GitLab is named a Challenger in The Forrester Wave™: Software Composition Analysis, Q2 2019
April 12, 2019
5 min read


GitLab has been recognized by analysts as a challenger in Software Composition Analysis.


While GitLab is best known in the traditional DevOps space, we have also begun to grow our expertise in application security, which may come as a surprise to security professionals who have not encountered us before. We started out focused on traditional developer tools; however, as GitLab has added capabilities to cover the entire Software Development Lifecycle (SDLC), it now includes not only a market-leading Continuous Integration solution but also, more recently, integrated application security testing built into the CI/CD pipeline. Our single, end-to-end application enables security testing that is tightly aligned to today’s rapid, iterative cycles of DevOps development and the modern infrastructure that accompanies cloud native applications.

Who was included?

For The Forrester Wave™: Software Composition Analysis, Q2 2019, participating vendors were required to have most of the following capabilities out of the box:

  • Ability to provide remediation advice on both open source license risk and vulnerabilities;
  • Ability to integrate into SDLC automation tools;
  • Ability to provide proactive vulnerability management;
  • Ability to edit and create policies; and
  • Ability to visually report on open source risk.

Participating vendors were also required to have more than $10M in revenue and to have interest from, or relevance to, Forrester clients.

GitLab is a new challenger

Having only added security capabilities in December 2017, GitLab has been excluded from other analyst application security reports that look only at more established players. In our first official security-oriented analyst evaluation, we are excited not only to get the word out about GitLab’s security capabilities, but also to have this opportunity for analyst feedback and insight into how GitLab compares. We take to heart not only the areas where we shine, but also those where improvement is needed. With GitLab, “everyone can contribute,” and the feedback gained from Forrester is another valuable contribution. We also welcome your participation and invite you to help us understand what you would like to see as our security capabilities grow.

Based on this analyst report and our interactions with the analysts, we are already addressing improvement opportunities in our roadmap and vision.

Check out our complete SCA response for links to specific updates and response comments.

As a company dedicated to releasing incrementally, delivering first on breadth and then on depth, it is not uncommon for GitLab to initially place in a challenger position, as our feature set generally does not yet have the same maturity as that of established players in the space. However, when GitLab enters a space, we do so boldly, with clear intentions and a solid strategy. GitLab’s strategy for application security testing and software composition analysis gives more equal weight to the developer and the security professional than traditional solutions do. You will find some areas of strategy where we were not scored as highly as we believe we should have been, due to our more aggressive focus on development.

Updates since the evaluation

GitLab has shipped a major new release every month for 90 consecutive months. Forrester evaluated GitLab 11.6 for this report, while versions 11.7, 11.8, and 11.9 have since been released. Several features that Forrester felt were lacking have already been added, including improvements to the security dashboard, additional languages supported by SAST scanning, and secrets detection. When using Forrester’s scoring tool, be sure to adjust the criteria to reflect our current capabilities. A list of what has been added since Forrester’s evaluation can be found in our complete SCA response.

Forrester’s key takeaway: “Remediation, policy management, and reporting are key differentiators”

Forrester says, “As developers continue to use open source to accelerate the release of new application functionality, remediation, policy management, and reporting will dictate which providers will lead the pack. Vendors that can provide developers with remediation advice and even create patches position themselves to significantly reduce business risk.”

This takeaway is closely aligned with GitLab's vision for application security testing and our work in progress on auto remediation. While not available in the evaluated version (11.6), today’s GA release (11.9) can detect that a more current patch is available and let the developer create a new branch and apply the patch with one click. Upcoming versions will automatically run the pipeline and present the results for the developer to accept or reject. By automating remediations that are readily apparent, developers and security teams can focus on vulnerabilities whose remediation is not as straightforward.

The fact that GitLab is a single application for the entire SDLC enables us to take remediation even further: actually running the pipeline in a separate branch and even measuring the performance impact of the patch. We isolate cause and effect: the developer makes a code change, that code is tested, and they see the results before merging the code with others’. It also allows us to do dynamic scanning in the same manner, before the code is merged with anyone else’s. We do this by spinning up a review app as part of the pipeline. This fully functioning app reflects the developer’s code changes and can be used for user testing, performance testing, and dynamic application security scanning.

GitLab's advice

We believe GitLab is ideal for enterprises who are:

  • Using GitLab for CI/CD.
  • Practicing iterative development via DevOps.
  • Using containers and serverless.

For the enterprise that has not invested in app sec tools, GitLab can quickly provide scanning, often necessary for regulatory compliance, with a single application. GitLab offers SAST, DAST, Dependency Scanning, Container Scanning, and License Management in one application, with no need to evaluate and buy from multiple vendors and then stitch together integration with the DevOps toolchain. In fact, GitLab customer Glympse Inc. stood up 40 repos with automated security testing, using all of the GitLab scans, in less time than it would have taken to install the individual tools, and as a bonus, they impressed their auditors with their process.

For the enterprise already deeply invested in traditional app sec tools, GitLab affords a broader and earlier scanning effort, using a tool that developers are already using. GitLab can scan every code change, much the way every airplane passenger is screened at security. Save the deeper scans for later and/or less frequent evaluation by the security team. Consider using GitLab on select projects to experience the more efficient workflow and potentially reduce the scanning costs incurred by costlier tools.

Our response

We invite you to see our complete response and, as always, welcome your contributions!

Cover image by Scott Webb on Unsplash
