Security Asset Inventories
[[_TOC_]]

### Release notes

Identify risk across your software supply chain assets using GitLab's security asset inventory.

### Problem to solve

Within the software supply chain (and within GitLab today), it is challenging for AppSec teams to identify:

* Which assets need to be protected
* The risks associated with those assets
* How well those assets are currently protected
* Which security controls have been configured to mitigate risk

As the common security phrase goes, "you can't protect what you can't see." Asset inventories help AppSec teams better understand what needs to be protected in the SDLC.

According to [Crowdstrike's 2024 State of Application Security Report](https://www.crowdstrike.com/en-us/2024-state-of-application-security-report/) (survey of ~400 companies):

> Teams Rely Heavily on Manual Processes to Inventory/Catalog Application Microservices and APIs... teams are primarily using documentation (74%) and spreadsheets (68%) to catalog and inventory their applications and APIs. These methods rely heavily on humans, making them prone to error. Furthermore, a faster deployment velocity makes it difficult for teams to have up-to-date, accurate information.

### What are security assets?

> An item of value to stakeholders. An asset may be... intangible (e.g., humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image, or reputation). The value of an asset is determined by stakeholders in consideration of loss concerns across the entire system life cycle. Such concerns include but are not limited to business or mission concerns.

Source: [NIST SP 800-160 Vol. 2](https://csrc.nist.rip/glossary/term/asset)

### Why are AppSec/DevSecOps asset inventories important?
Within the context of software supply chain security, asset inventories provide visibility into projects (source code), SBOMs/components, licenses, secrets managers, applications, APIs, pipelines, artifacts, container images, IaC, and more. AppSec/DevSecOps asset inventories can help teams get better visibility into their security posture. Inventories help answer questions related to:

##### Risk Assessment

* Which applications handle sensitive data (PII, PHI, financial data, etc.)?
* What is the business risk tier/criticality level of each application?
* Which applications are internet-facing vs. internal?
* What's the potential business impact if each application is compromised?

##### Technology Stack

* What programming languages and frameworks are in use?
* Which applications are using outdated or unsupported versions of frameworks/libraries?
* What third-party components and dependencies are in use?
* Which applications share common components or dependencies?

##### Security Controls

* Which applications have completed security assessments, and when?
* What security controls are implemented for each application?

##### Deployment and Infrastructure

* Where is each application hosted (cloud provider, on-premise, hybrid)?
* Which applications are in production vs. development/testing?
* What is the deployment frequency for each application?
* Which applications share infrastructure components?

##### Security Debt and Remediation

* What are the known vulnerabilities for each application?
* Which applications have pending security fixes?

##### Ownership and Response

* Who are the application/code owners?
* Who are the primary developers/maintainers?

##### Development Lifecycle

* Which applications follow CI/CD practices?
* What is the testing coverage (SAST, DAST, SCA) for each application?
* What is the current SDLC maturity level of each application?
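To show how the questions above become actionable once the inventory exists, here is an added example (not GitLab's code, and not part of this page's proposal) that tiers constructed asset records by exposure and data sensitivity, derives scanner-coverage gaps, and produces an owner-routable worklist. The tiering rule, the required-scanner policy, and the `Asset` fields are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    owner: str              # who gets the finding (Ownership and Response)
    internet_facing: bool   # exposure (Risk Assessment)
    data_classes: set       # e.g. {"PII", "PHI"} (sensitive data handled)
    scanners: set           # coverage in place, e.g. {"SAST", "SCA"}
    open_critical_vulns: int  # security debt

# Assumed policy: these classes make an application "sensitive".
SENSITIVE = {"PII", "PHI", "financial"}
# Assumed policy: every project needs static and dependency scanning;
# internet-facing ones additionally need dynamic testing.
REQUIRED_SCANNERS = {"SAST", "SCA"}

def risk_tier(a: Asset) -> str:
    """Assumed tiering rule: exposure and data sensitivity drive criticality."""
    sensitive = bool(a.data_classes & SENSITIVE)
    if a.internet_facing and sensitive:
        return "critical"
    if a.internet_facing or sensitive:
        return "high"
    return "medium"

def coverage_gaps(a: Asset) -> list:
    """Scanners the policy requires that the inventory shows are not enabled."""
    required = set(REQUIRED_SCANNERS)
    if a.internet_facing:
        required.add("DAST")
    return sorted(required - a.scanners)

def prioritized_gaps(assets) -> list:
    """Worklist rows (tier, name, owner, gaps, open criticals), highest risk first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    rows = [(risk_tier(a), a.name, a.owner, coverage_gaps(a), a.open_critical_vulns)
            for a in assets]
    rows = [r for r in rows if r[3] or r[4]]          # drop assets with nothing to do
    return sorted(rows, key=lambda r: (order[r[0]], -r[4]))

# Constructed sample inventory (not real projects).
INVENTORY = [
    Asset("payments-api", "team-payments", True, {"PII", "financial"}, {"SAST", "SCA"}, 2),
    Asset("internal-wiki", "team-platform", False, set(), {"SAST"}, 0),
    Asset("hr-portal", "team-people", False, {"PHI"}, {"SAST", "SCA", "DAST"}, 1),
    Asset("marketing-site", "team-web", True, set(), {"SAST", "SCA", "DAST"}, 0),
]

if __name__ == "__main__":
    for tier, name, owner, gaps, vulns in prioritized_gaps(INVENTORY):
        print(f"{tier:8} {name:15} {owner:15} missing={gaps} open_criticals={vulns}")
```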
### Proposal

Provide a top-down security view into all projects (code), applications (projects grouped by customers), and APIs.

#### MVC

https://gitlab.com/groups/gitlab-org/-/epics/16484+

#### Post-MVC

* Ability to assign business criticality/risk score per project
* Customer-defined Application view (projects grouped together by customers)
* API Inventory
* Other inventories (artifacts, pipelines, etc.)