Gartner Names GitLab as a Niche Player in Magic Quadrant for AST
This page shares how Gartner positioned us on the Magic Quadrant and viewed our application testing capabilities in relation to the larger market and how we're working with that information in our ongoing product evolution.
In the published document, "Gartner defines the application security testing (AST) market as the buyers and sellers of products and services designed to analyze and test applications for security vulnerabilities."
According to Gartner, "We identify four main AST technologies:
Gartner also explains how they see the AST market evolving over time: "Gartner has observed the major driver in the evolution of the AST market is the need to support enterprise DevOps initiatives. Customers require offerings that provide high-assurance, high-value findings while not unnecessarily slowing down development efforts. Clients expect offerings to fit earlier in the development process, with testing often driven by developers rather than security specialists. As a result, this market evaluation focuses more heavily on the buyer’s needs when it comes to supporting rapid and accurate testing capable of being integrated in an increasingly automated fashion throughout the software development life cycle. In addition, Gartner recognizes the growing relevance of containers as an attractive technology for application development, especially for cloud-native applications. We have added support for containers as a factor in the 2020 Magic Quadrant."
In this report, GitLab is positioned as a Niche Player. Gartner defines a Niche Player in the following way: "Niche Players offer viable, dependable solutions that meet the needs of specific buyers. Niche Players fare well when considered for buyers looking for “best of breed” or “best fit” to address a particular business or technical use case that matches the vendor’s focus. Niche Players may address subsets of the overall market. Enterprises tend to pick Niche Players when the focus is on a few important functions, or on specific vendor expertise or when they have an established relationship with the vendor. Niche Players typically focus on a specific type of AST technology or delivery model, or a specific geographic region."
We are thrilled to be included in the Magic Quadrant for Application Security Testing!
Validating the importance of security within CI
We have grown our capabilities quickly by focusing less on reinventing scanners and more on providing the results where they are most useful in the software development lifecycle - to the developer. While security teams typically find vulnerabilities, the developer is in the position to remediate them. GitLab's focus is on empowering the developer to find and fix as much as they can while they are still iterating on the code's development, an approach that is far less expensive and more efficient.
Enabling the developer
GitLab's strength is our workflow. Unlike traditional application security tools primarily intended for use by security pros, GitLab security testing capabilities are built into the CI/CD workflows where the developers live. At the same time, GitLab provides security professionals with a dashboard to view items resolved by the developer, across projects. This contextual approach helps each role deal with items that are most important and most relevant to their scope of work within their unique workflow.
Benefits of this approach:
Read more about our workflow in the whitepaper: A Seismic Shift in Application Security
In the publication, Gartner's SDLC Integration requirements capture the ability to deeply and seamlessly integrate the AST solution into the SDLC, particularly critical in DevOps environments. They go on to clarify that tools should support integration across multiple types of development environments via APIs and plug-ins.
We believe that, because Gartner's client readership spans a broad spectrum of enterprise application security professionals with both traditional and more modern application security requirements, this evaluation valued application security tools that integrate with many types of development environments. Because of this, they placed GitLab as a Niche Player.
Yet what makes us a niche also makes us the very best solution for the growing number of GitLab users.
A valuable niche for GitLab users
While it was true at the time of the assessment that those not using GitLab for CI would find it impractical to use GitLab security scanning, we are working to show how you can use GitLab's security testing even if you are using Jenkins for CI. This would broaden the utility to customers that may be only using GitLab for Source Code Management (SCM).
In addition, recognizing that GitLab customers often have their favorite incumbent scanner, we are working to make it easier for other vendors to more seamlessly integrate their scan results into the GitLab CI pipeline and security dashboard found in the Ultimate/Gold tier. WhiteSource is one of the first to do this integration in a way that optimizes benefit to our joint customers.
The lack of an IDE plug-in is less important for our intended audience of GitLab users. GitLab has its own Web IDE within SCM, so we see less need to plug into Visual Studio or Eclipse. We also do not offer spell-check-like functionality, because such features are typically a scaled-down version of SAST. They cannot be relied upon as a scan replacement, and, since we run full SAST plus SCA and DAST right at the point of code commit, catching vulnerabilities as they are typed has been less important to our users. We may add it in the future, but we haven’t seen the demand for it given our unique workflow.
We agree with Gartner that our features are less mature, our language coverage more limited than some vendors', and our dashboard not as customizable! Iteration is important at GitLab. We release useful capabilities to the market quickly and then add features quickly, releasing on the 22nd of each month. We are rapidly maturing our offering. Since the time of Gartner's assessment (version 12.4), we have added many new features.
A couple favorite SAST improvements include:
Beyond SAST, we've added other key capabilities such as:
We have also expanded language coverage via our technology partnerships.
A complete list of features released since 12.4 can be found on the releases page.
In May we plan to launch Stand-alone Vulnerabilities, essentially a re-architecture of how we handle vulnerability findings, aimed at helping security pros more easily track and report vulnerabilities and their status (even to people not using GitLab).
GitLab's security capabilities direction and product roadmap are both entirely transparent. We encourage everyone to contribute! Check out our upcoming releases, and weigh in with upvotes and comments as to how these planned features can be most impactful for you.
We are also Shifting Right
In addition to application security testing, GitLab is working to provide the best defensive protection for your cloud-native applications and their operating environments. Check out our Defend vision, along with the key features most relevant to DevSecOps: Container Network Policy Automation and Container Behavior Analytics.
Note: Gartner, Magic Quadrant for Application Security Testing, Mark Horvath, Dionisio Zumerle, Dale Gardner, 29 April 2020.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.