Posts

An inside look at the Rust programming language

Rust, an open source programming language, has been the "most loved language" on developer community Stack Overflow's annual survey for the last four years. At the same time only a very, very small number of developers actually use Rust today – a July 2020 look at the PYPL PopularitY of Programming Languages Index ranks it at number 18 with just 0.81% interest. (For comparison Python is at nearly 32% and Java is over 17%.) So why the intense love of Rust? To put it simply, it was created to solve problems present in other languages and if you can take the time to unlock its (admittedly difficult) secrets, you're rewarded with cleaner, faster, and most importantly, safer code. Antony Saba, a senior security engineer with Strategic Security at GitLab, recently talked about Rust during a company-wide series of meetings (Contribute 2020). He speaks from experience as his last employer was a Rust-based company. "Okay, so what's Rust's promise?" Saba ...

DevSecOps basics: five steps to standardize (and then scale) security

This is the fifth in our five-part series on DevSecOps basics. Part one offers nine tips to truly shift left. Part two outlines the steps needed to create silo-free collaboration. Part three looks at the importance of automated security testing. And part four details how to create a strong security culture. Standardizing security policies comes in a variety of forms: regulatory compliance, access controls, acceptable use policies, security as code, and automation, to name a few. Ultimately, the idea is that your security team knows exactly what policies and methods have been used or applied to each project. The goals of standardization are consistency, traceability, and repeatability. By consistently using the same security methods across all work, security knows what has been protected and what hasn’t. This helps them apply additional measures where necessary, and makes them aware of any needed exceptions. Ensuring that security methods are repeatable helps to expand adoption an...

How recent acquisitions introduce fuzz testing to GitLab

GitLab recently acquired two of the leading companies in the fuzz testing space - Peach Tech and Fuzzit! These two companies bring amazing technology into GitLab. Read on to learn more about the technology and how you can easily integrate fuzz testing into your workflow. What is fuzz testing? Fuzz testing is a powerful way to test your apps to find security issues and flaws in business logic that traditional QA methods miss. Fuzz testing works by passing randomly generated inputs to your app and assessing the results. When the app being tested crashes or behaves in an unexpected way, this is called a "fault." When a fault is discovered, that means there is a way for a user to provide a similar, but potentially malicious, input to your app in a production environment to crash or exploit it. Discovering faults lets you track down bugs in your code that you wouldn't find otherwise and lets you fix them before an attacker can exploit these weaknesses. There are a few d...

A surprising benefit of CI/CD: Changing development roles

When it comes to CI/CD and DevOps, the benefits are obvious: Get it right and cleaner code is released (a lot) faster. But our 2020 Global DevSecOps Survey found more subtle – and far less talked about – benefits. CI/CD doesn't just allow developers to move faster and do more, it also allows them (and their operations counterparts) to do less. The automation required by CI/CD has drastically reduced the manual tasks involved in software development. With fewer time-consuming tasks, Dev and Ops roles and responsibilities are changing, in some cases dramatically. But don't just take our word for it. We asked our survey takers to tell us in their own words how their roles and responsibilities are changing. The back story To understand the impact of CI/CD and DevOps, it helps to have the full picture. In our survey 83% of developers said they're releasing code faster than ever before. In fact, nearly 60% of them deploy multiple times a day, once a day, or once every few ...

DevSecOps basics: how to build a security culture in six steps

This is the fourth in our five-part series on DevSecOps basics. Part one offers nine tips to truly shift left. Part two outlines the steps needed to create silo-free collaboration. And part three looks at the importance of automated security testing. Are you responsible for security? Even if it’s not in your title or job description, the answer is yes. Every employee is responsible for the security of their work. Unfortunately, many organizations don’t make this clear and don’t enforce it as policy. As vulnerabilities pile up on the desks of security engineers, developers wonder what’s taking so long – how many times does code have to be fixed before it’s deemed secure? DevSecOps flips traditional security on its head, but needs a strong security culture for sustainable success. What is security culture? A security culture means that everyone – from board members to interns – must care about security and take actions to maintain it. Security should be considered in every piece o...

Is GitOps the next big thing in automation?

Infrastructure management isn’t a new problem. After all, AWS has been publicly available since 2006. While the software development lifecycle is mostly automated, infrastructure remains a largely manual process that requires specialized teams. Infrastructure needs to be elastic, and automation would make that a much easier process than it is today. GitOps is an emerging technology term that could be the answer many infrastructure teams have been searching for. At its core, GitOps is a process that helps teams automate IT infrastructure through processes they already use in application development. It’s a framework we’re excited about. Naturally, we took it to Twitter. Where are YOU at with #GitOps? — GitLab (@gitlab) June 29, 2020 What is GitOps? What makes GitOps unique is that it’s not a single product, plugin, or platform. Before we dive into what we can learn from these results, let’s define what exactly GitOps is. At GitLab, we define GitOps as this: GitOps is an o...

How to capitalize on GitLab Security tools with external CI

Recently, I have been working with users who are using GitLab for Source Code Management (SCM) but are still in the process of migrating to GitLab for CI/CD. In this case, the users are not ready to move everything from Jenkins directly to GitLab just yet, but want to take advantage of all the security benefits of GitLab Ultimate/Gold. In this blog, I will walk you through setting up external Jenkins jobs along with deterministic security scans. Deterministic security scans block the pipeline from proceeding if a vulnerability was detected. You can follow along with the video below to configure Jenkins and GitLab. The sample project I am using contains code showing how to call Jenkins as well as how to set up deterministic security scans. How to add external Jenkins jobs to GitLab You can call jobs from external CI platforms, such as Jenkins, from GitLab. You can use the Jenkins REST API to start a Jenkins job. In this demo, I show you how to do it in Python using python-jenkin...