GitLab’s commitment to enhanced application security in the modern DevOps world

With GitLab 14, we saw deep emphasis on modernizing our DevOps capabilities. This modernization enabled enhanced application security and strenghtened collaboration between developers and security professionals.

We saw enhancments such as:

  • global rule registry and customization for policy requriements with support for separation of duties
  • a newly developed browser-based Dynamic Application Security Testing (DAST) scanner used to test and secure modern APIs and Single Page
    Applications
  • more support for different languages using Semgrep
  • new vulnerability management capabilities to increase visibility

With the GitLab 15 release, we can see how our commitment to enhancing application security across the board is stronger than ever. In this blog post, I will provide details on how GitLab is commited to enhancing not only security, but efficiency.

Discover how GitLab 15 can help your team deliver secure software, while maintaining compliance and automating manual processes.
Save the date for our GitLab 15 launch event on June 23rd!

GitLab 15 security features

We see that with every GitLab release, there are plenty of enhancements to our security tools.
GitLab 15 is no exception! We can see a boatload ? of security enhacements released in GitLab 15 below:

These features run across different stages of the software development lifecycle. I have created a video showing some of the coolest new security features
in GitLab 15:

Scanners moved to GitLab Free Tier

A lot of our scanners were only part of GitLab Ultimate in the past. However, over time, certain scanners
have been moved over to GitLab Free Tier, enabling you to enhance the security of your application
no matter what tier of GitLab you are using.

Scanner Introduced Moved to Free
SAST 10.3 13.3
Container Scanning 10.4 15.0
Secret Detection 11.9 13.3

Within the free tier, you are able to download the reports generated by the security scanners.
This allows developers to see what vulnerabilites were detected within their source code and
container images.

Report on vulnerabilities

However, there are benefits to upgrading to Ultimate, which are described below.

Benefits of upgrading to Ultimate

Some organizations have multiple groups and projects they are working on, as well as a the security team,
which manages all the detected vulnerabilities. While having security scan reports ready for download
is useful, it is not exactly scalable across an organization. This is where Ultimate assists in enhancing
DevSecOps efficiency.

Scanners

While the GitLab Free Tier includes SAST, Secret Detection, and Container Scanning to find vulnerabilities
in your source code, when you upgrade to Ultimate, you are provided with even more scanners. Here are some
of the additional scanners provided in Ultimate:

Developer Lifecycle

In Ultimate, there is enhanced functionality within the developer lifecycle. The merge request a developer creates will
contain a security widget which displays a summary of the new security scan results. New results are determined by
comparing the current findings against existing findings in the default branch.

Ultimate security widget

The results contain not only detailed information on the vulnerability and how it affects the system, but also
solutions to mitigating or resolving the issue. These vulnerabilities are also actionable, meaning that a comment
can be added in order to notify the security team, so they may review – enhancing developer and appsec collaboration.
A confidential issue can also be created so that developers and security professionals can work together towards a
resolution safely and efficiently.

Confidential issue

While these features were avaliable in Ultimate on older versions of GitLab, within release 14 this feature was heightened
to include developer training within the vulnerability, helping to educate developers and make them more security-aware. GitLab 15
will provide even more enhancements to the developer lifecycle.

Ultimate enhancements

Security team lifecycle

There are also several features which greatly benefit members of a security team.

The security team is able to effectively manage and triage vulnerabilities using the Vulnerability Reports.

Vulnerability reports

The security dashboard allows the security team to assess the security posture
of a project or group of projects. This is helpful to see how many vulnerabilities were introduced/resolved over time, as well as which projects require more
attention than others

security dashboard

Separation of duties can be enforced using Compliance Frameworks
and Security Policies assuring code requires approval before making it to production.

Separation of duties

These are just some of the features GitLab has to offer in terms of security. For even more features, please see
the GitLab application security documentation.


Thanks for reading! To find out more about the newest security features in GitLab 15, check out
the release post. For upcoming
version features, see the Upcoming Releases page.

It is also helpful to check out our Secure and Protect roadmaps to get an idea of the direction we
are headed!

“Learn how @GitLab 15 commits to enhanced application security in the modern Devops world” – Fernando Diaz


Click to tweet