
Category Direction - Vulnerability Management

Stage: Defend
Maturity: Planned
Content Last Reviewed: 2020-05-21

Description

Vulnerability management is about ensuring that assets and applications are scanned for vulnerabilities, and about the processes used to record, manage, and mitigate the vulnerabilities those scans find.

Goal

Traditionally, vulnerability management has focused on scans of live web apps and assets, and management of those vulnerabilities in a single tool. At GitLab, we have a broader vision. Specifically, vulnerabilities should not be collected and managed in isolation, but instead they should be integrated with the rest of your DevOps lifecycle.

Our goal is to identify meaningful sets of vulnerabilities, in both your assets and application code, that can be mitigated, managed, and acted upon by your whole team, not just the security organization.

Our goal is also to provide unified interfaces and to integrate with the systems teams are already using to manage results from the ~"devops::secure" stage, so there is always a single source of truth and a single place for managing security results.

Additionally, our goal is to support teams with compliance and auditing efforts by effectively being able to show the lifecycle of identifying and mitigating identified vulnerabilities.

Roadmap

Planned to Minimal

What's Next & Why

We will start by creating an excellent experience around managing vulnerability results from scanners. This is a beneficial first step since results from existing VM scanners can then be imported into and managed within GitLab, rather than requiring multiple tools.

Additionally, vulnerability results from SAST, DAST and container scanning can be used with the same workflow. This will give security teams a better view of the overall amount of risk associated with their apps, both from a pre-deployment and post-deployment perspective.

Key features

Standalone Vulnerabilities

Details here

Security Dashboards

Security Dashboards—available at instance, group and project level—are the primary tool for Security Teams and Directors of Security. They can use these dashboards to access the current security status of their applications and to start a remediation process.

The dashboards also provide stats and charts that show how the team is performing. This helps keep project security health at a proper level.

Pipeline Security Reports

Details here

Merge Request Security Reports

Details here

Responsible Disclosure

GitLab believes in responsibly disclosing software vulnerabilities. As such, GitLab is a CVE Numbering Authority (CNA) and can provide CVE IDs to researchers and information technology vendors. We will be integrating a CVE ID request solution, which will be available within our Secure and Defend categories.

You can read more about reporting a vulnerability, our disclosure policy, and how to request a CVE ID on our Responsible Disclosure page.

Competitive Landscape

TODO

Analyst Landscape

TODO

Top Customer Success/Sales Issue(s)

There is no feature available for this category.

Top Customer Issue(s)

The category is very new, so we still need to engage customers and get feedback about their interests and priorities in this area.

Top Vision Item(s)