December 8, 2020

Tired of afterthought security? Take a fresh look at GitLab Ultimate

Security may not be the first thing that comes to mind when thinking of our DevOps platform, but we’re going to make the case it should be. Here’s a look at some of the too-often-overlooked security features in GitLab Ultimate.


At GitLab, we have worked hard to make application security testing a natural by-product of software development. We started with the developer, bringing scan results into their native workflow, then we added a dashboard for the security pro. We acquired Gemnasium and most recently Peach Tech and Fuzzit. We have a board goal to be a world-class security product and have allocated just under 25% of our R&D budget to these capabilities.

We know our SAST, dependency, container, and other scanners are great, but we had also bought into the idea that people choose our DevOps platform largely because of CI or SCM, and that our security capabilities are just an added bonus.

But it seems we are our own worst critic, especially on how we determine product maturity. Data points include:

And customers are noticing too:

  • “GitLab Secure replaced Veracode, Checkmarx, and Fortify in my DevOps toolchain. GitLab scans faster, is more accurate, and doesn’t require my developers to learn new tools.”

  • “GitLab Secure enables us to ship faster. Our other scanner tools could take up to a day to finish scanning whereas GitLab scans finish in as little as a few minutes.”

Here’s a look at other built-in security features in Ultimate for self-hosted and Gold for SaaS.

Vulnerability scans (no assembly required)

If there are two truths in security, it’s these: The more you scan, the less risk you will have, and it’s cheaper to find and fix vulnerabilities in development than later in the lifecycle. Developers need access to that data in their workflow. GitLab Ultimate/Gold offers comprehensive scanning, out of the box with no integration required: dynamic and static (now including mobile apps), container scanning, dependency scanning, API scanning, and fuzz testing, along with scanning for secrets and license compliance. All of these scans are built into the workflow with results presented in the MR pipeline – meaning busy developers don’t have to go hunting for results.

The scans are also easy to apply for security pros. With one click, you can enable them via Auto DevOps, or add third-party scanners via the ci.yml. Just start with a CI job definition. We’ve even added a handy UX so non-developers can modify the ci.yml without coding. By using CI templates you can easily set and apply security policies for merge approvals and more. You can also run security scanning entirely offline for highly sensitive environments.
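As an added illustration (not configuration from GitLab’s post), this is what enabling the built-in scanners through CI templates looks like in a project’s .gitlab-ci.yml. The template paths are GitLab’s published ones; the stage names, the internal registry hostname used for offline runners, and the excluded paths are assumptions for this example.

```yaml
# Added example, not from the GitLab post: enable built-in scanners
# by including GitLab's shipped CI templates. Each template adds its
# own job to the "test" stage and publishes a report that the merge
# request widget and the security dashboard read.
stages:
  - build
  - test

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml

variables:
  # Offline / air-gapped runners: pull analyzer images from an internal
  # mirror instead of registry.gitlab.com (hostname is a placeholder).
  SECURE_ANALYZERS_PREFIX: "registry.internal.example/gitlab-security-products"
  # Keep findings focused on your own source, not vendored or test code.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"

# Container scanning inspects the image your pipeline built; a "build"
# job that pushes the application image to the project registry is
# assumed to exist and is omitted here.
```

Findings from these jobs appear in the merge request pipeline without any extra wiring, which is the “no assembly required” behaviour the section describes.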

Comprehensive dashboards

While this developer-first perspective will reduce vulnerabilities, they can’t all be fixed on the spot. So our security dashboard capability (included with GitLab Ultimate/Gold) helps security pros manage remaining vulnerabilities. It provides a single source of truth, eliminating translation and friction between development and security, and makes it simple for anyone to see the status of remediation work, who changed what, where and when, and even who approved merge requests across the entire software development lifecycle.

And because we know compliance also plays a key role in security, we have a dedicated compliance dashboard that gathers key data to ensure quick and accurate reporting.

Container monitoring

DevOps teams taking advantage of the modularity of containers also need a way to keep all the moving parts safe. GitLab Ultimate offers container threat monitoring in addition to container scanning.

Integrated fuzz testing

Thanks to our acquisition of Peach and Fuzzit, GitLab Ultimate now offers integrated coverage-guided fuzzing and continuous fuzzing, adding new types of testing previously unavailable.

Cover image by Zhen Hu on Unsplash
