Beyond Identity Joins GitLab Inc.’s Alliance Partner Program to Secure Software Supply Chains From Malicious Attacks

June 2022 by Marc Jacob

Beyond Identity and GitLab Inc. announced a new partnership and integration that enables customers to prevent intentional vulnerabilities from being introduced into DevOps environments and to dramatically reduce the risk of supply chain attacks. The integration between Beyond Identity and GitLab enables companies to ensure that only authorized users working from company-approved and secure computers can access code repositories or sign source code during commit activities. Beyond Identity builds on the security enhancements and API hooks the GitLab team has released, adding the capability of associating an SSH or GPG key with a known corporate identity. These capabilities are available today.

GitLab’s One DevOps Platform supports essential security capabilities, including the ability to use cryptographic keys to control access and sign source code entering the repository. These advanced capabilities are critical to reducing vulnerabilities that most organizations, even advanced shops, currently have in their DevOps environments. They enable organizations to tightly control access to the source and infrastructure code in repositories and gain visibility into exactly who is committing code. In the past, DevOps teams have typically not required this, and in the rare cases where they have, the SSH and GPG keys used to access repos and sign commits have not been bound to an authorized corporate identity. Further, there has been no way to ensure that engineers work from an authorized and appropriately secure computer. These issues leave the door wide open to malicious code injection attacks.

Beyond Identity’s Secure DevOps solution is designed to prevent credential-based breaches by automating and securing digital access for developers, enabling secure repository access and check-ins. GitLab’s focus on security and essential integration hooks enable Beyond Identity to mint SSH and GPG keys that are cryptographically tied to a known and authorized corporate identity and to an authorized computer. This integration enables DevSecOps teams to lock down the repo and ensure that a valid corporate identity signs every piece of code committed to the repo. The integration also allows DevSecOps teams to validate that each piece of code entering the CI/CD pipeline is checked to ensure authorized users signed it – typically as the first step in the CI pipeline.

The Secure DevOps integration with GitLab can help with the following:
• Stop malicious actors or rogue insiders from injecting malware into source code and protect SaaS, PaaS, and IaaS services and apps from backdoors.
• Control repository access and stop introducing unauthorized malicious code to customers (e.g., SolarWinds).
• Prevent bad actors and insiders from altering network/system infrastructure settings and introducing hard-to-detect vulnerabilities and backdoors by manipulating infrastructure as code now stored in repositories.
• Confirm that every piece of source or infrastructure code is signed and cryptographically bound to an authorized user so that organizations have perfect visibility into who contributed to every commit – ensuring that issues found by code scanning tools can be immutably tracked to a specific identity.
• Ensure that engineers and contractors are using authorized and proven secure computers to access or commit code – thwarting attacks by adversaries that prey on poorly secured endpoints.
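As an added example (not code from Beyond Identity or GitLab), the CI verification step described above can be implemented as a gate over `git log --format='%H %G? %GF'` output for the pushed range: the pipeline fails unless every commit carries a valid signature from a key on an allow-list that binds fingerprints to corporate identities. The allow-list and the log lines below are constructed; `git_log_lines` shows the real input command.

```python
import subprocess

# %G? status codes as documented by git log: G good, U good but signer key of
# unknown validity, B bad, X good but expired signature, Y good but expired
# key, R good but revoked key, E cannot be checked (missing key), N unsigned.
STATUS_TEXT = {"G": "good", "U": "good, key validity unknown", "B": "bad signature",
               "X": "expired signature", "Y": "expired key", "R": "revoked key",
               "E": "unverifiable (signer key not available)", "N": "unsigned"}
# U is accepted because the allow-list below, not gpg's web of trust,
# is the trust decision in this gate.
ACCEPTED = {"G", "U"}

# Hypothetical allow-list mapping key fingerprints to corporate identities
# (constructed values; a real one would be exported from the identity provider).
ALLOWED_KEYS = {
    "0000000000000000000000000000000000000001": "alice@example.com",
}

def check_commit(line, allowed_keys=ALLOWED_KEYS):
    """Return (sha, ok, reason) for one '%H %G? %GF' line."""
    parts = line.split()
    sha, status = parts[0], parts[1]
    fingerprint = parts[2] if len(parts) > 2 else ""  # empty when unsigned
    if status not in ACCEPTED:
        return sha, False, STATUS_TEXT.get(status, "unknown status " + status)
    identity = allowed_keys.get(fingerprint)
    if identity is None:
        return sha, False, "key %s not bound to a corporate identity" % fingerprint
    return sha, True, "signed by " + identity

def gate(log_lines, allowed_keys=ALLOWED_KEYS):
    """True only if every commit in the range passes; also return all verdicts."""
    results = [check_commit(l, allowed_keys) for l in log_lines if l.strip()]
    return all(ok for _, ok, _ in results), results

def git_log_lines(rev_range):
    """Real input for the gate, e.g. rev_range = 'BEFORE_SHA..AFTER_SHA'."""
    out = subprocess.run(["git", "log", "--format=%H %G? %GF", rev_range],
                         check=True, capture_output=True, text=True).stdout
    return out.splitlines()

# Constructed sample output in the '%H %G? %GF' format.
SAMPLE_LOG = [
    "1111aaaa G 0000000000000000000000000000000000000001",  # allow-listed key
    "2222bbbb U 0000000000000000000000000000000000000001",  # allow-listed, untrusted in gpg
    "3333cccc G 0000000000000000000000000000000000000002",  # valid but unknown key
    "4444dddd N",                                            # unsigned
    "5555eeee E 0000000000000000000000000000000000000003",  # key not in keyring
]

if __name__ == "__main__":
    ok, results = gate(SAMPLE_LOG)
    for sha, passed, reason in results:
        print("PASS" if passed else "FAIL", sha, reason)
    raise SystemExit(0 if ok else 1)
```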


See previous articles

    

See next articles


Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts