A uniform lexicon is important to distinguish the different uses of 'security' in various contexts.
GitLab helps our customers Secure and Govern all phases of the SDLC (Create, Plan, etc.). To deliver secure applications, customers use GitLab Security Controls throughout the SDLC and Security Testing in validation. Eventually, GitLab will enable vulnerability prioritization for planning and Security Monitoring in production.
Application Security Testing is a capability or feature of GitLab, used in the Verify phase. It includes SAST, DAST, container scanning, and dependency scanning. GitLab also includes license compliance in our software composition analysis.
Cyber Security is on a dynamic trajectory. It has traditionally focused on guarding the perimeter in a defensive approach. Enterprises would start with simple endpoint protection and network security and layer on tools for "Defense in Depth". Today's security is much more proactive and predictive, combining internal and external data from a variety of sources and applying user behavior analytics and machine learning to identify suspicious activity.
Security investments followed a similar trajectory. Traditionally, the bulk of the spending has gone to protecting infrastructure. In 2015, Gartner analyst Joseph Feiman estimated that for every $1 spent on application security, $23 was spent on other security. Application Security has only become a mainstream concern in recent years - but that's changing! There are several dynamics making application security a bigger priority, including:
Enterprises with advanced DevOps and/or Application Security programs are looking for remediation advice as the developer types the code, as a means of not only reducing vulnerabilities but also educating developers by teaching them security best practices in real time. Fortify and a few other advanced app sec vendors provide this.
Compliance is always the lowest common denominator - think of it as the MVC for security. Enterprises that depend upon software and technology to run their business seldom rely on compliance alone to guide their security efforts.
That said, compliance is taking on more importance, not only in the traditional sense of scanning apps, but now also in the sense of securing the code throughout the development process. Compliance relies upon auditability to show who changed what code, and when. GitLab offers audit features, two-factor authentication (2FA), and more to help enterprises comply with their industry regulations.
Compliance is not a product, but rather a set of features embedded along the SDLC in the software factory. Some competitors provide compliance reports that collect the information relevant to a given regulation and pull it together for simplification. GitLab has hired a compliance team to focus on GitLab's own compliance in preparation for IPO. This knowledgeable team may also guide the product team in creating compliance reports for GitLab users.
The focus of our competitive view is on application security testing (App Sec) and our other software composition analysis capabilities (SCA).
The term Application Security Testing includes Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Dependency Scanning, and Container Scanning. It also includes Interactive Application Security Testing (IAST) and Runtime Application Security Protection (RASP) which GitLab does not yet offer.
The term Software Composition Analysis includes Static Application Security Testing (SAST), Dependency Scanning, Container Scanning, License Compliance, and Code Quality Testing. It often includes a Bill of Materials capability, though that is typically a feature of these others rather than a product of its own. Industry analysts, such as Forrester, use SCA to group capabilities. As defined in our Solutions, we intentionally do not include SAST and Code Quality in Software Composition Analysis.
| Vendor/Scope | SAST | DAST | Dep Scanning | Cont Scanning | License Mgmt |
|--------------|------|------|--------------|---------------|--------------|
- Within the MR pipeline report: the Developer
- Within the Security Dashboard: the Security team
Application Security is difficult. It is one of the smallest market segments of cyber security, with the lowest adoption. This is because it relies on a combination of people, processes, and technology much more than network security, endpoint protection, etc. You will find sophisticated programs mostly in enterprises that depend upon custom software for their core business.