Untouched holes can allow taking over Gitlab accounts

Robert Beggs, CEO of Canadian incident response company Digital Defense, said civil society organizations must remember that GitLab is not a passive folder into which users simply deposit data or source code. It is a complex application that supports the entire DevOps lifecycle, from planning to deployment and monitoring. To fill this role, GitLab provides many complex features, and that feature set adds attack surface. Combined with the complexity of the application, any misconfiguration or vulnerability can have a significant impact on users.

“As with all apps, civil society organizations must pay attention to vendor vulnerabilities and reports of any patches or upgrades to the app,” he said in an email. “They also have to be careful about their own safety and hygiene and follow best practices for GitLab use.”

These include limiting access and access privileges to GitLab repositories (for example, ensuring that default visibility is set to Private), enabling multi-factor authentication for access and ensuring that passwords follow typical complexity rules, implementing role-based access controls and frequently reviewing access lists, implementing SSL and TLS certificates to secure communications, securing GitLab runners and pipeline variables, and protecting the codebase with branch protection rules and code signatures, among other measures.
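The checklist above can be turned into an offline configuration audit. The following is an added example, not code from the article or from GitLab: the group and project dictionaries are constructed sample data whose keys follow GitLab REST API field names, and the rule that privileged members must carry an access expiry is an assumption made for the example.

```python
"""Offline audit of GitLab group/project settings against the hardening checklist above.

Input dictionaries are constructed for this example; their keys follow the GitLab
REST API (groups, projects, protected branches, CI/CD variables, push rules, members).
"""
from typing import Dict, List

MAINTAINER = 40  # GitLab access levels: 10 Guest, 20 Reporter, 30 Developer, 40 Maintainer, 50 Owner


def audit(group: Dict, project: Dict) -> List[str]:
    """Return one finding per failed check; an empty list means the settings pass."""
    findings: List[str] = []
    if not group.get("require_two_factor_authentication"):
        findings.append("group does not enforce two-factor authentication")
    if project.get("visibility") != "private":
        findings.append(f"visibility is {project.get('visibility')!r}, expected 'private'")
    # Branch protection: the default branch must be protected, with force push disabled.
    default = project.get("default_branch", "main")
    protected = {b["name"]: b for b in project.get("protected_branches", [])}
    if default not in protected:
        findings.append(f"default branch {default!r} is not protected")
    elif protected[default].get("allow_force_push"):
        findings.append(f"force push is allowed on protected branch {default!r}")
    # Code signatures: push rules should reject unsigned commits.
    if not project.get("push_rules", {}).get("reject_unsigned_commits"):
        findings.append("push rules do not reject unsigned commits")
    # Pipeline variables: secrets must be masked in logs and limited to protected branches.
    for var in project.get("variables", []):
        if not (var.get("masked") and var.get("protected")):
            findings.append(f"CI variable {var['key']} is not both masked and protected")
    # Access review (assumed policy): privileged members carry an expiry so access is re-approved.
    for m in project.get("members", []):
        if m.get("access_level", 0) >= MAINTAINER and not m.get("expires_at"):
            findings.append(f"privileged member {m['username']} has no access expiry")
    return findings


# Constructed sample: a project left on permissive settings versus the same project hardened.
WEAK_GROUP = {"require_two_factor_authentication": False}
WEAK_PROJECT = {
    "visibility": "public", "default_branch": "main", "protected_branches": [],
    "push_rules": {"reject_unsigned_commits": False},
    "variables": [{"key": "DEPLOY_TOKEN", "masked": False, "protected": False}],
    "members": [{"username": "alice", "access_level": 50, "expires_at": None}],
}
HARDENED_GROUP = {"require_two_factor_authentication": True}
HARDENED_PROJECT = {
    "visibility": "private", "default_branch": "main",
    "protected_branches": [{"name": "main", "allow_force_push": False}],
    "push_rules": {"reject_unsigned_commits": True},
    "variables": [{"key": "DEPLOY_TOKEN", "masked": True, "protected": True}],
    "members": [{"username": "alice", "access_level": 50, "expires_at": "2025-01-31"}],
}

if __name__ == "__main__":
    for label, g, p in (("weak", WEAK_GROUP, WEAK_PROJECT), ("hardened", HARDENED_GROUP, HARDENED_PROJECT)):
        print(label, audit(g, p) or "OK")
```

Feeding the same function real responses from the GitLab API (project, protected branches, variables, members and the owning group) gives a repeatable review of the settings the article lists.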
