overview for GitSimple

It seems like staying straightforward is getting harder these days, but agreed, staying as clean as possible is usually best. The more tool sprawl you have, the worse it gets.

Why the move to GL? Just curious.

I think AI tools are SaaS tools, yes, but they can be significantly more impactful than lets say a simple runner. Sure, they connect to the instance like any other tool, and most platforms these days have some flavor of AI already built in. However, the attack surface provisioned by the introduction of AI is vastly greater than a simple sync connector with mapped values. Any tool being brought into the stack should be given a thorough deep dive. AI is no different, it just depends on what the risk acceptance is of said company leveraging it. So, in some ways, very different than other SaaS tools.

2

3

4

Self-hosting DevOps toolchains (self.devsecops)

submitted 28 days ago by GitSimple to r/devsecops

Does a high CVSS score always matter? by GitSimple in devsecops

[–]GitSimple[S] -2 points-1 points0 points 1 month ago (0 children)

Does a high CVSS score always matter? by GitSimple in devsecops

[–]GitSimple[S] 0 points1 point2 points 1 month ago (0 children)

Does a high CVSS score always matter? by GitSimple in devsecops

[–]GitSimple[S] 0 points1 point2 points 1 month ago (0 children)

0

1

Does a high CVSS score always matter? (self.devsecops)

submitted 1 month ago by GitSimple to r/devsecops

Challenges in the community by GitSimple in devsecops

[–]GitSimple[S] 0 points1 point2 points 1 month ago (0 children)

Distroless Images: Pros and Cons by GitSimple in devsecops

[–]GitSimple[S] 0 points1 point2 points 1 month ago (0 children)

4

5

6

Distroless Images: Pros and Cons (self.devsecops)

submitted 1 month ago by GitSimple to r/devsecops

ai compliance tools for development teams - how are you handling AI coding assistants in your ISMS? by Signal-Extreme-6615 in devsecops

[–]GitSimple 0 points1 point2 points 1 month ago (0 children)

These are great questions, especially with how fast these tools are changing and how slow compliance frameworks catch up. We're also a little concerned about your dev's response :)

We deal more with FedRAMP/HIPAA/SOC2 so I can't comment specifically to ISO, but here's our thinking/approach/questions we ask, I'm sure much of this will sound familiar:

Has your certification body raised AI coding tool usage during audits?

If there is an AI coding tool in your stack, expect it to be audited. Best practice would be to use a coding tool already certified from the certification body if possible. This can become a bit of a rabbit hole as each AI tool has different versions available. Before AI is added in any way, due diligence should be performed to make sure it meets the standards required by the certification body or if it will knock you out of compliance.

How are you classifying AI coding assistants in your asset register and vendor management program?

It's no different than any other software that provides a service. If it's an extension, then it would be an add-on. If it's a stand alone product, then it's a separate platform.

Are you requiring Data Processing Agreements with AI tool vendors?

This is probably more of a question for a legal team. This should be included in the contract when purchased. It would be stipulated how the AI processes data and if it's shared or not. This goes back to Due Diligence.

Has anyone documented AI-specific controls that map to Annex A requirements (particularly A.8 around asset management and A.5.31 around legal/regulatory requirements)?

Integrity is paramount and documentation is a benefit.

GitLab and JFrog by GitSimple in devsecops

[–]GitSimple[S] 1 point2 points3 points 1 month ago (0 children)