Jul 7, 2020 - Fernando Diaz    

How application security engineers can use GitLab to secure their projects

GitLab Security features help application security engineers collaborate more efficiently and better assess the security posture of the projects they oversee.

Application Security (AppSec) engineers focus on enhancing an application's security by finding, resolving, and preventing vulnerabilities. But managing all these vulnerabilities across different teams and projects is not an easy process. Managing vulnerabilities can be simplified by using the GitLab Secure features found in GitLab Ultimate.

One of the significant capabilities of GitLab Secure is the accurate, automated, and continuous assessment of the security of your applications and services through a unified dashboard.

In this blog post, I will show four ways GitLab Secure makes life easier for the AppSec engineer.


Finding vulnerabilities with security scans

The first capability that AppSec engineers will find useful is the robust security scanning in GitLab Ultimate.

These capabilities allow you to proactively identify vulnerabilities and weaknesses to minimize your security risk using a variety of defense-in-depth techniques. The security scans include the following:

Image: GitLab pipeline running security scans

Simply add a template to your .gitlab-ci.yml or enable Auto DevOps to set up the scans.

When submitting a merge request (MR), the security scans will run and populate the MR with data on the vulnerabilities detected and how to resolve them. This data allows AppSec engineers to begin risk analysis and remediation.
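As an added example (not from the original post), here is a .gitlab-ci.yml that turns on the GitLab Secure scanners by including the built-in templates; it also pulls in the License-Scanning template used by the license management section below. The review-app URL and the image build job are assumptions for illustration.

```yaml
# Added example, not GitLab's own file: enable the Secure scanners by
# including the built-in CI templates. The MR widget and Security Dashboard
# described in the post need GitLab Ultimate.
stages:
  - build
  - test   # the scanner templates run their jobs in this stage
  - dast   # the DAST template runs in its own stage against a live site

include:
  - template: Security/SAST.gitlab-ci.yml                # static analysis of source
  - template: Security/Secret-Detection.gitlab-ci.yml    # credentials committed to git
  - template: Security/Dependency-Scanning.gitlab-ci.yml # known-vulnerable packages
  - template: Security/Container-Scanning.gitlab-ci.yml  # OS packages in the built image
  - template: Security/License-Scanning.gitlab-ci.yml    # dependency licences
  - template: Security/DAST.gitlab-ci.yml                # dynamic test of the running app

variables:
  # Skip vendored code and test fixtures so findings point at your own code.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
  # Assumed review-app URL for DAST; replace with the environment you deploy to.
  DAST_WEBSITE: "https://review-app.example.com"

# Assumed build job: Container Scanning looks for the image at
# $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA by default,
# so build and push with exactly that name.
build:
  stage: build
  image: docker:19.03
  services:
    - docker:19.03-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"
```

The allowed and denied license policy the post mentions is configured in the project's settings rather than in this file; the License-Scanning job only produces the report the policy is evaluated against.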

Managing vulnerabilities with the Security Dashboard

The second most useful capability for AppSec engineers is the Security Dashboard, which helps keep projects organized and summarizes the relevant security details for an application, all in one place.

The Security Dashboard in GitLab Ultimate provides a high-level overview of the status of all the vulnerabilities detected in groups, projects, and pipelines.

Image: Security Dashboard group-level view

By using the Security Dashboard, an AppSec engineer can drill down into each vulnerability to obtain additional information, such as how to resolve the vulnerability, how it was handled by the developer, and if a work ticket (or GitLab issue) has been opened for remediation.

The Security Dashboard also shows which file the vulnerability was detected in. Each vulnerability is assigned a severity and a report type. Using this information, an AppSec engineer can quickly identify which items are the most critical for the team to tackle first.

Image: Security Dashboard project-level view

It's important to note that the Security Dashboard supports integrations with third-party scanners. For example, if you are using WhiteSource, the scan results can be added to and managed in the Security Dashboard.

Auditing with the Security Dashboard

A third capability GitLab Secure offers AppSec engineers is auditing. The engineer can use this capability to audit a project or group based on the vulnerabilities revealed in various tests. By using the Security Dashboard, the AppSec engineer can see which vulnerabilities have been dismissed, the developer who dismissed them, as well as the reason why they were dismissed. This is helpful for several reasons:

  • Check to make sure the development team is practicing secure coding
  • Confirm there are no malicious actors dismissing issues
  • Keep track of the status of vulnerabilities which could not be immediately resolved

Image: Vulnerability info displayed in the Security Dashboard

An AppSec engineer can also create and track confidential issues from the Security Dashboard. With confidential issues, a team can track the status of a vulnerability privately and make sure it stays on track to be resolved. A confidential branch can be created along with the issue, so that the development team can work on a resolution without tipping off malicious actors.

Image: Confidential issues created via the Security Dashboard

Managing software licenses

The final capability we recommend AppSec engineers use is our license management.

Typically, developers will use a variety of open source dependencies instead of reinventing the wheel. There is a problem though: using a dependency with a restrictive license can create legal exposure for your application.

An AppSec engineer is able to add a policy to mark licenses as acceptable or unacceptable for a project and its dependencies. If an unacceptable license is found, the MR can be blocked. The video below provides an overview:

GitLab Secure capabilities enhance the efficiency of AppSec engineers, ultimately leading to the production of more secure applications and a more security-empowered development team. Learn more at DevSecOps and check out the GitLab Secure direction page for more information on the upcoming features and integrations.

Level up your DevSecOps knowledge:

  • GitLab's security tools and the HIPAA risk analysis
  • A deep dive into the Security Analyst persona
  • Compliance made easy with GitLab

Cover image by Ralph Kayden on Unsplash
