How are you keeping DevOps and security teams aligned when it comes to securing microservices and serverless architectures?

Information Security Manager in Banking, 3 months ago

In my current role within the CISO organization, we have implemented a Secure Improvement Framework that bridges the DevOps and Security teams. We called the team DevOps Security = DevSecOps. I started building this team exactly 2 years ago, and I focus on embedding security as a shared responsibility instead of creating a separate DevSecOps capability.

How we aligned all of this: 

1. We started with threat modeling in the design phase = we discussed it first with the architects and then with the DevOps teams.
2. We created a DevSecOps Community (something similar to a Security Champions program) but with different activities.
3. For the other capabilities within DevSecOps, like Secure Coding, Secure Monitoring, Pen Test, and Container Security, instead of saying "you need to do this," we asked "how can we help you?" In the beginning the answer was "yes, we know everything, we don't need help," but then issues started coming out and they started contacting us: "hey, we have an issue with this vulnerability," "we have an issue with monitoring," etc.
4. With all that said, we started creating training with best practices for all the capabilities and the most common issues within the organization.
5. We are still far from this, but the goal is to create something called a DevOps Profile and security score for all the DevOps teams: what they do, how they do it, and how mature they are.

In total, it has not been an easy journey over the last 2 years, but we are getting there, because Security is a Team Sport :) :) :)

Engineer, 3 months ago

As part of the SRE/DevOps team, I work closely with security to integrate best practices and automate security audits. We handle implementation—like integrating agents and tools for vulnerability scanning—while the security team manages and monitors the broader security products outside cloud accounts. This ensures clear ownership while maintaining alignment.

Cyber Security Leader in Travel and Hospitality, 4 months ago

To align DevOps and security teams effectively, we integrate comprehensive security checks into CI/CD pipelines, ensuring continuous validation through static and dynamic analysis. Further, we incorporate threat modeling to proactively identify and mitigate potential security threats by thoroughly analyzing system designs. Additionally, our architecture team performs reviews to embed security considerations into the design of microservices and serverless architectures. This collaborative approach ensures early identification and resolution of security gaps, fostering a robust and secure development process.

Director of Information Security, 4 months ago

We collaborate with our enterprise architecture team to balance developers' needs with security requirements. It's crucial to provide developers with the tools they need while ensuring these tools don't compromise security. We focus on securing the development lifecycle, using CI/CD tools for static and dynamic analysis to identify and fix security issues early. Addressing risks at the beginning is essential, as it becomes more costly to resolve them closer to production. Our approach is to identify and resolve security issues early on to avoid complications later.

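The two replies above describe the same pipeline control: static and dynamic analysis results feed a gate that stops a change before it reaches production. The script below is an added example of such a gate and is not code from any of the commenters' organizations. It assumes the scanners emit SARIF (the interchange format most SAST and DAST tools can produce), reads one or more report files, and fails the job when any finding at or above a chosen severity is not already in a risk-accepted baseline; the baseline mechanism, the tool names and the sample report are constructed for illustration.

```python
"""Merge gate over SARIF output from SAST/DAST scanners (added example)."""
import argparse
import json
import sys
from pathlib import Path

# SARIF result levels ranked so a severity threshold can be compared numerically.
LEVEL_RANK = {"note": 1, "warning": 2, "error": 3}


def load_findings(sarif_text):
    """Flatten a SARIF log into finding dicts. A result may omit "level"; SARIF
    then takes the rule's defaultConfiguration.level, which the fallback below does."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rule_levels = {r.get("id"): r.get("defaultConfiguration", {}).get("level", "warning")
                       for r in driver.get("rules", [])}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "unknown")
            location = ""
            if result.get("locations"):
                phys = result["locations"][0].get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                line = phys.get("region", {}).get("startLine")
                location = f"{uri}:{line}" if line else uri
            findings.append({
                "tool": driver.get("name", "unknown"),
                "rule": rule_id,
                "level": result.get("level") or rule_levels.get(rule_id, "warning"),
                "location": location,
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def evaluate_gate(findings, fail_on="error", baseline=frozenset()):
    """Return (passed, blocking). fail_on is the lowest level that blocks the merge;
    baseline holds (rule, location) pairs already risk-accepted (a hypothetical
    mechanism) so a known finding does not block unrelated changes."""
    threshold = LEVEL_RANK[fail_on]
    blocking = [f for f in findings
                if LEVEL_RANK.get(f["level"], 0) >= threshold
                and (f["rule"], f["location"]) not in baseline]
    return len(blocking) == 0, blocking


def _loc(uri, line=None):
    """Build a SARIF physicalLocation for the constructed sample below."""
    phys = {"artifactLocation": {"uri": uri}}
    if line:
        phys["region"] = {"startLine": line}
    return [{"physicalLocation": phys}]


# Constructed sample SARIF with hypothetical tool names, not real scanner output.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "example-sast", "rules": [
        {"id": "hardcoded-secret", "defaultConfiguration": {"level": "error"}},
        {"id": "insecure-random", "defaultConfiguration": {"level": "warning"}}]}},
     "results": [
        # No "level" on this result: severity comes from the rule default (error).
        {"ruleId": "hardcoded-secret", "message": {"text": "AWS access key literal"},
         "locations": _loc("src/payments.py", 42)},
        {"ruleId": "insecure-random", "level": "warning",
         "message": {"text": "random.random() used for a session token"},
         "locations": _loc("src/token.py", 17)}]},
    {"tool": {"driver": {"name": "example-dast"}},
     "results": [
        {"ruleId": "missing-csp-header", "level": "warning",
         "message": {"text": "No Content-Security-Policy header"},
         "locations": _loc("https://staging.example/")},
        {"ruleId": "sql-injection", "level": "error",
         "message": {"text": "Error-based SQL injection in parameter q"},
         "locations": _loc("https://staging.example/search")}]}]})


def main(argv):
    """Usage: ci_sarif_gate.py [--fail-on error|warning|note] [report.sarif ...]
    With no report paths the constructed sample is evaluated."""
    parser = argparse.ArgumentParser(description="Fail CI on SARIF findings")
    parser.add_argument("--fail-on", choices=LEVEL_RANK, default="error")
    parser.add_argument("reports", nargs="*")
    ns = parser.parse_args(argv)
    texts = [Path(p).read_text(encoding="utf-8") for p in ns.reports] or [SAMPLE_SARIF]
    findings = [f for t in texts for f in load_findings(t)]
    passed, blocking = evaluate_gate(findings, fail_on=ns.fail_on)
    print(f"{len(findings)} findings, {len(blocking)} blocking at level >= {ns.fail_on}")
    for f in blocking:
        print(f"BLOCK [{f['tool']}] {f['rule']} at {f['location']}: {f['message']}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run as the last step of the scan job so that a non-zero exit fails the pipeline; SAST and DAST reports can be passed together because the gate only cares about the normalised level, not which tool produced it. Keeping the baseline as an explicit (rule, location) list, reviewed by the security team, is what lets a development team keep merging while a known finding is being worked off, without silencing new ones.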
Information Security Manager, 4 months ago

Our program structure emphasizes horizontal integration across all teams involved in software development. We have an app management function that acts as a hub, aligning developers, the app security team, and other stakeholders as applications progress through their versions. The key is ensuring that people and processes are synchronized, as tools alone are insufficient without effective communication and alignment.
