Peer-Driven Insights

Secure Code & Automation (DevSecOps)

About this topic

Secure code and automation refers to integrating security practices and automated tools into the software development lifecycle. These approaches reduce vulnerabilities and accelerate the secure delivery of applications.

Featured One-Minute Insights

Sept 2024

How are U.S. CISOs Addressing Liability Risk?

New regulations taking effect in the U.S. mean that cybersecurity leaders could face legal liability in the event of an incident. What strategies are they using to protect themselves?
How are U.S. CISOs Addressing Liability Risk?

Community Posts

Purple teaming — can anyone recommend best practices for getting your org started?

Read More Comments

Are you interested in security service edge (SSE)? Which benefit is the most important to you?

Easier data management10%

More controlled access to company systems48%

Better UX for remote employees18%

Streamlined threat detection and mitigation15%

I’m not interested in SSE8%

Other (comment below)

View Results

Do you have dedicated teams for both DevOps and DevSecOps?

Yes28%

Only DevOps45%

Only DevSecOps13%

We don't have a dedicated team for either DevOps or DevSecOps12%

Other (please share in the comments)

View Results

Does your org incorporate input from development teams before deciding which AppSec tool to purchase?

Yes, always33%

Sometimes57%

No9%

Unsure1%

View Results

How is the 2023 US cyber strategy impacting software development so far, based on what you’re seeing in the industry? Is the push for software liability having an impact yet?

What are you using to do software composition analysis (SCA) scans?

Read More Comments

Any recommendations for secure software development assessment tools? What’s your preference?

Read More Comments

What sorts of issues/challenges would you anticipate if you were to take a ‘secure by design’ approach to GenAI tools? What are the most important differences in the context of AI compared to other software?

What are some limitations of red teaming as a method for testing GenAI tools/LLMs?

Read More Comments

Have you ever had to defend DevSecOps to a skeptical C-suite exec? How did you convince them of the importance of security in software development?

Read More Comments

My security analyst is recommending we shut off access to third-party personal email accounts to reduce the risk of attack as a result of phishing attempts through these platforms.  Is this something many companies do?

Read More Comments

Anyone doing purple teaming currently? Looking for recommendations for an automated security validation platform that's aligned to MITRE ATT&CK.

Read More Comments

What’s your current approach to preventing data injection into your commands framework? Do you place more focus on secure coding practices, testing, patching, user input validation or something else altogether?

Read More Comments

Anyone have experiences or POVs on TruffleHog Open Source vs Commercial license?

How does your org securely integrate acquired code after M&A? Do you have a set process, or does it vary based on the company being acquired?

I'm looking for a tool to manage application security requirements for our organization. The requirements need to include both regulatory requirements (healthcare) and threat-based requirements through a lightweight threat modeling component.  So far, SD Elements looks like a lone winner in this market segment. Does anyone have experience with them or one of their competitors? SD Elements is intriguing as it would also help us track compliance to the requirements thereby helping to measure progress and outcomes.