Reduce supply chain risk with smarter vulnerability prioritization

Application Security teams face a constant uphill battle in risk reduction due to the ever-growing number of vulnerabilities. This year alone, 36,000 Common Vulnerabilities and Exposures (CVEs) have been reported — a 25% increase from last year. The sharp rise intensifies the challenge of prioritization in vulnerability management, especially for lean AppSec teams.

To help, we’ve introduced several new enhancements to our Software Composition Analysis (SCA) solution. These improvements are available for all GitLab Ultimate customers:

• Static Reachability Analysis identifies the exploitable vulnerabilities from open source components in your applications.
• Known Exploited Vulnerabilities (KEV) Indicator highlights known, actively exploited vulnerabilities.
• Exploit Prediction Scoring System (EPSS) predicts the likelihood of a vulnerability being exploited.

By prioritizing exploitable vulnerabilities, AppSec teams can reduce triage times, accelerate remediation cycles, and improve collaboration with their development counterparts. Powered by our recent acquisitions of Oxeye and Rezilion's intellectual property, these new capabilities align with our vision of providing best-in-class application security solutions, natively built into developer workflows.

What is SCA and why does it matter?

Software Composition Analysis helps organizations identify and manage open source components within their applications. By scanning the codebase, SCA provides insights into the component versions, licenses, and importantly, known vulnerabilities. With 90% of Fortune 500 companies dependent on open source components for their applications, SCA provides much-needed visibility to mitigate software supply chain risk.

High-profile breaches like SolarWinds and Log4Shell highlight how vulnerabilities in third-party components can compromise countless downstream applications. SCA tools act as proactive measures, enabling teams to identify vulnerabilities and enforce compliance early in the software development lifecycle, ensuring software security while maintaining development velocity.

Filter out the noise for targeted remediation

With our latest SCA enhancements, GitLab helps you cut through the noise to prioritize real risks, reduce backlogs, and remediate faster – all within your existing workflows.

Focus on vulnerabilities that pose the greatest risk

• Static Reachability Analysis leverages the proprietary detection engine of our Advanced SAST solution to surface vulnerabilities from dependencies that can actually be exploited in your application.

Reduce triage times

• With KEV indicators and EPSS scoring, GitLab gives security teams actionable insights into vulnerabilities that are actively being exploited or likely to be targeted. Incorporating risk-based scoring helps teams effectively triage their vulnerability backlog.

Faster remediation to mitigate supply chain risk

• Our SCA enhancements are built into developer workflows, providing contextual remediation guidance while maintaining developer productivity.

What’s next for SCA

We’re continuing to integrate Rezilion’s technology into our platform to help teams secure their software supply chains more effectively. Rezilion will be key to powering future innovations, including:

• Supporting faster remediation workflows by automatically opening merge requests with fixes for detected vulnerabilities
• Enriching package metadata using OpenSSF scorecard ratings to provide security teams with more information on dependencies such as authors and end-of-life status
• Improving open-source software license detection to ensure compliance and reduce legal risks

Get started with SCA

If you’re an existing GitLab Ultimate customer and would like to learn more about how Software Composition Analysis can enhance your application security program, visit our documentation. There, you’ll find details on implementation requirements, use cases, and more. Or if you’re not yet a GitLab Ultimate customer, get started with a free trial today to explore how GitLab enhances your ability to write secure software, achieve compliance goals, and improve development velocity.

Disclaimer: This blog contains information related to upcoming products, features, and functionality. It is important to note that the information in this blog post is for informational purposes only. Please do not rely on this information for purchasing or planning purposes. As with all projects, the items mentioned in this blog and linked pages are subject to change or delay. The development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab.