Group-level Security Inventory (MVC)
    Open Epic created by Sara Meadzinger

    Release Notes

    The Group Level Inventory gives you visibility into your organization's security posture at the group level.

    Problem to solve

    AppSec teams are focused on securing their company's assets, but today, it is challenging to understand the security posture of those assets. GitLab's current workflows focus primarily on vulnerabilities and begin at the project-level. Without asset inventories, customers cannot understand their coverage gaps or properly make efficient, risk-based prioritization decisions.


    What's an Asset?

    NIST defines assets as

    The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes...

    The value of an asset is determined by stakeholders in consideration of loss concerns across the entire system life cycle. Such concerns include but are not limited to business or mission concerns.

    Asset Inventories

    Inventories enable teams to visualize the assets they need to secure and to understand the actions that need to be taken to improve security. As it's commonly said in security, "you can't secure what you can't see."

    Within the context of software supply chain security, asset inventories provide visibility into projects (source code), SBOMs/components, licenses, secrets managers, applications, APIs, pipelines, artifacts, container images, IaC, and more.

    Practitioner Interview: Leveraging Security Asset Inventories

    Why are AppSec/DevSecOps asset Inventories important?

    Inventories help answer questions related to:

    Risk Assessment
    • Which applications handle sensitive data (PII, PHI, financial data, etc.)?
    • What is the business risk tier/criticality level of each application?
    • Which applications are internet-facing vs. internal?
    • What's the potential business impact if each application is compromised?
    Technology Stack
    • What programming languages and frameworks are in use?
    • Which applications are using outdated or unsupported versions of frameworks/libraries?
    • What third-party components and dependencies are in use?
    • Which applications share common components or dependencies?
    Security Controls
    • Which applications have completed security assessments and when?
    • What security controls are implemented for each application?
    Deployment and Infrastructure
    • Where is each application hosted (cloud provider, on-premise, hybrid)?
    • Which applications are in production vs. development/testing?
    • What is the deployment frequency for each application?
    • Which applications share infrastructure components?
    Security Debt and Remediation
    • What are the known vulnerabilities for each application?
    • Which applications have pending security fixes?
    Ownership and Response
    • Who are the application/code owners?
    • Who are the primary developers/maintainers?
    Development Lifecycle
    • Which applications follow CI/CD practices?
    • What is the testing coverage (SAST, DAST, SCA) for each application?
    • What is the current SDLC maturity level of each application?

    Proposal

    Build an inventory view that displays: Groups, sub-groups, projects contained in those groups, and that also indicates which scanners have been applied to each project.

    Scope

    Phase I/Internal dogfooding

    Visualize

    • Groups, sub-groups, projects contained in those groups
    • Which scanners have been configured for each project
    • How many vulnerabilities of each severity level are associated with each group (i.e. across the projects it contains)
    • Includes pagination

    Navigation

    • Page should live at the group-level under the "Secure" left-nav section
    • Left-nav item should be titled "Security Inventory" unless otherwise decided in Security Inventory Naming Ideas (gitlab#514688)
    • "Configure scanners" button (may be named otherwise based on design issue) will redirect users to the project-level "Security Configuration" page.

    Phase 2/Beta

    Search/Filter

    • Does not support free text search
    • Should be possible to filter and/or search on projects which have applied each of these scanners:
      • SAST (includes both SAST and advanced SAST)
      • Dependency Scanning
      • Container Scanning
      • Secret Detection (includes both pipeline and push protection)
      • DAST
      • IaC
    • Conversely, should be possible to search/filter on which projects have not applied each scanner
    • Must be able to filter on two scanners at once (for example, display only the projects that have both SAST and DAST enabled)
    • User experience should emulate the search (chip-based)/filter capabilities on the vulnerability report.
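    The filter rules above, as an added example that is not part of this epic or of GitLab's code: a small Ruby model of the inventory (groups, sub-groups, projects with their configured scanners and severity counts, all constructed sample data) implementing the Phase 1 roll-up and the Phase 2 "has scanner", "lacks scanner" and two-scanner filters. The struct fields and function names (`all_projects`, `severity_totals`, `filter_projects`) are assumptions of this example.

```ruby
# Added illustration, not GitLab's code: a minimal model of the group-level
# inventory described in this epic. All groups, projects and counts are
# constructed sample data.

SCANNERS   = %i[sast dependency_scanning container_scanning secret_detection dast iac].freeze
SEVERITIES = %i[critical high medium low].freeze

Project = Struct.new(:name, :scanners, :vulns)   # vulns: { severity => count }
Group   = Struct.new(:name, :projects, :subgroups)

# Every project in a group, descending into sub-groups (Phase 1 "Visualize").
def all_projects(group)
  group.projects + group.subgroups.flat_map { |sg| all_projects(sg) }
end

# Vulnerability counts per severity, rolled up over the whole group tree.
def severity_totals(group)
  all_projects(group).each_with_object(Hash.new(0)) do |p, totals|
    p.vulns.each { |sev, n| totals[sev] += n }
  end
end

# Phase 2 filter: projects that have configured every scanner in `with`
# and none of the scanners in `without` (the "not applied" view).
# Scanner names outside SCANNERS are rejected rather than silently ignored,
# so a typo cannot produce an empty, misleadingly "clean" result.
def filter_projects(group, with: [], without: [])
  unknown = (with + without) - SCANNERS
  raise ArgumentError, "unknown scanner(s): #{unknown.join(', ')}" unless unknown.empty?

  all_projects(group).select do |p|
    (with - p.scanners).empty? && (without & p.scanners).empty?
  end
end

# Constructed sample data: one top-level group with a sub-group.
api = Project.new("api", %i[sast dast secret_detection], { critical: 1, high: 4 })
web = Project.new("web", %i[sast dependency_scanning], { high: 2, low: 7 })
job = Project.new("batch-job", [], { medium: 3 })
ROOT = Group.new("acme", [api, web], [Group.new("acme/backend", [job], [])])

if __FILE__ == $PROGRAM_NAME
  puts "projects:  #{all_projects(ROOT).map(&:name).join(', ')}"
  puts "totals:    #{severity_totals(ROOT)}"
  puts "SAST+DAST: #{filter_projects(ROOT, with: %i[sast dast]).map(&:name)}"
  puts "no SAST:   #{filter_projects(ROOT, without: %i[sast]).map(&:name)}"
end
```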

    Future phases

    To be further refined based on research and customer feedback. Potential additions may include:

    • Sticky search/filters
    • Scanner configuration workflows
    • Dashboard-like summary widgets at the top of the page
    • Additional attributes
      • Associated policies that have been applied to projects
      • Business risk/criticality score (customer-defined)
      • Aggregated risk score (created by VR and/or insights team)
      • Environment (internal, external, on-prem, frontend, backend)
      • Lifecycle stage (development, production)
      • Handles sensitive data/PII
      • Programming languages
      • Code owners, maintainers, and/or developers
    • Additional potential future inventories
      • Applications (customer-grouped projects)
      • APIs
    Edited by Sara Meadzinger
