Primary assets to be used in Always On Lead Generation:
Relevant PowerPoint presentations:
See the FY22 Marketing Calendar for upcoming events & planned content around this campaign »
Users include both the developer and the security pro. We pride ourselves on having a united view of the software vulnerabilities and their status toward resolution. The buyer persona is usually the security manager who funds the delta from Premium to Ultimate.
Function: Application Security. In large organizations, Application Security is a dedicated team or person. In smaller IT shops, a group or individual security person may be responsible for application security along with network security, security operations, and more. While developers and DevOps teams like to use GitLab for security, the security pro is often skeptical, comparing it to their favorite incumbent scanner. They may have bet their career on justifying a very expensive scanner like Fortify or Veracode and are often reluctant to replace it, even if it can simplify their work as well as that of the developer.
Challenges we're trying to solve with this campaign:
Security struggles to fit traditional application scanning methods into an iterative, agile development environment.
Recent software supply chain attacks are raising awareness of the need for greater application security that includes not only app sec testing but also policy automation, common compliance controls, and improved visibility and control over the SDLC tools and cloud native infrastructure. The USA Executive Order on Cybersecurity will only heighten the need for better security and compliance processes. Complexity is becoming an even bigger challenge!
Competitive solutions require substantial set-up and maintenance to integrate scans into the CI pipeline, with no end-to-end visibility across multiple tools.
Function: Application Security
The security pro cares most about managing risk to the enterprise/agency. They take a broad view of process, looking for process improvement areas to reduce risk and avoid repeat mistakes. Because they care about risk, they want to identify unresolved vulnerabilities, their severity, and their remediation status. They care about trends over time and aggregate improvements. Often their metrics are mean time to remediation. It is rare that the security person themselves is able to remediate a software security flaw; they depend upon the developer to do this. This goal misalignment is often a reason for contention between the groups. In traditional app sec environments, where testing is done at the end of the SDLC, they may spend a lot of their time tracking and reporting vulnerability statuses, vetting findings, and triaging to dev teams. Where development is more automated, they may be able to focus more on setting policies and allowing the tools to enforce them. They often want to avoid moving any new critical/high vulnerabilities into production and favor breaking the build to enforce this.
Challenges we're trying to solve with this campaign: Security struggles to fit traditional application scanning methods into an iterative, agile development environment.
Recent software supply chain attacks are raising awareness of the need for greater application security that includes not only app sec testing but also policy automation, common compliance controls, and improved visibility and control over the SDLC tools and cloud native infrastructure. More pressure on an already difficult job!
Competitive solutions require substantial set-up and maintenance to integrate scans into the CI pipeline, with no end-to-end visibility across multiple tools.
Function: Application Development or DevOps
The developer cares about security but does not want to become a security expert. Their primary driver to write secure code is to protect their personal/professional reputation. They don't want to be the one that brings their company down via vulnerable code that they wrote. At the same time, they are goaled mostly on quickly turning out code that meets their users' requirements. Often they are not measured on security flaws. Security can seem like a necessary nuisance. Tools that fit within their workflow, without context-switching, are most acceptable. The clarity GitLab provides by reporting vulnerabilities at code commit (changes they just made, not someone else's) is helpful.
Challenges we're trying to solve with this campaign:
Security is important but we need new tools/methods in order to fit it into an iterative, agile development environment. Traditional app sec frustrates development efforts:
Recent software supply chain attacks are raising awareness of the need for greater application security that includes not only app sec testing but also protecting the software supply chain. The USA Executive Order on Cybersecurity will only heighten the need for better security and compliance processes. I have a feeling things will get more complex with more people looking over my shoulder and more controls hindering my development efforts.
Why is GitLab a better solution than competitors:
See the DevSecOps 2.0 keyword research doc »
| | Polished Messaging |
|---|---|
| Overall Message | The complexity of integrating security is one of the biggest challenges facing DevOps. GitLab simplifies DevSecOps efforts and improves compliance, by embedding robust security capabilities for both the developer and the security pro into one end-to-end DevOps platform. |
| Headline | Simplify and scale security and compliance while adding visibility and control |
| Statement | GitLab simplifies application security and compliance while protecting the integrity of the software supply chain. |
| Key Messages | 1. Improve application security without adding complexity by uniting Dev and Sec within one DevOps platform. Stop building and maintaining tool integrations and stop juggling spreadsheets to track vulnerabilities. Built-in AppSec testing and vulnerability management allow teams to mitigate risk while maintaining development velocity. |
| | 2. Today's sophisticated attackers, along with new attack surfaces of cloud native applications, require greater defense in depth. GitLab provides SAST, DAST, Container and Dependency scanning, API testing, fuzz testing, secrets detection, and license compliance within the developer's CI workflow, with no integration required. |
| | 3. As developers push code faster and more iteratively, you need security scanning that can keep up, along with guardrails to ensure policy compliance. GitLab automates security scanning using compliant pipelines and controls that reflect your policies. |
| | 4. Gain visibility into risk while improving collaboration. Developers see the security flaws they just created before their changes are merged, providing actionable and timely insight. Security teams see unresolved vulnerabilities, including findings from dynamic scans, while code is in development. This single source of truth improves efficiencies and collaboration between dev and sec. |
| | 5. Recent attacks, along with the U.S. Executive Order on Cybersecurity, have elevated the need to secure software supply chains. GitLab's DevOps platform provides common controls for compliance from planning to production and enables you to see who changed what, where, and when across the entire SDLC. |
| | |
|---|---|
| Topics | 1. DevSecOps / security embedded within CI pipelines / shift left |
| | 2. Managing the growing risk and scaling remediation of third-party code vulnerabilities. |
| | 3. Container security / cloud native application security / IaC Security |
| | 4. EO on Cybersecurity / compliance |
| Top-level Keywords | DevSecOps, application security, application security testing, software security, dependency scanning, container scanning, container security, compliance, secure software supply chain |
| Theme | Digestible sound bites (to be revised) |
|---|---|
| Simplify DevSecOps | Simplify DevSecOps by using a DevOps platform, loved by developers, with security already embedded. |
| | Stop managing complex tool chain plug-ins and fragile automation scripts. The GitLab DevOps platform includes robust app sec scanning within the CI pipeline, no integration necessary. |
| | GitLab provides a single source of truth that unites Dev and Sec efforts to resolve software vulnerabilities. |
| Shift left | Shift security left to empower developers to find and fix software vulnerabilities earlier in the DevOps lifecycle. |
| | Automate security scans with every code change to better defend your organization from attack. |
| | Reduce delays in production by finding and fixing vulnerabilities in development. |
| Visibility | GitLab's end-to-end DevOps platform helps you see who changed what, where, when from software planning through production. |
| | Harness the developer's existing workflow to scale your application security program, improve efficiency, and surface risks earlier. |
| Control and compliance | Apply and enforce security and compliance policies throughout your software development process. |
| | Apply security and compliance guardrails to your DevOps platform to provide consistency, simplify audits, and reduce risks. |
Overview of Prescriptive Buyer's journey»
Consideration pathfactory track»
In an effort to keep you focused on the prioritized lead and contact views, an Interesting Moment is triggered from Marketo.
Interesting Moment to look for: those that contain the DevSecOps phrase
Please prioritize lead AND contact views per normal SLAs:
If they are in salesadmin / raw status / legacy AE owned, managers will monitor these leads for re-routing.
Please put leads tagged with relevant last interesting moments into the below master sequence: