[{"data":1,"prerenderedAt":577},["ShallowReactive",2],{"/en-us/the-source/authors/joel-krooswyk/":3,"footer-en-us":34,"the-source-banner-en-us":341,"the-source-navigation-en-us":353,"the-source-newsletter-en-us":381,"joel-krooswyk-articles-list-authors-en-us":392,"joel-krooswyk-articles-list-en-us":423,"joel-krooswyk-page-categories-en-us":576},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"config":8,"seo":10,"content":12,"type":26,"slug":27,"_id":28,"_type":29,"title":11,"_source":30,"_file":31,"_stem":32,"_extension":33},"/en-us/the-source/authors/joel-krooswyk","authors",false,"",{"layout":9},"the-source",{"title":11},"Joel Krooswyk",[13,24],{"componentName":14,"type":14,"componentContent":15},"TheSourceAuthorHero",{"config":16,"name":11,"role":19,"bio":20,"headshot":21},{"gitlabHandle":17,"linkedInProfileUrl":18},"jkrooswyk","https://www.linkedin.com/in/joelrkrooswyk/","Federal CTO","Joel Krooswyk is the Federal CTO at GitLab. Joel has actively been involved in GitLab’s growth since 2017. His 25 years of leadership experience span not only the U.S. Public Sector, but also small, mid-market, and enterprise businesses globally. Joel combines deep government policy expertise with a wealth of experience in technology, software development, AI, and cybersecurity. 
He is frequently called upon by industry and agencies alike for policy commentary and response.",{"altText":11,"config":22},{"src":23},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463423/mkmdhuxsjggfvokdmdv7.jpg",{"componentName":25,"type":25},"TheSourceArticlesList","author","joel-krooswyk","content:en-us:the-source:authors:joel-krooswyk.yml","yaml","content","en-us/the-source/authors/joel-krooswyk.yml","en-us/the-source/authors/joel-krooswyk","yml",{"_path":35,"_dir":36,"_draft":6,"_partial":6,"_locale":7,"data":37,"_id":337,"_type":29,"title":338,"_source":30,"_file":339,"_stem":340,"_extension":33},"/shared/en-us/main-footer","en-us",{"text":38,"source":39,"edit":45,"contribute":50,"config":55,"items":60,"minimal":329},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":40,"config":41},"View page source",{"href":42,"dataGaName":43,"dataGaLocation":44},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":46,"config":47},"Edit this page",{"href":48,"dataGaName":49,"dataGaLocation":44},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":51,"config":52},"Please contribute",{"href":53,"dataGaName":54,"dataGaLocation":44},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":56,"facebook":57,"youtube":58,"linkedin":59},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[61,88,160,228,290],{"title":62,"links":63,"subMenu":69},"Platform",[64],{"text":65,"config":66},"DevSecOps platform",{"href":67,"dataGaName":68,"dataGaLocation":44},"/platform/","devsecops platform",[70],{"title":71,"links":72},"Pricing",[73,78,83],{"text":74,"config":75},"View 
plans",{"href":76,"dataGaName":77,"dataGaLocation":44},"/pricing/","view plans",{"text":79,"config":80},"Why Premium?",{"href":81,"dataGaName":82,"dataGaLocation":44},"/pricing/premium/","why premium",{"text":84,"config":85},"Why Ultimate?",{"href":86,"dataGaName":87,"dataGaLocation":44},"/pricing/ultimate/","why ultimate",{"title":89,"links":90},"Solutions",[91,96,100,105,110,115,120,125,130,135,140,145,150,155],{"text":92,"config":93},"Digital transformation",{"href":94,"dataGaName":95,"dataGaLocation":44},"/topics/digital-transformation/","digital transformation",{"text":97,"config":98},"Application Security Testing",{"href":99,"dataGaName":97,"dataGaLocation":44},"/solutions/application-security-testing/",{"text":101,"config":102},"Automated software delivery",{"href":103,"dataGaName":104,"dataGaLocation":44},"/solutions/delivery-automation/","automated software delivery",{"text":106,"config":107},"Agile development",{"href":108,"dataGaName":109,"dataGaLocation":44},"/solutions/agile-delivery/","agile delivery",{"text":111,"config":112},"Cloud transformation",{"href":113,"dataGaName":114,"dataGaLocation":44},"/topics/cloud-native/","cloud transformation",{"text":116,"config":117},"SCM",{"href":118,"dataGaName":119,"dataGaLocation":44},"/solutions/source-code-management/","source code management",{"text":121,"config":122},"CI/CD",{"href":123,"dataGaName":124,"dataGaLocation":44},"/solutions/continuous-integration/","continuous integration & delivery",{"text":126,"config":127},"Value stream management",{"href":128,"dataGaName":129,"dataGaLocation":44},"/solutions/value-stream-management/","value stream management",{"text":131,"config":132},"GitOps",{"href":133,"dataGaName":134,"dataGaLocation":44},"/solutions/gitops/","gitops",{"text":136,"config":137},"Enterprise",{"href":138,"dataGaName":139,"dataGaLocation":44},"/enterprise/","enterprise",{"text":141,"config":142},"Small business",{"href":143,"dataGaName":144,"dataGaLocation":44},"/small-business/","small 
business",{"text":146,"config":147},"Public sector",{"href":148,"dataGaName":149,"dataGaLocation":44},"/solutions/public-sector/","public sector",{"text":151,"config":152},"Education",{"href":153,"dataGaName":154,"dataGaLocation":44},"/solutions/education/","education",{"text":156,"config":157},"Financial services",{"href":158,"dataGaName":159,"dataGaLocation":44},"/solutions/finance/","financial services",{"title":161,"links":162},"Resources",[163,168,173,178,183,188,193,198,203,208,213,218,223],{"text":164,"config":165},"Install",{"href":166,"dataGaName":167,"dataGaLocation":44},"/install/","install",{"text":169,"config":170},"Quick start guides",{"href":171,"dataGaName":172,"dataGaLocation":44},"/get-started/","quick setup checklists",{"text":174,"config":175},"Learn",{"href":176,"dataGaName":177,"dataGaLocation":44},"https://university.gitlab.com/","learn",{"text":179,"config":180},"Product documentation",{"href":181,"dataGaName":182,"dataGaLocation":44},"https://docs.gitlab.com/","docs",{"text":184,"config":185},"Blog",{"href":186,"dataGaName":187,"dataGaLocation":44},"/blog/","blog",{"text":189,"config":190},"Customer success stories",{"href":191,"dataGaName":192,"dataGaLocation":44},"/customers/","customer success stories",{"text":194,"config":195},"Remote",{"href":196,"dataGaName":197,"dataGaLocation":44},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"text":199,"config":200},"GitLab 
Services",{"href":201,"dataGaName":202,"dataGaLocation":44},"/services/","services",{"text":204,"config":205},"TeamOps",{"href":206,"dataGaName":207,"dataGaLocation":44},"/teamops/","teamops",{"text":209,"config":210},"Community",{"href":211,"dataGaName":212,"dataGaLocation":44},"/community/","community",{"text":214,"config":215},"Forum",{"href":216,"dataGaName":217,"dataGaLocation":44},"https://forum.gitlab.com/","forum",{"text":219,"config":220},"Events",{"href":221,"dataGaName":222,"dataGaLocation":44},"/events/","events",{"text":224,"config":225},"Partners",{"href":226,"dataGaName":227,"dataGaLocation":44},"/partners/","partners",{"title":229,"links":230},"Company",[231,236,241,246,251,256,261,265,270,275,280,285],{"text":232,"config":233},"About",{"href":234,"dataGaName":235,"dataGaLocation":44},"/company/","company",{"text":237,"config":238},"Jobs",{"href":239,"dataGaName":240,"dataGaLocation":44},"/jobs/","jobs",{"text":242,"config":243},"Leadership",{"href":244,"dataGaName":245,"dataGaLocation":44},"/company/team/e-group/","leadership",{"text":247,"config":248},"Team",{"href":249,"dataGaName":250,"dataGaLocation":44},"/company/team/","team",{"text":252,"config":253},"Handbook",{"href":254,"dataGaName":255,"dataGaLocation":44},"https://handbook.gitlab.com/","handbook",{"text":257,"config":258},"Investor relations",{"href":259,"dataGaName":260,"dataGaLocation":44},"https://ir.gitlab.com/","investor relations",{"text":262,"config":263},"Sustainability",{"href":264,"dataGaName":262,"dataGaLocation":44},"/sustainability/",{"text":266,"config":267},"Diversity, inclusion and belonging (DIB)",{"href":268,"dataGaName":269,"dataGaLocation":44},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":271,"config":272},"Trust Center",{"href":273,"dataGaName":274,"dataGaLocation":44},"/security/","trust 
center",{"text":276,"config":277},"Newsletter",{"href":278,"dataGaName":279,"dataGaLocation":44},"/company/contact/","newsletter",{"text":281,"config":282},"Press",{"href":283,"dataGaName":284,"dataGaLocation":44},"/press/","press",{"text":286,"config":287},"Modern Slavery Transparency Statement",{"href":288,"dataGaName":289,"dataGaLocation":44},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"title":291,"links":292},"Contact Us",[293,298,303,308,313,318,323],{"text":294,"config":295},"Contact an expert",{"href":296,"dataGaName":297,"dataGaLocation":44},"/sales/","sales",{"text":299,"config":300},"Get help",{"href":301,"dataGaName":302,"dataGaLocation":44},"/support/","get help",{"text":304,"config":305},"Customer portal",{"href":306,"dataGaName":307,"dataGaLocation":44},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"text":309,"config":310},"Status",{"href":311,"dataGaName":312,"dataGaLocation":44},"https://status.gitlab.com/","status",{"text":314,"config":315},"Terms of use",{"href":316,"dataGaName":317,"dataGaLocation":44},"/terms/","terms of use",{"text":319,"config":320},"Privacy statement",{"href":321,"dataGaName":322,"dataGaLocation":44},"/privacy/","privacy statement",{"text":324,"config":325},"Cookie preferences",{"dataGaName":326,"dataGaLocation":44,"id":327,"isOneTrustButton":328},"cookie preferences","ot-sdk-btn",true,{"items":330},[331,333,335],{"text":314,"config":332},{"href":316,"dataGaName":317,"dataGaLocation":44},{"text":319,"config":334},{"href":321,"dataGaName":322,"dataGaLocation":44},{"text":324,"config":336},{"dataGaName":326,"dataGaLocation":44,"id":327,"isOneTrustButton":328},"content:shared:en-us:main-footer.yml","Main 
Footer","shared/en-us/main-footer.yml","shared/en-us/main-footer",{"_path":342,"_dir":343,"_draft":6,"_partial":6,"_locale":7,"visibility":328,"id":344,"title":345,"button":346,"_id":350,"_type":29,"_source":30,"_file":351,"_stem":352,"_extension":33},"/shared/en-us/the-source/banner/the-economics-of-software-innovation-2025-08-18","banner","The Economics of Software Innovation","The Economics of Software Innovation—AI’s $750 Billion Opportunity",{"config":347,"text":349},{"href":348},"/software-innovation-report/","Get the research report","content:shared:en-us:the-source:banner:the-economics-of-software-innovation-2025-08-18.yml","shared/en-us/the-source/banner/the-economics-of-software-innovation-2025-08-18.yml","shared/en-us/the-source/banner/the-economics-of-software-innovation-2025-08-18",{"_path":354,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"logo":355,"subscribeLink":360,"navItems":364,"_id":377,"_type":29,"title":378,"_source":30,"_file":379,"_stem":380,"_extension":33},"/shared/en-us/the-source/navigation",{"altText":356,"config":357},"the source logo",{"src":358,"href":359},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1750191004/t7wz1klfb2kxkezksv9t.svg","/the-source/",{"text":361,"config":362},"Subscribe",{"href":363},"#subscribe",[365,369,373],{"text":366,"config":367},"Artificial Intelligence",{"href":368},"/the-source/ai/",{"text":370,"config":371},"Security & Compliance",{"href":372},"/the-source/security/",{"text":374,"config":375},"Platform & Infrastructure",{"href":376},"/the-source/platform/","content:shared:en-us:the-source:navigation.yml","Navigation","shared/en-us/the-source/navigation.yml","shared/en-us/the-source/navigation",{"_path":382,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"title":383,"description":384,"submitMessage":385,"formData":386,"_id":389,"_type":29,"_source":30,"_file":390,"_stem":391,"_extension":33},"/shared/en-us/the-source/newsletter","The Source Newsletter","Stay updated with insights for the future 
of software development.","You have successfully signed up for The Source’s newsletter.",{"config":387},{"formId":388,"formName":279,"hideRequiredLabel":328},1077,"content:shared:en-us:the-source:newsletter.yml","shared/en-us/the-source/newsletter.yml","shared/en-us/the-source/newsletter",{"amanda-rueda":393,"andre-michael-braun":394,"andrew-haschka":395,"ayoub-fandi":396,"bob-stevens":397,"brian-wald":398,"bryan-ross":399,"chandler-gibbons":400,"dave-steer":401,"ddesanto":402,"derek-debellis":403,"emilio-salvador":404,"erika-feldman":405,"george-kichukov":406,"gitlab":407,"grant-hickman":408,"haim-snir":409,"iganbaruch":410,"jlongo":411,"joel-krooswyk":11,"josh-lemos":412,"julie-griffin":413,"kristina-weis":414,"lee-faus":415,"ncregan":416,"rschulman":417,"sabrina-farmer":418,"sandra-gittlen":419,"sharon-gaudin":420,"stephen-walters":421,"taylor-mccaslin":422},"Amanda Rueda","Andre Michael Braun","Andrew Haschka","Ayoub Fandi","Bob Stevens","Brian Wald","Bryan Ross","Chandler Gibbons","Dave Steer","David DeSanto","Derek DeBellis","Emilio Salvador","Erika Feldman","George Kichukov","GitLab","Grant Hickman","Haim Snir","Itzik Gan Baruch","Joseph Longo","Josh Lemos","Julie Griffin","Kristina Weis","Lee Faus","Niall Cregan","Robin Schulman","Sabrina Farmer","Sandra Gittlen","Sharon Gaudin","Stephen Walters","Taylor 
McCaslin",{"allArticles":424,"visibleArticles":575,"showAllBtn":328},[425,468,504,539],{"_path":426,"_dir":427,"_draft":6,"_partial":6,"_locale":7,"config":428,"seo":432,"content":436,"type":463,"slug":464,"category":427,"_id":465,"_type":29,"title":433,"_source":30,"_file":466,"_stem":467,"_extension":33,"date":437,"description":434,"timeToRead":438,"heroImage":435,"keyTakeaways":439,"articleBody":443,"faq":444},"/en-us/the-source/security/federal-cybersecurity-in-2025-looking-ahead","security",{"layout":9,"template":429,"articleType":430,"author":27,"featured":6,"gatedAsset":431,"isHighlighted":6,"authorName":11},"TheSourceArticle","Regular","source-lp-how-to-build-a-resilient-software-development-practice",{"title":433,"description":434,"ogImage":435},"Federal cybersecurity in 2025: Looking ahead","Learn how AI will transform federal cybersecurity in 2025, from preventing cyber attacks to modernizing legacy code and automating compliance processes.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464594/brhph5gzlyth9ko13d5d.jpg",{"title":433,"date":437,"description":434,"timeToRead":438,"heroImage":435,"keyTakeaways":439,"articleBody":443,"faq":444},"2025-02-26","5 min read",[440,441,442],"AI is becoming essential for federal cybersecurity, enabling agencies to detect and prevent cyber threats in minutes rather than days. However, human oversight remains crucial for guiding AI systems and validating their decisions.","Legacy code poses a major security risk, with 70% of vulnerabilities stemming from outdated systems. AI-powered tools will help agencies modernize their code bases and transition to more secure programming languages.","Software bills of materials (SBOMs) will become mandatory for federal contracts, giving agencies better visibility into their software supply chains and associated security risks. 
Vendors unable to provide SBOMs may lose opportunities.","In an era where a cyber attack happens [every 37 seconds](https://aag-it.com/the-latest-cyber-crime-statistics/), the federal government faces unprecedented challenges in protecting its IT systems and infrastructure. As nation-state actors and cybercriminals become more sophisticated, traditional security approaches are no longer sufficient.\n\nFederal agencies must remain secure while balancing new regulations, limited budgets, and the rise of artificial intelligence (AI). While not a silver bullet, AI technologies are proving to be powerful allies in the fight to secure federal systems. They help agencies do more with limited resources and quickly adapt to emerging threats. At the same time, the software development boom - driven in part by AI and open source - will require agencies to ensure they have more visibility into the license and security risks associated with their software.\n\nHere are four major changes we expect to see in federal cybersecurity during 2025:\n\n## AI will help stop cyber attacks before they happen\nIn the past, agencies would often react to cyber attacks after they happened. Now, AI is becoming essential for proactively preventing attacks. For example, the Department of Homeland Security uses AI to look through huge amounts of data to find possible threats.\n\nMore agencies will start using AI in 2025. [GitLab research](https://about.gitlab.com/the-source/platform/whats-next-in-devsecops-for-public-sector/) found that nearly half (47%) of public sector respondents were already using AI in the software development lifecycle in 2024; another 33% plan to start using AI by 2026. It makes sense that federal agencies would embrace AI tools that can spot dangerous activity much faster than humans can - sometimes in minutes instead of days. This is especially helpful for agencies that don't have many staff members.\n\nHowever, AI isn’t perfect on its own. 
People still need to check its work and ensure it’s making good decisions. Humans are also needed to guide AI and devise new ways to use it.\n\n## AI will help agencies modernize legacy code\nMany government systems use old programming languages that aren’t very secure. About 70% of security problems come from this legacy code. AI can help agencies [modernize legacy code to reduce the risk of security vulnerabilities](https://about.gitlab.com/the-source/security/why-legacy-code-is-a-security-risk-and-how-ai-can-help/).\n\nThe federal government has prioritized memory-safe programming languages to help avoid common software vulnerabilities. AI can automate tasks like code refactoring and analysis, helping organizations transition from memory-unsafe languages like C to more secure alternatives such as Rust or Go.\n\nAI tools can also look at old code and suggest ways to make it better and more secure. This helps agencies modernize their systems more quickly and protect against new threats.\n\n## AI will simplify compliance\nDevSecOps, compliance, and AI are on a collision course. Automation is the key to making compliance integral to software development and making it a more real-time activity than the traditional clipboard or checkbox approach.\n\nGovernment leaders are increasingly grappling with the complexities of compliance. AI simplifies this process by automating monitoring. It can warn agencies about problems immediately and help fix them, reducing the burden on compliance teams.\n\nCompliance checks will become a natural part of creating and updating software as technology improves. AI tools will proactively scan code for compliance violations and enforce security policies. 
While AI won’t completely automate this process in the near term, the shift to intelligent automation will help improve security and efficiency.\n\n## SBOMs will become a requirement, not just a best practice\nAI requires testing, guardrails, and management by humans and other tools, especially regarding security. A dynamic software bill of materials (SBOM) can give agencies full visibility into the license and security risks associated with their software, including any open source components.\n\nSBOMs help agencies understand exactly what’s in their software and what security risks might exist. The lists update automatically to show real-time information about potential problems.\n\n[GitLab research](https://about.gitlab.com/developer-survey/) has shown that use of open source software is on the rise: 67% of developers say that at least a quarter of the code bases they work on is from open source libraries. However, only 21% of respondents say they are currently using SBOMs to improve the security of the software development lifecycle.\n\nAs we move into 2025, SBOMs will become central to federal cybersecurity efforts. Defense agencies will lead the way, and civilian agencies will follow. The increased adoption of SBOMs will help defense and civilian agencies verify that nation-state actors have not made malicious contributions, promoting transparency and accountability within the federal government.\n\nMany agencies will likely require companies they work with to provide SBOMs - and potentially refuse to work with vendors that cannot comply.\n\n> [Read more about SBOMs and why they’ve become an integral part of modern software development](https://about.gitlab.com/blog/the-ultimate-guide-to-sboms/).\n\n## Looking ahead: From risk to resilience\nAs cyber threats continue to evolve, a strong security posture is essential. Agencies are finding creative ways to use AI to improve their security. 
By using AI to automate tasks, find problems quickly, and modernize old systems, agencies can better protect their critical information and systems. These investments in AI and security will help agencies stay ahead of future threats and safeguard critical assets.",[445,448,451,454,457,460],{"header":446,"content":447},"How can AI improve compliance in federal agencies?","AI simplifies compliance by automating monitoring and enforcement. AI-driven tools can proactively scan code for compliance violations, apply necessary fixes, and ensure adherence to security policies. This shift to automation will help agencies integrate compliance into their development processes more seamlessly, reducing manual oversight while improving security.",{"header":449,"content":450},"Why are federal agencies prioritizing SBOMs in 2025?","With increased reliance on open source software, federal agencies need better oversight of their software supply chains. SBOMs will become a standard requirement to improve transparency, enhance security, and meet federal compliance mandates. Defense agencies are expected to lead this effort, with civilian agencies following closely behind.",{"header":452,"content":453},"How will AI help prevent cyber attacks before they happen?","AI will enable agencies to transition from a reactive to a proactive cybersecurity approach. By analyzing large datasets, AI can identify and flag potential threats much faster than humans, reducing the time it takes to detect malicious activity. Federal agencies, including the Department of Homeland Security, are already leveraging AI to enhance threat detection capabilities.",{"header":455,"content":456},"What is an SBOM, and why is it becoming a requirement for federal agencies?","A Software Bill of Materials (SBOM) is a detailed inventory of software components, including open source and third-party dependencies. SBOMs provide visibility into potential security risks and help ensure software integrity. 
As AI-generated software increases, SBOMs will become essential for tracking vulnerabilities, ensuring compliance, and preventing malicious code contributions from nation-state actors.",{"header":458,"content":459},"What role does AI play in modernizing legacy government code?","Many government systems rely on outdated programming languages that introduce security vulnerabilities. AI can assist in modernizing these legacy code bases by automating refactoring, analyzing security risks, and helping transition from memory-unsafe languages like C to more secure alternatives like Rust or Go. This modernization will help reduce vulnerabilities and improve overall security.",{"header":461,"content":462},"How is AI expected to impact federal cybersecurity in 2025?","AI is expected to play a critical role in federal cybersecurity by proactively preventing cyber attacks, modernizing legacy code, simplifying compliance processes, and enhancing software security through tools like SBOMs. AI-powered threat detection will allow agencies to identify and mitigate risks faster, while automation will improve compliance monitoring and vulnerability 
management.","article","federal-cybersecurity-in-2025-looking-ahead","content:en-us:the-source:security:federal-cybersecurity-in-2025-looking-ahead:index.yml","en-us/the-source/security/federal-cybersecurity-in-2025-looking-ahead/index.yml","en-us/the-source/security/federal-cybersecurity-in-2025-looking-ahead/index",{"_path":469,"_dir":427,"_draft":6,"_partial":6,"_locale":7,"config":470,"seo":472,"content":476,"type":463,"slug":500,"category":427,"_id":501,"_type":29,"title":473,"_source":30,"_file":502,"_stem":503,"_extension":33,"date":477,"description":474,"timeToRead":478,"heroImage":475,"keyTakeaways":479,"articleBody":483,"faq":484},"/en-us/the-source/security/why-legacy-code-is-a-security-risk-and-how-ai-can-help",{"layout":9,"template":429,"articleType":430,"author":27,"featured":6,"gatedAsset":471,"isHighlighted":6,"authorName":11},"source-lp-how-a-devsecops-platform-drives-business-success-the-complete-guide",{"title":473,"description":474,"ogImage":475},"Why legacy code is a security risk — and how AI can help","Explore how AI-powered code refactoring can modernize legacy systems, enhance your security protocols, and propel your organization into the future.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463670/cdynzww9p2annh3mmbhl.png",{"title":473,"date":477,"description":474,"timeToRead":478,"heroImage":475,"keyTakeaways":479,"articleBody":483,"faq":484},"2025-01-15","6 min read",[480,481,482],"Legacy code is expensive and time-consuming to maintain and, if not compatible with the latest security tools, it can be a serious liability for organizations across industries.","Code refactoring is a strategy that can help make code more readable — improving the stability of the code base as well as the productivity and efficiency of developers.","Together with preventative security tools, AI-powered code refactoring can help teams modernize their legacy code while reducing their risk of security vulnerabilities in the process.","Today’s 
rapid acceleration of technology is exciting. It means new products and opportunities for growth and innovation are around every corner. And yet this speed of growth and change has its downsides, especially regarding security: just one bad actor can cause massive business disruption, reputation damage, and lost revenue.\n\nYou have likely heard industry leaders talk about their need for digital transformation and the worrisome dependency on outdated or “legacy” systems. While legacy code is not inherently problematic, it often isn’t compatible with modern security tools, leading to exploitable vulnerabilities. Coupled with open source code - which requires ongoing security vigilance - your code base may be putting your organization’s data, users, and reputation at risk.\n\nLegacy code is risky from a security and compliance perspective, and it’s also expensive and time-consuming for developers to maintain - if developers on your team even have the legacy knowledge to do the work.\n\nUltimately, this industry-wide reliance on legacy code is a concerning and costly practice. So, how do we work our way out of it?\n\nBelow, I’ll explore legacy code and how organizations can increase the security of their code base with AI-powered code refactoring. Together with AI-driven testing and security capabilities, code refactoring will propel your codebase into the future while empowering your whole team to look ahead, not behind.\n\n## What is legacy code?\n\nBroadly, legacy code refers to an existing code base that a team inherits from previous team members and continues to use and maintain. The code might work just fine, but several different developers have likely modified it over the years. The current team might struggle to identify which modifications are valuable and which are not. 
Additionally, the code might be written using an outdated framework or in a programming language that no one on the team knows (whether it’s simply old or completely obsolete).\n\nIt might seem strange that companies still rely on legacy code. While the reasons can vary, think of it like this: You live in an old house. It's cozy and familiar, but the plumbing's unreliable, the wiring is outdated, and every time you fix one thing, something else breaks. Sure, you could remodel, but that means a huge upheaval – contractors, permits, living in chaos for months, and costs that can spiral out of control.\n\nSo, you keep patching things up, hoping for the best. It's not ideal, but it works - for now. That's kind of what it's like with legacy code. It's the familiar, “working” solution, even if it's creaky and inefficient. Rewriting it from scratch is a daunting prospect with its own risks and costs. Plus, who has time for a massive overhaul when there are new features to build and urgent bugs to fix?\n\nWhen it comes to updating code, many companies decide to keep their legacy code because maintaining it can be less disruptive in the short term. Updating code involves a lot of developing and testing code. It can also involve training a team to ensure they have the skills to work with the outdated code language or framework. If there isn’t any documentation, it can be even more challenging to navigate.\n\n## What’s the problem with legacy code?\n\nIf your organization does decide to stick with your legacy code - and many do - you’re opening yourself up to a host of potential issues. Since this code wasn’t designed for newer tech, you might not be able to integrate it with the latest and greatest software (like AI tools, for example), which could also impact the performance and scalability of your products. 
This can hold you back and impact customer experience down the line.\n\nWhat’s most concerning about legacy code, whether it was written five years ago or 50, is that there may be no security scanners that work for this code. That means you can’t detect problems on your own while making updates. Moreover, developers making these updates may not understand the language or its structure well and might even accidentally create vulnerable code in the process. Finally, older applications are commonly written in C or C++, which are memory unsafe languages - proven to host [70% of identified vulnerabilities](https://www.cisa.gov/news-events/news/urgent-need-memory-safety-software-products).\n\nThese three issues - the fact that there may be no way to secure legacy code, there are fewer ways to safely update it, and that the end result is far more likely to be vulnerable - should be warning signs for organizations across industries.\n\nIn developing a catalog of bad practices that can put critical infrastructure at risk, the U.S. [Cybersecurity and Infrastructure Security Agency](https://www.cisa.gov/stopransomware/bad-practices) added the following:\n\n“Use of unsupported (or end-of-life) software in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.”\n\nEven if you aren’t working in national security or for national public health and safety, this warning is still applicable: Using old code is not a best practice. 
It’s a bad one.\n\n## The solution: Code refactoring\n\nAccording to software developer and author [Martin Fowler](https://www.martinfowler.com/), “Refactoring is a controlled technique for improving the design of an existing code base, a disciplined technique for restructuring an existing body of code, altering its internal structure without changing its external behavior.”\n\nIn other words, code refactoring allows you to secure and modernize your legacy code without obscuring its original functionality.\n\nThere are many refactoring techniques - from inline refactoring, which involves simplifying code by removing obsolete elements, to refactoring by abstraction, where duplicate code is deleted. What’s important to know is that code refactoring requires time and significant developer skills to do well. It also requires a lot of testing when developers are already busy working on other tasks.\n\nSo, while code refactoring is certainly the answer to bringing your legacy code into the future, making it readable, efficient, and secure, it is a project in and of itself, especially at scale.\n\n## How AI can help\n\nWe know that AI is already accelerating the software development lifecycle - and there’s a lot that [AI can do to help teams accelerate the refactoring process](https://about.gitlab.com/blog/refactor-code-into-modern-languages-with-ai-powered-gitlab-duo/), too. For example, tools like [GitLab Duo](https://about.gitlab.com/blog/gitlab-duo-chat-now-generally-available/) can help explain existing code and create new code, two of the biggest hurdles when modernizing legacy code. If a developer isn’t familiar with a language, AI can help fill in the blanks. 
Regarding testing and security, AI can also [analyze root causes, generate tests](https://about.gitlab.com/blog/developing-gitlab-duo-blending-ai-and-root-cause-analysis-to-fix-ci-cd/), and [help developers remediate vulnerabilities](https://about.gitlab.com/the-source/ai/understand-and-resolve-vulnerabilities-with-ai-powered-gitlab-duo/). With AI in your toolkit, code refactoring can finally be more accessible and achievable for organizations, so they can move this project off their backlog for good.\n\nAccording to [our research](https://about.gitlab.com/developer-survey/2024/ai/), 34% of all respondents using AI across the software development lifecycle already use AI to modernize legacy code. This is even higher in the financial services industry (46%).\n\nOf course, there are a few things to keep in mind as you start to implement AI in any of your practices.\n\nAI isn’t perfect. It still requires testing, guardrails, and human oversight. So, while it absolutely can facilitate and accelerate some of these critical, time-consuming manual tasks, it can’t do this work alone. Especially regarding security, you should implement other tools to keep your code as secure as possible. We recommend creating a [dynamic software bill of materials](https://about.gitlab.com/blog/the-ultimate-guide-to-sboms/) (also called an SBOM) to give you full visibility into the license and security risks associated with your software, including any legacy code you may have.\n\n## Bring your codebase into the future\n\nWhile the jump from legacy codebase maintenance to modernization might feel daunting, it is the best path forward if you want to keep your organization and user data secure. With the right tools and methods, it may be more efficient for your teams and cost-effective for your company.\n\nThe good news is that your teams don’t need to spend time and resources deciphering old languages and working with old frameworks - causing frustration, delays, and bottlenecks. 
By letting AI do the hard work of refactoring your code so that it’s safe, secure, and functioning as it should, developers can focus on what they do best: building new products and features and driving value for customers.",[485,488,491,494,497],{"header":486,"content":487},"What are the challenges of maintaining legacy code without AI?","Challenges include:\n - __Lack of modern security support__: Traditional security scanners may not be compatible with legacy code\n - __Complex and outdated frameworks__: Developers may lack the expertise to maintain or update the old code\n - __High maintenance costs__: Maintaining legacy systems is costly and time-consuming, diverting resources from innovation\n - __Security risks__: Outdated code is more prone to vulnerabilities and attacks, increasing the risk of data breaches",{"header":489,"content":490},"How does GitLab support AI-powered refactoring and legacy code modernization?","GitLab uses GitLab Duo to help developers understand legacy code by providing explanations and generating new code. It also offers:\n - AI-driven security scans for detecting vulnerabilities in legacy code\n - Automated testing and remediation to enhance code security\n - Dynamic Software Bills of Materials (SBOMs) for visibility into license and security risks, including legacy components",{"header":492,"content":493},"Why is legacy code considered a security risk?","Legacy code is risky because it often uses outdated frameworks or programming languages that lack modern security measures. This makes it incompatible with the latest security tools, increasing the risk of vulnerabilities. 
Additionally, unsupported or end-of-life software can be easily exploited by attackers, compromising data integrity and security.",{"header":495,"content":496},"How can AI-powered code refactoring enhance legacy code security?","AI-powered code refactoring modernizes legacy systems by:\n - Identifying outdated or insecure code patterns and suggesting secure alternatives\n - Automating code improvements without altering external behavior, enhancing readability and maintainability\n - Generating security tests and analyzing root causes of vulnerabilities, enabling faster remediation\nThis approach reduces manual effort and accelerates the transition to more secure, efficient, and scalable codebases.",{"header":498,"content":499},"What are the benefits of using AI for legacy code refactoring?","Benefits include:\n - __Enhanced security__: AI identifies and mitigates vulnerabilities, improving security posture\n - __Increased productivity__: Automating repetitive tasks allows developers to focus on innovation\n - __Cost efficiency__: Reduced maintenance costs by modernizing code to work with current frameworks and tools\n - __Scalable modernization__: AI enables scalable and consistent refactoring across complex codebases, future-proofing the organization’s software 
assets","why-legacy-code-is-a-security-risk-and-how-ai-can-help","content:en-us:the-source:security:why-legacy-code-is-a-security-risk-and-how-ai-can-help:index.yml","en-us/the-source/security/why-legacy-code-is-a-security-risk-and-how-ai-can-help/index.yml","en-us/the-source/security/why-legacy-code-is-a-security-risk-and-how-ai-can-help/index",{"_path":505,"_dir":427,"_draft":6,"_partial":6,"_locale":7,"config":506,"seo":508,"content":512,"type":463,"slug":535,"category":427,"_id":536,"_type":29,"title":509,"_source":30,"_file":537,"_stem":538,"_extension":33,"date":513,"description":510,"timeToRead":478,"heroImage":511,"keyTakeaways":514,"articleBody":518,"faq":519},"/en-us/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design",{"layout":9,"template":429,"articleType":430,"author":27,"featured":6,"gatedAsset":507,"isHighlighted":6,"authorName":11},"source-lp-guide-to-dynamic-sboms",{"title":509,"description":510,"ogImage":511},"Strengthen your cybersecurity strategy with Secure by Design","Take a closer look at Secure by Design and related concepts, and learn steps you can take today to build security into your software development processes.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463932/pnfdgovoaq5qd1yprxuc.png",{"title":509,"date":513,"description":510,"timeToRead":478,"heroImage":511,"keyTakeaways":514,"articleBody":518,"faq":519},"2024-10-29",[515,516,517],"Secure by Design, Secure by Default, and Secure by Demand proactively prevent vulnerabilities and software supply chain attacks by encouraging software manufacturers to embed security into every aspect of product design and development.","Adopting a comprehensive DevSecOps approach and creating and maintaining software bills of materials (SBOMs) are key steps to becoming Secure by Design.","Incorporating AI into the software development lifecycle can also help teams expedite development processes, resolve vulnerabilities, and create more secure 
products.","An organization’s approach to cybersecurity must constantly evolve as attack surfaces increase and it learns more about potential threats. Understanding that security threats can enter from any point in the software supply chain, a Secure by Design approach integrates security into the design, coding, testing, and deployment phases of software development. As the standard for U.S. federal agencies - and any organization that touches their software - Secure by Design has become a go-to benchmark for building security measures into the software development lifecycle.\n\nOver time, Secure by Design has branched off into related concepts such as _Secure by Default_ and _Secure by Demand_, which emphasize different ways of approaching Secure by Design:\n\n- [Secure by Default](#what-is-secure-by-default) focuses on ensuring that all software products are secure out of the box.\n- [Secure by Demand](#what-is-secure-by-demand) extends Secure by Design principles to the procurement process.\n\nHere’s a closer look at Secure by Design and these related approaches, including a [step-by-step guide](#building-a-secure-by-design-cybersecurity-strategy) to how organizations can adapt their strategies to prevent security risks such as exploitable vulnerabilities and software supply chain attacks.\n\n## What is Secure by Design?\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) introduced its [Secure by Design Initiative](https://www.cisa.gov/securebydesign) in April 2023, with a focus on three key software security principles:\n\n1. Take ownership of customer security outcomes\n1. Embrace radical transparency and accountability\n1. Build organizational structure and leadership to achieve these goals\n\nSecure by Design integrates security principles and protocols into every stage of the software development process. 
This means that security measures are built into the design, coding, testing, and deployment phases of software development rather than being added on as an afterthought.\n\nThe goal of Secure by Design is to create a secure foundation for software systems from the very beginning, reducing vulnerabilities and potential attack surfaces.\n\n### What is Secure by Default?\nSecure by Default is an offshoot of Secure by Design that focuses on ensuring that any software or hardware is set to its most secure configuration without requiring reconfiguration by the user. Products that are Secure by Default automatically enable the most important security controls needed to protect enterprises from unauthorized access by bad actors - meaning users do not have to go through additional steps to ensure that a product is protected against prevalent exploitation techniques.\n\nSecure by Default tactics include eliminating default passwords and mandating multi-factor authentication and single sign-on to allow only authorized users access to resources. This approach also includes automatic updates and patches, as well as secure configurations for all user accounts and devices.\n\n### What is Secure by Demand?\nSecure by Demand combines Secure by Design principles with budgeting and procurement contracts in order to drive Secure by Design as a mandate for vendors as well as contractors. [CISA’s Secure by Demand Guide](https://www.cisa.gov/resources-tools/resources/secure-demand-guide) provides a set of questions and resources that software purchasers, buyers, and procurers can use to better understand a potential vendor’s approach to cybersecurity. 
This includes questions about the vendor's authentication practices, software supply chain security, and vulnerability disclosure and reporting.\n\nBy requiring vendors to adhere to Secure by Design principles and protocols in their products and services, organizations can help prevent potential vulnerabilities from entering their software supply chain. The Secure by Demand approach also further incentivizes vendors to continuously improve their own cybersecurity posture.\n\n## Building a Secure by Design cybersecurity strategy\nAs organizations prioritize becoming Secure by Design, steps include utilizing effective DevSecOps practices, maintaining a software bill of materials (SBOM), and incorporating AI to defend against threats entering from any point in the software development lifecycle.\n\n### Adopting DevSecOps practices\nOne of the first steps to support a Secure by Design posture is a secure software development process: developing, building, securing, and deploying software using a comprehensive DevSecOps approach.\n\nToday, many developers utilize complex toolsets to create new programs. A [recent survey by GitLab](https://about.gitlab.com/developer-survey/) found that 62% of respondents use 6 or more tools for development, and 20% use 11 or more - an inefficiency that increases risk by introducing potential security vulnerabilities.\n\nDevelopers should be able to access all the tools necessary for DevSecOps workflows in a single, easy-to-use interface. With an end-to-end solution, like a [DevSecOps platform](/platform/), organizations can implement a Secure by Design approach without increasing the security burden on developers.\n\n### Creating and maintaining SBOMs\nEmbracing transparency is another significant part of being Secure by Design. 
Organizations must understand what’s in their software, especially when it may include components from multiple sources.\n\n[SBOMs are essential tools for achieving this transparency](https://about.gitlab.com/blog/the-ultimate-guide-to-sboms/). They offer detailed inventories of software components, including version, license, and dependency details, that enable greater awareness of potential vulnerabilities or malicious code.\n\nMaintaining this inventory allows organizations to fully understand potential vulnerabilities and risks that could arise when elements are lifted from open source repositories and licensed third-party components. A DevSecOps platform can help [automatically generate and update SBOMs](/solutions/security-compliance/), integrate them into existing workflows, and link them to associated vulnerabilities.\n\nWhile many organizations are now using SBOMs, they must be dynamic, connected with security scanning tools, and continuously updated to be fully effective. When integrated with scanning tools and dashboards, SBOMs can provide a way to identify the risks associated with an application. Even when not required, SBOMs can support compliance with security regulations by validating that code is secure.\n\n### Using AI in software development\nAs organizations explore ways to use AI, software development workflows provide a valuable entry point to the technology, which has the potential to accelerate development processes and enhance security.\n\nOrganizations across all industries are already beginning to explore these applications: 39% of respondents [in GitLab’s survey](https://about.gitlab.com/developer-survey/2024/ai/) said they are already using AI in the software development lifecycle.\n\nApplying AI across the software development lifecycle can help organizations avoid AI-driven silos and backlogs within development workflows. 
AI can perform key functions such as:\n\n* Code explanation and legacy code refactoring into [memory-safe languages](https://about.gitlab.com/blog/memory-safe-vs-unsafe/)\n* [Root cause analysis for DevSecOps pipelines](https://about.gitlab.com/blog/developing-gitlab-duo-blending-ai-and-root-cause-analysis-to-fix-ci-cd/), expediting solutions for complex problems during testing\n* [Vulnerability resolution](https://about.gitlab.com/the-source/ai/understand-and-resolve-vulnerabilities-with-ai-powered-gitlab-duo/) to help resolve known vulnerabilities, supporting more thorough remediation\n\nAs leaders integrate AI into their workflows, it is crucial to prioritize privacy and data security. An essential aspect of adopting a Secure by Design approach is to develop an [AI strategy that safeguards sensitive data and protects intellectual property rights](https://about.gitlab.com/the-source/ai/building-a-transparency-first-ai-strategy-7-questions-to-ask-your-devops/).\n\n### What’s next\nSecure by Design may soon become the default approach to creating a more trustworthy software ecosystem. The [U.S. government](https://about.gitlab.com/the-source/security/national-cybersecurity-strategy-a-wake-up-call-for-software-developers/) is currently working with software manufacturers to create frameworks that legally incentivize the private sector to produce and release Secure by Design software, driving businesses to invest more in secure technology and practices.\n\nWith robust security built into software development from the start, transparency through effective SBOMs, and AI enhancing the development process, everyone involved in the software development lifecycle will be positioned for success.",[520,523,526,529,532],{"header":521,"content":522},"What is Secure by Demand, and how does it impact vendors?","Secure by Demand extends Secure by Design principles into procurement and vendor management. 
It requires organizations to mandate security best practices from their software providers, ensuring that third-party products meet high cybersecurity standards. This approach minimizes supply chain risks and encourages vendors to continuously improve their security posture to remain competitive.",{"header":524,"content":525},"How does AI enhance Secure by Design practices?","AI accelerates Secure by Design by automating security tasks, such as vulnerability detection, root cause analysis, and legacy code refactoring. AI-powered tools can analyze security risks in real time, generate secure coding suggestions, and streamline DevSecOps pipelines. However, organizations must implement AI responsibly by safeguarding privacy, data security, and intellectual property rights.",{"header":527,"content":528},"How does Secure by Default differ from Secure by Design?","Secure by Default is an extension of Secure by Design, ensuring that software products come pre-configured with the highest security settings. Users don’t need to manually adjust settings or apply additional safeguards to achieve a secure environment. Examples include eliminating default passwords, enforcing multi-factor authentication, and automating security updates to protect against common exploitation techniques.",{"header":530,"content":531},"How can organizations implement a Secure by Design strategy?","To adopt a Secure by Design strategy, organizations should integrate DevSecOps practices, maintain a software bill of materials (SBOM) for transparency, and use AI-driven security tools to detect vulnerabilities early. 
A DevSecOps platform helps unify security and development workflows, while SBOMs provide a comprehensive inventory of software components to track dependencies and potential risks.",{"header":533,"content":534},"What is Secure by Design, and why is it important?","Secure by Design is a cybersecurity approach that integrates security into every stage of software development, from design to deployment. Instead of applying security fixes reactively, it ensures that security measures are built into the development process from the start. This proactive strategy reduces vulnerabilities, strengthens software resilience, and aligns with federal security standards, such as those established by CISA.","strengthen-your-cybersecurity-strategy-with-secure-by-design","content:en-us:the-source:security:strengthen-your-cybersecurity-strategy-with-secure-by-design:index.yml","en-us/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design/index.yml","en-us/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design/index",{"_path":540,"_dir":427,"_draft":6,"_partial":6,"_locale":7,"config":541,"seo":543,"content":548,"type":463,"slug":571,"category":427,"_id":572,"_type":29,"title":544,"_source":30,"_file":573,"_stem":574,"_extension":33,"date":549,"description":545,"timeToRead":438,"heroImage":546,"keyTakeaways":550,"articleBody":554,"faq":555},"/en-us/the-source/security/national-cybersecurity-strategy-a-wake-up-call-for-software-developers",{"layout":9,"template":429,"articleType":430,"author":27,"featured":6,"gatedAsset":542,"isHighlighted":6,"authorName":11},"application-security-in-the-digital-age",{"title":544,"description":545,"ogImage":546,"config":547},"National Cybersecurity Strategy: A wake-up call for software developers","The new White House policy puts liability for poor security on software makers. 
Learn how DevSecOps can protect your organization.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464383/klpmnmeqtsebmwgu1vps.png",{"ignoreTitleCharLimit":328},{"title":544,"date":549,"description":545,"timeToRead":438,"heroImage":546,"keyTakeaways":550,"articleBody":554,"faq":555},"2023-03-07",[551,552,553],"The 2023 National Cybersecurity Strategy places a strong emphasis on software security, shifting the responsibility to software makers for the development, deployment, and maintenance of secure products.","The main aspects highlighted by the policy include collaboration, digital transformation, automation, and transparency.","An end-to-end DevSecOps platform aligns well with the new strategy, offering comprehensive solutions for software supply chain security, software inventory generation, and assurance of software trustworthiness.","The 2023 National Cybersecurity Strategy, which the White House released last week, should serve as a wake-up call to all organizations that develop software, whether for internal or external use. The policy puts the liability for poor security on software makers and requires a strengthening of security at every step of the software development lifecycle.\n\nThe policy shines a spotlight on the importance of collaboration, digital transformation, automation, and transparency. The White House is seeking to advance security-first posturing, eliminate the top cybersecurity threats, rebalance software security responsibility and data stewardship, defend against malicious actors, and forge international partnerships.\n\n“Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers. 
Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product,” the White House strategy states.\n\nA replacement of the [2018 National Cyber Strategy](https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf), the 2023 policy focuses on five key pillars designed to improve national and global cybersecurity for the public and private sectors.\n\nThe five pillars of the 2023 National Cybersecurity Strategy are:\n\n* Defend Critical Infrastructure\n* Disrupt and Dismantle Threat Actors\n* Shape Market Forces to Drive Security and Resilience\n* Invest in a Resilient Future\n* Forge International Partnerships to Pursue Shared Goals\n\n## What the strategy means for software makers\nThe White House’s strategy puts the onus for developing, deploying, and maintaining secure software on software makers. It states that too many vendors “ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance.”\n\nIn addition, the strategy notes that software makers “are able to leverage their market position to fully disclaim liability by contract, further reducing their incentive to follow secure-by-design principles or perform pre-release testing.”\n\nDevelopers who fail to take reasonable precautions to secure their software will be held liable, according to the strategy, with the ultimate goal of encouraging the development of safer and more secure products and services. 
The White House plans to work with Congress to create legislation that establishes liability for software products and services.\n\n## DevSecOps and National Cybersecurity Strategy\nOne scalable and dependable way to align with the National Cybersecurity Strategy is with [a comprehensive DevSecOps approach](/topics/devsecops/), which integrates security and compliance into the developer experience.\n\nGitLab’s DevSecOps Platform helps software makers:\n\n- Secure their end-to-end [software supply chain](/blog/the-ultimate-guide-to-software-supply-chain-security/), including source, build, dependencies, and release artifacts\n- Create an inventory of software used with a [software bill of materials (SBOM)](/blog/the-ultimate-guide-to-sboms/)\n- Demonstrate their software is trustworthy via [SLSA](/blog/achieve-slsa-level-2-compliance-with-gitlab/)\n\nGitLab automatically scans for vulnerabilities in source code, containers, dependencies, and running applications. By centralizing end-to-end collaboration, GitLab ensures the [\"secure-by-design\" principle](https://about.gitlab.com/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design/) recommended by the National Cybersecurity Strategy is applied in every phase of software development.\n\nGitLab also helps companies track changes, implement necessary controls to protect what goes into production, and ensure adherence to license compliance and regulatory frameworks.\n\nThe White House’s strategy also proposes future legislation that will include safe harbor from liability for those that follow best practices like [NIST’s Secure Software Development Framework (SSDF)](/blog/comply-with-nist-secure-supply-chain-framework-with-gitlab/). GitLab has the built-in automation to support much of the NIST SSDF with little-to-no configuration required. 
Issue-based workflows, source code management, automated builds, broad-capability security scanning, code reviews, approvals, and environment visibility are all part of GitLab Ultimate.\n\nThe National Cybersecurity Strategy acknowledges that balancing short-term imperatives with the vision for trust and safety in software will be a challenge for most organizations. Given the interdependencies and complexities of software development, organizations should assess the current state of their SDLC and quickly identify what design, architectural, and operational changes they have to make to align with the White House’s proposed mandates.",[556,559,562,565,568],{"header":557,"content":558},"How does the strategy plan to hold software vendors accountable?","The strategy proposes working with Congress to establish legislation that enforces liability for software products and services that do not follow secure-by-design principles. By shifting legal accountability to those best positioned to prevent security flaws, the goal is to incentivize vendors to prioritize robust security throughout the software development lifecycle.",{"header":560,"content":561},"What does this mean for organizations building or maintaining software?","Organizations developing software will need to evaluate their entire development lifecycle to ensure alignment with the expectations outlined in the strategy. This includes adopting best practices for secure development, performing thorough testing, managing software components responsibly, and maintaining transparency through tools like SBOMs.",{"header":563,"content":564},"How can DevSecOps support compliance with the National Cybersecurity Strategy?","A DevSecOps approach ensures that security and compliance are integrated into every stage of the software development lifecycle. 
By using a unified platform, organizations can automate vulnerability scanning, track software components, manage security policies, and enforce compliance controls — all key aspects of aligning with the strategy’s objectives.",{"header":566,"content":567},"What role does GitLab play in supporting secure software practices?","GitLab’s DevSecOps platform provides built-in tools for vulnerability scanning, license compliance, source code protection, and regulatory adherence. It supports standards like the NIST Secure Software Development Framework (SSDF) with minimal configuration, helping teams implement secure-by-design principles and streamline reporting and accountability.",{"header":569,"content":570},"Why should software makers take this strategy seriously?","With the proposed legislative changes, software vendors that fail to adopt secure practices may face legal and financial consequences. This makes early alignment with the strategy not only a matter of national security, but also a proactive business decision.","national-cybersecurity-strategy-a-wake-up-call-for-software-developers","content:en-us:the-source:security:national-cybersecurity-strategy-a-wake-up-call-for-software-developers:index.yml","en-us/the-source/security/national-cybersecurity-strategy-a-wake-up-call-for-software-developers/index.yml","en-us/the-source/security/national-cybersecurity-strategy-a-wake-up-call-for-software-developers/index",[425,468,504,539],{"ai":366,"platform":374,"security":370},1758662360474]