Product Stage Direction - Protect

1. You are here:
2. GitLab Direction
3. Product Stage Direction - Protect

On this page

• Stage Overview
  • Groups
  • Resourcing and Investment
• 3 Year Stage Themes
  • Cloud native first
  • Visibility first, protection second
  • Blur the line between development and security operations
  • Improve OSS security standards
  • Emphasize usability and convention over configuration
• 3 Year Strategy
• 1 Year Plan
  • High-level 12-month Roadmap
  • What's Next for Protect
  • What We're Not Doing
• Competitive Landscape
• Key Performance Metrics
• Target Audience
  • Today
  • Medium Term (1-2 years)
  • Security Teams
  • User Adoption Journey
• Pricing
  • Core/Free
  • Starter/Bronze
  • Premium/Silver
  • Ultimate/Gold
• Categories
  • Container Scanning
  • WAF
  • Security Orchestration
  • Container Host Security
  • Container Network Security
• Other Top Level Features
  • Alert Dashboard Vision
  • Policy Management Vision
  • Security Approvals Vision
• Upcoming Releases
  • 13.12 (2021-05-22)
  • 14.0 (2021-06-22)
  • 14.1 (2021-07-22)
  • 14.2 (2021-08-22)
• Other Interesting Items

Protecting cloud-native applications, services, and infrastructure

The Protect stage enables organizations to proactively protect cloud-native environments by providing context-aware technologies to reduce overall security risk. Protect is a natural extension of your existing operation's practices and provides security visibility across the entire DevSecOps lifecycle. This visibility empowers your organization to apply DevSecOps best practices from the first line of code written and extends all the way through to greater monitoring and protection for your applications that are deployed in production.

Stage Overview

The Protect Stage focuses on providing security visibility across the entire DevSecOps lifecycle as well as providing monitoring and mitigation of attacks targeting your cloud-native environment. Protect reduces overall security risk by enabling you to be ready now for the cloud-native application stack and DevSecOps best practices of the future. This is accomplished by:

• protecting your applications and services deployed within your cloud-native environment by leveraging context-aware technologies across the entire application stack
• monitoring for misuse within your GitLab deployment—including its associated runners—and alerting when anomalies in usage are detected

Groups

The Protect Stage is made up of one group supporting the major categories focused on cloud-native security including:

• Container Security - Monitor and protect your cloud-native applications and services by leveraging context-aware knowledge to improve your overall security posture.

Resourcing and Investment

The existing team members for the Protect Stage can be found in the links below:

• Development
• User Experience
• Product Management
• Quality Engineering

3 Year Stage Themes

Cloud native first

Protect will focus first on providing reactive security solutions that are cloud native. Whenever possible, Protect capabilities will be cloud platform agnostic, including support for self-hosted cloud native environments.

For example, GitLab's current Protect capabilities leverage numerous open source cloud-native projects that integrate cleanly with Kubernetes to provide additional security in containerized environments. Any future expansion of security capabilities will come after the cloud native capabilities are mature.

Visibility first, protection second

Protect will focus on detecting and alerting on malicious traffic and activity as a first step followed by introducing prevention as a second step. This is valuable to you because it means that you can introduce Protect within your cloud native applications, services, and infrastructure gradually over time without disrupting your end users. This allows you to examine the alerts generated by Protect using detection policies to ensure all security settings are appropriate and accurate for your cloud native deployment prior to moving to protection policies. This allows you to eliminate false positives and prevents your users from having a poor user experience with your applications and services. Furthermore, Protect will provide you with evidence of malicious traffic and activity as well as any actions taken, allowing you to meet and exceed your compliance goals and requirements.

As examples, GitLab will provide:

• Allow mode first, allowing your organization to have security visibility within your cloud native environment.
• Block mode second, allowing your organization to take action on malicious traffic and activities.
• Logging of all events, both internally to your cluster as well as to an external SIEM (like GitLab Monitor).
• Alerts, notifications, and workflows for responding to those Alerts including the ability to, as an example, create GitLab issues or send ChatOps notifications automatically.

Blur the line between development and security operations

One of the key advantages to GitLab being a single application for the entire DevOps lifecycle is that all of our stages are tightly integrated. This empowers Protect to both provide information into other stages, such as Plan, as well as to receive information from other stages, such as Secure.

Protect will leverage knowledge from the Secure Stage and provide virtual patching of security policies within Protect Categories. Additionally, Protect will eventually leverage Secure scanning capabilities to provide on-going scanning of applications after they have been deployed to production. This allows for detection of any new threat vectors or vulnerabilities that were published after the original push to production.

Protect will identify and protect against threats as they happen, and will also strive to provide actionable next steps to close a vulnerability or point of exploit, not just protect it.

Not only does shifting left and acting on results earlier give your apps better security, it helps enable collaboration with everyone at your company. We believe that security is everyone's responsibility and that everyone can contribute. Informing other stages is a powerful way to do this.

As examples, GitLab will provide:

• Suggested code corrections or package updates to fix vulnerabilities at the source
• Suggested changes to access controls or permissions to better follow the Principle of Least Privilege

Improve OSS security standards

Protect will leverage OSS security projects to build our solutions. Protect will contribute improvements to these projects upstream helping everyone be more secure.

For example, GitLab recently added a Policy Audit Mode to the upstream open source Cilium project to allow users to test their policies before enforcing them.

Emphasize usability and convention over configuration

Protect capabilities will be pre-configured to provide value to protecting your applications. Rather than require you to read documentation manuals and provide complex configuration files, GitLab will always provide reasonable defaults out of the box.

We will provide the ability for advanced and customized configurations, but these will only be needed based on your specific use case and when you feel comfortable doing so.

For example, GitLab is currently working on an intuitive policy editor UI to allow for configuration of Network Policies. While advanced Network Policies can be created and managed by editing the .yaml file, the majority of policy use cases can be accomplished with the simpler UI.

3 Year Strategy

Effectively protecting applications running in production requires the following key software capabilities that will be developed over the next 3 years:

1. A streamlined workflow for triaging, investigating, and mitigating application attacks. This workflow will be tightly integrated into the rest of the GitLab product.
2. Seamless two-way integrations with other security products to both allow GitLab to share alerts with other tools as well as to allow other tools to share information about attacks with GitLab.
3. A unified policy management experience for all security policies, spanning across GitLab's stages. The policy editor will be both versatile and easy to use. By providing clear information about what policies are deployed, misconfigurations and accidental security holes can be avoided.
4. Analytics that save time and reduce errors by leveraging GitLab's knowledge of the application code to reduce false positives by tuning policies, effectively prioritizing alerts, and auto-suggesting security best practices.
5. In-depth introspection into the overhead, uptime, and performance of Protect technologies to ensure that security protections are always up and running without interfering with application performance.
6. Enterprise-grade user permissions, audit logging, change control, and reporting to ensure that the GitLab application itself is safe from threats.
7. Managed Security Service Provider (MSSP) support to allow partners to effectively and efficiently monitor the security posture of their clients' applications.

1 Year Plan

Although the Protect stage has grandiose aspirations and a broad vision, the next 12 months of effort are entirely focused on building a foundation of security tools and capabilities that can be expanded later as the stage matures.

High-level 12-month Roadmap

Please note that all roadmap items and timelines are subject to change. The roadmap for security approvals is currently being researched and is not reflected in the list below.

Q2 FY'22 - (May 2021 - July 2021)

• Follow-on design updates for the alert dashboard
• Kanban style view for the alert dashboard
• Project-level DAST scan execution policies (scheduled scan)
• Allow users to edit security policies in yaml-mode in the Policy UI
• Default container scanning engine Trivy to replace Clair

Q3 FY'22 - (August 2021 - October 2021)

• Add security policy support for Secret Detection and SAST scans
• Support group and workspace level security policies
• Ability to do vulnerability scans against running container images
• Improve container scanning matching
• Test and publish a UBI-based container scanning image
• Usage metric collection for container host security

Q4 FY'22 - (November 2021 - January 2022)

• Improve security policy approval workflow
• Allow users to edit security policies in rule-mode in the Policy UI
• Allow users to enable container scanning in the UI via an MR
• Move the container scanning engine to core
• Consolidate similar container scanning findings
• Container Host Security Statistics
• Ability to export Container Host Security logs to a SIEM

Q1 FY'23 - (February 2022 - April 2022)

• Ability to view the alert dashboard at the group and workspace levels
• Add security policy support for compliance CI files
• Provide a UI to audit security policy changes
• Improve default permissions for security policy projects
• [Ability to scan images in GitLab's container registry on demand](https://gitlab.com/gitlab-org/gitlab/-/issues/3714
• Policy management UI for Container Host Security
• Default policy pack for Container Host Security

What's Next for Protect

Key initiatives in this group over the next 3-6 months will include finishing the work to establish a baseline level of functionality in the following areas:

• A standard, baseline UI for managing security policies across GitLab's stages
• A dashboard for viewing and responding to security alerts across GitLab's stages
• Improved container scanning functionality, including the ability to scan container images that are running in a production Kubernetes instance

Next steps involve extending those core capabilities to include other types of scanners and other areas inside GitLab.

What We're Not Doing

Although we will likely address many of these areas in the future (as described above in our 3 year strategy), we are not planning to make progress on the following initiatives in the next 12 months:

• Adding support for applications running in serverless environments
• Adding support for applications running in non-Kubernetes containerized environments (such as OpenShift or Docker Swarm)
• Adding support for applications running in bare-metal / non-containerized environments
• Attempting to build our own Security Information and Event Management (SIEM) system
• Building analytics or algorithms to auto-tune or auto-recommend policy improvements

Competitive Landscape

In our opinion, the Protect Stage aligns with the market that Gartner defines as the Cloud Workload Protection Platform (CWPP) Market.

Gartner “Market Guide for Cloud Workload Protection Platforms,” Neil MacDonald, Tom Croll, 14 April 2020 (Gartner subscription required)

We believe that GitLab currently aligns to the workload protection controls that Gartner defines in this market as follows:

1. Hardening, configuration and vulnerability management - This control is included in the charter for the Container Scanning category. Functionality to scan containers running in production for vulnerabilities is on the roadmap.
2. Identity-based segmentation and network visibility - This control is the charter of the Container Network Security category. This control was initially released in GitLab 12.8 and has had several improvements since its release.
3. System integrity assurance - Gartner defines two parts to this control: preboot and postboot. Currently GitLab does not have plans to address the preboot portion of this control other than through Container Scanning capabilities pre-deployment as part of GitLab's CI pipeline. The postboot portion of the control is addressed by the Container Host Security category in functionality that was released in GitLab 13.2.
4. Application control/whitelisting - GitLab is capable of addressing this control today through functionality that was released in GitLab 13.2 as part of the control is addressed by the Container Host Security category.
5. Exploit prevention/memory protection - GitLab does not have plans to directly address this control at this time. Some limited capabilities to address this control are available through GitLab's integration with Pod Security Policies which can limit which system calls that are available to a pod.
6. Server Workload EDR, Behavioral Monitoring and Threat Detection/Response - GitLab has some EDR capabilities as part of the Container Host Security category today that address this control. Additional capabilities, including behavioral analytics, are an aspirational part of our long-term vision.
7. HIPS with vulnerability shielding - This control is jointly provided by three categories: Container Host Security, Container Network Security, and Container Scanning. Because GitLab provides IDS/IPS capabilities at both the network and host-based layers, there is some overlap and defense in depth, especially when this is coupled with regular vulnerability scans of containers running in production.
8. Anti-malware scanning - This control is included in the charter for the Container Host Security category. Functionality to scan containers running in production for malware is on the roadmap.

Key Performance Metrics

The following metrics are used to evaluate the success of the Protect stage:

• Overall Performance Indicator: This is the total number of activities analyzed across all groups in the Protect stage, including network traffic packets, process starts, and files accessed.
• Stage Monthly Active Clusters: This is the total number of clusters that have one or more Protect stage feature enabled
• Stage Monthly Active Paid Clusters: This is the total number of clusters belonging to paying customers that have one or more Protect stage feature enabled

Target Audience

GitLab identifies who our DevSecOps application is built for utilizing the following categorization. We list our view of who we will support when in priority order.

• 🟩- Targeted with strong support
• 🟨- Targeted but incomplete support
• ⬜️- Not targeted but might find value

Today

To capitalize on the opportunities listed above, the Protect Stage has features that make it useful to the following personas today.

1. 🟨 Security Operations Engineer / SecOps Teams
2. 🟨 Security Analyst
3. ⬜️ DevOps Engineer / DevOps Teams
4. ⬜️ Security Consultants

Medium Term (1-2 years)

As we execute our 3 year strategy, our medium term (1-2 year) goal is to provide a single DevSecOps application that enables SecOps to work collaboratively with DevOps and development to mitigate vulnerabilities in production environments.

1. 🟩 Security Operations Engineer / SecOps Teams
2. 🟩 Security Analyst
3. 🟨 DevOps Engineer / DevOps Teams
4. 🟨 Security Consultants

Security Teams

Security teams and Security Operations teams are the primarily day-to-day users of Protect features. Over time, GitLab aims to become the primary tool they use to protect, monitor, and manage the security of their production environments. As most organizations have limited resources and/or security talent, we will strive to make the entire user experience as simple and easy to use as possible so as to minimize the skill set and number of individuals required. Additionally, summary-level dashboards and reports will eventually be provided to allow for clear reporting up to executives.

Personas

• Alex - Security Operations Engineer
• Sam - Security Analyst
• Cameron (Compliance Manager)
• Delaney (Development Team Lead)
• Sasha (Software Developer)
• Devon (DevOps Engineer)
• Internal Security Analyst (primarily responsible for insider threat monitoring)

User Adoption Journey

Protect's Container Scanning and Security Orchestration categories are intended to be used by a wide range of personas, including Software Developers, Compliance Managers, DevOps Engineers, and Security Engineers. To adopt these categories, the only prerequisite is for the user to adopt GitLab's CI pipelines. For Container Scanning, users must also either use GitLab's Registry or have a Kubernetes instance connected to GitLab.

Protect's Container Network and Host Security categories are fundamentally different from all other GitLab stages because their primary target user sits outside the Development organization in a Security team that is most commonly within a larger IT department. Consequently there are two primary paths to adopting these categories:

1. Start with the security team; expand to the development organization later - this user adoption journey involves the security team adopting Configure and then Protect to use GitLab to provide security for their production environment. Initially another tool may even be used for their source code management, their CI/CD pipelines, and any other DevOps functions. Once Protect is being used by the Security Team, additional user adoption then follows along the traditional GitLab user adoption journey model with the development organization typically starting with the Create stage.
2. Start with the development organization; expand to the security team later - this user adoption journey involves the customer first using GitLab for any one or more of our other stages, such as Secure, as part of their development workflow. At any point along that adoption journey, the Security Team can then choose to start using Configure to connect to their production environment and then Protect to manage the security of their deployed applications. The development organization does not need to have adopted Configure first.

Pricing

Protect is focused on providing enterprise-grade security capabilities to protect production environments. The intent is to provide enough value in paid features so as to allow Protect to contribute in a significant way over the next 3 years toward GitLab's company-level financial goals.

Although paid features are the primary focus, there are several reasons why features for unpaid tiers might be prioritized above paid features:

1. The Protect stage has a powerful potential to help improve the security of projects everywhere. Features with the potential to significantly improve the security posture of all projects will be highly prioritized and made available in an unpaid tier.
2. To continue to be good stewards in the open source community, any basic integration with open source projects will be available in an unpaid tier, along with the "table stakes" set of functionality required to allow that feature to be usable with GitLab.

Core/Free

This tier is the primary way to increase broad adoption of the Protect stage, as well as encouraging community contributions and improving security across the entire GitLab user base.

As a general rule of thumb, features will fall in the Core/Free tier when they meet one or more of the following criteria:

• The feature is highly useful for an individual with a few small projects rather than meeting the needs of an organization or enterprise that is operating at scale
• The feature is provided by an integration with an open source project rather than being natively developed by GitLab
• The feature has the potential to increase the security posture of all GitLab projects in a significant way, or there is a reasonable ethical/moral obligation to make the feature available to all users

Some examples include:

• Basic installation and use of the security capabilities, especially when the underlying technology leverages an open source project
• The ability to collect security logs
• Documentation and directions on how to configure policies for those security tools (this may require use of the command line)

Starter/Bronze

This tier is not a significant part of Protect's pricing strategy.

Premium/Silver

This tier is not a significant part of Protect's pricing strategy.

Ultimate/Gold

This tier is the primary focus for the Protect stage as the security posture of an organization is typically a primary concern of the executive team and even the board of directors. Just as a major security incident has far reaching consequences that impact the entirety of an organization, the features and capabilities that successfully protect against those types of attacks tend to be valued with equal weight. The types of capabilities that fall in the Ultimate/Gold tier vs an unpaid tier should be those that are necessary for an organization, rather than an individual, to provide for adequate security of their production environment.

As a general rule of thumb, features will fall in the Ultimate/Gold tier when they meet one or more of the following criteria:

• The feature is focused on enabling an organization or enterprise to operate at scale rather than an individual with a few small projects
• The feature is natively developed by GitLab rather than being provided by an open source project

Some examples include:

• A dashboard to aggregate alerts, along with analytics to prioritize those alerts and a workflow for responding to those alerts
• A UI-driven policy management editor, along with any analytics that are built to auto-suggest or auto-tune policies
• Introspection into the up-time and performance of the security tools, along with any auto-generated recommendations for tuning the configuration of those tools
• Enterprise-grade permissions and audit logging to monitor and limit any single individual's ability to make changes

Categories

There are a few product categories that are critical for success here; each one is intended to represent what you might find as an entire product out in the market. We want our single application to solve the important problems solved by other tools in this space - if you see an opportunity where we can deliver a specific solution that would be enough for you to switch over to GitLab, please reach out to the PM for this stage and let us know.

Each of these categories has a designated level of maturity; you can read more about our category maturity model to help you decide which categories you want to start using and when.

Container Scanning

Check Docker images for known vulnerabilities in the application environment. Analyze image contents against public vulnerability databases using the open source tool, Clair, that is able to scan any kind of Docker (or App) image. Vulnerabilities are shown in-line with every merge request. This category is at the "viable" level of maturity.

Priority: medium • Documentation • Direction

WAF

A Web Application Firewall (WAF) can examine traffic being sent to your web application and can detect then block malicious traffic before it reaches them. The ModSecurity WAF is installed via Auto DevOps behind the ingress controller in your Kubernetes cluster. It is configured by default to run the OWASP ModSecurity core ruleset.

Priority: medium • Documentation • Direction

Security Orchestration

Unified policy and alert security orchestration capabilities across all of GitLab's scanners and security technologies. This category is at the "minimal" level of maturity.

Priority: medium • Documentation • Direction

Container Host Security

Detect and respond to security threats at the Kubernetes, network, and host level. This category is at the "minimal" level of maturity.

Priority: high • Documentation • Direction

Container Network Security

Container network security allows the implementation of network policies in Kubernetes to detect and block unauthorized network traffic between pods and to/from the Internet. This category is at the "minimal" level of maturity.

Priority: medium • Documentation • Direction

Other Top Level Features

The Security Orchestration category's features span across multiple stages in GitLab, including the Secure and Protect stages:

Alert Dashboard Vision

The alert dashboard is the central location for viewing and managing alerts. The long-term plan is to aggregate alerts from all categories at the project, group, and workspace levels and visualizing those alerts in both a list-view as well through explorable charts and graphs. Alerts will be eventually be capable of being prioritized based on the severity of the alert (defined by the policy that generated the alert) as well as an analytical algorithm that scores the alert based on its level of risk. The alert dashboard will also host the central workflow for taking action on alerts, including any auto-suggested remediation actions or recommended policy tuning changes.

Policy Management Vision

The policy management experience is the central location for policies across both the Secure and Protect stages. Here users will be able to have the flexibility of managing policies directly in code or in a streamlined UI editor. As part of the long-term vision for the policy management experience, users will be able to view a complete history of all changes and easily revert to a previous version. A two-step approval process can optionally be enforced for all policy changes. Eventually the policy management UI will be extended to provide visibility into the performance overhead of each policy. Suggestions into policy adjustments that might help either reduce false positives or increase overall security coverage will be provided in this section as well.

Security Approvals Vision

Security approvals define when and how security teams get involved in the development workflow. The vision for this area is to provide a highly granular level of approval definition functionality at the project, group, and workspace levels. The near-term roadmap in this area is currently being researched.

Upcoming Releases

13.12 (2021-05-22)

• Allow Users to View Policy History in the Policy UI Ultimate
• Hide the Security Policy Project and Automate Permissions Ultimate
• Project-level DAST Scan Execution Policies (scheduled scans) Ultimate

14.0 (2021-06-22)

• Remove GitLab WAF

14.1 (2021-07-22)

• Remove GitLab WAF
• Follow-on Improvements to Trivy Integration Ultimate

14.2 (2021-08-22)

• Allow Users to Edit yaml-mode Scan Execution Policies in the Policy UI Ultimate
• MVC: Project-level DAST Scan Execution Policies (pipeline) Ultimate

Other Interesting Items

There are a number of other issues that we've identified as being interesting that we are potentially thinking about, but do not currently have planned by setting a milestone for delivery. Some are good ideas we want to do, but don't yet know when; some we may never get around to, some may be replaced by another idea, and some are just waiting for that right spark of inspiration to turn them into something special.

Remember that at GitLab, everyone can contribute! This is one of our fundamental values and something we truly believe in, so if you have feedback on any of these items you're more than welcome to jump into the discussion. Our vision and product are truly something we build together!

Last Reviewed: 2021-04-28
Last Updated: 2021-04-28