Published on: July 7, 2020

How GitLab's application security dashboard helps AppSec engineers

GitLab Security features help application security engineers collaborate more efficiently and better assess the security posture of the projects they oversee.


Application Security (AppSec) engineers focus on improving an application's security by finding, resolving, and preventing vulnerabilities. Managing all of those vulnerabilities across different teams and projects, however, is not easy. The GitLab Secure features found in GitLab Ultimate simplify that work.

One of the significant capabilities of GitLab Secure is the accurate, automated, and continuous assessment of the security of your applications and services through a unified dashboard.

In this blog post, I will show four ways GitLab Secure makes life easier for the AppSec engineer.


Finding vulnerabilities with security scans

The first capability that AppSec engineers will find useful is the robust security scanning capabilities in GitLab Ultimate.

These capabilities let you proactively identify vulnerabilities and weaknesses, and so reduce your security risk, using a variety of defense-in-depth scan types. The scans run as ordinary jobs in the pipeline, as shown below:

[Image: GitLab pipeline running security scans]

To set up the scans, include the relevant template in your .gitlab-ci.yml or enable Auto DevOps.
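As an added example (not code from the original post), here is a .gitlab-ci.yml that turns on the scans by including the templates GitLab ships. The template paths and the SAST_EXCLUDED_PATHS and DAST_WEBSITE variables are real template inputs; the staging URL and the build job are placeholders you would replace with your own:

```yaml
# Added example: a minimal .gitlab-ci.yml that enables GitLab Secure scans by
# including the templates GitLab provides. Each template defines its own job
# (sast, secret_detection, dependency_scanning, container_scanning,
# license_scanning, dast) and publishes a report artifact, which is what the
# MR widget and the Security Dashboard read.
stages:
  - build
  - test          # most scanning jobs run in the "test" stage
  - dast          # the DAST template puts its job in a "dast" stage

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Skip test fixtures and vendored code so SAST findings stay actionable.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
  # DAST needs a running target. Placeholder URL: point it at a staging
  # deployment of the application under test, never at production.
  DAST_WEBSITE: "https://staging.example.com"

# Container scanning inspects an image, so build and push one first. The
# template's default image reference is
# $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA, so tag it that way.
build:
  stage: build
  image: docker:19.03
  services:
    - docker:19.03-dind
  variables:
    DOCKER_TLS_CERTDIR: "/certs"   # required for docker:19.03 dind to start
  script:
    # Pass the registry token on stdin rather than on the command line.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"
```

Commit this file, open a merge request, and the scanning jobs appear in the MR pipeline; each one attaches its report so the MR widget and the dashboard can display the findings.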

When a merge request (MR) is submitted, the scans run in its pipeline and the MR widget is populated with the vulnerabilities detected and guidance on how to resolve them; the widget highlights the findings introduced relative to the target branch, so the reviewer sees what the change adds. This data allows AppSec engineers to begin risk analysis and remediation.

Managing vulnerabilities with the Security Dashboard

The second capability AppSec engineers will find useful is the Security Dashboard, which keeps projects organized and summarizes the relevant security details for an application, all in one place.

The Security Dashboard in GitLab Ultimate provides a high-level overview of the status of all the vulnerabilities detected in groups, projects, and pipelines.

[Image: Security Dashboard group-level view]

Using the Security Dashboard, an AppSec engineer can drill down into each vulnerability for additional information, such as how to resolve it, how the developer handled it, and whether a GitLab issue has been opened to track remediation.

The Security Dashboard also shows the file in which each vulnerability was detected. Each vulnerability is assigned a severity and a report type (the scan that produced it); with this information an AppSec engineer can quickly identify which items the team should tackle first.

[Image: Security Dashboard project-level view]

It's also worth noting that the Security Dashboard supports third-party scanners. For example, if you use WhiteSource, its scan results can be added to and managed in the Security Dashboard alongside GitLab's own findings. The requirement is that the scanner's job publishes its results as a report artifact in GitLab's security report format.
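To make that concrete, here is an added example (not from the original post, and not WhiteSource's own integration) of a CI job that publishes a third-party scanner's results to the Security Dashboard. The job writes a constructed sample report in GitLab's security report schema; in practice the vendor tool would produce the file, and the job name, scanner name, package name and identifier values are all placeholders:

```yaml
# Added example: feeding a third-party scanner's results into the Security
# Dashboard. GitLab ingests any JSON file that follows its security report
# schema once a job declares it under artifacts:reports. The report below is
# a constructed sample (fictional package, fictional scanner, fictional ID)
# written inline so the job runs stand-alone; replace the heredoc with the
# vendor tool's command that emits GitLab-format output.
third_party_dependency_scan:
  stage: test
  image: alpine:3.12
  script:
    - |
      cat > gl-dependency-scanning-report.json <<'EOF'
      {
        "version": "2.3",
        "vulnerabilities": [
          {
            "category": "dependency_scanning",
            "name": "Example vulnerable dependency",
            "message": "example-lib 1.2.3 has a known weakness",
            "description": "Constructed finding for illustration only.",
            "cve": "package.json:example-lib:EXAMPLE-0001",
            "severity": "High",
            "confidence": "High",
            "solution": "Upgrade example-lib to 1.2.4",
            "scanner": { "id": "acme_scanner", "name": "Acme Scanner (placeholder)" },
            "location": {
              "file": "package.json",
              "dependency": { "package": { "name": "example-lib" }, "version": "1.2.3" }
            },
            "identifiers": [
              { "type": "acme_id", "name": "EXAMPLE-0001", "value": "EXAMPLE-0001" }
            ]
          }
        ],
        "remediations": []
      }
      EOF
  artifacts:
    reports:
      # The key chooses the report type the finding is filed under in the
      # dashboard: sast, dependency_scanning, container_scanning, dast, ...
      dependency_scanning: gl-dependency-scanning-report.json
  allow_failure: true   # like GitLab's own templates, don't fail the pipeline on findings
```

After the pipeline runs, the finding shows up in the MR widget and in the dashboard with the scanner name from the report. Validate real vendor output against the published schemas in the gitlab-org/security-products/security-report-schemas project before relying on it; a report that does not parse is silently ignored rather than surfaced as an error.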

Auditing with the Security Dashboard

A third capability GitLab Secure offers AppSec engineers is auditing. The engineer can audit a project or group based on the vulnerabilities revealed by the scans. In the Security Dashboard, the AppSec engineer can see which vulnerabilities have been dismissed, the developer who dismissed them, and the reason given. This is helpful for several reasons:

  • Check that the development team is practicing secure coding
  • Confirm that no one is dismissing findings maliciously or without justification
  • Keep track of the status of vulnerabilities that could not be resolved immediately

[Image: Vulnerability info displayed in the Security Dashboard]

An AppSec engineer can also create and track confidential issues from the Security Dashboard. With confidential issues, a team can track the status of a vulnerability privately and make sure it stays on track to be resolved. A confidential branch can be created along with the issue, so that the development team can work on a fix without tipping off malicious actors before it ships.

[Image: Confidential issue created via the Security Dashboard]

Managing software licenses

The final capability we recommend AppSec engineers use is license management.

Developers typically pull in a variety of open source dependencies rather than reinventing the wheel. The problem is that a dependency with a restrictive license can impose obligations that conflict with how your application is licensed or distributed.

An AppSec engineer can add a policy that marks licenses as approved or denied for a project and its dependencies. If a denied license is found in a dependency, the MR can be blocked until it is resolved. The video below provides an overview:

GitLab Secure capabilities enhance the efficiency of AppSec engineers, ultimately leading to more secure applications and a more security-empowered development team. Learn more at DevSecOps and check out the GitLab Secure direction page for more information on upcoming features and integrations.

Level up your DevSecOps knowledge:

  • GitLab's security tools and the HIPAA risk analysis
  • A deep dive into the Security Analyst persona
  • Compliance made easy with GitLab

Cover image by Ralph Kayden on Unsplash
