GitLab: Tackling the Core Challenges of Enterprise Security


GitLab CISO Josh Lemos emphasizes the importance of addressing tech stack complexity and vulnerability management in today's increasingly intricate security landscape.

In today’s complex software landscape, security challenges often go beyond cultural disconnects. GitLab’s CISO, Josh Lemos, believes it’s time for leaders to rethink how they approach tech stack complexity, vulnerability management, and collaborative processes.

As the CISO of GitLab—an AI-powered DevSecOps platform—Josh helps organizations navigate the growing challenges of building secure, efficient, and scalable software. In this piece, he explores the root causes of common enterprise security frustrations and shares actionable insights for modern teams.

What’s Really Frustrating Security Teams?

While organizational culture plays a role, many of the frustrations security teams face stem from:

  • Tech stack complexity
  • Process inefficiencies
  • Unmanageable vulnerability data

A GitLab survey of DevSecOps professionals found:

  • 62% of UK security pros struggle to get developers to prioritize vulnerability remediation
  • 52% report red tape slows down vulnerability fixes
  • Other pain points include late-stage testing, unclear security insights, and excessive false positives

These aren’t just technical glitches—they reflect deeper issues in how teams work together and manage security workflows.

The Double-Edged Sword of Vulnerability Scanning

Authenticated scanning has significantly improved security programs, but it also burdens developers:

“The move to authenticated scanning has improved the effectiveness of security programmes in multiple ways, but it’s also put developers on an endless cycle of fixing things that don’t matter,” says Lemos.

Why? A detected vulnerability is not necessarily an exploitable one: the affected code path may never be reached by the application, the component may not be exposed to an attacker, or a mitigating control may already be in place. When developers spend their time on such low-priority findings, they lose focus on the flaws that are genuinely exploitable.

The result: widening disconnects between security and engineering teams.

Shift Focus to High-Fidelity, Actionable Insights

False positives remain one of the biggest frustrations. But Lemos argues they often signal a deeper vulnerability management problem:

  • Many tools provide no context or overwhelm users with data
  • Traditional SAST tools, while powerful, can become noise if not well-managed
  • Most scanning tools offer narrow context windows, making it hard to act with confidence

Here’s where AI can step in—contextualizing security alerts and helping teams prioritize what truly matters.
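The exploitability point above and the call for actionable, contextualized alerts both come down to the same triage question: which findings deserve a developer's time this week? The script below is an added example, not GitLab's code or anything from Lemos's piece. It ranks scanner findings by signals that speak to exploitability (whether the vulnerable code is reachable, EPSS-style exploitation probability, presence in CISA's Known Exploited Vulnerabilities catalog) rather than by CVSS alone. The findings, scores and placeholder IDs are constructed sample data, and the thresholds are assumptions to be tuned per organisation.

```python
"""Rank scanner findings by exploitability signals rather than raw CVSS.

Added example, not GitLab's code. Findings, EPSS values and KEV flags below are
constructed sample data with placeholder IDs; the thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    id: str            # placeholder identifier, not a real CVE
    package: str
    cvss: float        # base severity as the scanner reports it
    reachable: bool    # does the application actually call the vulnerable code?
    epss: float        # estimated 30-day exploitation probability, 0..1
    in_kev: bool       # listed in CISA's Known Exploited Vulnerabilities catalog


# Constructed sample findings (not real scanner output).
FINDINGS = [
    Finding("F-1", "libalpha", cvss=9.8, reachable=False, epss=0.02, in_kev=False),
    Finding("F-2", "libbeta", cvss=7.5, reachable=True, epss=0.45, in_kev=True),
    Finding("F-3", "libgamma", cvss=5.3, reachable=True, epss=0.12, in_kev=False),
    Finding("F-4", "libdelta", cvss=6.1, reachable=True, epss=0.01, in_kev=False),
    Finding("F-5", "libepsilon", cvss=9.1, reachable=False, epss=0.30, in_kev=True),
]

BUCKET_ORDER = {"fix-now": 0, "fix-this-sprint": 1, "schedule": 2, "defer": 3}


def classify(f: Finding) -> str:
    """Map one finding to an action bucket (thresholds are assumptions)."""
    if f.in_kev and f.reachable:
        return "fix-now"            # actively exploited and reachable: drop everything
    if f.in_kev or (f.reachable and (f.epss >= 0.10 or f.cvss >= 9.0)):
        # KEV but "unreachable" (reachability analysis can be wrong), or
        # reachable with a real chance of exploitation
        return "fix-this-sprint"
    if f.reachable:
        return "schedule"           # reachable, no sign of exploitation: normal backlog
    return "defer"                  # unreachable: record it, re-check when the dependency graph changes


def prioritize(findings):
    """Return (bucket, finding) pairs, most urgent first; ties by EPSS, then CVSS."""
    return sorted(
        ((classify(f), f) for f in findings),
        key=lambda bf: (BUCKET_ORDER[bf[0]], -bf[1].epss, -bf[1].cvss),
    )


def work_queue(findings):
    """Only the buckets a developer should act on now, as finding IDs in order."""
    return [f.id for bucket, f in prioritize(findings)
            if bucket in ("fix-now", "fix-this-sprint")]


if __name__ == "__main__":
    for bucket, f in prioritize(FINDINGS):
        print(f"{bucket:16} {f.id} {f.package:11} cvss={f.cvss} epss={f.epss} "
              f"reachable={f.reachable} kev={f.in_kev}")
```

Note what happens to F-1: a CVSS 9.8 finding in code the application never calls lands in the "defer" bucket, while the CVSS 5.3 finding F-3 is in the sprint because it is reachable and has a measurable exploitation probability. That inversion is exactly the "things that don't matter" problem the section describes; a KEV entry still makes the cut even when reachability says otherwise, because reachability analysis is itself a source of false negatives.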

Minimizing Tech Stack Complexity

A bloated tech stack doesn’t just slow teams down—it expands the attack surface. Lemos advises:

  • Avoid outdated dependencies and hard-to-maintain code
  • Embrace software minimization: use only what’s essential
  • Reduce unnecessary dependencies to cut scanner noise and lighten dev workloads
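One concrete way to act on "use only what's essential" is to find dependencies that are declared but never imported; every one of them is scanner noise and attack surface with no benefit. The script below is an added example, not GitLab's code or tooling. It parses a requirements file and walks the import statements of the project's Python sources with the standard `ast` module. The requirements file and source files are constructed inline strings, and `DIST_TO_IMPORT` is an assumed mapping for this sample (distribution names and import names differ, e.g. `pyyaml` is imported as `yaml`; a real project would derive the map from package metadata).

```python
"""Flag declared dependencies that nothing in the code base imports.

Added example, not GitLab's code. The requirements file and source files are
constructed inline strings, and DIST_TO_IMPORT is an assumed mapping for this
sample (real projects would take it from package metadata).
"""
import ast
import re

REQUIREMENTS = """\
# constructed sample requirements file
requests>=2
pyyaml>=6
cryptography>=42
six            # declared years ago, nobody removed it
"""

# Constructed sample sources: path -> file contents.
SOURCES = {
    "app/main.py": "import requests\nimport yaml\n\n"
                   "def load(url):\n    return yaml.safe_load(requests.get(url).text)\n",
    "app/crypto.py": "from cryptography.hazmat.primitives import hashes\n\n"
                     "def digest():\n    return hashes.SHA256()\n",
    "tests/test_main.py": "import unittest\nfrom app import main\n",
}

DIST_TO_IMPORT = {"pyyaml": "yaml"}   # assumption: only the names that differ


def parse_requirements(text):
    """Distribution names from a requirements file, ignoring pins and comments."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # skip blanks and pip options
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0).lower().replace("_", "-"))
    return names


def imported_top_level(source):
    """Top-level module names imported by one Python source file."""
    mods = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            # level > 0 is a relative import inside the project, not a dependency
            mods.add(node.module.split(".")[0])
    return mods


def unused_dependencies(requirements, sources, dist_to_import):
    """Declared distributions whose import name appears in no source file."""
    used = set()
    for src in sources.values():
        used |= imported_top_level(src)
    return sorted(d for d in parse_requirements(requirements)
                  if dist_to_import.get(d, d) not in used)


if __name__ == "__main__":
    print("unused:", unused_dependencies(REQUIREMENTS, SOURCES, DIST_TO_IMPORT))
```

The check is deliberately conservative in one direction only: it reports `six` because no file imports it, but a package loaded indirectly (an entry-point plugin, a `pytest` plugin, something pulled in with `importlib.import_module`) would also show up as unused, so treat the output as a removal candidate list to review rather than an automatic prune.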

Interestingly, GitLab’s research shows that companies using AI are more likely to want to simplify their toolchains, suggesting AI can sometimes add complexity if not thoughtfully integrated.

Proactive Security, Not Last-Minute Fixes

Late-stage vulnerability detection is a common frustration. But instead of chasing perfect timing, Lemos recommends adopting reusable, security-tested components.

Enter the “Paved Roads” approach: standard, secure paths that teams can follow.

These paved roads include:

  • Pre-approved design patterns
  • Secure infrastructure-as-code
  • GitOps workflows for scalable, auditable deployment

While they may reduce flexibility, they boost security and cut rework, making life easier for devs and security teams alike.
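A paved road only stays paved if drifting off it is caught before deployment, so the usual companion to pre-approved infrastructure-as-code is a baseline check run in the pipeline. The script below is an added example, not GitLab's code or a GitLab feature. It compares a Kubernetes Deployment manifest against a small baseline (non-root, no privilege escalation, no host networking, image pinned by digest, resource limits). The rules are assumptions standing in for an organisation's own baseline, and both manifests are constructed, written as Python dict literals (the shape you get after parsing the YAML) so the example needs only the standard library; the digest in the compliant one is a placeholder.

```python
"""Gate a workload manifest against a paved-road baseline.

Added example, not GitLab's code. The baseline rules are assumptions and both
Deployment manifests are constructed; they are dict literals matching the
structure a YAML/JSON parser would produce.
"""

# Constructed: a team hand-wrote its manifest instead of starting from the template.
OFF_ROAD = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "registry.example/web:latest"}],
    }}},
}

# Constructed: the same workload on the paved road (placeholder digest).
PAVED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "web",
            "image": "registry.example/web@sha256:" + "0" * 64,
            "securityContext": {"runAsNonRoot": True,
                                "allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    }}},
}


def container_violations(c):
    """Baseline checks for one container spec (rules are assumptions)."""
    sc = c.get("securityContext", {})
    name = c.get("name", "<unnamed>")
    v = []
    if sc.get("runAsNonRoot") is not True:
        v.append(f"{name}: securityContext.runAsNonRoot must be true")
    if sc.get("privileged"):
        v.append(f"{name}: privileged containers are not allowed")
    if sc.get("allowPrivilegeEscalation", True):       # Kubernetes default is true
        v.append(f"{name}: allowPrivilegeEscalation must be false")
    if "@sha256:" not in c.get("image", ""):
        v.append(f"{name}: image must be pinned by digest, not a mutable tag")
    if not c.get("resources", {}).get("limits"):
        v.append(f"{name}: resource limits are required")
    return v


def check_manifest(manifest):
    """All baseline violations in a Deployment-like manifest; empty means it may deploy."""
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    violations = []
    if pod.get("hostNetwork"):
        violations.append("pod: hostNetwork is not allowed")
    if pod.get("hostPID"):
        violations.append("pod: hostPID is not allowed")
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        violations.extend(container_violations(c))
    return violations


if __name__ == "__main__":
    for label, m in (("off-road", OFF_ROAD), ("paved", PAVED)):
        problems = check_manifest(m)
        print(f"{label}: {'OK' if not problems else 'BLOCKED'}")
        for p in problems:
            print("  -", p)
```

The point of the pairing is that the compliant manifest needs no per-team security review: it was generated from the template and passes the gate, which is where the reduced rework comes from. The hand-written one is blocked with five concrete reasons instead of a generic failure, so the fix is a matter of minutes rather than a ticket to the security team.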

Security as a Built-In Engineering Practice

The line between engineering and security is fading fast. Just like observability or performance monitoring, security is becoming a core development practice.

With AI accelerating software release cycles—65% of UK DevSecOps pros say they ship code at least twice as fast as a year ago—teams must:

  • Rethink how they write, scan, and manage code
  • Build engineering-centric, scalable security tools
  • Collaborate early and often

Ultimately, culture matters—but so do systems. By breaking down silos and embracing secure-by-design development, organizations can build better, safer software.

Final Thought

Security isn’t just a checkbox or a team—it’s a shared responsibility. And in a world moving faster than ever, success depends on simplifying complexity, prioritizing what matters, and fostering deep collaboration between dev and security teams.
