Kubefeeds Team A dedicated and highly skilled team at Kubefeeds, driven by a passion for Kubernetes and Cloud-Native technologies, delivering innovative solutions with expertise and enthusiasm.

GitLab’s Field CTO Predicts: When DevSecOps Meets AI


Brian Wald

What’s in store for us in 2025 — and beyond? Brian Wald, GitLab’s field CTO and global head, predicts we’re heading toward a future where security and operational responsibilities are handled by centralized platforms.

That’s not surprising — since GitLab is in the business of selling a “comprehensive AI-powered DevSecOps platform.” But Wald sees this functionality bringing more than just faster deployments and quicker security fixes (while liberating developers to get back to their coding).

With AI-powered vulnerability remediation, we could see technical debt being quickly and automatically identified. Humans would still vet the code and set guidelines for its correctness while also using AI to speed up testing, documentation and translations.

And eventually generative AI could enable a large-scale migration to the cloud — even for small operational tools — in a future where Wald sees it “unlocking efficiencies and reducing security risks across the board.”

But like all good prognosticators, Wald begins by reflecting on the problems in our present.

‘Unnecessary Burdens’

“Integrating Dev, Ops and Sec was necessary to reduce the siloed teams,” Wald explained in an email interview, “but doing so at the application-development level has introduced significant complexity. The ‘shift left’ movement correctly identified the need for earlier involvement in critical processes. But it also placed an unnecessary burden on engineers…”

Wald wants to see developers free again to focus just on the “Dev” of DevSecOps — that is, on building their applications.

As Wald sees it, developers are now “overextended”, burdened with “invisible tasks that consume significant time” that thanklessly “remain unseen by the broader organization.” (Whether it’s fast-changing requirements or orchestrating — and maintaining — tools and processes…) Wald cites “industry research, including insights from the GitLab DevSecOps study,” which found developers now spend less than 25% of their time on coding. “When we looked deeper, we discovered that much of the other time was spent managing/troubleshooting CI jobs, testing and handoffs between teams for security/deployment.”

What if, instead, a platform team created standards for common CI jobs (like build, test, security and deployment) so that all that’s left for developers is some very light configuration? For developers, this means “optimized paths for most of their workloads” (along with the flexibility to define exceptions). But there are quantifiable benefits beyond that, Wald says, that have been proven by industry research. “Organizations that have implemented baseline CI jobs across about 20% of their projects report substantial increases in deployment frequency,” while “standardizing workflows and CI jobs across the organization amplifies these gains.”

Two concrete examples:

  • If a security vulnerability is identified, it can be addressed at the platform level, ensuring consistent protection across all projects.
  • Any improvement to a CI job positively affects performance across all projects using it.

Shifting operational and security responsibilities onto platforms “will improve efficiency, enhance quality and restore the velocity lost in the current approach,” as Wald sees it, ultimately letting businesses “do more with less.”

In short, this allows scaling of DevSecOps principles and tooling, all while leaving developers “to focus solely on building high-quality applications.”

And Wald sees this starting in the “near future.”

But what does it look like when operational and security responsibilities are handled by centralized platforms? GitLab, of course, is an example of this, offering a platform architecture with “composable functionality” that’s usable by any project in the portfolio. “Specifically, our CI Component catalog allows a platform engineering team to build, version and document automation tasks that developers can simply reference in their projects, eliminating the need to build it themselves.”

And more importantly, “you can create policies and compliance frameworks that can be applied to projects to ensure the proper guardrails are in place” — improving security and reducing compliance risks while making developers more productive.
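To make the “platform team owns the job, developers reference it” model concrete, here is an added example (not code from the article, from GitLab’s catalog or from any real component) using GitLab’s CI/CD components syntax. The component project path `platform/ci-components`, the scanner image, the job name and the input names are all assumptions for the illustration; the two files are shown in one block, separated by comment headers.

```yaml
# ===== Component project: platform/ci-components =====
# File: templates/dependency-scan.yml
# (added example; project path, image, job and input names are assumed)
#
# The `spec` block declares the inputs a consuming project may set.
# Everything after `---` is the CI configuration that gets included.
spec:
  inputs:
    stage:
      default: test
    fail_on_severity:
      default: "high"
      options: ["critical", "high", "medium"]
---
dependency-scan:
  stage: $[[ inputs.stage ]]
  # The scanner image is pinned here, by the platform team. A fix to the
  # scanner (or to these rules) is a single change in this file and a new
  # component release, not a change in every consuming project.
  image: registry.example.com/platform/scanner:1.4   # assumed image
  script:
    - scanner --fail-on $[[ inputs.fail_on_severity ]]
              --output gl-dependency-scanning-report.json
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

# ===== Consuming application project =====
# File: .gitlab-ci.yml
# The developer references the component by path and version and only
# overrides the inputs they care about; the job itself lives upstream.
include:
  - component: $CI_SERVER_FQDN/platform/ci-components/dependency-scan@1.2.0
    inputs:
      fail_on_severity: "medium"

stages: [build, test, deploy]

build:
  stage: build
  script:
    - make build
```

A practitioner’s note on the version selector: `@1.2.0` pins the project to one release, so a platform-level fix reaches it only when the reference is bumped; `@~latest` follows the newest release so a fix propagates without touching each project, but it also makes the component project a supply-chain dependency of every pipeline that includes it. Either way, the component repository deserves the same controls as production code (protected branches and tags, mandatory review, and no unreviewed changes to the pinned scanner image).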

But that’s just the beginning.

AI-Powered Remediation

One of the original goals of DevSecOps was to find (and fix) vulnerabilities faster, but we’ve recently taken a leap forward. Already, AI-powered remediation tools are reducing technical debt, Wald says, by automating the identification, explanation and remediation of vulnerabilities, ultimately leading us to more secure (and higher-quality) software.

And looking ahead to the future, AI-powered vulnerability remediation could become “a game changer,” Wald predicts, “significantly reducing technical debt.” Not only would this functionality improve security. It will also free up even more time for developers. But most importantly, it could mean that any discovered vulnerabilities will be fixed quickly. “This will be huge for organizations that must adhere to regulation and compliance audits.”


Again, this is a prediction that’s extrapolating from our present. Already, several (fine-tuned) LLMs “show promising results in vulnerability remediation,” Wald says, “achieving high True Positive rates on benchmarks like Ghera and OpenAI’s HumanEval. With larger context windows capable of analyzing entire codebases and customized AI agents designed to address specific vulnerabilities, these models are already achieving over 90% accuracy in detection and resolution.” So looking further into that future, Wald thinks organizations will be deploying AI agents “to systematically address accumulated technical debt from unresolved vulnerabilities.

“These agents will suggest fixes, leaving only a final human review to confirm and implement the resolution.”

Wald stresses that, “even with advanced AI models, it’s crucial that humans carefully vet code generated by AI to ensure accuracy and quality.” (He acknowledges that here in the present, we’ve “seen instances of both obvious and subtle inaccuracies, highlighting the need for human oversight.”) But the probability of hallucinations “is directly related to the quality and relevance of the context provided to the model,” with improvements coming through highly contextual prompts (along with specialized testing tools to measure the outputs). “For tasks like fixing security vulnerabilities, it’s essential to give the model detailed context on the codebase, dependencies, application architecture and infrastructure configuration.”

And even traditional development has always included unit tests, security analyzers and end-to-end testing frameworks. Those same checks could be applied to AI-powered vulnerability remediations.

AI Augmenting Humans

AI may even have a role in creating tests and other development-related tasks, ultimately making it easier for organizations to see clear returns on investments in AI-based software development tools. “Instead of asking, ‘How is AI helping?’ leaders should focus on specific tasks, such as test generation, documentation or language translation,” Wald says, “and measure the gains in efficiency and productivity for these AI-driven activities.

“Companies can more effectively quantify the ROI and justify further investment in these technologies by focusing on the tasks where AI excels.”

While he’s heard horror stories about a coming jobs apocalypse with AI replacing human workers, Wald sees a different future. “AI won’t replace humans; it will augment their work.” Humans will be the ones defining “correctness” — and establishing the guidelines that make sure AI delivers it.

But generative AI will do more than that, Wald predicts: “It’s poised to make large-scale application modernization economically viable for the first time.” Imagine small operational tools like internal portals and back-office tools upgraded with the cloud-first treatment. “While ‘app modernization’ has become a buzzword, the real barrier has always been cost,” Wald says. “Managing inefficiencies and risks was easier than overhauling these legacy systems.” GenAI changes this, Wald argues, by lowering the cost and complexity and “making it feasible to see meaningful return on investment within one to three years.

“This shift finally makes large-scale modernization practical for the overlooked systems that keep organizations running, unlocking efficiencies and reducing security risks across the board.”

The post GitLab’s Field CTO Predicts: When DevSecOps Meets AI appeared first on The New Stack.

