Category Direction - Security Policy Management

Maintained by:

The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.

Govern

Govern


Stage	Govern
Maturity	Minimal
Content Last Reviewed	`2024-02-20`

Introduction and how you can help

Thanks for visiting this category direction page on Security Policy Management in GitLab. This page belongs to the Security Policies group of the Govern stage and is maintained by Grant Hickman ([email protected]).

This direction page is a work in progress, and everyone can contribute. We welcome feedback, bug reports, feature requests, and community contributions.

Please comment and contribute in the linked issues and epics on this page. Sharing your feedback directly on GitLab.com is the best way to contribute to our strategy and vision.
Schedule a video call with the Security Policies Product Manager. If you're a GitLab user and have direct knowledge of your need for security policies, we'd especially love to hear from you.
Email the Security Policies Product Manager, Grant.
Can't find an issue? Make a feature proposal or a bug report. Please add the appropriate labels by adding this line to the bottom of your new issue /label ~"devops::govern" ~"Category:Security Policy Management" ~"group::security policies".
Consider signing up for First Look.

We believe everyone can contribute and so if you wish to contribute here is how to get started.

Overview

Security Policy Management is an overlay category that provides security and compliance policy enforcement across all the scanners and technologies used by GitLab's Secure and Govern stages. Security Policy Management gives organizations a central location to globally enforce policies to achieve a few core jobs:

Ensuring that security scanners run when and where necessary in development projects.
Helping security and compliance teams cut through the volume of vulnerabilities to identify what is actionable in terms of security risk or compliance risk.
Enabling compliance teams to implement compliance controls that can be enforced across an organization's GitLab instance, while leveraging our Compliance center and audit events to track compliance.
Engaging the right cross-functional team members within the DevSecOps lifecycle to address challenges while reducing the impact to velocity.
Blocking risky changes that may impact production code by requiring support and oversight to fix vulnerabilities.

GitLab was recently named as a Challenger in the 2022 Magic Quadrant for Application Security Testing. As highlighted by Gartner, "It's not enough to automate the process of scanning. When and how policies are applied, and how exceptions are handled, also needs to be automated to bring consistency and auditability. GitLab provides a broad range of policies and common controls for compliance." With GitLab's Security Policy Management, you can leverage automation to efficiently improve your security posture and gain some clarity amidst the chaos.

Current Capabilities

Security Policies

Security policies allow users to use a single, simple UI to define rules and actions that are then enforced. Two types of policies are currently supported: scan execution policies and merge request approval policies. Security policies themselves are fully audited and can be configured to go through a two-step approval process before any changes are made. All policies are supported at the group, sub-group, and project levels.

Scan Execution Policies allow users to require vulnerability scans to be run, either on a specified schedule or as part of a pipeline job. Currently we support requiring the execution of SAST, Secret Detection, Container Scanning, Dependency Scanning, and DAST scans. We do not plan on adding support for License Compliance as its functionality is planned to be merged into Dependency Scanning (now supported for SaaS behind feature flag). We do intend to add support for Fuzzing; however, this is not on our near-term roadmap.

Merge Request Approval Policies allow users to enforce approval on a merge request when policy conditions are violated. Currently criteria related to both security and license scanners are supported. For example, users can require approval on merge requests that introduce newly-detected, critical vulnerabilities into their application. Additionally, you may enforce and override particular project settings, such as blocking push/force pushing and ensuring that approvals are now allowed by a merge request author or committer on the MR.

Learn more

Security Approvals

Security approvals allow users to select the conditions that must be met to trigger the security approval rule, including which branches, scanners, vulnerability count, and vulnerability severity levels must be present in the MR. If all conditions are met, then the merge request is blocked unless an eligible user approves the MR. This extra layer of oversight can serve as an enforcement mechanism as part of a strong security compliance program.

Security approvals are a type of merge request approval policy and can be configured in the Security & Compliance > Policies page.

Learn more

License Approvals

License approvals allow users to select the conditions that must be met to trigger the license approval rule, including which licenses are expressly allowed or prohibited from being present in the MR. If all conditions are met, then the merge request is blocked unless an eligible user approves the MR. This extra layer of oversight can serve as an enforcement mechanism as part of a strong legal compliance program.

License approvals are a type of merge request approval policy and can be configured in the Security & Compliance > Policies page.

Learn more

Strategy and Themes

The traditional approach to application security was to enable scanners, detect all the vulnerabilities, then have AppSec triage vulnerabilities in a vacuum. Triaging large volumes of vulnerabilities is too noisy. It's a significant effort to identify what is actionable, filter out false positives, and determine when dependencies can be fixed and when the security or compliance team needs to be engaged to support.

In addition to this outdated and siloed approach, companies are required to navigate toolchain sprawl, connecting many different systems while creating controls at each different connection point. The more tools one has, the more connections are required and the more fickle they are to manage and secure.

GitLab offers a complete DevSecOps platform as a single application with integrated security and compliance controls that ensure visibility, auditability, and enforcement across the SDLC. This modern approach builds Security into the process and encourages collaboration, increasing velocity and improving innovation. And, while other solutions require you to stitch together tools and create complex systems to enforce policies, GitLab's Security Policy Management enables organizations to maintain global oversight while establishing the separation of duties between security, compliance, legal teams, and engineering departments. Security Policies feature also grants development teams a level of flexibility over their processes that ensure stable, reliable, and quality production-quality code. As businesses typically struggle with troubling gearing ratios between software engineers to security engineers (20:1 or worse), GitLab's tools can help enterprises automate and manage security and compliance risk at scale.

Critical Workflows in DevSecOps

The points between Dev and Sec are critical and underserved in our market today. Efficiently managing risk and collaborating between these two domains to delicately balance business requirements is an area that can provide immense value for our customers, especially those in highly regulated industries. These overlapping concerns include controlling what code is merged into production, identifying vulnerabilities and risk, and determining when this impacts how production code is developed and deployed.
The coordination between Sec and Ops is also lacking. Ops may manage golden images, automate deployment through IaC, and have complex steps to ensure software products are delivered to customers in a way that is stable and reliable and aligns with current legal and compliance requirements. Security and compliance teams must be acutely aware of CVEs, CWEs, and other common vulnerability exposures to ensure deployment processes that directly impact business revenue are not impacted. This, too, requires overlapping concerns and collaboration between approved code being merged to production, and the deployment pipelines that manage building images, pulling in packages and deploying SaaS containers cutting packaged software releases.

How Security Policies help GitLab Win

Security Policies aligns with our efforts in driving adoption of GitLab Ultimate, as we're satisfying a market need that truly differentiates GitLab as a DevSecOps platform.
Security Policies is core to one of our FY24 Product Investment themes,"Advanced security and compliance".
Investment in Security Policies is strategic as we focus on depth over breadth in the Security section and Govern stage to provide robust solutions that address DevSecOps adoption challenges (internal) (also highlighted as one of our FY24 Yearlies). Security Policies and the greater Security section vision will help reduce churn/contraction by delivering predictable high value to customers.

Key Security Policy Themes

GitLab's Security and Compliance Policy Management covers the many touch points across the DevSecOps platform to reduce risk and allow the business to operate efficiently. The top-level themes that will help our customers succeed are:

Robustness of Merge Request Approval Policies and Scan Execution Policies, which ensure scanners run when and where they must and that code is reviewed thoroughly to reduce the risk of introducing new vulnerabilities
Global and fine-grained management of policies, which will allow Organizations to manage policies at an Organization level, with enforcement flowing down through groups, subgroups, and projects.
Efficient and intelligent security orchestration will automate the steps required to configure and enforce scanners while also making pipelines more efficient, reducing CI minutes, and increasing developer productivity
Broader policy enforcement that better serves our diverse customers and satisfies diverse security and compliance requirements
Elegant cross-functional security, compliance, and developer workflows that encourage collaboration across domains
Tighter controls that mitigate circumvention without blocking developers
More customizable policy rules that support use cases across scanners, such as enabling support for Custom CI Variables in our UI Rule mode and Custom SAST/Secret Detection rulesets.
UX Improvements to eliminate or abstract away Security Policy Projects to provide more customized workflows for Security and Compliance professionals

1 year plan

See our prioritized roadmap here.

What is next for us

Maturing and releasing experimental features "security policy scopes" and "pipeline execution action" to GA
Surfacing policy violation details in bot comments
Handling more use cases and scenarios within merge request approval policies
Improve how AppSec teams handle Vulnerability Management while using Security Policies

What we are currently working on

We're working to mature our support for enforcing custom CI across projects. While today we have an experiment – the Pipeline Execution Action for Scan Execution Policies, based on customer feedback we will be releasing the new capability within a new policy type – the Pipeline Execution Policy type. This new policy type will support custom CI YAML input, which may be configured in a remote compliance yaml file and managed from the policy.yml.

As we mature these features we are adding the following capabilities:

A mechanism to ensure all jobs enforced through the pipeline execution action are unique and enforceable (such as using an index pattern in the job naming for jobs enforced).
Dynamic stage management, defining a new concept of "reserved" stages which may only be used by jobs created by policies.
UX improvements for creating custom yaml via the pipeline execution policy.
Proper handling of global variables and rules.

Additionally, we're working on:

Support for component filters in License Approval Policies
Surfacing policy violation details via bot comments

What we recently completed

Violations detected by merge request approval policies, along with additional details, are now surfaced in bot comments for MRs evaluated by merge request approval policies.
Security Policy Scopes were released as generally available in 16.11.
We've made improvements to align scan result policy data with the MR Widget, ensuring more accurate and expected results when blocking merge requests.
We've enabled Security Policy Scopes and the Pipeline Execution Action as experiments (enabled through group settings).
Enforce Scan Execution Policy Variables with the highest precedence
Compliance Enforcement of Security Policies
Support for Additional Filtering for Merge Request Approval Policies

What is Not Planned Right Now

We do not plan to be a full-featured SOAR solution capable of aggregating, correlating, and enriching events from multiple security vendors. We intend to remain focused on providing security management and security orchestration for the security tools that are part of the GitLab product only.

We are also not planning to support Network Policies (Container Host Security and Container Network Security). We previously offered this capability but learned that challenges related to GTM, pricing & packaging, and personas led to low adoption. This required a shift in our strategy. More details around the decision can be found in this internal issue.

Long-term Vision

In the long-term, we intend to add support for additional policy types, including Vulnerability Management, Compliance, Insider Threat, and Pipeline Execution policies. Furthermore, we intend to provide visibility into the impact (blast radius) a policy will have before it is deployed, add support for complex orchestration policies, and auto-suggest policies based on your unique environment and codebase.

Beyond policies, we also intend to add support for an Alert workflow that will allow users to be notified of events that require manual, human review to determine the next steps to take. This workflow will eventually support auto-suggested responses and recommended changes to policies to reduce false positives and automate responses whenever possible. It will also provide an interface for security and compliance teams to review and respond to policy violations that have occurred.

The matrixes below describe the scope of the work that is planned in the long-run for the Security Policy Management category as well as our progress toward the end goal. Our long-term vision is to add support for all of the boxes in the table.

Security Policy Management Roadmap

Best in Class Landscape

BIC (Best In Class) is an indicator of forecasted near-term market performance based on a combination of factors, including analyst views, market news, and feedback from the sales and product teams. It is critical that we understand where GitLab appears in the BIC landscape.

BIC Capabilities

Security Policy Management enables global control of settings across an organizations technology assets and can extend to the processes and procedures used to enforce particular policies.

For GitLab, our focus is on supporting DevSecOps personas, which specifically involves AppSec, Security Operations, Compliance, and InfraSec personas. Each of these users is tasked with ensuring a business' applications are secure and compliant by preventing or reducing the risk of introducing vulnerabilities into production code and live applications. This involves securing each step of the SDLC as well as ensuring proper access and compliance within GitLab itself.

The most critical capabilities for a best-in-class DevSecOps Policy Management solution are as follows:

The ability to easily manage and enforce policies globally across all relevant development projects.
Two person approval of code changes, or change management workflows to reduce risk of introducing vulnerabilities.
Complete assurance that policies cannot be circumvented.
Audit capabilities to record and produce proof of any policy changes.
Granular configuration of policies to allow businesses to filter out false positives, non-material findings, or irrelevant changes.
Thorough alerting and notification capabilities to communicate high-risk changes, violations, or other policy related data into the communication tool of choice.
Enforcement of security scanning in development projects.
Risk-based Vulnerability Management workflows.
Insider threat policies to identify and protect against potential attacks.
Pipeline health policies that identify malicious or anomalous network/system calls.

BIC Roadmap

GitHub

We have a very competitive position against GitHub regarding policy management. We offer a UI for intuitively defining custom policies, in addition to YAML mode for advanced users. We're expanding to make group and organization-level management of policies a breeze across large organizations while increasing the accuracy and confidence in the enforcement of policies. GitHub offers a very basic solution for checking vulnerabilities and blocking the merge of a PR but lacks the depth as well as the strategic investment to solve this holistically for Enterprise customers.

GitHub includes the following capabilities today:

Code scanning results check can be used to find problems in code by severity.
Users can override default behaviors.
CodeQL can be integrated to require approval based on vulnerabilities found. If the code scanning results check finds any problems with the severity of the error, critical or high, the check fails, and the error is reported in the check results. If all the results found by code scanning have lower severities, the alerts are treated as warnings or notes, and the check succeeds.

There are prerequisites to utilizing GitHub, however:

Many types of scanning require integration with external scanners
It lacks the visual editor and native management of policy as code
The ability to intuitively manage policies across groups is limited or requires manual configuration and maintenance using CodeQL
It lacks the ability to limit who can give approval for failed code scanning checks. When critical or high vulnerabilities are found, anyone who is eligible to approve the PR can approve and allow the code to be merged in.

Synopsys

Synopsys offers Intelligent Orchestration, which allows users to optimize pipeline usage, in turn reducing pipeline costs and potentially impacting developer velocity due to optimizing pipeline duration.

However, leveraging Synopsys requires integration with your CI/CD and maintaining enforcement across the toolchain.

More details about Govern's Best-in-class position are captured in our internal handbook.

Target Audience

Pricing and Packaging

Security and Compliance policies are capabilities that serve the needs of Large, Ultimate tier customers, Mid-market customers, and customers working in highly regulated industries/sectors such as PubSec, Healthcare, and Financial Services.

All features under Security Policy Management target Ultimate-tier customers.

GitLab offers a simple pricing model based on monthly seats. Ultimate tier customers gain access to more powerful tools that unlock the power of DevSecOps, including Security Policy Management, Security Dashboards, Dependency Scanning, DAST, Fuzzing, and much more.

Analyst Landscape

We are beginning to engage analysts on this topic, but do not currently have research to provide.