Posts

Showing posts from August, 2022

What you need to know about DevOps audits

While presumably no one likes an audit, DevOps teams do have some built-in advantages when it comes to intense levels of internal and external scrutiny. Here’s a quick look at DevOps audits, why they matter, and how teams can set themselves up for audit success. Looking under the hood In most organizations, there are two types of audits: internal and external. At their most simplistic, internal audits are conducted by people within the existing organization, while external audits are conducted by third parties. Either way, audits look to ensure an organization is compliant, and that’s where things can get a bit complicated. Being “compliant” can mean an organization is meeting standards set by the government (like NIST frameworks or HIPAA regulations), living up to its own governance rules regarding data, security policies and processes, and more, or it can mean some combination of the two. Also, depending on the type of organization and its vertical industry, compliance can have w...

The changing roles in DevSecOps

For three years, developers, security team members, and operations professionals have suggested to us in our annual surveys that their responsibilities were shifting. But this year that “shift” became a tidal wave of change. In our 2022 Global DevSecOps Survey, more than 5,000 practitioners shared details of DevOps roles in a state of flux: devs taking on ops and security tasks, security working hand-in-hand with dev teams, and ops wearing an improbable number of hats. These are big changes, but surprisingly not chaotic ones. In fact, at a time of great technical and macroeconomic upheaval, the evolution of DevOps jobs and responsibilities seems to be designed to bring teams more tightly together. DevOps is more than 14 years old at this point – an argument could be made that [true collaboration](/blog/2020/11/23/collaboration-communication-best-practices/) is finally underway. Whatever is at play, it’s clear substantive changes are happening. Here’s what our respondents told us ab...

GitLab Critical Security Release: 15.3.2, 15.2.4 and 15.1.6

Today we are releasing versions 15.3.2, 15.2.4 and 15.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). Please note, this critical release will also serve as our monthly security release for August. These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We a...

The ultimate guide to software supply chain security

Threats to the software supply chain are forcing a sea change in DevOps. Organizations are feeling internal pressure to embed security deep into their software development life cycles and external pressure to comply with numerous federal and industry mandates. What is emerging is a DevSecOps strategy that helps govern how code, applications, and infrastructure are protected across the software supply chain. The pairing of DevSecOps with software supply chain security also ensures that, where possible, automation will be used to make processes repeatable, increasing security and reducing the opportunity for human error or malicious activity. This comprehensive guide provides deeper dives into all the aspects of software supply chain security so make sure to follow the embedded links. The need for software supply chain security Securing code is not a new concept. However, promoting security early on in the development life cycle is. The movement to shift security left has taken off, ...

Five essential business benefits a DevOps platform gives SMBs

Small and medium-sized businesses (SMBs) face a litany of potentially crippling obstacles, but there’s a single step executives can take that will create multiple business benefits. Migrating to an end-to-end DevOps platform for SMBs will not only greatly improve an SMB’s odds of survival, but it will increase their chance of actually thriving in an environment that sees half of all small businesses failing within their first five years. That’s right. All businesses face competition and obstacles, but SMBs and small and medium-sized enterprises (SMEs), in particular, are looking at an uphill battle so steep that 20% of U.S. small businesses fail within just the first year, according to the U.S. Bureau of Labor Statistics. So why not grab onto any advantage available, especially one this beneficial? Here’s how a full DevOps platform can help any SMB: Multiply tech muscle Large enterprises might have an IT department, or even a separate DevOps group, made up of dozens or hundreds ...

Top reasons for software release delays

What’s the most likely reason for a software release delay? From 2019 through 2021, respondents to our Global DevSecOps Surveys always blamed software testing. This year, however, was dramatically different. More than 5,000 DevOps practitioners took our 2022 Global DevSecOps Survey, and, for the first time, they offered five equally valid reasons why releases might be tardy: code development, code review, security analysis, test data management, and, of course, testing. Processes and priorities are clearly changing in DevOps teams today, and they’re affecting release delays. Here’s how to understand the forces at work. Join us at GitLab Commit 2022 and connect with the ideas, technologies, and people that are driving DevOps and digital transformation. Code development and code review Over the past three years, code development and code review were the second- and third-ranked culprits for release delays. That’s to be expected: No one ever said code development was easy and co...

A 3-step plan for DevOps platform migration

When making your DevOps platform migration plan, less really is more, at least when it comes to tools. Our 2022 Global DevSecOps Survey found that not only do teams have lots of tools, they spend a significant amount of time managing them. All told, 40% of developers spend between one quarter and one half of their time on toolchain maintenance and integration, and another 33% spend between 50% and all of their time on this task. So it’s hardly a surprise that 69% of survey takers said they want to consolidate their toolchains. One obvious way to consolidate is migrating to a DevOps platform. DevOps platform migration does take some planning and teamwork, but it can be done. Here’s a 3-step plan (and a self-evaluation checklist) to get teams started. Choose the right path The most important thing to know about migrating to an end-to-end DevOps platform is that everyone's needs are different, so there isn’t one “right way” to carry out your migration. A company that has 1,000 u...

Ditch toolchain problems with a DevOps platform

By adopting DevOps tools without an end-to-end platform, teams have been adding complexity, mounting costs, and headaches to their job. Migrating to a true DevOps platform is the way to get out from under all of that and gain control of projects, break down silos, and cultivate collaboration. Companies are increasingly turning to DevOps to create software more efficiently and securely. However, not all of them have adopted a single DevOps platform, instead opting to cobble together a myriad of tools to handle everything in the software development lifecycle – from planning to delivery. Of course, DevOps tools are helpful, but there can be too much of a good thing. This do-it-yourself, or DIY, effort creates a mish-mash of tools that force team members to continuously jump back and forth between multiple interfaces, passwords, and ways of working. It also creates a chaotic environment that needs to be endlessly updated and held together with digital duct tape. And by using a plethor...

Postman integration with GitLab makes API workflows easier

APIs are more than just an interface. From a development lifecycle perspective, an API includes source code, definition files, tests, performance measurements, documentation, security audits, deployments, and feedback from API consumers. All of these elements are required for a successful API implementation. So, in partnership with GitLab, Postman created a git integration that allows users to link APIs in Postman to their GitLab cloud repos (on-prem versions of GitLab are only supported on Postman Enterprise). The Postman API Platform is designed to help teams collaborate seamlessly by providing tools for the entire API lifecycle. We understand that a fundamental part of the API lifecycle includes developer workflows centered around code and source control. 4 key benefits for better collaboration The launch of this integration earlier in the year provides four key benefits that empower teams to work faster and better together: 1. It introduces the concept of version control i...

Give it a go: Capture the flag for $20K USD in our bug bounty program

📣 We're issuing a challenge to all the amazing bug bounty hunters out there who make products and organizations like ours more secure. 👇 Capture the Flag (CTF) first and a $20,000 USD bounty is yours. It's that simple. The idea… not capturing the flag… at least that's our hope. But show us what you've got, please. 😛 Why are we doing this? Our aim with this CTF is to tackle potential vulnerabilities with lower CVSS scores but high business impact that may not get as much attention in our bug bounty program. We want to show those vulns the love through this CTF. Join us at GitLab Commit 2022 and connect with the ideas, technologies, and people that are driving DevOps and digital transformation. How do you get started? We've created a private group with a private project that contains a file with a flag. Be the first person to use a permission-related vulnerability to bypass access control, without user interaction, and read the flag, and voilà, the $20,000 USD bon...

GitLab's 2022 Global DevSecOps Survey: Security is the top concern, investment

The days of security as a “nice to have” are officially over. In our 2022 Global DevSecOps Survey of more than 5,000 practitioners, security was the driving force behind technology choices, team structure, DevOps platform use, and more. The findings from our sixth annual survey represent a dramatic shift from past years, when security teams – and security concerns – were often siloed and silenced in the push to get software out the door faster. Nothing could be further from the truth today: The number one reason to implement a DevOps platform? Security. (And 75% of DevOps teams use a DevOps platform currently or plan to this year.) The number one benefit of a DevOps platform? Security. The number one investment priority for 2022? Security. The attention to security in DevOps teams doesn’t stop there. As our surveys have shown since 2020, DevOps roles continue to shift, and this year, many of those shifts were laser-focused on security. 53% of developers told us they...

GitLab Critical Security Release: 15.3.1, 15.2.3, 15.1.5

Today we are releasing versions 15.3.1, 15.2.3, 15.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer...

GitLab 15.3 released with tasks for managing your work and free GitOps features

Today, we are excited to announce the release of GitLab 15.3 with tasks in issues, free GitOps features, SAML group link API maintenance, advanced password complexity requirements, and much more! These are just a few highlights from the 63 improvements in this release. Read on to check out all of the great updates below. We thank the wider GitLab community for the 348 contributions they provided to GitLab 15.3! At GitLab, everyone can contribute and we couldn't have done it without you! To preview what's coming in next month’s release, check out our Upcoming Releases page, which includes our 15.4 release kickoff video. This month's Most Valuable Person (MVP) is Marco Zille This month we recognize Marco Zille, who has provided consistent contributions to GitLab, as our MVP! Marco has been contributing a series of UI polish improvements across GitLab 15.2 and GitLab 15.3, as well as iteratively building out the Time tracking feature in collaboration with o...