Peer-Driven Insights

Secure Code & Automation (DevSecOps)

Featured One-Minute Insights

Sept 2024

How are U.S. CISOs Addressing Liability Risk?

New regulations taking effect in the U.S. mean that cybersecurity leaders could face legal liability in the event of an incident. What strategies are they using to protect themselves?
How are U.S. CISOs Addressing Liability Risk?

Community Posts

Purple teaming — can anyone recommend best practices for getting your org started?

Read More Comments

What are you using to do software composition analysis (SCA) scans?

Read More Comments

Any recommendations for secure software development assessment tools? What’s your preference?

Read More Comments

What sorts of issues/challenges would you anticipate if you were to take a ‘secure by design’ approach to GenAI tools? What are the most important differences in the context of AI compared to other software?

What are some limitations of red teaming as a method for testing GenAI tools/LLMs?

Read More Comments

Do you have dedicated teams for both DevOps and DevSecOps?

Yes27%

Only DevOps48%

Only DevSecOps11%

We don't have a dedicated team for either DevOps or DevSecOps12%

Other (please share in the comments)

View Results

Have you ever had to defend DevSecOps to a skeptical C-suite exec? How did you convince them of the importance of security in software development?

Read More Comments

My security analyst is recommending we shut off access to third-party personal email accounts to reduce the risk of attack as a result of phishing attempts through these platforms.  Is this something many companies do?

Read More Comments

Anyone doing purple teaming currently? Looking for recommendations for an automated security validation platform that's aligned to MITRE ATT&CK.

Read More Comments

What’s your current approach to preventing data injection into your commands framework? Do you place more focus on secure coding practices, testing, patching, user input validation or something else altogether?

Read More Comments

How do you encourage your software staff to follow security best practices? Have you ever had problems with developers who aren’t following formal security processes after they’re in place?

How does your org securely integrate acquired code after M&A? Do you have a set process, or does it vary based on the company being acquired?

I'm looking for a tool to manage application security requirements for our organization. The requirements need to include both regulatory requirements (healthcare) and threat-based requirements through a lightweight threat modeling component.  So far, SD Elements looks like a lone winner in this market segment. Does anyone have experience with them or one of their competitors? SD Elements is intriguing as it would also help us track compliance to the requirements thereby helping to measure progress and outcomes.

What can you do to safeguard proprietary secrets ahead of layoffs? Are code freezes enough?

Are you interested in security service edge (SSE)? Which benefit is the most important to you?

Easier data management9%

More controlled access to company systems48%

Better UX for remote employees19%

Streamlined threat detection and mitigation15%

I’m not interested in SSE8%

Other (comment below)

View Results

Does your org incorporate input from development teams before deciding which AppSec tool to purchase?

Yes, always32%

Sometimes58%

No9%

Unsure1%

View Results