Gitlab hero border pattern left svg Gitlab hero border pattern right svg

Category Direction - Vulnerability Management

   
Stage Secure
Maturity Minimal
Features & Demos Our Youtube playlist
Content Last Reviewed 2020-06-18

Introduction and how you can help

Thanks for visiting this category strategy page on Vulnerability Management in GitLab. This category belongs to the ~"Threat Insights" group of the Defend stage and is maintained by Matt Wilson (mwilson@gitlab.com).

At GitLab, we believe everyone can contribute. One of the simplest ways is by contributing your feedback! If you're a GitLab user or an interested security professional, we especially would love to hear from you.

Send Us Feedback

Overview

Vulnerability management is the process of identifying, prioritizing, and tracking vulnerabilities in assets and applications. At its very simplest, vulnerability management aims to help security professionals efficiently and effectively determine what weaknesses to address in what order. In this mature, relatively crowded space, programs and solutions try to differentiate how broadly beyond this core function they stretch. Starting farther “to the left”, some vendors include their own vulnerability scanners (typically DAST or, more recently, container scanning) to capture new weaknesses before they are introduced into production. Others extend farther “to the right” by providing integration and feedback loops with infrastructure tools such as IPSes, WAFs, and patch management. Ultimately, all of these additional capabilities will fall well short of their potential if not built around a rock-solid system for not just prioritizing the ever-growing pile of vulnerability information the modern security professional must face but one that reduces the friction and breaks through the silos that prevent quick, efficient remediation.

Goal

We want to extend beyond the capabilities of current vulnerability management systems.

Traditionally, vulnerability management has focused on scans of live web apps and assets along with management of those vulnerabilities in a single tool. At GitLab, we have a broader vision: vulnerabilities should not be collected and managed in isolation but rather should be integrated with the rest of your DevOps lifecycle. To that end, we will continue shifting security left and provide visibility into potential weaknesses during the development phase. Rather than scan only the final running application, we will leverage our powerful Secure stage tools to proactively identify weaknesses in the code before it ever runs.

We will also continue to shift right as we integrate "downstream" with our Container Network Security, Web Application Firewall, and Container Behavior Analytics solutions. Not only do we plan to consume information on potential vulnerabilities from these tools, we will help complete the loop by tracking remediations and mitigations as they are pushed back out into live enviornments.

We want to show with vulnerability management that security really is a team effort. We will enable identifying meaningful sets of vulnerabilities, in both your assets and application code, that can be mitigated, managed, and acted upon by your whole team—not just the security organization. We will also support teams with compliance and auditing efforts by effectively being able to show the lifecycle of identifying and mitigating identified vulnerabilities.

We will increase visibility and decrease friction in the DevSecOps workflow by providing unified interfaces and integrations with the systems teams are already using for managing results from the ~"devops::secure" stage, so that there is always a single source of truth and single place for management of security results. And we will continue to faciliate integrations with 3rd-party tools through robust, open APIs and our technology partners.

Key features

Standalone Vulnerabilities

Details here

Security Dashboards

Security Dashboards—available at instance, group and project level—are the primary tool for Security Teams and Directors of Security. They can use these dashboards to access the current security status of their applications and to start a remediation process. The dashboards also provides stats and charts to figure out how the team is performing. This helps keep project security health at a proper level.

Pipeline Security Reports

Details here

Merge Request Security Reports

Details here

Responsible Disclosure

GitLab believes in responsibly disclosing software vulnerabilities. As such, GitLab is a CVE Numbering Authority (CNA) and can provide CVE IDs to researchers and information technology vendors. We will be integrating CVE ID request solution which will be available within our Secure and Defend Categories.

You can read more about reporting a vulnerability, our disclosure policy, and request a CVE ID at our Responsible Disclosure page.

Strategy

Understanding that an effective, well-defined, repeatable system for assessing the risk and relative priority of a given vulnerability is crucial to success in the Vulnerability Management space. This understanding is what will drive our thinking as we mature the category. To help frame our thinking, three key themes will serve as lenses through which to view how we can improve both the breadth and depth of functionality. Each step up in maturity will include initiatives that improve on all three themes, which are:

Visibility

Visibility is what information we present to the users, when we present it, and in what format. This will encompass everything from dashboard visualizations to reports geared towards non-GitLab users such as CISOs, auditors, and compliance officers. Having the right information in the right context at the right time not only allows for better decision making, it serves as an enabler of the next theme.

Efficiency

The majority of modern security departments are overworked and understaffed. The sheer month-over-month increase in the number of threats, rate of change in environments, accelerating adoption of new technologies, and novel potential attack vectors makes staying on top of things manually effectively impossible. Security software can help—but only if it cuts down more noise than the new signal it detects. This is why making our vulnerability management process as efficient as possible is essential for successful adoption. We will start by making the tedious and time consuming easier through UX enhancements. Longer-term, we will look to automate more and lean on analytics techniques (including ML) to help users make quicker, smarter decisions.

Situational Awareness

The final theme is perhaps most important of all from a business standpoint. Situational awareness means we will provide the best available information so the user can make a risk-informed decision. This will start by simply adding more depth to the information we show from the existing scanners to help better quantify risk more granularly than a few basic severity levels. Over time, users will have the ability to set custom policies based on configurable definitions of risk tolerance. We will help our customers maintain compliance with industry and internal policies by making it easy to map our Vulnerability Management program to risk management and compliance frameworks. We will also start tying in additional sources of information such as external vulnerability feeds, reports from responsible disclosure programs, and alert data from our own Contain Security applications. Ultimately, we want our customers to have the best possible understanding of their risk posture as it relates to their entire SDLC.

Roadmap

Minimal to Viable Viable to Complete

What's Next & Why

Now that Vulnerability Management is Minimal, we are focusing on what it will take to move to Viable. We will start by improving the vulnerability triage and management experience. This will include enhancing the MR security report and Security Dashboards.

The other area of focus will be on laying the groundwork to move from the current severity-based vulnerability classification system to a risk-based classification. Organizations want to understand more context around the potential impact of a given vulnerability. By understanding not just the severity but also the business criticality of the impacted assest along with the likelihood of compromise (how exposed is the asset), the responsible teams can more effectively assess threats and focus mitigation and remediation efforts on the highest risk areas first.

Competitive Landscape

While many vendors offer point solutions or products covering a part of the vulnerability management space, few are in a position to span the entire DevSecOps lifecycle. There are a number of notable vendors focused heavily on the scanning, tracking, and remediation aspects. Many include policy-drive workflows and automation. A few integrate into the left side of the DevOps lifecycle.

These vendors broad offerings classifies them more as Vulnerability Assessment (and Management) and are considered leaders in the space:

One of the most challenging aspects of vulnerability management is triaging the large volume of vulnerability findings many security professions must handle. It is worth calling out that some vendors have chosen to focus on this vulnerability prioritization aspect. Many offer multiple pre-built integrations with various scanners and vulnerability data sources to provide deeper insights than most of the broader vulnerability assessment/management solutions provide.

Some notable vendors focused on prioritization include:

Analyst Landscape

Vulnerability management is covered slightly differently, depending on the analyst.

GIT is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license