Robert Beggs, CEO of Canadian incident response firm Digital Defence, said that CSOs have to remember that GitLab isn’t a passive folder where a user deposits and later retrieves data or source code. It’s a complex application that supports the entire DevOps lifecycle, from planning through to deployment and monitoring. To support this role, GitLab provides a large number of complex functions. This feature set increases the attack surface. In combination with the complexity of the application, any misconfigurations or vulnerabilities could have a significant impact for users.
“As with all applications, CSOs have to pay attention to vendor reports of vulnerabilities and any patches or upgrades to the application,” he said in an email. “They also have to be mindful of their own security hygiene and follow best practices for GitLab use.”
These include limiting access and access privileges to GitHub repositories — for example, ensuring that default visibility is set to Private — enabling multi-factor authentication for access and ensuring that passwords follow typical complexity rules, implementing role-based access controls and frequently reviewing access lists, implementing SSL and TLS certificates to secure communications, securing GitLab runners and pipeline variables, protecting the codebase by implementing branch protection rules and code signing, and more.
