Category Direction - Security Orchestration

1. You are here:
2. GitLab Direction
3. Product Stage Direction - Protect
4. Category Direction - Security Orchestration

Maintained by:

G

• Protect
  • Introduction and how you can help
  • Overview
    • Target Audience
  • Where we are Headed
    • Security Alert Management - Key goals and guiding principles
    • Security Policy Management - Key goals and guiding principles
    • Security Approvals - Key goals and guiding principles
• Key Features
  • Security Alert Dashboard
  • Security Approvals
    • What is our Vision (Long-term Roadmap)
    • What's Next & Why (Near-term Roadmap)
    • What is Not Planned Right Now
    • Maturity Plan
  • User success metrics
• Competitive Landscape
• Analyst Landscape

Protect

Introduction and how you can help

Thanks for visiting this category direction page on Security Orchestration in GitLab. This page belongs to the Container Security group of the Protect stage and is maintained by Sam White (swhite@gitlab.com).

This direction page is a work in progress, and everyone can contribute. We welcome feedback, bug reports, feature requests, and community contributions.

• Please comment and contribute in the linked issues and epics on this page. Sharing your feedback directly on GitLab.com is the best way to contribute to our strategy and vision.
• Please share feedback directly via email or on a video call. If you're a GitLab user and have direct knowledge of your need for container security, we'd especially love to hear from you.
• Can't find an issue? Make a feature proposal or a bug report. Please add the appropriate labels by adding this line to the bottom of your new issue /label ~"devops::protect" ~"Category:Security Orchestration" ~"group::container security".
• Consider signing up for First Look.

We believe everyone can contribute and so if you wish to contribute here is how to get started.

Overview

Security Orchestration is an overlay category that provides policy, alert, and security approval orchestration support for all the scanners and technologies used by GitLab's Secure and Protect stages. The goal is to provide a single, unified user experience that is consistent and intuitive.

Target Audience

1. Cameron (Compliance Manager)
2. Devon (DevOps Engineer)
3. Alex (Security Operations Engineer)
4. Delaney (Development Team Lead)

Where we are Headed

The work done in the Security Orchestration category spans three key areas: Security Alert Management, Security Policy Management, and Security Approvals.

Security Alert Management - Key goals and guiding principles

1. Engage security teams - build a pathway to get security departments involved in GitLab
2. Single app vision - users should not be required to use an external system to view security alerts related to GitLab or their Kubernetes application
3. Unified experience - Provide a single location where users can triage, investigate, and respond to security alerts regardless of the underlying technology

Security Policy Management - Key goals and guiding principles

1. Scalability - Allow organizations with large numbers of projects to centrally manage and enforce when scans are run
2. Ease of use - Lower the knowledge requirement to use GitLab’s scanners
3. Appropriate permissions - Limit who can make policy changes; support auditing and approvals
4. Unified experience - Provide a consistent way to manage policies regardless of scanner or technology type
5. Flexibility - Allow users to work in either a GUI or code based on their preferences

Security Approvals - Key goals and guiding principles

1. Ease of use - Make the entire approval experience from start to finish as easy as possible
2. Unified experience - Integrate the security approvals workflow into the rest of the security policy experience
3. Flexibility - Allow users to define security approval rules at a granular level so they are only involved when necessary

Key Features

Security Alert Dashboard

The security alert dashboard provides a workflow for viewing and managing security alerts. Users can configure Network Policies to generate alerts when traffic is detected that matches the policy. These alerts then show up on the security alert dashboard where they can be triaged by a security team.

Learn more

Security Approvals

Security approvals are an optional feature for merge requests. You create a security approval group much like you would a regular merge request approval group. Then, when merging to the default branch, if a vulnerability with severity of Critical, High, or Unknown is present, the merge is blocked unless someone in the security approval group approves. This extra layer of oversight can serve as an enforcement mechanism as part of a strong security compliance program.

Learn more

What is our Vision (Long-term Roadmap)

Although this category is new, our vision is broad. We plan to support both scan schedule and scan results policies for all of GitLab's scanners at the Workspace, Group, and Project levels. In addition, we intend to add full support for two-step approvals and proper audit trails of any changes made. In the long-run, we intend to provide visibility into the impact (blast radius) a policy will have before it is deployed, add support for complex orchestration policies, and auto-suggest policies based on your unique environment and codebase. Policy changes will need to be fully audited and optionally run through a two-step approval process.

Beyond policies, we also intend to add support for an Alert workflow that will allow users to be notified of events that require manual, human review to determine the next steps to take. This workflow will eventually support auto-suggested responses and recommended changes to policies to reduce false positives and automate responses whenever possible.

The matrixes below describe the scope of the work that is planned in the long-run for the Security Orchestration category as well as our progress toward the end goal. Eventually we would like to have support for most, if not all of the boxes in the tables below.

What's Next & Why (Near-term Roadmap)

We recently brought this category to a Minimal maturity level in %13.9 with the release of a Security Alert Dashboard. Since then, we have iterated to refine that experience. The next few incremental improvements that we have planned are as follows:

1. Allow users to be assigned and unassigned from alerts
2. Allow users to create an incident from an alert
3. Allow users to open a drawer when selecting an alert to avoid always needing to drill into the details page to see relevant log information
4. Add support for a kanban-style view to allow users to more easily triage their work based on the current status

Our initial security policy management work has been started and is available behind a feature flag. Users can currently require DAST scans to be run anytime their project pipeline is run. The next steps are to also allow enforced scans to be run on a regular schedule and also to create a user-friendly UI for managing these security policies. This initial work will allow us to build a framework that we can then extend to other scanners, and also extend to the group and instance levels.

Our first step for security approvals is to research how we can iterate toward our end goals of having the capabilities tightly integrated with the security policy editor.

What is Not Planned Right Now

We do not currently plan to be a full-featured SOAR solution capable of aggregating, correlating, and enriching events from multiple security vendors. We intend to remain focused on providing security management and security orchestration for the security tools that are part of the GitLab product only.

Maturity Plan

Planned to Viable

User success metrics

We plan to measure the success of this category based on the total number of users that interact with the Policy and Alert pages in the GitLab UI.

Competitive Landscape

As this category is new, we are still completing our evaluation of the competitive landscape.

Analyst Landscape

As this category is new, we have not yet engaged analysts on this topic.