This is the product vision for Defend.
The Defend stage includes all features related to defending your applications and cloud infrastructure, identifying and cataloging threats, vulnerabilities, and risks, and giving you the ability to manage and remediate them.
GitLab helps you create, deliver, and manage secure applications in today's modern infrastructure while also enabling DevOps methodologies and Digital Transformations.
Our first capability in Defend will be in the Web Application Firewall category. The first Minimal Viable Change (MVC) to add capabilities for that category is to enable ModSecurity on your Kubernetes cluster ingress. This category is the first step toward protecting your applications: it monitors incoming traffic and can protect against malicious requests, including attacks such as SQL injection and cross-site scripting.
There are a few product categories that are critical for success here; each one is intended to represent what you might find as an entire product out in the market. We want our single application to solve the important problems solved by other tools in this space - if you see an opportunity where we can deliver a specific solution that would be enough for you to switch over to GitLab, please reach out to the PM for this stage and let us know.
Each of these categories has a designated level of maturity; you can read more about our category maturity model to help you decide which categories you want to start using and when.
When applications are deployed to production, they are subject to real security threats that may lead to unauthorized access to sensitive data. Runtime Application Self-Protection (RASP) actively monitors and blocks threats before they can exploit a vulnerability in the target application. This category is planned, but not yet available.
A Web Application Firewall (WAF) examines traffic sent to an application and can block malicious requests before they reach your application. This category is at the "minimal" level of maturity.
This category covers detecting and responding to security threats. This category is planned, but not yet available.
User and Entity Behavior Analytics (UEBA) applies machine learning to distinguish normal from aberrant behavior. This category is planned, but not yet available.
Security dashboards to help you manage vulnerabilities in your application. This category is planned, but not yet available.
Data Loss Prevention (DLP) is a way to monitor systems for sensitive data and identify when that data is being moved to other systems and potentially shared outside your organization. This category is planned, but not yet available.
In general, we follow the same prioritization guidelines as the product team at large. Issues will tend to flow from having no milestone, to being added to the backlog, to being added to this page and/or a specific milestone for delivery.
You can see our entire public backlog for Defend at this link; filtering by labels or milestones will allow you to explore. If you find something you're interested in, you're encouraged to jump into the conversation and participate. At GitLab, everyone can contribute!
Issues with the "direction" label have been flagged as being particularly interesting, and are listed in the sections below.
In line with our Security Paradigm, Defend features will inform and report threats that occur as a first step. Once you explicitly tell GitLab to block traffic, users, or devices, we will then block and drop those bad actors.
This is valuable to you because it means that you can introduce and configure security for your app gradually over time without disrupting your end users. Examining what GitLab Defend reports for your app helps you confirm that the security settings are appropriate for your app and business before they take effect, so that turning on blocking neither introduces more false positives nor permits more potentially bad actions than you are comfortable with.
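The report-first, block-later approach described above maps directly onto ModSecurity's rule engine modes. The following is an added example, not configuration from this page or from GitLab itself: it assumes the NGINX ingress controller built with ModSecurity support and its `nginx.ingress.kubernetes.io/enable-modsecurity`, `enable-owasp-core-rules` and `modsecurity-snippet` annotations. The namespace, host and service names are placeholders.

```yaml
# Added example (not GitLab's own configuration). Stage 1: ModSecurity with the
# OWASP Core Rule Set in DetectionOnly mode. Every rule is evaluated and matches
# are written to the audit log, but no request is blocked.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app                  # placeholder
  namespace: example                 # placeholder
  annotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine DetectionOnly
      SecAuditEngine RelevantOnly
spec:
  rules:
    - host: app.example.invalid      # placeholder host
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-app    # placeholder service
                port:
                  number: 80
---
# Stage 2: the same Ingress after the audit log has been reviewed and any
# false positives tuned out. Only the engine mode changes; matching requests
# are now rejected instead of merely logged.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app                  # placeholder
  namespace: example                 # placeholder
  annotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
      SecAuditEngine RelevantOnly
spec:
  rules:
    - host: app.example.invalid      # placeholder host
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-app    # placeholder service
                port:
                  number: 80
```

The point of the two stages is that the rule set and the logging are identical in both; the only difference is whether a match results in a log entry or a blocked request, which is what lets you validate the rules against real traffic before any user is affected.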
One of GitLab's key advantages as a single DevOps platform is that all of our stages are integrated and tightly connected. Defend will identify and protect against threats as they happen, but we will strive to be informative to other stages to give you actionable next steps to close a vulnerability or point of exploit, not just defend it.
Not only does shifting left and acting on results earlier give your apps better security, it helps enable collaboration with everyone at your company. We believe that security is everyone's responsibility and that everyone can contribute, and informing other stages is a powerful way to do this.
Defend capabilities will be pre-configured to protect your applications out of the box. Rather than requiring you to read documentation manuals and write complex configuration files, GitLab will always provide reasonable defaults.
We will provide the ability for advanced and customized configurations, but these will only be needed based on your specific use case and when you feel comfortable doing so.
There are a number of other issues that we've identified as interesting and are potentially thinking about, but that do not currently have a milestone set for delivery. Some are good ideas we want to do but don't yet know when; some we may never get around to; some may be replaced by another idea; and some are just waiting for the right spark of inspiration to turn them into something special.
Remember that at GitLab, everyone can contribute! This is one of our fundamental values and something we truly believe in, so if you have feedback on any of these items you're more than welcome to jump into the discussion. Our vision and product are truly something we build together!