How to use Jihu GitLab to support ISO 27001 compliance

Table of contents

Organizational controls

Technical controls

Learn more


Source of this article: about.gitlab.com

Author: Joseph Longo

Translator: Wu Rang, Jihu GitLab Senior Solutions Architect


As an integrated platform, Jihu GitLab makes DevSecOps management across the full software lifecycle straightforward, and it enables developers to build better software applications faster. Its capabilities, however, are not limited to DevSecOps.

In October 2022, ISO released the latest version of the ISO 27001 standard. ISO/IEC 27001:2022 contains a number of changes compared with the previous version, including new Annex A requirements for secure coding and configuration management.

Jihu GitLab uses the features of its own product to support the security compliance program within its own enterprise; this is part of our internal corporate culture, known as dogfooding. An overview of the compliance and assurance credentials GitLab maintains can be viewed on GitLab's Trust Center page.

Next, we can review together how to use Jihu GitLab to support your ISO 27001 compliance journey.

Organizational controls

With GitLab, you can assign roles to users when you add them to a project or group. A user's role determines the operations they can perform within a GitLab instance. The roles that can be assigned are as follows:

  • Guest (private and internal projects only);

  • Reporter;

  • Developer;

  • Maintainer;

  • Owner;

  • Minimal access (applies to top-level groups only).

GitLab's roles enable you to limit user permissions based on the principle of least privilege and your business and information security requirements.

Through its SAML SSO integration, Jihu GitLab lets you centralize authentication, authorization and accountability for your Jihu GitLab instance. Jihu GitLab integrates with a variety of identity providers (such as Auth0, ADFS, Okta, OAuth 2.0 and LDAP) to support customers' diverse technology stacks. Jihu GitLab also supports the System for Cross-domain Identity Management (SCIM). With GitLab's SSO and SCIM integration, you can automate the lifecycle management of user identities in a secure and efficient way.

For private deployments of GitLab, SSO and SCIM are also available.

NOTE: Controls 8.2 and 8.4 of ISO/IEC 27001:2022 Annex A, although they are technical controls, are also included in the chart above because they are closely related to organizational controls 5.3, 5.15 and 5.16. Jihu GitLab's functionality can also be used to support these control requirements.

With GitLab, you can use our planning tools to support project management efforts and ensure that information security is properly considered at all stages of the project lifecycle.

  • The team planning function of Jihu GitLab allows users to organize, plan, coordinate and track project work from ideation to concept;

  • Epics, issues, and tasks can be used for ideation, problem solving, and collaboration with the information security team. Description templates and checklists let users apply consistent information and workflows to issues or merge requests. These templates are an effective way to build information security consistently into the project management lifecycle;

  • Labels allow users to categorize issues according to their own requirements. To support information security, labels can identify the level of risk associated with a project, the stage the project is in, or the information security team responsible for it. Scoped labels are labels that work like key-value pairs: they are mutually exclusive, so an issue cannot carry two labels from the same scope at the same time (for example, an issue with the devops::configure label cannot also have the devops::create label). In GitLab, you can use scoped labels to identify the team a piece of work is assigned to, the project stage it is in, and the product or feature set it relates to;


  • Group and project issue boards can be used to further organize your work and provide a summary view of all work associated with a group or project.
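The scoped-label exclusivity rule described in the list above, as an added example (my own code, not GitLab's implementation): a label of the form `scope::value` is scoped, an issue may hold at most one label per scope, and applying a new label from the same scope replaces the existing one. The sample label sets are constructed.

```python
# Added example, not GitLab's code: models GitLab's scoped-label rule.
# A label "scope::value" is scoped (the scope is everything before the
# last "::"); an issue can carry only one label per scope, so applying a
# new label from the same scope replaces the old one. Unscoped labels
# simply accumulate.

def split_scope(label: str):
    """Return (scope, value) for 'scope::value', or (None, label) if unscoped."""
    scope, sep, value = label.rpartition("::")
    return (scope, value) if sep else (None, label)


def apply_label(labels: set, new_label: str) -> set:
    """Return the label set after applying new_label, enforcing scope exclusivity."""
    scope, _ = split_scope(new_label)
    # Keep every label whose scope differs (unscoped labels are always kept).
    kept = {lbl for lbl in labels if scope is None or split_scope(lbl)[0] != scope}
    kept.add(new_label)
    return kept


def find_conflicts(labels) -> dict:
    """Map each scope that appears more than once to its conflicting labels.
    Useful when auditing issues imported or labelled outside the UI."""
    by_scope = {}
    for lbl in labels:
        scope, _ = split_scope(lbl)
        if scope is not None:
            by_scope.setdefault(scope, []).append(lbl)
    return {s: sorted(v) for s, v in by_scope.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample: an issue already labelled devops::configure.
    issue = {"devops::configure", "risk::high", "security-review"}
    issue = apply_label(issue, "devops::create")  # replaces devops::configure
    print(sorted(issue))
    print(find_conflicts(["risk::high", "risk::low", "team::infosec"]))
```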

Technical controls

Using GitLab, you can store your hardware and software configurations, keep them under version control, update them through merge requests, and use GitLab's CI/CD pipelines to push these configurations to your applications and infrastructure. Jihu GitLab enables organizations to implement GitOps on a single platform.

GitLab's Infrastructure as Code (IaC) scanning feature lets you scan your IaC configuration files for known vulnerabilities. Jihu GitLab's IaC scanning supports multiple IaC configuration file types and languages, so it adapts to different technology stacks.

For compliance professionals, GitLab lets you implement unified, enforced, automated processes through compliance frameworks and compliance pipelines to support your security practices and promote adherence to compliance requirements both inside and outside your organization.

For Ultimate customers, GitLab's Compliance Center provides a centralized view of the different compliance frameworks applied to the projects in your portfolio. You can also see whether your projects adhere to GitLab standards.

With GitLab, you can use audit events to track important events, including who performed relevant actions and when. Audit events cover a wide range of categories, including:

  • Group management;

  • Authentication and authorization;

  • User management;

  • Compliance and security;

  • CI/CD;

  • Jihu GitLab Runner.


For Ultimate customers, audit event streaming can be enabled. Audit event streaming lets users set a streaming destination for a top-level group or instance, which then receives structured JSON for all audit events in its groups, subgroups, and projects.
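One way a receiving system can turn the streamed JSON described above into evidence for the access-control and change-management controls discussed on this page, as an added example (my own code, not GitLab's). The field names and event_type values are assumptions loosely modelled on GitLab's streamed events, and the four sample records are constructed.

```python
# Added example, not from the article: a small consumer for the JSON that audit
# event streaming delivers. Field names and event_type values are assumptions
# modelled on GitLab's streamed events; the four sample records are constructed.
import json

# Events worth surfacing as access-control / change-control evidence.
# The names are assumptions; map them to the real stream's values in use.
SENSITIVE = {
    "member_role_updated": "access right changed",
    "protected_branch_removed": "branch protection removed",
    "approval_rule_deleted": "merge approval rule deleted",
}
PRIVILEGED = {"Owner", "Maintainer"}

SAMPLE_STREAM = "\n".join([  # constructed JSON Lines, one audit event per line
    '{"event_type":"member_role_updated","author_name":"alice","entity_path":"platform/api","target_details":"bob","details":{"from":"Developer","to":"Owner"},"created_at":"2024-05-01T09:12:00Z"}',
    '{"event_type":"issue_created","author_name":"bob","entity_path":"platform/api","target_details":"#41","details":{},"created_at":"2024-05-01T09:15:00Z"}',
    '{"event_type":"protected_branch_removed","author_name":"bob","entity_path":"platform/api","target_details":"main","details":{},"created_at":"2024-05-01T09:20:00Z"}',
    '{"event_type":"member_role_updated","author_name":"alice","entity_path":"platform/web","target_details":"carol","details":{"from":"Guest","to":"Reporter"},"created_at":"2024-05-01T09:30:00Z"}',
])


def triage(stream: str) -> list:
    """Return one finding per sensitive event, in stream order."""
    findings = []
    for line in stream.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind = ev.get("event_type")
        if kind not in SENSITIVE:
            continue
        new_role = ev.get("details", {}).get("to")
        # A role change only matters when it grants a privileged role.
        if kind == "member_role_updated" and new_role not in PRIVILEGED:
            continue
        findings.append({
            "when": ev["created_at"], "where": ev["entity_path"],
            "who": ev["author_name"], "target": ev["target_details"],
            "what": SENSITIVE[kind],
            "severity": "high" if kind != "member_role_updated" or new_role == "Owner" else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_STREAM):
        print(f"{f['when']} [{f['severity']}] {f['where']}: {f['who']} {f['what']} -> {f['target']}")
```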

You can use the features in GitLab's Secure stage to strengthen your software development lifecycle and improve the security of your products. Jihu GitLab's Secure stage includes a broad set of security scanning capabilities, among many other features.

Leakage of sensitive information is a major concern in security breaches. GitLab's secret detection feature scans your code base to help prevent your sensitive information from being leaked.

The security policy feature of Jihu GitLab lets users define scan execution policies and scan result policies. These policies combine Secure-stage scan results with merge request approval capabilities to create security gates that further help meet compliance requirements.

Taken together, GitLab's security features lay the foundation for a secure software development lifecycle process and enable you to practice secure coding principles according to your organization's requirements.

JiHu GitLab provides many features to support comprehensive change management.

Jihu GitLab's source code management features let users define protected branches. Protected branches allow GitLab users to restrict important branches by controlling:

  • Which users can merge changes into the branch;

  • Which users can push to branches;

  • Whether users can force push to branches;

  • Whether changes to certain files and folders require approval from the responsible person (the code owner);

  • Which users can unprotect a protected branch.

Default branches in the code base (such as master or main) are automatically designated as protected branches.


Merge requests (MRs) are a core component of the software development lifecycle. GitLab users can configure their merge requests so that changes must be approved before they can be merged. Merge request approval allows users to customize the approval process, including:

  • Multiple approval rules can be set;

  • Each rule can take effect on different branches;

  • Each rule can specify its own approvers and a minimum number of approvals, and approvers do not need merge permission on the code base;

  • Code owners can approve the files and folders they are responsible for;

  • Code committers and merge request authors can be excluded from approving their own changes.
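The approval constraints listed above (rules scoped to branches, a minimum number of approvals per rule, code-owner approval for changed paths, and exclusion of the author and committers) combined into one check, as an added example covering both the protected-branch and merge-request-approval lists; this is my own code, not GitLab's implementation, and the rule and merge request structures and sample data are constructed for it.

```python
# Added example, not GitLab's own implementation: checks a merge request against
# approval rules of the kind listed above (per-branch rules, minimum approvals,
# code-owner paths, author/committer exclusion). Shapes and data are constructed.
from dataclasses import dataclass, field
from fnmatch import fnmatch

@dataclass
class ApprovalRule:
    name: str
    approvers: set                      # users eligible to approve
    required: int                       # minimum approvals for this rule
    branches: set = field(default_factory=lambda: {"*"})  # target-branch patterns
    paths: set = field(default_factory=set)  # non-empty => code-owner rule

@dataclass
class MergeRequest:
    author: str
    committers: set
    target_branch: str
    changed_files: set
    approvals: set                      # users who have approved

def rule_applies(rule: ApprovalRule, mr: MergeRequest) -> bool:
    """Branch must match; code-owner rules also need a changed file under an owned path."""
    if not any(fnmatch(mr.target_branch, p) for p in rule.branches):
        return False
    return not rule.paths or any(fnmatch(f, p) for f in mr.changed_files for p in rule.paths)

def evaluate(rules, mr, block_author=True, block_committers=True) -> dict:
    """Return {rule name: approvals still missing}; an empty dict means mergeable."""
    excluded = {mr.author} if block_author else set()
    if block_committers:
        excluded |= mr.committers
    unmet = {}
    for rule in rules:
        if rule_applies(rule, mr):
            # Only approvals from eligible, non-excluded users count toward the rule.
            valid = (mr.approvals & rule.approvers) - excluded
            if len(valid) < rule.required:
                unmet[rule.name] = rule.required - len(valid)
    return unmet

if __name__ == "__main__":
    rules = [ApprovalRule("security", {"sec-lead", "sec-eng"}, 1, {"main", "release/*"}),
             ApprovalRule("infra owners", {"ops-owner"}, 1, paths={"infra/*"})]
    mr = MergeRequest("dev1", {"dev1", "sec-eng"}, "main", {"infra/main.tf"}, {"sec-eng", "ops-owner"})
    print(evaluate(rules, mr))  # sec-eng also committed, so the security rule is unmet
```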

As mentioned before, issues and tasks can be used to record and collaborate on change requests. Description templates enable users to apply consistent information descriptions to issues or merge requests, enabling unified management of changes.

Learn more

As an integrated DevSecOps platform, Jihu GitLab supports a much wider range of needs. In the 2022 edition of the ISO 27001 standard, ISO added controls around secure coding and configuration management, which shows that ISO is paying closer attention to the overall security of software. As a strategic partner, Jihu GitLab can help you better support the ISO 27001 standard and develop better software faster.

To learn more, check out our tutorials library.


Origin: blog.csdn.net/weixin_44749269/article/details/132865880