Peer-Driven Insights

Secure Code & Automation (DevSecOps)

About this topic

Secure code and automation refers to integrating security practices and automated tools into the software development lifecycle. These approaches reduce vulnerabilities and accelerate the secure delivery of applications.

Featured One-Minute Insights

Sept 2024

How are U.S. CISOs Addressing Liability Risk?

New regulations taking effect in the U.S. mean that cybersecurity leaders could face legal liability in the event of an incident. What strategies are they using to protect themselves?
How are U.S. CISOs Addressing Liability Risk?

Community Posts

What interview questions should you ask when hiring a DevSecOps engineer?

Read More Comments

Purple teaming — can anyone recommend best practices for getting your org started?

Read More Comments

Are you interested in security service edge (SSE)? Which benefit is the most important to you?

Easier data management8%

More controlled access to company systems48%

Better UX for remote employees19%

Streamlined threat detection and mitigation15%

I’m not interested in SSE8%

Other (comment below)

View Results

Non-human identities (NHIs), such as API keys, service accounts, and tokens, outnumber humans by 25 to 50 times and often go ungoverned. From Entro’s 2025 report:
• 90% have excessive permissions
• 44% are exposed in the wild
• 91% of stale secrets are never revoked

What helped us: inventory, assign owners, right-size access, monitor behavior, and test continuously.

How mature is your NHI program? Biggest barrier, tooling, ownership, or adoption?

What sorts of issues/challenges would you anticipate if you were to take a ‘secure by design’ approach to GenAI tools? What are the most important differences in the context of AI compared to other software?

Do you think the backdoor in xz Utils is a sign of things to come? Are you expecting software supply chain attacks on open source to increase even further this year?

Any tips for establishing a security champions program for the software team? If you’ve done this, did you run into any internal pushback or skepticism?

Read More Comments

What can you do to safeguard proprietary secrets ahead of layoffs? Are code freezes enough?

Do you have an AI application security program?

Yes33%

We’re currently considering it49%

We’re currently developing one10%

No6%

View Results

When it comes to internal development, how often do security team members attend kickoff meetings for new software projects?

Always23%

Often46%

Sometimes20%

Rarely10%

Never1%

View Results

How do you foresee the data security and privacy landscape changing over the course of 2023?

Read More Comments

What kind of salary ranges have you seen for DevSecOps engineers?

Read More Comments

What’s your current process for generating SBOMs?

Read More Comments

My security analyst is recommending we shut off access to third-party personal email accounts to reduce the risk of attack as a result of phishing attempts through these platforms.  Is this something many companies do?

Read More Comments

What are some limitations of red teaming as a method for testing GenAI tools/LLMs?

Read More Comments

What’s your current approach to preventing data injection into your commands framework? Do you place more focus on secure coding practices, testing, patching, user input validation or something else altogether?

Read More Comments