GitLab Named a Challenger
This page outlines how Gartner positions GitLab in their 2022 Magic Quadrant for Application Security Testing, how Gartner views our application security testing capabilities in relation to the larger market, and how GitLab is working with that information in our ongoing product evolution.
Gartner Market Definition:
In the published report, “Gartner defines the application security testing (AST) market as the buyers and sellers of products and services designed to analyze and test applications for security vulnerabilities. This market is highly dynamic and continues to experience rapid evolution in response to changing application architectures and enabling technologies.”
Gartner further notes, “In this analysis, and in vendor assessments, we continue to increase our focus on emerging technologies and approaches, and AST tools that address the new requirements they bring. Overall, the market comprises tools offering core testing capabilities — e.g., static, dynamic and interactive testing; software composition analysis (SCA); and various optional, specialized capabilities.”
Gartner view of GitLab:
In this report, GitLab is recognized as a Challenger, which Gartner defines this way: "Challengers in this Magic Quadrant are vendors that have executed consistently, often with strength in a particular technology (for example, SAST, DAST or IAST) or by focusing on a single delivery model (e.g., on AST as a service only). In addition, they have demonstrated substantial competitive capabilities against the Leaders in their particular focus area, and have demonstrated momentum in their customer base in terms of overall size and growth."
We are thrilled to be recognized again by Gartner as a Challenger in the 2022 Magic Quadrant for Application Security Testing report and we are excited to see continued momentum for our unique approach that embeds security into the DevOps workflow. GitLab believes our recognition as a Challenger in the Magic Quadrant represents an evolving market understanding of the value of an approach that empowers and enables developers to find and fix vulnerabilities — and the simplicity of leveraging a DevOps platform to do so.
As an end-to-end DevSecOps platform, GitLab includes Source Code Management, industry-leading Continuous Integration (CI) and robust Security capabilities. GitLab is uniquely positioned to seamlessly unite security and DevOps while helping our customers standardize their pipelines around security and compliance policies. GitLab provides the visibility and controls necessary to not only create more secure software but also to protect the integrity of your software factory and its deliverables.
If you are unfamiliar with GitLab's application security testing capabilities, here are a few things you should know.
Embedded security enables governance
GitLab Ultimate provides the single tool DevOps teams need to find and fix vulnerabilities in application code and cloud native environments and to manage their risk from detection through remediation. We empower and unite developers and security professionals alike using repeatable, defensible processes that automate security and compliance policies from development through production.
One platform can unite Dev and Sec
Having one tool for both developers and security professionals can unite efforts and improve collaboration. A single source of truth is more efficient and ensures that context isn't lost between multiple tools. When a vulnerability is found, the developer or the security analyst can open a confidential issue with one click. The issue remains tied to the vulnerability, making it easy to see the state of remediation efforts and to collaborate on the resolution.
Comprehensive, integrated security testing empowers developers
With GitLab Ultimate, all of our security scanners are seamlessly integrated into the CI pipeline out of the box - no additional licenses to manage. They run upon code commit and merge by default and can also be run on-demand outside of a pipeline. When run in the pipeline, vulnerabilities are shown in the “diff” (differential, or incremental code change), allowing the developer to see vulnerabilities they created — without noise from ones they did not — while they are still iterating on the code and best able to efficiently resolve them.
Policy Automation provides guardrails
It’s not enough to automate the process of scanning. When and how policies are applied, and how exceptions are handled, also need to be automated to bring consistency and auditability. GitLab provides a broad range of policies and common controls for compliance. A couple of favorites include: MR approvals, which let you define when to require active approval by an individual or a group; Compliance Pipelines, which ensure required scans are performed without modifying pipeline configurations; and Audit Events, which show who changed what, where, and when across the entire lifecycle.
All-in-one, but you can use only what you need
GitLab makes it simple to embrace our security and governance capabilities. As a single platform, we offer all GitLab functionality (SCM, CI/CD, Security, and more) to the user for one price, with one product — no clumsy tool chain to manage. Subscriptions can be purchased by tier. You will find Static Application Security Testing (SAST) and Secret Detection in the Free tier and many other capabilities in the Ultimate tier, including all other security scanners (i.e., IaC Scanning, Dependency Scanning, Container Scanning, License Compliance, DAST, Fuzzing, and API Security), the Security Dashboard, Compliance, and Value Stream Management. We can include results from third-party security scanners or bug bounty platforms into our pipeline and dashboards — or we can replace them. The choice is yours.
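As an added illustration (not configuration from this page), here is a minimal .gitlab-ci.yml that enables the scanners named above by including the templates GitLab ships; the stage names, the image tag in CS_IMAGE and the DAST_WEBSITE value are assumptions for a project that builds and tags its own container image.

```yaml
# Added example, not from the GitLab page: turn on the built-in scanners by
# including the CI templates GitLab ships. The Free-tier scanners (SAST,
# Secret Detection) and the Ultimate-tier scanners are grouped so a team
# on the Free tier can keep only the first two includes.
stages:
  - build
  - test
  - dast          # stage used by the DAST template (assumed to exist)

include:
  # Free tier
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  # Ultimate tier
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/SAST-IaC.latest.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml
  - template: Security/API-Fuzzing.gitlab-ci.yml

variables:
  # Keep test fixtures out of SAST findings so developers see only their own code.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
  # Image produced by the build job below (assumed tagging scheme).
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  # Placeholder staging URL for DAST; replace with a deployed review/staging app.
  DAST_WEBSITE: "https://staging.example.invalid"

build_image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CS_IMAGE" .
    - docker push "$CS_IMAGE"
```

Because the scanner jobs run in the merge request pipeline, findings appear in the MR diff view before merge and in the project's vulnerability report once merged to the default branch.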
We release on the 22nd of every month, delivering value and innovation to our customers. Recent improvements to our application security testing and vulnerability management capabilities include proprietary scanning engines for SAST and DAST to improve coverage, accuracy, and speed; container scanning improvements; and the addition of infrastructure-as-code (IaC) scanning and API security testing. Findings from these, and all of the other security scanners within GitLab, can be actioned from the MR pipeline pre-merge and from vulnerability reports once merged to a default branch. We also recently introduced integrated security training, which provides context-specific training content to help developers understand and remediate the vulnerabilities they introduce in an individual commit. Another favorite: we created a user interface to simplify policy customization — no YAML editing required.
Themes for what's next include:
We’re excited about our unique ability to lead the application security testing market into a modern approach that harnesses the software factory to create more secure code while better protecting the factory itself. It’s wonderful to see some of the world’s largest enterprises, in the most regulated industries, moving to GitLab for our security capabilities and the unique perspective we bring. These organizations are able to break down departmental silos and empower cross-functional teams to achieve transparency end-to-end in their DevOps lifecycle.
With GitLab, “Everyone Can Contribute.” We invite you to contribute to our product direction and roadmap, which we share publicly. Issues listed under upcoming releases are actual issues (aka stories) assigned to engineers. Please converse with them directly in the issue to share your feedback.
This page contains information related to upcoming products, features, and functionality.
It is important to note that the information presented is for informational purposes only. Please do not rely on this information for purchasing or planning purposes.
As with all projects, the items mentioned on this page are subject to change or delay. The development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
Gartner, “Magic Quadrant for Application Security Testing,” Dale Gardner, Mark Horvath, Dionisio Zumerle, April 18, 2022.
GARTNER and Magic Quadrant are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.