How has DevSecOps matured over the years? Can AI help with developer security? Ashish sat down with David DeSanto, Chief Product Officer at GitLab, at the RSA Conference to talk about how DevSecOps has advanced through the years, the practical applications of AI in security, the reduction of false positives, and the importance of fostering a collaborative culture between development and security teams.
Questions asked:
00:00 Introduction
01:08 A bit about David
01:24 DevSecOps in 2024
02:17 Maturity of DevSecOps
03:22 Integrating security into SDLC
05:02 Addressing false positives
07:18 How GitLab is using AI
09:39 Use case for AI adoption
12:06 The Fun Section
David DeSanto: [00:00:00] We recently just released the ability to scan secrets before the commit is pushed into the project. And so we were always able to catch it at commit time. Now we can catch it pre-commit. And so the developer, let's say, has a branch they're working on.
Ashish Rajan: Yeah.
David DeSanto: A vulnerability is in that new code. In their little description window for the vulnerability, they're able to then click Resolve with AI, Resolve with Duo. Duo will create a merge request off their code branch, fix the vulnerability, and they can merge it back into their branch. We call the whole thing vulnerability summary, and so the summary part actually explains it in natural language to them.
When I was a developer, and I believe this is true about developers today, when they wake up, they don't go, you know what I want to do today? Write a zero-day vulnerability in my application, right? No, they would just want to write secure code. Vulnerability explanation will actually explain the code to them in natural language, give them an example of code that's vulnerable, and give them an example of how to fix it.
Ashish Rajan: Hello, welcome to Cloud Security Podcast. For people who are watching this or listening to this later on, this is being shot at RSA Conference. That's why David and I, David's from GitLab, and I'm going to let you [00:01:00] talk about yourself, but he and I just discovered a new word that has made us a lot friendlier than what we would have been comfortable with.
David DeSanto: We do. It doesn't work for us, though. Yeah,
Ashish Rajan: It doesn't work in our context. Could you share a bit about yourself, David?
David DeSanto: Yeah, sure. So I am Chief Product Officer for GitLab. I joined GitLab in 2019 to actually add security to DevOps and into GitLab, and over the course of the time, I took on more product and a little over two years ago at this point I became CPO of the company.
Ashish Rajan: It rhymes with the whole DevSecOps, and as soon as I say that word I imagine some people rolled their eyes, like, oh my god, one more person talking about DevSecOps. How would you define DevSecOps for people who just rolled their eyes in 2024, considering we've been talking about it for some time now?
David DeSanto: For GitLab, DevSecOps is really about bringing security and compliance into DevOps, and that can come in a lot of different forms. Initially, we were looking at shifting security testing left and making it more developer friendly, and that's what our Secure stage capabilities do. We are able to scan on all the major types of application security scanning.
And then the other part is our governance functionality, compliance, and helping security teams know they've got the [00:02:00] guardrails in place to make sure software is shipping securely. And so for us, it really is like GitLab puts the Sec in DevSecOps, as it's becoming more and more of a security player, including we're here at RSA.
And I'm just very much looking forward to our conversation and talking about how DevSecOps has really evolved and what that actually means for organizations.
Ashish Rajan: And how has it evolved? So as a CISO in my previous role, I tried implementing DevSecOps.
It's not a one day thing. It's not a tool that solves your problem, but how are you finding the maturity in DevSecOps over the years?
David DeSanto: For organizations, it's really about their journey. It's not a day one, day two thing, but it's about where are you going to go as a company. And so when we engage with customers on DevSecOps and bringing security and compliance in, there are different parts of their journey as a company.
They could already have security tools that they want to embed into their CI/CD process. They could be wanting to just disrupt the entire thing and rebuild it. For me, what has been very interesting to see is when I started, there was definitely the Sec versus the Ops teams or the Dev versus the Sec team.
Yeah. [00:03:00] And over the course of the last almost five years of being at GitLab, that has actually changed, and now we're starting to see security teams partner better with their developer counterparts. And that actually came out in our DevSecOps survey. Every year when we're doing the survey, we're seeing, are you finding value in your counterpart?
Are you able to work with them? And that percentage of finger pointing keeps on going down, and you're seeing a lot more collaboration. And for me, I think the best way to see that is actually in our customers, where we've had customers who have been siloed in their organization, and the security team doesn't work closely with the traditional DevOps team.
And now it's actually security teams who are bringing GitLab into their organization to say, I know you want to write more secure code, you want to write better code. If we do this, we can scan delta code changes, find the vulnerability before it gets pushed into production. And then now it's about a partnership and less so finger pointing and blaming.
Ashish Rajan: In terms of partnership, how are you seeing your customers integrate security into their SDLC?
David DeSanto: Yeah, so it generally starts with trying to shift security left. And so they come to GitLab to say, I [00:04:00] want my scans to run in a timeline that will allow the developers to react to it. Traditional security scanning can take hours if not days.
Especially when you talk about things like DAST and SAST. And so GitLab's focused on scanning the delta code change. And if the developer pushes in 100 lines of new code, we scan the 100 lines of new code. And because of our knowledge of the product or in their project, we can actually build out like an abstract syntax tree.
Ashish Rajan: Yeah.
David DeSanto: To be able to validate that this new code does involve or introduce a new vulnerability in parts that they're not working on. That's where they generally start. They want to be able to do that.
Ashish Rajan: Yeah.
David DeSanto: And you can't necessarily do that with traditional scanning. The other thing is the guardrails I mentioned at the beginning.
Companies need to know, whether it's generating a software bill of materials or looking at their attack surface. Yeah. You know what is in their software. Yeah. And so leveraging GitLab for that, you can actually put in policies of what can be merged, what requires approval, what has been merged recently, compliance reports, the things that they need to be able to have the visibility and the controls in place, as opposed to if you had [00:05:00] a bunch of point solutions that don't talk to each other.
Ashish Rajan: Just to add another layer to this as well, because I normally find that sometimes when we talk about SAST tools, the biggest pain that even I had was the whole false positive thing as well. Yeah. How are you guys addressing that?
David DeSanto: So we actually just acquired a company named Oxeye. Oh, okay. Yeah, they're based in Israel. Okay. And their focus has been reachability of vulnerabilities. Yeah. And so we were a partner with them initially and we've now had them join GitLab. Oh, nice. But our focus has been on how do we reduce the false positives, and Oxeye has technology that will actually validate the reachability of the vulnerability. And based off your background and I know our earlier conversations, SAST trips a lot of false positives because it's just looking at the single line of code and goes, oh, that's a local file include or whatever the vulnerability is.
But you may find out that path is actually not exploitable if you follow the, we'll call it the historical path of that vulnerability or that variable. And so they're able to actually do that in a very efficient way. And we can then mark things as a false [00:06:00] positive and not waste the time of the developer looking at how to fix it.
Ashish Rajan: Is there a pattern in your customers between SAST, DAST, IaC, secret scanning? There's so many options to go for. Which one seems to be the one that's popping out as the first thing they're starting off with?
David DeSanto: More recently, it's actually been DAST and API security.
Okay. I think it's because we did actually acquire a company several years ago, Peach Tech. It's actually my first time at RSA as a GitLab employee. We've been coming for decades at this point. I know people look and they go, he's 29, he's only been there once or twice. But definitely not that young.
And they start with DAST, I think, because that is a pain point for organizations. They're trying to test single page apps. A lot of people are building React, Angular today. Traditional DAST can't test that. They need URLs. And our DAST can actually look at the DOM and trace it. And so we don't need to actually see a URL change to see a change on the page.
And so that's allowed us to have differentiation there. Once they've tried DAST and they're like, this works for us, they generally then move to SAST and secret detection. [00:07:00] And we recently just released the ability to scan secrets before the commit is pushed into the project. And so we were always able to catch it at commit time, now we can catch it pre-commit.
And so between that and SAST, and definitely with the acquisition of Oxeye improving what we're already doing with SAST, I think that gives them like the nice path into what DevSecOps could mean for them.
Ashish Rajan: Are there any, like in the customers you're working with, are there any privacy or security concerns you're thinking or seeing in that? What are you hearing from customers about the AI space?
David DeSanto: Yeah, I figured we'd talk about AI. I always say you can't spell David without AI. Oh, that's a good one, yeah. And so I always have to talk about it, right? Yeah, wow. Ha. So what we've seen is that our customers want to adopt security, or adopt AI, but they need guardrails and controls for it.
And so what we've been focusing on is how do you make AI responsible and safe to adopt, especially if you're an enterprise in a heavily regulated industry. And so really the two things that we've seen is, one, you can actually, with GitLab Duo, control what projects can use AI.
Ashish Rajan: Yeah,
David DeSanto: It's actually what I refer to as, like, the kill switch: flip it off and now it doesn't work.
[00:08:00] And so that's been a big conversation is like I want to use AI, but I can't use it on this project. This project. This project.
Ashish Rajan: Yeah.
David DeSanto: The other thing is, how do I make my developers more effective? And last year we launched a feature of GitLab Duo called Vulnerability Resolution. And actually with a single click, our Duo, our AI suite, can actually resolve the vulnerability on behalf of the developer.
Oh. And because you're using GitLab, and we're a DevSecOps platform, so we've got everything from planning, to coding, to building, deploying, securing. You actually can let Duo fix the vulnerability. Your scans that found the vulnerability rerun again. They can confirm the vulnerability is no longer there and the developer can just click the button to merge that code change.
Ashish Rajan: Also, would that be like a pull request or would that appear as a Yeah,
David DeSanto: it shows up as a merge request in GitLab. Okay, and so the developer, let's say, has a branch they're working on. Yeah. A vulnerability is in that new code.
Ashish Rajan: Yeah.
David DeSanto: In their little description window for the vulnerability, they're able to then click resolve with AI, resolve with Duo.
Duo will create a merge request off their code branch, fix the vulnerability, and they can merge it back into [00:09:00] their branch.
Ashish Rajan: And would it give them some context as well as to why the vulnerability is important?
David DeSanto: Yeah, absolutely. We call the whole thing vulnerability summary.
Ashish Rajan: Oh, okay. And
David DeSanto: so the summary part actually explains it in natural language to them.
When I wake up, or I should say when I was a developer, right? And I believe this is true about developers today. When they wake up, they don't go, you know what I want to do today, write a zero-day vulnerability in my application, right? No, they would just want to write secure code. And so vulnerability explanation will actually explain the code to them in natural language, give them an example of code that's vulnerable, and give them an example of how to fix it. And that can partner with our built-in security training. Those two things help the developer actually become a better developer and not introduce vulnerabilities.
Ashish Rajan: What do you see as the advantage, for people who may be a bit hesitant in using Duo and other AI capabilities, because whatever concern they may have right now, what are the business use cases you're seeing in your customers that are going, oh, this makes sense?
To your point about the vulnerability summary and all of that, what are you seeing as the ROI for spending time using the AI suite?
David DeSanto: [00:10:00] So what we're seeing is the trend to help everyone be more effective with AI, not just developers. There's a lot of attention on developer efficiency. It's one of the areas that you make a little bit of a tweak, you get a big payoff.
But if you were to accelerate developers, say, a hundred times, it's going to break everything else around it. This is RSA, so we talk about our security teams, right? If you're out 10x-ing the amount of code that they're having to deal with,
it can be very hard for them to keep up. And our customers are gravitating not just to our code suggestions, which helps developer productivity, but it's that vulnerability resolution. Duo can auto-resolve failures in your CI/CD pipelines for you, it can help you get through planning, it can help you identify other areas that you can be more effective.
And that's what our customers are gravitating towards. They go, yes, I need the developer productivity, but I also need everything else for the security teams, the platform engineering teams. Yeah. So they get the same boost from AI. Yeah.
Ashish Rajan: I don't know if this is, I'm throwing you a bit in the corner on this one, but I'm curious.
What are some of the skills? So you get some scale of the kind of [00:11:00] customers using this. Is there some scale of the number of commits per week or per month or how many are we talking like thousands, hundreds? What's the scale?
David DeSanto: Yeah. So we generally let our customers set what metrics are important to them.
Yeah. I'll give an example of two former employers of mine. Yeah. One company I worked for, we shipped software once a quarter. And so measuring whether or not my delivery is faster is not a good measurement. And then there's companies like GitLab who ship code every month and, actually, for GitLab.com we publish code three or four times a week.
Ashish Rajan: Oh my god, okay.
David DeSanto: So for us, it's gonna be about merge request rate, because then we're merging more code to hit those targets, right?
Ashish Rajan: Yeah.
David DeSanto: But for my former employer and a GitLab customer, the metric's actually maybe the quality of the code that's being shipped, right? And so leveraging GitLab's value stream analytics, which is built on top of the DORA four metrics and GitLab-specific metrics.
You can actually see that improvement to give you a sense. Our customers have talked about everything from a 30 percent boost in their company's efficiency, upwards of 90 percent leveraging Duo. So it just depends on what you're trying to solve. What are your guardrails? What are [00:12:00] you wanting to measure and leveraging the data that you have today in GitLab to see that
Ashish Rajan: to improve the overall quality of the code that you have as well.
Awesome. Now, those are the most technical questions I had. Yeah. I've got three fun questions for you as well. Sure. We're not gonna,
David DeSanto: we're not eating jelly beans, right? No, not this time.
Ashish Rajan: I was gonna put the jelly bean in it. I do have them in the bag. I'm gonna make this simpler, considering it's RSA.
what do you spend most time on when you're not trying to do DevSecOps or platform building?
David DeSanto: There's two things that take up my time when I'm not. The first is just spending time with my wife and my dogs. Yeah, I travel a lot. I've been on the road almost five weeks now, home on the weekend. So I'm looking forward to being home for several weeks and going on walks, hikes, just getting out in nature, normal things, getting away from tech.
Yeah. The other thing is I actually build Lego. It started in the pandemic. And so I just ordered the new TIE Interceptor. It's just arrived today. Yeah, it's the UCS one, just arrived. So that'll be my next, like, month or so of fun.
Ashish Rajan: Yeah. I was going to say that's going to take a while for you to go through that.
Okay. Fair. Second question. What is something that you're proud of that is not on your social [00:13:00] media?
David DeSanto: I would say work wise, I'm really proud of what the GitLab team has been able to accomplish. It's one of those things where people can't keep up with how fast we release.
We're very proud of our cadence, and seeing the collaboration side of GitLab and living the values is something I'm really proud of work wise.
I would say, personal wise, it would probably be just the time my wife and I are able to give back. We both grew up in families that were able to take care of their kids, but we want to be able to help other people have that same experience. And whether that's us donating our time, donating to the cause, whatever the case is, just being able to give back and have a job where I can do that and it's able to do.
Ashish Rajan: That's awesome, man. And final question, what's your favorite cuisine or restaurant that you can share?
David DeSanto: So here, in RSA, at RSA in San Francisco, it's probably Izumo.
Ashish Rajan: What kind of food do they have?
David DeSanto: They're a Japanese restaurant.
Ashish Rajan: Okay.
David DeSanto: They're a block off the port.
Ashish Rajan: Okay.
David DeSanto: My favorite thing about it is I'm pescatarian.
I'm mostly vegetarian, but I do eat fish. And they've got some of the best sushi I think I've had. Alright. It's fantastic. [00:14:00] Outside of that, I would say I just enjoy Thai food, Vietnamese food, Japanese food. Oh, Asian food in general. A lot of Asian food. Indian food.
Ashish Rajan: Indian food as well.
David DeSanto: Oh yeah, there's a great restaurant near us in Pennsylvania that is fantastic.
Ashish Rajan: Oh wow. And
David DeSanto: yeah, I would say Asian cuisine is probably the best way to sum it up.
Ashish Rajan: And for context, this is like 9:30 a.m. and I'm already feeling hungry after talking about all of this.
David DeSanto: But by the way, I haven't had breakfast yet, so I'm like five times hungrier than I was.
Ashish Rajan: Where can people find you on the internets of the world to talk more about the DevSecOps platform, the SAST work you guys are doing?
David DeSanto: I always recommend people to go to about.gitlab.com. You can read all about what we're doing. Our solutions pages walk through all the things we could do to help you out, including with GitLab Duo. Yep. Me personally, I am david.santo on X, David the Beard on Threads. Oh, we didn't comment on our beards.
We both have very majestic beards. Yeah. So technically, I guess my beard has a handle on Threads on it. I'm also on Bluesky as well, and you can find me at, I think it's D DeSanto on LinkedIn. Yeah,
Ashish Rajan: [00:15:00] I'll put the, I'll put those links in. But yeah,
David DeSanto: we can send them to you so you have them.
But yeah, please. Everyone can comment.
Ashish Rajan: Talk about the beard. Talk about the beards.
David DeSanto: I post a lot on what we're doing at GitLab, and so it's a great way to stay up to date. And of course, GitLab has @GitLab as well on every social platform. Of course.
Ashish Rajan: Yeah. I'll put those things in. But thank you so much for coming on the show. Absolutely. No, thanks for having me. Thank you so much.
Thank you for listening or watching this episode of Cloud Security Podcast. We have been running for the past five years, so I'm sure we haven't covered everything cloud security yet. And if there's a particular cloud security topic that we can cover for you in an interview format on Cloud Security Podcast, or make a training video on tutorials on Cloud Security Bootcamp, definitely reach out to us on info@cloudsecuritypodcast.tv. By the way, if you're interested in AI and cybersecurity, as many cybersecurity leaders are, you might be interested in our sister podcast called AI Cybersecurity Podcast, which I run with former CSO of Robinhood, Caleb Sima, where we talk about cybersecurity.
Everything AI and cybersecurity. How can organizations deal with cybersecurity on AI systems, AI platforms, whatever AI has to bring next as an evolution of [00:16:00] ChatGPT and everything else continues. If you have any other suggestions, definitely drop them on info@cloudsecuritypodcast.tv. I'll drop them in the description and the show notes as well.
So you can reach out to us easily. Otherwise, I will see you in the next episode. Peace.