Page 191 - Cyber Defense eMagazine July 2024
Embedding security into software development from the start is best achieved through DevSecOps
practices. Integrating security into every stage of the software development process allows fully
automated security scanning that identifies vulnerabilities rapidly, suggests remediation for each
vulnerability, and provides on-demand remediation training for developers.
Next, SBOMs can give buyers and operators additional visibility into a software package's origins,
vulnerabilities, and risks. An SBOM is a detailed inventory of a package's software components, including
their versions, known vulnerabilities, and licenses, which enables greater awareness of potential
vulnerabilities and risks. While many agencies now use SBOMs, an SBOM is only useful if it is dynamic and
continuously updated as the components it describes change.
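To make the SBOM paragraph concrete, the following is an added example (not code from the article, GitLab, or any agency) of how an operator can audit an SBOM rather than merely file it. It parses a small constructed CycloneDX-style document, flags components whose versions fall inside a known-affected range, checks declared licenses against a hypothetical allow-policy, and reports the SBOM as stale when its generation timestamp is older than a configurable threshold, which is the "dynamic and continuously updated" requirement expressed as a check. The package names, the advisory identifiers, and the license policy are all placeholders constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX-style SBOM. Package names and versions are hypothetical,
# not a real inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"timestamp": "2024-05-01T00:00:00Z"},
    "components": [
        {"type": "library", "name": "examplelib", "version": "1.2.3",
         "purl": "pkg:pypi/examplelib@1.2.3",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "otherlib", "version": "2.0.0",
         "purl": "pkg:pypi/otherlib@2.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "unlicensedlib", "version": "0.9.0"},
    ],
})

# Constructed advisory feed: affected range is [introduced, fixed).
# The identifiers are placeholders, not real CVE or GHSA numbers.
KNOWN_AFFECTED = [
    {"id": "ADVISORY-PLACEHOLDER-1", "name": "examplelib",
     "introduced": "1.0.0", "fixed": "1.2.4"},
    {"id": "ADVISORY-PLACEHOLDER-2", "name": "otherlib",
     "introduced": "1.0.0", "fixed": "2.0.0"},
]

# Hypothetical license policy for the example; real policy is an organisational decision.
DISALLOWED_LICENSES = {"GPL-3.0-only"}

# Fixed "current time" so the example is deterministic when run offline.
RUN_AT = datetime(2024, 7, 1, tzinfo=timezone.utc)


def parse_version(version):
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (the usual advisory range shape)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def audit_sbom(sbom_json, advisories, now, max_age_days=30, disallowed=DISALLOWED_LICENSES):
    """Return a list of (kind, message) findings for an SBOM document."""
    sbom = json.loads(sbom_json)
    findings = []

    # Freshness: an SBOM that is not regenerated as components change is an
    # inventory of what the software used to contain.
    generated = datetime.fromisoformat(
        sbom["metadata"]["timestamp"].replace("Z", "+00:00"))
    age = now - generated
    if age > timedelta(days=max_age_days):
        findings.append(("stale", f"SBOM generated {age.days} days ago"))

    for comp in sbom.get("components", []):
        name, version = comp["name"], comp["version"]

        # Vulnerability exposure: match each component against the advisory feed.
        for adv in advisories:
            if adv["name"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append(("vulnerable",
                                 f"{name}@{version} affected by {adv['id']} "
                                 f"(fixed in {adv['fixed']})"))

        # License visibility: undeclared or disallowed licenses are risks too.
        licenses = [entry.get("license", {}).get("id") for entry in comp.get("licenses", [])]
        if not licenses:
            findings.append(("license", f"{name}@{version} has no license declared"))
        for lic in licenses:
            if lic in disallowed:
                findings.append(("license", f"{name}@{version} uses disallowed license {lic}"))

    return findings


if __name__ == "__main__":
    for kind, message in audit_sbom(SAMPLE_SBOM, KNOWN_AFFECTED, RUN_AT):
        print(f"[{kind}] {message}")
```

Run against the constructed input, the audit reports one stale SBOM, one vulnerable component (otherlib is at the fixed version and is correctly not flagged), one disallowed license and one missing license. In practice the advisory list would come from a vulnerability feed and the SBOM from the build pipeline, with the staleness threshold tied to how often that pipeline regenerates it.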
Finally, AI is one of the newest tools for helping ensure software is Secure by Design. AI can generate
new code using natural language processing, identify the function of uncommented code, refactor legacy
code bases into memory-safe languages, and understand and resolve vulnerabilities. However, before
adopting any AI tools, agencies must ensure that their vendors have a published ethics statement,
provide clarity around data learning and retention, and offer complete model transparency.
Secure by Design is a mindset shift toward radical transparency and truly embracing security as a priority.
Those who work with the federal government understand that cybersecurity is essential to protect our
nation’s critical services. We can all learn from the Secure by Design initiative and embrace a more
secure and transparent future for software development, especially as the government’s guidance
continues to evolve.
About the Author
Joel Krooswyk is the Federal CTO at GitLab Inc. He is a thought leader in
software development, DevSecOps and other key IT practices within the public
sector. In his current role, Joel ensures that GitLab has a voice in developing
key DevSecOps practices coming from standards bodies, Congressional
committees, industry working groups, and other influential organizations. He
has 25 years of experience in the software industry spanning development,
QA, product management, portfolio planning, and technical sales.
LinkedIn: https://www.linkedin.com/in/joelrkrooswyk/
GitLab Public Sector: https://about.gitlab.com/solutions/public-sector/
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.