Protecting cloud-native applications, services, and infrastructure
GitLab Defend enables organizations to proactively protect their cloud-native environments by providing context-aware technologies to reduce your overall security risk. Defend is a natural extension of your existing operations practices providing security visibility across the entire DevSecOps lifecycle. This empowers your organization to apply DevSecOps best practices with visibility from the first line of code written all the way through monitoring and protecting your applications deployed into operations.
The Defend Stage focuses on providing security visibility across the entire DevSecOps lifecycle as well as providing monitoring and mitigation of attacks targeting your cloud-native environment. Defend reduces overall security risk by enabling you to be ready now for the cloud-native application stack and DevSecOps best practices of the future. This is accomplished by:
The Defend Stage is made up of two groups supporting the major categories focused on cloud-native security including:
The existing team members for the Defend Stage can be found in the links below:
In line with our Security Paradigm, Defend features will inform and report threats that occur as a first step. Once you explicitly tell GitLab to block traffic, users, or devices, we will record these decisions and then block and drop actions by those bad actors.
This is valuable to you because it means that you can introduce and configure security for your app gradually over time without disrupting your end users. Examining the information about what GitLab Defend reports in your app helps you ensure that the security settings are appropriate for your app and business will not introduce more false positves nor permit more potentially bad actions than you are comfortable with. Having recorded evidence of threats and your response ensures you can easily achieve your compliance goals and requirements.
One of GitLab's key advantages as a single DevOps platform is that all of our stages are integrated and tightly connected. Defend will identify and protect against threats as they happen, but we will strive to be informative to other stages to give you actionable next steps to close a vulnerability or point of exploit, not just defend it.
Not only does shifting left and acting on results earlier give your apps better security, it helps enable collaboration with everyone at your company. We believe that security is everyone's responsibility and that everyone can contribute, and informing other stages is a powerful way to do this.
Defend capabilities will be pre-configured to provide value to protecting your applications. Rather than require you to read documentation manuals and provide complex configuration files, GitLab will always provide reasonable defaults out of the box.
We will provide the ability for advanced and customized configurations, but these will only be needed based on your specific use case and when you feel comfortable doing so.
There are a few product categories that are critical for success here; each one is intended to represent what you might find as an entire product out in the market. We want our single application to solve the important problems solved by other tools in this space - if you see an opportunity where we can deliver a specific solution that would be enough for you to switch over to GitLab, please reach out to the PM for this stage and let us know.
Each of these categories has a designated level of maturity; you can read more about our category maturity model to help you decide which categories you want to start using and when.
A Web Application Firewall (WAF) can examine traffic being sent to your web application and can detect then block malicious traffic before it reaches them. The ModSecurity WAF is installed via Auto DevOps behind the ingress controller in your Kubernetes cluster. It is configured by default to run the OWASP ModSecurity core ruleset. This category is at the "minimal" level of maturity.
Detect and respond to security threats at the Kubernetes, network, and host level. This category is planned, but not yet available.
Priority: high • Direction
View, triage, trend, track, and resolve vulnerabilities detected in your applications. This category is planned, but not yet available.
Priority: high • Direction
Container network security allows the implementation of network policies in Kubernetes to detect and block unauthorized network traffic between pods and to/from the Internet. This category is at the "minimal" level of maturity.
User and Entity Behavior Analytics (UEBA) is a solution that uses machine learning and other technologies to detect, alert, and block on anomalous behavior by users and systems. This category is planned, but not yet available.
Priority: high • Direction
GitLab believes in responsibly disclosing software vulnerabilities. As such, GitLab is becoming an authorized provider of CVE IDs to researchers and information technology vendors. We will be integrating CVE ID request solution which will be available within our Secure and Defend Categories.
There are a number of other issues that we've identified as being interesting that we are potentially thinking about, but do not currently have planned by setting a milestone for delivery. Some are good ideas we want to do, but don't yet know when; some we may never get around to, some may be replaced by another idea, and some are just waiting for that right spark of inspiration to turn them into something special.
Remember that at GitLab, everyone can contribute! This is one of our fundamental values and something we truly believe in, so if you have feedback on any of these items you're more than welcome to jump into the discussion. Our vision and product are truly something we build together!