GitLab gets fuzzy about security, acquires Peach Tech and Fuzzit

GitLab, the company behind the DevOps platform of the same name, has announced the acquisition of testing companies Peach Tech and Fuzzit, in a bid to help customers improve their products’ security. Financial details of the deal haven’t been disclosed. 

According to an official statement, “These acquisitions will add fully mature testing solutions including protocol fuzzing, API fuzzing, DAST API testing, and coverage-guided fuzz testing”. Once integrated, customers “will no longer need to depend on standalone fuzz testing solutions to meet their application security testing needs”, moving GitLab closer to the DevSecOps product it aims to be.

Fuzz testing is a testing approach in which programs are fed random or invalid data and their reactions are observed, in order to find bugs or exploitable conditions that other tests wouldn’t normally reveal. Adopting such a strategy can be especially useful for companies that use open source or other third-party components in their applications: since it often takes a while to understand how such components really behave, observing how they respond to varied inputs can help catch crashes and similar failures early on.
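To make the “coverage-guided fuzz testing” mentioned above concrete, here is an added toy example in Python (not code from GitLab, Peach Tech or Fuzzit): a constructed record parser with an unchecked length field, a line-coverage tracer built on `sys.settrace`, a byte-level mutator, and a loop that keeps every input reaching new lines, which is what lets it pass the magic and version checks one step at a time.

```python
import random
import sys

# Constructed fuzz target: framed record = magic 0x7F, version 0x01, length
# byte, payload. The defect is an unchecked length field (a classic parser flaw).
def parse_record(data: bytes) -> int:
    if len(data) < 3 or data[0] != 0x7F:
        return 0                        # not our format
    if data[1] != 0x01:
        return 0                        # unsupported version
    length, payload = data[2], data[3:3 + data[2]]
    # bug: trusts length, so length > len(payload) raises IndexError (a crash)
    return sum(payload[i] for i in range(length))

# Run target(data) once under sys.settrace; return (executed lines, crashed?).
def run_with_coverage(target, data):
    covered = set()
    def tracer(frame, event, arg):
        if frame.f_code is target.__code__ and event == "line":
            covered.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)
    try:
        target(data)
        return covered, False
    except Exception:                   # any uncaught exception is a crash
        return covered, True
    finally:
        sys.settrace(None)

# One random byte-level edit: overwrite a byte or delete a byte.
def mutate(data, rng):
    buf, op = bytearray(data), rng.randrange(2)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

# Coverage-guided loop: keep every input that executes a new line, so magic,
# version and bad length are found one step at a time rather than all at once
# by blind chance. Returns (crashing input or None, corpus of kept inputs).
def fuzz(target, seed_input, iterations=100_000, rng_seed=1):
    rng, corpus = random.Random(rng_seed), [seed_input]
    seen = run_with_coverage(target, seed_input)[0]
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        lines, crashed = run_with_coverage(target, candidate)
        if crashed:
            return candidate, corpus
        if not lines <= seen:           # new coverage: keep it as a parent
            seen |= lines
            corpus.append(candidate)
    return None, corpus
```

Starting from the constructed seed `b"\x00\x00\x00abc"`, `fuzz(parse_record, seed)` returns an input whose length byte exceeds the payload, and the corpus shows the intermediate inputs that unlocked each check.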

In the upcoming months, both Peach Tech’s and Fuzzit’s products are planned to become part of the GitLab platform. The company also wants to extend both start-ups’ technologies to “accelerate [GitLab’s] roadmap for interactive application security testing”. The result is expected to mostly benefit GitLab’s Gold and Ultimate subscribers, since security tooling is mainly found in those tiers and since “GitLab Secure customers” receive a specific mention in the announcement.

How the deal will affect customers of the smaller companies is a bit unclear. Fuzzit has stopped paid sign-ups, with founder Yevgeny Pats informing his customers that “all data will be available for 6 more months so you can download and back up corpuses, crashes, etc. at your convenience. After 6 months, all data will be permanently deleted.” Other than that “open-source free CPU will be available until 11 of July”. 

Peach Tech users who haven’t heard from the company yet will meanwhile have to get in touch with their sales representative to learn how things will change for them.

Speaking of security, GitLab recently released versions 13.0.6, 12.10.11, and 12.9.10 for GitLab Community Edition (CE) and Enterprise Edition (EE). The updates are meant to fix a critical security issue that affects GitLab EE 10.6 and later versions.

Unmitigated, the authorisation issue can be used by attackers to gain read access to private repositories, which is why installing the fix is strongly recommended. More details will become available in about 30 days. A CVE ID hasn’t been assigned yet.