Do You Trust Your DevSecOps Pipeline - Webinar CloudBees & Snyk

This was a panel webinar with CloudBees and Snyk where we discussed whether you can actually trust your DevSecOps pipeline. I was joined by Anders Wallgren from CloudBees and Mitch Ashley from Accelerated Strategies Group, and the panel was moderated by Sam Bell.

My main point was that most people think about security as a separate concern, but in reality there are three backlogs competing for attention: developers optimizing for features, ops optimizing for stability, and security optimizing for risk avoidance. The friction comes from treating these as three separate priorities. The business has to find the right balance between all three, and the only way to do that is by having the groups collaborate and talk to each other. The goal is to empower each team with guidance and policies so they can make security decisions themselves, rather than funneling everything through a central security team.

Anders made the point well: security is not a condiment you sprinkle on top of the plate before serving. It is a core ingredient in the meal. If you do not think about it from the start – where to source it, how to integrate it – it will not happen by accident. The old waterfall approach of adding security after all the code is written simply does not work.

The parallel to DevOps was clear. Just as DevOps was about getting dev and ops to work together and learn from each other, DevSecOps is about adding security to that collaboration. Shift left is part of it, but the real goal is getting people to understand each other’s functions. When developers understand security constraints and security people understand delivery pressures, the right decisions get baked in rather than bolted on.

Watch on YouTube – available on the jedi4ever channel

This summary was generated using AI based on the auto-generated transcript.
