Merge branch 'russell/improve-application-security-overview' into 'master'

Improve Application Security overview See merge request gitlab-org/gitlab!60688

Merge branch 'russell/improve-application-security-overview' into 'master'
Improve Application Security overview See merge request gitlab-org/gitlab!60688
082a61c2 · Evan Read · 04be8d17 · 7af0f762 · 082a61c2
Commit 082a61c2 authored Apr 30, 2021 by Evan Read
Hide whitespace changes
Inline Side-by-side

Showing with 51 additions and 40 deletions

doc/user/application_security/index.md doc/user/application_security/index.md +51 -40

No files found.
--- a/doc/user/application_security/index.md
+++ b/doc/user/application_security/index.md
@@ -7,9 +7,16 @@ type: reference, howto

 # Application security **(ULTIMATE)**

-GitLab can check your application for security vulnerabilities that may lead to unauthorized access,
-data leaks, denial of services, and more. GitLab reports vulnerabilities in the merge request so you
-can fix them before you merge.
+GitLab can check your application for security vulnerabilities including:
+
+- Unauthorized access.
+- Data leaks.
+- Denial of service attacks.
+
+Statistics and details on vulnerabilities are included in the merge request. Providing
+actionable information _before_ changes are merged enables you to be proactive.
+
+GitLab also provides high-level statistics of vulnerabilities across projects and groups:

 - The [Security Dashboard](security_dashboard/index.md) provides a
  high-level view of vulnerabilities detected in your projects, pipeline, and groups.
@@ -18,13 +25,45 @@ can fix them before you merge.
  you can immediately begin risk analysis and remediation.

 <i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
-For an overview of GitLab application security, see
-[Security Deep Dive](https://www.youtube.com/watch?v=k4vEJnGYy84).
+For an overview of GitLab application security, see [Shifting Security Left](https://www.youtube.com/watch?v=XnYstHObqlA&t).
+
+## Security scanning tools
+
+GitLab uses the following tools to scan and report known vulnerabilities found in your project.
+
+| Secure scanning tool                                                         | Description                                                            |
+|:-----------------------------------------------------------------------------|:-----------------------------------------------------------------------|
+| [Container Scanning](container_scanning/index.md) **(ULTIMATE)**             | Scan Docker containers for known vulnerabilities.                      |
+| [Dependency List](dependency_list/index.md) **(ULTIMATE)**                   | View your project's dependencies and their known vulnerabilities.      |
+| [Dependency Scanning](dependency_scanning/index.md) **(ULTIMATE)**           | Analyze your dependencies for known vulnerabilities.                   |
+| [Dynamic Application Security Testing (DAST)](dast/index.md) **(ULTIMATE)**  | Analyze running web applications for known vulnerabilities.            |
+| [API fuzzing](api_fuzzing/index.md) **(ULTIMATE)**                           | Find unknown bugs and vulnerabilities in web APIs with fuzzing.        |
+| [Secret Detection](secret_detection/index.md)                                | Analyze Git history for leaked secrets.                                |
+| [Security Dashboard](security_dashboard/index.md) **(ULTIMATE)**             | View vulnerabilities in all your projects and groups.                  |
+| [Static Application Security Testing (SAST)](sast/index.md)                  | Analyze source code for known vulnerabilities.                         |
+| [Coverage fuzzing](coverage_fuzzing/index.md) **(ULTIMATE)**                 | Find unknown bugs and vulnerabilities with coverage-guided fuzzing.    |
+
+## Security scanning with Auto DevOps
+
+To enable all GitLab Security scanning tools, with default settings, enable
+[Auto DevOps](../../topics/autodevops/):
+
+- [Auto SAST](../../topics/autodevops/stages.md#auto-sast)
+- [Auto Secret Detection](../../topics/autodevops/stages.md#auto-secret-detection)
+- [Auto DAST](../../topics/autodevops/stages.md#auto-dast)
+- [Auto Dependency Scanning](../../topics/autodevops/stages.md#auto-dependency-scanning)
+- [Auto License Compliance](../../topics/autodevops/stages.md#auto-license-compliance)
+- [Auto Container Scanning](../../topics/autodevops/stages.md#auto-container-scanning)
+
+While you cannot directly customize Auto DevOps, you can [include the Auto DevOps template in your project's `.gitlab-ci.yml` file](../../topics/autodevops/customize.md#customizing-gitlab-ciyml).

-## Quick start
+## Security scanning without Auto DevOps

-Get started quickly with Dependency Scanning, License Scanning, Static Application Security
-Testing (SAST), and Secret Detection by adding the following to your [`.gitlab-ci.yml`](../../ci/yaml/README.md):
+To enable all GitLab security scanning tools, with the option of customizing settings, add the
+GitLab CI/CD templates to your `.gitlab-ci.yml` file.
+
+To enable Static Application Security Testing, Dependency Scanning, License Scanning, and Secret
+Detection, add:

 ```yaml
 include:
@@ -34,8 +73,8 @@ include:
  - template: Security/Secret-Detection.gitlab-ci.yml
 ```

-To add Dynamic Application Security Testing (DAST) scanning, add the following to your
-`.gitlab-ci.yml` and replace `https://staging.example.com` with a staging server's web address:
+To enable Dynamic Application Security Testing (DAST) scanning, add the following to your
+`.gitlab-ci.yml`. Replace `https://staging.example.com` with a staging server's web address:

 ```yaml
 include:
@@ -45,17 +84,8 @@ variables:
  DAST_WEBSITE: https://staging.example.com
 ```

-To ensure the DAST scanner runs *after* deploying the application to the staging server, review the [DAST full documentation](dast/index.md).
-
-To add Container Scanning, follow the steps listed in the [Container Scanning documentation](container_scanning/index.md#requirements).
-
-To further configure any of the other scanners, refer to each scanner's documentation.
-
-### SAST configuration
-
-You can set up and configure Static Application Security Testing
-(SAST) for your project, without opening a text editor. For more details,
-see [configure SAST in the UI](sast/index.md#configure-sast-in-the-ui).
+For more details about each of the security scanning tools, see their respective
+[documentation sections](#security-scanning-tools).

 ### Override the default registry base address

@@ -63,27 +93,8 @@ By default, GitLab security scanners use `registry.gitlab.com/gitlab-org/securit
 base address for Docker images. You can override this globally by setting the CI/CD variable
 `SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once.

-## Security scanning tools
-
-GitLab uses the following tools to scan and report known vulnerabilities found in your project.
-
-| Secure scanning tool                                                         | Description                                                            |
-|:-----------------------------------------------------------------------------|:-----------------------------------------------------------------------|
-| [Container Scanning](container_scanning/index.md) **(ULTIMATE)**             | Scan Docker containers for known vulnerabilities.                      |
-| [Dependency List](dependency_list/index.md) **(ULTIMATE)**                   | View your project's dependencies and their known vulnerabilities.      |
-| [Dependency Scanning](dependency_scanning/index.md) **(ULTIMATE)**           | Analyze your dependencies for known vulnerabilities.                   |
-| [Dynamic Application Security Testing (DAST)](dast/index.md) **(ULTIMATE)**  | Analyze running web applications for known vulnerabilities.            |
-| [API fuzzing](api_fuzzing/index.md) **(ULTIMATE)**                           | Find unknown bugs and vulnerabilities in web APIs with fuzzing.        |
-| [Secret Detection](secret_detection/index.md)                                | Analyze Git history for leaked secrets.                                |
-| [Security Dashboard](security_dashboard/index.md) **(ULTIMATE)**             | View vulnerabilities in all your projects and groups.                  |
-| [Static Application Security Testing (SAST)](sast/index.md)                  | Analyze source code for known vulnerabilities.                         |
-| [Coverage fuzzing](coverage_fuzzing/index.md) **(ULTIMATE)**                 | Find unknown bugs and vulnerabilities with coverage-guided fuzzing.    |
-
 ### Use security scanning tools with Pipelines for Merge Requests

-The security scanning tools can all be added to pipelines with [templates](https://gitlab.com/gitlab-org/gitlab/-/tree/master/lib/gitlab/ci/templates/Security).
-See each tool for details on how to use include each template in your CI/CD configuration.
-
 By default, the application security jobs are configured to run for branch pipelines only.
 To use them with [pipelines for merge requests](../../ci/merge_request_pipelines/index.md),
 you may need to override the default `rules:` configuration to add: