Q&A: GitLab empowers DevOps while making CISOs happy
There is a deep relationship between app development speed and security. It seems that as one goes up, the other goes down. And, of course, to thrive in the app development operations world, we need a well-balanced formula of both.
Chief information security officers might not agree to speedy prototypes and quick implementation of unproven infrastructure, which slows down the DevOps delivery process. To accelerate this, the security would have to belong to the entire software lifecycle.
GitLab Inc. was built with this idea in mind — to provide support for the entire DevOps lifecycle, including security. The company accomplishes this by taking the Git basics and using CI/CD pipelines. This combination helps organizations focus on the software lifecycles and deliver frequent code changes. The continuous integration, delivery, and deployment formula can empower DevSecOps to push security and collaborate with DevOps. Teams can ship their applications faster and go with a security passport in hand, according to Brandon Jung, board of directors at the Linux Foundation and vice president of alliances at GitLab Inc.
“Being able to do the security earlier is so much faster because you’re not having to iterate later … Devs are more and more saying, “That’s not going to change any time soon,” Jung said, Brandon Jung, board of directors at the Linux Foundation and vice president of alliances at GitLab Inc. “Empowering those devs to own the security … they love that.”
Jung spoke with Stu Miniman (@stu) and John Walls (@JohnWalls21), hosts of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the AWS re:Invent event in Las Vegas. They discussed alliances at GitLab, GitLab for DevOps lifecycle, the debate around development speed versus security, and the open-source community. (* Disclosure below.)
[Editor’s note: The following has been condensed for clarity.]
Walls: Let’s talk about what you do at GitLab? What does that encompass?
Jung: It covers all of the big key partnerships with us. So that’s going to be obviously Amazon, the other big cloud providers, a lot of strategic technology partnerships, and then all your system integrators … and then functionally anything else that comes in.
Miniman: Git, of course, is one of the predominant drivers for the proliferation of open source. Tell us a little bit about … why GitLab is so critical to what [your customers are] doing?
Jung: We’re Git, so that was where our base was when we started in 2012, 2013. So Git continues to be that core piece you need. So whether you’re doing GitOps, infrastructure as a code, or application development, you’ve got to have the estate. And then a couple of years later, we picked up and did a bunch of stuff in the CI/CD space. And, initially, we had them separate, and customers kept saying, these might work well together. And to the Linux world, it has always been a single tool, very sharp, very narrow. So we held off on that for a long time. Then we finally said, “We’re going to give it a go.” We shipped them together, and that led to where we are now, which is we think of GitLab as a single tool for the entire DevOps lifecycle.
Walls: When you talk about security, is it being reflected in budgets? Are people making these kinds of investments?
Jung: For us, a big growth area is application security in a pipeline. The notion of shift left. And it’s actually one of the easier conversations, because the CISOs really want to make sure that every piece of code is tested. Be it static code, dynamic code, license scanning, or all of the above. The way they’ve traditionally done it is at the end of a pipeline, and they make every dev unhappy because they throw it all the way back to the front with the dev. And [CISOs] kill the most important thing, which is cycle time, [which] is time from idea to shipping. So by shifting it left, there’s plenty of money, and the CISOs love it because they get all the code tested. And the devs love it because they get [instant] feedback.
Being able to do the security earlier is so much faster because you’re not having to iterate later. Devs are … more and more saying, “That’s not going to change any time soon.” Empowering those devs to own the security … they love that.
Miniman: So CI/CD, I think, leads to greater security. Do you have some stats around that for your customers as to how they measure that?
Jung: We have some pretty good velocity. So, Goldman Sachs … started with us and went from about a two-week release cycle down to 10, 20, 100 times a day. That’s a company that does a great job on dev, but it can also be smaller companies like Wag Labs. And they went from a week down to … 20 to 30 deployments a day. And again it just makes you break the pieces smaller, less likely that you’re going to introduce dependencies that break something.
Miniman: How are you hearing about [transformation] from your customers? How is GitLab helping customers along those transformation journeys?
Jung: We’ve seen when you go from a Word doc to a Google Doc and everyone can edit at the same time. And that’s really, in many ways, that’s what GitLab is doing — is just helping the front-end product manager know exactly what’s going on on the infrastructure side, and you communicate in a similar language.
The other piece, though, that we are working a lot in is GitLab operates an extremely open culture, so we publish how we run the company in a handbook that’s 2,500 pages; we’re always updating it. When things go wrong, we publish it. So we have an outage, we have live broadcast how we get back out from an outage, and we publish all of it for someone to understand.
Walls: What impact does that have on a customer when they see you in real time solving your problems?
Jung: They know that if they have a question for us that we both take it seriously and that we’re going to do it in a way that they know when it’s going to be resolved. And that doesn’t mean that we always deliver at the time that a customer asks, but that level of transparency breeds trust. And it also helps a customer quantify what do they want; it helps a huge amount in communication because they know what we’re prioritizing and they understand why.