Home / Companies / GitLab / Blog / April 2019

April 2019 Summaries

28 posts from GitLab

Filter
Month: Year:
Post Summaries Back to Blog
DevOps has transformed software delivery efficiency, yet security testing often causes delays, creating tension between speed and cost efficiency. Traditionally, software development resembles an assembly line where work is passed along, but security testing can send projects back to the beginning if vulnerabilities are found, disrupting workflow. To address this, embedding security into the development workflow through DevSecOps is recommended, allowing developers to address vulnerabilities in real-time as they write code. Tools like GitLab facilitate this by presenting vulnerability alerts within the developer's pipeline, enabling developers to resolve issues before passing projects to security analysts. This integration not only minimizes friction between development and security teams but also accelerates release times, enhancing collaboration and efficiency across the DevOps lifecycle. Static application security testing (SAST) further supports this by enabling developers to address code vulnerabilities within their working environment, transforming security from a bottleneck to an integral part of the workflow. By shifting security checks earlier in the process, teams can streamline workflows, focus on critical risks, and reduce the need for handoffs, thereby producing secure and high-quality software more quickly.
Apr 30, 2019 629 words in the original blog post.
The acquisition of Gemnasium by GitLab, initially fraught with typical concerns of losing team cohesion and culture, turned out to be a positive and transformative experience for both companies. Despite initial apprehensions about integration and the speed of the acquisition process, including challenges during the due diligence phase, the Gemnasium team found GitLab's collaborative and transparent work culture, particularly through tools like Slack and Git, to be beneficial. As part of GitLab, the Gemnasium team transitioned into the Secure Team, expanding their scope beyond dependency scanning to include SAST, DAST, and container scanning, while maintaining a sense of autonomy and innovation. The supportive leadership at GitLab, coupled with a reduction in bureaucratic processes, allowed the team to focus on product development and customer needs, culminating in successful projects like the auto-remediation feature. This integration not only preserved the innovative spirit of Gemnasium but also enriched it, enabling the team to pursue new opportunities and contribute significantly to GitLab's growth, while still retaining the freedom to explore and innovate, reflecting GitLab's commitment to empowering its teams.
Apr 30, 2019 1,516 words in the original blog post.
Debt, whether financial or technical, can serve as a useful tool if managed properly, but excessive debt can lead to problems. The concept of technical debt, coined by Ward Cunningham, refers to the accumulation of incomplete or rushed code in software projects, similar to financial debt that grows over time if not addressed. Effective management of technical debt involves identifying and documenting it, prioritizing issues, and embracing small, incremental improvements through approaches like Minimum Viable Change (MVC). GitLab emphasizes the importance of using continuous delivery and CI/CD automation to streamline the process of managing technical debt, making it possible to reduce the burden without overwhelming developers. The key to avoiding foreclosure on a project is not to eliminate technical debt entirely but to manage it proactively, ensuring that it does not spiral out of control and compromise the project's future.
Apr 29, 2019 468 words in the original blog post.
GitLab's Security Team focuses on two main missions: securing the product and service, and protecting the company, with an emphasis on balancing people, processes, and technology. The team employs a mix of proactive and reactive security measures, including internal application security reviews, developer education, code scanning, red teams, and a public bug bounty program launched in December 2018. The bug bounty initiative aims to enhance security through community engagement, having resolved 95 security findings and awarded over $300,000 in bounties so far. GitLab measures success by tracking report submissions, repeat reporters, transparency, responsiveness, and competitive rewards to ensure ongoing engagement and improvement. The program underscores the company's commitment to transparency by making vulnerability details public 30 days after patch releases and aims to be the leading payer in the industry to keep the community motivated. GitLab values the contributions of its reporters and seeks to enhance its incentive structures, including both financial rewards and branded merchandise.
Apr 29, 2019 888 words in the original blog post.
Michael Fahey, a manager of GitLab's Red Team, recounts his early experiences with the team, emphasizing the importance of iteration and adaptability in security practices. Shortly after joining, Fahey participated in the CEO Shadow Program, where he was encouraged by GitLab's CEO, Sid Sijbrandij, to conduct a social engineering exercise to test the company's security protocols. The exercise aimed to assess how employees would respond to impersonated requests from the CEO via a compromised Slack account, ultimately identifying weaknesses in security practices. Despite initial challenges in the exercise, the Red Team learned valuable lessons about the effective communication and response of GitLab's Security Operations Team. Fahey reflects on the necessity of rapid iteration over meticulous planning, underscoring the value of learning from failure and the importance of empowering employees to question authority in security contexts. The experience highlighted the need for continuous growth and collaboration between the Red Team and Security Operations to enhance GitLab's overall security posture.
Apr 26, 2019 1,610 words in the original blog post.
As organizations grow, they often face process challenges such as lack of visibility, instability from legacy systems, and inefficiencies that slow down deployments. Continuous integration and delivery (CI/CD) systems can help address these issues by enabling faster and more efficient deployments, and GitLab CI/CD has been highlighted as a solution that has transformed the workflows of various companies. For example, Verizon Connect significantly reduced their data center deployment time from 30 days to under eight hours, while Ticketmaster cut their pipeline execution time from two hours to eight minutes. Meanwhile, HumanGeo reduced administrative time and costs, and Wag! streamlined its development process by testing and deploying through GitLab. Paessler AG improved release frequency and quality assurance self-service. These examples demonstrate GitLab CI/CD's ability to enhance development speed, efficiency, and team satisfaction by replacing outdated systems and simplifying the integration process.
Apr 25, 2019 666 words in the original blog post.
GitLab's handbook serves as a comprehensive and evolving resource for both employees and the wider community, encapsulating the company's processes, values, and operational guidelines. Initially open-sourced by CEO Sid when there were fewer than 100 employees, the handbook now contains approximately 605,000 words spread across 550 web pages and is essential for the 550 current employees. It covers a broad range of topics, from engineering to marketing, with the most extensive content in the engineering section. Contributions are encouraged from all staff as part of their onboarding, reinforcing the collaborative nature of the handbook's development. A straightforward process involving merge requests allows for continuous updates and improvements, ensuring the handbook remains relevant and useful. The handbook's extensive content is frequently accessed through searches, with popular sections including Markdown guides, compensation, and company values, making it an invaluable tool for both internal use and potential recruits. Its ability to scale and adapt is highlighted as a key strength, with the handbook poised to evolve into a digital encyclopedia that continues to reflect GitLab's transparency and collaborative ethos.
Apr 24, 2019 944 words in the original blog post.
Digital transformation aims to reshape businesses by introducing new models, services, and customer connections, with the World Economic Forum highlighting its potential to enhance customer experiences, efficiencies, and business models. Essential to this transformation is agile and tech-savvy leadership, alongside a responsive technology infrastructure. Successful transformations leverage DevOps principles, integrating Agile planning to deliver business value swiftly, but these initiatives must align with business objectives and involve key stakeholders to avoid failure. Challenges include the disconnect between portfolio planning and development work, often resulting in inefficient reporting methods. Solutions emphasize increasing visibility, simplifying workflows through flexible planning, and automating routine tasks to optimize human resources, ultimately driving faster and more reliable application delivery. Modern automation emerges as a vital component in adapting to the fast-paced market, underscoring the necessity of transformation for sustained success.
Apr 23, 2019 736 words in the original blog post.
Progressive Delivery is an advanced set of practices evolving from continuous delivery, focusing on safer, more frequent production deployments by breaking down risks into smaller parts and enabling canary testing with feature flags and tracing. GitLab's Review Apps play a crucial role in this process by providing automatically generated staging environments for every branch or merge request, facilitating collaboration and validation of product changes. These apps allow stakeholders to view live changes using real data, enhancing rapid feedback and iteration. By integrating Review Apps with feature flags and tracing, developers can manage and validate changes similarly to production environments. GitLab CI/CD supports Progressive Delivery by offering a seamless, integrated workflow without needing complicated plugins, showcasing its potential in the continuous delivery landscape.
Apr 19, 2019 894 words in the original blog post.
GitLab CEO Sid Sijbrandij shares insights on managing a distributed company, emphasizing the advantages and strategies of remote work over hybrid models. He highlights the importance of digital documentation for maintaining alignment and facilitating decision-making in remote environments. Sijbrandij prefers remote interviews for their convenience and advises focusing more on candidates' questions to gauge their suitability effectively. He advocates for using tools like Google Docs over traditional whiteboards due to their accessibility and functionality. GitLab's approach includes organizing teams by similar roles for better management and career development, focusing on employee output rather than input, and swiftly addressing underperformance. Employee recognition is crucial, with systems in place for quick acknowledgment and rewards. Furthermore, GitLab treats customer-reported issues on par with internal ones, ensuring that all feedback is valued equally, which fosters extensive customer interaction.
Apr 18, 2019 795 words in the original blog post.
CloudBees' acquisition of ElectricCloud highlights a trend towards DevOps consolidation, echoing the path GitLab pioneered by integrating continuous integration into code-hosting services. This move by CloudBees, along with similar initiatives by Atlassian and GitHub, underscores the growing demand for comprehensive DevOps solutions that cover the entire lifecycle, a strategy that GitLab has long championed. GitLab's integrated application supports the software development process from creation to delivery, facilitating cloud-native deployments and enhancing collaboration across teams. By designing components to work cohesively rather than integrating disparate tools, GitLab aims to improve cycle times and streamline workflows, reinforcing its commitment to lead and innovate in the industry.
Apr 18, 2019 287 words in the original blog post.
Joining GitLab in June 2018, the author has focused on engaging with the community and enhancing its contributions, noting that since 2016, 15% of merged merge requests for the GitLab Community Edition were from community members. The author highlights the growth in first-time contributors, with over 200 joining between releases 11.5 and 11.9, and emphasizes the role of the Core Team, which consists of individuals with sustained contributions to GitLab, in improving community responsiveness and organizing monthly calls that are open to everyone. Recent changes to the Core Team include the addition of GitLab team members Rémy Coutable and Winnie Hellmann, along with top code contributors Ben Bodenmiller and George Tsiolis. To recognize regular contributors, a top contributors page has been created, complemented by a badging system and GitLab merchandise. The author also aims to improve contributor diversity and promote participation through initiatives like "Contribute for prize" issues, encouraging community members to work on priority issues, and provides resources for those interested in contributing to GitLab's various aspects.
Apr 17, 2019 668 words in the original blog post.
Google's significant focus on Kubernetes was highlighted at Google Next with the announcement of Anthos, a multi-cloud platform, and Cloud Run, its commercial Knative offering. Kubernetes, a dominant technology for container orchestration since its launch by Google in 2014, remains central to Google's strategy for application modernization. GitLab has integrated Kubernetes into its developer workflow, enabling enterprises to enhance their cloud-native application development processes. By offering seamless Kubernetes integration, GitLab allows teams to connect clusters across platforms, manage applications with ease, and utilize CI/CD capabilities, significantly increasing development efficiency. This integration has empowered organizations to scale their software development processes, as evidenced by a financial institution's dramatic increase in build frequency.
Apr 16, 2019 531 words in the original blog post.
The 11.10 release, scheduled for April 22, enhances the Premium tier of GitLab by including a feature that builds the combined reference for source and target branches as part of the merge request pipeline. Users utilizing MR Pipelines with private GitLab Runners must ensure their runners are upgraded to version 11.9 or newer to avoid encountering an error message indicating their runner is outdated, as detailed in gitlab-ee#11122. The upgrade can be performed by following the instructions provided in the Runner installation guide, and those using GitLab's shared Runner fleet will not experience this issue. Feedback and issues can be reported in the comments section.
Apr 16, 2019 115 words in the original blog post.
GitLab's Data Team embraces an open-source ethos by defaulting to public access for their code repositories, which are MIT licensed, enabling external contributions and fostering collaboration and transparency. This approach has led to beneficial contributions, such as an external update to make their SQL code compatible with Snowflake, and has facilitated easier communication within the analytics community by sharing their codebase and documentation. The openness not only invites community engagement and innovation but also underscores that the true competitive advantage lies in data-driven decisions rather than the analytics code itself. By promoting transparency and collaboration, GitLab aims to drive forward the analytics field, mirroring the transformation seen in software engineering through the DevOps movement, and is committed to advancing industry practices by sharing their methodologies and encouraging others to do the same.
Apr 15, 2019 600 words in the original blog post.
Marcel Amirault, originally from Halifax, Canada, now resides in Kagoshima, Japan, where he teaches English as a second language and actively contributes to GitLab, focusing on updating technical documentation. Initially working in IT Support, Marcel transitioned to teaching English in Japan, where he developed a passion for contributing to GitLab by correcting language errors and improving documentation during his free time. He emphasizes that contributing to GitLab was approachable and rewarding, thanks to the support from the community, and he advises newcomers not to hesitate in seeking help. Outside of work, Marcel enjoys home improvement projects, outdoor activities like hiking and camping, and playing board games with friends. He encourages others interested in contributing to GitLab to explore resources available on the Contributing to GitLab page and to reach out for guidance when needed.
Apr 12, 2019 964 words in the original blog post.
GitLab, traditionally known for its DevOps capabilities, is expanding its presence in application security by integrating security testing into its Continuous Integration/Continuous Deployment (CI/CD) pipeline, making it a notable challenger in the field. Despite being a newer entrant in security, GitLab's comprehensive platform covers the entire Software Development Lifecycle (SDLC) and offers features such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Dependency Scanning, enabling enterprises to streamline their security processes efficiently. GitLab's approach, focusing equally on developers and security professionals, aligns with market demands for remediation, policy management, and reporting, as highlighted by Forrester's analysis. The company is committed to iterative improvements, releasing new features monthly, and has already addressed several gaps identified in analyst evaluations. GitLab's single-application model allows for seamless integration of security testing, offering enterprises a cost-effective, efficient solution for compliance and risk reduction, as demonstrated by customer success stories like that of Glympse Inc.
Apr 12, 2019 1,079 words in the original blog post.
Efficient organizations aim to optimize IT spending by reducing costs while maintaining necessary operations, particularly as small companies often allocate a higher percentage of their revenue to IT compared to enterprises. A significant portion of this spending is dedicated to maintenance, suggesting a need for strategic cost reduction to fund innovation and competitiveness. Prioritizing cost-cutting measures involves reducing on-premise IT expenses through virtualization and cloud-based solutions, evaluating toolchain-management costs to eliminate inefficiencies, and adhering to best practices to minimize downtime. Moreover, modernizing applications and migrating to lower-cost infrastructures are pivotal strategies for long-term savings, as evidenced by surveys highlighting application rationalization and migration as key initiatives among IT executives. Successfully reducing IT costs requires careful prioritization and commitment, ultimately leading to increased revenue and sustained organizational competitiveness.
Apr 11, 2019 621 words in the original blog post.
The rapid digitization of healthcare underscores the importance of conducting thorough HIPAA risk analyses to protect against breaches, as evidenced by increased enforcement actions in 2018. As healthcare applications proliferate, the need to identify and mitigate software vulnerabilities becomes critical. GitLab offers a comprehensive suite of security tools integrated into the DevOps lifecycle, including Static Application Security Testing (SAST) for source code, Dynamic Application Security Testing (DAST) for web applications, container scanning for Docker images, and secret detection to prevent leakage of sensitive data. GitLab is also developing Interactive Application Security Testing (IAST) and fuzzing capabilities to further enhance vulnerability detection. These tools enable organizations, from startups to academic medical centers, to seamlessly incorporate security measures into their development processes, thereby automating a critical component of software security while maintaining compliance with risk analysis standards.
Apr 10, 2019 795 words in the original blog post.
GitLab has addressed a vulnerability involving Group Runner Registration Tokens, discovered through their public HackerOne program, by deploying a patch and resetting all group registration tokens on GitLab.com. Although there is no evidence of unauthorized access to projects on GitLab.com, the company took proactive measures to ensure security and has included the fix in critical security releases for GitLab Enterprise Edition versions 11.9.7, 11.8.7, and 11.7.11. While GitLab.com users do not need to take further action, self-managed instances of GitLab Enterprise Edition are advised to upgrade to the specified versions, whereas GitLab Community Edition instances remain unaffected by this issue. GitLab remains committed to monitoring potential impacts and encourages users experiencing related issues to consult their Runner documentation or reach out for support.
Apr 10, 2019 341 words in the original blog post.
Tom Friedman's book "Thank You for Being Late: An Optimist's Guide to Thriving in the Age of Accelerations" examines the rapid pace of change in today's world and its implications for business, society, and the environment, emphasizing the need for business leaders to adapt by operating at faster cycle times. Drawing parallels with Dr. Eli Goldratt's "The Goal," the text underscores the importance of identifying bottlenecks in the development lifecycle, suggesting that organizations can enhance operational efficiency by adopting DevOps practices as outlined by Gene Kim's "Three Ways." These principles focus on systems thinking, amplifying feedback loops, and fostering a culture of continual experimentation and learning. The concept of Kaizen, or continuous improvement through small changes, is advocated as a strategy to drive significant improvements in culture, productivity, and quality by addressing bottlenecks and enabling innovation. The text concludes with recommendations for increasing DevOps success, highlighting the benefits of simplifying scope, empowering teams, and measuring value streams to reduce cycle time and enhance software delivery.
Apr 09, 2019 717 words in the original blog post.
Participating in GitLab's CEO Shadow program provided an inside look at the company's unique approach to transparency and remote work, underscored by CEO Sid Sijbrandij's preference for virtual meetings and open sharing of company information. The experience included attending an agenda-less annual meeting with Khosla Ventures, a key investor, which highlighted GitLab's ambitious plans for growth, including potential acquisitions to enhance their DevOps lifecycle offerings and an upcoming IPO slated for November 18, 2020. The meeting underscored GitLab's commitment to maintaining independence and pursuing a bold vision, supported by strategic partnerships and acquisitions like Gitter and Gemnasium. Discussions with investors focused on long-term growth strategies, such as the development of Meltano, a start-up within GitLab aiming to create a comprehensive solution for data teams, and the concept of product-assisted digital transformation. This approach, while initially met with skepticism, showcased GitLab's dedication to innovation and its readiness to tackle future challenges, reaffirming its status as a forward-thinking company.
Apr 08, 2019 1,813 words in the original blog post.
GitLab task lists, integrated into areas like issue descriptions and merge requests using GitLab Flavored Markdown, faced performance issues as lists grew longer and more complex, resulting in delayed checkbox updates and data overwriting when multiple users interacted simultaneously. To address these challenges, GitLab 11.8 introduced enhancements that improved performance and robustness by focusing on updating individual checkboxes rather than the entire markdown, allowing concurrent user interactions without conflict. The frontend was adjusted to pass specific task data to the backend, which verified the task's existence and updated the cached HTML directly using the SOURCEPOS flag, thus avoiding markdown re-rendering. Despite not achieving instant updates, disabling checkboxes during requests further ensured data integrity and enhanced user satisfaction. These improvements were spearheaded by Brett Walker on the backend and Fatih Acet on the frontend, leading to a more efficient and reliable task list experience.
Apr 05, 2019 747 words in the original blog post.
Google Cloud Next 2019 is an event focused on innovation and hybrid cloud solutions, where GitLab is actively participating as a sponsor. GitLab highlights its partnership with Google, showcasing various integrations and functionalities such as their AutoDevOps for CI/CD, GitLab's serverless capabilities with Knative and Cloud Run, and security features aimed at achieving Zero Trust. Attendees are encouraged to visit GitLab's booth to learn about deploying GitLab on GKE, migrating projects, and setting up CI/CD pipelines. Additionally, GitLab offers insights from its experts, including a discussion on its migration from Azure to GCP and hands-on labs to enhance user engagement and understanding of their products. Visitors who engage with GitLab at the event have opportunities to contribute to charities and win prizes, underlining GitLab's commitment to community and innovation.
Apr 04, 2019 394 words in the original blog post.
GitLab, a commercial open source software business, faces the challenge of avoiding commoditization in the age of hyperclouds, where cloud providers like Amazon, Microsoft, and Google threaten open source businesses through service-wrapping. To address this, GitLab has adopted a buyer-based open core model, offering four software tiers tailored to different buyer personas, each priced according to the specific needs and budget authority of various organizational levels. This approach focuses on inserting proprietary functionality across most use cases, offering numerous proprietary features, providing interaction through a user interface rather than APIs, and targeting price-insensitive buyers who rarely contribute to open source. GitLab's CEO, Sid Sijbrandij, discussed these strategies at the Open Source Leadership Summit, highlighting their efforts to resist commoditization and ensure long-term viability.
Apr 03, 2019 281 words in the original blog post.
Speed in DevOps is crucial for competitive advantage, but as organizations grow, they face challenges such as complex integration points, high maintenance of brittle tools, and slow modernization, which hinder innovation and increase Total Cost of Ownership (TCO). GitLab CI/CD addresses these issues by providing a user-friendly, cloud-native solution with built-in container registry and Kubernetes integration, allowing for simple architecture and efficient operations. Unlike traditional CI/CD tools that require extensive maintenance and complicated integrations, GitLab offers a streamlined, single-application experience that enhances visibility and reduces complexity. This integration enables teams to focus more on creating and innovating rather than managing and maintaining disparate tools, making it an appealing option for modern DevOps practices.
Apr 02, 2019 581 words in the original blog post.
Zero Trust Networking emerged as a pivotal concept in cybersecurity, evolving through three major shifts: the demise of the network perimeter, the rise of cloud computing, and the increase in mobility and remote work. Initially sparked by the limitations of traditional perimeter defenses, Zero Trust gained momentum as attackers adapted to new technologies, exploiting weaknesses in cloud services and remote access systems. Notably, high-profile security breaches, such as Google's Operation Aurora and the RSA hack, underscored the necessity for a more robust security framework, prompting organizations to rethink their approaches. Zero Trust operates on the principle of verifying every user and device before granting access, demanding secure algorithms, valid transactions, and comprehensive audits to mitigate threats. While implementation remains complex, with many organizations navigating mixed environments, Zero Trust offers a promising strategy to enhance security resilience against sophisticated adversaries. GitLab, embracing its cloud-native and global workforce, plans to share its Zero Trust journey as part of an ongoing blog series, encouraging community interaction and shared learning.
Apr 01, 2019 2,827 words in the original blog post.
ZEIT Now is a serverless deployment platform designed to simplify cloud infrastructure management by allowing developers to deploy projects instantly and scale automatically without the need for manual configuration. Aimed at improving the developer workflow, Now integrates seamlessly with GitLab, enabling automatic deployments for GitLab projects and offering features such as global CDN, Anycast DNS, HTTPS support, and DDoS protection. Each commit pushed to GitLab triggers a unique deployment with a corresponding URL, facilitating comprehensive testing and reliable code integration. The integration supports automatic production deployments upon merging requests to the default branch, utilizing a now.json configuration file to manage build and deployment settings. With a focus on accessibility and user-friendliness, Now's usage-based pricing model ensures cost-effectiveness, while features like Instant Rollback provide efficient recovery options. ZEIT encourages users to explore the platform and contribute to its development, particularly through creating custom Builders for various technologies.
Apr 01, 2019 965 words in the original blog post.