Security is on everyone's radar, from board members to inquisitive grandparents. Everyone wants to know what software development teams are doing to protect their applications from attacks like those on Colonial Pipeline and SolarWinds. With the launch of GitLab 14, we accelerated modern DevOps by combining velocity with confidence: built-in security and end-to-end visibility as the foundation of DevOps success.
The modern DevOps solution is platform-driven, has a unified data store, and has security embedded throughout the software development lifecycle (SDLC). We find that it is these three attributes that drive demand for a modern DevOps solution among many different types of businesses.
Security in the modern DevOps solution goes beyond shifting security features left so that developers can find and fix flaws early; it also provides end-to-end visibility and control over the entire SDLC used to create, deliver, and run applications.
Shifting security left is just the beginning
Many organizations have shifted security left, or at least started on that journey, in an effort to improve development velocity while still managing security risk. Starting from their incumbent tools, many find it difficult to cobble together a variety of security scanners and integrate them into an already complex DevOps toolchain. We hear from customers that siloed tooling has hindered collaboration between developers and security teams. Many of our customers turned to GitLab to simplify their DevSecOps process.
GitLab is often at the forefront of the DevSecOps and "shift security left" conversations among developers and businesses because of the simplicity and effectiveness of embracing security capabilities via a single platform. Developers need to find and fix vulnerabilities within their natural workflow earlier, without friction or distractions, while businesses must protect their IP in an age when the stakes of security have never been higher.
When security capabilities are embedded into the end-to-end software process, developers can spend their time writing code instead of managing tools. It is also easier for development and security teams to truly collaborate when they work on the same platform, and security policies can be automated and applied consistently without manual intervention. As a result, GitLab customers have matured and scaled their application security programs in ways that were not possible with traditional siloed solutions.
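As a concrete illustration of what "embedded, consistently applied" scanning looks like in practice, the following `.gitlab-ci.yml` is an added example written for this article; it is not a configuration from the original post or from any customer named here. It pulls in GitLab's shipped security templates (SAST, Secret Detection, Dependency Scanning, and Container Scanning, all of which exist as `Security/*.gitlab-ci.yml` templates in GitLab 14) so that every pipeline runs the same scanners without each project wiring up its own tools. The `build` job, the image name, and the `SAST_EXCLUDED_PATHS` value are placeholders assumed for the example.

```yaml
# Added example: centralized security scanning via GitLab's shipped templates.
# The template names below are real GitLab templates; the build job, image
# name and excluded paths are assumptions for illustration only.

stages:
  - build
  - test

# Including the templates adds the scanner jobs to the "test" stage. Because
# the same include is used everywhere, the policy is applied consistently
# rather than re-implemented per project.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml

variables:
  # Skip vendored and test fixtures so SAST findings stay actionable
  # (illustrative value; tune per repository).
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
  # Container Scanning needs to know which image the pipeline produced.
  # $CI_REGISTRY_IMAGE and $CI_COMMIT_SHA are GitLab predefined variables.
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# Placeholder build job assumed for the example: it publishes the image that
# Container Scanning will inspect in the following stage.
build:
  stage: build
  image: docker:20.10
  services:
    - docker:20.10-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CS_IMAGE" .
    - docker push "$CS_IMAGE"
```

Each scanner job emits a report artifact (for example `gl-sast-report.json`) that GitLab surfaces in the merge request widget and, on the default branch, in the vulnerability report discussed later in this post. Scanners that do not detect a matching language or package manager simply do not run, so the same include is safe to apply across a heterogeneous group of projects.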
We gathered feedback from GitLab customers about using GitLab Secure. Some of these customers opted to stay anonymous as an added security measure.
- HackerOne has reduced velocity disruptions while bringing predictability to their security costs as they scale their app sec programs.
- A global financial services organization says, "GitLab Secure replaced Veracode, Checkmarx, and Fortify in my DevOps toolchain. GitLab scans faster, is more accurate, and doesn't require my developers to learn new tools."
- A large North American grocery retailer says, "GitLab Secure gives us unlimited scanning capability across our entire GitLab repo. This is obviously a very 'shift-left' move as issues will be identified directly in the repo for review and triage. We will be able to get the most coverage this way …".
In addition, we are excited that GitLab customer HERE Technologies has shared their experience using GitLab to shift security left and will present at Commit, GitLab's upcoming user conference, on August 3-4. Be sure to attend for the live Q&A.
Beyond just empowering developers, GitLab's security dashboard and vulnerability report have evolved into powerful tools for security pros. The vulnerability report offers streamlined vulnerability management integrated into the GitLab workflow for earlier risk visibility, simplified vulnerability tracking, and easier remediation. Be sure to catch Lindsey Kerr, frontend engineering manager for GitLab Secure, at Commit where she will share more about the evolution of our vulnerability management capabilities.
Security must be part of the DevOps platform
In an era of attacks that target software supply chains, it is not enough to find and fix vulnerabilities earlier in the SDLC. Shifting security left is still a vital element, but more is required. For DevSecOps 2.0, integration and simplification are necessary for success, and we must also test, monitor, and protect the infrastructure surrounding an application. For cloud native apps, that infrastructure relies on containers and orchestrators whose configurations are themselves codified as Infrastructure-as-Code (IaC), which means misconfigurations can be scanned for in the repository just like application code. We will cover securing IaC on the second day of the GitLab Commit conference. Attend and judge for yourself: are you ready for DevSecOps 2.0?
What's important looking ahead?
Built-in security has become a prerequisite not only for automating a comprehensive security scanning process but also for automating the policies and actions taken when exceptions are found. A recent blog post describes how a platform can help defend against supply chain attacks. With all eyes on the security of the software supply chain, it is even more important to have end-to-end visibility and controls that protect the software factory along with its deliverables. Compliance management is a key part of DevSecOps 2.0. Check out where GitLab is headed and contribute your thoughts and feedback on the top issues.
This is part one of a three-part series on some of the key features of GitLab 14. Check the GitLab Blog to learn more about how GitLab 14 powers greater visibility in part two of the series.
“Are you ready for DevSecOps 2.0?” – Cindy Blake