Quite a lot of debate is going on as to which term is more correct: DevSecOps, SecDevOps, or whether the "sec" part of the term is superfluous altogether. At GitLab, we have developed a fairly clear point of view: DevSecOps principles position security as the centerpiece of the DevOps development cycle, where it belongs. We believe that security work should remain as transparent and standardized a part of the process as possible; it should not be hidden or buried somewhere deep. Automating processes and policies equips both developers and information security professionals with the information they need to perform their duties.
GitLab continues to actively build its DevSecOps platform as an integrated and secure software solution that helps plan, implement, deploy, protect and maintain modern applications and the infrastructure they require (not everyone knows that GitLab today invests a significant share of its engineering effort in developing information security components). GitLab already provides transparency throughout the development cycle and a range of controls needed to protect the integrity of the software factory and the artifacts it generates.
GitLab is already a catalyst for change in the evolution of DevSecOps away from more traditional application security testing tools. Let's see what this evolution actually consists of.
Security testing
Traditional tools: Testing is performed by information security specialists using their own tools, as a rule, at the end of the development cycle.
New features of GitLab: Testing is automated through Continuous Integration pipelines, and the results are available to the developer before the end of the current iteration.
The test results focus on vulnerabilities that emerged in the context of the current iteration, which makes analyzing and resolving the resulting deficiencies extremely easy for the developer who introduced them. This minimizes the effort needed to maintain a backlog of risks and vulnerabilities, reduces technical debt, and reduces the need to involve additional specialists.
Continuous Integration and Security
Traditional tools: Commands executed by CI pipelines are used to invoke external security scanners and pass the results back to the pipeline. However, both of these tools remain disconnected, functioning on their own. This often requires additional custom integration, which also requires ongoing support. The licenses for CI tools and scanners are also separate from each other, which complicates the process of managing them, especially if they use different pricing policies (number of users, applications, lines of code, and so on).
New features of GitLab: CI and security scanning are combined into one tool, require no expensive integration or maintenance, and require only one license.
Eliminating vulnerabilities
Traditional tools: Information security professionals have to constantly monitor the status of vulnerability remediation, problem resolution and risk mitigation, in particular the remediation status of critical vulnerabilities (risks). Scan results are usually collected in one tool, while developers' remediation work happens in another, which leads to constant friction and ineffective communication between the two teams.
New features of GitLab: Using a single tool, security professionals can see the remediation status of specific vulnerabilities in a common dashboard, in a familiar context. And when teams use GitLab's planning tools, both teams can collaborate on fixing the findings.
On the technical side of the issue, GitLab was one of the first vendors to collect a large number of scanners in one tool:
- SAST
- DAST
- Dependency scanning
- Container scanning
- Secrets Detection
- Fuzz testing
- License scanning and compliance
Displaying all libraries in use and flexible reporting of all detected problems and vulnerabilities are also a standard part of GitLab. Replacing many specialized tools with a single solution remains, perhaps, the most important goal today.
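As an added example (not from the original post), this `.gitlab-ci.yml` enables the scanners listed above in one pipeline by including GitLab's shipped CI templates. The template names and variable names are GitLab's documented ones; the image name, the exclusion list and the DAST target URL are assumptions for illustration.

```yaml
# Added example: one pipeline that runs GitLab's built-in scanners.
# The included templates add jobs to the "test" and "dast" stages and
# run on merge request pipelines, so findings reach the developer in the
# merge request before the iteration closes.
stages:
  - build
  - test
  - dast

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Vendored and test code inflates SAST results; exclude it (assumed list).
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
  # Set to "true" once to sweep the whole git history for leaked secrets,
  # then back to "false" so later runs only check the new commits.
  SECRET_DETECTION_HISTORIC_SCAN: "false"
  # Deployed review app that the DAST job crawls (assumed URL).
  DAST_WEBSITE: "https://review-app.example.test"

# Container scanning expects the image that the default variables point
# at ($CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA), so build and
# push it first using the job's own registry credentials.
build_image:
  stage: build
  image: docker:20.10
  services:
    - docker:20.10-dind
  variables:
    IMAGE: "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"
```

Each job writes its findings as a report artifact (for example `gl-sast-report.json`), which is what populates the merge request widget and the vulnerability dashboard described above.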
Thanks to all these efforts and the results obtained, GitLab was included in the 2021 Gartner Magic Quadrant for Application Security Testing for its completeness of vision and ability to execute. We believe this confirms our conviction that the future of DevSecOps lies in involving developers in information security processes and equipping them with adequate tools.
It should also be noted that we are not resting on our laurels and continue to actively invest in improving the product components that lower risk and raise the security level of software products. Here are just a few of the improvements added to GitLab over the past 6 months (since its inclusion in the Gartner quadrant):
- Compliance pipelines using compliance frameworks
- Alert panel for container network policies
- The ability to change the status of vulnerabilities in bulk, along with other improvements to risk management workflows
- Admin mode, requiring additional authentication to perform administrative functions
- Semgrep for custom vulnerability analysis rules
- E-mail notifications about expiring keys
- Enforcing SAML SSO for Git activity
- On-demand scheduled DAST scans
- A new browser-based crawler for DAST with significantly larger reach
Following many recent attacks (such as SolarWinds and the subsequent attack on a gas pipeline in the United States), the attention of specialists is increasingly drawn to the issue of securing applications.
And GitLab has many unique capabilities to address these issues. True DevSecOps methodology represents a new era of software security, far more powerful than the tools we have traditionally known. We believe that GitLab has led the market toward this evolution and will continue to move in that direction.