The DevOps approach lets a team build a product that meets customer demands at speed. However, it often leaves security as a separate, late-stage activity outside the delivery cycle, which results in vulnerable products. GitLab Inc. recognised this drawback and addressed it by making security easy to integrate into its DevOps platform, positioning GitLab as the DevOps platform that simplifies DevSecOps. With security and compliance built in, GitLab gives organisations the visibility and control that are essential to protecting the integrity of their products.
GitLab as the DevOps platform that simplifies DevSecOps
GitLab is well known for Source Code Management (SCM) and Continuous Integration (CI). It is a complete platform that lets organisations improve the overall return on software development through rapid and efficient software delivery as well as enhanced security and compliance.
DevSecOps features in GitLab:
1. Application security testing and remediation
GitLab gives developers actionable vulnerability findings with each code commit, and at the same time helps security professionals track the remaining vulnerabilities through to resolution.
2. Cloud Native Application Protection
GitLab helps the DevOps team monitor and protect each of their deployed applications.
3. Policy Compliance and Auditability
GitLab’s MR approvals and end-to-end transparency of who changed what, when, and where, along with a compliance dashboard and common controls, allow organisations to fulfil their compliance requirements.
4. SDLC Platform Security
DevSecOps features and capabilities by GitLab tier:
1. Static Application Security Testing (SAST)
Availability: All tiers (GitLab Free, Premium and Ultimate). The SAST jobs run on every tier; the merge request security widget and vulnerability management are Ultimate features.
Capabilities: SAST scans the project’s source code for known vulnerability patterns on every commit and reports the findings against the merge request. GitLab also provides policy management that lets users define rules and policies to adhere to, both internal company policies and policies based on legal or regulatory frameworks such as GDPR, SOC 2, PCI DSS, HIPAA and ISO standards.
2. Dynamic Application Security Testing (DAST)
Availability: GitLab Ultimate
Capabilities:
- Users can use GitLab’s Review Apps CI/CD capability to run dynamic scanning against a per-merge-request deployment, far earlier in the SDLC than traditional DAST allows.
- Users can test running web applications for known runtime vulnerabilities.
- Users can supply HTTP credentials so that authenticated (private) areas of the application are scanned as well.
3. Dependency Scanning
Availability: GitLab Ultimate
Capabilities:
- Users can analyse external dependencies such as libraries for known vulnerabilities on every code commit using GitLab CI/CD.
- Users can identify vulnerable dependencies that need updating.
- The Dependency List (a software bill of materials) shows users all dependencies used in a project.
4. Container Scanning
Availability: GitLab Ultimate
Capabilities: GitLab scans container images for known vulnerabilities in the packages they contain, so that vulnerable images are caught before they are redistributed.
5. License Compliance
Availability: GitLab Ultimate
Capabilities:
- GitLab automatically searches project dependencies for approved and unapproved licenses according to user-defined policies.
- Custom license policies per project.
- License analysis results are displayed in the merge request pipeline alongside security vulnerabilities so they can be resolved immediately.
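The five scanners above are enabled by including GitLab-managed CI templates in the project’s .gitlab-ci.yml. The following pipeline is an added example written for this page; it is not taken from the article or from GitLab’s documentation. The template paths and DAST_*/CS_IMAGE/SAST_EXCLUDED_PATHS variable names are GitLab’s, but they change between GitLab versions, so check the templates shipped with your instance. The deploy script (deploy-review-app.sh), the review.example.com domain, the $DAST_USER/$DAST_PASS CI/CD variables and the final fail_on_high_severity gate job are assumptions made for illustration, and the gate assumes each JSON report carries a top-level "vulnerabilities" array whose entries have a "severity" string.

```yaml
# Added example: wiring SAST, Dependency Scanning, Container Scanning,
# License Compliance and DAST (against a Review App) into one pipeline.
stages:
  - build
  - test        # SAST, Dependency Scanning, Container Scanning, License Compliance
  - review      # deploy a Review App for this merge request
  - dast        # DAST runs against the Review App
  - gate        # hypothetical policy gate on the JSON reports

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Keep test and vendored code out of SAST so the findings stay actionable.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
  # Container Scanning target: the image built earlier in this same pipeline.
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  # DAST authenticated scan. Credentials come from masked, protected CI/CD
  # variables ($DAST_USER / $DAST_PASS, assumed names), never from this file.
  DAST_AUTH_URL: "https://$CI_COMMIT_REF_SLUG.review.example.com/login"  # hypothetical
  DAST_USERNAME: "$DAST_USER"
  DAST_PASSWORD: "$DAST_PASS"
  DAST_USERNAME_FIELD: "username"
  DAST_PASSWORD_FIELD: "password"
  DAST_FULL_SCAN_ENABLED: "true"   # active scan, not only passive observation
  DAST_EXCLUDE_URLS: "https://$CI_COMMIT_REF_SLUG.review.example.com/logout"  # keep the spider logged in

build_image:
  stage: build
  image: docker:24
  services: [docker:24-dind]
  script:
    - docker build -t "$CS_IMAGE" .
    # --password-stdin keeps the registry token out of the job log.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker push "$CS_IMAGE"

review_app:
  stage: review
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_COMMIT_REF_SLUG.review.example.com   # hypothetical domain
  script:
    - ./deploy-review-app.sh "$CS_IMAGE"   # hypothetical deploy script
    # The DAST template reads its target from environment_url.txt when
    # DAST_WEBSITE is unset, so the scan follows each merge request's Review App.
    - echo "$CI_ENVIRONMENT_URL" > environment_url.txt
  artifacts:
    paths: [environment_url.txt]
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

# Hypothetical gate, not a GitLab feature: on tiers without the merge request
# security widget the JSON reports are still produced, so a job in a later
# stage can fail the pipeline on High/Critical findings. Assumes the report
# files from earlier stages are downloaded as artifacts into this job.
fail_on_high_severity:
  stage: gate
  image: alpine:3.19
  before_script:
    - apk add --no-cache jq
  script:
    - |
      total=0
      for report in gl-sast-report.json gl-dependency-scanning-report.json gl-container-scanning-report.json; do
        [ -f "$report" ] || continue
        n=$(jq '[.vulnerabilities[] | select(.severity == "Critical" or .severity == "High")] | length' "$report")
        echo "$report: $n High/Critical findings"
        total=$((total + n))
      done
      [ "$total" -eq 0 ] || { echo "Blocking merge: $total High/Critical findings"; exit 1; }
```

The DAST credentials and login URL are deliberately not hard-coded: store them as masked, protected variables in the project’s CI/CD settings, and exclude the logout URL so the crawler does not end its own session part-way through the scan. The gate job only makes sense if you decide what counts as blocking; an Ultimate project would normally express the same rule as a scan result policy rather than a shell loop.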
Additional Capabilities:
Auto Remediation: this feature automates the vulnerability resolution workflow and can generate a fix, for example a merge request that upgrades a vulnerable dependency.
Fuzz Testing: the fuzz testing capability that GitLab gained through its acquisition of Peach Tech and Fuzzit has been integrated with the other scanners in the merge request pipeline. It lets users automatically test for previously unknown security flaws using coverage-guided fuzzing and API fuzzing.