Black Hat 2024: How AI Fits into Today's DevSecOps Requirements

AI is no stranger to the software development world, since code writers have used machine learning for years. So Josh Lemos, CISO at GitLab Inc., is an advocate for "shifting down" (instead of left), by which he means using AI to automate processes and procedures wherever developers can. "Software security is one of those areas that's very uniquely suited for large language model use," Lemos tells Terry Sweeney during his News Desk appearance during Black Hat USA. "Large language models are text based, language based, and we have source code that is basically language constructs." In fact, just about every part of the software development life cycle can benefit from AI, he adds.

"We're seeing a lot of benefit in software and software security, where a security practitioner or developer already knows what they want and AI really becomes an accelerant," Lemos explains. "With a higher velocity, the developer doesn't have to look at every step. They don't have to have the intimate knowledge or work with the application security team to say, 'How do I fix this?'" Security professionals are already seeing similar dynamics in vulnerability management, remediation cycles, and security operations, he adds.

And there's more to the technology buffet for developers and security professionals than just AI. Lemos has noticed more discussion and attention devoted to cyber resilience -- including how well security technologies are instrumented and if you have runbooks for when things go wrong. "You're going to find a lot of CISOs talking this year about their responsibility to their organizations and the technologies they manage already," Lemos says. "I don't see anything eclipsing AI just yet, but I don't have a crystal ball."

Josh Lemos is the Chief Information Security Officer at GitLab, where he brings 20 years of experience leading information security teams to his role. He is responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected, fortifying the GitLab DevSecOps platform and ensuring the highest level of security for customers. He believes in technology's potential to transform the world and the need to secure it against emerging threats. Josh has led security teams at numerous high-growth technology companies including ServiceNow, Cylance, and most recently Block (formerly known as Square).