DevSecOps 2.0 Campaign

Maintained by:

Campaign Overview

Business Objectives

Get Security DMs and Manager of App Dev to convert on our Security assets
Help sales land Ultimate deals by highlighting the value of a single DevSecOps platform

Campaign Visual

Mural of campaign flow»

Campaign Assets & Activities

Primary assets to be used in Always On Lead Generation:

:books: Dev focused content (Awareness stage): ebook: Building a Modern DevSecOps Software Factory
:books: Dev focused content (Consideration stage): eBook: How to achieve DevSecOps with CI/CD
:books: AppSec focused content (Purchase stage): 2021 Magic Quadrant for Application Security Testing

other assets available»

Relevant Powerpoint presentations:

New Assets and Upcoming events

See the FY22 Marketing Calendar for upcoming events & planned content around this campaign »

Research & Prep

Persona & Positioning

Users include both the developer and the security pro. We pride ourselves on having a united view of the software vulnerabilies and their status toward resolution. The buyer persona is usually the security manager who funds the delta from Premium to Ultimate.

Target Persona 1:

Level: Manager or Director
Function: Application Security. In large organizations, Application Security is a dedicated team or person. In smaller IT shops a group or individual security person may be responsible for application security along with network security, security operations, and more. While developers and DevOps teams like to use GitLab for security, the security pro is often skeptical, comparing it to their favorite incumbant scanner. They may have bet their career on justifying a very expensive scanner like Fortify or Veracode and are often reluctant to replace it, even if it can simplify their work as well as that of the developer.
Challenges we're trying to solve with this campaign:

Security struggles to fit traditional application scanning methods into an iterative, agile development environment.
1. Vulnerabilities often discovered in production causing project delays because security finds issues just before go-live.
2. Friction in the workflow causes rework and wastes time understanding context of a vuln reported today that was created a week ago.
3. Business improvements (a VP App goal) take a back seat to fixing security vulns (not my goal - this is a goal of the CISO) creating adversaries between groups.
4. Dependency backlog continues to grow (technical debt)
5. Integrating incumbent scanners into CI pipelines is complex with often unpredictable app sec license costs.
Recent software supply chain attacks are raising awareness of the need for greater application security that includes not only app sec testing but also policy automation, common compliance controls, and improved visibility and control over the SDLC tools and cloud native infrastructure. The USA Executive Order on Cybersecurty will only heighten the need for better security and compliance processes. Complexity is becoming an even bigger challenge!
How GitLab helps: Forrester research shows that complexity is one of the biggest challenges facing CISO's today. GitLab provides:
- simplicity - less tool integration and maintenance, one predictable cost
- earlier visibility into risk by scanning earlier and using single source of truth between dev and sec
- greater control over the security of the SDLC through use of one platform with end-to-end policies and auditability.
Why is GitLab a better solution than competitors:
1. For those struggling to 'shift left', GitLab can provide a path of least resistence: Developers already love GitLab and Security teams can harness that momentum to quickly scale their app sec program while adding defense-in-depth of multiple scan types (SAST, DAST, Dependencies, Containers, and License Compliance, Secrets detection, and fuzz testing) built-in and automatically applied. Security is more efficient with one UI to see all findings in one place, along with details about the vulnerabilities and their remediation efforts.
2. For those already trying to embed security within their CI pipeline, GitLab simplifies the complexity by offering one solution for all of your app sec testing needs, allowing you to test every code change with straightforward and predictable seat-based pricing.
3. A single platform can greatly simplify compliance and audit requirements allowing you to apply policies automatically for greater consistency and see who changed what/where/when across the SDLC.
4. GitLab not only helps your enterprise delivery more secure code, but also manage and monitor containers and kubernetes upon which cloud native apps depend.

Competitive solutions require substantial set-up and maintenance to integrate scans into the CI pipeline, with no end-to-end visibility across mutliple tools.

Target Persona 2:

Level: Practitioner
Function: Application Security The security pro cares most about managing risk to the enterprise/agency. They take a broad view of process looking for process improvement areas to reduce risk and avoid repeat mistakes. Because they care about risk, they want to identify unresolved vulnerabilities, their severity, and their remediation status. They care about trends over time and aggregate improvements. Often their metrics are mean time to remediation. It is rare that the security person themselves is able to remediate a software security flaw; they depend upon the developer to do this. This goal misalignment is often a reason for contention between the groups. In traditional app sec environments, where testing is done at the end of the SDLC, they may spend alot of their time tracking and reporting vulnerability statuses, vetting findings, and triaging to dev teams. Where development is more automated, they may be able to focus more on setting policies and allowing the tools to enforce them. They often want to avoid moving any new critical/high vulnerabilities into production and favor breaking the build to enforce this.
Challenges we're trying to solve with this campaign: Security struggles to fit traditional application scanning methods into an iterative, agile development environment.
1. Vulnerabilities ar4e often discovered in production, or right before, causing project delays because security finds issues just before go-live. The security practitioner becomes 'the bad guy', stopping a launch.
2. Siloed tools waste time understanding context of a vuln reported today that was created a week ago and translation may be required between findings from a security tool and where the flaw resides in the code.
3. The growing use of dependencies, APIs, containers, Kubernetes adds attack surfaces to assess and monitor while security teams struggle to keep up. Sadly, some practitioners may not even know they have this problem.
4. Tracking remediation status is difficult - often many spreadsheets and constantly asking others for updates.
5. Keeping up with wildly different licensing between multliple security scanners can waste time determining if current licensing is sufficient for each new project.
6. Security pros are outnumbered by the development teams they are aligned to - frustration, overworked.
Recent software supply chain attacks are raising awareness of the need for greater application security that includes not only app sec testing but also policy automation, common compliance controls, and improved visibility and control over the SDLC tools and cloud native infrastructure. More pressure on an already difficult job!
How GitLab helps:
- earlier visibility into risk by scanning earlier and using single source of truth between dev and sec
- greater control over the security of the SDLC through use of one platform with end-to-end policies and auditability.
Why is GitLab a better solution than competitors:
1. For those struggling to 'shift left', GitLab can provide a path of least resistence: Developers already love GitLab and Security teams can harness that momentum to quickly scale their app sec program while adding defense-in-depth of multiple scan types (SAST, DAST, Dependencies, Containers, and License Compliance, Secrets detection, and fuzz testing) built-in and automatically applied.
2. GitLab can help Security be more efficient with one UI to see all findings in one place, along with details about the vulnerabilities and their current remediation efforts. The A-F grading scale on the Security Dashboard helps security quickly identify projects with the most risk.
3. GitLab's single platform can greatly simplify compliance controls allowing you to enforce scan requirements and other controls consistently across projects. A united tool offers insight into dev actions and remediation status. Security can be a better helper not a hindrance/inspector.
4. GitLab not only helps your enterprise delivery more secure code, but also manage and monitor containers and kubernetes upon which cloud native apps depend.

Competitive solutions require substantial set-up and maintenance to integrate scans into the CI pipeline, with no end-to-end visibility across mutliple tools.

Target Persona 3:

Level: Manager
Function: Application Development or DevOps
The developer cares about security but does not want to become a security expert. Their primary driver to write secure code is to protect their personal/professional reputation. They don't want to be the one that brings their company down via vulnerable code that they wrote. At the same time, they are goaled mostly on quickly turning out code that meets their users' requirements. Often they are not measured on security flaws. Security can seem like a necessary nuisance. Tools that fit within their workflow, without context-switching are most acceptable. The clarity GitLab provides by reporting vulnerabilities at code commit (changes they just made, not someone else's) is helpful.
Challenges we're trying to solve with this campaign:

Security is important but we need new tools/methods in order to fit it into an iterative, agile development environment. Traditional app sec frustrates development efforts:
1. Vulnerabilities often discovered in production causing project delays because security finds issues just before go-live
2. Friction in the workflow causes rework and wastes time understanding context of a vuln reported today that was created a week ago
3. Business improvements (a VP App goal) take a back seat to fixing security vulns (not my goal - this is a goal of the CISO) creating adversaries between groups.
4. Security finds everything - but too late - it becomes technical debt to go back and fix later (and potential liability too)
5. Some security teams actually want developers to use the security scanners (like Fortify) directly!
Recent software supply chain attacks are raising awareness of the need for greater application security that includes not only app sec testing but also protecting the software supply chain. The USA Executive Order on Cybersecurty will only heighten the need for better security and compliance processes. I have a feeling things will get more complex with more people looking over my shoulder and more controls hindering my development efforts.
How GitLab helps:
- simplicity - I can stick with a tool I already use + less tool integration and maintenance, let's us focus on business needs not tool chains
- earlier visibility into risk with all scan results within the MR pipeline where I'm already working. No context switching. And because security teams can see what vulns remain when I'm done, along with remediation efforts, they don't constantly pull me away from my work asking for updates.
- control is built in. I don't have to hunt for policies. Requirements can be automatically applied via compliant pipelines and exceptions easily tracked.
Why is GitLab a better solution than competitors:
1. GitLab automatically provides security scans, seamlessly helping me find and fix my own security flaws. There is no added work to set these up, no new tools to learn, no context-switching. Comparitively, other build-your-own solutions require significant set-up effort. GitLab's AutoDevOps simplifies the set up of all of these scans into one command.
2. By providing the scan results within the merge request pipeline, the developer does not need to change context or use another tool. The results show vulnerabilities they created - not ones lurking for years in the code or that another developer created. It's easier to fix what I'm working on now then when someone asks me weeks later.
3. Built-in fuzz testing makes it easier to apply a pretty advanced method without much learning ramp. It can help me find quality/logic flaws as well.
4. Transparency of who changed what/where/when can save me time later when audit comes around asking questions.

Keyword Research

See the DevSecOps 2.0 keyword research doc »

Polished Messaging

Overall

| | Polished Messaging | | —— | —— | | Overall Message | The complexity of integrating security is one of the biggest challenges facing DevOps. GitLab simplifies DevSecOps efforts and improves compliance, by embedding robust security capabilities for both the developer and the security pro into one end-to-end DevOps platform. | | Headline | Simplify and scale security and compliance while adding visibility and control | | Statement | GitLab simplifies application security and compliance while protecting the integrity of the software supply chain. | | Key Messages | 1. Improve application security without adding complexity by uniting Dev and Sec within one DevOps platform. Stop building and maintaining tool integrations and stop juggling spreadsheets to track vulnerabilities. Built-in AppSec testing and vulnerability management allow teams to mitigate risk while maintaining development velocity. | || 2. Today's sophisticated attackers, along with new attack surfaces of cloud native applications, require greater defense in depth. GitLab provides SAST, DAST, Container and Dependency scanning, API testing, fuzz testing, secrets detection, and license compliance within the developer's CI workflow, with no integration required. | || 3. As developers push code faster and more iteratively, you need security scanning that can keep up, along with guardrails to ensure policy compliance. GitLab automates security scanning using compliant pipelines and controls that reflect your policies. | || 4. Gain visibility into risk while improving collaboration. Developers see the security flaws they just created before their changes are merged, providing actionable and timely insight. Security teams see unresolved vulnerabilities, including findings from dynamic scans, while code is in development. This single source of truth improves efficiencies and collaboration between dev and sec. | || 5. Recent attacks, along with the U.S. Executive Order on Cybersecurity, have elevated the need to secure software supply chains. GitLab's DevOps platform provides common controls for compliance from planning to production and enables you to see who changed what, where, and when across the entire SDLC. |

Topics	1. DevSecOps / security embedded within CI pipelines / shift left
	2. Managing the growing risk and scaling remediation of third-party code vulnerabilities.
	3. Container security / cloud native application security / IaC Security
	4. EO on Cybersecurity / compliance
Top-level Keywords	DevSecOps, application security, application security testing, software security, dependency scanning, container scanning, container security, compliance, secure software supply chain

Theme	Digestable Sound bytes (to be revised)
Simplify DevSecOps	Simplify DevSecOps by using a DevOps platform, loved by developers, with security already embedded.
	Stop managing complex tool chain plug-ins and fragile automation scripts. The GitLab DevOps platform includes robust app sec scanning within the CI pipeline, no integration necessary.
	GitLab provides a single source of truth that unites Dev and Sec efforts to resolve software vulnerabilities.
Shift left	Shift security left to empower developers to find and fix software vulnerabilities earlier in the DevOps lifecycle.
	Automate security scans with every code change to better defend your organization from attack.
	Reduce delays in production by finding and fixing vulnerabilities in development.
Visibility	GitLab's end-to-end DevOps platform helps you see who changed what, where, when from software planning through production.
	Harness the developer's existing workflow to scale your application security program, improve efficiency, and surface risks earlier.
Control and compliance	Apply and enforce security and compliance policies throughout your software development process.
	Apply security and compliance guardrails to your DevOps platform to provide consistency, simplify audits, and reduce risks.

Buyer Journeys, Content & Emails

SDR Follow up process

🔔 About the inbound leads

What did they do? They downloaded a relevant DevSecOps asset, registered/attended a DevSecOps webcast/workshop/demo or viewed DevSecOps assets in the campaign's PathFactory track.
Are they MQLs? If they did one of the actions above and consume additional assets in PF, they will reach the 90 point threshold and MQL.
What if they don't hit the threshold? They will receive additional related assets via an email nurture campaign in Marketo. As they engage more, their score increases toward the 90 point threshold.

Accessing leads in SFDC

In an effort to keep you focused on the prioritized lead and contact views, an Interesting Moment is triggered from Marketo.

Interesting Moment to look for: those that contains DevSecOpsphrase

Please prioritize lead AND contacts views per normal SLAs:

If they are in salesadmin / raw status / legacy AE owned, managers will monitor these leads for re-routing.

Outreach sequence

Please put leads tagged with relevant last interesting moments into the below master sequence:

Master Outreach sequence»