Product Stage Direction - Govern

1. You are here:
2. GitLab Direction
3. Product Stage Direction - Govern

On this page

• Stage Overview
  • Groups
  • Resourcing and Investment
• 3 Year Stage Themes
  • Top-down security controls
  • No compromises with compliance
  • Coordinate governance across GitLab
  • Emphasize usability and convention over configuration
  • Secure the software supply chain
• 3 Year Strategy
• 1 Year Plan
  • What We're Not Doing
• Key Performance Metrics
• Target Audience
  • Today
  • Medium Term (1-2 years)
• Pricing
  • Free
  • Premium
  • Ultimate
• Categories
  • User Management
  • System Access
  • Permissions
  • Audit Events
  • Compliance Management
  • Security Policy Management
  • Vulnerability Management
  • Dependency Management
  • Software Bill of Materials
  • Insider Threat
  • Instance Resiliency
  • Release Evidence
• Upcoming Releases
  • 16.9 (2024-02-15)
  • 16.10 (2024-03-21)
  • 16.11 (2024-04-18)
  • 17.0 (2024-05-16)
  • 17.1 (2024-06-20)
• Other Interesting Items

Organization-wide security vulnerability, policy, compliance, and user management

The Govern stage helps organizations to reduce their overall risk by applying appropriate management and governance oversight across the entire DevSecOps lifecycle. Govern provides management tools to secure the GitLab platform itself by restricting access to authenticated users and ensuring they are provisioned with the least amount of required privileges. To help manage and monitor risk levels, the Govern stage provides visibility into user permissions and activity; project dependencies; security findings; and aderence to compliance standards. This visibility is then coupled with enforcement capabilities to proactively prevent risks by automating compliance and securing the software supply chain.

Stage Overview

The Govern stage provides the capabilities necessary to meet security and compliance requirements for organizations at any scale, from one project to tens of thousands of projects. This includes the ability to manage policies centrally, at scale, and have them apply to projects across the organization.

Groups

The Govern Stage is made up of six groups:

• Anti-Abuse - Ensure that the GitLab platform itself is resistant to abusive behaviors and attacks
• Authentication
• Authorization - Ensure that users have roles and permissions that balance security and ease of performing their job within GitLab.
• Compliance - Provide users with the tools and features necessary to manage their compliance programs.
• Security Policies - Apply policies to enforce scans and to require security approvals for MRs when necessary.
• Threat Insights - Holistically view, manage, and reduce potential risks across the entire DevSecOps lifecycle.

Resourcing and Investment

The existing team members for the Govern Stage can be found in the links below:

• Development
• User Experience
• Product Management
• Quality Engineering

3 Year Stage Themes

Top-down security controls

Security teams need centralized management for their security and compliance workflows. Features such as user management, compliance labels, security policies, and the vulnerability and dependency lists need to allow for centralized management that applies across all of an organization's projects.

No compromises with compliance

Govern capabilities will ensure that compliance regulations are strictly followed in a way that they cannot be bypassed without the proper approvals. This includes providing the necessary tools to audit, monitor, and manage the compliance controls that are enforced.

Coordinate governance across GitLab

Govern capabilities will serve as a connection point for a seamless workflow spanning across the DevSecOps lifecycle. By enabling collaboration between types of users, Govern can help solidify the advantages GitLab has to offer as a single application. For example, these areas might include the following:

• Facilitating a continuous experience for scanning across repositories, registries, and production environments.
• Centralizing security and compliance controls across GitLab, including merge request approvals, anomalous user activity, and anomalous pipeline/job activity.
• Leveraging data about production environment configuration to reduce false positives in scanners.
• Leveraging data about vulnerabilities in development to inform and drive threat mitigation in production.

Emphasize usability and convention over configuration

Govern capabilities will be pre-configured with reasonable defaults out-of-the-box whenever possible. When not possible, they will be easy to configure either through code or through a guided UI workflow that is friendly to users without coding knowledge. Regardless of how the capabilities are configured, they will be stored as code for ease of management.

For example, GitLab's security policy editor supports editing policies in both a rule mode and in yaml mode.

Secure the software supply chain

Govern capabilities allow organizations to lock down every aspect of their supply chain. This includes securely authenticating users into GitLab, hardening the GitLab platform itself, and verifying every step along the DevSecOps lifecycle as code is created, built, and deployed.

3 Year Strategy

Building on those themes, some specific capabilities that we envision developing over the next 3 years include the following:

Anti-Abuse

1. Adaptive user-based rate limiting based on a trust score.
2. Insider threat policies to allow organizations to monitor and reduce risk.
3. Monitoring and alert system for new URLs in a pipeline network.

Authentication

1. Remove friction from authentication flows across GitLab. Focus on non-UI based authentication, both for humans and bot accounts.

2. Allow administrators to have a bird's eye view of the credentials across their instance and be able to enforce policies on them that increase security while minimizing disruption to automated worklows

3. Create a more robust OAuth integration

Authorization

1. Add more flexibility to the custom roles framework - allow a role to be created from scratch (not dependent on a base role), allow customers to define policies that combine various factors to ensure the right level of access

2. Add more robust logic before granting access to a resource - consider not only the role of the user, but also other attributes such as security policies, trust score, etc.

Compliance

1. Even more comprehensive visibility and security related to access tokens, keys, and credentials.
2. Added support to view how projects adhere to an expanded list of compliance and regulatory requirements.

Security Policies

1. A unified, global policy management experience for all security policies, spanning across GitLab's stages, including support for policies that automate vulnerability management workflows, automate compliance, protect against pipeline abuse, and policies to protect against insider threats.
2. A more robust and intelligent policy engine that can consider multiple data sources and aide in decisioning based on your use case for security enforcement or compliance use cases.
3. Improved policy change management tools, including visibility into the scope/impact of policy changes, as well as improved visibility into the history and approvals for changes made to policies.
4. The ability to proactively notify users about newly discovered vulnerabilities in production or in the default branch.

Threat Insights

1. Enhanced visibility provided by proactive alerts, configurable dashboards, and customizable reports will put the right information in the right form at the right time.
2. Custom risk profiles to let your organization determine the business criticality of projects and assets. This will enable risk-based decision making to maximize return on security efforts.

In addition to these areas specific to our individual groups, we also plan to expand our use of ML and AI across all of the Govern features.

1 Year Plan

Over the next 12 months, the Govern stage is focused on addressing critical needs for security and compliance teams. Some of the key initiatives include the following:

1. Additional controls for managing enterprise users.
2. A tighter authentication integration with GCP.
3. Support for additional custom role permissions.
4. Improved searching and filtering for both vulnerabilities and dependencies.
5. The ability to track vulnerabilities across all branches.
6. Improvements to the Compliance Standards Report, including availability at the project and sub-group levels.
7. Scan execution policies that support execution of custom jobs and scripts.
8. A unified way of viewing and searching across all audit events.
9. Added support for managing security (vulnerabilities, dependencies, policies, compliance) at the organizational level so self-managed instances can manage security centrally across all of their groups.

In addition to adding new features, we plan to improve the reliability of our features by increasing our test coverage. We maintain a prioritized list of these testing priorities.

We also regularly perform UX research and also maintain a prioritized list of these UX research priorities.

What We're Not Doing

Although we will likely address many of these areas in the future (as described above in our 3 year strategy), we are not planning to make progress on the following initiatives in the next 12 months:

• Attempting to build our own Security Information and Event Management (SIEM) system
• Building analytics or algorithms to auto-tune or auto-recommend policy improvements

Key Performance Metrics

The following metrics are used to evaluate the success of the Govern stage:

• Anti-Abuse: Monthly active users are not relevant for this group. Instead success is measured in the observed abuse rate combined with the impact to paid conversion.
• Authentication Group Monthly Active Users: This is the total number of users in a paid SAML group.
• Authorization Group Monthly Active Users: The number of unique users who are assigned to a custom role.
• Compliance Group Monthly Active Users: This is the total number of unique users viewing the Audit Events, Compliance Dashboard, or Credential Inventory pages in the last 28 days of the given month.
• Security Policies Group Monthly Active Users: This is the total number of users that have interacted with GitLab's Vulnerability Management in the last 28 days of the given month.
• Threat Insights Group Monthly Active Users: This is the total number of unique sessions viewing a security dashboard, pipeline security report, or expanding MR security report in the last 28 days of the given month.

Note: We do not yet have a single metric to track the success of the Govern stage as a whole. This is being tracked in this issue.

Target Audience

GitLab identifies who our DevSecOps application is built for utilizing the following categorization. We list our view of who we will support when in priority order.

• 🟩- Targeted with strong support
• 🟨- Targeted but incomplete support
• ⬜️- Not targeted but might find value

Today

To capitalize on the opportunities listed above, the Govern Stage has features that make it useful to the following personas today.

1. 🟩 Developers / Development Teams
2. 🟩 Application Security Teams
3. 🟨️ Compliance Specialists / Manager
4. 🟨️ Legal Teams
5. 🟨 Infrastructure Security Teams

Medium Term (1-2 years)

As we execute our 3 year strategy, our medium term (1-2 year) goal is to provide a single DevSecOps application that enables SecOps to work collaboratively with DevOps and development to mitigate vulnerabilities in production environments.

1. 🟩 Developers / Development Teams
2. 🟩 Application Security Teams
3. 🟩 Compliance Specialists / Manager
4. 🟩 Legal Teams
5. 🟨 Infrastructure Security Teams

Pricing

Govern is focused on providing governance and compliance features that span across the DevSecOps lifecycle. Govern’s tiering strategy aligns with the GitLab approach of selecting the tier based on who cares most about the feature. Because Executives generally care most about governance features, it is expected that most Govern features will land in the Ultimate tier.

Free

This tier is the primary way to increase broad adoption of the Govern stage, as well as encouraging community contributions and improving security across the entire GitLab user base.

As a general rule of thumb, features will fall in the Free tier when they meet one or more of the following criteria:

• The feature is highly useful for an individual with a few small projects rather than meeting the needs of an organization or enterprise that is operating at scale.
• The feature is provided by an integration with an open source project rather than being natively developed by GitLab.

Premium

This tier is not a significant part of Govern's pricing strategy; however, a few features features that primarily appeal to Directors rather than Executives may fall into the Premium tier. One example of this is our audit event functionality that is available in this tier.

Ultimate

This tier is the primary focus for the Govern stage as most Govern features enable executives to ensure that their organization meets compliance requirements and maintains an acceptable security posture.

As a general rule of thumb, features will fall in the Ultimate tier when they meet one or more of the following criteria:

• The feature is focused on enabling an organization or enterprise to operate at scale rather than an individual with a few small projects.
• The feature is natively developed by GitLab rather than being provided by an open source project.

Categories

There are a few product categories that are critical for success here; each one is intended to represent what you might find as an entire product out in the market. We want our single application to solve the important problems solved by other tools in this space - if you see an opportunity where we can deliver a specific solution that would be enough for you to switch over to GitLab, please reach out to the PM for this stage and let us know.

Each of these categories has a designated level of maturity; you can read more about our category maturity model to help you decide which categories you want to start using and when.

User Management

GitLab user lifecycle management. Includes provisioning users and their attributes. Does not include user profile, groups, projects, or sharing.

Priority: high • Documentation • Direction

System Access

Authentication through all points of GitLab - UI, CLI, API. Does not include authentication within other stages of GitLab (for example, job tokens). Also includes what the individual/process has access to once they authenticate, determined by their role.

Documentation • Direction

Permissions

Authorization evaluates what access or rights an identity should have in an environment.

Documentation • Direction

Audit Events

Track important events for review and compliance such as who performed certain actions and the time they happened. This category is at the "viable" level of maturity.

Priority: high • Documentation • Direction

Compliance Management

Provide customers with the tools and features necessary to manage their compliance programs. This category is at the "viable" level of maturity.

Priority: high • Documentation • Direction

Security Policy Management

Unified security policy management capabilities across all of GitLab's scanners and security technologies. Apply policies to enforce scans and to require security approvals when vulnerabilities are found. This category is at the "minimal" level of maturity.

Priority: medium • Documentation • Direction

Vulnerability Management

View, triage, trend, track, and resolve vulnerabilities detected in your applications. This category is at the "complete" level of maturity.

Priority: high • Documentation • Direction

Dependency Management

Track dependencies detected in your applications. This category is at the "viable" level of maturity.

Priority: high • Documentation • Direction

Software Bill of Materials

Track dependencies detected in your applications. This category is at the "viable" level of maturity.

Priority: high • Documentation • Direction

Insider Threat

Insider Threat identifies attacks and high risk behaviors by correlating different data sources and observing behavioral patterns

Direction

Instance Resiliency

We want to prevent malicious activity from occurring within GitLab Instances.

Documentation • Direction

Release Evidence

Release Evidence includes all the assurances and evidence collection that are necessary for you to trust the changes you're delivering. This category is at the "viable" level of maturity.

Documentation • Direction

Upcoming Releases

16.9 (2024-02-15)

• External Status Check Approval
• Compliance Framework report ability to link Security Policies
• Compliance pipelines maintenance mode and deprecation
• Destination streaming audit events improvements
• Standards Adherence Report Improvements
• Project and License filters Ultimate
• Prevent branch modification when a policy disables the setting for the given branches Ultimate
• Dependency list grouping Ultimate
• Streaming audit events to AWS S3 Ultimate
• Security Policy Scopes Ultimate
• ✅ Project Level Access Tokens
• Force total re-auth on SAML IdP when approving MR in the UI, regardless of existing session
• Prefix SCIM tokens Premium Ultimate

16.10 (2024-03-21)

• Policy Violations Bot Comment Ultimate
• Show compliance progress for SOC2 based on the starting seven criteria
• Compliance Framework report show linked Security Policies MVC
• Compliance Adherence Report Checks
• Improve manage/edit compliance frameworks MVC
• Display security policy violation details to users Ultimate
• Compliance violation export
• Security Policy Impact Assessment and Audit Mode Ultimate
• Use bot users to trigger scan execution policies pipelines
• Prevent security policy limitations
• Allow component specific filters to Scan Result Policies for License Approval rules Ultimate
• Add support for the Vulnerability Report and Dependency List at the Organization Level Ultimate

16.11 (2024-04-18)

• Compliance Violations Report improvements Ultimate
• Security Policy Management Viable to Complete
• Comprehensive audit log

17.0 (2024-05-16)

• Instance Streaming Audit Events Improvements
• Compliance feature exports MVC
• Granular Security Permissions Ultimate
• Improved Admin and Group-level branch protection settings Premium
• Allow filtering of streamed audit events Ultimate
• Remove admin_vulnerability from developers Ultimate
• Project-level audit event export for self-managed and GitLab.com Premium
• Group-level audit event export for self-managed and GitLab.com Premium

17.1 (2024-06-20)

• Security Policy Management Vision

Other Interesting Items

There are a number of other issues that we've identified as being interesting that we are potentially thinking about, but do not currently have planned by setting a milestone for delivery. Some are good ideas we want to do, but don't yet know when; some we may never get around to, some may be replaced by another idea, and some are just waiting for that right spark of inspiration to turn them into something special.

Remember that at GitLab, everyone can contribute! This is one of our fundamental values and something we truly believe in, so if you have feedback on any of these items you're more than welcome to jump into the discussion. Our vision and product are truly something we build together!

Last Reviewed: 2023-10-31
Last Updated: 2023-10-31