
Building a Secure Software Supply Chain: 5 Key Insights from GitLab’s Field CTO

Ed Sawma, VP of Product Marketing

The pace of modern software development is driven by speed, scale, and open collaboration. But that evolution has introduced new risks across the software supply chain. In our recent Chainguard webinar, A Field CTO’s Insights on Secure Software Supply Chain, I had a great conversation with George Kichukov, Field CTO at GitLab. George shared a clear and practical perspective on the current state of supply chain security. Drawing from his work with organizations across the technology and financial services industries, George outlined the challenges companies face today and the critical steps they need to take to move from awareness to meaningful action.


Here are my five biggest takeaways from our conversation:


1. Organizations know security is important—now they need to act


Organizations are no longer asking if software supply chain security matters. They know it does. The challenge is in moving from awareness to action. According to George, most companies are still early in their journey—they lack centralized programs, cohesive tooling, and clear ownership. A mature approach requires more than a patchwork of scanners and policies. It takes governance, resourcing, and education to build secure practices that scale.


2. Toolchain sprawl creates hidden risk


Today’s software supply chains are often stitched together from dozens of disconnected systems: source code repositories, CI/CD platforms, scanners, deployment tools, and more. Each has its own APIs, permissions, and integration quirks. This complexity not only overwhelms engineering teams, but also introduces serious security gaps. Organizations need to simplify, streamline, and secure how these tools interact, especially around access tokens, secrets, and privilege boundaries.


3. Security must shift into developer workflows


George emphasized that effective security doesn’t have to come at the cost of developer experience. In fact, when security checks are embedded into familiar touchpoints, like code reviews, merge requests, or build pipelines, they become part of the natural flow. Rather than reacting to incidents, engineering teams can proactively remediate issues. The key is surfacing the right data at the right time, with clear guidance on what matters and why.


4. Transparency in open source is non-negotiable


Open source is foundational to modern development, and it’s not going away. But using open source responsibly means knowing what you’re using, where it comes from, and how deeply it’s embedded. George stressed the importance of visibility into dependency trees and SBOMs (software bills of materials): a direct dependency you chose is a different risk from a library pulled in three levels down that nobody on the team has ever looked at. Security is not about avoiding open source; it’s about bringing transparency and hygiene into the process, and forming good habits around updates and risk evaluation.
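To make "how deeply it’s embedded" concrete, here is an added example (not code from the webinar, from GitLab, or from Chainguard) that walks the dependency graph of a CycloneDX SBOM. The SBOM is a constructed, minimal CycloneDX 1.5 JSON document with made-up package names; the hypothetical helper functions compute each component’s depth below the application, list every path by which a component is pulled in, and flag two hygiene problems that make an SBOM untrustworthy: components listed but unreachable from the root, and references to components that were never declared.

```python
"""Walk a CycloneDX SBOM dependency graph: what is used, via which paths, how deep.

Added example, not from the webinar, GitLab or Chainguard. SAMPLE_SBOM is a
constructed CycloneDX 1.5 document; package names and versions are illustrative.
"""
import json
from collections import deque

# Constructed sample: an application with two direct dependencies. The web
# framework pulls in a template engine, which pulls in an escaping library that
# the HTTP client also depends on. "leftover" is declared but never depended on;
# "ghost" is depended on but never declared (both are deliberate defects).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "billing-service", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/webfw@1.0.0", "type": "library", "name": "webfw", "version": "1.0.0"},
        {"bom-ref": "pkg:pypi/httpclient@2.0.0", "type": "library", "name": "httpclient", "version": "2.0.0"},
        {"bom-ref": "pkg:pypi/tmpl@4.2.0", "type": "library", "name": "tmpl", "version": "4.2.0"},
        {"bom-ref": "pkg:pypi/escape@0.9.1", "type": "library", "name": "escape", "version": "0.9.1"},
        {"bom-ref": "pkg:pypi/leftover@1.0.0", "type": "library", "name": "leftover", "version": "1.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/webfw@1.0.0", "pkg:pypi/httpclient@2.0.0"]},
        {"ref": "pkg:pypi/webfw@1.0.0", "dependsOn": ["pkg:pypi/tmpl@4.2.0"]},
        {"ref": "pkg:pypi/tmpl@4.2.0", "dependsOn": ["pkg:pypi/escape@0.9.1"]},
        {"ref": "pkg:pypi/httpclient@2.0.0", "dependsOn": ["pkg:pypi/escape@0.9.1", "pkg:pypi/ghost@1.0.0"]},
        {"ref": "pkg:pypi/escape@0.9.1", "dependsOn": []},
    ],
})


def load_graph(sbom_text):
    """Return (root_ref, components, edges) from CycloneDX JSON.

    components: bom-ref -> component dict (root included).
    edges: bom-ref -> list of bom-refs it depends on.
    """
    bom = json.loads(sbom_text)
    root_component = bom["metadata"]["component"]
    root = root_component["bom-ref"]
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    components[root] = root_component
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root, components, edges


def dependency_depths(root, edges):
    """Shortest hop count from the root to every reachable ref (BFS).

    Depth 1 is a direct dependency; anything deeper arrived transitively.
    """
    depths = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for dep in edges.get(ref, []):
            if dep not in depths:
                depths[dep] = depths[ref] + 1
                queue.append(dep)
    return depths


def paths_to(root, edges, target):
    """Every acyclic root->target path; each one is a separate reason the component is present."""
    paths = []

    def walk(ref, trail):
        if ref == target:
            paths.append(trail)
            return
        for dep in edges.get(ref, []):
            if dep not in trail:  # ignore cycles in a malformed graph
                walk(dep, trail + [dep])

    walk(root, [root])
    return paths


def hygiene_issues(root, components, edges):
    """Inventory/graph mismatches worth rejecting an SBOM over.

    unreachable: declared in components but no dependency path from the root
                 (stale inventory, or a graph that was never filled in).
    undeclared:  named in some dependsOn but missing from components.
    """
    reachable = set(dependency_depths(root, edges))
    declared = set(components)
    referenced = {dep for deps in edges.values() for dep in deps}
    return {"unreachable": sorted(declared - reachable),
            "undeclared": sorted(referenced - declared)}


if __name__ == "__main__":
    root, components, edges = load_graph(SAMPLE_SBOM)
    for ref, depth in sorted(dependency_depths(root, edges).items(), key=lambda kv: kv[1]):
        print(f"depth {depth}: {ref}")
    for path in paths_to(root, edges, "pkg:pypi/escape@0.9.1"):
        print("pulled in via:", " -> ".join(path))
    print("hygiene:", hygiene_issues(root, components, edges))
```

Running it shows `escape` at depth 2 with two distinct paths into the build, which is exactly the information you need when that library needs an urgent update: both `webfw` (through `tmpl`) and `httpclient` have to move, not just one. The hygiene check is the part most teams skip: an SBOM whose graph does not match its component list cannot be trusted for either question, so treat `unreachable` or `undeclared` entries as a failed check, not a warning.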


5. Unified platforms can reduce risk and friction


As GitLab’s Field CTO, George sees firsthand the benefits of an integrated DevSecOps platform. When source code management, CI/CD, scanning, and policy enforcement all live in one system, engineering teams spend less time wiring things together and more time improving outcomes. Centralized secrets management, embedded scanners, and tight access controls become default rather than afterthought. This cohesion allows organizations to secure their pipelines without slowing down.


George’s message is simple: security doesn’t have to be disruptive, but it does have to be intentional. The sooner engineering and security teams align around that idea, the safer and more resilient their software will be. Watch the full conversation here.
