True 'shift left and extend right' security requires empowered developers | TechCrunch

DevOps is fundamentally about agility and collaboration. That message becomes distorted when compliance and security are added to the mix. DevSecOps was created to integrate security and compliance seamlessly within the DevOps framework, but the reality is not ideal: security tools were bolted onto the DevOps process as new automation layers. This is an inefficient approach that embraces neither agility nor collaboration.

To deliver DevSecOps, security must be integrated into DevOps itself. This requires a shift in mindsets, processes, and technologies.

"Security and risk management leaders must respect the collaborative, agile nature of DevOps in order for security testing to be seamless in its development. This will make the Sec in DevSecOps transparent." (Neil MacDonald, Gartner)

All developers should be proficient in secure coding practices, from front end to back end. They should also be trained in how to prevent SQL injection and authorization-framework exploits. Developers would then have all the information needed to make security-related decisions early in the design phase, and an organization should offer the necessary training to a developer who is trying to implement a new type of security control.

Unfortunately, reality is not so ideal. Although CI/CD automation gives developers control over the deployment and management of their code, developers still lack visibility into the relevant information that could help them make better decisions.

In some ways, the whole concept of detecting and repairing vulnerabilities early in development is outdated. Better is to give developers the information and training they need to keep potential vulnerabilities from becoming real ones. Imagine a developer who is given the task of adding PII fields to an API that is exposed to the internet. The security of the new feature depends on the authorization controls in the cloud gateway.

This does not mean that security architects or scanners must be able to detect security risks earlier; it means that developers should have all the information they need to keep the vulnerability from ever being introduced. Continuous feedback is crucial to improving developers' security knowledge by an order of magnitude.
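As an added illustration of that feedback loop (not code from the article), the check below scans an OpenAPI-style spec for operations whose responses contain PII-marked fields but declare no authorization requirement, so a developer adding such fields sees the gap at review time rather than after a scanner finds it. The `x-pii` vendor extension and the use of the `security` key to represent gateway authorization are assumptions of this example.

```python
"""Pre-merge check that flags API operations returning PII-marked fields with
no authorization requirement. Added example, not from the article; it assumes
"x-pii": true marks PII and the "security" key expresses gateway authorization."""

# Constructed sample: GET /users/{id} returns PII with no security; /health does not.
SAMPLE_SPEC = {
    "security": [],  # no global default, so each operation must opt in
    "paths": {
        "/users/{id}": {"get": {"responses": {"200": {"content": {
            "application/json": {"schema": {"type": "object", "properties": {
                "id": {"type": "string"},
                "email": {"type": "string", "x-pii": True},
                "address": {"type": "object", "properties": {
                    "street": {"type": "string", "x-pii": True}}},
            }}}}}}}},
        "/health": {"get": {"responses": {"200": {"content": {
            "application/json": {"schema": {"type": "object", "properties": {
                "ok": {"type": "boolean"}}}}}}}}},
    },
}

def pii_fields(schema, prefix=""):
    """Recursively collect dotted paths of properties marked x-pii."""
    found = []
    for name, prop in schema.get("properties", {}).items():
        if prop.get("x-pii"):
            found.append(prefix + name)
        found += pii_fields(prop, prefix + name + ".")                   # nested objects
        found += pii_fields(prop.get("items", {}), prefix + name + "[].")  # arrays
    return found

def find_unprotected_pii(spec):
    """Return (METHOD, path, pii_fields) for every operation that exposes PII
    without an operation-level or global security requirement."""
    findings = []
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            secured = op.get("security", spec.get("security", []))  # op overrides global
            fields = [f for resp in op.get("responses", {}).values()
                      for media in resp.get("content", {}).values()
                      for f in pii_fields(media.get("schema", {}))]
            if fields and not secured:
                findings.append((method.upper(), path, fields))
    return findings

if __name__ == "__main__":
    for method, path, fields in find_unprotected_pii(SAMPLE_SPEC):
        print(f"{method} {path} returns PII {fields} without authorization")
```

Wired into a pull-request pipeline, the finding lands in front of the developer who added the field, which is the kind of early, specific feedback the article argues for.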