How elite DevOps teams secure the software supply chain

Published on: January 6, 2022

The time is now to integrate security into your DevOps processes - your business will be better for it.


In 2022, the question is not if DevOps teams will integrate security into the software supply chain, but when and how quickly. The high-profile supply chain attacks of 2020 and 2021 have forced organizations to do more to protect themselves and their customers. Every DevOps team should strive to be an elite team in this area (commonly called DevSecOps), because doing less will leave your software supply chains vulnerable.

While many organizations might have been hesitant to blend security and DevOps over fears of how it would impact deployment schedules and performance, Google Cloud’s DevOps Research and Assessment (DORA) team concluded in its “Accelerate State of DevOps 2021 Report” that “development teams that embrace security see significant value driven to the business.”

Teams that integrate security practices throughout their development process are 1.6 times more likely to meet or exceed their organizational goals, according to the report, which is co-sponsored by GitLab. Meanwhile, elite performers that met or exceeded their reliability targets were twice as likely to have security integrated into their development process.

To get to this elite level, though, security has to be baked into DevOps processes at the earliest stages. DevOps and security teams need to collaborate to ensure that they understand one another’s goals and speak the same technical language so they can develop DevSecOps best practices that effectively and efficiently satisfy those goals.

Our newly released “Guide to Software Supply Chain Security” explains the urgency of protecting the supply chain now – no one wants a repeat of the SolarWinds or Colonial Pipeline attacks – and how the U.S. government will soon require many organizations to do so.

We help DevOps teams frame what it means to be elite, including moving beyond basic protections (using strong passwords, applying software patches in a timely manner, and implementing multi-factor authentication) to deploying these best practices:

  • Apply common controls for security and compliance
  • Automate common controls and CI/CD
  • Apply zero-trust principles
  • Inventory all tools and access, including infrastructure as code
  • Consider unconventional scale to find unconventional vulnerabilities
  • Secure containers and orchestrators

The guide also explains in detail the types of security scans that bolster supply chain security, including container scanning, dependency scanning, fuzz testing, dynamic application security testing (DAST) and static application security testing (SAST), license compliance, and secret detection.

For those unsure where they fall on the spectrum of supply chain security readiness, we’ve developed a two-minute quiz that examines how you handle the security of APIs, dependencies, and other critical areas. Use your ranking to plot your transformation to an elite team.

As the DORA report showed, there is room for improvement across the industry as fewer than two-thirds of DevOps teams are doing these simple security practices:

  • 63% invite InfoSec teams early and often
  • 60% perform security reviews
  • 58% test for security
  • 54% integrate security reviews into every phase
  • 49% build pre-approved code

There is little doubt that 2022 will have more high-profile supply chain attacks, but our guide can help you develop DevOps security processes that will protect your organization and your customers.

Read more on elite teams and supply chain security here:
