[{"data":1,"prerenderedAt":487},["ShallowReactive",2],{"/en-us/the-source/authors/gitlab/":3,"footer-en-us":30,"the-source-navigation-en-us":338,"the-source-newsletter-en-us":365,"gitlab-articles-list-authors-en-us":377,"gitlab-articles-list-en-us":408,"gitlab-page-categories-en-us":486},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"config":8,"seo":10,"content":12,"type":21,"slug":22,"_id":23,"_type":24,"title":25,"_source":26,"_file":27,"_stem":28,"_extension":29},"/en-us/the-source/authors/gitlab","authors",false,"",{"layout":9},"the-source",{"title":11},"GitLab",[13,19],{"componentName":14,"type":14,"componentContent":15},"TheSourceAuthorHero",{"name":11,"headshot":16},{"altText":11,"config":17},{"src":18},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463461/ts7io0hgpdyqylbzfire.png",{"componentName":20,"type":20},"TheSourceArticlesList","author","gitlab","content:en-us:the-source:authors:gitlab.yml","yaml","Gitlab","content","en-us/the-source/authors/gitlab.yml","en-us/the-source/authors/gitlab","yml",{"_path":31,"_dir":32,"_draft":6,"_partial":6,"_locale":7,"data":33,"_id":334,"_type":24,"title":335,"_source":26,"_file":336,"_stem":337,"_extension":29},"/shared/en-us/main-footer","en-us",{"text":34,"source":35,"edit":41,"contribute":46,"config":51,"items":56,"minimal":326},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":36,"config":37},"View page source",{"href":38,"dataGaName":39,"dataGaLocation":40},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":42,"config":43},"Edit this page",{"href":44,"dataGaName":45,"dataGaLocation":40},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":47,"config":48},"Please 
contribute",{"href":49,"dataGaName":50,"dataGaLocation":40},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":52,"facebook":53,"youtube":54,"linkedin":55},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[57,84,157,225,287],{"title":58,"links":59,"subMenu":65},"Platform",[60],{"text":61,"config":62},"DevSecOps platform",{"href":63,"dataGaName":64,"dataGaLocation":40},"/platform/","devsecops platform",[66],{"title":67,"links":68},"Pricing",[69,74,79],{"text":70,"config":71},"View plans",{"href":72,"dataGaName":73,"dataGaLocation":40},"/pricing/","view plans",{"text":75,"config":76},"Why Premium?",{"href":77,"dataGaName":78,"dataGaLocation":40},"/pricing/premium/","why premium",{"text":80,"config":81},"Why Ultimate?",{"href":82,"dataGaName":83,"dataGaLocation":40},"/pricing/ultimate/","why ultimate",{"title":85,"links":86},"Solutions",[87,92,97,102,107,112,117,122,127,132,137,142,147,152],{"text":88,"config":89},"Digital transformation",{"href":90,"dataGaName":91,"dataGaLocation":40},"/topics/digital-transformation/","digital transformation",{"text":93,"config":94},"Security & Compliance",{"href":95,"dataGaName":96,"dataGaLocation":40},"/solutions/security-compliance/","security & compliance",{"text":98,"config":99},"Automated software delivery",{"href":100,"dataGaName":101,"dataGaLocation":40},"/solutions/delivery-automation/","automated software delivery",{"text":103,"config":104},"Agile development",{"href":105,"dataGaName":106,"dataGaLocation":40},"/solutions/agile-delivery/","agile delivery",{"text":108,"config":109},"Cloud transformation",{"href":110,"dataGaName":111,"dataGaLocation":40},"/topics/cloud-native/","cloud transformation",{"text":113,"config":114},"SCM",{"href":115,"dataGaName":116,"dataGaLocation":40},"/solutions/source-code-management/","source 
code management",{"text":118,"config":119},"CI/CD",{"href":120,"dataGaName":121,"dataGaLocation":40},"/solutions/continuous-integration/","continuous integration & delivery",{"text":123,"config":124},"Value stream management",{"href":125,"dataGaName":126,"dataGaLocation":40},"/solutions/value-stream-management/","value stream management",{"text":128,"config":129},"GitOps",{"href":130,"dataGaName":131,"dataGaLocation":40},"/solutions/gitops/","gitops",{"text":133,"config":134},"Enterprise",{"href":135,"dataGaName":136,"dataGaLocation":40},"/enterprise/","enterprise",{"text":138,"config":139},"Small business",{"href":140,"dataGaName":141,"dataGaLocation":40},"/small-business/","small business",{"text":143,"config":144},"Public sector",{"href":145,"dataGaName":146,"dataGaLocation":40},"/solutions/public-sector/","public sector",{"text":148,"config":149},"Education",{"href":150,"dataGaName":151,"dataGaLocation":40},"/solutions/education/","education",{"text":153,"config":154},"Financial services",{"href":155,"dataGaName":156,"dataGaLocation":40},"/solutions/finance/","financial services",{"title":158,"links":159},"Resources",[160,165,170,175,180,185,190,195,200,205,210,215,220],{"text":161,"config":162},"Install",{"href":163,"dataGaName":164,"dataGaLocation":40},"/install/","install",{"text":166,"config":167},"Quick start guides",{"href":168,"dataGaName":169,"dataGaLocation":40},"/get-started/","quick setup checklists",{"text":171,"config":172},"Learn",{"href":173,"dataGaName":174,"dataGaLocation":40},"https://university.gitlab.com/","learn",{"text":176,"config":177},"Product documentation",{"href":178,"dataGaName":179,"dataGaLocation":40},"https://docs.gitlab.com/","docs",{"text":181,"config":182},"Blog",{"href":183,"dataGaName":184,"dataGaLocation":40},"/blog/","blog",{"text":186,"config":187},"Customer success stories",{"href":188,"dataGaName":189,"dataGaLocation":40},"/customers/","customer success 
stories",{"text":191,"config":192},"Remote",{"href":193,"dataGaName":194,"dataGaLocation":40},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"text":196,"config":197},"GitLab Services",{"href":198,"dataGaName":199,"dataGaLocation":40},"/services/","services",{"text":201,"config":202},"TeamOps",{"href":203,"dataGaName":204,"dataGaLocation":40},"/teamops/","teamops",{"text":206,"config":207},"Community",{"href":208,"dataGaName":209,"dataGaLocation":40},"/community/","community",{"text":211,"config":212},"Forum",{"href":213,"dataGaName":214,"dataGaLocation":40},"https://forum.gitlab.com/","forum",{"text":216,"config":217},"Events",{"href":218,"dataGaName":219,"dataGaLocation":40},"/events/","events",{"text":221,"config":222},"Partners",{"href":223,"dataGaName":224,"dataGaLocation":40},"/partners/","partners",{"title":226,"links":227},"Company",[228,233,238,243,248,253,258,262,267,272,277,282],{"text":229,"config":230},"About",{"href":231,"dataGaName":232,"dataGaLocation":40},"/company/","company",{"text":234,"config":235},"Jobs",{"href":236,"dataGaName":237,"dataGaLocation":40},"/jobs/","jobs",{"text":239,"config":240},"Leadership",{"href":241,"dataGaName":242,"dataGaLocation":40},"/company/team/e-group/","leadership",{"text":244,"config":245},"Team",{"href":246,"dataGaName":247,"dataGaLocation":40},"/company/team/","team",{"text":249,"config":250},"Handbook",{"href":251,"dataGaName":252,"dataGaLocation":40},"https://handbook.gitlab.com/","handbook",{"text":254,"config":255},"Investor relations",{"href":256,"dataGaName":257,"dataGaLocation":40},"https://ir.gitlab.com/","investor relations",{"text":259,"config":260},"Sustainability",{"href":261,"dataGaName":259,"dataGaLocation":40},"/sustainability/",{"text":263,"config":264},"Diversity, inclusion and belonging (DIB)",{"href":265,"dataGaName":266,"dataGaLocation":40},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":268,"config":269},"Trust 
Center",{"href":270,"dataGaName":271,"dataGaLocation":40},"/security/","trust center",{"text":273,"config":274},"Newsletter",{"href":275,"dataGaName":276,"dataGaLocation":40},"/company/contact/","newsletter",{"text":278,"config":279},"Press",{"href":280,"dataGaName":281,"dataGaLocation":40},"/press/","press",{"text":283,"config":284},"Modern Slavery Transparency Statement",{"href":285,"dataGaName":286,"dataGaLocation":40},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"title":288,"links":289},"Contact Us",[290,295,300,305,310,315,320],{"text":291,"config":292},"Contact an expert",{"href":293,"dataGaName":294,"dataGaLocation":40},"/sales/","sales",{"text":296,"config":297},"Get help",{"href":298,"dataGaName":299,"dataGaLocation":40},"/support/","get help",{"text":301,"config":302},"Customer portal",{"href":303,"dataGaName":304,"dataGaLocation":40},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"text":306,"config":307},"Status",{"href":308,"dataGaName":309,"dataGaLocation":40},"https://status.gitlab.com/","status",{"text":311,"config":312},"Terms of use",{"href":313,"dataGaName":314,"dataGaLocation":40},"/terms/","terms of use",{"text":316,"config":317},"Privacy statement",{"href":318,"dataGaName":319,"dataGaLocation":40},"/privacy/","privacy statement",{"text":321,"config":322},"Cookie preferences",{"dataGaName":323,"dataGaLocation":40,"id":324,"isOneTrustButton":325},"cookie preferences","ot-sdk-btn",true,{"items":327},[328,330,332],{"text":311,"config":329},{"href":313,"dataGaName":314,"dataGaLocation":40},{"text":316,"config":331},{"href":318,"dataGaName":319,"dataGaLocation":40},{"text":321,"config":333},{"dataGaName":323,"dataGaLocation":40,"id":324,"isOneTrustButton":325},"content:shared:en-us:main-footer.yml","Main 
Footer","shared/en-us/main-footer.yml","shared/en-us/main-footer",{"_path":339,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"logo":340,"subscribeLink":345,"navItems":349,"_id":361,"_type":24,"title":362,"_source":26,"_file":363,"_stem":364,"_extension":29},"/shared/en-us/the-source/navigation",{"altText":341,"config":342},"the source logo",{"src":343,"href":344},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1750191004/t7wz1klfb2kxkezksv9t.svg","/the-source/",{"text":346,"config":347},"Subscribe",{"href":348},"#subscribe",[350,354,357],{"text":351,"config":352},"Artificial Intelligence",{"href":353},"/the-source/ai/",{"text":93,"config":355},{"href":356},"/the-source/security/",{"text":358,"config":359},"Platform & Infrastructure",{"href":360},"/the-source/platform/","content:shared:en-us:the-source:navigation.yml","Navigation","shared/en-us/the-source/navigation.yml","shared/en-us/the-source/navigation",{"_path":366,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"title":367,"description":368,"submitMessage":369,"formData":370,"_id":374,"_type":24,"_source":26,"_file":375,"_stem":376,"_extension":29},"/shared/en-us/the-source/newsletter","The Source Newsletter","Stay updated with insights for the future of software development.","You have successfully signed up for The Source’s 
newsletter.",{"config":371},{"formId":372,"formName":373,"hideRequiredLabel":325},1077,"thesourcenewsletter","content:shared:en-us:the-source:newsletter.yml","shared/en-us/the-source/newsletter.yml","shared/en-us/the-source/newsletter",{"amanda-rueda":378,"andre-michael-braun":379,"andrew-haschka":380,"ayoub-fandi":381,"bob-stevens":382,"brian-wald":383,"bryan-ross":384,"chandler-gibbons":385,"dave-steer":386,"ddesanto":387,"derek-debellis":388,"emilio-salvador":389,"erika-feldman":390,"george-kichukov":391,"gitlab":11,"grant-hickman":392,"haim-snir":393,"iganbaruch":394,"jlongo":395,"joel-krooswyk":396,"josh-lemos":397,"julie-griffin":398,"kristina-weis":399,"lee-faus":400,"ncregan":401,"rschulman":402,"sabrina-farmer":403,"sandra-gittlen":404,"sharon-gaudin":405,"stephen-walters":406,"taylor-mccaslin":407},"Amanda Rueda","Andre Michael Braun","Andrew Haschka","Ayoub Fandi","Bob Stevens","Brian Wald","Bryan Ross","Chandler Gibbons","Dave Steer","David DeSanto","Derek DeBellis","Emilio Salvador","Erika Feldman","George Kichukov","Grant Hickman","Haim Snir","Itzik Gan Baruch","Joseph Longo","Joel Krooswyk","Josh Lemos","Julie Griffin","Kristina Weis","Lee Faus","Niall Cregan","Robin Schulman","Sabrina Farmer","Sandra Gittlen","Sharon Gaudin","Stephen Walters","Taylor McCaslin",{"allArticles":409,"visibleArticles":485,"showAllBtn":325},[410,449,468],{"_path":411,"_dir":412,"_draft":6,"_partial":6,"_locale":7,"config":413,"seo":416,"content":420,"type":444,"slug":445,"category":412,"_id":446,"_type":24,"title":417,"_source":26,"_file":447,"_stem":448,"_extension":29,"date":421,"description":418,"timeToRead":422,"heroImage":419,"keyTakeaways":423,"articleBody":427,"faq":428},"/en-us/the-source/security/how-gitlab-can-help-you-prepare-for-your-soc-2-exam","security",{"layout":9,"template":414,"articleType":415,"author":22,"featured":6,"isHighlighted":6,"authorName":11},"TheSourceArticle","Regular",{"title":417,"description":418,"ogImage":419},"How GitLab can help you 
prepare for your SOC 2 exam","Learn about features in the DevSecOps platform geared toward a SOC 2 framework exam.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463759/yk7f6poowtw5y5d5oflv.png",{"title":417,"date":421,"description":418,"timeToRead":422,"heroImage":419,"keyTakeaways":423,"articleBody":427,"faq":428},"2024-07-18","5 min read",[424,425,426],"Automated testing and code coverage reports enhance SOC 2 Availability and Processing Integrity.","GitLab's security scans and role-based controls ensure compliance with the SOC 2 framework, protecting data from vulnerabilities and unauthorized access.","GitLab's templates for browser and load performance testing simplify SOC 2 exams by validating application performance and security at every development stage.","GitLab customers have found that using GitLab as their platform for DevSecOps has simplified the SOC 2 exam process. This blog reviews the SOC 2 framework and GitLab features that help customers with their SOC 2 exam.\n\n## Introduction to SOC 2\nSystem and Organization Controls 2, or [SOC 2](https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement), is a voluntary compliance standard that specifies how organizations should manage customer data. 
The SOC 2 exam report allows companies to provide attestation to the trustworthiness of software it offers to business customers.\n\nDeveloped by the Association of International Certified Professional Accountants (AICPA), SOC 2 focuses on five Trust Services Criteria (TSC):\n- Security - protecting customer data from vulnerabilities and unauthorized access\n- Availability - ensuring systems are fault-tolerant and performant under high loads in order to meet availability service-level agreements\n- Processing Integrity - systems function as designed without vulnerabilities, errors, or bugs\n- Confidentiality - protecting confidential information such as application source code, usernames and passwords, credit card information, etc., so that only people who need access in order to do their jobs have access to it\n- Privacy - safeguarding sensitive personally identifiable information (PII) against unauthorized users\n\nSecurity is the only required criterion for every SOC 2 exam. The other criteria can be added to the exam in cases where they are deemed critical to the services being provided.\n\n## Security TSC\nThe security criterion pertains to not only the security of servers and physical systems, but also applications. 
Software vulnerabilities potentially open up an application to attackers, putting customers' data at risk, but this is an area where GitLab can help.\n\nGitLab provides security scans to identify potential vulnerabilities in the applications a company builds, including the following:\n- [Static Application Security Testing (SAST)](https://docs.gitlab.com/ee/user/application_security/sast/), which scans source code for potential bugs and vulnerabilities such as unsafe code that can lead to unintended code execution\n- [Dependency Scanning](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/), which finds security vulnerabilities in the software dependencies of an application\n- [Container Scanning](https://docs.gitlab.com/ee/user/application_security/container_scanning/), which finds security vulnerabilities in the operating system dependencies of a containerized application\n- [Dynamic Application Security Testing (DAST)](https://docs.gitlab.com/ee/user/application_security/dast/), which finds security vulnerabilities in a running web application that make it susceptible to an attack\n- [Infrastructure as Code (IaC) Scanning](https://docs.gitlab.com/ee/user/application_security/iac_scanning/), which scans infrastructure as code configuration files, including Terraform, Ansible, AWS CloudFormation, and Kubernetes, to find security vulnerabilities\n\nGitLab also provides a [vulnerability report](https://docs.gitlab.com/ee/user/application_security/vulnerability_report/), which shows all known vulnerabilities, based on the scans above, in the current application. 
GitLab also provides a software bill of materials ([SBOM](https://docs.gitlab.com/ee/user/application_security/dependency_list/)) in standard CycloneDX JSON format, that shows all software-level and operating system-level dependencies and known vulnerabilities for them.\n\nHaving regular vulnerability scans and robust vulnerability reporting helps satisfy three Security criteria:\n- CC7.1 – To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.\n- CC4.1 – COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.\n- CC4.2 – COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.\n\nA crucial piece of security scans is governance and enforcement. GitLab provides features to ensure that scans are happening regularly and that software development teams are not able to circumvent them. 
These features include:\n- [Role-based access controls](https://docs.gitlab.com/ee/user/permissions.html) to limit who can make changes to project-level configuration settings\n- [Scan execution policies](https://docs.gitlab.com/ee/user/application_security/policies/scan-execution-policies.html) to enforce that scans run on each code repository\n- [Merge request approval policies](https://docs.gitlab.com/ee/user/application_security/policies/merge_request_approval_policies.html) to ensure that scan results are reviewed and approved by the appropriate security stakeholders so that newly found vulnerabilities are not being introduced into deployed software\n- [Compliance reports](https://docs.gitlab.com/ee/user/application_security/) to show any changes to GitLab configurations that may violate security processes put in place\n\nWith these configurations in place, organizations can prove that software security is a top priority for their applications and security practices are being enforced.\n\n## Availability and Processing Integrity TSCs\nGitLab can also help with Availability and Processing Integrity TSCs. These criteria focus on the quality and performance of the application itself. To support these criteria, GitLab provides:\n- Unit test results and code coverage changes in the form of [code coverage reports](https://docs.gitlab.com/ee/ci/testing/code_coverage.html), which ensure that source code is being validated by a test suite\n- [Code quality](https://docs.gitlab.com/ee/ci/testing/code_quality.html), which analyzes the source code quality and complexity for ease of readability and maintainability\n\nWhile the above software development practices are used early in the software development lifecycle to ensure high-quality, tested code, GitLab additionally provides templates for various types of automated tests for a running application to ensure it is working as expected. 
These tests include:\n- [Browser performance testing](https://docs.gitlab.com/ee/ci/testing/browser_performance_testing.html), which measures the load time for web sites during the development lifecycle to test the impact of any code changes on browser performance\n- [Load performance testing](https://docs.gitlab.com/ee/ci/testing/load_performance_testing.html), which measures the system performance of an application's backend during the development lifecycle to test the impact of any code changes on performance\n- [Coverage-guided fuzz testing](https://docs.gitlab.com/ee/user/application_security/coverage_fuzzing/), which sends unexpected, malformed, or random data to an application and then monitors it for unstable behaviors and crashes\n- [Web API fuzz testing](https://docs.gitlab.com/ee/user/application_security/api_fuzzing/), which sends unexpected, malformed, or random data to API endpoints to look for bugs and security issues\n\nBy focusing on strong DevSecOps practices with GitLab to build high-quality, secure applications, organizations are able to more easily pass a SOC 2 exam to attest to the security of customer data.\n\n> **Learn more: [Strengthen your cybersecurity posture](https://about.gitlab.com/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design/) with Secure by Design principles.**",[429,432,435,438,441],{"header":430,"content":431},"How does GitLab help organizations achieve SOC 2 compliance?","GitLab supports SOC 2 compliance by providing advanced security scans (SAST, DAST, dependency scanning, and IaC scanning), vulnerability reporting, and role-based access controls. 
These features help organizations detect and mitigate security risks while maintaining robust internal controls and audit trails to demonstrate compliance.",{"header":433,"content":434},"How do GitLab's compliance features enhance governance and enforcement for SOC 2?","- Role-based access controls to limit configuration changes\n- Scan execution policies to mandate regular security scans\n- Merge request approval policies to review and approve vulnerabilities\n- Compliance reports to track configuration changes and ensure adherence to security policies",{"header":436,"content":437},"Which Trust Services Criteria (TSC) are covered by GitLab's security features?","GitLab helps organizations meet the Security, Availability, and Processing Integrity TSCs by providing:\n - Security scans to detect vulnerabilities\n - Role-based access controls and compliance reports to enforce security policies\n - Performance and code quality tests to ensure application integrity and availability",{"header":439,"content":440},"What are the benefits of using GitLab for SOC 2 exam preparation?","Using GitLab for SOC 2 exam preparation streamlines compliance by integrating security scans, vulnerability management, and compliance reporting within a single platform. This holistic approach reduces manual effort, ensures consistent security practices, and enhances the organization's ability to pass the SOC 2 exam with confidence.",{"header":442,"content":443},"What is SOC 2 compliance and why is it important for software companies?","SOC 2 is a voluntary compliance standard that specifies how organizations should manage customer data, focusing on security, availability, processing integrity, confidentiality, and privacy. 
It demonstrates trustworthiness and data protection to business customers, enhancing credibility and ensuring compliance with industry standards.","article","how-gitlab-can-help-you-prepare-for-your-soc-2-exam","content:en-us:the-source:security:how-gitlab-can-help-you-prepare-for-your-soc-2-exam:index.yml","en-us/the-source/security/how-gitlab-can-help-you-prepare-for-your-soc-2-exam/index.yml","en-us/the-source/security/how-gitlab-can-help-you-prepare-for-your-soc-2-exam/index",{"_path":450,"_dir":412,"_draft":6,"_partial":6,"_locale":7,"config":451,"seo":452,"content":456,"type":444,"slug":464,"category":412,"_id":465,"_type":24,"title":453,"_source":26,"_file":466,"_stem":467,"_extension":29,"date":457,"description":454,"timeToRead":458,"heroImage":455,"keyTakeaways":459,"articleBody":463},"/en-us/the-source/security/10-tips-to-prioritize-security-in-software-development",{"layout":9,"template":414,"articleType":415,"author":22,"featured":6,"isHighlighted":6,"authorName":11},{"title":453,"description":454,"ogImage":455},"10 tips to prioritize security in software development","Follow this advice to shift security earlier in the development cycle for greater efficiency and more secure software.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464607/pmqkaclogv0y5tf4hk3t.png",{"title":453,"date":457,"description":454,"timeToRead":458,"heroImage":455,"keyTakeaways":459,"articleBody":463},"2024-04-16","2 min read",[460,461,462],"Shifting left enhances software security by detecting vulnerabilities early in the SDLC.","GitLab integrates security into DevSecOps for proactive risk management.","Streamline processes with GitLab to improve speed and compliance in development.","Cyber attacks and cybersecurity threats continue to be one of the highest priorities for organizations. As such, the developer's role continues to evolve. 
Over half of respondents surveyed in GitLab’s [2024 Global DevSecOps Survey](https://about.gitlab.com/developer-survey/) said they are responsible for application security as part of a larger team - signaling that security practices are continuing to shift left.\n\nShifting left - designing software with security best practices built in to detect and fix vulnerabilities earlier in the software development lifecycle (SDLC) - enables teams to run more efficiently and release software faster.\n\nWhile 67% of the security professionals GitLab surveyed said they have either shifted left or plan to in the next three years, you may be unsure how to get started.\n\nHere are 10 tips to help your teams shift left for more efficient DevSecOps:\n\n### 1. Measure time\n\nHow much time is lost remediating vulnerabilities after code is merged? Measure this, then look for a pattern in the type or source of those vulnerabilities, and make the necessary adjustments for improvement.\n\n### 2. Identify bottlenecks\n\nWhere are the pain points and bottlenecks between security protocols and processes? Identify these, and then create and execute a resolution plan.\n\n### 3. Start small\n\nMake small code changes - they are easier to review, secure, and launch more quickly than large project changes.\n\n### 4. Eliminate waterfall\n\nAre people still holding on to waterfall-style security processes within the SDLC? Eliminating or reducing waterfall will help your organization prevent the struggle to change direction as needs arise.\n\n### 5. Automate scans\n\nAre manual processes slowing down and hampering the process of discovering vulnerabilities? Automate findings into a merge request for easier review, finding sources, and accessibility for developers to address.\n\n### 6. Update workflows\n\nAre security scans included in your developers’ workflow? 
Building and integrating security into developer workflows enable them to find and fix vulnerabilities before the code ever leaves their hands.\n\n### 7. Demonstrate compliance\n\nIs unplanned and unscheduled work delaying releases? Automating and implementing compliance frameworks help with consistency across development environments, teams, and applications.\n\n### 8. Empower devs with security reports\n\nDo your developers have access to SAST and DAST reports? These valuable tools help dev teams build secure coding practices, fixing vulnerabilities as part of their workflow.\n\n### 9. Let teams work smarter\n\nEmpower the security team to work smarter with security dashboards into both resolved and unresolved vulnerabilities, where the vulnerabilities reside, who created them, and their status for remediation.\n\n### 10. Ditch the toolchain\n\nStreamline and reduce your toolchain so that employees can focus their attention on a single interface - a single source of truth.\n\n## Shift left with GitLab\n\nGitLab helps you initiate a proactive security strategy to discover vulnerabilities earlier in the SDLC. Security and compliance are embedded within the GitLab DevSecOps platform, with an end-to-end work-flow that enables you to understand and manage risk. Automatically scan for vulnerabilities on a feature branch so you can remediate vulnerabilities before pushing to production.\n\nGitLab has a history of supporting the DevSecOps initiatives of U.S. federal, state, and local government agencies, vendors, and educational institutions with one end-to-end software development platform that meets strenuous security and compliance requirements. 
Learn more about [how GitLab can help you shift left](https://about.gitlab.com/solutions/public-sector/) and secure your speed to mission.","10-tips-to-prioritize-security-in-software-development","content:en-us:the-source:security:10-tips-to-prioritize-security-in-software-development:index.yml","en-us/the-source/security/10-tips-to-prioritize-security-in-software-development/index.yml","en-us/the-source/security/10-tips-to-prioritize-security-in-software-development/index",{"_path":469,"_dir":412,"_draft":6,"_partial":6,"_locale":7,"config":470,"seo":471,"content":475,"type":444,"slug":481,"category":412,"_id":482,"_type":24,"title":472,"_source":26,"_file":483,"_stem":484,"_extension":29,"description":473,"timeToRead":422,"heroImage":474,"keyTakeaways":476,"articleBody":480},"/en-us/the-source/security/the-future-of-devops-education-needs-to-include-security",{"layout":9,"template":414,"articleType":415,"author":22,"featured":6,"isHighlighted":6,"authorName":11},{"title":472,"description":473,"ogImage":474},"The future of DevOps education needs to include security","Learn how educators and students can prepare for the world of DevSecOps.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464659/e7y3ejbiaouubnc55l40.png",{"title":472,"description":473,"timeToRead":422,"heroImage":474,"keyTakeaways":476,"articleBody":480},[477,478,479],"DevSecOps integrates security in DevOps, ensuring safer software and timely vulnerability detection.","Educators should focus on security principles, using platforms like GitLab to teach secure coding.","Students can join open-source projects or campus groups to gain DevSecOps skills and insights.","[DevSecOps](https://about.gitlab.com/topics/devsecops/) is the inclusion of security as an integral part of traditional DevOps development, a strategy known as [shifting left](https://about.gitlab.com/topics/ci-cd/shift-left-devops/). 
With DevSecOps, myriad security scans, including dynamic application security testing and static application security testing, and other security tasks are performed during the development process rather than waiting until later in the cycle. DevSecOps enables organizations to identify and mitigate vulnerabilities early to ensure safer software and avoid delivery delays.\n\nAs DevOps teams across industries evolve into DevSecOps teams, higher education should respond in kind to ensure students likely to enter tech careers [have the skills necessary to be competitive](https://about.gitlab.com/blog/whats-next-for-devsecops/). In GitLab’s [2022 Global DevSecOps survey](/developer-survey/#download),  53% of respondents said security is everyone’s responsibility. Yet, many college computer science programs don’t [include security-related courses in their core requirements](https://www.appsecengineer.com/blog/developer-security-at-universities).\n\nEvery company that develops software – even for internal use only - must be proficient in security to protect their applications. Here is what educators and students need to know about melding security into their DevOps curricula to prepare their students for the world of DevSecOps.\n\n## How educators can teach DevSecOps\n\n\"Security education is not about finding specific issues, but about teaching the right mindset,\" said Gábor Pék, co-founder of security education company Avatao, in [TechBeacon](https://techbeacon.com/security/5-ways-better-educate-developers-application-security).\n\nThere are a variety of tools and techniques for security, but students don’t need to know all of them; it’s more important – and more valuable – to focus on the principles of security. 
Also, as an educator, you can use [a single platform](https://about.gitlab.com/blog/why-the-market-is-moving-to-a-platform-approach-to-devsecops/) to streamline teaching students about how to write secure code.\n\nWith a DevSecOps platform like GitLab, students can explore how to protect the software development lifecycle using [built-in security tools](https://about.gitlab.com/stages-devops-lifecycle/secure/). [GitLab’s docs](https://docs.gitlab.com/ee/user/application_security/) on securing your application are a great place to start learning about how GitLab approaches DevSecOps and will give students the base knowledge and skills to build upon as they continue to learn in their careers.\n\n### Resources for educators\n- [An Open Source Security Foundation course](https://openssf.org/training/courses/) on secure programming that you can use to supplement your own courses\n- [Best Practices for Secure Development](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Concise-Guide-for-Developing-More-Secure-Software.md#readme)\n- [Understanding security vulnerabilities in student code: A case study in a non-security course](https://www.sciencedirect.com/science/article/abs/pii/S0164121221002430)\n- Bring the DevSecOps platform into your classroom with [GitLab for Education’s free license](https://about.gitlab.com/solutions/education/)\n\n## How students can learn DevSecOps\n\nIf a university isn’t offering direct instruction on security, students can still acquire the skills they need to succeed in a career in DevSecOps. Just knowing the term DevSecOps and understanding how it is changing software development can put a student ahead of the curve. Here are some more options for learning:\n\n### Participate in a security-focused open source project\n\nParticipating in security-focused open source projects is another excellent way to broaden your understanding of the role security plays in modern application development. 
Many security-focused open source projects call GitLab home, and just by using them, you become part of the communities developing and improving them.\n\nYou might consider tinkering with a single application – like popular disk encryption mainstay [cryptsetup](https://gitlab.com/cryptsetup) – or diving deeper into open source security by downloading, installing, and experimenting with [Kali Linux](https://gitlab.com/kalilinux), a Linux distribution built for security-minded engineers.\n\nNo matter what you choose, be sure to investigate how those communities incorporate security concerns and best practices into their programming. You could even start the conversation by creating an issue in their projects.\n\n### Find security-driven organizations\n\nLook into organizations like [OpenSSF](https://openssf.org/). OpenSSF seeks to inform and educate developers everywhere about the importance of secure software in the open source world. It’s an important enough consideration that OpenSSF is designated as a Linux Foundation project. OpenSSF offers several ways not only to learn, but to get directly involved in projects that will sharpen skills and create networking opportunities outside of your classroom.\n\n### Start a security-focused campus group\n\nMany campuses have security-focused groups, and you don’t have to be a cybersecurity student to join. Odalis Estrada from Cal Polytechnic Pomona is a member of Forensics and Security Technology, a.k.a. FAST, a student chapter of the High Technology Crime Investigation Association. Estrada says that her club is a mix of computer science students and cybersecurity students. She says, “There are attacks and vulnerabilities evolving constantly…” and that the club has helped its members “understand old and new attacks.”\n\nIf there isn’t a security-focused campus group, consider starting one to explore the importance of security in computer science. 
It’s a great way to learn more about modern secure software development.\n\nLearning about security doesn’t just benefit developers. “If developers write more secure code, then security teams will have more time to concentrate on other issues,” Estrada said, adding this creates safer software development.","the-future-of-devops-education-needs-to-include-security","content:en-us:the-source:security:the-future-of-devops-education-needs-to-include-security:index.yml","en-us/the-source/security/the-future-of-devops-education-needs-to-include-security/index.yml","en-us/the-source/security/the-future-of-devops-education-needs-to-include-security/index",[410,449,468],{"ai":351,"platform":358,"security":93},1753981667182]