DevSecOps shifts left as GitLab Acquires Peach Tech and Fuzzit

essidsolutions

GitLab’s acquisition of Peach Tech’s and Fuzzit’s fuzzing technologies will enable developers to identify, fix, and remediate security vulnerabilities in their code, and integrate that testing into the Continuous Integration/Continuous Deployment (CI/CD) pipeline.

Developer-driven open-source code collaboration platform GitLab has turned its attention to the security side of DevOps, or DevSecOps, with its acquisition of two software testing firms, Peach Tech and Fuzzit. Seattle-based Peach Tech provides fuzz testing and Dynamic Application Security Testing (DAST), whereas Israel-based Fuzzit offers coverage-guided fuzz testing. Integrating these technologies into GitLab’s security offering is intended to deliver a more thorough application security testing experience while moving security to the earliest point in the development process (shifting security left).

Sid Sijbrandij, CEO of GitLab shares, “Bringing the fuzzing technologies of Peach Tech and Fuzzit into GitLab’s security solutions will give our users an even more robust and thorough application security testing experience while enabling them to shift security left. This simultaneously simplifies their workflows and creates collaboration between development, security, and operations teams.”


DevSecOps: Need of the Hour

According to the 2019 State of DevOps Report, 61% of firms with the highest level of security integration in their DevOps lifecycle were able to deploy to production at a higher rate than firms at other levels of integration. Growing DevSecOps adoption by enterprises signals the importance of security in software delivery. So, what exactly is DevSecOps? It is a strategic collaboration of development, security, and operations from the inception of the code. DevSecOps integrates security practices and tools into the DevOps lifecycle, bridges the gaps between IT and security, and ensures safe and fast delivery of software.

The next logical question is, why do organizations need DevSecOps? Growing cloud usage and cloud migration have been accompanied by a proliferation of attackers. In fact, between January 2020 and April 2020, McAfee reported that enterprise cloud adoption spiked by 50%, and during the same period cyberattacks rose by a whopping 630%. The surge shows how readily attackers find ways to plant malware in web applications and turn end users into victims. DevSecOps plays an important role in containing such attacks. Over the years, GitLab has increased its focus on building a DevSecOps platform for its users, and that is where these acquisitions come in.

The Concept of Fuzz Testing

Last year, GitLab introduced GitLab 12.0 to create an inclusive approach and bring developers, operations professionals, and the security team together in a single application. Strengthening its DevSecOps mission, this year GitLab has gone a step further by offering fuzz testing as a product. Developed by Barton Miller at the University of Wisconsin in 1989, fuzz testing, or fuzzing, is a software testing process for identifying potential vulnerabilities in code. It feeds malformed or random data (the "fuzz") into the program to find bugs, crashes, and security loopholes. Unfortunately, the same technique is also used by attackers to find vulnerabilities that they can then exploit to deliver malware.

Felix from F-Secure Labs explains in his blog post, “To start with fuzzing you need a target that takes input. The more complex the application is, the more likely it is to find bugs with a fuzzer. It can be in-house or third-party software depending on the use case. You need to think about the types of bugs you want to catch. A fuzzer needs to know when it found a bug, so the easiest found bugs are those that lead to a crash, as that would indicate a potential security vulnerability.”
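As an added illustration (not code from GitLab, Peach Tech or Fuzzit), the following toy coverage-guided mutational fuzzer in Python shows the loop the article describes at small scale: it traces which lines of a target each input executes, keeps inputs that reach new lines, and buckets crashes by exception type and crash line, the kind of crash correlation Fuzzit advertises. The `parse_record` target, its record format and its planted missing-trailer bug are constructed for this example.

```python
import random
import sys

def parse_record(data: bytes) -> int:
    """Constructed target: b'GL' magic, 1-byte length, body, 1-byte trailer."""
    if len(data) < 3 or data[:2] != b"GL":
        return 0                            # bad header
    n = data[2]
    body = data[3:3 + n]
    if len(body) != n:
        return -1                           # truncated body
    return (sum(body) & 0xFF) ^ data[3 + n]  # planted bug: trailer may be missing

def run_with_coverage(target, data):  # -> (lines executed in target, exception|None)
    lines, exc, prev = set(), None, sys.gettrace()
    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is target.__code__:
            lines.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)
    try:
        target(data)
    except Exception as e:                  # any uncaught exception = crash
        exc = e
    sys.settrace(prev)
    return lines, exc

def mutate(data: bytes) -> bytes:
    buf, op = bytearray(data), random.randrange(3)  # overwrite / insert / delete
    if op == 0 and buf:
        buf[random.randrange(len(buf))] = random.randrange(256)
    elif op == 1:
        buf.insert(random.randrange(len(buf) + 1), random.randrange(256))
    elif buf:
        del buf[random.randrange(len(buf))]
    return bytes(buf)

def fuzz(target, seeds, iterations, rng_seed=0):  # keep new coverage, bucket crashes
    random.seed(rng_seed)
    corpus, crashes = list(seeds), {}
    covered = set().union(*(run_with_coverage(target, s)[0] for s in seeds))
    for _ in range(iterations):
        data = mutate(random.choice(corpus))
        cov, exc = run_with_coverage(target, data)
        if exc is not None:                 # crash: one bucket per crash site
            key = (type(exc).__name__, exc.__traceback__.tb_next.tb_lineno)
            crashes.setdefault(key, []).append(data)
        elif not cov <= covered:            # new coverage: add to corpus
            covered |= cov
            corpus.append(data)
    return corpus, crashes
```

Running `fuzz(parse_record, [b"GL\x02ab\x00"], 2000)` from a single valid seed grows the corpus with inputs that reach the rejection paths and collects many crashing inputs that all collapse into one bucket, the single missing-bounds-check bug.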


David DeSanto, Director of Product of GitLab Secure & Defend, in an exclusive commentary shared with Toolbox said, “With these acquisitions, GitLab is focusing on shifting fuzz testing left while also focusing on the user experience. Traditionally, fuzz testing has been a tool within the security team as the barrier to adoption has been high due to the complexity of fuzz testing tools. GitLab’s primary user persona has been the developer and the plan is to integrate fuzz testing into the developer’s workflow by making it easier to set up and interpret the results. This will help drive fuzz testing adoption and help organizations test deeper into their applications than they can do with traditional application security testing (AST) solutions.”

The Future of This Acquisition

To stem the tide of security breaches, GitLab will integrate the Peach Tech and Fuzzit technologies into GitLab Secure and eliminate the dependence on standalone fuzz testing solutions. Development and security teams can combine application security testing with a shift-left approach to test code early and often, and work towards reducing the organization’s overall security risk. With fully integrated security solutions, users will have the tools they need for application security testing and Quality Assurance (QA) testing to identify, fix, and remediate security loopholes that an attacker could otherwise exploit.

Yevgeny Pats, Fuzzit founder and CEO, shares, “Fully integrating Fuzzit will make GitLab the first security solution that provides continuous coverage-guided fuzz testing natively within the CI/CD pipeline. Fuzzit’s support for multiple coverage-guided fuzzers combined with its crash analysis and correlation technology will add an important capability to the DevSecOps for GitLab users.”

“Providing GitLab users with the best security testing tools is key to GitLab’s DevSecOps core mission,” said Michael Eddington, Peach Tech founder and CEO. “The integration of Peach Tech’s technologies expands GitLab’s shift security left capabilities making the future of security and DevSecOps a reality today for all GitLab users.”
