
Application Security Market Analysis

Security Lexicon

A uniform lexicon is important to distinguish the use of 'security' in various contexts.

GitLab helps our customers Secure and Manage all of the phases of the SDLC (Create, Plan, etc.). To deliver secure applications, customers use GitLab Security Controls throughout the SDLC and Security Testing in the Verify phase. Eventually, GitLab will enable vulnerability prioritization for planning and Security Monitoring in production (Defend).

  1. Security Controls are capabilities of GitLab that together provide GitLab customers auditability of code throughout the SDLC. (This is not SAST/DAST.) For example, see GitHub security. These controls help customers in their efforts to comply with various industry regulations that require policies for auditability and access control. Examples include:
    • Enforce security policies without interrupting your workflow
    • Complete change log for auditing
    • Two-factor authentication (2FA) for added access control
    • Automated security scanning during verification
    Check out the compliance page for a more thorough view.
  2. Application Security Testing is a capability or feature of GitLab, used in the Verify phase. It includes SAST and DAST, container scanning and dependency scanning. GitLab also includes license compliance in our software composition analysis.

  3. GitLab is a Secure Application (used as an adjective, like "GitLab is scalable, open, etc."). The security team, under the Director of Security, manages the people, processes and technology that secure the GitLab software. This may include SAST and DAST, but also includes security policies (like using Macs), our own Security Controls, configurations, monitoring of GitLab in production, vulnerability management, etc. Learn more about how we secure the GitLab app at If a customer or prospect needs GitLab to respond to a questionnaire about how the GitLab app is secure, follow these instructions.

Application Security Market Overview

Cyber Security is on a dynamic trajectory. It has traditionally focused on guarding the perimeter in a defensive approach: enterprises would start with simple endpoint protection and network security and layer on tools for "Defense in Depth". Today's security is much more proactive and predictive, combining internal and external data from a variety of sources and applying user behavior analytics and machine learning to identify suspicious activity.

Security investments followed a similar trajectory. Traditionally the bulk of the spending has gone to protecting infrastructure. In 2015, Gartner analyst Joseph Feiman estimated that for every $1 spent on application security, $23 was spent on other security. Application Security has only become a mainstream concern in recent years - but that's changing! There are several dynamics making application security a bigger priority, including:

Enterprises with advanced DevOps and/or Application Security programs are looking for remediation advice as the developer types the code, as a means of not only reducing vulnerabilities but also educating developers by teaching them security best practices in real time. Fortify and a few other advanced app sec vendors provide this.


Compliance is always the lowest common denominator - think of it as the MVC for security. Enterprises that depend upon software and technology to run their business seldom rely on compliance alone to guide their security efforts.

That said, compliance is taking on more importance, not only in the traditional sense of scanning apps, but now in the sense of securing the code through the development processes. Compliance relies upon auditability to show who changed what code, when. GitLab offers audit features, Two-factor Authentication (2FA) and more to help enterprises comply with their industry regulations.

Compliance is not a product, but rather features embedded along the SDLC in the software factory. Some competitors may provide compliance reports that collect information useful to a given regulation and pull it together for simplification. GitLab has hired a compliance team to focus on GitLab's own compliance in preparation for IPO. This knowledgeable team may also guide the product team to create compliance reports for GitLab users.


The focus of our competitive view is on application security testing (App Sec) and our other software composition analysis capabilities (SCA).

The term Application Security Testing includes Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Dependency Scanning, and Container Scanning. It also includes Interactive Application Security Testing (IAST) and Runtime Application Security Protection (RASP) which GitLab does not yet offer.

The term Software Composition Analysis includes Static Application Security Testing (SAST), Dependency Scanning, Container Scanning, License Compliance, and Code Quality Testing. It often includes a Bill of Materials capability, though that is typically a feature of these others, not a product of its own. Industry analysts, such as Forrester, use SCA to group capabilities. As defined in our Solutions, we intentionally do not include SAST and Code Quality in Software Composition Analysis.

Competitor Scope

| Vendor/Scope | SAST | DAST | Dep Scanning | Cont Scanning | License Mgmt |
|--------------|------|------|--------------|---------------|--------------|
| GitLab       | X    | X    | X            | X             | X            |
| BlackDuck    |      |      | X            | X             | X            |
| CA Veracode  | X    | X    | X            |               |              |
| IBM AppScan  | X    | X    | X            |               |              |
| Fortify      | X    | X    | X            |               |              |
| SonarQube    | X    |      | X            |               |              |
| Sonatype     |      |      | X            | X             | X            |
| WhiteSource  |      |      | X            |               | X            |
| Snyk         |      |      | X            | X             |              |
| Synopsys     | X    |      | X            | X             | X            |
| Checkmarx    | X    |      | X            |               |              |
| TwistLock    |      |      |              | X             |              |
| Aqua         |      |      |              | X             |              |

Who uses GitLab secure capabilities?

Within the MR pipeline report - the Developer

Within the Security Dashboard - the Security team

Market Segment Overview

Application Security is difficult. It is one of the smallest market segments of cyber security, with the lowest adoption. This is because it relies on a combination of people, processes and technology much more than network security, endpoint protection, etc. You will find sophisticated programs mostly in enterprises that depend upon custom software for their core business.

Companies with sophisticated Application Security programs



Value proposition

Companies with established Security Programs



Value Proposition

Companies with minimal security focus



Value Proposition