When you think about security you probably imagine locks, gates, and closed systems. This is the more traditional approach to security but modern security is much more open and collaborative. If you want to build the most secure systems, there is nothing better than building those systems in the open. Open security practices allow you to get fast feedback from a broad audience with diverse perspectives, helping you build better more holistic solutions. That's our approach to building GitLab Secure at GitLab. We're leveraging amazing open source security projects, the collective contribution of the wider community, and providing an open integration system for anyone to build on top of GitLab security scanners.
Shifting left
Traditional security approaches are opaque and late in the development life cycle. Security scans are performed by isolated security experts long after developers write code, often after it's deployed to production. GitLab aims to make security an integrated and continuous process. That's why we've built GitLab Secure directly integrated into the DevOps life cycle. We are taking security tools and "shifting left" to make these tools more accessible to developers earlier in the development life cycle and integrated directly into developers' workflows.
We created a detailed survey to learn more about the 2020 DevSecOps Landscape. The results of the survey indicated that security is still a significant hurdle for most organizations that use DevOps, and show:
- Only 13% of companies give developers access to the results of application security tests
- Over 42% said testing happens too late in the lifecycle
- 36% reported it was hard to understand, process, and fix any discovered vulnerabilities
- 31% found prioritizing vulnerability remediation an uphill battle
These statistics illustrate why we are building security scanning directly into GitLab with our Secure features. We want to provide integrated security tools to broaden access and make it easier for everyone using GitLab to write more secure code.
Integrating security tools into everyday workflows
GitLab Secure enables accurate, automated, and continuous assessment of your applications and services, allowing users to proactively identify vulnerabilities and weaknesses to minimize security risk. Secure is not an additional step in your development process nor an additional tool to introduce to your software stack. It is woven into your DevOps cycle, which allows you to adapt security testing and processes to your developers (and not the other way around).
Today GitLab Secure offers support for a variety of security scanning tools including:
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Container Scanning
- Dependency Scanning
- License Scanning
- Secret Detection
- API Fuzzing
- Coverage Fuzzing
All of these tools provide unique approaches to finding security problems. No one tool is best at everything, so we wanted to provide a way to leverage many tools in an integrated way, so you're always getting the most relevant security results. Take a look at how GitLab Secure integrates all these tools into common developer workflows on GitLab:
Democratizing security
With GitLab Secure, we've laid the foundation for bringing security tools directly into developers' workflows. At GitLab, we believe in a world where everyone can contribute. Collaboration and transparency are part of our core values. This approach changes the way we build security features. That's why as part of our community stewardship promise we've made all our open source based SAST scanners available for all users, we offer open source projects and nonprofits free access to our best features, and we've created a security scanner integration framework to allow anyone to contribute security scan tools. Our entire product strategy and vision is also open source, so everyone can understand our vision for an integrated, accessible, and democratic approach to security. Together we can build a more open and modern security approach that helps developers everywhere write more secure code.
Integrate with GitLab Secure
Out of the box, GitLab provides a variety of pre-integrated and actively managed open source security tools, such as SAST's 16 analyzers that all support automatic language detection to always run the most relevant security tool. While GitLab will continue to update and build first-party integrations we wanted to ensure that GitLab contributors and integration partners could easily extend GitLab Secure for third-party tools. Our open integration framework makes it easy for anyone to leverage all of the features of GitLab Secure with any scanning tool they may want to integrate. You can see all the tools GitLab users have requested support for and even add your own request in our tracking epic.
Community contributions
With our open integration framework we've seen members of the GitLab community contribute additional security scanners, help maintain the existing open source scanners we offer and expand the list of supported languages and frameworks we support. Our community contributors are helping every GitLab user have access to more accurate, sophisticated, and relevant security results. Here are some recent community contribution highlights:
- Mobile SAST support via MobSF (contribution by @williams.brian-heb) - GitLab 13.5 Release MVP
- Adding Helm Chart support (contribution by @agixid)
- Performance improvements to Fuzz testing (contribution by @jvoisin)
- Updates to secret detection (contribution by @tnir)
- Dependency scanning buxfixes (contribution by @fcbrooks)
- Updates to Security Scanner underlying operating systems (contribution by @J0WI)
- Contributions for .NET Framework Support (contribution by @agixid)
- See the full list of Secure community contributions
The open source nature of GitLab allows the community to help improve, maintain, and contribute features within GitLab. This is the ultimate value of open source. Even if we don't offer something, you can always extend or modify the behavior of GitLab to accomplish your goal. When compared to closed-source Security vendors, this is a huge benefit. The impact these contributions have is massive as GitLab Secure is used by tens of thousands of customers and performs hundreds of thousands of security scans every month. If you are interested in contributing, check out our contributor program and contributor documentation.
Integration partners
Community contributions aren't the only way GitLab Secure is being extended. We have a variety of integration partners who provide security integrations that further expand the suite of security tools available to GitLab users. Check out the GitLab Security integrations our partners offer. If you are a security vendor interested in integrating with GitLab, join our partner program today.
Looking ahead
We've come a long way in the past few years with GitLab Secure and we're not done yet. Our vision is bold (and open source) and our investment in security is large. Security is a team effort and we hope you'll join us on our mission to help developers write more secure code.
Read more about GitLab SAST:
- GitLab Secure Direction
- Learn more about integrating with GitLab Secure
- View the latest October 2020 GitLab security trends
Cover image by Mitchell Luo on Unsplash
