The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
| Stage | Govern |
| Maturity | Viable |
| Features & Demos | Our YouTube playlist |
| Content Last Reviewed | 2022-10-05 |
| Content Last Updated | 2023-03-15 |
Thanks for visiting this category strategy page on Vulnerability Management in GitLab. This category belongs to the Threat Insights group of the Govern stage and is maintained by Alana Bellucci (abellucci@gitlab.com).
At GitLab, we believe everyone can contribute. One of the simplest ways is by contributing your feedback! If you're a GitLab user or an interested security professional, we especially would love to hear from you. Check out all the ways you can engage with us and choose which one is right for you.
Note: At GitLab, we record most of our video calls and will post them to our YouTube channel unless there is sensitive information.
Vulnerability management is the process of identifying, prioritizing, and tracking vulnerabilities in assets and applications. At its simplest, vulnerability management aims to help security professionals efficiently and effectively determine what weaknesses to address in what order. In this mature, crowded space, programs and solutions often differentiate by how much they facilitate these various aspects by way of additional tools or capabilities. Depending on the extras, you may encounter solutions classified under different terms to distinguish their specific focus areas. Vulnerability assessment vendors scan running applications, often with their own vulnerability scanners (typically DAST or, more recently, container scanning), to capture new weaknesses. Others extend farther “to the right” by providing integration and feedback loops with infrastructure tools such as IPSes, WAFs, and patch management. More recently, Application Security Orchestration and Correlation (ASOC) vendors are focusing holistically on the application development process by aggregating numerous code and infrastructure scanners, often combined with SCM and even CI/CD integrations. Even so, these capabilities fall short of their potential. Solutions need to be built around systems that can identify and prioritize constantly changing vulnerability information. They also need to help the modern security professional break through silos to enable quick and efficient remediation.
GitLab was recently named as a Challenger in the 2022 Magic Quadrant for Application Security Testing.
We want to extend beyond the capabilities of current vulnerability management systems. Our vision is to provide the most complete solution for managing all aspects of vulnerability-related risks across the entire application lifecycle.
Traditionally, vulnerability management has focused on scans of live web apps and assets along with management of those vulnerabilities in a single tool. At GitLab, we have a broader vision: vulnerabilities should not be collected and managed in isolation but are integrated with the rest of the DevOps lifecycle. To that end, we will continue shifting security left and provide visibility into potential weaknesses during the development phase. Rather than scan only the final running application, we will leverage our powerful Secure stage tools to proactively identify weaknesses in the code before it is merged.
With vulnerability management, security is a team effort. We will enable meaningful sets of vulnerabilities, in assets and in application code, that can be mitigated, managed, and acted upon by your whole team—not just the security organization. We will also support teams with compliance and auditing efforts, enabling these teams to show the lifecycle of identifying and mitigating identified vulnerabilities.
We will increase visibility and decrease friction in the DevSecOps workflow by providing unified interfaces and integrations with the systems teams are already using. With vulnerability management, teams will be able to manage the output from all of our security features, so that there is always a single source of truth for security results. We will continue to facilitate integrations with 3rd-party tools through robust, open APIs and our technology partners.
Vulnerabilities are critical to track throughout the software development lifecycle from discovery through remediation. The way a vulnerability is handled will be highly dependent on its severity, remediation strategy, and the unique internal processes of the teams involved. This need for visibility, traceability, and flexibility requires that we treat vulnerabilities as the unique entities that they are. That's why in GitLab, vulnerabilities are first-class citizens (objects) like an Issue or an MR.
A dashboard should provide a centralized overview of the most relevant information to support informed decision making and evaluating performance toward specific goals. We provide Security Dashboards at the Project and Group level as well as a personal Security Center to support these needs at various levels of organizations. Primarily geared toward security teams and engineering management, they are a key tool for assessing the current security status of your organization's applications as well as gauging vulnerability management performance over time. Vulnerability reports are the central place to manage the triage and remediation process as they reflect vulnerabilities present in the default branches of projects. Vulnerability reports help keep your organization's application security health at a proper level.
Learn more about Security Dashboards and Vulnerability Reports.
Shifting security left is about more than just scanning your application code pre-deployment. It's about catching and fixing potential vulnerabilities before they can make it into the codebase. Merge request security reports present the results of security scans as a diff of the current branch against the target (default) branch. This allows a developer to see the isolated impact of their changes by highlighting any new vulnerabilities introduced. It is now easy to take corrective action against these new security issues as part of the normal development cycle. By addressing them in the MR, it maintains the security level of the default branch and keeps new vulnerabilities from reaching production environments. Merge request security reports can be used in conjunction with Security Gates for a more controlled secure development process.
Pipeline security reports provide a total picture of all security issues present in a branch. Whereas the merge request security report shows only vulnerabilities newly introduced by a given branch and Security Dashboards show only vulnerabilities already present in the default branch, the pipeline security report shows the combination of both. This provides a quick way to see a total snapshot of the "risk load" that will exist in the default branch were the current branch to be merged.
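The relationship between the three views described above (merge request report, Security Dashboard, pipeline report) can be expressed as a set computation over scan findings. The following is an added illustration, not GitLab's code and not its report schema: the `Finding` record layout, the fingerprint rule (scanner, identifier and file, ignoring line numbers so that unrelated edits do not produce spurious "new" findings) and the sample scan results are all assumptions constructed for this example.

```python
"""Merge request report, dashboard and pipeline report as set operations.

Added example, not GitLab code. The Finding layout, the fingerprint rule and
the sample data below are assumptions made for illustration only."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    scanner: str      # e.g. "sast", "dependency_scanning" (assumed labels)
    identifier: str   # CWE or CVE id as the scanner reports it
    file: str
    severity: str

    @property
    def fingerprint(self) -> Tuple[str, str, str]:
        # Assumption: a finding is "the same" on both branches when the
        # scanner, identifier and file match. Line numbers are left out so
        # that code shifted by unrelated edits is not reported as new.
        return (self.scanner, self.identifier, self.file)


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def sort_by_severity(findings: Iterable[Finding]) -> List[Finding]:
    """Highest severity first; stable secondary keys keep the output deterministic."""
    return sorted(findings,
                  key=lambda f: (SEVERITY_ORDER.get(f.severity, 5), f.file, f.identifier))


def _index(findings: Iterable[Finding]) -> Dict[tuple, Finding]:
    return {f.fingerprint: f for f in findings}


def merge_request_report(target: Iterable[Finding],
                         source: Iterable[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Diff of the source branch against the target (default) branch.

    Returns (new, fixed): findings the branch introduces, and findings on the
    target branch that the source branch no longer triggers."""
    t, s = _index(target), _index(source)
    new = [s[k] for k in s.keys() - t.keys()]
    fixed = [t[k] for k in t.keys() - s.keys()]
    return sort_by_severity(new), sort_by_severity(fixed)


def security_dashboard(target: Iterable[Finding]) -> List[Finding]:
    """What the dashboard shows: findings present on the default branch."""
    return sort_by_severity(_index(target).values())


def pipeline_report(source: Iterable[Finding]) -> List[Finding]:
    """What the pipeline report shows: everything present on the branch,
    i.e. the pre-existing findings it still carries plus the ones it adds."""
    return sort_by_severity(_index(source).values())


def risk_load_after_merge(target: Iterable[Finding], source: Iterable[Finding]) -> List[Finding]:
    """Default-branch findings, minus those the MR fixes, plus those it adds.
    Must equal the pipeline report of the source branch."""
    new, fixed = merge_request_report(target, source)
    remaining = _index(target).keys() - {f.fingerprint for f in fixed}
    idx = _index(target)
    return sort_by_severity([idx[k] for k in remaining] + new)


# Constructed sample scan results (not real scanner output).
DEFAULT_BRANCH = [
    Finding("sast", "CWE-89", "app/models/user.rb", "high"),
    Finding("dependency_scanning", "CVE-EXAMPLE-0001", "Gemfile.lock", "critical"),
    Finding("sast", "CWE-79", "app/views/show.html.erb", "medium"),
]
FEATURE_BRANCH = [
    Finding("sast", "CWE-89", "app/models/user.rb", "high"),                        # unchanged
    Finding("dependency_scanning", "CVE-EXAMPLE-0001", "Gemfile.lock", "critical"),  # unchanged
    # CWE-79 in show.html.erb is no longer reported: this branch fixes it.
    Finding("sast", "CWE-78", "lib/export.rb", "critical"),                          # introduced here
]

if __name__ == "__main__":
    new, fixed = merge_request_report(DEFAULT_BRANCH, FEATURE_BRANCH)
    print("MR report  - new:  ", [f.identifier for f in new])
    print("MR report  - fixed:", [f.identifier for f in fixed])
    print("Dashboard:         ", [f.identifier for f in security_dashboard(DEFAULT_BRANCH)])
    print("Pipeline report:   ", [f.identifier for f in pipeline_report(FEATURE_BRANCH)])
```

The `risk_load_after_merge` helper makes the sentence about the pipeline report explicit: dashboard findings, minus what the MR fixes, plus what it introduces, is exactly the pipeline report of the branch. Any mismatch between the two would point at an unstable fingerprint, which is the usual cause of findings flapping between "new" and "fixed" across pipelines.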
Vulnerability management helps security professionals efficiently and effectively determine what weaknesses to address in what order. An effective, well-defined, repeatable system for assessing the risk and relative priority of a given vulnerability is crucial to the success of a vulnerability management tool. We will focus on three key themes, described in turn below. These themes help us improve both the breadth and depth of functionality, and each step up in maturity will include initiatives that improve on all three.
The security industry has no shortage of standards and best practices, and every organization is unique in the practices it adopts and how it chooses to implement them. There is no one-size-fits-all solution when it comes to security (or even one aspect of security). At the same time, unlimited flexibility can be undesirable as it can lead to long setup times and over-complicated customizations. Our philosophy is to provide a best-practices-informed set of defaults with settings-driven configuration where we see most need. This will allow rapid rollout and adoption of vulnerability management. Over time, you can adapt the features and workflows to suit your organization's needs. Flexibility will include top-down configurations. You will be able to apply settings at the Instance level, establishing defaults and internal best practices org-wide. Where you choose to allow it, these settings can be overridden at the Group or Project level.
Flexibility also means what information we present to the users, when we present it, and in what format. There are multiple roles that will interact with and benefit from various aspects of vulnerability management outside of engineers and security professionals. Serving these roles will encompass everything from dashboard visualizations to reports geared towards non-GitLab users such as CISOs, auditors, and compliance officers. Having the right information in the right context at the right time allows for better, more efficient decision making.
The majority of modern security departments are overworked and understaffed. With the sheer month-over-month increase in the number of threats, the rate of change in environments, the accelerating adoption of new technologies, and novel potential attack vectors, manually remediating vulnerabilities becomes impossible. Security software can help—but only if it cuts down more noise than the new signal it detects. We aim to make our vulnerability management process as efficient as possible. We will start by making the tedious and time-consuming tasks easier through UX enhancements. Longer-term, we will look to automate repetitive tasks and lean on analytics techniques (including ML) to help users make quicker, smarter decisions.
We will provide the best available information so the user can make a risk-informed decision. To start we'll add more depth to the information we show from the existing scanners. This will go beyond severity and quantify risk more granularly. Over time, users will have the ability to set custom policies based on configurable definitions of risk tolerance. We will help our customers maintain compliance with industry and internal policies by making it easy to map our Vulnerability Management program to risk management and compliance frameworks. We will also start tying in additional sources of information such as external vulnerability feeds, reports from responsible disclosure programs, and alert data from our own Contain Security applications. Ultimately, we want our customers to have the best possible understanding of their risk posture as it relates to their entire SDLC.
The following is provided as a guide to understand our current thinking and general direction. As with all roadmaps, this is subject to change at any time and is not a commitment of delivery or timing.
For a more detailed list of features we are currently planning, refer to this high-level Epic:
We're also hard at work designing features that help move us toward our vision of a best-in-class vulnerability management experience that's an integral part of GitLab's single application for DevSecOps. Here's what we're up to:
The majority of work in Vulnerability Management so far has focused on the core triage and remediation experience. This primarily benefits AppSec teams as it is crucial to their ability to adequately track and manage application vulnerabilities. With Vulnerability Management at Viable, we are focusing on what it will take to move to Complete. A heavy focus will be new automations that also take advantage of our rapidly-expanding policy and compliance capabilities. New policy types will allow automation for auto-resolving vulnerabilities as well as auto-dismissing irrelevant ones. We will continue to add features that make vulnerability management more efficient and effective at large scale. Examples include enhanced filtering and search, vulnerability grouping, and customizable saved views. In the background, we will continue making incremental improvements to our existing features. We will also continue our ongoing architectural improvements to ensure we continue to scale with the ever-increasing usage needs of our largest customers.
Further out, there are larger initiatives such as laying the groundwork to move from the current severity-based vulnerability classification system to a risk-based classification. Organizations want to understand more context around the potential impact of a given vulnerability. By understanding not just the severity but also the business criticality of the impacted asset along with the likelihood of compromise (how exposed is the asset), the responsible teams can more effectively assess threats and focus mitigation and remediation efforts on the highest risk areas first. We want to enable defensible risk management processes and provide enhanced security visibility and control.
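To make the difference between severity-based and risk-based classification concrete, here is an added example that is not GitLab's code or its planned risk model. The severity weights, the 1 to 5 business-criticality scale, the 0 to 1 exposure factor standing in for likelihood of compromise, the multiplicative scoring formula and the sample assets and vulnerabilities are all assumptions constructed for the illustration.

```python
"""Severity-only ordering versus risk-based ordering of the same findings.

Added example, not GitLab code. Weights, scales, the scoring formula and the
sample data are assumptions for illustration only."""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed mapping from scanner severity to an impact weight.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


@dataclass(frozen=True)
class Asset:
    name: str
    business_criticality: int   # assumed 1 (minor) .. 5 (mission critical)
    exposure: float             # assumed 0..1 likelihood factor: ~1.0 internet-facing, ~0.1 isolated


@dataclass(frozen=True)
class Vulnerability:
    identifier: str
    severity: str
    asset: Asset


def risk_score(v: Vulnerability) -> float:
    """Assumed model: impact (severity x business criticality) scaled by
    the likelihood of compromise (asset exposure)."""
    return SEVERITY_WEIGHT[v.severity] * v.asset.business_criticality * v.asset.exposure


def by_severity(vulns: Iterable[Vulnerability]) -> List[Vulnerability]:
    """Today's ordering: scanner severity only, ties broken by identifier."""
    return sorted(vulns, key=lambda v: (-SEVERITY_WEIGHT[v.severity], v.identifier))


def by_risk(vulns: Iterable[Vulnerability]) -> List[Vulnerability]:
    """Risk-based ordering: same findings, ranked by the assumed risk score."""
    return sorted(vulns, key=lambda v: (-risk_score(v), v.identifier))


# Constructed sample inventory (not real assets or CVEs).
PUBLIC_API = Asset("customer-api", business_criticality=5, exposure=1.0)
INTERNAL_TOOL = Asset("internal-reporting", business_criticality=2, exposure=0.1)

SAMPLE = [
    Vulnerability("CVE-EXAMPLE-0002", "critical", INTERNAL_TOOL),  # severe, but isolated and low-value
    Vulnerability("CVE-EXAMPLE-0003", "high", PUBLIC_API),         # exposed, mission-critical asset
    Vulnerability("CVE-EXAMPLE-0004", "medium", PUBLIC_API),
]

if __name__ == "__main__":
    print("By severity:", [v.identifier for v in by_severity(SAMPLE)])
    print("By risk:    ", [(v.identifier, risk_score(v)) for v in by_risk(SAMPLE)])
```

With these assumptions the "critical" finding on the isolated, low-value asset drops to the bottom of the risk-based list, while a "medium" on the exposed, mission-critical asset outranks it. That reordering is the practical effect the paragraph above describes: the same scanner output, triaged by where the business impact and likelihood of compromise actually lie.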
There are dozens of vendors providing vulnerability management as a standalone offering or as part of a larger solution. Some choose to rely heavily on integrations to broaden their capabilities while others choose to build and bundle additional functionality. As DevSecOps continues to mature as a concept, the pressure to expand further with traditional DevOps capabilities alongside support for multiple security scan types increases. A sudden spike in acquisitions in the space over just a few months in 2021 (noted below) supports this thesis. However, rather than the vendors below making acquisitions to bolster their DevOps chops, many of the upstarts and smaller players have been acquired by much larger entities in the security space, presumably looking to increase the footprint of their own DevSecOps capabilities. To understand the competitive landscape, it is helpful to group vendors based on the capabilities that they offer.
These vendors have broad offerings and are considered leaders in the space by the major analyst firms. These are also some of the oldest solutions in a space that is evolving beyond focusing on just the management and tracking of vulnerabilities from a given vendor's own tools. Most are more focused on post-deployment application and/or infrastructure scanning (DAST, container). They include their own scanning tools as part of or as an additional option with their vulnerability management tool:
One of the most challenging aspects of vulnerability management is triaging the large volume of vulnerability findings many security professionals must handle. Some vendors have chosen to focus specifically on this vulnerability prioritization aspect. While they typically do not provide scanners, most offer multiple pre-built integrations with various commercial and open source products as well as vulnerability data sources to provide deeper insights than most of the broader vulnerability assessment/management solutions.
Some notable vendors focused on prioritization include:
Gartner distinguishes these vendors by their heavy use of automation in testing application security. They pull data from multiple sources including code scanners (SAST, DAST, SCA) and vulnerability assessments. Some vendors also have begun to ingest infrastructure vulnerability findings to provide an end-to-end view of application security flaws. These tools help prioritize remediation efforts by centralizing the correlation and analysis of findings from a broad source of inputs. You will often find bundled open source security scanners alongside extensive integration capabilities with other commercial security tools. Some of these offerings can also be tightly integrated into CI/CD workflows, making ongoing security assessment part of the DevSecOps flow. This set of tools has seen both the most heavy acquisitions as well as the most new entrants over the last few years. GitLab's vulnerability management and broader Application Security Testing features best align with the capabilities of ASOC vendors.
Notable ASOC vendors include:
There are also a few competitors that aren't direct competitors in the vulnerability management space but offer a much broader challenge to GitLab as a whole. These vendors typically include some security tools that overlap with our own Secure scanners. They also provide their own CI/CD and SCM solutions, or closer integrations with such solutions. It is conceivable that any of these vendors could add or expand their vulnerability management capabilities, making their value proposition closer to GitLab's. In the case of Harness, their recent acquisition of ZeroNorth again supports this industry acknowledgement of the need for a single solution that covers the entire DevSecOps lifecycle.
Vulnerability management is covered slightly differently, depending on the analyst.
GitLab believes in responsibly disclosing software vulnerabilities. As such, GitLab is a CVE Numbering Authority (CNA) and can provide CVE IDs to researchers and information technology vendors. We will be integrating a CVE ID request solution, which will be available within our Secure and Govern stages.
You can read more about reporting a vulnerability, our disclosure policy, and how to request a CVE ID at our Responsible Disclosure page.