
GitLab Adds Security Fuzzing with Double Acquisition

11 Jun 2020 6:00am, by

In its bid to become the “complete DevOps platform,” GitLab has acquired two security companies, Peach Tech and Fuzzit, adding fuzzing to its long list of DevOps and DevSecOps capabilities. Peach Tech is a security software firm that builds protocol fuzz-testing and dynamic application security testing (DAST) tooling for APIs, while Fuzzit provides continuous, coverage-guided white-box fuzz testing.

With the acquisition, GitLab will be able to provide the full breadth of fuzzing to its users, and GitLab director of product David DeSanto explains that the acquisition goes beyond intellectual property or talent.

“We’re not just doing an acquihire, where we’re just taking people or an intellectual property acquisition. We’re actually acquiring the companies. They’re going to be working here at GitLab, helping with the integration, as well as continuing the missions that they were focused on, around making fuzzing the easiest tool to use,” said DeSanto in an interview.

Fuzzing involves feeding an application large volumes of pseudorandom or mutated inputs and watching for faults such as crashes, hangs, memory leaks, and other memory-safety errors, any of which can point to an exploitable bug. Fuzzing is broken down into two general types, white-box and black-box. White-box fuzzing has access to the source code: the fuzzer instruments the build so it can observe which code paths each input exercises and steer its mutations toward new coverage. Black-box fuzzing sends inputs to a compiled, running application with no such feedback, relying only on externally observable failures.

With the acquisition, GitLab will be able to provide both types of fuzzing, with Fuzzit providing white-box, while Peach provides black-box, which DeSanto says will give GitLab customers visibility into their applications that was previously unavailable.
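To make the two paradigms described above concrete, here is an added example written for this article; it is not code from GitLab, Peach Tech or Fuzzit. It uses a hypothetical length-prefixed record format and a deliberately buggy parser, `parseRecord`, beside its hardened form, `parseRecordFixed` (both constructed for the example). `blackBoxFuzz` is a feedback-free loop that throws random bytes at the target and records the first crashing input; `FuzzParseRecord` is the shape of a coverage-guided target for Go’s native fuzzer, which instruments the code and keeps mutations that reach new paths (to run it with `go test -fuzz=FuzzParseRecord`, copy it into a `_test.go` file).

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
	"testing"
)

// Hypothetical format constructed for this example: one length byte, then
// that many bytes of payload.
type record struct {
	payload []byte
}

// parseRecord has the kind of bug fuzzing finds well: it trusts the length
// byte and slices past the end of the input when the byte lies.
func parseRecord(b []byte) (record, error) {
	if len(b) == 0 {
		return record{}, errors.New("empty input")
	}
	n := int(b[0])
	// BUG: no check that len(b) >= 1+n. A short input panics with
	// "slice bounds out of range", which is the crash the harness watches for.
	return record{payload: b[1 : 1+n]}, nil
}

// parseRecordFixed is the hardened version: bounds check before slicing.
func parseRecordFixed(b []byte) (record, error) {
	if len(b) == 0 {
		return record{}, errors.New("empty input")
	}
	n := int(b[0])
	if len(b) < 1+n {
		return record{}, fmt.Errorf("declared length %d exceeds %d available bytes", n, len(b)-1)
	}
	return record{payload: b[1 : 1+n]}, nil
}

// runOnce feeds one input to the target and reports whether it crashed.
// In Go, memory-safety violations surface as panics; for a C target the
// equivalent signal is a SIGSEGV or an ASan/UBSan report.
func runOnce(target func([]byte) (record, error), input []byte) (crashed bool) {
	defer func() {
		if r := recover(); r != nil {
			crashed = true
		}
	}()
	_, _ = target(input)
	return false
}

// blackBoxFuzz is the simplest fuzz loop: pseudorandom inputs and no feedback
// from the target. It returns the first crashing input, or nil.
func blackBoxFuzz(target func([]byte) (record, error), seed int64, iters int) []byte {
	rng := rand.New(rand.NewSource(seed))
	for i := 0; i < iters; i++ {
		input := make([]byte, 1+rng.Intn(8)) // 1..8 random bytes
		rng.Read(input)
		if runOnce(target, input) {
			return input
		}
	}
	return nil
}

// FuzzParseRecord is a coverage-guided (white-box) target for Go's native
// fuzzer. The engine instruments the parser, mutates the seed corpus, keeps
// inputs that reach new code, and minimises any input that fails the check.
func FuzzParseRecord(f *testing.F) {
	f.Add([]byte{3, 'a', 'b', 'c'}) // seed corpus entry
	f.Fuzz(func(t *testing.T, in []byte) {
		rec, err := parseRecordFixed(in)
		if err == nil && len(rec.payload) != int(in[0]) {
			t.Fatalf("payload length %d != declared %d", len(rec.payload), in[0])
		}
	})
}

func main() {
	if crash := blackBoxFuzz(parseRecord, 1, 10000); crash != nil {
		fmt.Printf("crash: input %x declares %d payload bytes but carries %d\n",
			crash, crash[0], len(crash)-1)
	}
	if blackBoxFuzz(parseRecordFixed, 1, 10000) == nil {
		fmt.Println("hardened parser survived the same inputs")
	}
}
```

The random loop finds this bug quickly because almost any short input trips it; the coverage-guided target earns its keep on parsers with deeper state, where random bytes rarely get past the first few checks and feedback is what lets the fuzzer reach the interesting code. The same harness pattern, a target function plus a crash oracle, is what the CI integrations described in the article wrap so the results land in the same dashboard as other scanner findings.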

“By offering both sides of that fuzzing paradigm, we’re going to help our customers find the vulnerabilities in their applications better than they can today,” said DeSanto. “Fuzzing has always been one of those things that’s been a challenge for developers to pick up due to the fact that you have to become an expert in that tool to be able to be successful. That’s where GitLab is changing that paradigm. We’re bringing fuzzing to the developer and making it easy to use and approachable.”

Until now, GitLab users had to use third-party integrations to run fuzzing tools in their continuous integration (CI) pipelines, but this integration will bring everything into a single application.

“All the results were still in those third-party tools that weren’t actually integrated into our vulnerability management, and so it was having to use two different products at once. As these get fully integrated in, that need goes away. We’ll be able to work within a single environment like they can today for their dependency scanning and so forth,” explained DeSanto.

Currently, integration of the tools into GitLab is slated for a “minimal release” by October, with CI configuration, Go fuzzing, and DAST API functionality, said DeSanto. GitLab is starting with Go support because the company dogfoods its own tools and uses Go to build many of its own applications, but the features are slated to support all 16 languages the company otherwise supports. A “viable maturity” release is expected for the beginning of next year, with configuration in the user interface instead of YAML and results available in a dashboard as key functionality, making the tools easy to use and ready to replace third-party alternatives.

Overall, the acquisition is part of GitLab’s continuing push into DevSecOps, which DeSanto framed as something that streamlines development and bakes security into the process.

“Security is a team sport. You only win if everybody’s participating. We’re helping shift security left to the developer and have tools that they can run, they can understand the output, and they can fix issues. That benefits them because they’re able to streamline their development and not wait until the end of a cycle to get those findings. It also enables the security team to be more actively involved in the development process, and so we’re providing not just tools that developers can understand, but tools that security teams can understand, and then together they can collaborate to make a more secure application,” said DeSanto.


GitLab is a sponsor of The New Stack.
