[{"data":1,"prerenderedAt":556},["ShallowReactive",2],{"/en-us/the-source/authors/gitlab":3,"footer-en-us":28,"the-source-banner-en-us":362,"the-source-navigation-en-us":368,"the-source-newsletter-en-us":391,"authors-en-us":398,"categories-en-us":437,"gitlab-articles-list-en-us":438},{"id":4,"title":5,"body":6,"category":6,"config":7,"content":9,"description":6,"extension":19,"meta":20,"navigation":21,"path":22,"seo":23,"slug":24,"stem":25,"testContent":6,"type":26,"__hash__":27},"theSourceAuthors/en-us/the-source/authors/gitlab.yml","Gitlab",null,{"layout":8},"the-source",[10,17],{"componentName":11,"type":11,"componentContent":12},"TheSourceAuthorHero",{"name":13,"headshot":14},"GitLab",{"altText":13,"config":15},{"src":16},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463461/ts7io0hgpdyqylbzfire.png",{"componentName":18,"type":18},"TheSourceArticlesList","yml",{},true,"/en-us/the-source/authors/gitlab",{"title":13},"gitlab","en-us/the-source/authors/gitlab","author","PRj0sukZYyfz4kDVxOZQ0dNTWqLAGDqHl66chHWQE_o",{"data":29},{"text":30,"source":31,"edit":37,"contribute":42,"config":47,"items":52,"minimal":351},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":32,"config":33},"View page source",{"href":34,"dataGaName":35,"dataGaLocation":36},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":38,"config":39},"Edit this page",{"href":40,"dataGaName":41,"dataGaLocation":36},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":43,"config":44},"Please contribute",{"href":45,"dataGaName":46,"dataGaLocation":36},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":48,"facebook":49,"youtube":50,"linkedin":51},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[53,110,167,226,289],{"title":54,"links":55,"subMenu":71},"Pricing",[56,61,66],{"text":57,"config":58},"View plans",{"href":59,"dataGaName":60,"dataGaLocation":36},"/pricing/","view plans",{"text":62,"config":63},"Why Premium?",{"href":64,"dataGaName":65,"dataGaLocation":36},"/pricing/premium/","why premium",{"text":67,"config":68},"Why Ultimate?",{"href":69,"dataGaName":70,"dataGaLocation":36},"/pricing/ultimate/","why ultimate",[72],{"title":73,"links":74},"Contact Us",[75,80,85,90,95,100,105],{"text":76,"config":77},"Contact sales",{"href":78,"dataGaName":79,"dataGaLocation":36},"/sales/","sales",{"text":81,"config":82},"Support portal",{"href":83,"dataGaName":84,"dataGaLocation":36},"https://support.gitlab.com","support portal",{"text":86,"config":87},"Customer portal",{"href":88,"dataGaName":89,"dataGaLocation":36},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"text":91,"config":92},"Status",{"href":93,"dataGaName":94,"dataGaLocation":36},"https://status.gitlab.com/","status",{"text":96,"config":97},"Terms of use",{"href":98,"dataGaName":99,"dataGaLocation":36},"/terms/","terms of use",{"text":101,"config":102},"Privacy statement",{"href":103,"dataGaName":104,"dataGaLocation":36},"/privacy/","privacy statement",{"text":106,"config":107},"Cookie preferences",{"dataGaName":108,"dataGaLocation":36,"id":109,"isOneTrustButton":21},"cookie preferences","ot-sdk-btn",{"title":111,"links":112,"subMenu":123},"Product",[113,118],{"text":114,"config":115},"DevSecOps platform",{"href":116,"dataGaName":117,"dataGaLocation":36},"/platform/","devsecops platform",{"text":119,"config":120},"AI-Assisted Development",{"href":121,"dataGaName":122,"dataGaLocation":36},"/gitlab-duo-agent-platform/","ai-assisted development",[124],{"title":125,"links":126},"Topics",[127,132,137,142,147,152,157,162],{"text":128,"config":129},"CICD",{"href":130,"dataGaName":131,"dataGaLocation":36},"/topics/ci-cd/","cicd",{"text":133,"config":134},"GitOps",{"href":135,"dataGaName":136,"dataGaLocation":36},"/topics/gitops/","gitops",{"text":138,"config":139},"DevOps",{"href":140,"dataGaName":141,"dataGaLocation":36},"/topics/devops/","devops",{"text":143,"config":144},"Version Control",{"href":145,"dataGaName":146,"dataGaLocation":36},"/topics/version-control/","version control",{"text":148,"config":149},"DevSecOps",{"href":150,"dataGaName":151,"dataGaLocation":36},"/topics/devsecops/","devsecops",{"text":153,"config":154},"Cloud Native",{"href":155,"dataGaName":156,"dataGaLocation":36},"/topics/cloud-native/","cloud native",{"text":158,"config":159},"AI for Coding",{"href":160,"dataGaName":161,"dataGaLocation":36},"/topics/devops/ai-for-coding/","ai for coding",{"text":163,"config":164},"Agentic AI",{"href":165,"dataGaName":166,"dataGaLocation":36},"/topics/agentic-ai/","agentic ai",{"title":168,"links":169},"Solutions",[170,174,179,184,189,193,198,201,206,211,216,221],{"text":171,"config":172},"Application Security Testing",{"href":173,"dataGaName":171,"dataGaLocation":36},"/solutions/application-security-testing/",{"text":175,"config":176},"Automated software delivery",{"href":177,"dataGaName":178,"dataGaLocation":36},"/solutions/delivery-automation/","automated software delivery",{"text":180,"config":181},"Agile development",{"href":182,"dataGaName":183,"dataGaLocation":36},"/solutions/agile-delivery/","agile delivery",{"text":185,"config":186},"SCM",{"href":187,"dataGaName":188,"dataGaLocation":36},"/solutions/source-code-management/","source code management",{"text":128,"config":190},{"href":191,"dataGaName":192,"dataGaLocation":36},"/solutions/continuous-integration/","continuous integration & delivery",{"text":194,"config":195},"Value stream management",{"href":196,"dataGaName":197,"dataGaLocation":36},"/solutions/value-stream-management/","value stream management",{"text":133,"config":199},{"href":200,"dataGaName":136,"dataGaLocation":36},"/solutions/gitops/",{"text":202,"config":203},"Enterprise",{"href":204,"dataGaName":205,"dataGaLocation":36},"/enterprise/","enterprise",{"text":207,"config":208},"Small business",{"href":209,"dataGaName":210,"dataGaLocation":36},"/small-business/","small business",{"text":212,"config":213},"Public sector",{"href":214,"dataGaName":215,"dataGaLocation":36},"/solutions/public-sector/","public sector",{"text":217,"config":218},"Education",{"href":219,"dataGaName":220,"dataGaLocation":36},"/solutions/education/","education",{"text":222,"config":223},"Financial services",{"href":224,"dataGaName":225,"dataGaLocation":36},"/solutions/finance/","financial services",{"title":227,"links":228},"Resources",[229,234,239,244,249,254,259,264,269,274,279,284],{"text":230,"config":231},"Install",{"href":232,"dataGaName":233,"dataGaLocation":36},"/install/","install",{"text":235,"config":236},"Quick start guides",{"href":237,"dataGaName":238,"dataGaLocation":36},"/get-started/","quick setup checklists",{"text":240,"config":241},"Learn",{"href":242,"dataGaName":243,"dataGaLocation":36},"https://university.gitlab.com/","learn",{"text":245,"config":246},"Product documentation",{"href":247,"dataGaName":248,"dataGaLocation":36},"https://docs.gitlab.com/","docs",{"text":250,"config":251},"Blog",{"href":252,"dataGaName":253,"dataGaLocation":36},"/blog/","blog",{"text":255,"config":256},"Customer success stories",{"href":257,"dataGaName":258,"dataGaLocation":36},"/customers/","customer success stories",{"text":260,"config":261},"Remote",{"href":262,"dataGaName":263,"dataGaLocation":36},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"text":265,"config":266},"GitLab Services",{"href":267,"dataGaName":268,"dataGaLocation":36},"/services/","services",{"text":270,"config":271},"Community",{"href":272,"dataGaName":273,"dataGaLocation":36},"/community/","community",{"text":275,"config":276},"Forum",{"href":277,"dataGaName":278,"dataGaLocation":36},"https://forum.gitlab.com/","forum",{"text":280,"config":281},"Events",{"href":282,"dataGaName":283,"dataGaLocation":36},"/events/","events",{"text":285,"config":286},"Partners",{"href":287,"dataGaName":288,"dataGaLocation":36},"/partners/","partners",{"title":290,"links":291},"Company",[292,297,302,307,312,317,322,326,331,336,341,346],{"text":293,"config":294},"About",{"href":295,"dataGaName":296,"dataGaLocation":36},"/company/","company",{"text":298,"config":299},"Jobs",{"href":300,"dataGaName":301,"dataGaLocation":36},"/jobs/","jobs",{"text":303,"config":304},"Leadership",{"href":305,"dataGaName":306,"dataGaLocation":36},"/company/team/e-group/","leadership",{"text":308,"config":309},"Team",{"href":310,"dataGaName":311,"dataGaLocation":36},"/company/team/","team",{"text":313,"config":314},"Handbook",{"href":315,"dataGaName":316,"dataGaLocation":36},"https://handbook.gitlab.com/","handbook",{"text":318,"config":319},"Investor relations",{"href":320,"dataGaName":321,"dataGaLocation":36},"https://ir.gitlab.com/","investor relations",{"text":323,"config":324},"Sustainability",{"href":325,"dataGaName":323,"dataGaLocation":36},"/sustainability/",{"text":327,"config":328},"Diversity, inclusion and belonging (DIB)",{"href":329,"dataGaName":330,"dataGaLocation":36},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":332,"config":333},"Trust Center",{"href":334,"dataGaName":335,"dataGaLocation":36},"/security/","trust center",{"text":337,"config":338},"Newsletter",{"href":339,"dataGaName":340,"dataGaLocation":36},"/company/contact/#contact-forms","newsletter",{"text":342,"config":343},"Press",{"href":344,"dataGaName":345,"dataGaLocation":36},"/press/","press",{"text":347,"config":348},"Modern Slavery Transparency Statement",{"href":349,"dataGaName":350,"dataGaLocation":36},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"items":352},[353,356,359],{"text":354,"config":355},"Terms",{"href":98,"dataGaName":99,"dataGaLocation":36},{"text":357,"config":358},"Cookies",{"dataGaName":108,"dataGaLocation":36,"id":109,"isOneTrustButton":21},{"text":360,"config":361},"Privacy",{"href":103,"dataGaName":104,"dataGaLocation":36},{"visibility":21,"title":363,"button":364},"The Intelligent Software Development Era: How AI is reshaping DevSecOps teams",{"config":365,"text":367},{"href":366},"/resources/developer-survey/","Get the research report",{"logo":369,"subscribeLink":374,"navItems":378},{"altText":370,"config":371},"the source logo",{"src":372,"href":373},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1750191004/t7wz1klfb2kxkezksv9t.svg","/the-source/",{"text":375,"config":376},"Subscribe",{"href":377},"#subscribe",[379,383,387],{"text":380,"config":381},"Artificial Intelligence",{"href":382},"/the-source/ai/",{"text":384,"config":385},"Security & Compliance",{"href":386},"/the-source/security/",{"text":388,"config":389},"Platform & Infrastructure",{"href":390},"/the-source/platform/",{"title":392,"description":393,"submitMessage":394,"formData":395},"The Source Newsletter","Stay updated with insights for the future of software development.","You have successfully signed up for The Source’s newsletter.",{"config":396},{"formId":397,"formName":340,"hideRequiredLabel":21},1077,{"amanda-rueda":399,"andre-michael-braun":400,"andrew-haschka":401,"ayoub-fandi":402,"bob-stevens":403,"brian-wald":404,"bryan-ross":405,"chandler-gibbons":406,"cherry-han":407,"dave-steer":408,"ddesanto":409,"derek-debellis":410,"emilio-salvador":411,"erika-feldman":412,"george-kichukov":413,"gitlab":13,"grant-hickman":414,"haim-snir":415,"iganbaruch":416,"jason-morgan":417,"jessie-young":418,"jlongo":419,"joel-krooswyk":420,"josh-lemos":421,"joshua-carroll":422,"julie-griffin":423,"kristina-weis":424,"lee-faus":425,"marco-caronna":426,"michelle-gill":427,"nathen-harvey":428,"ncregan":429,"rob-smith":430,"rschulman":431,"sabrina-farmer":432,"sandra-gittlen":433,"sharon-gaudin":434,"stephen-walters":435,"taylor-mccaslin":436},"Amanda Rueda","Andre Michael Braun","Andrew Haschka","Ayoub Fandi","Bob Stevens","Brian Wald","Bryan Ross","Chandler Gibbons","Cherry Han","Dave Steer","David DeSanto","Derek DeBellis","Emilio Salvador","Erika Feldman","George Kichukov","Grant Hickman","Haim Snir","Itzik Gan Baruch","Jason Morgan","Jessie Young","Joseph Longo","Joel Krooswyk","Josh Lemos","Joshua Carroll","Julie Griffin","Kristina Weis","Lee Faus","Marco Caronna","Michelle Gill","Nathen Harvey","Niall Cregan","Rob Smith","Robin Schulman","Sabrina Farmer","Sandra Gittlen","Sharon Gaudin","Stephen Walters","Taylor McCaslin",{"ai":380,"platform":388,"security":384},[439,482,518,538],{"id":440,"title":441,"body":6,"category":442,"config":443,"content":447,"description":448,"extension":19,"meta":473,"navigation":21,"path":474,"seo":475,"slug":478,"stem":479,"type":480,"__hash__":481,"date":449,"timeToRead":450,"heroImage":451,"keyTakeaways":452,"articleBody":456,"faq":457},"theSource/en-us/the-source/platform/more-code-more-bottlenecks-tackling-the-ai-paradox.yml","From fragmented tools to faster delivery: A modernization roadmap","platform",{"layout":8,"template":444,"featured":21,"author":24,"sourceCTA":445,"isHighlighted":446,"authorName":13},"TheSourceArticle","global-devsecops-report-2025",false,{"title":441,"description":448,"date":449,"timeToRead":450,"heroImage":451,"keyTakeaways":452,"articleBody":456,"faq":457},"AI coding tools speed up development but not delivery. Learn how DevOps, Security, and AI modernization work together to close the gap.","2026-03-05","5 min read","https://res.cloudinary.com/about-gitlab-com/image/upload/v1772560228/bxbyenstqjwgyryegvno.png",[453,454,455],"AI coding tools accelerate code creation, but the work that happens downstream — review, testing, security, deployment — still relies on fragmented tools. More code going in means more pressure on bottlenecks that already exist.","Closing the delivery gap requires three interconnected modernization journeys: DevOps (unified toolchains), Security (continuous and automated), and AI (agents across the full lifecycle, not just coding). Progress in one accelerates the others.","Organizations like Ericsson, Ally Financial, and Barclays are already seeing results by addressing all three dimensions. Use GitLab's five-minute maturity assessments to identify where to start and build a personalized modernization roadmap.","AI is generating code at speeds that were unimaginable three years ago. Unfortunately, the pace of deploying that code to production hasn’t kept up. In fact, AI coding has _slowed_ delivery for many organizations.\n\nThe authors of the [DORA State of DevOps Report](https://dora.dev/research/2024/dora-report/) identified this trend as far back as 2024 when they found that increased AI adoption correlated with lower software delivery throughput and stability. This pattern only intensifies as code volumes grow.\n\nWhat explains this paradox? [Coding represents only about 15%](https://about.gitlab.com/resources/developer-survey/) of the work involved in shipping software. The other 85% — code review, testing, security scanning, compliance, deployment — still relies on fragmented tools and manual processes. AI coding tools accelerate code creation while leaving the manual work downstream intact. More code translates to more bottlenecks.\n\nSolving the AI paradox for software delivery requires a coordinated transformation across three interconnected journeys: [DevOps modernization](https://about.gitlab.com/assessments/devops-modernization-assessment/), [Security modernization](https://about.gitlab.com/assessments/security-modernization-assessment/), and [AI modernization](https://about.gitlab.com/assessments/ai-modernization-assessment/).\n\n## DevOps modernization: The foundation\n### What is DevOps modernization?\nMost engineering organizations are running a patchwork of tools that were never designed to work together. Each tool has its own contract, security review, and support overhead. That fragmentation is expensive to maintain, but the hidden cost is even larger: every handoff between disconnected systems introduces latency, context loss, and the risk of errors. Developers spend time chasing status across tools instead of building. Managers lack a clear picture of where work is stalled. The more code AI generates, the more those handoffs hurt.\n\n**DevOps modernization** is the process of consolidating fragmented toolchains into a unified platform, automating manual processes, and standardizing how teams build and ship software. It tackles the infrastructure of the 85%: the pipelines, handoffs, and coordination overhead where AI-generated code gets stuck.\n\n### How do you progress?\nOrganizations typically start by auditing their current toolchain and identifying where handoffs introduce the most friction. Consolidation usually begins with source control and CI/CD — getting pipelines running consistently and replacing project-by-project configurations with shared templates and reusable components.\n\nFrom there, the focus shifts to performance and scale: optimizing pipeline execution times, automating deployments across multiple environments, and standardizing practices across teams.\n\nThe final frontier is enterprise-scale automation, organization-wide standardization, and AI agents that automate routine tasks across the development lifecycle, freeing engineers to focus on the work that requires human judgment.\n\n### What outcomes can you expect?\nEricsson, the global telecommunications company, lived this reality before consolidating their toolchain. They were stuck in long release cycles, manual processes, and thousands of hours lost to coordination across disconnected systems. After unifying with a single DevSecOps platform, they [saved 130,000 engineering hours in six months](https://about.gitlab.com/customers/ericsson/) and cut release cycles from years to months.\n\nFor most organizations, the early payoff is visibility: a clear, real-time picture of where software is in the delivery pipeline and what’s slowing it down. Every manual step eliminated frees engineering capacity and accelerates the next stage of the journey.\n\n## Security modernization: The safeguard\n### What is Security modernization?\nAI is rapidly generating staggering amounts of code while security reviews remain stuck at the old pace. All that code needs to be scanned, reviewed, and approved. Security teams simply can’t keep up. Things get worse when compliance evidence is scattered across multiple disconnected systems, requiring weeks of manual effort to aggregate for audits.\n\n**Security modernization** means shifting security and compliance from manual checkpoints late in development to automated, continuous processes embedded earlier in the lifecycle. In a modernized security posture, scanning runs automatically inside CI/CD pipelines. Vulnerabilities surface to developers in context, at the moment they can most efficiently fix them, rather than arriving as a list of findings weeks after the code was written. Compliance evidence is collected continuously rather than assembled manually before each audit.\n\n### How do you progress?\nSecurity modernization typically starts with embedding automated scanning (dependency scanning, SAST, and secret detection) directly into existing pipelines, beginning with the vulnerability types that carry the most regulatory or business risk.\n\nAs scanning becomes routine, the focus shifts to ownership and scale: moving from project-level to group-level security policies, establishing defined SLAs for vulnerability response, and putting findings in front of developers with enough context to act on them rather than routing everything through a security team bottleneck.\n\nFrom there, the work becomes predictive — leveraging risk-based prioritization, automating compliance evidence collection, and deploying AI agents that can explain, triage, and remediate vulnerabilities automatically.\n\nAt the highest level of maturity, security is embedded enterprise-wide with policy-as-code enforcement across every project and executive dashboards that connect security posture directly to business outcomes.\n\n### What outcomes can you expect?\nAlly Financial, one of the largest digital financial services companies in the U.S., shifted security left and embedded scanning directly into their DevOps platform. As a result, they were able to [increase deployments by 55%](https://about.gitlab.com/customers/ally/) while reducing downtime by 100 hours per month and saving $300,000 annually.\n\nSpeed and security improved in lockstep. Modernizing security removes the tradeoff between velocity and security by making security a built-in property of the delivery process rather than a gate at the end of it.\n\n## AI modernization: The multiplier\n### What is AI modernization?\nMost organizations have deployed AI coding tools and seen individual developers get faster. But productivity at the individual level doesn't automatically translate into faster delivery at the organizational level. AI assistance that stops at code generation still leaves the downstream steps of the lifecycle running on manual processes. The gains stall. Worse, more code entering the pipeline can actively increase pressure on review, testing, and security processes that haven’t scaled to match.\n\n**AI modernization** builds on top of DevOps and Security modernization. Once your DevOps workflows are unified and your security processes are continuous, you can extend AI from coding into the rest of the software lifecycle. AI modernization is the progression from individual developers using AI coding tools in isolation to teams orchestrating AI agents across every stage, from code review and testing to security remediation and deployment.\n\nThis is where you fully resolve the AI paradox.\n\n### How do you progress?\nAI modernization typically begins with individual developers adopting pre-built AI capabilities such as code suggestions and agentic chat for code assistance, building confidence through hands-on experimentation.\n\n\nFrom there, the focus shifts to the team level: creating custom agents tailored to specific workflows and coding standards, establishing governance and best practices, and building repeatable multi-step flows that automate handoffs between development stages. Integrating external tools through Model Context Protocol expands the context available to agents and enables more sophisticated orchestration across the broader toolchain.\n\n\nThe final stage is organization-wide deployment: autonomous agent workflows executing across the full software lifecycle. Agents execute traditionally manual processes in real time and in parallel across multiple teams, projects, and releases and always within enterprise-level governance. AI impact on organization-wide operational efficiency is measured in real time and can be closely associated with business outcomes.\n\n### What outcomes can you expect?\nBarclays is [scaling this approach to 18,000 team members](https://home.barclays/insights/2025/07/scaling-AI-at-Barclays/), and their developers report that AI assistance across the full lifecycle is freeing them to focus on architecture, design, and customer-facing innovation rather than manual coordination. In organizations with a modernized AI approach, the work that genuinely requires human expertise gets more human attention, while agents handle the coordination, verification, and execution.\n\n## From incremental gains to wholesale transformation\nImagine an engineering organization operating at the intersection of all three journeys.\n\nDevelopers work on a unified platform where AI agents handle routine code generation, documentation, and test creation. Engineers focus on architecture, design, and the work that genuinely requires creative problem-solving. Those agents are embedded in a delivery pipeline that runs in minutes, not hours, with automated testing at every stage and production deployments happening multiple times a day.\n\nSecurity is continuous and invisible. Vulnerabilities are detected and often remediated before code even reaches review. Compliance evidence is collected automatically with every pipeline run. The security team focuses on threat modeling and policy, not triage.\n\nWhen a developer opens a merge request, AI agents review the code, generate tests, run security scans, and flag issues — all before a human reviewer ever looks at it. When something breaks in production, agents diagnose the failure, identify the root cause, and recommend a fix. The cycle from incident to resolution is measured in minutes.\n\nAcross the organization, multiple teams ship releases in parallel, each supported by AI agents that maintain context across projects, enforce governance, and execute workflows end to end. Human engineers define the strategy and guardrails. Agents handle the execution.\n\nIndustry leaders are already building toward this vision. Those that move deliberately now will compound their advantage over those that wait.\n\n## Where to start\nYou can begin with whichever journey addresses your most pressing pain. A team drowning in toolchain complexity might start with DevOps consolidation. An organization under regulatory pressure might prioritize security. A team that has already unified their software lifecycle but wants to multiply output might lead with AI. The entry point matters less than recognizing that all three journeys are dimensions of the same transformation — and that progress in one accelerates the others.\n\nWe've created maturity assessments for each journey ([DevOps](https://about.gitlab.com/assessments/devops-modernization-assessment/), [Security](https://about.gitlab.com/assessments/security-modernization-assessment/), and [AI](https://about.gitlab.com/assessments/ai-modernization-assessment/)) that help you understand where you stand today and what steps will deliver the greatest impact. They take about five minutes and provide a personalized roadmap based on your results.\n\nThe AI coding gains are already here. Closing the delivery gap is what turns them into a competitive advantage.",[458,461,464,467,470],{"header":459,"content":460},"Why does AI coding make software delivery slower? ","AI coding tools accelerate code creation but leave the downstream 85% of work — code review, testing, security scanning, and deployment — relying on fragmented tools and manual processes. More code entering the pipeline increases pressure on bottlenecks that already exist, slowing overall delivery.",{"header":462,"content":463},"What are the three modernization journeys that solve the AI paradox? ","The three interconnected journeys are DevOps modernization (consolidating fragmented toolchains), Security modernization (embedding automated scanning continuously into pipelines), and AI modernization (extending AI agents across the full software lifecycle beyond just code generation).",{"header":465,"content":466},"What is DevOps modernization and what results can it deliver? ","DevOps modernization consolidates fragmented toolchains into a unified platform and automates manual handoffs. Ericsson implemented this approach and saved 130,000 engineering hours in six months while cutting release cycles from years to months.",{"header":468,"content":469},"How does security modernization improve both speed and compliance? ","Security modernization shifts scanning from manual end-of-cycle checkpoints to automated processes embedded directly in CI/CD pipelines. Ally Financial achieved a 55% increase in deployments, reduced downtime by 100 hours per month, and saved $300,000 annually using this approach.",{"header":471,"content":472},"Where should an organization start its modernization journey? ","Organizations can begin with whichever journey addresses their most pressing pain — toolchain complexity, regulatory pressure, or AI scaling. Each five-minute maturity assessment (DevOps, Security, or AI) provides a personalized roadmap, and progress in any one journey accelerates the other two.",{},"/en-us/the-source/platform/more-code-more-bottlenecks-tackling-the-ai-paradox",{"config":476,"title":477,"description":448},{"noIndex":446},"Turn AI coding gains into faster software delivery","more-code-more-bottlenecks-tackling-the-ai-paradox","en-us/the-source/platform/more-code-more-bottlenecks-tackling-the-ai-paradox","article","bzY8pt1bwUpS7p9yTuLjz9N9_gO_Ket8f-d4UbecbeU",{"id":483,"title":484,"body":6,"category":485,"config":486,"content":487,"description":489,"extension":19,"meta":512,"navigation":21,"path":513,"seo":514,"slug":515,"stem":516,"type":480,"__hash__":517,"date":488,"timeToRead":450,"heroImage":490,"keyTakeaways":491,"articleBody":495,"faq":496},"theSource/en-us/the-source/security/how-gitlab-can-help-you-prepare-for-your-soc-2-exam.yml","How GitLab can help you prepare for your SOC 2 exam","security",{"layout":8,"template":444,"author":24,"featured":446,"isHighlighted":446,"authorName":13},{"title":484,"date":488,"description":489,"timeToRead":450,"heroImage":490,"keyTakeaways":491,"articleBody":495,"faq":496},"2024-07-18","Learn about features in the DevSecOps platform geared toward a SOC2 framework exam.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463759/yk7f6poowtw5y5d5oflv.png",[492,493,494],"Automated testing and code coverage reports enhance SOC 2 Availability and Processing Integrity.","GitLab's security scans and role-based controls ensure compliance with the SOC 2 framework, protecting data from vulnerabilities and unauthorized access.","GitLab's templates for browser and load performance testing simplify SOC 2 exams by validating application performance and security at every development stage.","GitLab customers have found that using GitLab as their platform for DevSecOps has simplified the SOC 2 exam process.  This blog reviews the SOC 2 framework and GitLab features that help customers with their SOC 2 exam.\n\n## Introduction to SOC 2\nSystem and Organization Controls 2, or [SOC 2](https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement), is a voluntary compliance standard that specifies how organizations should manage customer data. The SOC 2 exam report allows companies to provide attestation to the trustworthiness of software it offers to business customers.\n\nDeveloped by the Association of International Certified Professional Accountants (AICPA), SOC 2 focuses on five Trust Services Criteria (TSC):\n- Security - protecting customer data from vulnerabilities and unauthorized access\n- Availability - ensuring systems are fault-tolerant and performant under high loads in order to meet availability service-level agreements\n- Processing Integrity - systems function as designed without vulnerabilities, errors, or bugs\n- Confidentiality - protecting confidential information such as application source code, usernames and passwords, credit card information, etc., so that only people who need access in order to do their jobs have access to it\n- Privacy - safeguarding sensitive personally identifiable information (PII) against unauthorized users\n\nSecurity is the only required criterion for every SOC 2 exam. The other criteria can be added to the exam in cases where they are deemed critical to the services being provided.\n\n## Security TSC\nThe security criterion pertains to not only the security of servers and physical systems, but also applications. Software vulnerabilities potentially open up an application to attackers, putting customers' data at risk, but this is an area where GitLab can help.\n\nGitLab provides security scans to identify potential vulnerabilities in the applications a company builds, including the following:\n- [Static Application Security Scanning (SAST)](https://docs.gitlab.com/ee/user/application_security/sast/), which scans source code for potential bugs and vulnerabilities such as unsafe code that can lead to unintended code execution\n- [Dependency Scanning](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/), which finds security vulnerabilities in the software dependencies of an application\n- [Container Scanning](https://docs.gitlab.com/ee/user/application_security/container_scanning/), which finds security vulnerabilities in the operating system dependencies of a containerized application\n- [Dynamic Application Security Scanning (DAST)](https://docs.gitlab.com/ee/user/application_security/dast/), which finds security vulnerabilities in a running web application that make it susceptible to an attack\n- [Infrastructure as Code (IaC) Scanning](https://docs.gitlab.com/ee/user/application_security/iac_scanning/), which scans infrastructure as code configuration files, including Terraform, Ansible, AWS CloudFormation, and Kubernetes, to find security vulnerabilities\n\nGitLab also provides a [vulnerability report](https://docs.gitlab.com/ee/user/application_security/vulnerability_report/), which shows all known vulnerabilities, based on the scans above, in the current application. GitLab also provides a software bill of materials ([SBOM](https://docs.gitlab.com/ee/user/application_security/dependency_list/)) in standard CycloneDX JSON format, that shows all software-level and operating system-level dependencies and known vulnerabilities for them.\n\nHaving regular vulnerability scans and robust vulnerability reporting helps satisfy three Security criteria:\n- CC7.1 – To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.\n- CC4.1 – COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.\n- CC4.2 – COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.\n\nA crucial piece of security scans is governance and enforcement. GitLab provides features to ensure that scans are happening regularly and that software development teams are not able to circumvent them. These features include:\n- [Role-based access controls](https://docs.gitlab.com/ee/user/permissions.html) to limit who can make changes to project-level configuration settings\n- [Scan execution policies](https://docs.gitlab.com/ee/user/application_security/policies/scan-execution-policies.html) to enforce that scans run on each code repository\n- [Merge request approval policies](https://docs.gitlab.com/ee/user/application_security/policies/merge_request_approval_policies.html) to ensure that scan results are reviewed and approved by the appropriate security stakeholders so that newly found vulnerabilities are not being introduced into deployed software\n- [Compliance reports](https://docs.gitlab.com/ee/user/application_security/) to show any changes to GitLab configurations that may violate security processes put in place\n\nWith these configurations in place, organizations can prove that software security is a top priority for their applications and security practices are being enforced.\n\n## Availability and Processing Integrity TSCs\nGitLab can also help with Availability and Processing Integrity TSCs. These criteria focus on the quality and performance of the application itself. To support these criteria, GitLab provides:\n- Unit test results and code coverage changes in the form of [code coverage reports](https://docs.gitlab.com/ee/ci/testing/code_coverage.html), which ensure that source code is being validated by a test suite\n- [Code quality](https://docs.gitlab.com/ee/ci/testing/code_quality.html), which analyzes the source code quality and complexity for ease of readability and maintainability\n\nWhile the above software development practices are used early in the software development lifecycle to ensure high-quality, tested code, GitLab additionally provides templates for various types of automated tests for a running application to ensure it is working as expected. These tests include:\n- [Browser performance testing](https://docs.gitlab.com/ee/ci/testing/browser_performance_testing.html), which measures the load time for web sites during the development lifecycle to test the impact of any ocde changes on browser performance\n- [Load performance testing](https://docs.gitlab.com/ee/ci/testing/load_performance_testing.html), which measures the system performance of an application's backend during the development lifecycle to test the impact of any code changes on performance\n- [Coverage-guided fuzz testing](https://docs.gitlab.com/ee/user/application_security/coverage_fuzzing/), which sends unexpected, malformed, or random data to an application and then monitors it for unstable behaviors and crashes\n- [Web API fuzz testing](https://docs.gitlab.com/ee/user/application_security/api_fuzzing/), which sends unxpected, malformed, or random data to API endpoints to look for bugs and security issues\n\nBy focusing on strong DevSecOps practices with GitLab to build high-quality, secure applications, organizations are able to more easily pass a SOC 2 exam to attest to the security of customer data.\n\n> **Learn more: [Strengthen your cybersecurity posture](https://about.gitlab.com/the-source/security/strengthen-your-cybersecurity-strategy-with-secure-by-design/) with Secure by Design principles.**",[497,500,503,506,509],{"header":498,"content":499},"How does GitLab help organizations achieve SOC 2 compliance?","GitLab supports SOC 2 compliance by providing advanced security scans (SAST, DAST, dependency scanning, and IaC scanning), vulnerability reporting, and role-based access controls. These features help organizations detect and mitigate security risks while maintaining robust internal controls and audit trails to demonstrate compliance.",{"header":501,"content":502},"How do GitLab's compliance features enhance governance and enforcement for SOC 2?","- Role-based access controls to limit configuration changes\n- Scan execution policies to mandate regular security scans\n- Merge request approval policies to review and approve vulnerabilities\n- Compliance reports to track configuration changes and ensure adherence to security policies",{"header":504,"content":505},"Which Trust Services Criteria (TSC) are covered by GitLab's security features?","GitLab helps organizations meet the Security, Availability, and Processing Integrity TSCs by providing:\n - Security scans to detect vulnerabilities\n - Role-based access controls and compliance reports to enforce security policies\n - Performance and code quality tests to ensure application integrity and availability",{"header":507,"content":508},"What are the benefits of using GitLab for SOC 2 exam preparation?","Using GitLab for SOC 2 exam preparation streamlines compliance by integrating security scans, vulnerability management, and compliance reporting within a single platform. This holistic approach reduces manual effort, ensures consistent security practices, and enhances the organization's ability to pass the SOC 2 exam with confidence.",{"header":510,"content":511},"What is SOC 2 compliance and why is it important for software companies?","SOC 2 is a voluntary compliance standard that specifies how organizations should manage customer data, focusing on security, availability, processing integrity, confidentiality, and privacy. It demonstrates trustworthiness and data protection to business customers, enhancing credibility and ensuring compliance with industry standards.",{},"/en-us/the-source/security/how-gitlab-can-help-you-prepare-for-your-soc-2-exam",{"title":484,"description":489,"ogImage":490},"how-gitlab-can-help-you-prepare-for-your-soc-2-exam","en-us/the-source/security/how-gitlab-can-help-you-prepare-for-your-soc-2-exam","g1dvvpY5rRUbF9xEB1pvRLW2PfnyJ2aUuLzBdNKWyAI",{"id":519,"title":520,"body":6,"category":485,"config":521,"content":522,"description":524,"extension":19,"meta":532,"navigation":21,"path":533,"seo":534,"slug":535,"stem":536,"type":480,"__hash__":537,"date":523,"timeToRead":525,"heroImage":526,"keyTakeaways":527,"articleBody":531},"theSource/en-us/the-source/security/10-tips-to-prioritize-security-in-software-development.yml","10 tips to prioritize security in software development",{"layout":8,"template":444,"author":24,"featured":446,"isHighlighted":446,"authorName":13},{"title":520,"date":523,"description":524,"timeToRead":525,"heroImage":526,"keyTakeaways":527,"articleBody":531},"2024-04-16","Follow this advice to shift security earlier in the development cycle for greater efficiency and more secure software.","2 min read","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464607/pmqkaclogv0y5tf4hk3t.png",[528,529,530],"Shifting left enhances software security by detecting vulnerabilities early in the SDLC.","GitLab integrates security into DevSecOps for proactive risk management.","Streamline processes with GitLab to improve speed and compliance in development.","Cyber attacks and cybersecurity threats continue to be one of the highest priorities for organizations. As such, the developer's role continues to evolve. Over half of respondents surveyed in GitLab’s [2024 Global DevSecOps Survey](https://about.gitlab.com/developer-survey/) said they are responsible for application security as part of a larger team - signaling that security practices are continuing to shift left.\n\nShifting left - designing software with security best practices built in to detect and fix vulnerabilities earlier in the software development lifecycle (SDLC) - enables teams to run more efficiently and release software faster.\n\nWhile 67% of the security professionals GitLab surveyed said they have either shifted left or plan to in the next three years, you may be unsure how to get started.\n\nHere are 10 tips to help your teams shift left for more efficient DevSecOps:\n\n### 1. Measure time\n\nHow much time is lost remediating vulnerabilities after code is merged? Measure this, then look for a pattern in the type or source of those vulnerabilities, and make the necessary adjustments for improvement.\n\n### 2. Identify bottlenecks\n\nWhere are the pain points and bottlenecks between security protocols and processes? Identify these, and then create and execute a resolution plan.\n\n### 3. Start small\n\nMake small code changes - they are easier to review, secure, and launch more quickly than large project changes.\n\n### 4. Eliminate waterfall\n\nAre people still holding on to waterfall-style security processes within the SDLC? Eliminating or reducing waterfall will help your organization prevent the struggle to change direction as needs arise.\n\n### 5. Automate scans\n\nAre manual processes slowing down and hampering the process of discovering vulnerabilities? Automate findings into a merge request for easier review, finding sources, and accessibility for developers to address.\n\n### 6. Update workflows\n\nAre security scans included in your developers’ workflow? Building and integrating security into developer workflows enable them to find and fix vulnerabilities before the code ever leaves their hands.\n\n### 7. Demonstrate compliance\n\nIs unplanned and unscheduled work delaying releases? Automating and implementing compliance frameworks help with consistency across development environments, teams, and applications.\n\n### 8. Empower devs with security reports\n\nDo your developers have access to SAST and DAST reports? These valuable tools help dev teams build secure coding practices, fixing vulnerabilities as part of their workflow.\n\n### 9. Let teams work smarter\n\nEmpower the security team to work smarter with security dashboards into both resolved and unresolved vulnerabilities, where the vulnerabilities reside, who created them, and their status for remediation.\n\n### 10. Ditch the toolchain\n\nStreamline and reduce your toolchain so that employees can focus their attention on a single interface - a single source of truth.\n\n## Shift left with GitLab\n\nGitLab helps you initiate a proactive security strategy to discover vulnerabilities earlier in the SDLC. Security and compliance are embedded within the GitLab DevSecOps platform, with an end-to-end work-flow that enables you to understand and manage risk. Automatically scan for vulnerabilities on a feature branch so you can remediate vulnerabilities before pushing to production.\n\nGitLab has a history of supporting the DevSecOps initiatives of U.S. federal, state, and local government agencies, vendors, and educational institutions with one end-to-end software development platform that meets strenuous security and compliance requirements. Learn more about [how GitLab can help you shift left](https://about.gitlab.com/solutions/public-sector/) and secure your speed to mission.",{},"/en-us/the-source/security/10-tips-to-prioritize-security-in-software-development",{"title":520,"description":524,"ogImage":526},"10-tips-to-prioritize-security-in-software-development","en-us/the-source/security/10-tips-to-prioritize-security-in-software-development","cdG7msIw3pDjAsp3DRrSkKgP1gJyD0o7POYYUcga29w",{"id":539,"title":540,"body":6,"category":485,"config":541,"content":542,"description":543,"extension":19,"meta":550,"navigation":21,"path":551,"seo":552,"slug":553,"stem":554,"type":480,"__hash__":555,"timeToRead":450,"heroImage":544,"keyTakeaways":545,"articleBody":549},"theSource/en-us/the-source/security/the-future-of-devops-education-needs-to-include-security.yml","The future of DevOps education needs to include security",{"layout":8,"template":444,"author":24,"featured":446,"isHighlighted":446,"authorName":13},{"title":540,"description":543,"timeToRead":450,"heroImage":544,"keyTakeaways":545,"articleBody":549},"Learn how educators and students can prepare for the world of DevSecOps.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464659/e7y3ejbiaouubnc55l40.png",[546,547,548],"DevSecOps integrates security in DevOps, ensuring safer software and timely vulnerability detection.","Educators should focus on security principles, using platforms like GitLab to teach secure coding.","Students can join open-source projects or campus groups to gain DevSecOps skills and insights.","[DevSecOps](https://about.gitlab.com/topics/devsecops/) is the inclusion of security as an integral part of traditional DevOps development, a strategy known as [shifting left](https://about.gitlab.com/topics/ci-cd/shift-left-devops/). With DevSecOps, myriad security scans, including dynamic application security testing and static application security testing, and other security tasks are performed during the development process rather than waiting until later in the cycle. DevSecOps enables organizations to identify and mitigate vulnerabilities early to ensure safer software and avoid delivery delays.\n\nAs DevOps teams across industries evolve into DevSecOps teams, higher education should respond in kind to ensure students likely to enter tech careers [have the skills necessary to be competitive](https://about.gitlab.com/blog/whats-next-for-devsecops/). In GitLab’s [2022 Global DevSecOps survey](/resources/developer-survey/#download),  53% of respondents said security is everyone’s responsibility. Yet, many college computer science programs don’t [include security-related courses in their core requirements](https://www.appsecengineer.com/blog/developer-security-at-universities).\n\nEvery company that develops software – even for internal use only - must be proficient in security to protect their applications. Here is what educators and students need to know about melding security into their DevOps curricula to prepare their students for the world of DevSecOps.\n\n## How educators can teach DevSecOps\n\n\"Security education is not about finding specific issues, but about teaching the right mindset,\" said Gábor Pék, co-founder of security education company Avatao, in [TechBeacon](https://techbeacon.com/security/5-ways-better-educate-developers-application-security).\n\nThere are a variety of tools and techniques for security, but students don’t need to know all of them; it’s more important – and more valuable – to focus on the principles of security. Also, as an educator, you can use [a single platform](https://about.gitlab.com/blog/why-the-market-is-moving-to-a-platform-approach-to-devsecops/) to streamline teaching students about how to write secure code.\n\nWith a DevSecOps platform like GitLab, students can explore how to protect the software development lifecycle using [built-in security tools](https://about.gitlab.com/stages-devops-lifecycle/secure/). [GitLab’s docs](https://docs.gitlab.com/ee/user/application_security/) on securing your application are a great place to start learning about how GitLab approaches DevSecOps and will give students the base knowledge and skills to build upon as they continue to learn in their careers.\n\n### Resources for Educators\n- [An Open Source Security Foundation course](https://openssf.org/training/courses/) on writing Secure Programming that you can use to supplement your own courses\n- [Best Practices for Secure Development](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Concise-Guide-for-Developing-More-Secure-Software.md#readme)\n- [Understanding security vulnerabilities in student code: A case study in a non-security course](https://www.sciencedirect.com/science/article/abs/pii/S0164121221002430)\n- Bring the DevSecOps platform into your classroom with [GitLab for Education’s free license](https://about.gitlab.com/solutions/education/)\n\n## How students can learn DevSecOps\n\nIf a university isn’t offering direct instruction on security, students can still acquire the skills they need to succeed at a career in DevSecOps. Just knowing the term DevSecOps and understanding how it is changing software development can put a student ahead of the curve. Here are some more options for learning:\n\n### Participate in a security-focused open source project\n\nParticipating in security-focused open source projects is another excellent way to broaden your understanding of the role security plays in modern application development. Many security-focused open source projects call GitLab home, and just by using them, you become part of the communities developing and improving them.\n\nYou might consider tinkering with a single application – like popular disk encryption mainstay [cryptsetup](https://gitlab.com/cryptsetup) – or dive deeper into open source security by downloading, installing, and experimenting with [Kali Linux](https://gitlab.com/kalilinux), a Linux distribution built for security-minded engineers.\n\nNo matter what you choose, be sure to investigate how those communities incorporate security concerns and best practices into their programming. You could even start the conversation by creating an issue in their projects.\n\n### Find security-driven organizations\n\nLook into organizations like [OpenSSF](https://openssf.org/). OpenSSF seeks to inform and educate developers everywhere about the importance of secure software in the open source world. It’s an important enough consideration that OpenSSF is designated as a Linux foundation project. OpenSSF has several ways to not only learn, but get directly involved in projects that will sharpen skills and create networking opportunities outside of your classroom.\n\n## Start a security-focused campus group\n\nMany campuses have security-focused groups, and you don’t have to be a cybersecurity student to join. Odalis Estrada from Cal Polytechnic Pomona is a member of Forensics and Security Technology, a.k.a. FAST, a student chapter of the High Technology Crime Investigation Association. Estrada says that her club is a mix of computer science students and cybersecurity students. She says, “There are attacks and vulnerabilities evolving constantly…” and that the club has helped its members “understand old and new attacks.”\n\nIf there isn’t a security-focused campus group, consider starting one to explore the importance of security in computer science. It’s a great way to learn more about modern secure software development.\n\nLearning about security doesn’t just benefit developers. “If developers write more secure code, then security teams will have more time to concentrate on other issues,” Estrada said, adding this creates safer software development.",{},"/en-us/the-source/security/the-future-of-devops-education-needs-to-include-security",{"title":540,"description":543,"ogImage":544},"the-future-of-devops-education-needs-to-include-security","en-us/the-source/security/the-future-of-devops-education-needs-to-include-security","ZYTnCN3GZ719EhWC1U6Ngq5bnjh-kvX_g7al97nhd94",1776430030401]