GitLab teams up with Rezilion to add a workload analysis tool
Rezilion has integrated its workload analysis tool with the continuous integration (CI) framework provided by GitLab. The move is part of an effort to make it easier for developers to find issues such as vulnerabilities before their code is merged into a repository.
Sam White, senior product manager for GitLab, said this integration will provide developers with an instant feedback loop that will allow them to fix a wide range of issues before their code is ever reviewed. Rather than feeling shame at, say, missing a vulnerability, developers can quickly write code while relying on the Rezilion platform's code analysis to surface common errors they can correct as they see fit, he added.
Rezilion CEO Liran Tancman added that the proprietary workload composition analysis engine, dubbed Unison, on which the Rezilion platform is built, helps shift responsibility for application security further without forcing developers to become cybersecurity experts.
Unison automatically creates a model of each application, including its underlying infrastructure and runtime environment. It reverse engineers and maps this environment in memory to dynamically track inventory, provenance, runtime execution, exposure and the interdependencies between each piece of code, and it can generate a software bill of materials (SBOM).
Code that most needs immediate attention is also presented directly within the GitLab UI, Tancman said. This capability can reduce the time needed to work through the backlog of vulnerabilities that an organization might address over time by up to 70 percent, he added. Rezilion enables organizations to achieve this goal because non-exploitable vulnerabilities are marked as “false positives”, which should not delay a release.
Tancman said that without this level of automation, it would be extremely difficult for an organization to implement a set of DevSecOps best practices. It could take developers years to reach the level of cybersecurity training that would be required absent the automation enabled by the Unison engine, he noted.
Historically, relationships between app developers and cybersecurity teams have been strained. Cybersecurity teams tend to postpone reviewing code until it’s about to be deployed to a production environment. It’s not uncommon for an app to be taken down at the last minute due to a vulnerability discovered by a cybersecurity team. In some cases this vulnerability is a legitimate concern, but in others it turns out to be a false positive because the reported piece of code is not actually included in the application.
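The triage the article describes, marking a reported vulnerability as non-exploitable when the affected code is never actually loaded by the workload, can be illustrated with a small script. What follows is an added example, not Rezilion's or GitLab's code, and Unison's real mechanics are not public here; the SBOM, the advisory list and the `/proc/<pid>/maps` snapshot are all constructed sample data, the advisory identifiers are placeholders rather than real CVEs, and the file paths and field names are assumptions.

```python
"""Triage SBOM vulnerability findings against what a running workload actually loaded.

Added illustration of runtime-based vulnerability triage. All inputs below are
constructed; nothing here is Rezilion's or GitLab's implementation.
"""
from __future__ import annotations

import re

# Constructed sample: lines in /proc/<pid>/maps format, as a runtime probe
# might capture them from a running container. Addresses and paths are made up.
MAPS_SAMPLE = """\
55d3a0e00000-55d3a0e21000 r--p 00000000 fd:01 1049  /usr/bin/app
7f1c2a400000-7f1c2a42b000 r-xp 00000000 fd:01 2201  /usr/lib/x86_64-linux-gnu/libfoo.so.1.2.3
7f1c2a600000-7f1c2a612000 r-xp 00000000 fd:01 2202  /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
7f1c2a800000-7f1c2a81f000 rw-p 00000000 00:00 0
7ffd5e3c0000-7ffd5e3e1000 rw-p 00000000 00:00 0     [stack]
"""

# Constructed SBOM: component -> shipped version and the files it installs.
# A real CycloneDX or SPDX document carries the same facts under other field names.
SBOM = {
    "libfoo": {"version": "1.2.3", "files": ["/usr/lib/x86_64-linux-gnu/libfoo.so.1.2.3"]},
    "zlib": {"version": "1.2.11", "files": ["/usr/lib/x86_64-linux-gnu/libz.so.1.2.11"]},
    "libbar": {"version": "4.5.6", "files": ["/usr/lib/x86_64-linux-gnu/libbar.so.4.5.6"]},
}

# Constructed advisories; the ids are placeholders, not real vulnerability identifiers.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "libfoo", "affected": {"1.2.3"}},
    {"id": "EXAMPLE-0002", "component": "libbar", "affected": {"4.5.6"}},
    {"id": "EXAMPLE-0003", "component": "zlib", "affected": {"1.2.8"}},  # shipped version is fixed
]

# address-range  perms  offset  dev  inode  pathname   (anonymous mappings have no pathname)
MAPS_LINE = re.compile(r"^\S+\s+(\S{4})\s+\S+\s+\S+\s+\d+\s+(/\S+)")


def loaded_executable_paths(maps_text: str) -> set[str]:
    """Return file-backed mappings that carry execute permission."""
    paths: set[str] = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and "x" in m.group(1):
            paths.add(m.group(2))
    return paths


def loaded_components(sbom: dict, paths: set[str]) -> set[str]:
    """Map executable mappings back to the SBOM components that own those files."""
    return {name for name, meta in sbom.items() if any(f in paths for f in meta["files"])}


def triage(sbom: dict, advisories: list[dict], maps_text: str) -> dict[str, list[str]]:
    """Bucket advisories into three queues.

    actionable    - affected version shipped AND its code was mapped executable
    not_loaded    - affected version shipped but never observed loaded (false-positive candidate)
    not_affected  - shipped version is outside the advisory's affected range
    """
    loaded = loaded_components(sbom, loaded_executable_paths(maps_text))
    out: dict[str, list[str]] = {"actionable": [], "not_loaded": [], "not_affected": []}
    for adv in advisories:
        comp = sbom.get(adv["component"])
        if comp is None or comp["version"] not in adv["affected"]:
            out["not_affected"].append(adv["id"])
        elif adv["component"] in loaded:
            out["actionable"].append(adv["id"])
        else:
            out["not_loaded"].append(adv["id"])
    return out


if __name__ == "__main__":
    for bucket, ids in triage(SBOM, ADVISORIES, MAPS_SAMPLE).items():
        print(f"{bucket:13s} {', '.join(ids) or '-'}")
```

Two caveats a practitioner would attach to the "false positive" label. A snapshot of executable mappings proves presence, not absence: a library that is `dlopen`ed only on a rare code path, or a component in an interpreted language whose code never appears as a file-backed executable mapping, will land in `not_loaded` even though it is reachable, so that queue is a deprioritization hint that still needs review, not a reason to drop the finding. And the match is on installed file paths from the SBOM, which depends on the SBOM actually recording them; a component list without file inventory cannot be joined to runtime data at all.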
By providing developers with a workload composition analysis tool as part of a CI framework, GitLab aims to reduce the friction that this process tends to create between developers and cybersecurity teams.
It may take some time for most organizations to fully master DevSecOps, but simply telling developers that they will be held accountable for application security, without providing the proper tools, will clearly not produce safer applications.