GitLab vs MicroFocus Fortify Decision Kit

Summary

Both Fortify and GitLab Ultimate offer open source component scanning along with Static and Dynamic Application Security Testing. Fortify uses Sonatype for open source scanning in its SaaS product as an OEM service. Fortify on-premise is integrated with Sonatype and Black Duck for open source scanning on-premise, both of which require separate licensing and setup.

Fortify is a mature product. Fortify offers IAST (with DAST) and RASP, though it does not offer container scanning. In spite of its strengths as a stand-alone product, Fortify is a separate process outside of the developer's merge request workflow. The Fortify RASP product, Application Defender, is limited to Java and .NET applications. The Fortify Security Center (SSC) is needed if you want to pull results together from across the various Fortify scanners.

Fortify can be easily integrated into a GitLab CI process using its command-line and API integrations. A key difference is that Fortify does not yet provide incremental scanning, while GitLab clearly shows the scan results based upon the diff, that is, the code changed since the last commit.

GitLab automatically includes broad security scanning with every code commit including Static and Dynamic Application Security Testing, dependency scanning, container scanning, license management, secrets detection, and most recently fuzz testing. Results are provided to the developer in the CI pipeline (Merge Request) with no integration required. GitLab also aggregates and displays all results in a single dashboard both at Group and Project levels.
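As an added illustration, not taken from the original page, the following `.gitlab-ci.yml` enables the scanners named above by including GitLab's security CI templates; the build job, the image tag and the DAST target URL are assumptions for the example.

```yaml
# Added example: turn on GitLab's built-in scanners by including its CI templates.
# Assumptions: the project builds a container image into the GitLab registry and
# has a running test deployment whose URL is handed to DAST via DAST_WEBSITE.
stages:
  - build
  - test   # SAST, secret detection, dependency/license/container scanning run here
  - dast   # the DAST template defines its own stage

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Image that container scanning should analyse (built by the job below).
  CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  # Running application that DAST should scan; placeholder hostname.
  DAST_WEBSITE: https://example-app.example

build_image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
```

Each template emits a security report artifact, which is what GitLab reads to show findings in the merge request widget and the security dashboards without any further integration.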

Finding vulnerabilities is only the beginning. Delivering those findings to the developer for immediate remediation is key to shifting left to reduce both cost and risk. GitLab does so without added integrations to maintain.

Feature Comparison
FEATURES

Static Application Security Testing

极狐GitLab supports easily running Static Application Security Testing (SAST) in the CI/CD pipeline, checking vulnerable source code and the libraries the application includes for known security issues, and displaying the results in the merge request and pipeline views. This feature is provided as part of Auto DevOps to deliver security by default.

Learn more about Static Application Security Testing

Secret Detection

极狐GitLab lets you run secret detection in the pipeline to check whether committed code contains secrets and credentials that went unnoticed. The results are displayed in the merge request and pipeline. This feature is provided as part of Auto DevOps to deliver security by default.

Learn more about Secret Detection

Dependency Scanning

极狐GitLab automatically detects known security issues in the libraries your application includes, protecting your application from vulnerabilities in the dependencies it uses at runtime. The results are displayed in the merge request and pipeline views. This feature is provided as part of Auto DevOps to deliver security by default.

Learn more about Dependency Scanning

Dynamic Application Security Testing

Once the application is running, 极狐GitLab supports running Dynamic Application Security Testing (DAST) in the CI/CD pipeline, scanning your application to ensure that threats such as XSS or broken authentication cannot affect it. The results are displayed in the merge request and pipeline views. This feature is provided as part of Auto DevOps to deliver security by default.

Learn more about application security for containers

Interactive Application Security Testing

IAST combines elements of static and dynamic application security testing methods to improve the overall quality of the results. IAST typically uses an agent to instrument the application to monitor library calls and more. GitLab does not yet offer this feature.

Vulnerability Management

极狐GitLab's vulnerability management is designed to ensure that vulnerability scans run against assets and applications, and it also covers the process of recording, managing and mitigating those vulnerabilities. Vulnerability management helps you identify a meaningful set of vulnerabilities in your assets and application code that your whole team can mitigate, manage and act on, rather than relying on the security organization alone. It also gives systems teams a single interface for managing the results of DevOps security steps, so there is always one source of truth and one place to manage security results.

Learn more about Vulnerability Management

Cloud Native Network Firewall

Cloud native network firewall provides container-level network micro-segmentation, which isolates container network communications to limit the "blast radius" of a compromise to a specific container or microservice. A container-aware virtual firewall identifies valid traffic flows between app components in your cluster and limits damage by preventing attackers from moving through your environment once they have already compromised one part of it.

Learn more about Container Network Security

Container Scanning

When building a Docker image for your application, 极狐GitLab can run a security scan to ensure it has no known vulnerabilities in the environment your code is shipped in. The results are then displayed in the merge request and pipeline views. This feature is provided as part of Auto DevOps to deliver security by default.

Learn more about container scanning

License Compliance

Check whether the licenses of your dependencies are compatible with your application, then approve or deny them. The results are displayed in the merge request and pipeline views.

Learn more about License Compliance

On-demand Dynamic Application Security Testing

It makes no sense to keep waiting for the next CI pipeline run to check your site for vulnerabilities or to reproduce a previously found vulnerability. 极狐GitLab provides on-demand Dynamic Application Security Testing (DAST) to scan running applications, which can be run independently of code changes and merge requests.

Learn more about On-demand DAST

Site Profiles for On-demand DAST Scans

Quickly reuse configuration profiles for on-demand DAST scans instead of reconfiguring them every time you need to run one. Mix different scanner profiles with site profiles to quickly run scans that cover different areas of your application and APIs, or that run at different depths.

Learn more about application security for containers