--- layout: feature title: "DevSecOps makes your applications more secure" description: "How to use GitLab as a Security tool using SAST, DAST, Dependency & Container Scanning and License Compliance" suppress_header: true canonical_path: "/solutions/dev-sec-ops/" extra_css: - gitlab-feature-landing-page.css - features.css --- .wrapper.gitlab-ee-page .blank-header = image_tag "/images/home/icons-pattern-left.svg", class: "image-border image-border-left", alt: "Gitlab hero border pattern left svg" = image_tag "/images/home/icons-pattern-right.svg", class: "image-border image-border-right", alt: "Gitlab hero border pattern right svg" .header-content = image_tag "/images/devops-tools/gitlab-logo.svg", class: "hero-image-small", alt: "Gitlab logo svg" %h1 DevSecOps with GitLab %p Join a webcast to learn how Zero Trust principles can help you secure your applications in a Cloud Native world. = link_to "Join Zero Trust livestream", "/webcast/zerotrust-cloudnative/", class: "btn cta-btn orange" .sub-wrapper .container .grid-layout.grid-layout2.margin-top50 .grid-item %h2.margin-top0 Application Security %p %strong Application Security is hard when security is separated from your DevOps flow. Security has traditionally been the final hurdle in the development life cycle. Iterative development workflows can make security a release bottleneck. Your team doesn't have enough people to test all of your code, and hiring more analysts won't automatically reduce the friction between your app sec and engineering teams. Only testing major releases, or limiting tests to certain apps, leaves weak spots attackers can exploit. You need a way to balance risk and business agility. Instead of waiting for security at the end of the development process, you can build it into your DevOps workflow. You need a DevSecOps process.
= link_to "Learn more", "/demo/", class: "btn cta-btn orange margin-top20" .grid-item %iframe{:allow => "accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture", :allowfullscreen => "", :frameborder => "0", :height => "315", :src => "https://www.youtube.com/embed/U2_dqwTRUVk", :width => "560"} %hr.divider .row.advantages .col-xs-1.col-md-1 .col-xs-10.col-md-10 %h2.margin-top0 What is DevSecOps? %p %strong DevSecOps integrates security controls and best practices into the DevOps workflow. DevSecOps automates security and compliance workflows to create an adaptable process for your development and security teams. %h2 Why is DevSecOps needed? %p %strong Balancing business velocity with security is possible. With GitLab, the DevSecOps architecture is built into the CI/CD process. Every merge request is scanned by its pipeline for security issues and vulnerabilities in your code and its dependencies using automated tests. This is what makes the benefits below possible. %hr.divider .row.advantages .col-xs-1.col-md-1 .col-xs-10.col-md-10 %h2.margin-top0 Benefits of DevSecOps %ul %li %strong Every piece of code is tested on commit for security threats, without incremental cost. %li %strong The developer can remediate now, while they are still working in that code, or create an issue with one click. %li %strong The dashboard for the security pro is a roll-up of the vulnerabilities remaining that the developer did not resolve on their own. %li %strong Vulnerabilities can be efficiently captured as a by-product of software development. %li %strong A single tool also reduces cost compared with buying, integrating and maintaining point solutions throughout the DevOps pipeline. .col-xs-10.col-md-10.col-md-offset-1 = image_tag "/images/secure/security-diagram.svg", alt: "CI/CD Overview", style: "margin-top: 40px;" %hr.divider .row.advantages .col-xs-1.col-md-1 .col-xs-10.col-md-10 %h2 What Are The GitLab Advantages? %p %strong %ul %li %strong Contextual.
Unlike traditional application security tools, which are primarily intended for use by security pros, GitLab's secure code capabilities are built into the %a{ href: "https://about.gitlab.com/product/continuous-integration/"} CI/CD workflows where the developers live. Developers can identify vulnerabilities and remove them early in the development cycle, while security professionals get a dashboard of the items not already resolved by the developer, across projects. This contextual approach helps each role deal with the items that are most important and most relevant to their scope of work within the delivery process. %li %strong Congruent with DevOps processes. GitLab's secure capabilities support the decision-makers within their natural workflow. Reports are interactive, actionable and iterative, and, most important, immediate and relevant to the changes made. Developers immediately see the cause and effect of their own specific changes, so they can iteratively address security flaws alongside code flaws. %li %strong Integrated with DevOps tools. When triaging vulnerabilities, users can confirm a finding (creating an issue to solve the problem) or dismiss it (because it is a false positive or there are compensating controls). When using GitLab, no additional integration is needed between app sec and ticketing, CI/CD, etc. %li %strong Efficient and automated. Eliminates mundane work wherever possible. %a{ href: "https://gitlab.com/groups/gitlab-org/-/epics/759"} Auto remediation applies patches to vulnerable dependencies and even re-runs the pipeline to evaluate the viability of the patch. Learn more about the GitLab Secure %a{ href: "https://about.gitlab.com/direction/secure/#security-paradigm" } Paradigm.
%hr.divider .col-xs-10.col-md-10.col-md-offset-1 %h3{:align => "center"} Security Deep Dive %iframe{:allow => "accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture", :allowfullscreen => "", :frameborder => "0", :height => "315", :src => "https://www.youtube.com/embed/k4vEJnGYy84", :width => "560"} %hr.divider .row.more-features .col-xs-1.col-md-1 .col-xs-10.col-md-10 %h2 Capabilities %ul %li %strong Static Application Security Testing (SAST): Finds %a{ href: "https://docs.gitlab.com/ee/user/application_security/sast/" } vulnerabilities in source code early in the development process, so they can be fixed before deployment %li %strong Dynamic Application Security Testing (DAST): Once code is deployed, %a{ href: "https://docs.gitlab.com/ee/user/application_security/dast/" } tests the running web application for a class of vulnerabilities that only show up at runtime %li %strong Dependency Scanning: Automatically finds security vulnerabilities in your %a{ href: "https://docs.gitlab.com/ee/user/application_security/dependency_scanning/" } dependencies while you are developing and testing your applications, such as when you are using an external (open source) library with known vulnerabilities %li %strong Container Scanning: Analyze your %a{ href: "https://docs.gitlab.com/ee/user/application_security/container_scanning/" } container images for known vulnerabilities %li %strong Auto Remediation: Auto %a{ href: "https://gitlab.com/groups/gitlab-org/-/epics/759" } remediation aims to automate the vulnerability resolution flow by automatically creating a fix. The fix is then tested, and if it passes all the tests already defined for the application, it is deployed to production. %li %strong Secret Detection: There are several types of %a{ href: "https://docs.gitlab.com/ee/user/application_security/sast/" } secrets (API keys, passwords, private keys) that need to be kept out of the repository. Each commit is scanned for secrets as part of SAST.
%li %strong IAST and Fuzzing: Planned additions to GitLab's security capabilities; see the vision epics for %a{ href: "https://gitlab.com/groups/gitlab-org/-/epics/344" } IAST %a{ href: "https://gitlab.com/groups/gitlab-org/-/epics/818" } and Fuzzing .col-xs-1.col-md-1 %hr.divider %h1{:align => "center"} Continuous security testing within CI/CD %hr.divider .row .col-xs-12.col-md-6.col-md-offset-1 %h2 Static Application Security Testing (SAST) %p %ul %li Scan the application source code and binaries to spot potential vulnerabilities. %li Because these open source tools are installed as part of GitLab Ultimate, there are no added costs. %li Vulnerabilities are shown in-line with every merge request, and results are collected and presented as a single report. %li Evaluate vulnerabilities from the GitLab pipeline and dismiss them or create an issue with one click. .hidden-xs.hidden-sm.col-md-4 = image_tag "/images/secure/sast-screen-shot.png", alt: "Gitlab Static Application Security Testing", style: "margin-top: 150px;" %hr.divider .row .hidden-xs.hidden-sm.col-md-4.col-md-offset-1 = image_tag "/images/secure/dast-findings-detail.png", class: "hidden-xs", alt: "Gitlab Dynamic Application Security Testing", style: "margin-top: 50px;" .col-xs-12.col-md-6 %h2 Dynamic Application Security Testing (DAST) %p %ul %li Run dynamic scanning earlier in the SDLC than previously possible, by leveraging the review app CI/CD capability of GitLab. %li Test running web applications for known runtime vulnerabilities. %li Users can provide HTTP credentials so that authenticated areas of the application are tested as well. %li Vulnerabilities are shown in-line with every merge request. %hr.divider .row .col-xs-12.col-md-6.col-md-offset-1 %h2 Dependency Scanning %p %ul %li Analyze external dependencies (e.g. libraries such as Ruby gems) for known vulnerabilities on each code commit with GitLab CI/CD. %li Identify vulnerable dependencies that need updating. %li Vulnerabilities are shown in-line with every merge request.
.hidden-xs.hidden-sm.col-md-4 = image_tag "/images/secure/dependency-findings-detail-full-screen.png", alt: "GitLab Dependency Scanning", style: "margin-top: 50px;" %hr.divider .row .hidden-xs.hidden-sm.col-md-4.col-md-offset-1 = image_tag "/images/secure/container-findings-detail.png", class: "hidden-xs", alt: "GitLab Container Scanning", style: "margin-top: 50px;" .col-xs-12.col-md-6 %h2 Container Scanning %p %ul %li Check Docker images for known vulnerabilities in the application environment. %li Avoid redistribution of vulnerabilities via container images. %li Vulnerabilities are shown in-line with every merge request. %hr.divider .row .col-xs-12.col-md-6.col-md-offset-1 %h2 License Compliance %p %ul %li Automatically search project dependencies for approved and blacklisted licenses defined by your policies. %li Custom license policies per project. %li License analysis results are shown in-line for every merge request for immediate resolution. .hidden-xs.hidden-sm.col-md-4 = image_tag "/images/secure/license-management-in-mr.png", alt: "GitLab License Management", style: "margin-top: 50px;" %hr.divider .row.links .col-xs-1.col-md-1 .col-xs-11.col-md-6 %h2 Help and More Information %ul %li Please see = link_to "/get-help/" do Get help for GitLab if you have questions %li Security %a{ href: "https://youtu.be/U2_dqwTRUVk" } Dashboard demo %li Deep Dive into a %a{ href: "https://youtu.be/k4vEJnGYy84" } Security demo %li %a{ href: "https://docs.gitlab.com/ee/user/application_security/sast/" } Static Application Security Testing %li %a{ href: "https://docs.gitlab.com/ee/user/application_security/dast/" } Dynamic Application Security Testing %li %a{ href: "https://docs.gitlab.com/ee/user/application_security/dependency_scanning/" } Dependency Scanning %li %a{ href: "https://docs.gitlab.com/ee/user/application_security/container_scanning/" } Container Scanning %li %a{ href: "https://docs.gitlab.com/ee/user/application_security/license_compliance/" } License Compliance 
%li See how %a{ href: "https://about.gitlab.com/blog/2018/09/11/what-south-africa-taught-me-about-cybersecurity/" } integration is the key to successful DevSecOps %li See how we %a{ href: "https://about.gitlab.com/devops-tools/" } compare against other Security tools .hidden-xs.hidden-sm.col-md-4 = image_tag "/images/logos/gitlab-logo.svg", class: "gitlab-arch hidden-xs", alt: "GitLab Agile", style: "margin-top: 100px;"
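The Secret Detection capability above says each commit is scanned for secrets. The script below is an added example, written for this page and not GitLab's own scanner, of what that step does at its core: it walks a unified diff, looks only at lines the commit adds, matches public credential formats (the AWS `AKIA` access key prefix and PEM private key headers) and a generic "name = 'value'" credential assignment, and uses a Shannon entropy threshold so low-entropy placeholders such as `changeme` are not reported. The sample diff, the `MIN_ENTROPY_BITS` threshold and the `secret-scan:ignore` suppression marker are all constructed assumptions for the example; the AWS key in the sample is Amazon's documented example key, not a live credential.

```python
"""Commit-time secret detection over a unified diff (added example, not GitLab code)."""
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# Public credential formats; the last one needs the entropy check below.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # group 2 is the quoted value assigned to a credential-looking name
    "hardcoded_credential": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"),
}
MIN_ENTROPY_BITS = 3.5                 # assumed threshold; tune per code base
IGNORE_MARKER = "secret-scan:ignore"   # hypothetical inline suppression marker
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: Optional[str]
    line: int          # line number in the new version of the file
    kind: str
    redacted: str      # never store or log the full secret


def shannon_entropy(value: str) -> float:
    """Bits per character; placeholders like 'changeme' score well below 3.5."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)


def scan_diff(diff_text: str) -> List[Finding]:
    """Scan only added lines; removed lines are not part of the new tree."""
    findings: List[Finding] = []
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1))    # new-side start of this hunk
            continue
        if raw.startswith(("-", "diff ", "\\")):
            continue                         # removed lines, file headers, "\ No newline"
        if raw.startswith("+"):
            content = raw[1:]
            if IGNORE_MARKER not in content:
                for kind, pattern in SECRET_PATTERNS.items():
                    m = pattern.search(content)
                    if not m:
                        continue
                    if kind == "hardcoded_credential":
                        value = m.group(2)
                        if shannon_entropy(value) < MIN_ENTROPY_BITS:
                            continue         # low entropy: placeholder, not a secret
                    else:
                        value = m.group(0)
                    findings.append(Finding(path, new_line, kind, redact(value)))
        new_line += 1                        # context and added lines both advance the counter
    return findings


# Constructed sample diff: one real-looking password, AWS's documented example key,
# a low-entropy placeholder, and a committed private key file.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,4 +10,6 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.com"]
-PASSWORD = os.environ["DB_PASSWORD"]
+PASSWORD = "xK9#pL2mQv7rT4wZ"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DEFAULT_PASSWORD = "changeme"
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAconstructedkeybody
+-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line} {f.kind} {f.redacted}")
```

Run as a pre-receive hook or a CI job over `git diff <base>...<head>`, a non-empty result fails the job; the developer sees the file and line in the same merge request that introduced the secret, which is the point the page makes about fixing findings while the code is still fresh. Note that a secret already pushed must still be rotated, since removing it from a later commit does not remove it from history.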
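The sections above describe results from SAST, Dependency Scanning and Container Scanning being collected into a single merge request report, dismissed by a reviewer when they are false positives or covered by compensating controls, and rolled up for the security pro. The script below is an added example of that aggregation and gating logic, written for this page and not GitLab's implementation: it merges several scanner reports, collapses the same finding reported by two analyzers, drops dismissed findings, and decides whether the merge request should be blocked. The report shape is a simplified, assumed version of GitLab's security report JSON (a `vulnerabilities` array with `category`, `severity`, `scanner`, `location` and `identifiers`); the reports, scanner ids and `CVE-0000-000x` identifiers are constructed placeholders, and the `fail_on` policy is an assumption.

```python
"""Merge security scanner reports and gate a merge request (added example, not GitLab code)."""
import json
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0, "Unknown": 0}


@dataclass(frozen=True)
class Vuln:
    fingerprint: str
    category: str
    severity: str
    name: str
    scanners: Tuple[str, ...]


def fingerprint(raw: dict) -> str:
    """Stable key for 'the same finding': category, primary identifier and location."""
    ident = raw["identifiers"][0]
    loc = raw.get("location", {})
    return (f"{raw['category']}:{ident['type']}:{ident['value']}:"
            f"{loc.get('file', '?')}:{loc.get('start_line', 0)}")


def merge_reports(report_texts: Iterable[str]) -> List[Vuln]:
    """Parse each scanner's JSON artifact; duplicates from different analyzers
    are collapsed into one finding carrying the highest reported severity."""
    merged: Dict[str, Vuln] = {}
    for text in report_texts:
        for raw in json.loads(text)["vulnerabilities"]:
            fp = fingerprint(raw)
            scanner = raw.get("scanner", {}).get("id", "unknown")
            prev = merged.get(fp)
            if prev is None:
                merged[fp] = Vuln(fp, raw["category"], raw["severity"], raw["name"], (scanner,))
            else:
                sev = max(prev.severity, raw["severity"], key=lambda s: SEVERITY_RANK.get(s, 0))
                merged[fp] = Vuln(fp, prev.category, sev, prev.name, prev.scanners + (scanner,))
    return list(merged.values())


def gate(vulns: List[Vuln], dismissed: Set[str],
         fail_on: Tuple[str, ...] = ("Critical", "High")) -> dict:
    """Dismissed findings (false positives, compensating controls) are excluded;
    anything left at a severity in fail_on blocks the merge request."""
    remaining = [v for v in vulns if v.fingerprint not in dismissed]
    blocking = [v for v in remaining if v.severity in fail_on]
    return {
        "unique": len(vulns),
        "remaining_by_severity": dict(Counter(v.severity for v in remaining)),
        "blocking": sorted(v.fingerprint for v in blocking),
        "blocked": bool(blocking),
    }


# Constructed sample reports (assumed, simplified report shape).
SAST_REPORT = json.dumps({"version": "2.0", "vulnerabilities": [
    {"category": "sast", "name": "SQL injection", "severity": "High",
     "scanner": {"id": "analyzer-a"},
     "location": {"file": "app/db.py", "start_line": 42},
     "identifiers": [{"type": "cwe", "value": "89"}]},
    {"category": "sast", "name": "SQL injection", "severity": "High",
     "scanner": {"id": "analyzer-b"},                     # same finding, second analyzer
     "location": {"file": "app/db.py", "start_line": 42},
     "identifiers": [{"type": "cwe", "value": "89"}]},
    {"category": "sast", "name": "Use of assert", "severity": "Low",
     "scanner": {"id": "analyzer-a"},
     "location": {"file": "tests/test_db.py", "start_line": 7},
     "identifiers": [{"type": "cwe", "value": "703"}]},
]})
DEPENDENCY_REPORT = json.dumps({"version": "2.0", "vulnerabilities": [
    {"category": "dependency_scanning", "name": "Prototype pollution in example-lib",
     "severity": "Critical", "scanner": {"id": "dep-scanner"},
     "location": {"file": "package-lock.json",
                  "dependency": {"package": {"name": "example-lib"}, "version": "1.0.0"}},
     "identifiers": [{"type": "cve", "value": "CVE-0000-0000"}]},   # placeholder id
]})
CONTAINER_REPORT = json.dumps({"version": "2.0", "vulnerabilities": [
    {"category": "container_scanning", "name": "Outdated OS package in image",
     "severity": "Medium", "scanner": {"id": "image-scanner"},
     "location": {"image": "registry.example.com/app:1.0",
                  "dependency": {"package": {"name": "openssl"}}},
     "identifiers": [{"type": "cve", "value": "CVE-0000-0001"}]},   # placeholder id
]})
SAMPLE_REPORTS = [SAST_REPORT, DEPENDENCY_REPORT, CONTAINER_REPORT]
# The SAST hit was triaged as a false positive (query is parameterized) and dismissed.
DISMISSED = {"sast:cwe:89:app/db.py:42"}

if __name__ == "__main__":
    result = gate(merge_reports(SAMPLE_REPORTS), DISMISSED)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["blocked"] else 0)   # fail the job when the policy is violated
```

The fingerprint is what lets a dismissal survive later pipelines: it is built from the identifier and location rather than from a scanner-assigned id, so the same finding reported by a second analyzer, or by the next pipeline on the same branch, matches the earlier triage decision instead of reappearing as new work.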