Integrating Security into DevSecOps

Application Security is hard - when it is a separate process

You want to test everything but you…

So you may…

Even though you know that…

Benefits of an integrated approach

Balancing business velocity with security is possible. With GitLab, application security testing is built into the CI/CD process. Every merge request is scanned for vulnerabilities both in your own code and in its dependencies. This enables some magic to happen:

The GitLab Secure Paradigm

GitLab Secure capabilities support the decision-makers. Instead of security being a blocker, we want to provide a very simple way to take the right action and learn from it. Keeping it simple is a key value, so that security features are not seen as more effort than their perceived benefit. What counts as a false positive can be very subjective, and risk assessment remains mostly a human process. That's why we believe security features should not automatically block a pipeline or prevent a new version from being released to production. Key ideals of our design include:

Learn more about the GitLab Secure Paradigm.

Continuous security testing within CI/CD

When using GitLab CI/CD, every merge request is automatically tested using the following methods.

Static Application Security Testing (SAST)

  • Scan the application source code and binaries to spot potential vulnerabilities.
  • Because these open source tools are bundled with GitLab Ultimate, there are no added costs.
  • Vulnerabilities are shown in-line with every merge request and results are collected and presented as a single report.
  • Evaluate vulnerabilities from the GitLab pipeline and dismiss or create an issue with one click.

Dynamic Application Security Testing (DAST)

  • Dynamic scanning earlier in the SDLC than previously possible, by leveraging the review app CI/CD capability of GitLab.
  • Test running web applications for known runtime vulnerabilities.
  • Users can provide HTTP credentials so that authenticated, private areas of the application are tested too.
  • Vulnerabilities are shown in-line with every merge request.

Open Source Dependency Scanning

  • Analyze external dependencies (e.g. libraries like Ruby gems) for known vulnerabilities on each code commit with GitLab CI/CD.
  • Identify vulnerable dependencies needing updating.
  • Vulnerabilities are shown in-line with every merge request.

Container Scanning

  • Check Docker images for known vulnerabilities in the application environment.
  • Avoid redistribution of vulnerabilities via container images.
  • Vulnerabilities are shown in-line with every merge request.

Why stop there? Since GitLab already runs application security scans on every code commit, why not also verify compliance with open source licenses?

License Management

  • Automatically search project dependencies for approved and blacklisted licenses defined by your policies.
  • Custom license policies per project.
  • License analysis results are shown in-line for every merge request for immediate resolution.
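The five scanners above are wired into a pipeline through `.gitlab-ci.yml`. The following is an added example and not code from this page or from GitLab's own documentation: it includes GitLab's security templates, builds the image that Container Scanning inspects, deploys a review app, and points DAST at it. It assumes a project that builds a Docker image, a hypothetical review host `*.review.example.com`, hypothetical deploy scripts `deploy-review.sh` and `stop-review.sh`, and a masked CI/CD variable `REVIEW_APP_PASSWORD`. The template paths and the `CS_IMAGE`/`DAST_*` variable names follow GitLab's security templates but have been renamed across releases (the license template in particular), so check them against the documentation for the GitLab version you run.

```yaml
# .gitlab-ci.yml (added example, not from the page or GitLab's docs).
# Assumptions: the project builds a Docker image, a review app is reachable at
# https://<branch-slug>.review.example.com (hypothetical host), deploy-review.sh
# and stop-review.sh are hypothetical project scripts, and REVIEW_APP_PASSWORD is
# a masked CI/CD variable. Template names and CS_/DAST_ variables differ between
# GitLab releases; verify them against the docs for your version.

stages:
  - build
  - test      # SAST, Dependency Scanning, Container Scanning, License jobs run here
  - review
  - dast

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml   # assumption: name varies by version

# Build the image that Container Scanning will inspect. Tagging it with the
# commit SHA ties every scan result to exactly one commit of the merge request.
build:
  stage: build
  image: docker:stable
  services:
    - docker:dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# Override the template job so it scans the image built above rather than a
# default-derived name (CS_IMAGE is the recent variable name; assumption).
container_scanning:
  variables:
    CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# Review app for the merge request. Its environment URL is what DAST crawls.
review:
  stage: review
  script:
    - ./deploy-review.sh "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_COMMIT_REF_SLUG"  # hypothetical script
  environment:
    name: review/$CI_COMMIT_REF_NAME
    url: https://$CI_COMMIT_REF_SLUG.review.example.com
    on_stop: stop_review
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

stop_review:
  stage: review
  script:
    - ./stop-review.sh "$CI_COMMIT_REF_SLUG"   # hypothetical script
  environment:
    name: review/$CI_COMMIT_REF_NAME
    action: stop
  when: manual
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

# DAST against the review app, logging in so that authenticated pages are
# covered. The password comes from a masked CI/CD variable, never the repo.
dast:
  variables:
    DAST_WEBSITE: https://$CI_COMMIT_REF_SLUG.review.example.com
    DAST_AUTH_URL: https://$CI_COMMIT_REF_SLUG.review.example.com/login
    DAST_USERNAME: dast-scanner
    DAST_PASSWORD: $REVIEW_APP_PASSWORD
```

The scanner jobs defined by the templates run with `allow_failure: true`, so a finding is reported in the merge request widget without failing the pipeline, which is the non-blocking behaviour the Secure Paradigm section describes; a project that wants a hard gate has to add that policy on top. The `review` and `stop_review` jobs are restricted to merge request pipelines with `rules:`; the template jobs carry their own run conditions, so they are not given `only:`/`rules:` overrides here (mixing the two keyword families in one job is rejected by GitLab).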

Want to know where we're headed? Learn about the future of GitLab's Secure capabilities.

For more details, check out the product documentation.

Resources