Home
All Topics
Secure Code & Automation (DevSecOps)

Peer-Driven Insights

Secure Code & Automation (DevSecOps)

What sets us apart?

No selling.

No recruiting.

No self promotion.

Read Our GuidelinesTrusted peer advice and insights for technology professionals.

Related Topics

Awareness & Training
Data Privacy & Protection
Governance, Risk & Compliance
Identity & Access Management (IAM)
Regulatory Compliance

Community Guidelines Rules of Engagement FAQs Directory of ambassadors Privacy Terms of Service

© 2025 Gartner, Inc. and/or its affiliates. All rights reserved.

Community Posts

What interview questions should you ask when hiring a DevSecOps engineer?

Read More Comments

Non-human identities (NHIs), such as API keys, service accounts, and tokens, outnumber humans by 25 to 50 times and often go ungoverned. From Entro’s 2025 report:
• 90% have excessive permissions
• 44% are exposed in the wild
• 91% of stale secrets are never revoked

What helped us: inventory, assign owners, right-size access, monitor behavior, and test continuously.

How mature is your NHI program? Biggest barrier, tooling, ownership, or adoption?

How do you encourage your software staff to follow security best practices? Have you ever had problems with developers who aren’t following formal security processes after they’re in place?

Does anyone have experience or feedback regarding use of Wazuh as a SIEM, specifically for a small (~50 person) company and with all infrastructure in the public cloud?

Read More Comments

How are you keeping DevOps and security teams aligned when it comes to securing microservices and serverless architectures?

Read More Comments

How do you encourage your software team to work collaboratively on security — both within the team and with other departments?

Do you have dedicated teams for both DevOps and DevSecOps?

Yes27%

Only DevOps48%

Only DevSecOps11%

We don't have a dedicated team for either DevOps or DevSecOps12%

Other (please share in the comments)

View Results

Have you added any GenAI tools to your DevSecOps pipeline, or are you still worried about introducing security problems?

Read More Comments

How are you improving API security testing?

Read More Comments

Has anyone started exploring the incorporation of AI tools and training into their developer communities, particularly in the government space where we tend to be more risk-averse? I’m interested in hearing about the strategies you're using to evaluate these tools and how you distinguish between those offering real value and those that might be overhyped. While tools that simplify code reviews, generate test cases, and ensure automated test coverage are top of mind, I recognize there may be other valuable AI applications. I’d love to hear how others are navigating this space, especially in areas where risk management is a key consideration.

Read More Comments

If there’s only enough budget to send a few devs to one AppSec conference for the year, which one would you go with? Which conference would likely be most valuable to level up DevSecOps at your org?

Read More Comments

When do you think we'll see more standards introduced for code signing?

Within the next 6 months30%

Within the next 7-12 months55%

Within the next 1-2 years13%

I have no idea1%

View Results

Have you found success using NIST’s secure software development framework (SSDF)? Would you recommend it to a colleague as an effective way to mitigate risk during development?

Does your org use purple teaming currently?

Yes47%

Not yet – we're considering it39%

No13%

View Results

Any tips on ingraining the fundamentals of secure software development in your company culture? How have you secured support and ensured best practices permeate through every level of your org?

Read More Comments

Have you done cross training programs to train developers on cybersecurity skills? What should orgs keep in mind when attempting to start these sorts of initiatives?