TechRepublic’s Karen Roby spoke with Jonathan Hunt, VP of security for GitLab, about the security challenges companies face today and how the concept and practice of DevSecOps can help developers build end-to-end security into their applications. The following is a transcript of the interview, edited for readability.
Karen Roby: Jonathan, I’m happy to talk with you about this today. And certainly, it’s something that you talk about, I’m sure, in your sleep or could. I appreciate you being with us here today. First, just tell us, just for a second, about GitLab and your role there.
Jonathan Hunt: Yeah, absolutely. So, it’s an absolute pleasure to be here. Thank you for having me. My role at GitLab is the VP of security for the entire company. And my security department is roughly four sub-departments, 11 teams, and 60 people, which isn’t bad for our company and our size. So, we definitely take security matters to heart; it is definitely our priority here at GitLab. The company itself is a complete DevOps pipeline that is designed to be a unified tool chain, to not only promote the security and efficiencies that DevSecOps brings developers, but also to be a complete DevOps pipeline for engineering teams and developers as well.
Karen Roby: And when we talk, Jonathan, a little bit about here, we’re at the beginning of 2022, looking ahead and down the line. When we talk about DevSecOps, where do you see things going, maybe paths changing, things just evolving in a different way, where do you see it going?
Jonathan Hunt: Yeah, absolutely. When we talk about trends for DevSecOps, what I tend to do is try to take a look back at the last 12 to 18 months and see what’s happening in the industry, what’s happening in this space, and what the customer and our stakeholders are demanding of us. And what I’ve seen over the last year or so is the increasing amount of global security events. We remember all the way back from SolarWinds, all the way to the more recent phenomenon of Log4j, which I would classify in terms of dependency security. And what I’ve seen is that there are a couple of things that have really been made prominent from these recent events. Number one is I think that people want to see more secure products and services, especially around their data.
They’re calling for it in their vendors. They’re calling for it in their contracts. They’re searching for solutions that are going to meet these needs. Secondly, I’m seeing a demand for greater visibility and auditability of software. In addition to that, I would say that there’s definitely a demand for more consistent application and administration of compliance and security policies within the software. So, from that, what I see then happening in the near term is that I believe the DevSecOps process is going to begin providing more end-to-end visibility and auditability, which is designed to ensure that everyone, all of our stakeholders in the process, understands who changed what, where, and when, which is key to security management.
I also see better implementation and application of compliance. So, this is important, because today, we don’t have a great holistic view of compliance within our software frameworks. So, it’s challenging for our security teams to go in and identify where policies are being met and where policies are being broken. It’s difficult to gather evidence. It’s difficult to get all of our internal stakeholders together and aligned with the objectives and goals of what the compliance of software security is all about. And so, really, by implementing better compliance policies and visibility within the software, what that’s doing is bringing the developers and our entire CI/CD pipeline closer to the compliance team, closer to audit evidence, closer to our auditors themselves.
Karen Roby: And when we talk about changes and things that we’ve seen, Jonathan, COVID-19 has obviously changed and impacted us in every way, from personal to work, everything in between. How about with DevSecOps? I mean, how do you see that having changed and continuing to, as a result of this pandemic?
Jonathan Hunt: Yeah. So, DevSecOps is actually a great solution and ideology, if you will, around solving the security of remote workspaces. So, if you recall, before the pandemic, a lot of companies were confined to an office; their network boundaries were siloed to an intranet within a single local area network, if you will, within a building. And now, companies are challenged with understanding not only how to secure, but even how to monitor the security of remote employees. So, DevSecOps actually provides that solution. What it does is provide the security built in, not only to our software development life cycle, but even all the way to the endpoints.
So, today, many companies lack visibility on the endpoints, on where employees are connecting to the network, whether they’re working from home, whether they’re working from the airports or their favorite coffee lounges. So, what we’re doing with DevSecOps is providing the visibility and complete security from end to end. So, it starts with the developer, it starts with the laptop. It starts with the engineers on their local machines and provides that automated security implemented throughout that entire pipeline.