 All right, well, thank you so much for coming to GovLab, GitLab in the federal government. My name is Solomon Rubin, as you said, and I am a software and security engineer and a longtime federally funded research and development center employee. And I've worked at two premier laboratories in the US being MITRE and MIT Lincoln Laboratory. Now, I've worked in the government open source arena for more than six years. And in doing that, I've worked in areas like cyber defense, military research, and aerospace research. Now, today, we've heard a lot about kind of the open source government area, like with NASA earlier, but I want to give you a bit of a larger overview. And I really want to look at how and where the government uses open source and how we can facilitate open source within government. And of course, I want to look at how GitLab fits into open source within government. So the first thing we need to look at is how the government actually uses code. Well, as we've seen a bunch today, there's a lot more than just software industries that are using code. Banks and insurance companies use code at the core of what they do every single day. And the government is no exception to that. While, of course, it's not a software industry, it is absolutely an organization that uses code in almost every part of what it does. And that is extremely important. So what kind of code does the government actually use? Well, there's tons of stuff the government does, and there's tons of code within that. And I cannot reasonably go over all of that, but I want to give you just a couple examples. So for one, data science is a massive area, especially right now, as ad tracking and all of this becomes more and more popular. But a really cool example of this within government is something like logistic simulation, perhaps looking at how much fuel a Humvee might need to fulfill its mission, or perhaps just getting your mail from a post office to your door the most efficiently. 
Another big area is helping the IRS to figure out and determine where mass financial fraud is occurring. Data science is core in doing that. Another big area right now is cybersecurity and digital forensics. Federal law enforcement uses this every single day to rebuild digital crime scenes and to track digital criminal activity. And of course, full stack and web engineering, something that we're all extremely familiar with as we use that almost every day throughout our normal lives. Now, a couple examples of this are if you've ever had to fill out an application for a public trust or perhaps a clearance, or if you've ever been on a government website, you've probably seen something like that banner. Now, of course, if you've done that, if you've seen this before, you have been a part of that full stack environment within the government. But something perhaps a little bit closer to home is if you've ever filed your taxes, and I really hope that you have filed your taxes, you've probably done this through the IRS tax e-file system, which of course is part of that full stack and web engineering infrastructure that the government provides. And of course, there's so much more that I cannot reasonably go over. And some of it, I'm not allowed to go over. But at the core of all of it is open source. And that's the thing I wanna drive home today, is that the government is highly invested in open source software, and it has been for a really, really long time, for decades. However, with that high engagement, there are also large challenges. And a big part of that is purely because the government exists within a politically charged environment, especially in today's day and age. The other portion of this is that there are both external and internal actors that are pushing against the usage of open source within government. And lastly, there are extreme sensitivities within the US government that make it very hard to do open source work. 
So there's a lot of examples of external actors pushing against open source, but a really good one that pops up probably too often is Oracle. And specifically in 2017, an Oracle executive commented on a GSA modernization repo with a scathing review of open source. And they made two different claims. The first thing they said is that the US government should not be emulating the fast paced environment of Silicon Valley. But in order for any organization, but in particular the government, to stay current with software, to stay current with what's going on in the software industry, it needs to be able to innovate at a reasonable pace, at a pace similar to the rest of the software industry, at a pace similar to that of Silicon Valley. Now, the other thing that they claimed is that in-house government IT is not necessary. But in order to innovate at that level that is required, you need to have people on the ground who understand what's going on, both from a business perspective, but also from a technical perspective. If you don't have people within an organization who understand what's happening, you cannot reasonably move forward at a good pace. The other thing that they suggested was regarding open source itself. The first thing they said is that open source security is not good enough for government. But we've seen this time and time again that open source security is better than its proprietary alternatives, simply because there are more eyes on that code, which means there's more chance for issues to be found and fixed faster. Now, on top of that, they said that code maintained by a community is not safe. But once again, as we've seen here at GitLab, that generally speaking, code maintained by a community is safer because you have more eyes on that code. And you can fix those issues faster and that you know what's actually going on, which is not the case in proprietary software. 
In conclusion, Oracle basically said, please buy our software and don't use the free stuff. But what about internal actors? Because there's no shortage of people within the government saying, hey, maybe we shouldn't be doing this open source thing. Maybe it's not safe. Well, and there's a number of reasons for this. For one, for just simply using open source software. Well, the general policies and habits within the US government have led to this general distrust. And this largely comes from the security community. We are trained not to trust people we don't know. And we're trained to think that way as a child, don't talk to strangers. But like we just talked about, the unknown communities are generally very safe. Even if someone is doing something nefarious, you usually catch that before it becomes an issue. And that's important. The other half of this is that the internal code verification process to simply use open source in a project and government is extremely slow. And this disincentivizes any means to use open source within government. If it's gonna take so long and it's gonna be so much of a hassle to use open source, why should I bother? And lastly, there have been negative opinions voiced by agencies themselves. For example, DHS voiced security concerns regarding not only the use of open source but also contributing to open source, which partially was valid but mostly didn't make a whole lot of sense. And when it comes to actually contributing to open source in government, well, that's also really difficult because again, those sensitivities are huge and it's hard to open source something if it contains something that shouldn't be public. And naturally you need to remove those things but on top of that, you have to go through an intense code review process as well as the legal process and it just takes so much time which makes me as a government developer say, well, why should I bother? 
So in 2016 I was at OSCON and I had a chance to talk to an NSA cryptologist. And she happened to work in a highly classified environment where, of course, as a cryptologist you wanna work with and use open source libraries. But she explained to me that rather than get approval to use a library, it was faster for her to go outside of her lab, print out the code for her library on paper, walk it back into her lab, and then physically type it out in the classified environment. And that's crazy. No one should be rewriting code by hand. That's not how this works. We have copy and paste for a reason, and granted, those classified environments make it much more difficult, but there is an approval process for this. But when those security and approval processes take so long that they work against us, there is clearly a problem, and that's not good. So given all this negativity about open source and government, where is it actually occurring? 'Cause I'm not here just to complain to you guys. Well, it is occurring and it has been occurring for a long time, like I said before, and the key is you have to know where to look. Well, about five years ago, and kind of prior to that, the policies and habits of the US government didn't allow for easy open source contribution or use anywhere in the government. But today, not only is it a lot easier to use and contribute to open source, but there are even open source centers that exist within the government. And on top of that, almost all agencies and organizations within the government are not only using open source but contributing to it, and that is phenomenal on its own. Now, 18F is a really great example of one of these organizations. 
18F is a digital services agency that operates similar to a startup within the federal government, and they operate with total transparency, meaning that you can go look in their GitHub repos at their requests for comments, their planning process, their code. And not only can you look at them, but you can also go and interact with them and contribute to them and be a part of what the government is doing every day. And they've also been this massive force for cultural change, which is another thing we've heard a lot about in terms of agile and GitLab and government: the cultural change is at the core of what we're trying to do, and 18F has done quite a bit of that. And they've been doing this by pushing modern software and agile software approaches to the federal government, and they're a huge part of the reason why our websites, the federal government's websites, don't look like they're straight out of the 90s. And that on its own is amazing, because perception is a big part of looking competent. Now, another place to look is federally funded research and development centers, which is of course where I come from. These places conduct research for the government and generally operate in closer proximity to the government than a traditional contractor, and generally they will be creating open source frameworks and tools as a result of their research, and in turn create open data standards and libraries. Places like this are gonna be organizations like MIT Lincoln Laboratory, MITRE, Sandia National Laboratory and Pacific Northwest National Laboratory, and there's over 30 others throughout the US. So there's quite a bit of them, but the other big question is, what about the actual agencies? 
Well, there's clearly a massive amount of agencies that are doing open source, and I don't just mean using open source, I mean contributing and generating their own projects. Between all of these organizations there is more than 6,000 unique repos, and that's a phenomenal amount of code that is being created and open sourced by the government. And all of this information is available at code.gov, which is essentially the US government's platform for sharing America's open source software. And not only does it provide a list of existing projects, but it also provides agency compliance, and what that means is whether or not an agency is consistent with federal source code policy, how much custom software they've inventoried, and how much custom software has actually been open sourced. So with all that, what does open sourcing government actually look like? Well, in order to understand that, we need to take a look at what kinds of code contribution can actually look like. So the first thing is open source, which is external contributions, and then of course there's inner source, which is internal contributions within an organization. Now, just to give you a couple examples of big name open source projects from the government, we have projects like Common Vulnerabilities and Exposures, or CVE; STIX and TAXII, which is a threat analysis tool; Ghidra, which is a reverse engineering tool; SHA, and Simon and Speck, which are encryption algorithms; and of course code.gov, which we just talked about. But then there's inner source, and there's a lot of that going on within government. For one, the US government provides a license for government-wide reuse, so as long as that license is on a repo, anyone in government can use it, no questions asked. But more common than that is inter- and intra-agency reuse, and that's essentially when an agency, agency A, says to agency B, hey, I heard you were working on this project, we would love to be a part of that. 
We think that we could help your mission and you can help our mission, can we collaborate? Or perhaps that happens within one agency between departments. I myself have led an effort that worked with two different agencies, a contractor and of course my organization and it's really phenomenal to see that kind of massive collaboration happening within the federal government because traditionally we think of this organization as a very siloed organization where every single place is kind of their own area that doesn't really share information or code and that's really not the case. So given that, how is open source actually facilitated? This is ultimately why we're here at this conference today and there are tons of ways that we share code and I hope that you are familiar with quite a few of these. Now, one of the ways is simply sharing a keyboard, two people at the same computer or perhaps sharing a flash drive or maybe sending stuff via email but the problem with all of this is that they obviously don't scale well and you'd be surprised how often this gets used in government. But then you have actual source control and something like GitHub is a very powerful tool it's something I use for a lot of my personal projects but when it comes to government it's not a great tool because in order to put anything on there you need to have a public release approval which is as we've already talked about very hard to get and even if you want to use their private repo GitHub itself is not approved for government use for that kind of code so it's really not an option. But then you have a tool like Bitbucket which is an improvement upon GitHub simply because you can host it on premises but unfortunately it doesn't provide a whole lot of tools outside of your simple source code management and it's not free, it's very expensive especially at the enterprise level. 
So then of course we have GitLab, and once again that is literally why we're here. And GitLab's really nice because not only can it be a free tool, but it can also provide features that will help you do a lot more than other vendors might, and it can work towards a lot of different needs depending on what is going on within your organization. And that's important, because when you're working with the US government you have to understand that their needs differ from most other organizations. And a big part of that, for starters, is there's special sensitivities we need to keep in mind, and that is of course the sensitive code and the sensitive matter that we work with every single day. And that simply means we need to store that code securely, and that means storing that code in highly vetted cloud solutions or on-premises hosting solutions. And then of course there's classified code, which is a whole other beast, and what that really means is it's always going to be in an air-gapped environment. And that means you can't go off and use your normal enterprise version of GitLab or Bitbucket; you need to use the infrastructure within that classified environment, because there's no internet, there's no external access, and you definitely cannot bring your phone in there, so it's not like you can Google for stuff. So part of the problem with this is, let's say I have seven classified environments. Well, suddenly I need seven licenses for Bitbucket. Or let's say I have 40 of these across my entire organization. That is a lot of licenses at $10,000 apiece for these environments, and I need one for each. That's a lot, but I can make an assumption that I probably don't need a full-fledged development environment within my classified environment. So something like GitLab CE becomes very powerful, because not only is it free, but it deploys within that classified environment very easily. So who is using GitLab right now? 
There's a lot of individuals within government who are, and this is not a complete list, this is just the people who say, hey, by the way, we're doing this. And just to go through it, I mean, it's Air Force and Army and Navy and DoD, Homeland Security, Department of State, NASA. And it's also approved for the GSA Schedule program, so if you need the enterprise features it's very easy to purchase from a government standpoint. But the question is, why are people using GitLab? What makes GitLab so special for government use? Well, for one, it provides a comprehensive toolchain all in one place. It also complies with the stringent security regulations that the government puts in place. And lastly, there's a lot of flexibility with deployment: whether you wanna put it on premises or in AWS GovCloud or Azure Gov or any authorized government cloud provider, you can do that, or if you wanna deploy it in a classified environment, it's very easy to do that, unlike some other vendors. And on top of that, GitLab provides a lot of additional security that is hard to find elsewhere, and that flexibility in deployment, for example, provides that security right off the bat. Now, of course, it's very easy to say, all right, I want one GitLab instance for the entire organization. But something we've done time and time again is, if we're collaborating between a couple of different agencies, I don't wanna give the three individuals from this one agency access to my entire agency's GitLab repo. There's a security risk in that. 
So what we can do instead is say, I'm gonna throw up an AWS L3 account, put GitLab on there, and give them access to that with my project. And then when another agency comes on, all I have to do is give them access to that. And suddenly there's a contractor there too? Well, they have access to that, and I haven't breached the entire organization for this collaboration project. It becomes so much safer, and it's super easy to do that with GitLab, and it happens quite a bit within government that that is how we operate. On top of that, GitLab provides FIPS compliance, which is something the government loves, and there's common access card authentication, which is the preferred method of authentication throughout the government. And lastly, there's support for a very cool feature called one-way transfers, which is essentially a mechanism to move code from an unclassified to a classified environment with literally a click of a button, where you would normally have to take a CD, burn the code to that CD, bring it through document control, and then bring it into the lab, which is annoying, and I've done it hundreds of times. And clicking a button is so much easier. I basically call this a diode for code. So when working with government, we have to remember that there's always gonna be some additional complications, and specifically within this we have to remember that historically the US government has not been agile. And when we're building agile workflows into a non-agile organization, there's always gonna be a lot of challenge in that, and the tooling for agile adds that additional complication. Tools like Jira and Bitbucket and Artifactory and New Relic, and that list goes on, are very hard to manage. But once again, GitLab provides a lot of that functionality all in one place, and that is really key for government. 
Now, we have to remember that agile is not just a workflow. As we've said a couple of times, and we've heard earlier today, it is at its core a cultural change, and providing this tooling under one name and one UI is really important in that, because not only does it decrease the learning curve required for people that we're trying to indoctrinate in this cultural change, but it also makes that training much easier, and the maintenance for the people who are gonna be maintaining this long term quite a bit easier. Maintaining seven tools, eight tools, nine tools is a lot, especially for someone who hasn't had to do that traditionally. The other thing to realize is that the government has a huge amount of variance in what it does. One agency may have a very different work protocol than another agency. Perhaps one uses GitFlow and the other one uses Scrum and another uses agile. No matter what they use, no matter what tools they need, you can pick and choose what you want to do with GitLab. GitLab is able to fit in in whatever organization simply because it was designed to be very versatile, and that's again very important for government, because there's so much variance. And like we just talked about, it provides a decision between, do you want that enterprise-scale development platform, or do you want something simple, that one-off collaboration environment that you can use for one project between a couple of agencies. 
So, GitLab itself has a massive commitment to government. They've increased their federal workforce team to more than 200 individuals over the last couple of years, and they've also been developing a lot of government-specific features like that CAC feature I mentioned and the one-way transfers. And on top of that, there's been executive-level support for the federal workforce, which is phenomenal. And they've also shown support not only for open source, as they are a massively open source organization, but also for government open source, which is something I am deeply passionate about and something I have worked in for a long time. And it's something I want to see continue to grow, because I think the transparency of that level and the code we use in government is important, and that continued commitment to open source in government is at the core of what I want to convey. I think that we need to continue to educate on the value, the availability and the safety of open source, and I think that GitLab really helps to do that. And I think that we can do that as well by supporting not only the initiatives within the government, by looking at the projects on code.gov, and whether you want to contribute to them or just look at them and see what's there, it's well worth it, but also by being here and supporting organizations like GitLab, which are committed to not only working with open source in government but making sure that they do it in a way that is transparent. And that is what I really want to see continue forward into the future. Thank you so much for coming. There is additional information and the slides available here, and of course there's time for questions if anyone has any. Thank you again.

All right, so this is probably your one chance today to try and pry classified information out of a speaker. Anyone have questions?

Could you elaborate a little bit on the one-way file transfer feature you were talking about in GitLab? 
I have not heard of that, and it's very interesting in my use case.

Yeah, absolutely. So it was specifically developed for government use cases. Essentially, the government use case is you're gonna have two different instances of GitLab. One is gonna be on the unclassified environment and the other one's gonna be on a classified environment, and it basically enables you to click a button and transfer code in a unidirectional manner from that unclassified environment to the classified environment, where normally you would have to take a flash drive or something with that code and move it over to the other instance. It basically allows you to move the code and document that you've done so, basically by clicking a button. There is not. So it's all done through secure network tabs. I've not looked at the specifics of it, but I've used it, and it's literally just, it's clicking a button. And it's really useful because normally the use case in government is you burn a CD, it's green, it says unclassified, and then you bring it in, you get document control to put a number on it, and you've done it. But that takes away the effort of having to log all that, and it's done automatically for you.

You mentioned a specific license that repos could include that meant that the code was immediately usable by government agencies. Could you say a bit more about that license?

Yeah, sure. I haven't looked at the text for it specifically, but there is a license that exists for government use. It's like any other license, but basically what it allows for is, as long as that license is included, any government agency or organization can use it for whatever they need to. Much like MIT allows you to use whatever that repo is for whatever you wanna do with it. It's the same thing, but specifically internal to government usage. 
The unfortunate piece about that is if you see code with that license on it, you as a private citizen, probably can't use that without getting into some legal issue but if you happen to work for an agency, you can say, oh, neat, I'm gonna go check that out and maybe use it in one of my projects. I can definitely add that license text to this post after the talk.