n\n- Checking code for security vulnerabilities and potential threats early in development before they cause problems\n- Suggesting secure coding patterns\n- Setting up the right access permissions automatically\n- Automating repetitive tasks throughout the development process\n\nThese tools can help your existing security team work more efficiently. They can also help developers catch common security issues before code reaches production. This means fewer emergencies for your team and better security outcomes overall.\n\nConsider investing in tools that integrate directly into developer workflows. The easier you make it for developers to work securely, the more likely they are to do so.\n\n## Taking action: Embracing AI to secure the threat landscape\nTo stay ahead of these changes:\n\n1. Map out where AI tools touch your systems and assess the risks\n1. Update your identity management approach for cloud and AI needs\n1. Look for ways AI can strengthen your security work\n1. Keep your board informed about new AI risks and regulations\n1. Build relationships with key vendors to understand their AI security measures\n1. Train your team on AI security risks and opportunities\n\nWhile AI brings new risks, it also gives you new tools to protect your organization. Focus on using AI to strengthen your security posture while watching out for new threats. Regular reviews of your AI security stance will help you stay ahead of emerging risks.\n\n## Looking ahead\nThe security landscape will keep evolving as AI technology advances. Stay flexible and ready to adapt your security strategy as new threats and opportunities emerge. Build strong relationships across your organization - especially with legal, development, and operations teams. These partnerships will help you respond more effectively to security challenges.\n\nRemember that while the technology changes, your core mission remains the same: protecting your organization’s assets and enabling secure business operations. Use new tools and approaches where they make sense, but don’t lose sight of security basics in the rush to adopt AI.","key-security-trends-for-cisos-in-2025","content:en-us:the-source:security:key-security-trends-for-cisos-in-2025:index.yml","en-us/the-source/security/key-security-trends-for-cisos-in-2025/index.yml","en-us/the-source/security/key-security-trends-for-cisos-in-2025/index",{"_path":690,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":691,"seo":693,"content":697,"type":486,"slug":720,"category":28,"_id":721,"_type":30,"title":694,"_source":31,"_file":722,"_stem":723,"_extension":34,"date":698,"description":695,"timeToRead":502,"heroImage":696,"keyTakeaways":699,"articleBody":703,"faq":704},"/en-us/the-source/security/why-legacy-code-is-a-security-risk-and-how-ai-can-help",{"layout":5,"template":472,"articleType":494,"author":634,"featured":6,"gatedAsset":692,"isHighlighted":6,"authorName":455},"source-lp-how-a-devsecops-platform-drives-business-success-the-complete-guide",{"title":694,"description":695,"ogImage":696},"Why legacy code is a security risk — and how AI can help","Explore how AI-powered code refactoring can modernize legacy systems, enhance your security protocols, and propel your organization into the future.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463670/cdynzww9p2annh3mmbhl.png",{"title":694,"date":698,"description":695,"timeToRead":502,"heroImage":696,"keyTakeaways":699,"articleBody":703,"faq":704},"2025-01-15",[700,701,702],"Legacy code is expensive and time-consuming to maintain and, if not compatible with the latest security tools, it can be a serious liability for organizations across industries.","Code refactoring is a strategy that can help make code more readable — improving the stability of the code base as well as the productivity and efficiency of developers.","Together with preventative security tools, AI-powered code refactoring can help teams modernize their legacy code while reducing their risk of security vulnerabilities in the process.","Today’s rapid acceleration of technology is exciting. It means new products and opportunities for growth and innovation are around every corner. And yet this speed of growth and change has its downsides, especially regarding security: just one bad actor can cause massive business disruption, reputation damage, and lost revenue.\n\nYou have likely heard industry leaders talk about their need for digital transformation and the worrisome dependency on outdated or “legacy” systems. While legacy code is not inherently problematic, it often isn’t compatible with modern security tools, leading to exploitable vulnerabilities. Coupled with open source code - which requires ongoing security vigilance - your code base may be putting your organization’s data, users, and reputation at risk.\n\nLegacy code is risky from a security and compliance perspective, and it’s also expensive and time-consuming for developers to maintain - if developers on your team even have the legacy knowledge to do the work.\n\nUltimately, this industry-wide reliance on legacy code is a concerning and costly practice. So, how do we work our way out of it?\n\nBelow, I’ll explore legacy code and how organizations can increase the security of their code base with AI-powered code refactoring. Together with AI-driven testing and security capabilities, code refactoring will propel your codebase into the future while empowering your whole team to look ahead, not behind.\n\n## What is legacy code?\n\nBroadly, legacy code refers to an existing code base that a team inherits from previous team members and continues to use and maintain. The code might work just fine, but several different developers have likely modified it over the years. The current team might struggle to identify which modifications are valuable and which are not. Additionally, the code might be written using an outdated framework or in a programming language that no one on the team knows (whether it’s simply old or completely obsolete).\n\nIt might seem strange that companies still rely on legacy code. While the reasons can vary, think of it like this: You live in an old house. It's cozy and familiar, but the plumbing's unreliable, the wiring is outdated, and every time you fix one thing, something else breaks. Sure, you could remodel, but that means a huge upheaval – contractors, permits, living in chaos for months, and costs that can spiral out of control.\n\nSo, you keep patching things up, hoping for the best. It's not ideal, but it works - for now. That's kind of what it's like with legacy code. It's the familiar, “working” solution, even if it's creaky and inefficient. Rewriting it from scratch is a daunting prospect with its own risks and costs. Plus, who has time for a massive overhaul when there are new features to build and urgent bugs to fix?\n\nWhen it comes to updating code, many companies decide to keep their legacy code because maintaining it can be less disruptive in the short term. Updating code involves a lot of developing and testing code. It can also involve training a team to ensure they have the skills to work with the outdated code language or framework. If there isn’t any documentation, it can be even more challenging to navigate.\n\n## What’s the problem with legacy code?\n\nIf your organization does decide to stick with your legacy code - and many do - you’re opening yourself up to a host of potential issues. Since this code wasn’t designed for newer tech, you might not be able to integrate it with the latest and greatest software (like AI tools, for example), which could also impact the performance and scalability of your products. This can hold you back and impact customer experience down the line.\n\nWhat’s most concerning about legacy code, whether it was written five years ago or 50, is that there may be no security scanners that work for this code. That means you can’t detect problems on your own while making updates. Moreover, developers making these updates may not understand the language or its structure well and might even accidentally create vulnerable code in the process. Finally, older applications are commonly written in C or C++, which are memory unsafe languages - proven to host [70% of identified vulnerabilities](https://www.cisa.gov/news-events/news/urgent-need-memory-safety-software-products).\n\nThese three issues - the fact that there may be no way to secure legacy code, there are fewer ways to safely update it, and that the end result is far more likely to be vulnerable - should be warning signs for organizations across industries.\n\nIn developing a catalog of bad practices that can put critical infrastructure at risk, the U.S. [Cybersecurity and Infrastructure Security Agency](https://www.cisa.gov/stopransomware/bad-practices) added the following:\n\n“Use of unsupported (or end-of-life) software in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.”\n\nEven if you aren’t working in national security or for national public health and safety, this warning is still applicable: Using old code is not a best practice. It’s a bad one.\n\n## The solution: Code refactoring\n\nAccording to software developer and author [Martin Fowler](https://www.martinfowler.com/), “Refactoring is a controlled technique for improving the design of an existing code base, a disciplined technique for restructuring an existing body of code, altering its internal structure without changing its external behavior.”\n\nIn other words, code refactoring allows you to secure and modernize your legacy code without obscuring its original functionality.\n\nThere are many refactoring techniques - from inline refactoring, which involves simplifying code by removing obsolete elements, to refactoring by abstraction, where duplicate code is deleted. What’s important to know is that code refactoring requires time and significant developer skills to do well. It also requires a lot of testing when developers are already busy working on other tasks.\n\nSo, while code refactoring is certainly the answer to bringing your legacy code into the future, making it readable, efficient, and secure, it is a project in and of itself, especially at scale.\n\n## How AI can help\n\nWe know that AI is already accelerating the software development lifecycle - and there’s a lot that [AI can do to help teams accelerate the refactoring process](https://about.gitlab.com/blog/refactor-code-into-modern-languages-with-ai-powered-gitlab-duo/), too. For example, tools like [GitLab Duo](https://about.gitlab.com/blog/gitlab-duo-chat-now-generally-available/) can help explain existing code and create new code, two of the biggest hurdles when modernizing legacy code. If a developer isn’t familiar with a language, AI can help fill in the blanks. Regarding testing and security, AI can also [analyze root causes, generate tests](https://about.gitlab.com/blog/developing-gitlab-duo-blending-ai-and-root-cause-analysis-to-fix-ci-cd/), and [help developers remediate vulnerabilities](https://about.gitlab.com/the-source/ai/understand-and-resolve-vulnerabilities-with-ai-powered-gitlab-duo/). With AI in your toolkit, code refactoring can finally be more accessible and achievable for organizations, so they can move this project off their backlog for good.\n\nAccording to [our research](https://about.gitlab.com/developer-survey/2024/ai/), 34% of all respondents using AI across the software development lifecycle already use AI to modernize legacy code. This is even higher in the financial services industry (46%).\n\nOf course, there are a few things to keep in mind as you start to implement AI in any of your practices.\n\nAI isn’t perfect. It still requires testing, guardrails, and human oversight. So, while it absolutely can facilitate and accelerate some of these critical, time-consuming manual tasks, it can’t do this work alone. Especially regarding security, you should implement other tools to keep your code as secure as possible. We recommend creating a [dynamic software bill of materials](https://about.gitlab.com/blog/the-ultimate-guide-to-sboms/) (also called an SBOM) to give you full visibility into the license and security risks associated with your software, including any legacy code you may have.\n\n## Bring your codebase into the future\n\nWhile the jump from legacy codebase maintenance to modernization might feel daunting, it is the best path forward if you want to keep your organization and user data secure. With the right tools and methods, it may be more efficient for your teams and cost-effective for your company.\n\nThe good news is that your teams don’t need to spend time and resources deciphering old languages and working with old frameworks - causing frustration, delays, and bottlenecks. By letting AI do the hard work of refactoring your code so that it’s safe, secure, and functioning as it should, developers can focus on what they do best: building new products and features and driving value for customers.",[705,708,711,714,717],{"header":706,"content":707},"What are the challenges of maintaining legacy code without AI?","Challenges include:\n - __Lack of modern security support__: Traditional security scanners may not be compatible with legacy code\n - __Complex and outdated frameworks__: Developers may lack the expertise to maintain or update the old code\n - __High maintenance costs__: Maintaining legacy systems is costly and time-consuming, diverting resources from innovation\n - __Security risks__: Outdated code is more prone to vulnerabilities and attacks, increasing the risk of data breaches",{"header":709,"content":710},"How does GitLab support AI-powered refactoring and legacy code modernization?","GitLab uses GitLab Duo to help developers understand legacy code by providing explanations and generating new code. It also offers:\n - AI-driven security scans for detecting vulnerabilities in legacy code\n - Automated testing and remediation to enhance code security\n - Dynamic Software Bills of Materials (SBOMs) for visibility into license and security risks, including legacy components",{"header":712,"content":713},"Why is legacy code considered a security risk?","Legacy code is risky because it often uses outdated frameworks or programming languages that lack modern security measures. This makes it incompatible with the latest security tools, increasing the risk of vulnerabilities. Additionally, unsupported or end-of-life software can be easily exploited by attackers, compromising data integrity and security.",{"header":715,"content":716},"How can AI-powered code refactoring enhance legacy code security?","AI-powered code refactoring modernizes legacy systems by:\n - Identifying outdated or insecure code patterns and suggesting secure alternatives\n - Automating code improvements without altering external behavior, enhancing readability and maintainability\n - Generating security tests and analyzing root causes of vulnerabilities, enabling faster remediation\nThis approach reduces manual effort and accelerates the transition to more secure, efficient, and scalable codebases.",{"header":718,"content":719},"What are the benefits of using AI for legacy code refactoring?","Benefits include:\n - __Enhanced security__: AI identifies and mitigates vulnerabilities, improving security posture\n - __Increased productivity__: Automating repetitive tasks allows developers to focus on innovation\n - __Cost efficiency__: Reduced maintenance costs by modernizing code to work with current frameworks and tools\n - __Scalable modernization__: AI enables scalable and consistent refactoring across complex codebases, future-proofing the organization’s software assets","why-legacy-code-is-a-security-risk-and-how-ai-can-help","content:en-us:the-source:security:why-legacy-code-is-a-security-risk-and-how-ai-can-help:index.yml","en-us/the-source/security/why-legacy-code-is-a-security-risk-and-how-ai-can-help/index.yml","en-us/the-source/security/why-legacy-code-is-a-security-risk-and-how-ai-can-help/index",{"_path":725,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":726,"seo":727,"content":731,"type":486,"slug":754,"category":28,"_id":755,"_type":30,"title":728,"_source":31,"_file":756,"_stem":757,"_extension":34,"date":732,"description":729,"timeToRead":541,"heroImage":730,"keyTakeaways":733,"articleBody":737,"faq":738},"/en-us/the-source/security/security-its-more-than-culture-addressing-the-root-cause-of-common-security",{"layout":5,"template":472,"articleType":494,"author":591,"featured":329,"gatedAsset":27,"isHighlighted":6,"authorName":456},{"title":728,"description":729,"ogImage":730},"Addressing the root cause of common security frustrations","Security frustrations are often framed as a cultural issue — but leaders also need to focus on issues like tech stack complexity and vulnerability management.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464489/mragusmxl1wz8ozdaoml.png",{"title":728,"date":732,"description":729,"timeToRead":541,"heroImage":730,"keyTakeaways":733,"articleBody":737,"faq":738},"2024-10-29",[734,735,736],"The shift to authenticated scanning in vulnerability management heightens effectiveness but may divert engineering efforts towards non-critical tasks, creating a division between security and engineering teams.","A minimalist approach to software development can minimize dependencies, reduce scanner noise, and lighten the developer's load, contributing to improved software security.","Adopting a \"paved roads\" approach, which involves tested and assured design patterns based on repeatable use cases, can reduce the burden on engineering teams and increase security.","This year, GitLab’s [annual survey of DevSecOps professionals](https://about.gitlab.com/developer-survey/) uncovered several issues related to organizational culture that could be preventing deeper alignment between engineering and security teams. A majority (58%) of security respondents said they have difficulty getting development to prioritize remediation of vulnerabilities, and 52% reported that red tape often slows their efforts to quickly fix vulnerabilities. In addition, security respondents pointed to several specific frustrations related to their jobs, including difficulty understanding security findings, excessive false positives, and testing happening late in the software development process.\n\n[DevSecOps](/topics/devsecops/) promises better integration between engineering and security, but it’s clear that frustrations and misalignment persist. That’s because these challenges are symptoms of a larger problem with how organizations view security, as well as how teams work together and how they allocate time to security.\n\n## Escaping the vulnerability hamster wheel\n\nVulnerability scanning surfaces all potential vulnerabilities - however, just because a software package has a common vulnerability or exposure (CVE) doesn’t mean it’s reachable or exploitable. Security teams and developers alike are still triaging and filtering through vulnerability findings that have grown exponentially over the years since authenticated vulnerability scanning became the norm.\n\nThe move to authenticated scanning has improved the effectiveness of security programs in many ways, but it’s also put developers on an endless hamster wheel of fixing things that don’t matter. When teams waste their efforts on patches that don’t address an exploitable vulnerability, they are diverted from more critical tasks, such as patching vulnerable and exploitable flaws. That’s the source of much of the division between security and engineering teams today.\n\nSo, how can organizations address the root cause of these issues and promote better integration between engineering and security? Here are three ways to prevent common security frustrations at the source.\n\n### 1. Silence the noise, focus on actionable high-fidelity signals\n\nExcessive false positives were the second highest rated frustration identified by security respondents in our survey. False positives are clearly a challenge, but they are often a vulnerability management problem in disguise.\n\nIf an organization sees many false positives, that could be a sign that they haven’t done all they can to ensure their security findings are high-fidelity. Organizations should narrow the focus of their security efforts to what matters. That means traditional static application security testing (SAST) solutions are likely insufficient. SAST is a powerful tool but loses much of its value if the results are unmanageable or lack appropriate context. For SAST to be most effective, it must be used [seamlessly with other security and development tools and be accessible to developers](https://about.gitlab.com/blog/oxeye-joins-gitlab-to-advance-application-security-capabilities/).\n\nAnother issue is that most scanning tools have a very narrow context window for understanding vulnerability findings. This is one of the areas where AI can help with [AI-powered features that explain security vulnerabilities](https://about.gitlab.com/the-source/ai/understand-and-resolve-vulnerabilities-with-ai-powered-gitlab-duo/).\n\n### 2. Minimize the tech stack, minimize the attack surface\n\nStaying focused on what matters doesn’t just apply to security testing - it should start with how an organization builds software in the first place.\n\nAlthough AI promises to help simplify software development processes, [our survey suggests that many organizations still have a long road ahead](https://about.gitlab.com/the-source/platform/3-surprising-findings-from-our-2024-global-devsecops-survey/). In fact, respondents who are using AI were significantly more likely than those not using AI to want to consolidate their toolchain, suggesting that the proliferation of different point solutions running different AI models could be adding complexity, not taking it away.\n\nThe ever-increasing complexity of organizations’ tech stacks is a major contributor to security frustrations. Some complexity is unavoidable when building large, multi-faceted software systems. However, organizations should take steps to avoid complexity resulting from suboptimal design decisions, such as difficult-to-maintain code and redundant dependencies. This unnecessary complexity creates a larger attack surface and generates more security scan findings for teams to sort through, prioritize, and address.\n\nOrganizations should approach development through the lens of software minimization - that is, being intentional about the tools they adopt and what they decide to build into their codebases. This will help minimize dependencies, improve the security of the software supply chain, reduce scanner noise, and ease the burden on developers to fix non-critical issues.\n\n### 3. Normalize paved roads\n\nSecurity testing happening too late in the software development lifecycle was another one of the top frustrations identified by our survey respondents. Teams might be frustrated when they want to ship something and it gets delayed because a vulnerability is detected late - but in many cases it might not have been possible to detect that vulnerability any earlier. What is possible, however, is operationalizing easily deployable, reusable security components, limiting the variables and potential vulnerabilities.\n\nTeams can avoid late-stage surprises by embracing [tested and assured design patterns based on repeatable use cases](https://about.gitlab.com/the-source/platform/how-devops-and-platform-engineering-turbocharge-efficiency/): the “paved roads” approach. A paved road is a recommended path, including a curated set of tools, processes, and components, that teams can follow to build secure applications more efficiently - for example, using GitOps to version and deploy well-architected and tested Infrastructure as Code that deploys at scale for all workloads.\n\nAdopting paved roads potentially removes some flexibility, but ultimately reduces the operational burden and rework on engineering teams and increases security. This needs to be a collaborative effort between security and development. Security can help to design paved roads, but engineering has to be involved to operate and maintain them as part of the codebase.\n\n## Security is a domain, not a team{class=\"no-anchor\"}\n\nWe’re already seeing security as a practice shift into engineering teams, and we can expect the boundaries between the two to continue to blur. However, with the rapid adoption of AI and the corresponding acceleration of software development - 66% of our survey respondents said they are releasing software twice as fast or faster than last year - it will be critical for organizations to establish systems and frameworks that optimize for the greatest security benefit. That’s why the idea of a cultural disconnect between development and security isn’t the whole story. Fostering a culture of collaboration is essential, but security and engineering teams must also work together to rethink foundational aspects of software development, such as optimizing existing codebases and building scalable engineering-centric solutions that can be seamlessly adopted by technical teams across the organization.",[739,742,745,748,751],{"header":740,"content":741},"What is the “paved roads” approach to security, and why is it effective?","The [\"paved roads\" or \"golden path\" approach](https://about.gitlab.com/the-source/platform/driving-business-results-with-platform-engineering/) standardizes security best practices by providing pre-approved tools, design patterns, and infrastructure configurations that teams can follow. By using reusable, well-tested security components, organizations reduce late-stage security surprises, streamline development, and ensure applications are secure by default. This approach balances flexibility with security assurance.",{"header":743,"content":744},"How does toolchain complexity contribute to security risks?","A fragmented toolchain increases security risks by creating a larger attack surface, introducing redundant dependencies, and making security oversight more difficult. Many organizations are now consolidating their tech stacks to reduce complexity and improve security outcomes. A DevSecOps platform can help unify security, development, and operations, minimizing inefficiencies and reducing security blind spots.",{"header":746,"content":747},"Why is security shifting from a separate team to an engineering practice?","Security is increasingly being embedded within development teams to align with modern DevSecOps practices. As software releases accelerate, security must be built into the development process rather than treated as an afterthought. Organizations that integrate security into engineering workflows — through automation, AI-driven insights, and security-aware coding practices — achieve stronger, more scalable security outcomes.",{"header":749,"content":750},"How can organizations reduce security-related false positives?","False positives can be minimized by refining security testing tools, ensuring they provide actionable and high-confidence findings. AI-powered vulnerability analysis can help contextualize security issues and filter out irrelevant alerts. Additionally, consolidating security tools within a DevSecOps platform can improve accuracy by correlating security data across multiple sources.",{"header":752,"content":753},"Why do security teams struggle to get vulnerabilities prioritized?","Security teams often face challenges in getting vulnerabilities addressed because developers are overwhelmed by excessive security alerts, many of which are false positives. Without clear prioritization, teams waste time fixing non-exploitable issues instead of focusing on critical vulnerabilities. A more efficient approach involves using AI-powered security tools to surface high-fidelity signals and integrating security seamlessly into development workflows.","security-its-more-than-culture-addressing-the-root-cause-of-common-security","content:en-us:the-source:security:security-its-more-than-culture-addressing-the-root-cause-of-common-security:index.yml","en-us/the-source/security/security-its-more-than-culture-addressing-the-root-cause-of-common-security/index.yml","en-us/the-source/security/security-its-more-than-culture-addressing-the-root-cause-of-common-security/index",{"_path":759,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":760,"seo":761,"content":765,"type":486,"slug":787,"category":28,"_id":788,"_type":30,"title":762,"_source":31,"_file":789,"_stem":790,"_extension":34,"date":732,"description":763,"timeToRead":502,"heroImage":764,"keyTakeaways":766,"articleBody":770,"faq":771},"/en-us/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design",{"layout":5,"template":472,"articleType":494,"author":634,"featured":6,"gatedAsset":25,"isHighlighted":6,"authorName":455},{"title":762,"description":763,"ogImage":764},"Strengthen your cybersecurity strategy with Secure by Design","Take a closer look at Secure by Design and related concepts, and learn steps you can take today to build security into your software development processes.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463932/pnfdgovoaq5qd1yprxuc.png",{"title":762,"date":732,"description":763,"timeToRead":502,"heroImage":764,"keyTakeaways":766,"articleBody":770,"faq":771},[767,768,769],"Secure by Design, Secure by Default, and Secure by Demand proactively prevent vulnerabilities and software supply chain attacks by encouraging software manufacturers to embed security into every aspect of product design and development.","Adopting a comprehensive DevSecOps approach and creating and maintaining software bills of materials (SBOMs) are key steps to becoming Secure by Design.","Incorporating AI into the software development lifecycle can also help teams expedite development processes, resolve vulnerabilities, and create more secure products.","An organization’s approach to cybersecurity must constantly evolve as attack surfaces increase and it learns more about potential threats. Understanding that security threats can enter from any point in the software supply chain, a Secure by Design approach integrates security into the design, coding, testing, and deployment phases of software development. As the standard for U.S. federal agencies - and any organization that touches their software - Secure by Design has become a go-to benchmark for building security measures into the software development lifecycle.\n\nOver time, Secure by Design has branched off into related concepts such as _Secure by Default_ and _Secure by Demand_, which emphasize different ways of  approaching Secure by Design:\n\n- [Secure by Default](#what-is-secure-by-default) focuses on ensuring that all software products are secure out of the box.\n- [Secure by Demand](#what-is-secure-by-demand) extends Secure by Design principles to the procurement process.\n\nHere’s a closer look at Secure by Design and these related approaches, including a [step-by-step guide](#building-a-secure-by-design-cybersecurity-strategy) to how organizations can adapt their strategies to prevent security risks such as exploitable vulnerabilities and software supply chain attacks.\n\n## What is Secure by Design?\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) introduced its [Secure by Design Initiative](https://www.cisa.gov/securebydesign) in April 2023, with a focus on three key software security principles:\n\n1. Take ownership of customer security outcomes\n1. Embrace radical transparency and accountability\n1. Build organizational structure and leadership to achieve these goals\n\nSecure by Design integrates security principles and protocols into every stage of the software development process. This means that security measures are built into the design, coding, testing, and deployment phases of software development rather than being added on as an afterthought.\n\nThe goal of Secure by Design is to create a secure foundation for software systems from the very beginning, reducing vulnerabilities and potential attack surfaces.\n\n### What is Secure by Default?\nSecure by Default is an offshoot of Secure by Design that focuses on ensuring that any software or hardware is set to its most secure configuration without requiring reconfiguration by the user. Products that are Secure by Default automatically enable the most important security controls needed to protect enterprises from unauthorized access by bad actors - meaning users do not have to go through additional steps to ensure that a product is protected against prevalent exploitation techniques.\n\nSecure by Default tactics include eliminating default passwords and mandating multi-factor authentication and single sign-on to allow only authorized users access to resources. This approach also includes automatic updates and patches, as well as secure configurations for all user accounts and devices.\n\n### What is Secure by Demand?\nSecure by Demand combines Secure by Design principles with budgeting and procurement contracts in order to drive Secure by Design as a mandate for vendors as well as contractors. [CISA’s Secure by Demand Guide](https://www.cisa.gov/resources-tools/resources/secure-demand-guide) provides a set of questions and resources that software purchasers, buyers, and procurers can use to better understand a potential vendor’s approach to cybersecurity. This includes questions about the vendor's authentication practices, software supply chain security, and vulnerability disclosure and reporting.\n\nBy requiring vendors to adhere to Secure by Design principles and protocols in their products and services, organizations can help prevent potential vulnerabilities from entering their software supply chain. The Secure by Demand approach also further incentivizes vendors to continuously improve their own cybersecurity posture.\n\n## Building a Secure by Design cybersecurity strategy\nAs organizations prioritize becoming Secure by Design, steps include utilizing effective DevSecOps practices, maintaining a software bill of materials (SBOM), and incorporating AI to defend against threats entering from any point in the software development lifecycle.\n\n### Adopting DevSecOps practices\nOne of the first steps to support a Secure by Design posture is a secure software development process: developing, building, securing, and deploying software using a comprehensive DevSecOps approach.\n\nToday, many developers utilize complex toolsets to create new programs. A [recent survey by GitLab](https://about.gitlab.com/developer-survey/) found that 62% of respondents use 6 or more tools for development, and 20% use 11 or more - an inefficiency that increases risk by introducing potential security vulnerabilities.\n\nDevelopers should be able to access all the tools necessary for DevSecOps workflows in a single, easy-to-use interface. With an end-to-end solution, like a [DevSecOps platform](/platform/), organizations can implement a Secure by Design approach without increasing the security burden on developers.\n\n### Creating and maintaining SBOMs\nEmbracing transparency is another significant part of being Secure by Design. Organizations must understand what’s in their software, especially when it may include components from multiple sources.\n\n[SBOMs are essential tools for achieving this transparency](https://about.gitlab.com/blog/the-ultimate-guide-to-sboms/). They offer detailed inventories of software components, including version, license, and dependency details, that enable greater awareness of potential vulnerabilities or malicious code.\n\nMaintaining this inventory allows organizations to fully understand potential vulnerabilities and risks that could arise when elements are lifted from open source repositories and licensed third-party components. A DevSecOps platform can help [automatically generate and update SBOMs](/solutions/security-compliance/), integrate them into existing workflows, and link them to associated vulnerabilities.\n\nWhile many organizations are now using SBOMs, they must be dynamic, connected with security scanning tools, and continuously updated to be fully effective. When integrated with scanning tools and dashboards, SBOMs can provide a way to identify the risks associated with an application. Even when not required, SBOMs can support compliance with security regulations by validating that code is secure.\n\n### Using AI in software development\nAs organizations explore ways to use AI, software development workflows provide a valuable entry point to the technology, which has the potential to accelerate development processes and enhance security.\n\nOrganizations across all industries are already beginning to explore these applications: 39% of respondents [in GitLab’s survey](https://about.gitlab.com/developer-survey/2024/ai/) said they are already using AI in the software development lifecycle.\n\nApplying AI across the software development lifecycle can help organizations avoid AI-driven silos and backlogs within development workflows. AI can perform key functions such as:\n\n* Code explanation and legacy code refactoring into [memory-safe languages](https://about.gitlab.com/blog/memory-safe-vs-unsafe/)\n* [Root cause analysis for DevSecOps pipelines](https://about.gitlab.com/blog/developing-gitlab-duo-blending-ai-and-root-cause-analysis-to-fix-ci-cd/), expediting solutions for complex problems during testing\n* [Vulnerability resolution](https://about.gitlab.com/the-source/ai/understand-and-resolve-vulnerabilities-with-ai-powered-gitlab-duo/) to help reconcile known vulnerabilities, supporting more thorough remediation\n\nAs leaders integrate AI into their workflows, it is crucial to prioritize privacy and data security. An essential aspect of adopting a Secure by Design approach is to develop an [AI strategy that safeguards sensitive data and protects intellectual property rights](https://about.gitlab.com/the-source/ai/building-a-transparency-first-ai-strategy-7-questions-to-ask-your-devops/).\n\n### What’s next\nSecure by Design may soon become the default approach to creating a more trustworthy software ecosystem. The [U.S. government](https://about.gitlab.com/the-source/security/national-cybersecurity-strategy-a-wake-up-call-for-software-developers/) is currently working with software manufacturers to create frameworks that legally incentivize the private sector to produce and release Secure by Design software, driving businesses to invest more in secure technology and practices.\n\nWith robust security built into software development from the start, transparency through effective SBOMs, and AI enhancing the development process, everyone involved in the software development lifecycle will be positioned for success.",[772,775,778,781,784],{"header":773,"content":774},"What is Secure by Demand, and how does it impact vendors?","Secure by Demand extends Secure by Design principles into procurement and vendor management. It requires organizations to mandate security best practices from their software providers, ensuring that third-party products meet high cybersecurity standards. This approach minimizes supply chain risks and encourages vendors to continuously improve their security posture to remain competitive.",{"header":776,"content":777},"How does AI enhance Secure by Design practices?","AI accelerates Secure by Design by automating security tasks, such as vulnerability detection, root cause analysis, and legacy code refactoring. AI-powered tools can analyze security risks in real time, generate secure coding suggestions, and streamline DevSecOps pipelines. However, organizations must implement AI responsibly by safeguarding privacy, data security, and intellectual property rights.",{"header":779,"content":780},"How does Secure by Default differ from Secure by Design?","Secure by Default is an extension of Secure by Design, ensuring that software products come pre-configured with the highest security settings. Users don’t need to manually adjust settings or apply additional safeguards to achieve a secure environment. Examples include eliminating default passwords, enforcing multi-factor authentication, and automating security updates to protect against common exploitation techniques.",{"header":782,"content":783},"How can organizations implement a Secure by Design strategy?","To adopt a Secure by Design strategy, organizations should integrate DevSecOps practices, maintain a software bill of materials (SBOM) for transparency, and use AI-driven security tools to detect vulnerabilities early. A DevSecOps platform helps unify security and development workflows, while SBOMs provide a comprehensive inventory of software components to track dependencies and potential risks.",{"header":785,"content":786},"What is Secure by Design, and why is it important?","Secure by Design is a cybersecurity approach that integrates security into every stage of software development, from design to deployment. Instead of applying security fixes reactively, it ensures that security measures are built into the development process from the start. This proactive strategy reduces vulnerabilities, strengthens software resilience, and aligns with federal security standards, such as those established by CISA.","strengthen-your-cybersecurity-strategy-with-secure-by-design","content:en-us:the-source:security:strengthen-your-cybersecurity-strategy-with-secure-by-design:index.yml","en-us/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design/index.yml","en-us/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design/index",{"_path":792,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":793,"seo":795,"content":799,"type":486,"slug":822,"category":28,"_id":823,"_type":30,"title":796,"_source":31,"_file":824,"_stem":825,"_extension":34,"date":800,"description":797,"timeToRead":541,"heroImage":798,"keyTakeaways":801,"articleBody":805,"faq":806},"/en-us/the-source/security/how-gitlab-can-help-you-prepare-for-your-soc-2-exam",{"layout":5,"template":472,"articleType":494,"author":794,"featured":6,"isHighlighted":6,"authorName":450},"gitlab",{"title":796,"description":797,"ogImage":798},"How GitLab can help you prepare for your SOC 2 exam","Learn about features in the DevSecOps platform geared toward a SOC2 framework exam.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463759/yk7f6poowtw5y5d5oflv.png",{"title":796,"date":800,"description":797,"timeToRead":541,"heroImage":798,"keyTakeaways":801,"articleBody":805,"faq":806},"2024-07-18",[802,803,804],"Automated testing and code coverage reports enhance SOC 2 Availability and Processing Integrity.","GitLab's security scans and role-based controls ensure compliance with the SOC 2 framework, protecting data from vulnerabilities and unauthorized access.","GitLab's templates for browser and load performance testing simplify SOC 2 exams by validating application performance and security at every development stage.","GitLab customers have found that using GitLab as their platform for DevSecOps has simplified the SOC 2 exam process.  This blog reviews the SOC 2 framework and GitLab features that help customers with their SOC 2 exam.\n\n## Introduction to SOC 2\nSystem and Organization Controls 2, or [SOC 2](https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement), is a voluntary compliance standard that specifies how organizations should manage customer data. The SOC 2 exam report allows companies to provide attestation to the trustworthiness of software it offers to business customers.\n\nDeveloped by the Association of International Certified Professional Accountants (AICPA), SOC 2 focuses on five Trust Services Criteria (TSC):\n- Security - protecting customer data from vulnerabilities and unauthorized access\n- Availability - ensuring systems are fault-tolerant and performant under high loads in order to meet availability service-level agreements\n- Processing Integrity - systems function as designed without vulnerabilities, errors, or bugs\n- Confidentiality - protecting confidential information such as application source code, usernames and passwords, credit card information, etc., so that only people who need access in order to do their jobs have access to it\n- Privacy - safeguarding sensitive personally identifiable information (PII) against unauthorized users\n\nSecurity is the only required criterion for every SOC 2 exam. The other criteria can be added to the exam in cases where they are deemed critical to the services being provided.\n\n## Security TSC\nThe security criterion pertains to not only the security of servers and physical systems, but also applications. Software vulnerabilities potentially open up an application to attackers, putting customers' data at risk, but this is an area where GitLab can help.\n\nGitLab provides security scans to identify potential vulnerabilities in the applications a company builds, including the following:\n- [Static Application Security Scanning (SAST)](https://docs.gitlab.com/ee/user/application_security/sast/), which scans source code for potential bugs and vulnerabilities such as unsafe code that can lead to unintended code execution\n- [Dependency Scanning](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/), which finds security vulnerabilities in the software dependencies of an application\n- [Container Scanning](https://docs.gitlab.com/ee/user/application_security/container_scanning/), which finds security vulnerabilities in the operating system dependencies of a containerized application\n- [Dynamic Application Security Scanning (DAST)](https://docs.gitlab.com/ee/user/application_security/dast/), which finds security vulnerabilities in a running web application that make it susceptible to an attack\n- [Infrastructure as Code (IaC) Scanning](https://docs.gitlab.com/ee/user/application_security/iac_scanning/), which scans infrastructure as code configuration files, including Terraform, Ansible, AWS CloudFormation, and Kubernetes, to find security vulnerabilities\n\nGitLab also provides a [vulnerability report](https://docs.gitlab.com/ee/user/application_security/vulnerability_report/), which shows all known vulnerabilities, based on the scans above, in the current application. GitLab also provides a software bill of materials ([SBOM](https://docs.gitlab.com/ee/user/application_security/dependency_list/)) in standard CycloneDX JSON format, that shows all software-level and operating system-level dependencies and known vulnerabilities for them.\n\nHaving regular vulnerability scans and robust vulnerability reporting helps satisfy three Security criteria:\n- CC7.1 – To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.\n- CC4.1 – COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.\n- CC4.2 – COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.\n\nA crucial piece of security scans is governance and enforcement. GitLab provides features to ensure that scans are happening regularly and that software development teams are not able to circumvent them. These features include:\n- [Role-based access controls](https://docs.gitlab.com/ee/user/permissions.html) to limit who can make changes to project-level configuration settings\n- [Scan execution policies](https://docs.gitlab.com/ee/user/application_security/policies/scan-execution-policies.html) to enforce that scans run on each code repository\n- [Merge request approval policies](https://docs.gitlab.com/ee/user/application_security/policies/merge_request_approval_policies.html) to ensure that scan results are reviewed and approved by the appropriate security stakeholders so that newly found vulnerabilities are not being introduced into deployed software\n- [Compliance reports](https://docs.gitlab.com/ee/user/application_security/) to show any changes to GitLab configurations that may violate security processes put in place\n\nWith these configurations in place, organizations can prove that software security is a top priority for their applications and security practices are being enforced.\n\n## Availability and Processing Integrity TSCs\nGitLab can also help with Availability and Processing Integrity TSCs. These criteria focus on the quality and performance of the application itself. To support these criteria, GitLab provides:\n- Unit test results and code coverage changes in the form of [code coverage reports](https://docs.gitlab.com/ee/ci/testing/code_coverage.html), which ensure that source code is being validated by a test suite\n- [Code quality](https://docs.gitlab.com/ee/ci/testing/code_quality.html), which analyzes the source code quality and complexity for ease of readability and maintainability\n\nWhile the above software development practices are used early in the software development lifecycle to ensure high-quality, tested code, GitLab additionally provides templates for various types of automated tests for a running application to ensure it is working as expected. These tests include:\n- [Browser performance testing](https://docs.gitlab.com/ee/ci/testing/browser_performance_testing.html), which measures the load time for web sites during the development lifecycle to test the impact of any ocde changes on browser performance\n- [Load performance testing](https://docs.gitlab.com/ee/ci/testing/load_performance_testing.html), which measures the system performance of an application's backend during the development lifecycle to test the impact of any code changes on performance\n- [Coverage-guided fuzz testing](https://docs.gitlab.com/ee/user/application_security/coverage_fuzzing/), which sends unexpected, malformed, or random data to an application and then monitors it for unstable behaviors and crashes\n- [Web API fuzz testing](https://docs.gitlab.com/ee/user/application_security/api_fuzzing/), which sends unxpected, malformed, or random data to API endpoints to look for bugs and security issues\n\nBy focusing on strong DevSecOps practices with GitLab to build high-quality, secure applications, organizations are able to more easily pass a SOC 2 exam to attest to the security of customer data.\n\n> **Learn more: [Strengthen your cybersecurity posture](https://about.gitlab.com/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design/) with Secure by Design principles.**",[807,810,813,816,819],{"header":808,"content":809},"How does GitLab help organizations achieve SOC 2 compliance?","GitLab supports SOC 2 compliance by providing advanced security scans (SAST, DAST, dependency scanning, and IaC scanning), vulnerability reporting, and role-based access controls. These features help organizations detect and mitigate security risks while maintaining robust internal controls and audit trails to demonstrate compliance.",{"header":811,"content":812},"How do GitLab's compliance features enhance governance and enforcement for SOC 2?","- Role-based access controls to limit configuration changes\n- Scan execution policies to mandate regular security scans\n- Merge request approval policies to review and approve vulnerabilities\n- Compliance reports to track configuration changes and ensure adherence to security policies",{"header":814,"content":815},"Which Trust Services Criteria (TSC) are covered by GitLab's security features?","GitLab helps organizations meet the Security, Availability, and Processing Integrity TSCs by providing:\n - Security scans to detect vulnerabilities\n - Role-based access controls and compliance reports to enforce security policies\n - Performance and code quality tests to ensure application integrity and availability",{"header":817,"content":818},"What are the benefits of using GitLab for SOC 2 exam preparation?","Using GitLab for SOC 2 exam preparation streamlines compliance by integrating security scans, vulnerability management, and compliance reporting within a single platform. This holistic approach reduces manual effort, ensures consistent security practices, and enhances the organization's ability to pass the SOC 2 exam with confidence.",{"header":820,"content":821},"What is SOC 2 compliance and why is it important for software companies?","SOC 2 is a voluntary compliance standard that specifies how organizations should manage customer data, focusing on security, availability, processing integrity, confidentiality, and privacy. It demonstrates trustworthiness and data protection to business customers, enhancing credibility and ensuring compliance with industry standards.","how-gitlab-can-help-you-prepare-for-your-soc-2-exam","content:en-us:the-source:security:how-gitlab-can-help-you-prepare-for-your-soc-2-exam:index.yml","en-us/the-source/security/how-gitlab-can-help-you-prepare-for-your-soc-2-exam/index.yml","en-us/the-source/security/how-gitlab-can-help-you-prepare-for-your-soc-2-exam/index",{"_path":827,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":828,"seo":830,"content":834,"type":486,"slug":841,"category":28,"_id":842,"_type":30,"title":831,"_source":31,"_file":843,"_stem":844,"_extension":34,"date":835,"description":832,"heroImage":833,"keyTakeaways":836,"articleBody":840},"/en-us/the-source/security/whitepaper-taking-the-complexity-out-of-compliance-frameworks",{"layout":5,"template":472,"articleType":473,"featured":6,"gatedAsset":829,"isHighlighted":6,"authorName":-1},"pf-taking-the-complexity-out-of-compliance-frameworks",{"title":831,"description":832,"ogImage":833},"Taking the complexity out of compliance frameworks","Explore the importance of proactive compliance in today's cyber threat landscape and learn how an integrated DevSecOps strategy can fortify your defense.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464259/qpwx0cpn26ltfnb7qcke.png",{"title":831,"date":835,"description":832,"heroImage":833,"keyTakeaways":836,"articleBody":840},"2024-07-01",[837,838,839],"In the face of escalating cyber risk and rigorous regulatory requirements, organizations must adopt strategic, proactive approaches to cybersecurity, shifting from manual methods to automated DevSecOps platforms.","The White House Cybersecurity Executive Order 14028 and regulatory frameworks like the NIST SSDF highlight the need for software companies to prioritize security over speed, mitigating security risks through enhanced quality and secure supply chains.","Despite the complexities of regulation, organizations can achieve time and cost efficiencies by embedding compliance requirements from the inception of software development, utilizing advanced tools to seamlessly integrate security practices.","In today’s landscape, cyber attacks pose a threat to all organizations, particularly for those linked to the U.S. government, where digital vulnerabilities can swiftly escalate to national security issues. Amidst evolving global regulations, federal agencies and other organizations face challenges in keeping up with new regulatory frameworks and enforcement trends.\n\nAs cyber threats grow more sophisticated, regulatory bodies are intensifying their security mandates, such as the White House Cybersecurity Executive Order 14028. Non-compliance carries hefty penalties, emphasizing the need for specific cybersecurity protocols. Navigating complex regulatory requirements demands a strategic, agile approach. Manual methods are no longer sufficient; organizations need an end-to-end DevSecOps platform, like GitLab, that embeds security throughout the software development lifecycle and automates manual tasks. Forward-thinking organizations prioritize proactive compliance, utilizing advanced tools to mitigate cybersecurity risks and embed security practices seamlessly into the development process.\n\nHistorically, software companies have prioritized speed at the expense of security, leaving vulnerabilities in their products. This trend stems from the demand for rapid releases and has become particularly prominent with the widespread adoption of DevOps practices. White House Cybersecurity Executive Order 14028 intensified the push for software manufacturers to enhance quality and secure their software supply chains. As an outcome of this mandate, security compliance frameworks, such as the Secure Software Development Framework, or NIST SSDF, aim to ease the burden of managing security compliance.\n\nHowever, the responsibility still rests on the industry, rather than regulatory bodies, to shift towards a culture of building secure software from inception. While the goals of most regulatory programs enjoy broad public support, in practice, regulation involves manual and siloed processes that can be costly and complex to navigate. To proactively address this challenge, organizations should embed compliance requirements and industry standards into the development process from the outset. By codifying these requirements and seamlessly integrating compliance and security controls throughout the software development lifecycle, organizations can realize significant time and cost efficiencies.","whitepaper-taking-the-complexity-out-of-compliance-frameworks","content:en-us:the-source:security:whitepaper-taking-the-complexity-out-of-compliance-frameworks:index.yml","en-us/the-source/security/whitepaper-taking-the-complexity-out-of-compliance-frameworks/index.yml","en-us/the-source/security/whitepaper-taking-the-complexity-out-of-compliance-frameworks/index",{"_path":846,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":847,"seo":848,"content":852,"type":486,"slug":860,"category":28,"_id":861,"_type":30,"title":849,"_source":31,"_file":862,"_stem":863,"_extension":34,"date":853,"description":850,"timeToRead":854,"heroImage":851,"keyTakeaways":855,"articleBody":859},"/en-us/the-source/security/10-tips-to-prioritize-security-in-software-development",{"layout":5,"template":472,"articleType":494,"author":794,"featured":6,"isHighlighted":6,"authorName":450},{"title":849,"description":850,"ogImage":851},"10 tips to prioritize security in software development","Follow this advice to shift security earlier in the development cycle for greater efficiency and more secure software.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464607/pmqkaclogv0y5tf4hk3t.png",{"title":849,"date":853,"description":850,"timeToRead":854,"heroImage":851,"keyTakeaways":855,"articleBody":859},"2024-04-16","2 min read",[856,857,858],"Shifting left enhances software security by detecting vulnerabilities early in the SDLC.","GitLab integrates security into DevSecOps for proactive risk management.","Streamline processes with GitLab to improve speed and compliance in development.","Cyber attacks and cybersecurity threats continue to be one of the highest priorities for organizations. As such, the developer's role continues to evolve. Over half of respondents surveyed in GitLab’s [2024 Global DevSecOps Survey](https://about.gitlab.com/developer-survey/) said they are responsible for application security as part of a larger team - signaling that security practices are continuing to shift left.\n\nShifting left - designing software with security best practices built in to detect and fix vulnerabilities earlier in the software development lifecycle (SDLC) - enables teams to run more efficiently and release software faster.\n\nWhile 67% of the security professionals GitLab surveyed said they have either shifted left or plan to in the next three years, you may be unsure how to get started.\n\nHere are 10 tips to help your teams shift left for more efficient DevSecOps:\n\n### 1. Measure time\n\nHow much time is lost remediating vulnerabilities after code is merged? Measure this, then look for a pattern in the type or source of those vulnerabilities, and make the necessary adjustments for improvement.\n\n### 2. Identify bottlenecks\n\nWhere are the pain points and bottlenecks between security protocols and processes? Identify these, and then create and execute a resolution plan.\n\n### 3. Start small\n\nMake small code changes - they are easier to review, secure, and launch more quickly than large project changes.\n\n### 4. Eliminate waterfall\n\nAre people still holding on to waterfall-style security processes within the SDLC? Eliminating or reducing waterfall will help your organization prevent the struggle to change direction as needs arise.\n\n### 5. Automate scans\n\nAre manual processes slowing down and hampering the process of discovering vulnerabilities? Automate findings into a merge request for easier review, finding sources, and accessibility for developers to address.\n\n### 6. Update workflows\n\nAre security scans included in your developers’ workflow? Building and integrating security into developer workflows enable them to find and fix vulnerabilities before the code ever leaves their hands.\n\n### 7. Demonstrate compliance\n\nIs unplanned and unscheduled work delaying releases? Automating and implementing compliance frameworks help with consistency across development environments, teams, and applications.\n\n### 8. Empower devs with security reports\n\nDo your developers have access to SAST and DAST reports? These valuable tools help dev teams build secure coding practices, fixing vulnerabilities as part of their workflow.\n\n### 9. Let teams work smarter\n\nEmpower the security team to work smarter with security dashboards into both resolved and unresolved vulnerabilities, where the vulnerabilities reside, who created them, and their status for remediation.\n\n### 10. Ditch the toolchain\n\nStreamline and reduce your toolchain so that employees can focus their attention on a single interface - a single source of truth.\n\n## Shift left with GitLab\n\nGitLab helps you initiate a proactive security strategy to discover vulnerabilities earlier in the SDLC. Security and compliance are embedded within the GitLab DevSecOps platform, with an end-to-end work-flow that enables you to understand and manage risk. Automatically scan for vulnerabilities on a feature branch so you can remediate vulnerabilities before pushing to production.\n\nGitLab has a history of supporting the DevSecOps initiatives of U.S. federal, state, and local government agencies, vendors, and educational institutions with one end-to-end software development platform that meets strenuous security and compliance requirements. Learn more about [how GitLab can help you shift left](https://about.gitlab.com/solutions/public-sector/) and secure your speed to mission.","10-tips-to-prioritize-security-in-software-development","content:en-us:the-source:security:10-tips-to-prioritize-security-in-software-development:index.yml","en-us/the-source/security/10-tips-to-prioritize-security-in-software-development/index.yml","en-us/the-source/security/10-tips-to-prioritize-security-in-software-development/index",{"_path":865,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":866,"seo":868,"content":873,"type":486,"slug":893,"category":28,"_id":894,"_type":30,"title":869,"_source":31,"_file":895,"_stem":896,"_extension":34,"date":874,"description":870,"timeToRead":541,"heroImage":871,"keyTakeaways":875,"articleBody":879,"faq":880},"/en-us/the-source/security/how-to-implement-secret-management-best-practices-with-gitlab",{"layout":5,"template":472,"articleType":494,"author":867,"featured":6,"isHighlighted":6,"authorName":454},"jlongo",{"title":869,"description":870,"ogImage":871,"config":872},"How to implement secret management best practices with GitLab","Learn how companies tasked with storage and protection of customer data can reduce risk and increase trust with secure secret management.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463593/wgbh2snwpsyle9jom1k1.png",{"ignoreTitleCharLimit":329},{"title":869,"date":874,"description":870,"timeToRead":541,"heroImage":871,"keyTakeaways":875,"articleBody":879,"faq":880},"2024-03-12",[876,877,878],"Insecure secret management risks data breaches; GitLab's native integration enhances security.","Auditable and attributable secret management allows security teams to monitor for anomalous or malicious activity and quickly respond.","GitLab supports secret storage and usage with robust access controls and detection tools.","Insecure secret management practices (SMPs) pose a significant risk to any company, especially those tasked with the storage and protection of their customers' data. It's a common problem, and it is often at the core of a company's risk register. A leaked secret can result in a loss of confidentiality and potentially a data breach. These types of incidents can lead to significant financial losses and a loss of trust amongst an entity's customer base.\n\nFor many companies, insecure SMPs may result from a lack of expertise or being unaware of the tools and strategies that exist to solve this issue. Appropriate SMPs can help reduce the potential for compromise and increase trust in an organization's secret management strategy. In this post, we will discuss secret management best practices, GitLab's ability to support those practices, and our strategy for improving the DevSecOps platform's native secret management capabilities.\n\n## Develop a cryptographic strategy\n\nEvery company needs a cryptographic strategy as a foundation to ensure developers are operating in a standardized way and all applications and their components are being developed in accordance with the company's cryptographic requirements.\n\nUnderstanding the data your company processes, and your company's risk tolerance and threat landscape will help you develop a strong cryptographic strategy.\n\n### Secret generation\n\nSecrets, including access tokens and SSH keys, should be generated using cryptographic devices such as Hardware Security Modules (HSM). These devices help generate cryptographically strong secrets and store them in a tamper- and intrusion-resistant manner.\n\nWhile relying on physical devices can be costly and operationally prohibitive for companies, the leading cloud service providers offer cloud HSM services – for example, [AWS CloudHSM](https://aws.amazon.com/cloudhsm/) and [GCP Cloud HSM](https://cloud.google.com/kms/docs/hsm).\n\n### Secret storage\n\nStoring secrets is just as critical as generating them. Generated secrets must be stored in a manner that supports secure long-term storage and enables users to securely retrieve and use them when necessary.\n\nThe leading cloud service providers, as well as security companies such as [HashiCorp](https://www.vaultproject.io/), offer cloud-based services for securely storing and retrieving secrets. These services enable users to seamlessly leverage secrets within their processes and code, thereby eliminating the need to hardcode secrets.\n\n#### How does GitLab support secret storage?\n\nGitLab provides native support for the following [secret management providers](https://docs.gitlab.com/ee/ci/secrets/index.html):\n\n- Vault by HashiCorp\n- Google Cloud Secret Manager\n- Azure Key Vault\n\nBy configuring GitLab to connect with a secret management provider, secrets are explicitly requested only when needed by a CI job. When secrets aren't needed by CI jobs, they remain securely stored in the secret management service's environment, thereby reducing the potential for compromise. In addition to native support for the above secret management providers, GitLab also offers [OIDC authentication](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html) to authenticate against other providers (i.e. AWS Secret Manager). This is a much more secure and preferred method of storing secrets when compared to storing and [masking](https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variable) secrets as CI/CD variables.\n\n### Secret use\n\nSecrets should be used for a single purpose. Reusing secrets across different applications or services increases the potential for exposure and increases the impact if the secrets are compromised.\n\nTo reduce the potential for exposure or malicious activity, access to secrets should be controlled with the [principle of least privilege](https://about.gitlab.com/blog/the-ultimate-guide-to-least-privilege-access-with-gitlab/) in mind. Access should only be granted to the individuals or services that require such access in order to support their work and operational activities.\n\n#### How does GitLab support secret use?\n\nGitLab provides administrators with a strong [role-based access control model](https://docs.gitlab.com/ee/user/permissions.html) and also offers the ability to create [custom roles](https://docs.gitlab.com/ee/user/custom_roles.html), thereby allowing administrators to align access profiles with their organizational standards and risk tolerance.\n\nGitLab also allows users to perform [secret detection](https://docs.gitlab.com/ee/user/application_security/secret_detection/) to check for unintentionally committed secrets and credentials. GitLab Ultimate users can enforce [automatic responses to leaked secrets](https://docs.gitlab.com/ee/user/application_security/secret_detection/automatic_response/), such as revoking the secret, to mitigate the impact of leaked credentials.\n\n### Auditability\n\nAccess and use of secrets should be auditable and attributable. In an ideal scenario, individuals would not have access to view secrets in plaintext, but the state of a company's operations are not always ideal.\n\nAuditable and attributable secret management allows security teams to monitor for anomalous or malicious activity, and quickly respond to such activity through automated and manual intervention.\n\n#### How does GitLab support auditability?\n\nGitLab's [audit events](https://docs.gitlab.com/ee/administration/audit_events.html) capture activities related to tokens and keys that are created within GitLab. Some examples include:\n\n- personal access token events\n- deploy token events\n- cluster agent token events\n\nThese activities are saved to the database and are also available for [audit event streaming](https://docs.gitlab.com/ee/administration/audit_event_streaming/) for GitLab Ultimate customers.\n\n## Upcoming: GitLab Secret Manager\n\nGitLab plans to launch a native secret management experience in late 2024. GitLab Secret Manager is a multi-tenant, cloud-based solution and will be accessible to both GitLab.com and self-managed customers via our Cloud Connector service. This new service offers an easy-to-use interface, consistent with the current CI/CD variables interface, making adoption easier than a third-party product with a minimal learning curve. The GitLab Secret Manager will ensure the security and protection of sensitive information in your CI pipelines.\n\n> For more information or questions about GitLab Secret Manager, please visit our [MVC epic](https://gitlab.com/groups/gitlab-org/-/epics/10723) and leave a comment.",[881,884,887,890],{"header":882,"content":883},"What are the best practices for generating and using secrets?","- __Secret Generation__: Use cryptographic devices like Hardware Security Modules (HSMs) for generating strong secrets. Cloud HSM services (e.g., AWS CloudHSM, GCP Cloud HSM) offer cost-effective, tamper-resistant secret generation.\n- __Secret Use__: Implement the principle of least privilege, ensuring secrets are used for a single purpose and accessed only by authorized users or services. Refrain from hardcoding secrets to minimize exposure.",{"header":885,"content":886},"What is secret management and why is it important for software security?","Secret management involves securely storing, accessing, and using sensitive information such as API keys, access tokens, and passwords. Proper secret management prevents unauthorized access, reduces the risk of data breaches, and ensures the confidentiality and integrity of sensitive data in software development and deployment processes.",{"header":888,"content":889},"How does GitLab help with secret detection and auditability?","GitLab provides secret detection to check for inadvertently committed secrets and credentials. Administrators can enforce automated responses, such as revoking leaked secrets, to minimize security risks. Additionally, audit events capture and stream activities related to token and key usage, enabling continuous monitoring and anomaly detection.",{"header":891,"content":892},"How does GitLab support secure secret storage and retrieval?","GitLab integrates with leading secret management providers, including Vault by HashiCorp, Google Cloud Secret Manager, and Azure Key Vault. These integrations allow secrets to be securely stored and explicitly retrieved only when needed by CI jobs, reducing the risk of exposure and unauthorized access.","how-to-implement-secret-management-best-practices-with-gitlab","content:en-us:the-source:security:how-to-implement-secret-management-best-practices-with-gitlab:index.yml","en-us/the-source/security/how-to-implement-secret-management-best-practices-with-gitlab/index.yml","en-us/the-source/security/how-to-implement-secret-management-best-practices-with-gitlab/index",{"_path":898,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":899,"seo":901,"content":905,"type":486,"slug":912,"category":28,"_id":913,"_type":30,"title":902,"_source":31,"_file":914,"_stem":915,"_extension":34,"date":906,"description":903,"heroImage":904,"keyTakeaways":907,"articleBody":911},"/en-us/the-source/security/field-guide-to-threat-vectors-in-the-software-supply-chain",{"layout":5,"template":472,"articleType":473,"featured":6,"gatedAsset":900,"isHighlighted":6,"authorName":-1},"pf-a-field-guide-to-threat-vectors-in-the-software-supply-chain",{"title":902,"description":903,"ogImage":904},"A field guide to threat vectors in the software supply chain","Discover how to safeguard against software supply chain attacks by identifying and mitigating potential threats at each stage of the development lifecycle.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464282/r2ovpvmizpkcngy9kzqu.png",{"title":902,"date":906,"description":903,"heroImage":904,"keyTakeaways":907,"articleBody":911},"2024-03-08",[908,909,910],"The software supply chain, including source code, third-party dependencies, build pipeline, and post-release configurations, is a complex web of relationships vulnerable to attacks at any stage.","Implementing zero trust principles, such as continuous validation, securing access, and verifying dependencies, is key to securing each stage of the software supply chain.","DevOps teams need to understand common types of supply chain threats and adopt measures to mitigate these risks within their software development lifecycle.","Software isn’t developed in a vacuum. An entire ecosystem of components - the software supply chain - is involved in building, testing, and delivering software. This ecosystem offers fertile ground for developing new applications, with a wealth of open source packages, libraries, tools, and processes. However, there are significant challenges as well. The software supply chain is a complicated web of relationships, dependencies, and potential vulnerabilities that can be exploited by attackers. Recent high-profile incidents have highlighted the difficulty organizations face in keeping up with evolving security threats and changing compliance regulations, prompting them to reassess how they maintain software supply chain security.\n\n## Understanding the threats\nThreats can infiltrate the software supply chain at four key points: through security vulnerabilities in the software's source code, vulnerabilities in dependencies like open source components, vulnerabilities in the software build pipeline, and insecure configurations post-release.\n\n- **Compromised source control**: The source code is the foundation of the supply chain, and it is essential to ensure the source code’s security and integrity by closely managing who has access to the code and how changes to the code are reviewed and merged. If attackers gain unauthorized access to source code management (SCM) systems, they can take over source code repositories, impersonate users, and modify downstream aspects of the software build process, such as the CI/CD pipeline.\n- **Risky open source dependencies**: Just as failing to manage the quality of goods used in a manufacturing process will jeopardize the quality of the final product, using open source code without validating the quality and security of that code can increase the attack surface and open the door to cyber attacks. Risky dependencies can either be unintentional flaws in third-party components that are found and exploited by attackers, or malicious code deliberately inserted by attackers into public libraries and open source software to gain access to downstream targets.\n- **Compromised build pipeline**: The build pipeline is the assembly line of the software supply chain: where all the software components are assembled into a deployable package. If the build pipeline is compromised, attackers can inject malicious code into the build process and thereby distribute that code to downstream components of the software, including end users.\n- **Insecure web applications**: Even without direct access to source code, dependencies, and build pipelines, attackers can still exploit weaknesses in an application’s design or security configurations.\n\n## Improve your security posture with zero trust\nTo improve software supply chain security, organizations must enforce zero trust principles by:\n\n- Securing access to resources, including source code, with multi-factor authentication, authorization, and continuous validation of all human and machine identities within the environment.\n- Verifying that no open source or other dependencies used in software contain known vulnerabilities.\n- Preventing bad actors from gaining unauthorized access to build pipelines and rigorously testing configurations and APIs for weaknesses.\n\n## Strategies for securing the software supply chain\nUltimately, it’s essential to scrutinize everything and everyone - human, machine, open source components, or application configurations - for potential security threats. This guide will equip DevOps and security teams with the knowledge they need to understand the various types of attack vectors and identify steps to mitigate risks by establishing zero trust.\n\nAs you navigate through the guide, consider whether your organization is prepared to identify and address each type of supply chain attack vector - compromised source control, risky open source dependencies, compromised build pipelines, and insecure web applications - and evaluate how to incorporate software supply chain security into your development process, especially in the face of evolving security challenges and compliance demands.","field-guide-to-threat-vectors-in-the-software-supply-chain","content:en-us:the-source:security:field-guide-to-threat-vectors-in-the-software-supply-chain:index.yml","en-us/the-source/security/field-guide-to-threat-vectors-in-the-software-supply-chain/index.yml","en-us/the-source/security/field-guide-to-threat-vectors-in-the-software-supply-chain/index",{"_path":917,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":918,"seo":920,"content":925,"type":486,"slug":933,"category":28,"_id":934,"_type":30,"title":921,"_source":31,"_file":935,"_stem":936,"_extension":34,"date":926,"description":922,"timeToRead":927,"heroImage":923,"keyTakeaways":928,"articleBody":932},"/en-us/the-source/security/gitlab-second-front-systems-speed-secure-development-on-dod-networks",{"layout":5,"template":472,"articleType":494,"author":919,"featured":6,"isHighlighted":6,"authorName":463},"sandra-gittlen",{"title":921,"description":922,"ogImage":923,"config":924},"GitLab, Second Front Systems speed secure development on DoD networks","GitLab Ultimate leverages Second Front and AWS GovCloud to help orgs deliver software compliant with DoD Impact Levels 4 and 5.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464683/ixbliffzohn65bn0afmb.png",{"ignoreTitleCharLimit":329},{"title":921,"date":926,"description":922,"timeToRead":927,"heroImage":923,"keyTakeaways":928,"articleBody":932},"2023-11-28","4 min read",[929,930,931],"GitLab and Second Front Systems teamed up to help orgs deliver solutions compliant with the U.S. Department of Defense Impact Levels 4 and 5.","Impact Level 4 and 5 customers benefit from GitLab's code collaboration and management, advanced security scanning, and more.","Organizations can leverage the DevSecOps platform in a managed and accredited cloud deployment of GitLab Ultimate.","GitLab and Second Front Systems are partnering to bring the power of GitLab’s AI-powered DevSecOps platform to organizations striving to deliver solutions compliant with U.S. Department of Defense Impact Levels 4 and 5. GitLab Ultimate is leveraging Second Front and AWS GovCloud (US) to create a managed cloud environment for highly secure software development.\n\n[Second Front](https://www.secondfront.com/) provides an offering called [Game Warden](https://www.secondfront.com/game-warden) that enables the delivery of commercial SaaS to the government with built-in accreditation. Game Warden is a DoD-compliant DevSecOps platform-as-a-service (PaaS) that accelerates software delivery onto DoD networks while supporting modern DevSecOps practices and adhering to stringent cybersecurity controls. Game Warden enables hosted applications to inherit an Authority to Operate (ATO) while running on the platform and meet the stringent requirements of higher impact levels, including Levels 4 and 5.\n\n## Understanding Impact Levels 4 and 5\n\nImpact levels, as defined by the DoD, categorize information systems based on the potential impact that a breach could have on national security. Impact Levels 4 and 5 represent systems that handle classified information at the controlled unclassified level, with Impact Level 5 including information used for national security systems. Achieving compliance at these levels demands robust security measures and stringent controls to protect sensitive data.\n\n## GitLab: A comprehensive DevSecOps solution\n\nBringing the power of [GitLab’s AI-powered DevSecOps platform](https://about.gitlab.com/why-gitlab/) to an accredited cloud environment like AWS GovCloud enables developers to leverage the benefits of the cloud and GitLab while working to continuously deliver capabilities for national security use cases.\n\nHere are the GitLab features that benefit Impact Level 4 and 5 customers:\n\n**Code collaboration and management**\n- GitLab Ultimate offers powerful version control features, enabling teams to collaboratively manage code repositories securely.\n- Merge requests, code reviews, and collaboration tools facilitate efficient development workflows while maintaining a focus on security.\n\n**Advanced security scanning**\n- Security and compliance capabilities are built into GitLab Ultimate. With support for Impact Levels 4 and 5, organizations can leverage advanced security scanning tools to identify and remediate vulnerabilities early in the development process.\n- Organizations can identify vulnerabilities with a broad range of security tools such as static application security testing (SAST), dynamic application security testing (DAST), fuzz testing, API security, and dependency scanning.\n\n**Compliance and audit trails**\n- Meeting the stringent compliance requirements of Impact Levels 4 and 5 is simplified with GitLab Ultimate.\n- The platform provides comprehensive audit trails and system-wide reporting to ensure transparency and accountability in the development process.\n\n**Container and Kubernetes orchestration**\n- GitLab Ultimate supports secure container registries and Kubernetes integration, aligning with modern development practices.\n- GitLab Ultimate also supports infrastructure as code security scanning.\n\n**CI/CD pipelines with security gates**\n- GitLab's continuous integration/continuous delivery (CI/CD) pipelines now include enhanced security gates, ensuring that only secure code is deployed into production environments.\n\n**AI-powered workflows**\n- GitLab Duo Chat simplifies the software development journey by assisting in daily tasks such as code assistance and issue management.\n- Value Stream Forecasting predicts productivity metrics and identifies anomalies across the software development lifecycle.\n- AI can help developers remediate vulnerabilities more efficiently with GitLab Duo Vulnerability Summary.\n\n## Get started\n\nGitLab Ultimate's availability in a managed cloud environment at Impact Levels 4 and 5 marks a significant milestone in the realm of secure software development on AWS GovCloud. Organizations can now benefit from a single, integrated DevSecOps platform that seamlessly combines collaboration, code management, and advanced security features in a managed and accredited cloud deployment of GitLab Ultimate.\n\nAs the software development landscape continues to evolve, GitLab's commitment to security and compliance positions it as a leader in empowering organizations to build and deploy software with confidence at the highest security levels.\n\nTo learn how you can get started with GitLab’s DevSecOps platform for your secure projects, [contact us to set up a call and demo today](https://about.gitlab.com/sales/).\n\n> Next up: Discover how to [strengthen your cybersecurity posture](https://about.gitlab.com/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design/) with Secure by Design principles.","gitlab-second-front-systems-speed-secure-development-on-dod-networks","content:en-us:the-source:security:gitlab-second-front-systems-speed-secure-development-on-dod-networks:index.yml","en-us/the-source/security/gitlab-second-front-systems-speed-secure-development-on-dod-networks/index.yml","en-us/the-source/security/gitlab-second-front-systems-speed-secure-development-on-dod-networks/index",{"_path":938,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":939,"seo":941,"content":946,"type":486,"slug":970,"category":28,"_id":971,"_type":30,"title":942,"_source":31,"_file":972,"_stem":973,"_extension":34,"date":947,"description":943,"timeToRead":948,"heroImage":944,"keyTakeaways":949,"articleBody":953,"faq":954},"/en-us/the-source/security/enterprise-scale-security-and-compliance-policy-management-in-the-ai-era",{"layout":5,"template":472,"articleType":494,"author":940,"featured":6,"isHighlighted":6,"authorName":451},"grant-hickman",{"title":942,"description":943,"ogImage":944,"config":945},"Enterprise-scale security and compliance policy management in the AI era","A look at how GitLab Security Policy Management can help your security and compliance keep up with the pace of software development.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464499/qriml3qncnibzphitcax.png",{"ignoreTitleCharLimit":329},{"title":942,"date":947,"description":943,"timeToRead":948,"heroImage":944,"keyTakeaways":949,"articleBody":953,"faq":954},"2023-10-17","8 min read",[950,951,952],"Security teams struggle to keep pace with rapid software development, intensified by AI; effective vulnerability management becomes crucial to ensure robust security.","GitLab's security policies automate compliance, fostering collaboration between AppSec and development teams for efficient vulnerability detection and remediation.","Prioritization techniques like CVSS and risk-based scoring help manage vulnerabilities, ensuring focus on critical issues amid increasing AI-generated code vulnerabilities.","Security teams have been challenged to keep up with the pace of software development. And they continue to face obstacles such as leaders who errantly overlooked the importance of security in the development process and the gearing ratio of developers to security personnel. Now AI is here - pushing that pace even more. The speed of development will only increase as companies scale to enterprise levels. Therefore, the security tools used to govern development processes must match that growth.\n\nApplication security teams need to effectively manage and prioritize vulnerabilities. With [GitLab's security policies](https://docs.gitlab.com/ee/user/application_security/policies/), along with our suite of security tools, organizations can foster collaboration between AppSec and development teams, enabling efficient vulnerability detection, triage, and remediation. Security policies also provide a mechanism for automating security compliance and managing it at enterprise scale.\n\nWhile scanning more potential sources of vulnerabilities offers greater opportunities for early detection and issue resolution, the sheer volume of findings can overwhelm AppSec teams. Identifying what is actionable is only becoming more of a challenge as we collectively gain insight into vulnerabilities from additional scanning.\n\n## Processes for vulnerability management triage\nToday, there are a few common approaches to handling vulnerability triage:\n\n- **Common Vulnerability Scoring System:** CVSS provides a standardized method for assessing vulnerability severity. By leveraging CVSS scores, organizations can prioritize vulnerabilities based on their potential impact and allocate resources accordingly.\n\n- **Risk-based scoring:** Risk-based scoring allows organizations to assess vulnerabilities based on their likelihood of exploitation and potential business impact. By considering contextual factors, such as asset value, threat actor capabilities, and exploit prevalence, organizations can effectively prioritize vulnerabilities.\n\n- **Threat modeling:** Threat modeling is an approach that involves identifying and evaluating potential threats to an application or system. By conducting a comprehensive analysis of the system's architecture, data flow, and potential attack vectors, organizations can prioritize vulnerabilities based on their relevance to likely threats. This approach helps allocate resources effectively by focusing on vulnerabilities that are more likely to be exploited.\n\n- **Business Impact Analysis (BIA):** BIA is a technique used to assess the potential impact of vulnerabilities on business operations and objectives. It involves identifying critical assets, evaluating their importance to the organization, and quantifying the potential consequences of a successful attack. By considering the potential financial, reputational, and operational impact, organizations can prioritize vulnerabilities that pose the most significant risk to their core business functions.\n\nAs the proliferation of AI-generated code increases, so does the number of unintentional vulnerabilities that are introduced. Techniques such as these become vital in helping businesses triage and understand how to prioritize. So how do we take these conceptual frameworks and apply them in the real world? Let's explore how we can put these techniques into practice.\n\n## Security policy management\n[Security policies](https://docs.gitlab.com/ee/user/application_security/policies/) are the answer for decomposing business-level policies and compliance requirements into tangible operating instructions that are baked into your DevSecOps practices and the software development lifecycle. By creating rules within GitLab's security policies, organizations can define granular criteria for vulnerability assessment, ensuring that only actionable findings are flagged for further attention.\n\nSecurity policies allow you to execute on your security and compliance requirements and best practices by instantiating them in code. [Scan execution policies](https://docs.gitlab.com/ee/user/application_security/policies/scan-execution-policies.html) enforce scanners to run within specific projects based on your needs and requirements, ensuring that any vulnerabilities and exposures are detected before merging code to production.\n\nYou can also leverage [merge request approval policies](https://docs.gitlab.com/ee/user/application_security/policies/merge_request_approval_policies.html) to create customized workflows to address vulnerabilities. The policies evaluate security and compliance scanner results to prevent or block merge requests from merging unless they’ve been thoroughly reviewed and approved based on the rules you’ve defined.\n\nBy utilizing merge request approval policies and scan execution policies, you can add a layer of oversight into the development process. This can ensure that code written by humans - or otherwise - has been automatically scanned and that policy violations encourage collaboration between Engineering and AppSec where it's most actionable.\n\n### Define granular rules in merge request approval policies\nTo take it a step further, you can define granular rules within merge request approval policies based on the filters and attributes shared below. These rules can help you determine which vulnerabilities are most actionable and find a signal in the static:\n\n- **Vulnerability status:** Security policies can be targeted based on the status of a vulnerability, often focused on newly detected vulnerabilities that need triage. It’s also possible to create rules based on previously detected vulnerabilities with a given severity, or to include/exclude vulnerabilities if they have been dismissed.\n\n- **Branch:** Target enforcement only on particular branches, such as by focusing enforcement on the default branch of critical projects, or by targeting any protected branches.\n\n- **Fix available:** Filter out findings from dependency and containers scanning results where a fix is not available. Often these depend on upstream changes from third parties, and are not yet actionable. Issues can be created from the vulnerabilities and tracked with a due date to address them when a fix becomes available.\n\n- **False positive:** When our GitLab scanners determine a finding to be a false positive (for container and dependency scanning), we’ll mark the state within the vulnerability. Security policies can then utilize this to filter false positives from the security policy oversight, allowing AppSec engineers and developers to ignore these findings and merge code undeterred. Vulnerabilities will still be available in the vulnerability report for deeper analysis if required.\n\n- **Age or service-level agreement (SLA):** At times, lower severity vulnerabilities can be tolerated by organizations for a time, but should be planned and addressed within a reasonable SLA. With security policies, you can set an SLA based on the severity of a finding, such as allowing medium vulnerabilities to be merged without requiring approvals for an SLA of 60 days (which can be addressed in a follow-up issue with a due date). But if the vulnerability is detected as exceeding the 60-day SLA, it will block merge requests and require the vulnerability to be addressed.\n\n![security-policies-rules-ds-all-filters](https://res.cloudinary.com/about-gitlab-com/image/upload/v1752175811/Blog/k0bror5vmcosg8jm4zi1.png)\n\n### Prioritize critical findings across the organization\nOne common approach for handling large volumes of vulnerabilities is to start small and prioritize the most critical findings discovered across your organization. A vulnerability management triage SLA can help you achieve this, by defining rules to address vulnerabilities within a given SLA based on the vulnerability severity. Here's a quick demo of leveraging a GitLab merge request approval policy to enforce a different SLA for each vulnerability severity level. In this case, if a High severity finding is detected, merge requests will not be blocked for 30 days, giving developers time to remediate the issue within the SLA window.\n\n\u003C!-- blank line -->\n\u003Cfigure class=\"video_container\">\n  \u003Ciframe src=\"https://www.youtube.com/embed/cOsAaLXdV2k\" frameborder=\"0\" allowfullscreen=\"true\"> \u003C/iframe>\n\u003C/figure>\n\u003C!-- blank line -->\n\n### Ensure separation of duties\n\nSecurity policies can be managed in a number of ways, but are best managed in an isolated GitLab project that ensures separation of duties between security professionals and development teams. Policies are stored in YAML. This policy-as-code approach empowers your security team and offers many benefits, including a Git history of any changes to the policies for visibility, version control to more easily roll back disruptive changes, oversight and required approvals of any policy changes (if required), auditability through GitLab audit events, and concrete controls that can be shared as evidence to auditors.\n\n![gitlab security-policies policy-yml](https://res.cloudinary.com/about-gitlab-com/image/upload/v1752175821/Blog/bqfig4ufupuitbarasuj.png)\n\n## Tying it all together\nManaging the ever-growing influx of vulnerabilities requires a precision approach that balances thorough scanning with efficient triaging and remediation. GitLab's security policies provide a powerful solution that enables collaboration, offers flexibility in defining customized policy rules, and a means to precisely operationalize business requirements and compliance frameworks. By leveraging GitLab's security tools and applying custom filters and attributes, organizations can streamline vulnerability management and focus their efforts on addressing the most critical risks, ultimately enhancing their overall security posture, and meeting the requirements of external bodies. And while fears may loom over AI-generated code, the three pillars of security (people, processes, and technology) still stand. By incorporating security policies into your business processes, you can protect your business against such risks.\n\nBeyond utilizing security policies to enforce policy-as-code at scale, the GitLab DevSecOps Platform offers a robust suite of security tools. In our recent [2023 Global DevSecOps Report](https://learn.gitlab.com/devsecops-survey-2023/), 57% of security professionals said they use six or more tools for software development and 69% of security professionals said they want to consolidate their toolchain. Consolidation of tools is on the minds of many CISOs and GitLab helps reduce the toolchain sprawl. We offer the core security scanning solutions – static application security testing (including for infrastructure as code), secret detection, dynamic application security testing (including for APIs), dependency scanning, and API security. We also enable vulnerability management for AppSec teams with dynamic vulnerability reports. And we close the loop on compliance with compliance frameworks, compliance adherence reports, and audit events.\n\nLearn more about how to manage [application security](https://docs.gitlab.com/ee/user/application_security/#use-security-scanning-tools-with-merge-request-pipelines) using GitLab.\n\n> **Next up:** GitLab CISO Josh Lemos shares how to [resolve some common security frustrations](https://about.gitlab.com/the-source/security/security-its-more-than-culture-addressing-the-root-cause-of-common-security/).",[955,958,961,964,967],{"header":956,"content":957},"Why should enterprises consolidate their security toolchain?","Many security teams use six or more tools, leading to inefficiencies and increased costs. A unified DevSecOps platform like GitLab consolidates security scanning, compliance reporting, and vulnerability management, reducing toolchain complexity while improving visibility, automation, and security posture.",{"header":959,"content":960},"How does AI impact security policy enforcement?","As AI-generated code increases, automated security policies become even more essential. AI-powered security tools help detect and remediate vulnerabilities faster, but policy enforcement ensures that only secure AI-generated code is merged into production. AI also helps reduce false positives by providing risk-based context for vulnerability assessments.",{"header":962,"content":963},"What are the best approaches to vulnerability triage in large-scale enterprises?","Enterprises can prioritize vulnerabilities using frameworks such as the Common Vulnerability Scoring System (CVSS), risk-based scoring, threat modeling, and Business Impact Analysis (BIA). These methods help organizations focus on the most exploitable or business-critical vulnerabilities, reducing false positives and ensuring efficient resource allocation.",{"header":965,"content":966},"How can security policies help manage vulnerabilities in enterprise DevSecOps?","Security policies automate vulnerability detection, triage, and remediation by enforcing predefined security rules throughout the development lifecycle. Organizations can set up scan execution policies to ensure vulnerabilities are identified before merging code and use merge request approval policies to block insecure code until security concerns are addressed.",{"header":968,"content":969},"How does GitLab’s security policy management improve compliance?","GitLab enables policy-as-code, allowing security teams to define, track, and enforce compliance policies directly within GitLab projects. Security policies stored as YAML files provide version control, auditability, and separation of duties between security and development teams, ensuring compliance with external regulations and internal governance requirements.","enterprise-scale-security-and-compliance-policy-management-in-the-ai-era","content:en-us:the-source:security:enterprise-scale-security-and-compliance-policy-management-in-the-ai-era:index.yml","en-us/the-source/security/enterprise-scale-security-and-compliance-policy-management-in-the-ai-era/index.yml","en-us/the-source/security/enterprise-scale-security-and-compliance-policy-management-in-the-ai-era/index",{"_path":975,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":976,"seo":978,"content":982,"type":486,"slug":989,"category":28,"_id":990,"_type":30,"title":979,"_source":31,"_file":991,"_stem":992,"_extension":34,"date":983,"description":980,"timeToRead":502,"heroImage":478,"keyTakeaways":984,"articleBody":988},"/en-us/the-source/security/finserv-startup-constantinople-uses-devsecops-to-build-in-security",{"layout":5,"template":472,"articleType":494,"author":977,"featured":6,"isHighlighted":6,"authorName":464},"sharon-gaudin",{"title":979,"description":980,"ogImage":478,"config":981},"FinServ startup Constantinople uses DevSecOps to build in security","With a DevSecOps platform, Constantinople has minimized security and compliance risks while maximizing efficiency.",{"ignoreTitleCharLimit":329},{"title":979,"date":983,"description":980,"timeToRead":502,"heroImage":478,"keyTakeaways":984,"articleBody":988},"2023-05-17",[985,986,987],"Constantinople integrates security early using GitLab's DevSecOps Platform, ensuring software is secure from the start and compliant with industry standards.","The platform fosters collaboration across teams, creating a seamless environment where developers work together efficiently, avoiding overlap and errors.","By relying on GitLab's mature features, Constantinople enhances development efficiency, reducing toolchain complexity and focusing resources on product innovation.","Constantinople, a startup in the financial services space, is using GitLab’s DevSecOps Platform to incorporate security into their software development lifecycle from the very beginning, while also fostering critical, long-term collaboration across the business.\n\n“Security is a non-negotiable in our industry, and something neither we nor our clients will compromise on,” says Jeremy Smith, Vice President of Engineering at [Constantinople](https://www.cxnpl.com/), which has fewer than 70 employees and is based in Sydney, Australia. “By building in best practices through use of the DevSecOps platform from day zero, we are building a platform with [security baked in](/blog/its-time-to-put-the-sec-in-devsecops/). Trying to retrofit it in the future would not only leave us exposed until then, it also would result in a lesser end product.”\n\nBefore diving further into Constantinople’s story, here's a snapshot of what they’re doing and achieving with GitLab:\n- They’ve used GitLab to create a cloud-native backend platform, comprising six interconnected services, along with a mobile banking customer app.\n- Developers are deploying code 20 to 30 times per day.\n- The company is using automation built into the platform for more than a dozen processes, including testing, security scanning, and updating hosted API documentation.\n- The platform’s analytics and dashboards are continually displayed on a TV in the office for company-wide visibility.\n\nFor Macgregor Duncan, co-founder and co-CEO of Constantinople, it’s all about making sure security is at the forefront of everything they do.\n\n“Our customers entrust us to handle their most sensitive financial data and mission-critical operations. There is no margin for error,” he says. “As a result, we have treated security as a top priority from day one, building it into every aspect of our software lifecycle. GitLab’s DevSecOps Platform has been a key part of ensuring this. And as we continue to scale our business, we are placing more reliance on other platform features, like visibility, measurability, and collaboration.”\n\n## Starting out with a DevSecOps platform\nConstantinople delivers fully managed digital banking services to financial institutions. The venture capital-backed business, which was founded in 2022, is building a cloud-native operating platform and operational service software, along with customer-facing applications that each client bank can configure as its own.\n\nBy hosting customers directly on their platform and managing all operational aspects for their client banks, Constantinople is looking to radically simplify how banks operate.\n\nAll of this is being built with GitLab, using the [DevSecOps](/topics/devsecops/) Platform to create mission-critical software for everything from customer experience to transaction and lending products, digital servicing, and compliance solutions.\n\nFor Constantinople, [security](/blog/its-time-to-put-the-sec-in-devsecops/) needs to be part of every aspect of their software lifecycle now so they [don’t have to go back and fix vulnerabilities](/blog/devsecops-platforms-give-smbs-security-muscle/) when it’s more costly and time-consuming. Using GitLab’s DevSecOps Platform from the very beginning has been a key part of their startup strategy. They also want visibility, measurability, and collaboration to be part of their process at the earliest stages of their company.\n\n## Beginning with a security focus\nConstantinople, which uses the AWS cloud, is creating software and a multi-tenant platform that a number of banks will use, so strong security must be foundational. Moving security earlier in the software development lifecycle - all the way to the planning stages - is crucial. So is using [automated security testing](/blog/want-faster-releases-your-answer-lies-in-automated-software-testing/) to catch vulnerabilities when they’re created, instead of when software is about to be deployed. [Gaining those abilities](/the-source/security/how-to-strengthen-security-by-applying-devsecops-principles/) inside a single, end-to-end platform is the best way for Constantinople developers to make sure all of this happens.\n\n“Security is always front of mind for all of our developers, especially since we are working within a high-security industry,” says Smith. “A critical part of our secure software lifecycle is making it as easy as possible for developers to build secure code, and make sure any issues are quickly fixed, long before merge and release. By shortening our security feedback cycle, we have both happier developers, and a cleaner and more secure codebase.”\n\nIt’s key for Constantinople to not only offer its customers software that is [compliant](/blog/top-5-compliance-features-to-leverage-in-gitlab/) with industry and government regulations, but to ease the process for becoming and remaining compliant.\n\n“Compliance is obviously vital to any business operating within the regulated perimeter, especially financial services,” says Smith. “Automated compliance capabilities in the DevSecOps platform are a key differentiator for us, precisely because it makes the process easy, reliable, and repeatable.”\n\n## Creating an atmosphere of collaboration\nThe leadership team also is focused on building into their company - in development teams and across the entire business - an [atmosphere of collaboration](/blog/5-ways-collaboration-boosts-productivity-and-your-career/). They don’t want to wait until the number of employees has expanded from tens to hundreds or thousands, and then begin to try to convince people to work together. They want that happening right now, from the very beginning, so the collaboration mentality is part of the Constantinople experience that scales with the company.\n\n“[Collaboration](/blog/6-ways-smbs-can-leverage-the-power-of-a-devops-platform/) is absolutely critical,” says Smith, noting that about 80% of the company is directly responsible for delivering software products. “Without developers being able to collaborate, no complex system could be built because developers would tread on each other's toes and break each other’s work. While the software we build is at the heart of what we do, we’re so much more than just a software provider. With operations, compliance, and a multitude of other functions layered on top of the software, enabling multiple features to work together is key to us.”\n\nHe adds, “Having a group of self-driven developers each contributing seamlessly is like seeing a piece of art come together. Collaboration is the difference between a team that works and one that doesn’t.”\n\n## Getting started with GitLab’s platform\nConstantinople didn’t want to start with a complicated and costly bunch of DevOps tools strung together into an unwieldy toolchain. Developers and leaders wanted to launch the company using a full DevSecOps platform. They evaluated BitBucket, GitHub, and Snyk, but decided to go with GitLab Ultimate. This was largely because of its feature maturity as well as its [security](/blog/getting-started-with-gitlab-application-security/) and [CI/CD](/topics/ci-cd/) capabilities. Using a single application also means that they aren’t building a toolchain that would have their developers and engineers spending time integrating, updating, and maintaining a plethora of tools, instead of focusing on creating products, according to Smith.\n\n“We’ve been able to do all of our technical tooling within GitLab,” says Smith. “For a startup, especially, using a DevSecOps platform allows us to focus on building our product without all the overhead and risk that comes with trying to manage development and security in isolation. We can maximize the efficiency of, and minimize the rework for, both software and DevOps engineers.”\n\nAnd it’s working well for the company’s team of developers. Smith notes that everyone surveyed said they either “liked” or “loved” GitLab’s DevSecOps Platform.\n\n> **Next:** GitLab CISO Josh Lemos shares advice for [addressing the root cause of common security frustrations](https://about.gitlab.com/the-source/security/security-its-more-than-culture-addressing-the-root-cause-of-common-security/).\n","finserv-startup-constantinople-uses-devsecops-to-build-in-security","content:en-us:the-source:security:finserv-startup-constantinople-uses-devsecops-to-build-in-security:index.yml","en-us/the-source/security/finserv-startup-constantinople-uses-devsecops-to-build-in-security/index.yml","en-us/the-source/security/finserv-startup-constantinople-uses-devsecops-to-build-in-security/index",{"_path":994,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":995,"seo":997,"content":1002,"type":486,"slug":1009,"category":28,"_id":1010,"_type":30,"title":998,"_source":31,"_file":1011,"_stem":1012,"_extension":34,"date":1003,"description":999,"timeToRead":541,"heroImage":1000,"keyTakeaways":1004,"articleBody":1008},"/en-us/the-source/security/guide-to-dynamic-sboms",{"layout":5,"template":472,"articleType":473,"featured":6,"gatedAsset":996,"isHighlighted":6,"authorName":-1},"pf-guide-to-dynamic-sboms",{"title":998,"description":999,"ogImage":1000,"config":1001},"Guide to dynamic SBOMs: Securing software supply chains in modern development","Learn how SBOMs enhance software supply chain security and help teams identify potential vulnerabilities across the software development lifecycle.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464291/pcipekvy5bnabud9zfk2.png",{"ignoreTitleCharLimit":329},{"title":998,"date":1003,"description":999,"timeToRead":541,"heroImage":1000,"keyTakeaways":1004,"articleBody":1008},"2023-03-07",[1005,1006,1007],"Security teams struggle to manage risks in complex software supply chains as open-source components dominate modern applications. Organizations need visibility into third-party components and software dependencies.","As development environments and continuous integration accelerate delivery, security vulnerabilities become harder to track. Teams need tools for informed decisions about vulnerability management.","Software composition analysis and license compliance are critical as regulations expand. Organizations must validate open-source and third-party components throughout the development lifecycle.","In today's threat landscape, comprehensive security solutions are essential for protecting your software ecosystem. A software bill of materials (SBOM) - a detailed inventory of software components - enables security teams to identify and address cyber threats proactively and maintain continuous visibility into their software supply chains.\n\nGitLab research reveals that 69% of global CXOs are shipping software products twice as fast as last year, even as software supply chains grow more complex. With software liability discussions intensifying, clear visibility into potential vulnerabilities is essential. Organizations must understand their exposure across all software dependencies.\n\nImplementing comprehensive SBOMs enables teams to identify vulnerabilities and strengthen software supply chain security through systematic analysis and triage.\n\nIntegrating external software dependencies requires sophisticated vulnerability management - and SBOMs make this possible.\n\n## The role of SBOMs in code management\nBeyond basic code snippets and source files, SBOMs provide a complete view of your software components. This visibility is crucial for:\n\n- Tracking compliance with licensing requirements across the development lifecycle\n- Maintaining detailed software inventories for regulatory compliance\n- Managing potential risks in third-party and open-source components\n- Implementing proactive security measures throughout the software ecosystem\n\n## Security and compliance for modern applications\nAs development processes evolve, security solutions must adapt to new challenges. Organizations need:\n\n- Real-time visibility into software inventories and component relationships\n- Automated tools for tracking licensing terms and compliance issues\n- Standardized formats for sharing software inventories across teams\n- Proactive management of security measures and compliance requirements\n\nGitLab's 2024 DevSecOps Report found that while 67% of developers rely heavily on open-source software and third-party components, only 21% leverage SBOMs in their software development lifecycle. This visibility gap in software supply chains creates significant risk - especially as continuous integration practices accelerate development.\n\nSBOMs benefit diverse use cases beyond basic open-source software management. They provide critical insights for projects incorporating commercial third-party components, cross-project integrations, and external code contributions - any scenario where software dependencies impact your broader development environment. Security teams can make more informed decisions about vulnerability management when they have comprehensive visibility into their entire software supply chain.\n\n## Future-proofing your software security\nImplementing comprehensive SBOMs is essential for maintaining robust supply chain security. With a robust SBOM strategy, organizations can:\n\n- Maintain accurate software inventories throughout the development lifecycle\n- Address compliance requirements proactively\n- Manage potential risks in real time\n- Ensure consistent security measures across the software ecosystem\n","guide-to-dynamic-sboms","content:en-us:the-source:security:guide-to-dynamic-sboms:index.yml","en-us/the-source/security/guide-to-dynamic-sboms/index.yml","en-us/the-source/security/guide-to-dynamic-sboms/index",{"_path":1014,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":1015,"seo":1016,"content":1021,"type":486,"slug":1043,"category":28,"_id":1044,"_type":30,"title":1017,"_source":31,"_file":1045,"_stem":1046,"_extension":34,"date":1003,"description":1018,"timeToRead":541,"heroImage":1019,"keyTakeaways":1022,"articleBody":1026,"faq":1027},"/en-us/the-source/security/national-cybersecurity-strategy-a-wake-up-call-for-software-developers",{"layout":5,"template":472,"articleType":494,"author":634,"featured":6,"gatedAsset":27,"isHighlighted":6,"authorName":455},{"title":1017,"description":1018,"ogImage":1019,"config":1020},"National Cybersecurity Strategy: A wake-up call for software developers","The new White House policy puts liability for poor security on software makers. Learn how DevSecOps can protect your organization.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464383/klpmnmeqtsebmwgu1vps.png",{"ignoreTitleCharLimit":329},{"title":1017,"date":1003,"description":1018,"timeToRead":541,"heroImage":1019,"keyTakeaways":1022,"articleBody":1026,"faq":1027},[1023,1024,1025],"The 2023 National Cybersecurity Strategy places a strong emphasis on software security, shifting the responsibility to software makers for the development, deployment, and maintenance of secure products.","The main aspects highlighted by the policy include collaboration, digital transformation, automation, and transparency.","An end-to-end DevSecOps platform aligns well with the new strategy, offering comprehensive solutions for software supply chain security, software inventory generation, and assurance of software trustworthiness.","The 2023 National Cybersecurity Strategy, which the White House released last week, should serve as a wake-up call to all organizations that develop software, whether for internal or external use. The policy puts the liability for poor security on software makers and requires a strengthening of security at every step of the software development lifecycle.\n\nThe policy shines a spotlight on the importance of collaboration, digital transformation, automation, and transparency. The White House is seeking to advance security-first posturing, eliminate the top cybersecurity threats, rebalance software security responsibility and data stewardship, defend against malicious actors, and forge international partnerships.\n\n“Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers. Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product,” the White House strategy states.\n\nA replacement of the [2018 National Cyber Strategy](https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf), the 2023 policy focuses on five key pillars designed to improve national and global cybersecurity for the public and private sectors.\n\nThe five pillars of the 2023 National Cybersecurity Strategy are:\n\n* Defend Critical Infrastructure\n* Disrupt and Dismantle Threat Actors\n* Shape Market Forces to Drive Security and Resilience\n* Invest in a Resilient Future\n* Forge International Partnerships to Pursue Shared Goals\n\n## What the strategy means for software makers\nThe White House’s strategy puts the onus for developing, deploying, and maintaining secure software on software makers. It states that too many vendors “ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance.”\n\nIn addition, the strategy notes that software makers “are able to leverage their market position to fully disclaim liability by contract, further reducing their incentive to follow secure-by-design principles or perform pre-release testing.”\n\nDevelopers who fail to take reasonable precautions to secure their software will be held liable, according to the strategy, with the ultimate goal of encouraging the development of safer and more secure products and services. The White House plans to work with Congress to create legislation that establishes liability for software products and services.\n\n## DevSecOps and National Cybersecurity Strategy\nOne scalable and dependable way to align with the National Cybersecurity Strategy is with [a comprehensive DevSecOps approach](/topics/devsecops/), which integrates security and compliance into the developer experience.\n\nGitLab’s DevSecOps Platform helps software makers:\n\n- Secure their end-to-end [software supply chain](/blog/the-ultimate-guide-to-software-supply-chain-security/), including source, build, dependencies, and release artifacts\n- Create an inventory of software used with a [software bill of materials (SBOM)](/blog/the-ultimate-guide-to-sboms/)\n- Demonstrate their software is trustworthy via [SLSA](/blog/achieve-slsa-level-2-compliance-with-gitlab/)\n\nGitLab automatically scans vulnerabilities in source code, containers, dependencies, and running applications. By centralizing end-to-end collaboration, GitLab ensures the [\"secure-by-design\" principle](https://about.gitlab.com/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design/) recommended by the National Cybersecurity Strategy is applied in every phase of software  development.\n\nGitLab also helps companies track changes, implement necessary controls to protect what goes into production, and ensures adherence to license compliance and regulatory frameworks.\n\nThe White House’s strategy also proposes future legislation that will include safe harbor from liability for those that follow best practices like [NIST’s Secure Software Development Framework (SSDF)](/blog/comply-with-nist-secure-supply-chain-framework-with-gitlab/). GitLab has the built-in automation to support much of the NIST SSDF with little-to-no configuration required. Issue-based workflows, source code management, automated builds, broad-capability security scanning, code reviews, approvals, and environment visibility are all part of GitLab Ultimate.\n\nThe National Cybersecurity Strategy acknowledges that balancing short term imperatives with the vision for trust and safety in software will be a challenge for most organizations. Given the interdependencies and complexities of software development, organizations should assess the current state of their SDLC  and quickly identify what design, architectural, and operational changes they have to make to align with the White House’s proposed mandates.",[1028,1031,1034,1037,1040],{"header":1029,"content":1030},"How does the strategy plan to hold software vendors accountable?","The strategy proposes working with Congress to establish legislation that enforces liability for software products and services that do not follow secure-by-design principles. By shifting legal accountability to those best positioned to prevent security flaws, the goal is to incentivize vendors to prioritize robust security throughout the software development lifecycle.",{"header":1032,"content":1033},"What does this mean for organizations building or maintaining software?","Organizations developing software will need to evaluate their entire development lifecycle to ensure alignment with the expectations outlined in the strategy. This includes adopting best practices for secure development, performing thorough testing, managing software components responsibly, and maintaining transparency through tools like SBOMs.",{"header":1035,"content":1036},"How can DevSecOps support compliance with the National Cybersecurity Strategy?","A DevSecOps approach ensures that security and compliance are integrated into every stage of the software development lifecycle. By using a unified platform, organizations can automate vulnerability scanning, track software components, manage security policies, and enforce compliance controls — all key aspects of aligning with the strategy’s objectives.",{"header":1038,"content":1039},"What role does GitLab play in supporting secure software practices?","GitLab’s DevSecOps platform provides built-in tools for vulnerability scanning, license compliance, source code protection, and regulatory adherence. It supports standards like the NIST Secure Software Development Framework (SSDF) with minimal configuration, helping teams implement secure-by-design principles and streamline reporting and accountability.",{"header":1041,"content":1042},"Why should software makers take this strategy seriously?","With the proposed legislative changes, software vendors that fail to adopt secure practices may face legal and financial consequences. This makes early alignment with the strategy not only a matter of national security, but also a proactive business decision.","national-cybersecurity-strategy-a-wake-up-call-for-software-developers","content:en-us:the-source:security:national-cybersecurity-strategy-a-wake-up-call-for-software-developers:index.yml","en-us/the-source/security/national-cybersecurity-strategy-a-wake-up-call-for-software-developers/index.yml","en-us/the-source/security/national-cybersecurity-strategy-a-wake-up-call-for-software-developers/index",{"_path":1048,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":1049,"seo":1051,"content":1055,"type":486,"slug":1078,"category":28,"_id":1079,"_type":30,"title":1052,"_source":31,"_file":1080,"_stem":1081,"_extension":34,"date":1056,"description":1053,"timeToRead":927,"heroImage":1054,"keyTakeaways":1057,"articleBody":1061,"faq":1062},"/en-us/the-source/security/how-to-strengthen-security-by-applying-devsecops-principles",{"layout":5,"template":472,"articleType":494,"author":1050,"featured":6,"isHighlighted":6,"authorName":460},"ncregan",{"title":1052,"description":1053,"ogImage":1054},"How to strengthen security by applying DevSecOps principles","Learn how to apply DevSecOps principles today and discover the power of DevSecOps.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464433/bdwagz0bt5bpgghjkout.png",{"title":1052,"date":1056,"description":1053,"timeToRead":927,"heroImage":1054,"keyTakeaways":1057,"articleBody":1061,"faq":1062},"2023-02-23",[1058,1059,1060],"DevSecOps integrates security into the software development lifecycle, helping to reduce security issues without delaying delivery.","Automation in DevSecOps boosts security, streamlining threat detection and response.","Collaboration in DevSecOps shares the responsibility for security and fosters a unified approach to secure, rapid software development.","By following the DevSecOps principles, companies can ensure their applications are safe from malicious actors while delivering value quickly and efficiently. In this article, we'll take an in-depth look at DevSecOps principles and how they can help organizations stay ahead of the curve in terms of security. Let’s dive in.\n\n## What is DevSecOps?\n[DevSecOps](/topics/devsecops/) is an approach to software development that combines DevOps practices with security. This integration of security practices enables teams to create a secure and reliable product while delivering value quickly and efficiently. The successful execution of DevSecOps involves continuous integration, automation, and testing with the goal of accelerating time-to-market without sacrificing quality or security.\n\n## DevSecOps principles: An overview\n[DevSecOps principles](/blog/4-must-know-devops-principles/) enable a development team to build secure and dependable applications at speed through the execution of ingrained security testing and vulnerability scanning. By executing a DevSecOps approach, teams integrate security into the software development lifecycle (SDLC) from the initial design to continuous delivery and deployment. Doing so helps to prevent malicious actors from creating security issues by exploiting system vulnerabilities and reducing the overall risk of cyber attacks.\n\nDevSecOps principles include:\n\n### Automation and integration\nAutomation and integration are core principles of DevSecOps. The automation of security processes eliminates manual processes and assists in the development of secure and dependable applications while reducing the risk of future malicious attacks. You can set up and run security measures at multiple points during the development cycle to simplify and maximize security practices through the application of continuous security.\n\n### Continuous delivery and deployment\nContinuous delivery and deployment is another process that allows teams to respond to potential threats quickly and protect their software supply chain from malicious actors. [Continuously deploying applications using automated processes](/blog/cd-solution-overview/) makes it possible to rapidly develop new features and products while ensuring application security and quality.\n\n### A collaborative approach to security\nSecurity is a fundamental part of DevSecOps. Ensuring that applications remain secure and reliable requires [a highly collaborative approach](/topics/version-control/software-team-collaboration/) with ongoing and multiple security checks. It is necessary for all stakeholders involved in the development process to be engaged in the security process.\n\nSecurity teams must work with developers to ensure that applications are designed with [appropriate security controls](/topics/devsecops/devsecops-security-checklist/) and minimum security vulnerabilities. Simultaneously, for applications to get deployed and monitored securely, operations need to collaborate with security teams. This cross-functional collaboration ensures that all phases of the SDLC are interwoven with security best practices, resulting in a more resilient codebase.\n\n### Security at every stage of the SDLC\nEmploying security at every stage of the SDLC ensures the efficient development of secure applications without sacrificing quality. It is essential to cover  [every stage of the lifecycle](/blog/top-10-gitlab-hacks/) from design to development, and deployment.\n\nFor the process to be effective, developers must design applications with appropriate security controls, and operations teams should deploy and monitor them securely.\n\n### Proactive monitoring and response strategies\nProactive monitoring and response strategies are essential for maintaining the security of applications throughout their lifespan. [Monitoring](/blog/working-with-performance-metrics/) is achieved through the deployment of automated tools that identify potential vulnerabilities and alert teams when they arise.\n\nDoing so helps to minimize risk and ensure consistency across the organization. The employment of a comprehensive response strategy allows for issues to be identified and solved before they compound into security risks.\n\n## Benefits of implementing DevSecOps\nImplementing DevSecOps offers numerous benefits to organizations:\n1. It helps create trust with customers by providing more secure software.\n2. It prevents malicious actors from exploiting system vulnerabilities and improves the security of systems.\n3. The DevSecOps methodology enables teams to deliver value quickly while ensuring the highest levels of security and adherence to compliance requirements.\n4. By integrating security practices into the software development pipeline from design to deployment, teams can identify and address potential risks promptly, thus reducing the risk of malicious attacks.\n5. DevSecOps helps organizations stay ahead of potential threats and remain competitive in their markets.\n\n[Implementing DevSecOps](/blog/whats-next-for-devsecops/) is essential for any organization looking to protect its systems from malicious attacks while delivering value quickly and efficiently. Additionally, integrating security into the entire software development lifecycle ensures that all new applications are secure from the very beginning. Instilling a DevSecOps culture and approach maximizes the overall efficiency and quality of the software development process.",[1063,1066,1069,1072,1075],{"header":1064,"content":1065},"What are the benefits of implementing DevSecOps for organizations?","Key benefits include:\n- Enhanced security by preventing vulnerabilities from entering the codebase\n- Faster time-to-market with secure, continuous delivery pipelines\n- Improved compliance with regulatory standards through automated security checks\n- Increased customer trust and confidence due to more secure software products\n- Reduced risk of cyberattacks by proactively identifying and mitigating security threats",{"header":1067,"content":1068},"How can organizations successfully implement DevSecOps principles?","Organizations can successfully implement DevSecOps by:\n- Automating security checks within CI/CD pipelines\n- Promoting a collaborative culture where security is a shared responsibility among developers, operations, and security teams\n- Training development teams on secure coding practices\n- Integrating proactive monitoring and incident response strategies to address security threats swiftly\n- Using comprehensive DevSecOps platforms like GitLab that provide built-in security tools, vulnerability scanning, and compliance monitoring",{"header":1070,"content":1071},"What is DevSecOps and how does it differ from traditional DevOps?","DevSecOps is an approach that integrates security practices into every phase of the software development lifecycle (SDLC). Unlike traditional DevOps, which focuses on continuous integration and delivery, DevSecOps embeds security checks, vulnerability scanning, and compliance controls throughout the development and deployment processes, ensuring secure and reliable applications.",{"header":1073,"content":1074},"What are the core principles of DevSecOps?","Core principles of DevSecOps include:\n- __Automation and integration__: Automating security checks and vulnerability scans throughout the CI/CD pipeline to minimize human error and accelerate secure deployments.\n- __Continuous delivery and deployment__: Ensuring rapid development and deployment of secure applications with automated security validations.\n- __Collaboration across teams__: Fostering cross-functional collaboration between development, security, and operations teams for integrated security practices.\n- __Security at every stage__: Embedding security controls from design to deployment to ensure comprehensive protection.\n- __Proactive monitoring and response__: Implementing continuous monitoring and response strategies to identify and mitigate risks promptly.",{"header":1076,"content":1077},"How does DevSecOps improve security without slowing down development?","DevSecOps automates security checks and integrates them into the CI/CD pipeline, allowing security validations to occur alongside development and testing. This approach minimizes manual security interventions, reducing bottlenecks and enabling rapid, secure deployments without compromising speed or agility.","how-to-strengthen-security-by-applying-devsecops-principles","content:en-us:the-source:security:how-to-strengthen-security-by-applying-devsecops-principles:index.yml","en-us/the-source/security/how-to-strengthen-security-by-applying-devsecops-principles/index.yml","en-us/the-source/security/how-to-strengthen-security-by-applying-devsecops-principles/index",{"_path":1083,"_dir":28,"_draft":6,"_partial":6,"_locale":7,"config":1084,"seo":1085,"content":1089,"type":486,"slug":1095,"category":28,"_id":1096,"_type":30,"title":1086,"_source":31,"_file":1097,"_stem":1098,"_extension":34,"description":1087,"timeToRead":541,"heroImage":1088,"keyTakeaways":1090,"articleBody":1094},"/en-us/the-source/security/the-future-of-devops-education-needs-to-include-security",{"layout":5,"template":472,"articleType":494,"author":794,"featured":6,"isHighlighted":6,"authorName":450},{"title":1086,"description":1087,"ogImage":1088},"The future of DevOps education needs to include security","Learn how educators and students can prepare for the world of DevSecOps.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464659/e7y3ejbiaouubnc55l40.png",{"title":1086,"description":1087,"timeToRead":541,"heroImage":1088,"keyTakeaways":1090,"articleBody":1094},[1091,1092,1093],"DevSecOps integrates security in DevOps, ensuring safer software and timely vulnerability detection.","Educators should focus on security principles, using platforms like GitLab to teach secure coding.","Students can join open-source projects or campus groups to gain DevSecOps skills and insights.","[DevSecOps](https://about.gitlab.com/topics/devsecops/) is the inclusion of security as an integral part of traditional DevOps development, a strategy known as [shifting left](https://about.gitlab.com/topics/ci-cd/shift-left-devops/). With DevSecOps, myriad security scans, including dynamic application security testing and static application security testing, and other security tasks are performed during the development process rather than waiting until later in the cycle. DevSecOps enables organizations to identify and mitigate vulnerabilities early to ensure safer software and avoid delivery delays.\n\nAs DevOps teams across industries evolve into DevSecOps teams, higher education should respond in kind to ensure students likely to enter tech careers [have the skills necessary to be competitive](https://about.gitlab.com/blog/whats-next-for-devsecops/). In GitLab’s [2022 Global DevSecOps survey](/developer-survey/#download),  53% of respondents said security is everyone’s responsibility. Yet, many college computer science programs don’t [include security-related courses in their core requirements](https://www.appsecengineer.com/blog/developer-security-at-universities).\n\nEvery company that develops software – even for internal use only - must be proficient in security to protect their applications. Here is what educators and students need to know about melding security into their DevOps curricula to prepare their students for the world of DevSecOps.\n\n## How educators can teach DevSecOps\n\n\"Security education is not about finding specific issues, but about teaching the right mindset,\" said Gábor Pék, co-founder of security education company Avatao, in [TechBeacon](https://techbeacon.com/security/5-ways-better-educate-developers-application-security).\n\nThere are a variety of tools and techniques for security, but students don’t need to know all of them; it’s more important – and more valuable – to focus on the principles of security. Also, as an educator, you can use [a single platform](https://about.gitlab.com/blog/why-the-market-is-moving-to-a-platform-approach-to-devsecops/) to streamline teaching students about how to write secure code.\n\nWith a DevSecOps platform like GitLab, students can explore how to protect the software development lifecycle using [built-in security tools](https://about.gitlab.com/stages-devops-lifecycle/secure/). [GitLab’s docs](https://docs.gitlab.com/ee/user/application_security/) on securing your application are a great place to start learning about how GitLab approaches DevSecOps and will give students the base knowledge and skills to build upon as they continue to learn in their careers.\n\n### Resources for Educators\n- [An Open Source Security Foundation course](https://openssf.org/training/courses/) on writing Secure Programming that you can use to supplement your own courses\n- [Best Practices for Secure Development](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Concise-Guide-for-Developing-More-Secure-Software.md#readme)\n- [Understanding security vulnerabilities in student code: A case study in a non-security course](https://www.sciencedirect.com/science/article/abs/pii/S0164121221002430)\n- Bring the DevSecOps platform into your classroom with [GitLab for Education’s free license](https://about.gitlab.com/solutions/education/)\n\n## How students can learn DevSecOps\n\nIf a university isn’t offering direct instruction on security, students can still acquire the skills they need to succeed at a career in DevSecOps. Just knowing the term DevSecOps and understanding how it is changing software development can put a student ahead of the curve. Here are some more options for learning:\n\n### Participate in a security-focused open source project\n\nParticipating in security-focused open source projects is another excellent way to broaden your understanding of the role security plays in modern application development. Many security-focused open source projects call GitLab home, and just by using them, you become part of the communities developing and improving them.\n\nYou might consider tinkering with a single application – like popular disk encryption mainstay [cryptsetup](https://gitlab.com/cryptsetup) – or dive deeper into open source security by downloading, installing, and experimenting with [Kali Linux](https://gitlab.com/kalilinux), a Linux distribution built for security-minded engineers.\n\nNo matter what you choose, be sure to investigate how those communities incorporate security concerns and best practices into their programming. You could even start the conversation by creating an issue in their projects.\n\n### Find security-driven organizations\n\nLook into organizations like [OpenSSF](https://openssf.org/). OpenSSF seeks to inform and educate developers everywhere about the importance of secure software in the open source world. It’s an important enough consideration that OpenSSF is designated as a Linux foundation project. OpenSSF has several ways to not only learn, but get directly involved in projects that will sharpen skills and create networking opportunities outside of your classroom.\n\n## Start a security-focused campus group\n\nMany campuses have security-focused groups, and you don’t have to be a cybersecurity student to join. Odalis Estrada from Cal Polytechnic Pomona is a member of Forensics and Security Technology, a.k.a. FAST, a student chapter of the High Technology Crime Investigation Association. Estrada says that her club is a mix of computer science students and cybersecurity students. She says, “There are attacks and vulnerabilities evolving constantly…” and that the club has helped its members “understand old and new attacks.”\n\nIf there isn’t a security-focused campus group, consider starting one to explore the importance of security in computer science. It’s a great way to learn more about modern secure software development.\n\nLearning about security doesn’t just benefit developers. “If developers write more secure code, then security teams will have more time to concentrate on other issues,” Estrada said, adding this creates safer software development.","the-future-of-devops-education-needs-to-include-security","content:en-us:the-source:security:the-future-of-devops-education-needs-to-include-security:index.yml","en-us/the-source/security/the-future-of-devops-education-needs-to-include-security/index.yml","en-us/the-source/security/the-future-of-devops-education-needs-to-include-security/index",[469,491,531,570,588,631],{"ai":367,"platform":374,"security":11},1758747483250]