The page below is intended to align GitLab sales and marketing efforts with a single source of truth for our go-to-market efforts around DevSecOps.
|Product Marketing||Technical Marketing|
|Cindy Blake ( @cblake )||Fernando Diaz ( @fjdiaz )|
The Software Compliance solution is applicable for customers who are concerned about securing their software supply chain and simplifying their compliance with common industry regulations while at the same time speeding their software velocity.
GitLab's platform approach seamlessly embeds security and compliance within the DevOps platform, providing simplicity, visibility, and control.
While compliance and auditability has always been important, these requirements have greater attention following high-profile attacks on software supply chains and the related US President's Executive Order to improve cyber security. The Executive Order (EO) directs NIST to publish preliminary guidelines for enhancing software supply chain security by November 8, 2021. It is anticipated that NIST, the National Institute of Standards and Technology, will provide even more guidance. This article explains clearly why it's important to anyone developing software. It says, while the EO is "directly applicable to the U.S. Government, the standards being established for U.S. Government agencies could be adopted as industry standards for all organizations that develop or acquire software similar to various industries adopting the NIST Cybersecurity Framework as a security controls baseline."
Application security testing is still a foundational part of compliance, but now visibility and control across the entire software factory is even more paramount than before, a capability that is made challenging by complex DevOps tool chains.
Cameron the Compliance Manger needs to be sure all the company's development processes are compliant. Given the amount of data that a software development and delivery lifecycle produces, and the complexity of typical DevOps tool chains, he finds it difficult to find, aggregate, and report on all of the necessary data and changes made across systems for audit purposes. He needs to easily see who changed what, where, and when from end-to-end across the SWDLC. He needs the information to be available quickly and easily so he can reduce the time and disruption involved in the evidence collection process.
Sasha the Software Developer uses GitLab primarily within the MR pipeline report. The developer cares about compliance and security but does not want to become a compliance expert. Capabilities that help them run fast while staying compliant are appreciated.
Sam the Security Analyst may be tasked with automating and reporting on compliance policies so would like them to be simple, efficient, and automated wherever possible. Sam finds it difficult to control which policies are applied within the development prociess (e.g. CI pipelines) and to keep them from being circumvented. In fact, he may not even know they've been circumvented.
The CTO or head of DevOps Architecture is usually the buyer for when compliance is the primary driver.
The key capability that addresses the CTO's need is Compliant Pipelines and the Compliant workflow automation. They need the ability to prescribe scans and policies in the CI pipeline and ensure individual developers cannot bypass them.
The Security Manager or CISO (Sam's boss) is usually the buyer for the Ultimate tier when security gets involved.
The key to winning their hearts is to focus on Simplicity and control
Analysts have not identified a market segment for software compliance. They have been writing articles about it though. Forrester spoke about the Executive Order at GitLab's Commit event in Fall of 2021.
|Market Requirements||Description||Typical capability-enabling features||Value/ROI|
|Common compliance controls||Controls necessary to protect the integrity of the software development and deployment process||Role-based access, MR approvals, and many others||Simplify audit and compliance and reduce risk of noncompliance.|
|Automated policy enforcement||Automation can reduce the audit burden. Enforcing policies within the MR shifts compliance left where developers can resolve problems early in the life cycle||locked CI templates that enforce policies in the pipeline||Avoids late rework. In regulated industries, there is an approved change order window. if it is missed for rework, the change management process must start over.|
|Audit reporting||Audit events should be automatically captured and reported. Changes to code, controls, and IaC should be traceable and captured as audit events across the entire SDLC.||Audit events, audit reporting||reduce risk of non-compliance and efficiently identify root causes following a security or compliance incident|
|Security Governance||The solution must automatically apply security policies against code changes to ensure that only appropriate risks are taken. Application vulnerabilities, representing risk, are tracked, managed, and reported. The solution must enable routine assessments of security practices to evaluate for risk, compliance, audit and process improvement opportunities (usually for education purposes).||Security policy automation, Risk and compliance reporting, Audit reporting, Variety of security metrics and process reporting, Vulnerability database and management||Efficiently monitor, manage and mitigate risk. Ability to identify exceptions and refine policies over time.|
|Security guardrails (Preventative - Pre CI/CD)||Preventative Application Security uses guardrails to help teams consistently build things that are secure from the start.||Compliant pipelines that cannot be circumvented by a developer, pre-approved code libraries, and auto-discovery that catalogs all third party code.||Prevents creating new vulnerabilities.|
GitLab Software Compliance solution overview
|Market Requirements||How GitLab Delivers||GitLab Category||Demos|
|Common compliance controls||GitLab provides many common controls throughtout the SDLC, Audit events Compliance Management||Access and Compliance within the Manage stage|
|Automated policy enforcement||Security policies can be managed in one place while compliant workflow automation helps admins easily apply compliance policies across projects.||Govern||Compliance pipelines|
|Audit reporting||GitLab tracks audit events across the entire SDLC and report them||Access and Compliance within the Manage stage|
|Security Governance||Security Policy Automation, Compliant workflow automation, Security Dashboards and Vulnerability Reports, MR approvals, License compliance||Govern, Secure|
|Security guardrails (Preventative - Pre CI/CD)||GitLab falls short of providing pre-approved dependencies as some other vendors do, bill of materials feature||Govern, Secure||Manage your Application Dependencies with GitLab|
|Single Application for Entire DevOps Lifecycle||a single application eliminates complex integrations, data chokepoints, and toolchain maintenance, resulting in greater productivity|
|End-to-End Insight and Visibility||GitLab's common data model enables enables end-to-end visibility and traceability throughout the DevOps lifecycle, correlating and aggregating data automatically|
|Deploy Your Software Anywhere||GitLab is infrastructure-agnostic (supporting GCP, AWS, Azure, OpenShift, VMware, On Prem, Bare Metal, and more), offering a consistent workflow experience - irrespective of the environment|
|Leading SCM and CI in One Application||having the backbone of a DevOps toolchain in one application streamlines code review & collaboration (one interface, one user model, one data model)|
|Built-in Security and Compliance||move security testing earlier in the development lifecycle with out-of-the-box security features (code scanning, dependency scanning, secrets detection, etc.) and automated security testing and audit controls to facilitate policy compliance|
|MR approval based on Security Policy||Bring Development and Security Teams closer by allowing security teams to apply organizational security policies before hand and review/approve security exceptions before the code is merged||Merge-Request Approvals as Displayed in DevSecOps Overview|
|Compliance Management||GitLab makes compliance easier by providing a single source of truth for Dev, Sec and Ops through a single data-store. Everything is audited and for every change, there is a single thread that contains the full audit log of every decision and action - making audit compliance a breeze||Manage Compliance with GitLab|
|Compliant pipelines||Admin can choose a compliance framework and apply it to the project. It will override any changes developers make to the pipeline||Compliant pipelines|
The message house for compliance provides a structure to describe and discuss the value and differentiators for the Software compliance solution.
Top message: GitLab helps you take control of your software development with a single platform that helps you automate and standardize the development process and policies while providing end-to-end visibility/traceability so that development can run fast with less risk.
The GitLab DevOps platform approach helps you achieve Compliance with better visibility and control while simplifying audits and forensics. Governance is simplified with one place to manage policies, apply them, assess exceptions, and measure policy affect.
Because developers see compliance concerns in the MR pipeline alongside security vulnerabilities, these can also be fixed while the developer is still iterating on the code, rather than waiting until pre-production when changes cost more time and money.
See how we compare against other DevOps approaches
Key Compliance features with Free/Premium:
In addition, some security scanning is available in the Free tier:
Key Compliance features with Ultimate:
In addition, more security scanners are available, along with Vulnerability management and security dashboard. See the DevSecOps solution for details.
|Feature / Scenario||Free||Premium||Ultimate||Product Analytics||Notes|
|Merge Request Approval Flow / Rules||X||X||counts.merged_merge_requests_using_approval_rules|
|SAST (Static Application Security Testing)||X||X||X||user_sast_jobs|
|API Fuzzing||X||user_api_fuzzing_jobs, user_api_fuzzing_dnd_jobs on self-managed|
The table includes free/community and paid tiers associated with GitLab's self-managed and cloud offering.
We partner with key industry vendors to extend GitLab's ability to address customer needs and fulfil the market requirements.
If you or your customer has a third party they'd like to see integrated into GitLab, send them to the partner integration page for instructions.
Many great opportunities will not entirely fit this ideal profile. An ideal customer profile is the description of our "perfect" customer (company, not individual or end user). The profile takes into consideration firmographic, environmental, and additional factors to develop our focus list of highest value accounts.
|DevOps maturity||adopted DevOps for at least several projects or departments||adopted DevOps for at least several projects or departments||adopting DevOps for at least half of their projects|
|Tool complexity||complex tool chains hinder end-to-end visibility||complex tool chains hinder end-to-end visibility||wanting to avoid a complex tool chain|
|CI pipeline control||Integrated security into DevOps but lacks pipeline consistency across projects||Integrated security into DevOps but lacks pipeline consistency across projects||Integrated security into DevOps but lacks pipeline consistency across projects|
|Cloud native||using Docker and Kubernetes, APIs, but not confident in th security of these||using Docker and Kubernetes, APIs, but not confident in th security of these||using Docker and Kubernetes, APIs, but not confident in th security of these|
|Public sector or vendor who sells to public sector||Concerned about Executive Order on Cybersecurity and potential new regulations||Concerned about Executive Order on Cybersecurity and potential new regulations||Concerned about Executive Order on Cybersecurity and potential new regulations|
|General Software supply chain security concern||non-specific concerns about not becoming a victim||non-specific concerns about not becoming a victim||non-specific concerns about not becoming a victim|
|Regulated industry||Strict change control means missed change windows when compliance issues are found late in the process||Strict change control means missed change windows when compliance issues are found late in the process||Strict change control means missed change windows when compliance issues are found late in the process|
4. For public sector and regulated industries only
5. Related security questions
|Before state||Negative consequences|
|1. A complex tool chain makes it difficult to see who changed what, where, when across the entire SDLC||Audits are difficult and in the event of a breach, it could take days/weeks/months to identify root cause|
|2. Audits are difficult and time consuming to show controls that cross multiple systems||A lack of traceability may require manual or other supplemental processes that are inefficient. Or you simply cannot show controls consistently across systems for a given project, opening yourself to risk.|
|3. Non-compliance may be discovered right before production.||Rework and lost velocity. For Regulated industries, must restart change management proecess|
|4. Policies are set but developers and other users can simply turn them off||This opens the door for security and compliance problems, including insider attacks. The lack of control lengthens audit efforts.|
|5. Inconsistent pipelines across projects||Every project must be inspected uniquely for compliance.|
For public sector and regulated industries only
|After scenarios||Positive business outcomes|
|1. End-to-end visibility of who changed what, where, when for application code, its dependencies, its IaC||Easier audits, less risk of insider threats, compromises more quickly discovered|
|2. End-to-end consistent execution of policies across projects||Simplified audits and less risk|
|3. Software development that is compliant with industry regulations||less risk of fines and other noncompliance consequences|
|4. Discovery of compliance issues early, while developer is still iterating on the code||Less rework and therefore less developer time. For regulated industries, fewer missed change management windows. Improved velocity.|
|1. End-to-end visibility of who changed what, where, when for application code, its dependencies, its IaC||time to identify root cause|
|2. Policy enforcement for the entire SDLC from one console||time spent tracking exceptions and integrating policies between systems|
|3. One role-based access control for the entire SDLC||time spent in work-arounds|
|4. Inherited policies from instance to group to project||time spent setting up and reviewing compliance for individual projects|
|5. Reporting of compliance concerns to the developer in the MR||time spent in rework late in the SDLC|
SFDC report of referenceable secure customers Note: Sales team members should have access to this report. If you do not have access, reach out to the customer reference team for assistance.
The following will link to enablement and training videos and content.
GitLab offers a variety of pre-packaged and custom services for our customers and partners. The following are service offers specific to this solution. For additional services, see the full service catalog.
Inventory of key assets in the buyer's Journey