GitLab CISO Josh Lemos on DevSecOps, AI Security, and Supply Chain Defense at RSA 2025


The RSA Conference (RSAC), the premier cybersecurity industry event, returns to San Francisco's Moscone Center April 28-May 1, 2025, bringing together thousands of security professionals, vendors, and thought leaders from across the globe. This annual gathering serves as the definitive forum for the latest cybersecurity innovations, trends, and best practices, featuring hundreds of educational sessions, keynotes from industry luminaries, and an expansive expo floor showcasing cutting-edge security solutions. For organizations navigating today's complex threat landscape, RSAC provides unparalleled networking opportunities, hands-on training, and essential insights to help bolster defense strategies against evolving cyber threats.

In this exclusive VMblog interview, Josh Lemos, CISO of GitLab, shares insights about how GitLab's AI-powered DevSecOps platform is revolutionizing secure software development ahead of RSA Conference 2025. Visitors can find GitLab at booth #4324, where the company will showcase advanced SAST capabilities, GitLab Duo vulnerability remediation features, and tools to address emerging supply chain security threats.

Lemos discusses how GitLab's unified platform approach helps organizations build security directly into the developer workflow—enabling faster detection and remediation of vulnerabilities while maintaining robust governance for security teams in an increasingly complex threat landscape.

++

VMblog:  Give VMblog readers a quick overview of your company and its core mission in the cybersecurity space.

Josh Lemos:  GitLab is the most comprehensive AI-powered DevSecOps platform for software innovation. We help organizations build secure software by consolidating every aspect of the software development lifecycle into a single platform for both developers and security teams.

With GitLab, security is built directly into the developer's workflow for earlier detection and faster remediation of vulnerabilities while still giving AppSec teams extensive controls to automate governance, define policies, and manage vulnerabilities.

VMblog:  Where can attendees find you at RSA 2025? What's your booth number, and what kind of experience can visitors expect when they stop by?

Lemos:  We'll be at booth 4324 and encourage visitors to stop by to experience our demos and have thoughtful conversations with our team about the most significant security challenges they're facing in the software development process.

We'll have demos on site that allow attendees to experience our advanced SAST, GitLab Duo Vulnerability Explanation and Resolution, vulnerability reports, and security policy features.

VMblog:  With AI being a major focus in cybersecurity, how is your company leveraging or addressing AI both as an opportunity and a potential threat vector?

Lemos:  AI presents a significant opportunity to improve cybersecurity and the development process. At GitLab, we are building AI into offerings like GitLab Duo, which applies AI across the entire software development lifecycle from planning to deployment.

AI-powered vulnerability remediation is also changing the game for secure development. Features such as "Explain this vulnerability" empower developers to learn from security anti-patterns while decreasing time to resolution. AI is improving security posture by automating the identification, explanation, and remediation of insecure coding practices and known vulnerabilities. As developers focus on more strategic tasks and higher value production, we'll see faster development cycles and more secure software.

That said, AI also has the potential to introduce threats. As software vendors rush to add AI, they increase their attack surface and there's the potential for security incidents. If attackers use AI to accelerate the discovery of vulnerabilities, the time investment decreases. Additional advantages may include the use of LLMs by a lower-skilled attacker to prompt their way to a functional exploit. As organizations take advantage of AI's benefits, they also must be aware of the potential threats it introduces and continue to focus on software security fundamentals.

VMblog:  What specific market challenges or pain points is your company addressing at RSA 2025? How have these evolved from previous years?

Lemos:  Companies understand that efficient software development is central to organizational success, but the complexity and inefficiency of typical security toolchains hinders many. To thrive, companies need to be 10x faster to market, which demands a new approach to securing software.

GitLab is helping them eliminate this dynamic through a more efficient and unified approach to software development.

We are constantly looking for ways to improve this process for our customers. Moving into 2025, AI is a significant element of further increasing efficiencies. Last year, we saw the impact of the first wave of AI in software development, which applied reactive code assistants for code generation and completion.

Moving forward, agentic AI will continue to enhance the development process, surpassing the limitations of traditional software development.

VMblog:  What sets your solution apart in today's crowded cybersecurity marketplace? Why should RSA attendees prioritize visiting your booth?

Lemos:  GitLab helps organizations build secure software by consolidating every aspect of the software development lifecycle into a single platform for developers and security teams.

GitLab takes a platform engineering approach where security is built in from day one. Security capabilities run natively within CI pipelines, eliminating the need for external tools and reducing context switching. Developers can fix issues earlier without disruption, while security teams gain centralized visibility across the entire development lifecycle. GitLab also provides advanced governance, allowing granular controls to require approval when vulnerabilities are detected.

This approach consolidates tools, reduces complexity, and lowers costs while making security an inherent part of development, not an afterthought.

VMblog:  How is your company addressing the growing concerns around supply chain security and third-party risk management?

Lemos:  From the attempted backdoor in XZ Utils to the takeover and successful malware distribution via the Polyfill JS project, software supply chain attacks are challenging the DevSecOps community. These incidents have underscored such threats' inevitability and potential disastrous consequences.

Organizations must bolster their resilience by emphasizing three critical components within their software build environments: visibility, governance, and continuous deployment. By focusing on these areas, organizations can enhance their defenses and reduce the time it takes to recover from the next cyberattack.

Strong security programs understand their attack surface through a focus on inventory and observability. Tools like software bills of materials (SBOMs) are valuable for providing a comprehensive inventory of software components. Starting with this baseline of visibility enables rapid identification of vulnerabilities when threats emerge.

The final piece to support software supply chain security is continuous validation testing and monitoring. These processes can be automated stages in build pipelines to simplify this step for developers while ensuring software security and quality.
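The two supply chain practices described above, an SBOM as the inventory baseline and an automated validation stage in the build pipeline, fit together as a gate that checks every component in the SBOM against an advisory list and fails the job on a match. The script below is an added example written for this page, not GitLab's code. The CycloneDX SBOM fragment and the advisory feed are constructed inline so it runs offline; the xz range mirrors the public CVE-2024-3094 advisory for the backdoored 5.6.0/5.6.1 releases, while the polyfill entry is a hypothetical stand-in for a taken-over JS package. The version comparison is deliberately simple (numeric components only) and would need a real package-version library for pre-release tags.

```python
"""Pipeline gate: match a CycloneDX SBOM against an advisory list.

Added example, not GitLab's code. SBOM and advisories are constructed inline.
"""
import json
import re

# Constructed CycloneDX 1.5 SBOM fragment, reduced to the fields the gate needs.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "xz", "version": "5.6.1", "purl": "pkg:generic/xz@5.6.1"},
    {"type": "library", "name": "liblzma5", "version": "5.4.6", "purl": "pkg:deb/debian/liblzma5@5.4.6"},
    {"type": "library", "name": "polyfill", "version": "0.1.8", "purl": "pkg:npm/polyfill@0.1.8"},
    {"type": "library", "name": "requests", "version": "2.32.3", "purl": "pkg:pypi/requests@2.32.3"}
  ]
}"""

# Constructed advisory feed keyed by version-less purl. Ranges follow the OSV
# convention: "introduced" is inclusive, "fixed" is exclusive, None = no fix.
ADVISORIES = [
    {"id": "CVE-2024-3094", "purl": "pkg:generic/xz", "introduced": "5.6.0", "fixed": "5.6.2",
     "note": "backdoored upstream release tarballs"},
    {"id": "EXAMPLE-2024-POLYFILL", "purl": "pkg:npm/polyfill", "introduced": "0", "fixed": None,
     "note": "hypothetical: project taken over, every version untrusted"},
]


def parse_version(v):
    """'5.6.1' -> (5, 6, 1). Numeric components only; good enough for this gate."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def strip_version(purl):
    """'pkg:npm/polyfill@0.1.8?arch=x86' -> 'pkg:npm/polyfill'."""
    base = purl.split("?", 1)[0]
    return base.rsplit("@", 1)[0] if "@" in base else base


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (or version >= introduced when unfixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_affected(sbom_json, advisories):
    """Return one finding per (component, advisory) pair that matches."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no purl, nothing to key on; a stricter gate would fail here
        base = strip_version(purl)
        for adv in advisories:
            if adv["purl"] == base and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append({"component": purl, "advisory": adv["id"], "note": adv["note"]})
    return hits


def gate(sbom_json, advisories):
    """Return (exit_code, findings). A non-zero exit code fails the CI job."""
    hits = find_affected(sbom_json, advisories)
    return (1 if hits else 0), hits


if __name__ == "__main__":
    code, findings = gate(SBOM_JSON, ADVISORIES)
    for f in findings:
        print(f"BLOCK {f['component']}: {f['advisory']} ({f['note']})")
    raise SystemExit(code)
```

Because the SBOM is produced once per build and stored, the same `find_affected` pass can be re-run against a refreshed advisory list without rebuilding, which is the "rapid identification when threats emerge" property the visibility baseline is meant to provide.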

VMblog:  What role does zero trust play in your security strategy and solutions? How are you helping organizations implement zero trust effectively?

Lemos:  To GitLab, Zero Trust means the device identity, user identity, and level of assurance are all validated by an appropriate set of controls for the requested resource. Zero Trust requires a structured framework with the ability to set, enforce, and authenticate granular role-based access for all users and machines, audit resource access in real time, understand the business criticality of a given system, and more.
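A policy decision point that does what the answer above describes, checking user identity (RBAC), device identity and posture, and the assurance level of the session against the criticality of the requested resource, can be small enough to read in full. The code below is an added example, not GitLab's implementation. The tier names, the thresholds in `POLICY`, and the sample requests are assumptions constructed for illustration; the AAL numbers borrow the authenticator assurance levels of NIST SP 800-63B but the mapping of tiers to levels is invented here.

```python
"""Zero-trust access decision: user, device and assurance level checked per resource.

Added example, not GitLab's code. Policy tiers and sample requests are assumptions.
"""
from dataclasses import dataclass

# Resource criticality -> (minimum AAL, managed device required, max session age in s).
# Assumed policy values, not a standard.
POLICY = {
    "public":   (1, False, 24 * 3600),
    "internal": (2, False, 12 * 3600),
    "critical": (2, True,   1 * 3600),   # e.g. deploy keys, signing material
}

# Prefix -> tier. Anything not listed falls into "critical" (fail closed).
RESOURCE_TIERS = {
    "wiki/":         "public",
    "repo/":         "internal",
    "ci/":           "internal",
    "ci/deploy-key": "critical",
}


@dataclass
class Request:
    user: str
    aal: int                 # authenticator assurance level achieved in this session
    session_age_s: int
    device_id: str
    device_managed: bool     # enrolled in MDM / has a device certificate
    device_compliant: bool   # disk encryption, patch level, EDR healthy
    resource: str
    role_allowed: bool       # RBAC answer from the resource's own ACL


def tier_for(resource):
    """Longest-prefix match so 'ci/deploy-key' beats the generic 'ci/' entry."""
    matches = [p for p in RESOURCE_TIERS if resource.startswith(p)]
    return RESOURCE_TIERS[max(matches, key=len)] if matches else "critical"


def decide(req):
    """Return (allowed, reasons). Every failed control is reported, not just the first."""
    reasons = []
    tier = tier_for(req.resource)
    min_aal, need_managed, max_age = POLICY[tier]
    if not req.role_allowed:
        reasons.append("rbac: role not permitted on resource")
    if req.aal < min_aal:
        reasons.append(f"assurance: AAL{req.aal} below AAL{min_aal} required for {tier}")
    if req.session_age_s > max_age:
        reasons.append(f"session: age {req.session_age_s}s exceeds {max_age}s for {tier}")
    if need_managed and not req.device_managed:
        reasons.append("device: unmanaged device cannot reach critical resources")
    if not req.device_compliant:
        reasons.append("device: posture check failed")
    return (not reasons), reasons


def audit_record(req):
    """Structured record of the decision, for real-time resource-access auditing."""
    allowed, reasons = decide(req)
    return {
        "user": req.user,
        "device": req.device_id,
        "resource": req.resource,
        "tier": tier_for(req.resource),
        "allowed": allowed,
        "reasons": reasons,
    }


if __name__ == "__main__":
    sample = Request("alice", aal=2, session_age_s=600, device_id="byod-7",
                     device_managed=False, device_compliant=True,
                     resource="ci/deploy-key", role_allowed=True)
    print(audit_record(sample))
```

Note that the RBAC answer is only one input: a correct role on an unmanaged laptop, or a stale session, still fails for a critical resource, and an unknown resource path is treated as critical rather than public.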

VMblog:  Are you participating in any speaking sessions or panel discussions at RSA 2025? Can you tell us more about these presentations?

Lemos:  GitLab's Principal Product Marketing Manager for Security, Salman Ladha, will present a briefing session on streamlining security products.

Cybersecurity spending is increasing as organizations pay for a growing number of tools, but breaches continue to rise. This is because, to optimize security, organizations don't need more security tools; they need fewer tools that are inherently more secure. 

As threat actors follow the code and exploit vulnerabilities at the source, starting with secure software is much more effective than bolting on security tools. 

Join Salman on Thursday, May 1 at 11:30 AM at Moscone South Briefing Center to explore this topic and ask your questions about streamlining security products.

VMblog:  What exciting demos or interactive experiences can attendees expect at your booth?

Lemos:  Attendees can experience demos at our booth to learn more about our Advanced SAST, GitLab Duo Vulnerability Explanation and Resolution, Vulnerability Report and Security Policies features.

Our Advanced SAST offering illustrates how a developer can go from finding a vulnerability to remediating it, with features including our MR widget and Code Flow view. 

GitLab Duo Vulnerability Explanation and Resolution will walk attendees through the vulnerability resolution process. This includes detecting a vulnerability from a scan, explaining the results to the developer in plain language, creating an MR to fix it, and demonstrating that the developer has full control to approve or reject it.

VMblog:  How is your company addressing the challenges of securing hybrid and multi-cloud environments?

Lemos:  We recognize that all organizations have different preferences when it comes to cloud environments. GitLab is a cloud-agnostic DevSecOps platform, and we offer different SaaS offerings as well as a self-hosted solution for customers who prefer their own data center or private cloud. GitLab provides options that take advantage of the cloud or allow organizations to set up self-hosted instances of the GitLab platform, depending on their needs and preferences.

VMblog:  What's your perspective on the most critical cybersecurity trends that will shape the industry in 2025-2026?

Lemos:  Security teams have always had to bring order to the chaos, but new developments that will play out over the next year could make 2025 particularly challenging. The accelerating pace of AI innovation, increasing sophistication of threat actors, agentic AI operating with autonomy and the relentless pace of software innovation all contribute to the challenging conditions we will operate in for the foreseeable future. 

Despite the potential security challenges posed by generative AI (GenAI), it also offers opportunities to improve the security of software development processes. By proactively identifying vulnerabilities and enabling greater automation, AI has the potential to improve security for known issues and could potentially help close the gap between developers and security teams.

Below are three trends that will dominate the enterprise security landscape in 2025.

1. Vulnerabilities in Proprietary LLMs Open the Possibility of Broad-Impact Security Incidents

Software vendors often rush to add AI-enabled features to their products by leveraging proprietary foundational LLMs. As attackers start to find vulnerabilities in these models, they will open a new attack vector with potentially wide-scale consequences. Industry consolidation increases risk and with a limited number of foundational models, we increase our dependence on a handful of companies.

Proprietary models reveal little information about their provenance or internal guard rails, making them much harder for security professionals to understand and manage. As such, attackers can embed malware or exploit lesser-known attack surfaces in a model's feature space.

Because the industry relies heavily on a few proprietary LLMs, these attacks could have cascading effects throughout the software ecosystem, potentially leading to wide-scale impacts.

2. Agentic AI Will Increase Demand for Composite Identity Management

The emergence of agentic AI represents a significant inflection point in computing that requires strategic recalibration of our traditional assumptions of access-control frameworks.

As autonomous systems evolve beyond traditional automation boundaries, over-provisioned access patterns between disparate systems will be exposed aggressively and at-scale.

With AI systems increasingly mirroring human decision patterns, establishing clear attribution mechanisms becomes essential for effective security investigation and oversight. Adapting access provisioning to support composite identities is a first step in properly attributing agents to their human operators.

The path forward requires balancing innovation with adaptable and extensible governance frameworks. While presenting significant challenges, agentic AI also offers substantial opportunities to enhance our operational capabilities and security posture through thoughtful governance.

3. AI Will Help Scale Security Within DevOps

In a recent survey, 58% of developers said they feel some degree of responsibility for application security. However, the demand for security-skilled DevOps professionals still outpaces supply.

AI will continue democratizing security expertise within DevOps teams by automating routine tasks, providing smart coding recommendations, and further bridging the skills gap. Security will be integrated throughout the build pipeline, enabling the early identification of potential vulnerabilities at the design stage by leveraging reusable security templates that can be integrated into developer workflows.

The net result will be improved security outcomes, reduced risk, and enhanced collaboration between developers and their security peers.
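The composite-identity idea in trend 2 above, an agent that acts under its own identity but on behalf of a named human operator, has a concrete shape in the delegation model of OAuth 2.0 token exchange (RFC 8693), where a token's `sub` is the party whose authority is exercised and the nested `act` claim names the party actually acting. The code below is an added example, not GitLab's code, showing how such a token is authorized and audited. The assumption it makes explicit is that effective permissions are the intersection of what was delegated, what the operator holds, and what the agent identity is provisioned for, so delegation can narrow access but never escalate it, which is exactly the over-provisioning exposure the trend describes. Token contents, scope names and the two registries are constructed; signature verification is assumed to have happened upstream.

```python
"""Composite identity: authorize and audit an agent acting for a human operator.

Added example, not GitLab's code. Tokens, scopes and registries are constructed.
Claim layout follows RFC 8693: 'sub' = delegator, 'act' = current actor
(nested 'act' entries record earlier actors in the chain).
"""
import json
import time

# Constructed registries that an IdP / access-control system would hold.
USER_GRANTS = {"user:alice": {"repo:read", "repo:write", "ci:run"}}
AGENT_PROVISIONED = {  # the agent's service account is over-provisioned on purpose
    "svc:build-agent-7": {"repo:read", "repo:write", "ci:run", "secrets:read"},
}

NOW = int(time.time())

# Constructed delegated token: alice launched the agent and delegated a subset.
DELEGATED_TOKEN = {
    "sub": "user:alice",
    "scope": "repo:read ci:run secrets:read",      # what alice *tried* to delegate
    "act": {"sub": "svc:build-agent-7"},
    "exp": NOW + 900,
}

# Constructed direct human token for comparison (no delegation chain).
HUMAN_TOKEN = {"sub": "user:alice", "scope": "repo:read repo:write ci:run", "exp": NOW + 900}


def actor_chain(token):
    """['svc:build-agent-7', ...]: current actor first, earlier actors after. Empty if direct."""
    chain, actor = [], token.get("act")
    while actor:
        chain.append(actor["sub"])
        actor = actor.get("act")
    return chain


def effective_scopes(token, user_grants=USER_GRANTS, agent_provisioned=AGENT_PROVISIONED):
    """Delegated scope ∩ delegator's own grant ∩ every actor's provisioned scope."""
    scopes = set(token.get("scope", "").split())
    scopes &= user_grants.get(token["sub"], set())      # cannot delegate what you do not hold
    for agent in actor_chain(token):
        scopes &= agent_provisioned.get(agent, set())    # each actor must itself be allowed
    return scopes


def authorize(token, required_scope, now=None):
    """Return (allowed, reason)."""
    now = time.time() if now is None else now
    if token.get("exp", 0) <= now:
        return False, "token expired"
    allowed = effective_scopes(token)
    if required_scope not in allowed:
        return False, f"{required_scope} not in effective scopes {sorted(allowed)}"
    return True, "ok"


def audit_event(token, action, now=None):
    """Attribute the action to both the acting agent and the human it acts for."""
    allowed, reason = authorize(token, action, now)
    chain = actor_chain(token)
    return json.dumps({
        "subject": token["sub"],          # whose authority was exercised
        "actor": chain[0] if chain else token["sub"],   # who actually did it
        "actor_chain": chain,
        "action": action,
        "allowed": allowed,
        "reason": reason,
    }, sort_keys=True)


if __name__ == "__main__":
    for action in ("ci:run", "secrets:read", "repo:write"):
        print(audit_event(DELEGATED_TOKEN, action))
```

Three cases fall out of the intersection: `ci:run` is delegated, held by alice and provisioned for the agent, so it is allowed; `secrets:read` is provisioned for the agent and named in the token but alice never held it, so the agent cannot acquire it by acting for her; `repo:write` is held by both but was not delegated, so it is refused too. Every log line carries both principals, which is the attribution the trend asks for.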

VMblog:  How does your solution help organizations address regulatory compliance and emerging privacy requirements?

Lemos:  Regulatory compliance is built into the GitLab platform: security is audit-ready by default. Internally, we practice policy-as-code through GRC engineering. There is considerable opportunity to reduce audit fatigue on engineering teams by using metadata in services and collecting the appropriate audit evidence throughout the SDLC.

Functions built into the platform allow teams to define merge request approval policies and enforce security guardrails as needed for their organizations.

GitLab's platform also allows users to generate automated compliance reports to meet a range of frameworks, such as SOC 2, ISO 27001, and FedRAMP, supporting compliance needs without adding manual overhead.

VMblog:  What success stories or case studies will you be highlighting at RSA 2025?

Lemos:  We'll be sharing a variety of customer success stories in our booth. These customers have seen impressive results using GitLab, from 50% faster vulnerability detection to identifying 30% of vulnerabilities earlier in the software development lifecycle.

We'll share the story of the Netherlands-based software development company CUBE, which adopted AI functionality through GitLab Duo and saved 40 hours a week. Thanks to the AI features, CUBE also achieved 50% faster release cycles and vulnerability detection.

Another customer we'll discuss is Carfax, which began using GitLab to reduce the time and money spent supporting its DevOps toolchain. CARFAX gathers information from more than 139,000 sources, requiring a complex toolchain including a dozen tools. Streamlining this process using GitLab led to a 20% boost in deployments YOY and earlier discovery of 30% of vulnerabilities. 

Our customers are also innovating in the defense space. Sigma Defense made GitLab the center of its DOD-focused DevSecOps environment, Black Pearl. Implementing GitLab helped them tame software factory sprawl, boost collaboration and expand access to the platform. The results were dramatic, including a 97% reduction in time to fix bugs and a 98% reduction in onboarding time.

The work these customers do is fascinating and dramatically impacts their respective industries. We encourage you to stop by our booth to learn more.

VMblog:  Is your company giving away anything special or interesting at your booth this year?

Lemos:  In addition to our demos and the opportunity to discuss cybersecurity, AI, DevSecOps, and more with our talented team, we have some exciting giveaways!

We'll have Audrey Tote bags, Tanuki Socks, Wheat Straw travel mugs, and GitLab stickers at our booth. Low on battery? Stop by our booth for a high-speed charger.

VMblog:  As an experienced RSA sponsor, what advice would you give to attendees to make the most of their conference experience?

Lemos:  Attend sessions, visit booths, meet security practitioners and ask questions. There are very few opportunities to have so many security companies and practitioners from all over the globe at one event. It's an exceptional learning opportunity and an experience I look forward to every year.

##

Published Friday, April 11, 2025 8:05 AM by David Marshall