Harness Security Testing Orchestration vs GitLab Ultimate

Summary:

While Harness and GitLab seem to share many of the same capabilities across their software delivery platforms, one major difference is that Harness takes a modular approach. This means that individual modules can be used and integrated with other solutions as part of a DevOps toolchain. In contrast, with GitLab users must purchase the complete solution with the Ultimate license package.

Integrates With Any CI/CD Tool: 

Harness STO operates independently or integrated with any CI/CD solution. 

GitLab Ultimate’s Advanced Security Testing features must be purchased with the full GitLab platform. GitLab Advanced Security Testing does not integrate with other CI/CD solutions.

Normalization and Deduplication of Scanner Results: 

A challenge with shift-left security is that developers can be subjected to additional workload of scanner result analysis. This workload grows with every scanner execution performed by a pipeline and can take hours for every pipeline execution. 

Harness STO ingests the output from all scanners, then automatically normalizes, deduplicates, and creates a prioritized list of vulnerabilities to remediate. This saves developers hours of manual analysis work.

GitLab Advanced Security Testing provides scanner output without any additional analysis, placing that workload on the developers.

Automated Prioritization of Vulnerabilities: 

While it’s important to know all application vulnerabilities, it’s more important to know which vulnerabilities should be prioritized based on their severity. This can be difficult for developers to assess when they have multiple application security scanners running in their CI/CD pipelines. Each scanner provides results in different output formats that need to be looked at individually and then manually merged.

Harness STO solves this problem by automatically merging the output from all scanners and creating a unified prioritization of all vulnerabilities.

GitLab security does not provide a prioritized vulnerability list across all scanners.

Security Pipelines as Code:

Dedicated security pipelines offer a way for any CI/CD solution to invoke a robust security scanning process. 

Harness STO provides application security pipelines that can be configured using YAML. These configurations are automatically updated using a bidirectional sync between Harness and Git.

GitLab Advanced Security Testing does not offer a stand-alone security pipeline solution.

Security Pipeline Visual Builder:

Dedicated security pipelines offer a way for any CI/CD solution to invoke a robust security scanning process. 

Harness STO provides application security pipelines that can be configured via a graphical UI. This makes it easy for anyone in an organization to build new security pipelines to ensure application security scanning is conducted via CI/CD pipelines.

GitLab Advanced Security Testing does not offer a stand-alone security pipeline solution.

Custom Vulnerability Reporting:

Most organizations want to see vulnerability reports in formats that are customized for their unique requirements. 

Harness STO offers out-of-the-box reports, as well as fully customizable reporting capabilities.

GitLab provides out-of-the-box reporting, but at this time, there are no options for customization.

Security Exemption Tracking:

Security exemptions management is an integral component of managing security testing outcomes.  STO offers a common venue for security practitioners and developers to collaborate and actively manage security exemptions. Security findings often contain a mix of issues. Some need immediate attention. Some will be false positives or won’t apply to specific product scope or mode of operation. In some instances, there will be complex factors in remediating security issues and need additional planning. To effectively manage these different scenarios, security exemption management will be vital and can be fashioned in a way that fits your organizational needs via STO. 

Gitlab offers alternative approaches to manage security findings, but it does not support security exemption management.