While GitLab is best known in the traditional DevOps space, we have also begun to grow out our expertise in application security, which may come as a surprise to security professionals, who may not have encountered us previously. We may have started out focused on traditional developer tools, however, as GitLab has added capabilities to cover the entire Software Development Lifecycle (SDLC), this now includes not only a market-leading Continuous Integration solution but also, more recently, integrated application security testing built into the CI/CD pipeline. Our single, end-to-end application enables security testing that is tightly aligned to today’s rapid, iterative cycles of DevOps development and the modern infrastructure that accompanies cloud native applications.
Who was included?
For The Forrester Wave™: Software Composition Analysis, Q2 2019, participating vendors were required to have most of the following capabilities out of the box:
- Ability to provide remediation advice on both open source license risk and vulnerabilities;
- Ability to integrate into SDLC automation tools;
- Ability to provide proactive vulnerability management;
- Ability to edit and create policies; and
- Ability to visually report on open source risk.
Participating vendors were also required to have more than $10M in revenue and have interest from Forrester clients or relevance to them.
GitLab is a new challenger
Having only added security capabilities in December 2017, GitLab has been excluded from other analyst application security reports that only look at more established players. In our first official security-oriented analyst evaluation, we are excited not only to get the word out about GitLab’s security capabilities, but also to have this opportunity for analyst feedback and insight into how GitLab compares. We take to heart not only areas where we shine – but also where improvement is needed. With GitLab, “everyone can contribute,” and the feedback gained from Forrester is another valuable contribution. We also welcome your participation and invite you to help us understand what you would like to see as our security capabilities grow.
Based on this analyst report and analyst interaction feedback, we are already addressing improvement opportunities in our roadmap and vision.
Check out our complete SCA response for links to specific updates and response comments.
As a company dedicated to releasing incrementally, delivering first on breadth and then on depth, it is not uncommon for GitLab to initially place in more of a challenger position, as our feature set generally does not have the same maturity as established players in the space. However, when GitLab enters a space, we do so boldly, with clear intentions and a solid strategy. GitLab’s strategy for application security testing and software composition analysis focuses more equally on both the developer and the security professional than traditional solutions. You will find some areas in strategy where we were not scored as highly as we believe we should be, due to our more aggressive focus on development.
Updates since the evaluation
GitLab has shipped a major new release every month for 90 consecutive months. Forrester evaluated GitLab 11.6 for this report while versions 11.7, 11.8, and 11.9 have since been released. You will find several features that Forrester felt were lacking have already been added, including improvements to the security dashboard, additional languages added to SAST scanning, and secrets detection. When using Forrester’s scoring tool, be sure to adjust the criteria for our current capabilities. A list of what’s been added since Forrester’s evaluation can be found on our complete SCA response.
Forrester’s key takeaway: “Remediation, policy management, and reporting are key differentiators”
Forrester says, “As developers continue to use open source to accelerate the release of new application functionality, remediation, policy management, and reporting will dictate which providers will lead the pack. Vendors that can provide developers with remediation advice and even create patches position themselves to significantly reduce business risk.”
This takeaway is closely aligned with GitLab's vision for application security testing and our work in progress for auto remediation. While not available in the evaluated version (11.6), today’s GA release, (11.9), can detect a more current patch available and enable the developer to create a new branch and apply the patch with one click. Upcoming versions will automatically run the pipeline and present the results to the developer to accept or reject. By automating remediations that are readily apparent, developers and security can focus on vulnerabilities whose remediation is not as straightforward.
The fact that GitLab is a single application for the entire SDLC enables us to take remediation even further – actually running the pipeline in a separate branch, even measuring the performance impact of the patch. We isolate the cause and effect: the developer makes a code change, that code is tested and they see the results before merging the code with others’. It also allows us to do Dynamic scanning in the same manner, before the code is merged with anyone else’s. We do this by spinning up a review app in the pipeline report. This fully functioning app reflects the developer’s code changes and can be used for user testing, performance testing, and dynamic app security scanning.
GitLab's advice
We believe GitLab is ideal for enterprises who are:
- Using GitLab for CI/CD.
- Practicing iterative development via DevOps.
- Using containers and serverless.
For the enterprise that has not invested in app sec tools, GitLab can quickly provide scanning, often necessary for regulatory compliance, with a single application. GitLab offers SAST, DAST, Dependency, Container Scanning, and License Management with one app – no need to evaluate and buy from multiple vendors, then stitch together integration with the DevOps toolchain. In fact, GitLab customer, Glympse Inc., stood up 40 repos with automated security testing, using all of the GitLab scans, in less time than they could have installed just the individual tools – and as a bonus, they impressed their auditors with their process.
For the enterprise already deeply invested in traditional app sec tools, GitLab affords a broader and earlier scanning effort, using a tool that developers are already using. GitLab can scan every code change, much the way that every airplane passenger gets scanned through security. Save the deeper scans for later and/or less frequent evaluation by the security team. Consider using GitLab on select projects to experience the more efficient workflow and potentially reduce your scanning costs from costlier tools.
Our response
We invite you to see our complete response, and as always, welcome your contributions!
Cover image by Scott Webb on Unsplash
