Application Security (AppSec) engineers focus on enhancing an application's security by finding, resolving, and preventing vulnerabilities. But managing all these vulnerabilities across different teams and projects is not an easy process. It can be simplified by using the GitLab Secure features found in GitLab Ultimate.
One of the significant capabilities of GitLab Secure is the accurate, automated, and continuous assessment of the security of your applications and services through a unified dashboard.
In this blog post, I will show four ways GitLab Secure makes life easier for the AppSec engineer.
Finding vulnerabilities with security scans
The first capability that AppSec engineers will find useful is the robust security scanning capabilities in GitLab Ultimate.
These capabilities allow you to proactively identify vulnerabilities and weaknesses to minimize your security risk using a variety of defense-in-depth techniques. The security scans include the following:
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Container Scanning
- Dependency Scanning
- License Scanning
GitLab pipeline running security scans
When submitting a merge request (MR), the security scans will run and populate the MR with data on the vulnerabilities detected and how to resolve them. This data allows AppSec engineers to begin risk analysis and remediation.
Managing vulnerabilities with the Security Dashboard
The second most useful capability for AppSec engineers is the Security Dashboard, which helps keep projects organized and summarizes the relevant security details for an application, all in one place.
The Security Dashboard in GitLab Ultimate provides a high-level overview of the status of all the vulnerabilities detected in groups, projects, and pipelines.
Security Dashboard Group-Level view
By using the Security Dashboard, an AppSec engineer can drill down into each vulnerability to obtain additional information, such as how to resolve the vulnerability, how it was handled by the developer, and if a work ticket (or GitLab issue) has been opened for remediation.
The Security Dashboard also shows which file the vulnerability was detected in. Each vulnerability is assigned a severity and a report type. By using this information, an AppSec engineer can quickly identify which items are the most critical for the team to tackle first.
Security Dashboard project-level view
It's important to note that the Security Dashboard supports integrations with third-party scanners. For example, if you are using WhiteSource, the scan results can be added to and managed in the Security Dashboard.
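To show the kind of triage the dashboard performs over scan results, here is an added Python example (not GitLab's own code) that reads a constructed report in the shape of a GitLab SAST report artifact (gl-sast-report.json, the JSON format that built-in and third-party scanners hand to the dashboard), ranks the findings that have not been dismissed by severity and file, and checks whether anything at or above a chosen severity remains open. The sample findings, their IDs and the severity threshold are assumptions made for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of a GitLab SAST report artifact
# (gl-sast-report.json); only the fields used for triage are included.
SAMPLE_REPORT = json.dumps({
    "version": "2.0",
    "vulnerabilities": [
        {"id": "v1", "category": "sast", "name": "SQL injection",
         "severity": "Critical", "location": {"file": "app/db.py", "start_line": 42}},
        {"id": "v2", "category": "sast", "name": "Hardcoded password",
         "severity": "High", "location": {"file": "app/config.py", "start_line": 7}},
        {"id": "v3", "category": "sast", "name": "Weak hash (MD5)",
         "severity": "Medium", "location": {"file": "app/db.py", "start_line": 88}},
        {"id": "v4", "category": "sast", "name": "Debug mode enabled",
         "severity": "Low", "location": {"file": "app/settings.py", "start_line": 3}},
    ],
})

# Lower rank = more urgent; unknown severities sort last.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4, "Unknown": 5}

def load_findings(report_json):
    """Return the report's vulnerability list (empty if the report has none)."""
    return json.loads(report_json).get("vulnerabilities", [])

def count_by_severity(findings):
    """Summary counts like the dashboard's severity totals."""
    return dict(Counter(f.get("severity", "Unknown") for f in findings))

def triage_order(findings, dismissed_ids=()):
    """Open findings only (dismissed IDs removed), most severe first, then by file and line."""
    skip = set(dismissed_ids)
    open_findings = [f for f in findings if f["id"] not in skip]
    return sorted(open_findings, key=lambda f: (SEVERITY_RANK.get(f.get("severity"), 5),
                                                f["location"]["file"],
                                                f["location"].get("start_line", 0)))

def findings_per_file(findings):
    """Group finding names by the file they were detected in."""
    by_file = defaultdict(list)
    for f in findings:
        by_file[f["location"]["file"]].append(f["name"])
    return dict(by_file)

def has_blocking_findings(findings, threshold="High"):
    """True if any finding is at or above the threshold severity (assumed merge-blocking policy)."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f.get("severity"), 5) <= limit for f in findings)
```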
Auditing with the Security Dashboard
A third capability GitLab Secure offers AppSec engineers is auditing. The engineer can use this capability to audit a project or group based on the vulnerabilities revealed in various tests. By using the Security Dashboard, the AppSec engineer can see which vulnerabilities have been dismissed, the developer who dismissed them, and the reason they were dismissed. This is helpful for several reasons:
- Check to make sure the development team is practicing secure coding
- Confirm there are no malicious actors dismissing issues
- Keep track of the status of vulnerabilities which could not be immediately resolved
Vulnerability info displayed in Security Dashboard
An AppSec engineer can also create and track confidential issues from the Security Dashboard. Using confidential issues, a team can track the status of a vulnerability in private and make sure it is still on track to be resolved. A confidential branch can be created along with the issue, so that the development team can work on a resolution without tipping off malicious actors.
Confidential issues created via Security Dashboard
Managing software licenses
The final capability we recommend AppSec engineers use is our license management.
Typically, developers use a variety of open source dependencies instead of reinventing the wheel. There is a problem, though: using a dependency with a restrictive license can invalidate your application.
An AppSec engineer is able to add a policy to mark licenses as acceptable or unacceptable for a project and its dependencies. If an unacceptable license is found, the MR can be blocked. The video below provides an overview:
GitLab Secure capabilities enhance the efficiency of AppSec engineers, ultimately leading to more secure applications and a more security-empowered development team. Learn more at DevSecOps and check out the GitLab Secure direction page for more information on upcoming features and integrations.