The CIS Benchmarks™ play a critical role in hardening software against evolving cyber threats and ensuring compliance with industry regulations. GitLab and the Center for Internet Security® (CIS®) created the just-published CIS GitLab Benchmark, which includes more than 125 recommended secure configuration guidelines for hardening GitLab installations. Establishing this benchmark in collaboration with CIS demonstrates GitLab’s commitment to fostering a culture of proactive risk management within the DevOps landscape. The benchmark provides actionable security guidelines, which are especially beneficial for GitLab Self-managed customers.
In the following sections, we will examine:
- What are CIS Benchmarks?
- How the CIS GitLab Benchmark was created
- Objectives of the CIS GitLab Benchmark
- How to implement the CIS GitLab Benchmark
Apply the CIS GitLab Benchmark today.
What are CIS Benchmarks?
The CIS Benchmarks are comprehensive sets of guidelines and best practices developed by CIS to assist organizations in bolstering their cybersecurity defenses. These benchmarks serve as authoritative references, offering detailed recommendations on securely configuring various components of an organization's infrastructure, including operating systems, network devices, databases, and software applications.
The CIS Benchmarks are based on a consensus-driven development process that draws upon the collective expertise of cybersecurity professionals, industry practitioners, and subject matter experts around the world. CIS develops the benchmarks that encapsulate industry-standard best practices for securing systems and software across diverse environments and use cases. The benchmarks encompass a wide range of security controls, covering areas such as access control, authentication, encryption, logging, and monitoring. By adhering to the CIS Benchmarks, organizations can align their security posture with recognized industry standards and leverage proven strategies for safeguarding their digital assets.
Organizations that implement the recommendations outlined in the CIS Benchmarks can achieve the following:
- proactively address common security issues
- minimize exposure to vulnerabilities
- enhance the resilience of their systems and software
The CIS Benchmarks create confidence among stakeholders, customers, and regulatory bodies as they have been used across the industry to harden key workloads and applications.
Creating the CIS GitLab Benchmark
The CIS GitLab Benchmark stemmed from a collaboration between CIS and GitLab's Field Security and Product Management teams. After numerous conversations with customers, we understood the need for a specific benchmark that would guide their hardening efforts. We conducted an in-depth review of GitLab’s product and documentation to understand how our offering mapped to CIS's Software Supply Chain Security Benchmark. After the initial draft was ready, it entered into the CIS consensus process, where the broader CIS Benchmark Community was able to review it and suggest edits prior to publication.
Objectives of the CIS GitLab Benchmark
The CIS GitLab Benchmark targets a range of specific security concerns and vulnerabilities inherent to the DevSecOps platform. These include issues related to access control, authentication mechanisms, data encryption, secure code development practices, vulnerability management, and secure configuration management.
Additionally, the Benchmark addresses concerns specific to DevSecOps workflows, such as the security of source code, build and pipelines, third-party packages, package registries and deployments. By ensuring users follow the recommended best practices, the GitLabBenchmark aims to enhance the overall security posture of organizations using the GitLab platform.
How to implement the CIS GitLab Benchmark
To apply the CIS GitLab Benchmark to your own environment, follow these four steps:
- Visit https://www.cisecurity.org/cis-benchmarks.
- Access the latest version of the CIS GitLab Benchmark by navigating to DevSecOps tools and then clicking "Download the Benchmark."
- Assess your current configuration against the benchmark recommendations.
- Determine your gaps and the level of effort related to completing these gaps.
- Work on a plan to make your configuration as close to the benchmark recommendations as possible while taking into account the specificities of your own deployment.
The CIS GitLab Benchmark provides a comprehensive set of measures, which map to specific configurable features so it is simple to understand what steps to take to use GitLab securely and why each step should be taken. CIS is a well-respected, community-driven non-profit organization that “makes the connected world a safer place for people, businesses, and governments.” By leveraging the CIS GitLab Benchmark, you can help your organization take the proper steps to reduce cybersecurity risk and secure your GitLab installation.
Apply the CIS GitLab Benchmark today.