GitLab

vs

MicroFocus Fortify

Decision Kit

Summary

Both Fortify and GitLab Ultimate offer open source component scanning along with Static and Dynamic Application Security Testing. Fortify uses Sonatype for open source scanning in its SaaS product as an OEM service. Fortify on-premise is integrated with SonaType and BlackDuck for open source scanning on-premise, both of those require separate licensing and set up.

Fortify is a mature product. Fortify offers IAST (with DAST) and RASP, though it does not offer container scanning. In spite of its strengths as a stand-alone product, Fortify is a separate process outside of the developer’s merge request workflow. The Fortify RASP product, Application Defender, is limited to Java and .Net applications. The Fortify Security Center (SSC) is needed if you want to pull results together from across the various Fortify scanners.

Fortify can be easily integrated into GitLab CI process using Command Line and API integrations. A key difference is that Fortify does not yet provide incremental scanning while GitLab clearly shows the scan results based upon the diff, or code changed since the last commit.

GitLab automatically includes broad security scanning with every code commit including Static and Dynamic Application Security Testing, dependency scanning, container scanning, license management, secrets detection, and most recently fuzz testing. Results are provided to the developer in the CI pipeline (Merge Request) with no integration required. GitLab also aggregates and displays all results in a single dashboard both at Group and Project levels.

Finding vulnerabilities is only the beginning. Delivering those findings to the developer for immediate remediation is key to shifting left to reduce both cost and risk. GitLab does so without added integrations to maintain.

Feature Comparison

FEATURES
Static Application Security Testing SaaS FREE PREMIUM ULTIMATE Self-Managed FREE PREMIUM ULTIMATE GitLab allows easily running Static Application Security Testing (SAST) in CI/CD pipelines; checking for vulnerable source code or well known security bugs in the libraries that are included by the application. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security-by-default. Learn more about Static Application Security Testing
Secret Detection SaaS FREE PREMIUM ULTIMATE Self-Managed FREE PREMIUM ULTIMATE GitLab allows you to perform Secret Detection in CI/CD pipelines; checking for unintentionally committed secrets and credentials. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security-by-default. Learn more about Secret Detection
Dependency Scanning SaaS FREE PREMIUM ULTIMATE Self-Managed FREE PREMIUM ULTIMATE GitLab automatically detects well known security bugs in the libraries that are included by the application, protecting your application from vulnerabilities that affect dependencies that are used dynamically. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security-by-default. Learn more about Dependency Scanning
Dynamic Application Security Testing SaaS FREE PREMIUM ULTIMATE Self-Managed FREE PREMIUM ULTIMATE Once your application is online, GitLab allows running Dynamic Application Security Testing (DAST) in CI/CD pipelines; your application will be scanned to ensure threats like XSS or broken authentication flaws are not affecting it. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security-by-default. Learn more about application security for containers
Interactive Application Security Testing SaaS FREE PREMIUM ULTIMATE Self-Managed FREE PREMIUM ULTIMATE IAST combines elements of static and dynamic application security testing methods to improve the overall quality of the results. IAST typically uses an agent to instrument the application to monitor library calls and more. GitLab does not yet offer this feature.
Vulnerability Management SaaS FREE PREMIUM ULTIMATE Self-Managed FREE PREMIUM ULTIMATE GitLab’s vulnerability management is about ensuring assets and applications are scanned for vulnerabilities. It also includes the processes to record, manage, and mitigate those vulnerabilities. Vulnerability management helps identify meaningful sets of vulnerabilities, in both your assets and application code, that can be mitigated, managed, and acted upon by your whole team—not just the security organization. It also provides a unified interface to the systems teams are already using for managing results from the ~”devops::secure” stage so there is always a single source of truth and single place for managing security results. Learn more about Vulnerability Management
Cloud Native Network Firewall SaaS FREE PREMIUM ULTIMATE Self-Managed FREE PREMIUM ULTIMATE Cloud native network firewall provides container-level network micro segmentation which isolates container network communications to limit the “blast radius” of compromise to a specific container or microservice. A container-aware virtual firewall identifies valid traffic flows between app components in your cluster and limits damage by preventing attackers from moving through your environment when they have already compromised one part of it. Learn more about Container Network Security
Container Scanning SaaS FREE PREMIUM ULTIMATE Self-Managed FREE PREMIUM ULTIMATE When building a Docker image for your application, GitLab can run a security scan to ensure it does not have any known vulnerability in the environment where your code is shipped. Results are then shown in the Merge Request and in the Pipeline view. This feature is available as part of Auto DevOps to provide security-by-default. Learn more about container scanning
License Compliance SaaS FREE PREMIUM ULTIMATE Self-Managed FREE PREMIUM ULTIMATE Check that licenses of your dependencies are compatible with your application, and approve or deny them. Results are then shown in the Merge Request and in the Pipeline view. Learn more about License Compliance
On-demand Dynamic Application Security Testing SaaS FREE PREMIUM ULTIMATE Self-Managed FREE PREMIUM ULTIMATE There’s no reason to wait for the next CI pipeline run to find out if your site if vulnerable or to reproduce a previously found vulnerability. GitLab offers scanning your running application with On-demand Dynamic Application Security Testing (DAST), independent of code changes or merge requests. Learn more about On-demand DAST
Site and Scanner profiles for On-demand DAST scans SaaS FREE PREMIUM ULTIMATE Self-Managed FREE PREMIUM ULTIMATE Reuse configuration profiles quickly with on-demand DAST scans, instead of reconfiguring scans every time you need to run one. Mix different scan profiles with site profiles to quickly conduct scans that cover different areas or depths of your application and API. Learn more about application security for containers
DAST Configuration UI SaaS FREE PREMIUM ULTIMATE Self-Managed FREE PREMIUM ULTIMATE Enabling DAST is now as simple as three clicks. This guided configuration experience makes it easier for non-CI experts to get started with GitLab DAST. The tool helps a user create a merge request to enable DAST scanning while leveraging best configuration practices like using the GitLab-managed `DAST.gitlab-ci.yml` template. Learn more about the DAST Configuration UI

GitLab vs MicroFocus Fortify

Decision Kit

Decision Kit

Summary

GitLab

vs

MicroFocus Fortify