Community: security

Garrett Adams

14 September 2020

GitLab’s built-in Continuous Integration (CI) tools are some of the best in the industry. Onyx Point, LLC. has been continuing our efforts to improve GitLab’s CI security. Continue reading to learn more about integrating GitLab CI with high-performance computing (HPC) resource schedulers.

programming, open-source, gitlab, DoE, security

Kara Pritchard

11 February 2019

What matters more, compliance or security? Not to recreate the dilemma of “Which came first, the chicken or the egg?”, but this terminology gets interchanged so frequently, you may mistakenly dismiss them as being the same thing. Can your infrastructure be secure without being compliant? Yes. Can your systems be compliant without being secure? Definitely. So what is more important? How are they even related, and can you have both?

security, compliance, standards, NIST, HIPAA, DISA

judy johnson

25 December 2018

During this season of cheer
We hope to have something to share
If you are on call
Or just bored of it all
Try singing the verses we’ve here!

simp, puppet, git, security, devops, love where you work, holidays

Jesse Roland

09 August 2018

So you want to propose a serious software solution to your team but find yourself hesitating before stepping forward to suggest using a blockchain. The term has come to have a skewed meaning in today’s world with the hysteria surrounding the cryptocurrency phenomena. In reality, a blockchain is essentially a chain of data that uses hashes to ensure integrity.

programming, open-source, security, blockchain

Clayton Mentzer

24 July 2018

This post follows up on the previous SetUID Runners article by taking a deeper look at the code and rationale behind specific features. In the previous post we outlined our goals and process for the first phase of ongoing work to improve the security and functionality of GitLab CI Runners at the Department of Energy’s (DoE) High Performance Computing (HPC) labs. If you haven’t seen it, you can read it here.

programming, gitlab, open-source, DoE, security

Clayton Mentzer

18 July 2018

GitLab’s built-in continuous integration (CI) tools are some of the best in the industry. Onyx Point has been leading an effort to improve GitLab’s CI security. Continue reading to learn more about how Onyx Point has implemented more secure job access controls in high-performance computing infrastructures.

programming, open-source, gitlab, DoE, security

Nick Markowski

12 January 2018

If you’ve ever had to work in an IT shop bound by regulations and policies, you know how much of a hassle it can be to integrate new infrastructure and application components, while maintaining a compliant posture.

simp, compliance engine, automation, security, inspec

Russ Holmes

04 January 2018

2018 has barely begun and we’ve already been hit with significant bad news about cyber vulnerabilities. Among others already disclosed during the new calendar year, both Intel and VMware have announced that major cyber flaws have been discovered in their products. And, of course, attempts to fix these issues are having negative impacts on some common anti-virus products.

This is certainly not unique to these tech giants since barely a week goes by without some significant cybersecurity flaw or breach being uncovered. It’s safe to say that these disturbing reports will not be coming to an end anytime soon.

Although it may sometimes feel like it, this doesn’t mean that we should all throw our hands up about how hopeless the cybersecurity situation has become. We can only play the hands we’ve been dealt, and that requires continued efforts at locking down our systems with the many powerful tools we have at our disposal.

Cyber Hygiene Best Practices

Whichever tools you determine are appropriate for your security needs, none will be effective unless one first follows sound cyber hygiene practices. Among the most important of these is ensuring your underlying system adheres to the latest security best practices and is, at the very least, compliant with industry standards and government cybersecurity regulations. Breaches that are advanced by either willful or negligent disregard for these universally acknowledged best practices can be hard to explain – or forgive.

While best practice “table stakes” can be overwhelmingly voluminous and complex to implement and maintain, one does not have to go it alone. In many cases, it’s now possible to transition an existing DevOps platform to a best practices DevSecOps approach, then maintain systems compliance via automated self-healing Continuous Diagnostics and Mitigation (CDM) routines.

Open Source Help

A powerful Open Source offering now available to help address this is known as SIMP (Systems Integrity Management Platform). SIMP was originally developed within the US Intelligence Community to enhance their own ATO (Authority to Operate, federal-speak for C&A) and compliance efforts and is now available for anyone to leverage via GitHub. It only seems fair that we can take advantage of SIMP since it was our tax dollars that funded its development!

Currently riding on the open source DevOps automation technology known as Puppet, SIMP continually scans an environment (in development, production, or both) and reports current system status against a range of cybersecurity benchmarks. Among these are NIST 800-53, NIST 800-171, FIPS 140-2, HIPAA, SOX, PCI-DSS, DISA STIG and others. SIMP can operate in on-prem or cloud environments and, should a vulnerability be found, can either automatically apply remediation actions to correct the flaw immediately, or simply report the finding back for further study and action.

With SIMP’s ability to enhance the C&A process, as well as help ensure systems remain compliant once deployed, an organization’s human IT assets can confidently turn their focus to other urgent cyber issues that require attention.

For more information on this Open Source tool, visit the SIMP project website at, or download it at

simp, compliance, automation, security