Product Stage Direction - Security Risk Management

1. You are here:
2. GitLab Direction
3. Product Stage Direction - Security Risk Management

On this page

• Stage Overview
  • Stage Vision and Scope of Operations
  • Stage Strategy
  • Groups and Areas of Focus
  • Categories
    • Security Policy Management
    • Vulnerability Management
    • Security Testing Configuration
    • Security Asset Inventories
    • Security Testing Integrations

Driving Actionable Security Risk Management with Seamless Automation and Scalability

Stage Overview

Stage Vision and Scope of Operations

The Security Risk Management stage will deliver actionable insights and seamless workflows that empower Application Security (AppSec) and Development teams to rapidly assess risk through comprehensive visibility, intelligent prioritization, and automated resolution workflows across the software development lifecycle (SDLC).

The stage will own the end-to-end user journey, including:

• Seamless onboarding.
• Configuration and orchestration of our suite of analyzers.
• Assesment, proiritization and resolution of the security risks.
• Enhanced automation through security policies and integrations.

The Security Risk Management stage is also responsible for building and maintaining the underlying infrastructure that ensures high performance, scalability, and extensibility. This infrastructure will be foundational in driving continuous innovation, while addressing scale and efficiency needs as the landscape evolves

Stage Strategy

GitLab Security Stage stands at a unique position in the application security market by offering a broad set of integrated security scanners embedded directly within developers' daily workflows. Our strength lies in consolidating security capabilities within the platform developers already use, significantly reducing the integration costs typically associated with application security solutions. With integration across all stages of the software development lifecycle and strong AI investments, we enable security to shift left while maintaining visibility throughout the entire process, making security an accessible part of development rather than a specialized discipline requiring separate tooling.

Our strategy will focus on three key areas:

1. Deliver an enterprise-ready solution with broad deployment capabilities across the SDLC (IDE, CI, on-demand), comprehensive asset visibility, advanced reporting, and vulnerability management workflows.
2. Leverage the GitLab platform's advantages through integration with additional SDLC steps, utilizing our unique data for improved functionality, and enhancing capabilities with AI.
3. Build strategic partnerships with relevant security vendors for ingestion of risks and threat inteligence for broader and improved contextual analysis

Groups and Areas of Focus

The SRM stage is made up of four groups:

Security Insights - Enable application security and development teams to efficiently assess, prioritize, triage, and remediate application security risks while keeping an up-to-date, comprehensive view of their applications' structure. Core areas of focus include:

• Modern Security Dashboards to address modern application security posture management challenges
• Vulnerability report and dependency list management improvements to allow advanced risk assessment and seamless integration as part of the GitLab platform and developers' day-to-day workflows
• Introduction of Application/Business unit risk assessment to support modern distributed and cloud-native applications across different development teams
• Track vulnerabilities outside of the default branch

Security Platform Management - Enable application security and development teams to orchestrate and control their application security tools from within the GitLab platform, integrate seamlessly with external tools, and provide a frictionless, holistic operational experience across GitLab's suite of security offerings. Core areas of focus include:

• Asset inventory and scanner coverage to enhance orchestration and identify security gaps
• Simplified, scalable configuration to allow deployment of scanners across the different stages of the SDLC
• Guided and seamless onboarding to improve time-to-value for our customers

Security Policies - Enable Application security teams to define and enforce security policies across their organization’s fleet of applications and services. Empower developers to adhere to organizational security standards within the context of their daily workflows. Support the underlying frameworks for GitLab’s security and compliance enforcement functionality. Core areas of focus include:

• Security and compliance pipeline enforcement of relevant jobs within GitLab pipeline that scale reliably.
• Seamless and centralized policy management for application security team via improved accuracy, instance level management and easier management
• Faster triage through vulnerability management workflow automation for issue tracking, auto triage, improved filtering, etc.

Security Infrastructure Group - Provide the required infrastructure and database resources to meet enterprise customer demand and required functionalities as a competitive application security platform. Core areas of focus include:

• Next-generation Vulnerability and Dependency Data Layer, enabling faster feature development
• Enhanced data model for vulnerabilities to support vulnerabilities as Work Items
• Support Database Decomposition Effort

Categories

Security Policy Management

Unified security policy management provides security and compliance teams with a way to enforce controls across their organization for all of GitLab's scanners and security technologies. Policies can be used to ensure security scanners are enforced in development team pipelines with proper configuration, all scan jobs execute without any changes or alterations, and proper approvals are provided on merge requests based on results from those findings. This category is at the "viable" level of maturity.

Priority: medium • Documentation • Direction

Vulnerability Management

Vulnerability Management enables collaboration between security teams by providing a uniform interface to assess the security posture of their applications. Security teams can view, triage, trend, track, and resolve vulnerabilities detected by the various GitLab scanners. This category is at the "complete" level of maturity.

Priority: high • Documentation • Direction

Security Testing Configuration

Seamlessly configure and onboard application security testing. This category is at the "minimal" level of maturity.

Direction

Security Asset Inventories

Identify security gaps by understanding which assets are covered by security testing, and when and where security tests have run. This category is at the "minimal" level of maturity.

Direction

Security Testing Integrations

Integrate external security testing tools for complete visibility and consolidation of your security workflows. This category is at the "minimal" level of maturity.

Direction

Last Updated: 2025-03-18