Blog Post: Venafi guest blog post on GitLab platform on secure software supply chain with automated code signing (Aug 30)
Triage (REQUIRED)
The Inbound Marketing team prioritizes requests that drive results and meet our goals of generating organic traffic and inquiries.
Please note that there is a different process for when you want to announce something via the blog. Please see announcement requests in the handbook and open an announcement request issue instead of a blog post issue.
Generally speaking, engineering blog posts that are tutorials/how-tos or which share how we built or debugged something, are popular with our audience. If your proposed blog post is aligned with our Attributes of a successful blog post guidelines, you can skip straight to your proposal.
If you are pitching something outside of those guidelines, please fill in the below to help us prioritize. You can check out examples of high- and low-performing blog posts to help with your rationale.
This issue fulfills one of these goals:
- Drive traffic to our website
- Convert traffic into leads
- Thought leadership/share expertise
- Build relationships with potential customers
- Drive long-term results (please explain below in your proposal)
- Announcement: link to announcement request issue (required, see https://about.gitlab.com/handbook/marketing/corporate-marketing/#requests-for-announcements)
- Cross-functional support: link to OKR (required if this box is checked)
Proposal
Proposed title: The Importance of Signing Intermediate Software Artifacts to Protect Against Software Supply Chain Attacks
Key points:
- Software supply chain attacks are on the rise: examples include Codecov and SolarWinds
- One of the steps needed to combat these attacks is for developers to digitally sign all intermediate artifacts that they use to build their software:
  - Source code
  - Build scripts
  - Build virtual machines or containers
  - 3rd party open source software (after it has gone through security scans)
  - 3rd party libraries (after they have gone through security scans)
- Doing this effectively requires two things:
  - Code signing must be easy for developers, using the tools they already use (e.g. GitLab) and already integrated with their automated build process
    - Complements GitLab's comprehensive/robust app sec scanning and vulnerability management
  - Code signing policy enforcement automatically managed/enforced by a solution such as Venafi CodeSign Protect, to eliminate the burden on dev teams
    - Intermediate artifacts signed as part of the check-in process
    - Intermediate digital signatures automatically validated when used for a build
- For code signing to be an effective security measure against software supply chain attacks, the process itself needs to be secure:
  - All code signing keys and certs must be centrally stored and protected, never leaving the secured storage
  - Access and signing security policies need to be defined and automatically enforced without direct dev intervention:
    - Which certificate authorities are authorized to be used
    - Key strength and other parameters
  - InfoSec needs visibility into all code signing operations, including who signed, what was signed, what certs were used, date/time signed, and who approved
  - InfoSec needs intelligence to spot risky patterns associated with code signing
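The sign-at-check-in / verify-at-build loop sketched in the key points above, as an added example that is not code from GitLab, Venafi or the proposed post. It assumes an Ed25519 key held by a central signing service (the key is only ever handed to `SignArtifact`, standing in for a service that never releases it), a hypothetical `Manifest` record stored next to each intermediate artifact, and a `Policy` type that holds the trusted key set and the audit log InfoSec would consume. The artifact name is bound into the signed payload so a valid signature cannot be moved onto a different artifact, and every sign and verify outcome is recorded with who, what, which key and when.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Manifest is the signature record stored alongside an intermediate artifact
// (build script, container image digest, vetted third-party library) at check-in.
// Hypothetical format for this example.
type Manifest struct {
	Artifact  string    // artifact name
	Digest    string    // hex SHA-256 of the artifact bytes
	Signer    string    // identity recorded for the audit trail
	SignedAt  time.Time // when it was signed (UTC)
	KeyID     string    // identifies the signing key in the trusted key set
	Signature []byte    // Ed25519 signature over signingPayload()
}

// AuditEvent gives InfoSec the visibility the proposal calls for:
// who signed or verified what, with which key, when, and with what outcome.
type AuditEvent struct {
	Action, Artifact, Signer, KeyID, Outcome string
	At                                       time.Time
}

// Policy is the central enforcement point: the keys a build may trust, plus the audit log.
type Policy struct {
	TrustedKeys map[string]ed25519.PublicKey
	Audit       []AuditEvent
}

// keyID derives a short, stable identifier from a public key.
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// signingPayload binds the artifact name to its digest, so a signature that is
// valid for one artifact cannot be replayed onto another artifact with the same bytes.
func signingPayload(artifact, digest string) []byte {
	return []byte("artifact:" + artifact + "\ndigest:" + digest + "\n")
}

func (p *Policy) record(action string, m Manifest, outcome string) {
	p.Audit = append(p.Audit, AuditEvent{Action: action, Artifact: m.Artifact,
		Signer: m.Signer, KeyID: m.KeyID, Outcome: outcome, At: time.Now().UTC()})
}

// SignArtifact is the check-in step: hash the artifact, sign name+digest, log it.
func (p *Policy) SignArtifact(priv ed25519.PrivateKey, signer, artifact string, content []byte) Manifest {
	sum := sha256.Sum256(content)
	digest := hex.EncodeToString(sum[:])
	m := Manifest{
		Artifact: artifact,
		Digest:   digest,
		Signer:   signer,
		SignedAt: time.Now().UTC(),
		KeyID:    keyID(priv.Public().(ed25519.PublicKey)),
	}
	m.Signature = ed25519.Sign(priv, signingPayload(artifact, digest))
	p.record("sign", m, "ok")
	return m
}

// VerifyArtifact is the build step: the artifact is used only if its manifest was
// produced by a trusted key, its bytes match the signed digest, and the signature
// verifies over the bound name+digest. Every outcome is recorded for InfoSec.
func (p *Policy) VerifyArtifact(m Manifest, content []byte) error {
	pub, ok := p.TrustedKeys[m.KeyID]
	if !ok {
		p.record("verify", m, "rejected: key not in trusted set")
		return errors.New("signing key is not trusted by policy")
	}
	sum := sha256.Sum256(content)
	if hex.EncodeToString(sum[:]) != m.Digest {
		p.record("verify", m, "rejected: digest mismatch")
		return errors.New("artifact bytes do not match the signed digest")
	}
	if !ed25519.Verify(pub, signingPayload(m.Artifact, m.Digest), m.Signature) {
		p.record("verify", m, "rejected: bad signature")
		return errors.New("signature does not verify")
	}
	p.record("verify", m, "ok")
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for a centrally held key
	if err != nil {
		panic(err)
	}
	policy := &Policy{TrustedKeys: map[string]ed25519.PublicKey{keyID(pub): pub}}
	script := []byte("#!/bin/sh\nmake release\n") // constructed sample build script
	m := policy.SignArtifact(priv, "dev@example.test", "build.sh", script)
	fmt.Println("genuine build script:", policy.VerifyArtifact(m, script))
	fmt.Println("modified build script:", policy.VerifyArtifact(m, []byte("#!/bin/sh\necho modified\n")))
	for _, e := range policy.Audit {
		fmt.Printf("%s %s by %s key=%s at %s -> %s\n",
			e.Action, e.Artifact, e.Signer, e.KeyID, e.At.Format(time.RFC3339), e.Outcome)
	}
}
```

In a real pipeline the trusted key set and the policy checks the proposal lists (authorized CAs, key strength) would live in the signing service rather than in the build job, and the audit events would be shipped to the SIEM rather than printed.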
Roles and Responsibilities
| Person | Role |
|---|---|
| @jing.xie.v | requestor |
| @cblake | editor |
| @eglenn | editor |
| @mlebeau | approver (optional) |
Checklist
- If you have a specific publish date in mind (please allow 3 weeks' lead time):
  - Include it in the issue title and apply the appropriate marketing milestone (e.g. Mktg: 2021-03-28)
  - Give the issue a due date of a minimum of 2 working days prior
  - If your post is likely to be >2,000 words, give a due date of a minimum of 4 working days prior
- If time sensitive:
  - Add the ~"Blog: Priority" label and supply the rationale in the description
- If wide-spread customer impacting or sensitive, mention @nwoods to give her a heads up ASAP, apply the sensitive label, and check the PR handbook in case you need to open an announcement request instead of a blog post issue
- If the post is about one of GitLab's Technology Partners, including integration partners, mention @dpduncan, apply the Partner Marketing label, and see the blog handbook for more on third-party posts
- If the post is about one of GitLab's customers, mention @FionaOKeeffe, apply the Customer Reference Program label, and see the blog handbook for more on third-party posts
- Indicate if supporting an event or campaign
- Indicate if this post requires additional approval from internal or external parties before publishing (please provide details in a comment)
Production
- Requestor to complete issue template (Triage, Proposal, Roles and Responsibilities, Checklist)
- Issue sent through triage for consideration (pitch, planning/in progress, review, scheduled)
- Issue assigned to requestor to draft blog post and open MR
- MR created and linked to issue; the issue is now deprecated in favor of the MR and will close once the MR is complete