Accurics and GitLab: Contextualizing Risk for Effective DevSecOps
Security has long been a speed bump – some might consider it more of a hill, mountain, or wall – in DevOps transformations. Development teams applaud the goal but struggle with the implementation. The reality in most organizations is that effective security cannot be automated with the tools available–there is a need for manual expertise which runs counter to automation.
Our partnership with GitLab introduces a new approach for implementing effective, automated, DevOps-friendly security controls by minimizing that need for manual effort. By leveraging information about Infrastructure as Code (IaC) and application vulnerabilities, we can programmatically prioritize the most significant, exploitable risks that require developer attention.
Security Risk is Contextual
Security tools are good at finding potential problems. So good, in fact, that they quickly create large backlogs that need to be investigated before their real risk can be understood. Often, that means manual investigation of each finding by development and security experts just to decide whether findings require a fix. How can you embed such tools into automated DevOps workflows?
The answer, for too many teams, is that they don’t. They use the parts that help them accelerate innovation and they sideline the manual parts that slow them down. Or they avoid security in their pipelines altogether and let the security team deal with it separately.
The crux of the problem is that application security tools are finding potential problems. It’s the best they can do when they don’t know whether applications are exposed to the internet or in a secure VPC; they don’t know if a SSRF exposes a honeypot or a private network. Without context, they cannot understand actual risk. Ideally, teams wouldn’t have to worry about such details; they would just fix everything. But teams don’t have time to fix everything immediately if their DevOps initiatives are to be successful, and effective security requires that the most severe risks are addressed. The lack of context translates into a lack of effective security.
Accurics and GitLab Contextualize Security Findings
And that’s why we’re so excited about our new partnership and integration with GitLab. We’ve long been able to automate IaC scans via GitLab, and we’re opening a whole new dimension in that story.
Accurics already understands the IaC – the resources, configurations and connections – and we can help you ensure that infrastructure is configured securely. GitLab does a great job of finding vulnerabilities in applications, and automating DevOps processes. Most teams are happy with that, enabling DevOps teams to address IaC problems and developers to address application problems. But that leads to a lot of wasted effort, because IaC fixes – and existing configurations – may neutralize application risks. And fixing application risks is where most of the effort goes.
Our enhanced integration leverages our knowledge of the infrastructure to understand the context within which application vulnerabilities exist. That means we can differentiate between SQL injections that are exposed to the internet and those that are not. We can tell if a SSRF exploit might expose sensitive data. This enables us to more accurately assess the real risk represented by vulnerabilities, and to do so without relying on manual expertise – it happens automatically, right inside your automated processes.
This release focuses on risks identified by the GitLab SAST workflow, and we’re already hard at work extending that to other forms of risk identified in CI and CD workflows. Because Accurics uses the same policy engine throughout the application lifecycle, you gain consistent visibility and enforcement from coding through runtime leveraging standard GitLab pipeline operations.
The end result is that development and DevOps teams can integrate effective security controls into their automated processes. They gain insight into the most important, exploitable vulnerabilities so they know where to focus remediation efforts. Just as you can break the build based on the severity or number of findings, you can now break the build according to the actual risk posed by the findings. As a result, fewer builds and deployments will be blocked due to potential problems.
To learn more about how Accurics and GitLab can help you streamline your DevOps practices while improving security, please visit our integration page.