Blog Security Tired of afterthought security? Take a fresh look at GitLab Ultimate
Published on: December 8, 2020
4 min read

Tired of afterthought security? Take a fresh look at GitLab Ultimate

Security may not be the first thing that comes to mind when thinking of our DevOps platform, but we’re going to make the case it should be. Here’s a look at some of the too-often-overlooked security features in GitLab Ultimate.

gitlabultimatesecurity.jpg

At GitLab, we have worked hard to make application security testing a natural by-product of software development. We started with the developer, bringing scan results into their native workflow, then we added a dashboard for the security pro. We acquired Gemnasium and most recently Peach Tech and Fuzzit. We have a board goal to be a world-class security product and have allocated just under 25% of our R&D budget to these capabilities.

We know our SAST, dependency, container, and other scanners are great but we’d also bought into the idea that people choose to use our DevOps platform largely because of CI or SCM and our security is just an added bonus.

But it seems we are our own worst critic, especially on how we determine product maturity. Data points include:

And customers are noticing too:

  • “GitLab Secure replaced Veracode, Checkmarx, and Fortify in my DevOps toolchain. GitLab scans faster, is more accurate, and doesn’t require my developers to learn new tools.”

  • “GitLab Secure enables us to ship faster. Our other scanner tools could take up to a day to finish scanning whereas GitLab scans finish in as little a few minutes.”

Here’s a look at other built-in security features in Ultimate for self hosted and Gold for SaaS.

Vulnerability scans (no assembly required)

If there are two truths in security, it’s these: The more you scan, the less risk you will have, and it’s cheaper to find and fix vulnerabilities in development than later in the lifecycle. Developers need access to that data in their workflow. GitLab Ultimate/Gold offers comprehensive scanning, out of the box with no integration required: dynamic and static (now including mobile apps), container scanning, dependency scanning, API scanning, and fuzz testing, along with scanning for secrets and license compliance. All of these scans are built into the workflow with results presented in the MR pipeline – meaning busy developers don’t have to go hunting for results.

The scans are also easy to apply for security pros. With one click, you can choose what to do via AutoDevOps, or add in third-party scanners via the ci.yml. Just start with a CI job definition. We’ve even added a handy UX so non-developers can modify the ci.yml without coding (add link). By using CI templates you can easily set and apply security policies for merge approvals and more. You can also limit security scanning to running offline for highly sensitive environments.

Comprehensive dashboards

While this developer-first perspective will reduce vulnerabilities, they can’t all be fixed on the spot. So our security dashboard capability (included with GitLab Ultimate/Gold) helps security pros manage remaining vulnerabilities. It provides a single source of truth, eliminating translation and friction between development and security, and makes it simple for anyone to see the status of remediation work, who changed what, where and when, and even who approved merge requests across the entire software development lifecycle.

And because we know compliance also plays a key role in security, we have a dedicated compliance dashboard that gathers key data to ensure quick and accurate reporting.

Container monitoring

DevOps teams taking advantage of the modularity of containers also need a way to keep all the moving parts safe. Gitlab Ultimate offers container threat monitoring in addition to container scanning.

Integrated fuzz testing

Thanks to our acquisition of Peach and FuzzIt, GitLab Ultimate now offers integrated coverage-guided fuzzing and continuous fuzzing, adding new types of testing previously unavailable.

Cover image by Zhen Hu on Unsplash

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

Find out which plan works best for your team

Learn about pricing

Learn about what GitLab can do for your team

Talk to an expert