GitlLab, as part of its effort to extend the reach of its DevOps platform into the realm of security, has acquired Gemnasium, a provider of tools to mitigate vulnerabilities in open source code.

The goal is to incorporate the IT security tools Gemnasium has developed within a single software development lifecycle (SDLC) platform, said GitLab CEO Sid Sijbrandij.

Because both companies relied on the Ruby on Rails programming language to write their respective applications, integration of the Gemnasium software into the core GitLab platform will be easier, he said.

Sijbrandij noted a growing number of organizations are looking to extend the reach and scope of their DevOps processes to include security, also known as DevSecOps. The pitfall they face will be trying to integrate disparate DevOps and security management tools. GitLab is moving to integrate both classes of tools within a single SDLC environment that will make it easier for organizations to make the transition to DevSecOps.

GitLab, Sijbrandij said, already had been moving down that path prior to the acquisition of Gemnasium. Previous releases of the company’s platform have included support for static application security testing (SAST), dynamic application security yesting (DAST) and container scanning. The separate software that Gemnasium developed will no longer be supported after May 15.

Related Content:

How Developers Can Take a More Proactive Approach to Security

CA Technologies Survey Uncovers DevSecOps Challenges

Longer term, Sijbrandij said GitLab is moving toward being able to host its software on top of the open source Kubernetes container orchestration platform. That approach will make it easier to automate deployment of its software on multiple public clouds and on-premises IT environments using a zero-touch provisioning framework.

Ultimately, embracing DevSecOps should result in more secure applications. But just as importantly, IT organizations need to be able to adroitly remediate software vulnerabilities whenever required. There’s a direct correlation between how long malware goes undiscovered and the amount of potential damage caused. It’s not uncommon these days for malware to go undetected for months; as such, eliminating as many of the vulnerabilities that cybercriminals routinely exploit must be a much higher priority for developers.

Achieving that goal, however, is as much about process as it is tooling. Most developers are not security experts. Conversely, IT security experts typically know little about building applications. Developers are under more pressure than ever to roll out applications faster. But that pressure also often leads to them to short-shrift testing processes that otherwise would have uncovered a vulnerability. Organizations that embrace DevSecOps are trying to address security issues earlier in the process because fixing them once an application is in production is expensive. At the same time, however, no one wants to slow down the speed at which applications are being developed. That creates something of a chicken-and-egg dilemma for IT leaders trying to determine degree to which new tooling will foster changes to processes and culture, or whether they need to accomplish the latter before investing in new tooling.

There’s always been a natural tension between developers and IT security teams. The hope is that by making them all part of the same DevSecOps team, that tension is either eliminated or sharply reduced. That outcome stands a better chance of being achieved when everyone involved is employing a common framework.

— Mike Vizard