Technology teams are under intense pressure. They are resource constrained, but still need to have one foot firmly on the gas pedal to drive innovation and deliver value to their customers. And they need to do that while protecting their software supply chain – the seemingly endless amount of integrations and add-ons in today’s modern development environment.
The dynamic is brutal. Security engineers are outnumbered. One customer told me that for every 100 developers, there is only 1 security engineer. Couple that with dwindling budgets – according to the 2023 GitLab Global DevSecOps Report: Security Without Sacrifices, 85% of respondents said security budgets are flat or reduced – and you get a dynamic where speed and convenience will trump security and compliance.
But that dynamic does not need to be the norm.
We believe in a simple mantra: Velocity with guardrails. Artificial intelligence technologies and automation solutions accelerate code creation and, when paired with a comprehensive DevSecOps platform, create the security and compliance guardrails that every company needs. Velocity with guardrails means no more trading off the need for fast software innovation with the need for secure software development. Velocity with guardrails only happens in a world where AI and automation extend beyond code creation. In fact, our Global DevSecOps Report found that 62% of developers said they use AI/ML to check code and 65% of developers are using – or plan to use in the next three years – AI/ML in testing efforts.
Given the resource constraints DevSecOps teams face, automation and artificial intelligence become a strategic resource. Our DevSecOps Platform helps teams fill critical gaps while automatically enforcing policies, applying compliance frameworks, performing security tests using GitLab’s automation capabilities, and providing AI-assisted recommendations - which frees up resources.
In the past few months, we’ve introduced a host of new features and capabilities to bring this mantra to life. Here’s a taste.
Increase velocity with Code Suggestions
Every day, millions of developers use GitLab to contribute code. In February, we launched a Beta for our Code Suggestions feature, and since then, we’ve been working hard to make Code Suggestions available to more developers. During Beta, Code Suggestions is free for all Ultimate and Premium customers. GitLab Code Suggestions can improve developer productivity, focus, and innovation without context switching and within a single DevSecOps platform.
Code Suggestions is only the start of our journey infusing AI/ML into all aspects of the software development lifecycle. Along with Suggested Reviewers, we have been sharing previews of these AI/ML-powered features on our blog every Thursday in a weekly series.
AI-assisted vulnerability guidance
According to our Global DevSecOps Report, security respondents who don’t use a DevSecOps platform were more likely to struggle to identify who can perform remediation and consider it difficult to understand vulnerability findings. To help teams identify an effective way to fix a vulnerability within the context of their specific code base, we have released an experimental feature that provides GitLab AI-assisted vulnerability recommendations leveraging the explanatory power of large language models. This capability combines basic vulnerability information with insights derived from the customer’s code to explain the vulnerability in context, demonstrate how it can be exploited, and provide an example fix. Initial testing shows significant promise in reducing the time to determine a fix for a vulnerability.
This is just one of a number of experimental AI-assisted capabilities we’ve shared in the past few months to improve developer productivity and software delivery efficiency.
Gain a new level of visibility with Value Streams Dashboard
With AI accelerating productivity, visibility and transparency have never been more important. Our new Value Streams Dashboard provides strategic insights into metrics that help decision makers identify trends and patterns to optimize software delivery. This data is grounded in DORA4 metrics and the flow of value delivery across projects and groups.
The Value Streams Dashboard offers visibility across every step of the software development lifecycle, without needing to buy or maintain a third-party tool. The result: Fewer tools, increased visibility, and more transparency, all within GitLab.
Set license policies and scan software licenses for compliance
Violating or breaching a license by using software with an incompatible license may result in an expensive lawsuit or many developer hours to remove problematic code. We recently released a new and improved license compliance scanner along with license approval policies. The new scanner extracts license information from packages that are dual-licensed or have multiple licenses that apply and automatically parses and identifies more than 500 different types of licenses, a substantial increase from previously identifying only 20 types of licenses.
License approval policies help minimize the risk that unapproved licenses are in use, saving organizations time and effort to manually ensure compliance.
Protect secrets from being leaked
A recent string of attacks pointed to leaked personal access tokens (PATs) in source code as the culprit. GitLab Secret Detection can protect against that. We now automatically revoke PATs leaked in public GitLab repositories, mitigating the risk of a developer mistakenly commiting a PAT into their code. This capability helps protect GitLab users and their organizations from credential exposure and reduces risk to production applications.
We are not stopping at remediating GitLab managed credentials. We now support responding to leaked secrets in public projects by revoking the credential or notifying the vendor who issued it. We’re actively expanding the list of supported vendors which any SaaS vendor can join to help us secure any secret a developer might use.
Automatically enforce security policies
Manually enforcing security policies for different projects and code commits can be time-consuming. Applying automation to policy enforcement can prevent security rules from being bypassed without proper approval. Security teams can configure policy rules, such as requiring multiple approvers across various teams (e.g., QA, Business, Legal), a two-step approval process, and approval for exceptions for using out-of-policy licenses. Such policies can be applied to multiple development projects, at the group or subgroup level, to allow for ease in maintaining a single, centralized ruleset.
Avoid false positives in security testing
Security professionals report that too many false positives rank among their top three frustrations, according to the GitLab 2023 Global DevSecOps Survey. Our DAST API Analyzer is now more accurate and reduces false positives by an estimated 78%, making it easier for DevSecOps teams to hone in on true security threats.
We’ve also just introduced vulnerability dismissal reasons to help track why vulnerabilities were resolved to improve compliance tracking and audit reports.
We've introduced a lot of new capabilities that enable our customers to achieve velocity with guardrails. Watch this 90-second video to see how GitLab secures your end-to-end software supply chain.
More velocity, more guardrails coming soon
GitLab has an ambitious roadmap for 2023 to make it easier to integrate security into our customers’ software development lifecycle so they can deliver secure code easier and more efficiently. Capabilities coming soon include:
- Group and subgroup level dependency lists provide users a simple way to view their projects’ dependencies, as managing dependencies at the project level can be problematic for organizations with hundreds of projects.
- Continuous container and dependency scanning improves visibility and timeliness of vulnerability discovery by automatically scanning for new findings any time a new security advisory is published or code is changed.
- Management tools for compliance frameworks allow customers to apply the compliance frameworks to existing projects and multiple projects at once. Currently, customers can apply compliance frameworks and policies individually per project.
- SBOM ingestion will allow GitLab to import CycloneDX files from third-party tools to create a single source for all of the software’s dependencies giving greater system-wide visibility and helping to create actionable insights.
Learn how to increase velocity securely with Secure by Design principles.