The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
| Stage | Govern |
| Maturity | Viable |
| Features & Demos | Our Youtube playlist |
| Content Last Reviewed | 2024-02-05 |
| Content Last Updated | 2024-02-05 |
Thanks for visiting this category strategy page on Vulnerability Management in GitLab. This category belongs to the Threat Insights group of the Govern stage and is maintained by Alana Bellucci ([email protected]).
This direction page is a work in progress, and everyone can contribute:
Vulnerability management is the process of identifying, prioritizing, and tracking vulnerabilities in assets and applications. At its simplest, vulnerability management aims to help security professionals efficiently and effectively determine what weaknesses to address in what order. In this mature, crowded space, programs and solutions often differentiate by how much they facilitate these various aspects by way of additional tools or capabilities. Depending on vendor's differentiation focus area, you may encounter solutions classified under different terms.
These point-solution capabilities fall short of their potential. Holistic solutions need to be built around systems that can identify and prioritize constantly changing vulnerability information. They also need to help the modern security professional break through silos to enable quick and efficient remediation.
GitLab was named a Challenger in the 2022 Magic Quadrant for Application Security Testing.
Our vision captures what we want to deliver to customers in the next 10 years.
We want to extend beyond the capabilities of current vulnerability management systems and elevate the baseline for software security everywhere. GitLab aims to provide the most complete solution for managing all aspects of vulnerability-related risks across the entire software development lifecycle.
Traditionally, vulnerability management has focused on scans of live web apps and assets along with management of those vulnerabilities in a single tool. At GitLab, we believe vulnerabilities should should be seamlessly integrated with the rest of the DevSecOps lifecycle. GitLab can provide the most context on security findings thanks to our role in running test jobs, deploying staging apps, and deploying to production through GitOps. To that end, we will continue shifting security left and providing visibility into potential weaknesses during the development phase. We will leverage our powerful Secure stage tools to proactively identify weaknesses in the code before it is merged.
With vulnerability management, security is a team effort. We will surface vulnerabilities, in assets and in application code, that can be mitigated, managed, and acted upon by your whole team—not just the security organization. We will also support teams with compliance and auditing efforts, enabling these teams to show the lifecycle of identifying and mitigating identified vulnerabilities.
We will increase visibility and decrease friction in the DevSecOps workflow by providing unified interfaces and integrations with the systems teams are already using. With vulnerability management, teams will be able to manage the output from all of our security features, so that there is always a single source of truth for security results. We will continue to facilitate integrations with 3rd-party tools through robust, open APIs and our technology partners.
Vulnerability management helps security professionals efficiently and effectively determine what weaknesses to address in what order. An effective, well-defined, repeatable system for assessing the risk and relative priority of a given vulnerability is crucial to success of a security program.
We are currently working to mature the Vulnerability Management category from viable to complete. Definitions of these maturity levels can be found on [GitLab's Maturity page](https://about.gitlab.com/direction/#maturity. This epic groups the functionality we have planned to mature Vulnerability Management to complete.
We are currently focusing on making sure leadership can see a project, sub-group, group or instance level view of their vulnerabilities and dependencies at each level. We will also be working to make sure teams have an enhanced triage experience for dependencies and vulnerabilities. This will include enhancements to filtering, searching, sorting and grouping on both the project and group vulnerability reports. Specific issues and epics are prioritized on the Threat Insights Priorities page. In parallel, we will be working on incorporating AI features. To learn more, please check out our Security AI Vision.
Vulnerabilities as First-class Citizens
Vulnerabilities are critical to track throughout the software development lifecycle from discovery through remediation. The way a vulnerability is handled will be highly dependent on its severity, remediation strategy, and the unique internal processes of the teams involved. This need for visibility, traceability, and flexibility requires that we treat vulnerabilities as the unique entities that they are. That's why in GitLab, vulnerabilities are first-class citizens (objects) like an Issue or an MR.
Security Dashboards and Vulnerability Reports
A dashboard should provide a centralized overview of the most relevant information to support informed decision making and evaluating performance toward specific goals. We provide Security Dashboards at the Project and Group level as well as a personal Security Center to support these needs at various levels of organizations. Primarily geared toward security teams and engineering management, they are a key tool for assessing the current security status of your organization's applications as well as gauging vulnerability management performance over time. Vulnerability reports are the central place to manage the triage and remediation process as they reflect vulnerabilities present in the default branches of projects. Vulnerability reports help keep your organization's application security health at a proper level.
Learn more about Security Dashboards and Vulnerability Reports.
Merge Request Security Reports
Shifting security left is about catching and fixing potential vulnerabilities before they can make it into the codebase. Merge request security reports present the results of security scans as a diff of the current branch against the target (default) branch. This allows a developer to see the isolated impact of their changes by highlighting any new vulnerabilities introduced. It is now easy to take corrective action against these new security issues as part of the normal development cycle. By addressing them in the MR, it maintains the security level of the default branch and keeps new vulnerabilities from reaching production environments. Merge request security reports can be used in conjunction with Security Policies for a more controlled secure development process.
Pipeline Security Reports
Pipeline security reports provide a total picture of all security issues present in the source and target branches. Whereas the merge request security report shows only vulnerabilities newly introduced by a given branch and Security Dashboards show only vulnerabilities already present in the default branch, the pipeline security report shows the combination of both. This provides a quick way to see a total snapshot of the "risk load" that will exist in the default branch were the current branch to be merged.
There are dozens of vendors providing vulnerability management as a standalone offering or as part of a larger solution. Some chose to rely heavily on integrations to broaden their capabilities while others chose to build and bundle additional functionality. As DevSecOps continues to mature as a concept, the pressure to expand further with traditional DevOps capabilities alongside support for multiple security scan types increases. A sudden spike in acquisitions in the space over just a few months in 2021 (noted below) supports this thesis. However, rather than the vendors below making acquisitions to bolster their DevOps chops, many of the upstarts and smaller players have been acquired by much larger entities in the security space presumably looking to increase the footprint of their own DevSecOps capabilities. To understand the competitive landscape, it is helpful to group vendors based on the capabilities that they offer.
These vendors have broad offerings and are considered leaders in the space by the major analyst firms. These are also some of the oldest solutions in a space that is evolving beyond focusing on just the management and tracking of vulnerabilities from a given vendor's own tools. Most are more focused on post-deployment application and/or infrastructure scanning (DAST, container). They include their own scanning tools as part of or as an additional option with their vulnerability management tool:
One of the most challenging aspects of vulnerability management is triaging the large volume of vulnerability findings many security professionals must handle. Some vendors have chosen to focus specifically on this vulnerability prioritization aspect. While they typically do not provide scanners, most offer multiple pre-built integrations with various commercial and open source products as well as vulnerability data sources to provide deeper insights than most of the broader vulnerability assessment/management solutions.
Some notable vendors focused on prioritization include:
Gartner distinguishes these vendors by their heavy use of automation in testing application security. They pull data from multiple sources including code scanners (SAST, DAST, SCA) and vulnerability assessments. Some vendors also have begun to ingest infrastructure vulnerability findings to provide an end-to-end view of application security flaws. These tools help prioritize remediation efforts by centralizing the correlation and analysis of findings from a broad source of inputs. You will often find bundled open source security scanners alongside extensive integration capabilities with other commercial security tools. Some of these offerings can also be tightly integrated into CI/CD workflows, making ongoing security assessment part of the DevSecOps flow. This set of tools has seen both the most heavy acquisitions as well as the most new entrants over the last few years. GitLab's vulnerability management and broader Application Security Testing features best align with the capabilities of ASOC vendors.
Notable ASOC vendors include:
Application security posture management (ASPM) evolved from ASOC. ASPM aims to manage an organization's Application Security program based on business risk. ASPM provides visibility throughout the software development lifecycle from commit to release to facilitate risk management and vulnerability resolution.
Notable ASPM vendors include:
There are also a few competitors that aren't a direct competitor in the vulnerability management space but do overlap with GitLab functionality as a whole. These vendors typically include some security tools that overlap with our own Secure scanners. They also provide closer integrations with or their own CI/CD and SCM solutions. It is conceivable that any of these vendors could add or expand their vulnerability management capabilities, making their value proposition closer to GitLab's. In the case of Harness, their recent acquisition of ZeroNorth again supports this industry acknowledgement of the need for a single solution that covers the entire DevSecOps lifecycle.
All of the features for Vulnerability Management are only included in GitLab Ultimate.
Vulnerability management is covered slightly differently, depending on the analyst.
