
DevOps Solution: Software Compliance

Who to contact

Product Marketing: Cindy Blake (@cblake)
Technical Marketing: Fernando Diaz (@fjdiaz)

The Market Viewpoint

Software compliance

The Software Compliance solution is aimed at customers who want to secure their software supply chain and simplify compliance with common industry regulations while, at the same time, accelerating software delivery.

GitLab's platform approach seamlessly embeds security and compliance within the DevOps platform, providing simplicity, visibility, and control.

Why is compliance a new concern?

While compliance and auditability have always been important, these requirements have received greater attention following high-profile attacks on software supply chains and the related US Executive Order on Improving the Nation's Cybersecurity.

Application security testing remains a foundational part of compliance, but visibility and control across the entire software factory are now just as important.

Desired business outcomes

Personas

User Personas

Cameron the Compliance Manager

Cameron needs to be sure all the company's development processes are compliant. Given the amount of data that a software development and delivery lifecycle produces, and the complexity of typical DevOps tool chains, he finds it difficult to find, aggregate, and report on all of the necessary data and changes made across systems for audit purposes. He needs to see who changed what, where, and when, end-to-end across the SDLC. He needs that information to be available quickly and easily so he can reduce the time and disruption involved in collecting evidence.

The Developer interacts with compliance primarily through the MR pipeline report

The developer cares about security but does not want to become a compliance expert. Capabilities that help them run fast while staying compliant are appreciated.

Sam the Security Analyst may be tasked with automating and reporting on compliance policies so would like them to be simple, efficient, and automated wherever possible.

Buyer Personas

The Security Manager or CISO (Sam's boss) or head of risk is usually the buyer for the Ultimate tier

The key to winning them over is to focus on simplicity and control.

Industry Analyst Coverage

Analysts have not identified a market segment for software compliance, although they have been writing articles about it. Forrester spoke about the Executive Order at GitLab's Commit event in fall 2021.

Market Requirements (in priority order)

Each requirement below lists its description, the typical capability-enabling features, and the value/ROI.

1. Common compliance controls
   Description: Controls necessary to protect the integrity of the software development and deployment process.
   Typical capability-enabling features: Role-based access control, MR approvals, and many others.
   Value/ROI: Simplify audit and compliance and reduce the risk of noncompliance.

2. Automated policy enforcement
   Description: Automation reduces the audit burden. Enforcing policies within the MR shifts compliance left, where developers can resolve problems early in the life cycle.
   Typical capability-enabling features: Locked CI templates that enforce policies in the pipeline.
   Value/ROI: Avoids late rework. In regulated industries there is an approved change-order window; if it is missed because of rework, the change management process must start over.

3. Audit reporting
   Description: Audit events should be automatically captured and reported. Changes to code, controls, and IaC should be traceable and captured as audit events across the entire SDLC.
   Typical capability-enabling features: Audit events, audit reporting.
   Value/ROI: Reduce the risk of noncompliance and efficiently identify root causes following a security or compliance incident.

4. Security governance
   Description: The solution automatically applies security policies to code to ensure that only appropriate risks are taken. Application vulnerabilities, which represent risk, are tracked, managed, and reported. The solution enables routine assessments of security practices to evaluate risk, compliance, audit, and process-improvement opportunities (usually for education purposes).
   Typical capability-enabling features: Security policy automation; risk and compliance reporting; audit reporting; a variety of security metrics and process reporting; vulnerability database and management.
   Value/ROI: Efficiently monitor, manage, and mitigate risk. Ability to identify exceptions and refine policies over time.

5. Security guardrails (preventative, pre CI/CD)
   Description: Preventative application security uses guardrails to help teams consistently build things that are secure from the start.
   Typical capability-enabling features: Compliant pipelines that cannot be circumvented by a developer, pre-approved code libraries, and auto-discovery that catalogs all third-party code.
   Value/ROI: Prevents creating new vulnerabilities.

The GitLab Solution

How GitLab Meets the Market Requirements

GitLab Software Compliance solution overview

Each requirement below lists how GitLab delivers it, the GitLab category, and the available demos (tbd where not yet filled in).

Common compliance controls
   How GitLab delivers: GitLab provides many common controls throughout the SDLC.
   GitLab category: Access and Compliance within the Manage stage; Compliance pipelines
   Demos: Compliance pipelines

Automated policy enforcement
   How GitLab delivers: tbd
   GitLab category: tbd
   Demos: tbd

Audit reporting
   How GitLab delivers: tbd
   GitLab category: tbd
   Demos: tbd

Security governance
   How GitLab delivers: Security policy automation, compliance assessment, security risk assessment, audit assessment
   GitLab category: Security Dashboards, Audit events, Compliance Management
   Demos: tbd

Security guardrails (preventative, pre CI/CD)
   How GitLab delivers: tbd
   GitLab category: Bill of materials feature
   Demos: Manage your Application Dependencies with GitLab

Top Differentiators

Each differentiator below lists its value, proof point, and demos.

Block MR based on Security Policy
   Value: Bring development and security teams closer by allowing security teams to apply organizational security policies beforehand and review/approve security exceptions before the code is merged.
   Proof point: -
   Demos: Merge-Request Approvals as Displayed in DevSecOps Overview

Compliance Management
   Value: GitLab makes compliance easier by providing a single source of truth for Dev, Sec, and Ops through a single data store. Everything is audited, and for every change there is a single thread that contains the full audit log of every decision and action, making audit compliance a breeze.
   Proof point: The auditor for Glympse observed that the company had remediated security issues faster than any other company he had worked with in his 20-year career. Within one sprint, just 2 weeks, Glympse was able to implement security jobs across all of their repositories using GitLab's CI templates.
   Demos: Manage Compliance with GitLab

Compliant pipelines
   Value: tbd
   Proof point: -
   Demos: tbd

How the GitLab DevOps platform helps achieve DevSecOps

Simplicity/efficiency

Visibility

Control

What Are The GitLab Advantages?

Platform approach. With a single platform for the entire SDLC, governance is greatly simplified and it is more effective.

Contextual.

Seamless.

Efficient and automated.

Message House

The message house for compliance provides a structure to describe and discuss the value and differentiators for the use case. (to be added)

Key message: GitLab helps you take control of your software development with a single platform that helps you automate and standardize the development process and policies while providing end-to-end visibility/traceability so that development can run fast with less risk.

Competitive Comparison

See how we compare against other DevOps approaches

  1. Role-based access control (RBAC) for separation of duties. Competing products' roles are broader, and when a person changes roles their permissions must be changed manually. Why is this important? If someone who has access to push to production is demoted or moves to another group, you want their permissions to change automatically to reduce insider threat.
  2. Our workflows include compliance within MR approvals. No manual checks that impact velocity. (In essence, we shift compliance left as well.)
  3. External status checks are an important feature for regulated industries. Changes are approved and must be pushed to production within a given timeframe; delays can cause the approval process to start over.
  4. GitLab has projects and groups, and projects inherit policies from their group. Competitors cannot structure policies as flexibly as GitLab, which is important for enterprise users. Examples include group-level runners.
  5. Compliant pipelines allow GitLab users to select their compliance framework (e.g. PCI, HIPAA) and have its policies applied, and the developer cannot disable them (due to RBAC).
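As an added illustration of point 5 (not code from this page or from GitLab's own documentation), the following is the `.gitlab-ci.yml` of a separate, tightly controlled compliance project that a compliance framework can point at. It assumes a GitLab instance where the `Security/SAST.gitlab-ci.yml` and `Security/Secret-Detection.gitlab-ci.yml` templates are available, and a target project whose own pipeline file is found at `$CI_CONFIG_PATH`; the `compliance-evidence` job, its image and its script are assumptions for illustration.

```yaml
# Added example: compliance-pipeline configuration kept in a compliance
# project that only the compliance/security team can write to. Because the
# framework applied to a project points here rather than at the project's
# own file, developers in that project cannot remove these jobs.

include:
  # Mandatory scanners from the built-in templates (assumed available).
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  # Pull in the project's own pipeline so its build/test/deploy jobs still run.
  # Pinning ref to $CI_COMMIT_SHA ensures the project config evaluated is the
  # one from the commit being tested, not a later revision of the branch.
  - project: '$CI_PROJECT_PATH'
    file: '$CI_CONFIG_PATH'
    ref: '$CI_COMMIT_SHA'

# Assumed evidence-collection job. It runs in the built-in .post stage so it
# does not depend on whatever stages the project's own file declares.
compliance-evidence:
  stage: .post
  image: alpine:3.18
  script:
    - echo "pipeline=$CI_PIPELINE_ID project=$CI_PROJECT_PATH sha=$CI_COMMIT_SHA" > compliance-evidence.txt
    - echo "user=$GITLAB_USER_LOGIN ref=$CI_COMMIT_REF_NAME" >> compliance-evidence.txt
  artifacts:
    paths:
      - compliance-evidence.txt
    expire_in: 1 year
  rules:
    - when: always
```

Two checks a practitioner should make: the `include` of the project's own file is what keeps development jobs running, so do not drop it when editing the compliance file; and keys defined in this file take precedence over same-named keys in the included project file, so give compliance jobs distinctive names and avoid declaring a `stages:` list here unless the intent is to constrain the project's stages.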

Key Value by tier

Free and Premium

Key Compliance features with Free/Premium:

In addition, some security scanning is available:

Ultimate

Key Compliance features with Ultimate:

In addition, more security scanners are available, along with Vulnerability management and security dashboard. See DevSecOps solution for details.

Feature / Scenario                         | Free    | Premium | Ultimate | Product Analytics                                                  | Notes
-------------------------------------------|---------|---------|----------|--------------------------------------------------------------------|----------------------------------------
Adopt GitLab Flow                          | X       | X       | X        |                                                                    |
Try / Utilize Auto DevOps                  | Partial | Partial | X        |                                                                    |
Automated Testing with CI                  | X       | X       | X        |                                                                    | Only SAST at all tiers
Review app                                 | X       | X       | X        |                                                                    | Needed to run DAST in the CI/CD pipeline
Merge Request Approval Flow / Rules        |         | X       | X        | counts.merged_merge_requests_using_approval_rules                  |
Protected Environments                     |         | X       | X        |                                                                    |
Container Registry                         | X       | X       | X        | container_registry_enabled                                         |
Package Registry                           | X       | X       | X        | counts_monthly.packages                                            |
SAST (Static Application Security Testing) | X       | X       | X        | user_sast_jobs                                                     |
Secret Detection                           | X       | X       | X        | user_secret_detection_jobs                                         |
Container Scanning                         |         |         | X        | user_container_scanning_jobs                                       |
Dependency Scanning                        |         |         | X        | user_dependency_scanning_jobs                                      |
License Compliance                         |         |         | X        | user_license_management_jobs                                       |
API Fuzzing                                |         |         | X        | user_api_fuzzing_jobs, user_api_fuzzing_dnd_jobs on self-managed   |
Coverage Fuzzing                           |         |         | X        | user_coverage_fuzzing_jobs                                         |
Security Approvals                         |         |         | X        |                                                                    |
Compliance Dashboard                       |         |         | X        |                                                                    |

The table covers the free/community and paid tiers of both GitLab's self-managed and SaaS offerings.

Technology Partnerships

We partner with key industry vendors to extend GitLab's ability to address customer needs and fulfil the market requirements.

HashiCorp Vault

A more complete list of technology partners can be found on our security partners page. If you or your customer has a third party they'd like to see integrated into GitLab, send them to the partner integration page for instructions.

Selling the Software Compliance Solution

Customer Facing Slides

Discovery Questions

Initial probe for direction. Where’s the pain?

Integrating application security testing into agile DevOps software development is difficult, with many potential challenges. Use the questions below to probe which areas are of most concern, then go deeper on those topics further below.

1. Policy Automation

2. Managing Risk

Potential Objections

Proof Points - customers

Quotes and reviews

Customer Case Studies

Glympse

Chorus

References to help you close

SFDC report of referenceable secure customers Note: Sales team members should have access to this report. If you do not have access, reach out to the customer reference team for assistance.

Enablement and Training

The following will link to enablement and training videos and content.

Professional Service Offers

GitLab offers a variety of pre-packaged and custom services for our customers and partners. The following are service offers specific to this solution. For additional services, see the full service catalog.

Resources

Software security guide

Blogs

Clickthrough & Live Demos

Roadmap

Technical Resources for Solution Architects

Buyer's Journey

Inventory of key assets in the buyer's Journey

Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license