# Building resilient software through secure development

*The Source: Security & Compliance, 2025-09-22*

Discover how to automate compliance, reduce security risks, and build resilient software. Learn proven strategies for integrating security into your SDLC.

## Key takeaways

- With 80% of Chief Compliance Officers foreseeing escalating compliance pressures, automating security processes throughout the development lifecycle is critical for maintaining competitive advantage and meeting evolving standards.
- Organizations that implement automated compliance eliminate manual audit tasks, letting developers focus on building software while security and governance controls run in the background.
- Modern DevSecOps platforms let organizations enforce compliance directly in CI/CD pipelines, providing the audit trails, vulnerability management, and provenance tracking that federal standards require.

In today's threat landscape, software vulnerabilities can swiftly escalate into national security issues. Foreign adversaries conduct sophisticated cyber campaigns that cost billions of taxpayer dollars while undermining organizational security and privacy. With Executive Order 14306 reinforcing the government's commitment to secure software development and strengthening NIST's Secure Software Development Framework (SSDF) as the definitive best practice, the question is no longer whether to prioritize security but how to implement it effectively.

## The challenge: Speed vs. security
Historically, organizations have prioritized development speed at the expense of security, leaving critical vulnerabilities in their products. This trade-off became more pronounced with widespread DevOps adoption, as rapid release cycles often outpaced security considerations. Manual compliance tracking pulls developers away from core development work, with teams spending significant time on audit tasks and regulatory documentation.

Organizations navigating multiple compliance frameworks (NIST, FedRAMP, FISMA, ISO 27001, SOC 2) face an even greater challenge. These frameworks share many controls but rarely align perfectly, so mapping them by hand creates a tracking burden that scales poorly across complex development environments.

## A strategic approach to embedded security
The path forward requires more than checkbox compliance. Organizations that embed compliance requirements into development processes from the outset realize significant competitive advantages, time savings, and cost efficiencies. This means codifying standards and integrating security throughout the software development lifecycle rather than treating it as a final gate.

Effective implementation demands automated guardrails that enforce security policies without slowing development velocity. Protected branches, required merge request approvals, and automated scanning keep code stable while maintaining rapid delivery cycles. Security policies act as automated safeguards throughout the lifecycle, enforcing specific security actions at each pipeline stage: for example, requiring that a scan has run and that its findings have been reviewed before a change can merge.

## Visibility and control across the supply chain
Modern development environments require answers to fundamental questions: What assets do we have? Are they being scanned? Where are we most at risk? Software bill of materials (SBOM) generation, dependency scanning, and continuous vulnerability monitoring provide the visibility needed to manage risk across sprawling codebases.

Static reachability analysis lets teams prioritize remediation by actual exposure: whether the application actually calls the vulnerable code in a dependency, rather than treating every vulnerable dependency as equally urgent. Vulnerability risk data such as EPSS scores (the estimated probability that a vulnerability will be exploited in the wild within the next 30 days) and CISA Known Exploited Vulnerabilities (KEV) status (confirmation that it already has been) lets teams focus on real-world threats. Reachability results should lower a finding's priority, not close it: static analysis cannot see calls made through reflection, dynamic dispatch, or plugin loading.

## From principle to practice
The Principle of Least Privilege, formulated in the 1970s (Saltzer and Schroeder, 1975), remains fundamental to modern security. Implementing role-based access control ensures that each user and system has precisely the permissions its designated responsibilities require, and no more. Fine-grained permissions for both human users and non-human identities (service accounts, CI jobs, bots) minimize the blast radius if credentials are compromised.

Organizations that successfully navigate today's compliance landscape don't treat security as an afterthought. They embed it into every stage of development, automate verification, and maintain continuous monitoring. This approach transforms compliance from a burden into a competitive advantage.

**[Download the complete guide](https://learn.gitlab.com/the-source-security/whitepaper-bulding-resiliant-software-secure) to learn how leading organizations automate compliance, implement secure guardrails, and build truly resilient software.**
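The supply-chain section above says to prioritize remediation by static reachability, EPSS score, and KEV status rather than by raw vulnerability count. The script below is an added example of that triage logic, written for this page; it is not code from the guide or from GitLab. The tier rules, the EPSS threshold of 0.10, and the sample findings (IDs of the form `EXAMPLE-n`) are assumptions constructed for the example, and it goes slightly beyond the text by handling the case where the scanner produced no reachability verdict at all.

```python
"""Rank dependency-scan findings by real-world exploitability.

Added example, not code from the page or from GitLab. It combines the
three signals the article names: static reachability, CISA KEV status
and EPSS probability, with CVSS as a tie-breaker. The thresholds and
the sample findings below are assumptions constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumption: EPSS >= 0.10 marks a CVE as "likely to be exploited" for
# triage purposes; tune this to your own risk appetite.
EPSS_HIGH = 0.10
CVSS_CRITICAL = 9.0
CVSS_HIGH = 7.0


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    cvss: float                # CVSS base score, 0.0-10.0
    epss: float                # EPSS probability, 0.0-1.0
    in_kev: bool               # listed in CISA Known Exploited Vulnerabilities
    reachable: Optional[bool]  # static reachability verdict; None = no data


def load_findings(records: Iterable[dict]) -> List[Finding]:
    """Validate raw scanner records (plain dicts) and build Finding objects."""
    out = []
    for r in records:
        epss = float(r["epss"])
        cvss = float(r["cvss"])
        if not 0.0 <= epss <= 1.0 or not 0.0 <= cvss <= 10.0:
            raise ValueError(f"{r['cve']}: score out of range")
        out.append(Finding(r["cve"], r["package"], cvss, epss,
                           bool(r["in_kev"]), r.get("reachable")))
    return out


def tier(f: Finding) -> str:
    """Assign a triage tier; P0 is most urgent.

    Unknown reachability is treated as reachable (fail closed). A
    confirmed-unreachable finding is deprioritized but never dropped:
    static reachability misses reflection, dynamic dispatch and plugins.
    """
    if f.reachable is False:
        return "P2" if f.in_kev else "P3"   # KEV + "unreachable": verify by hand
    if f.in_kev:
        return "P0"                         # exploited in the wild and callable
    if f.epss >= EPSS_HIGH or (f.reachable and f.cvss >= CVSS_CRITICAL):
        return "P1"
    if f.reachable or f.cvss >= CVSS_HIGH:
        return "P2"
    return "P3"


def prioritize(findings: Iterable[Finding]) -> List[Tuple[str, Finding]]:
    """Return (tier, finding) pairs, most urgent first."""
    ranked = [(tier(f), f) for f in findings]
    ranked.sort(key=lambda tf: (tf[0], -tf[1].epss, -tf[1].cvss))
    return ranked


def ordered_cves(findings: Iterable[Finding]) -> List[str]:
    """Convenience view: just the CVE identifiers in triage order."""
    return [f.cve for _, f in prioritize(findings)]


# Constructed sample: identifiers, packages and scores are made up.
SAMPLE_RECORDS = [
    {"cve": "EXAMPLE-1", "package": "libalpha", "cvss": 9.8, "epss": 0.97, "in_kev": True,  "reachable": True},
    {"cve": "EXAMPLE-2", "package": "libbeta",  "cvss": 7.5, "epss": 0.02, "in_kev": False, "reachable": True},
    {"cve": "EXAMPLE-3", "package": "libgamma", "cvss": 9.1, "epss": 0.45, "in_kev": False, "reachable": False},
    {"cve": "EXAMPLE-4", "package": "libdelta", "cvss": 5.3, "epss": 0.30, "in_kev": False},  # no reachability data
    {"cve": "EXAMPLE-5", "package": "libeps",   "cvss": 8.0, "epss": 0.01, "in_kev": True,  "reachable": False},
]

if __name__ == "__main__":
    for t, f in prioritize(load_findings(SAMPLE_RECORDS)):
        print(f"{t} {f.cve:<10} {f.package:<9} cvss={f.cvss:<4} "
              f"epss={f.epss:.2f} kev={f.in_kev} reachable={f.reachable}")
```

Note how the ordering differs from a CVSS-only view: EXAMPLE-3 has a critical CVSS score and a high EPSS but is confirmed unreachable, so it drops to the bottom, while EXAMPLE-4, a medium-severity finding with no reachability verdict and a 30% exploitation probability, ranks second. The missing-verdict case is deliberately conservative; a scanner that silently skips a module should not make its findings look safe.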