Peer-Driven Insights

Secure Code & Automation (DevSecOps)

Active Ambassadors in This Topic

Sriram Lakshmanan

Sriram Lakshmanan

Genpact

, 10k+

India
Kevin Tambascio

Kevin Tambascio

Cleveland Clinic

Healthcare and Biotech, 10k+

United States
Dr Aaron Isaacs

Dr Aaron Isaacs

VXI GLOBAL SOLUTIONS, LLC

Services (non-Government), 10k+

United States
View All Community Ambassadors

Community Posts

Non-human identities (NHIs), such as API keys, service accounts, and tokens, outnumber humans by 25 to 50 times and often go ungoverned. From Entro’s 2025 report:
• 90% have excessive permissions
• 44% are exposed in the wild
• 91% of stale secrets are never revoked

What helped us: inventory, assign owners, right-size access, monitor behavior, and test continuously.

How mature is your NHI program? Biggest barrier, tooling, ownership, or adoption?

Does your org incorporate input from development teams before deciding which AppSec tool to purchase?

Yes, always32%

Sometimes58%

No8%

Unsure1%

View Results

When it comes to internal development, how often do security team members attend kickoff meetings for new software projects?

Always23%

Often46%

Sometimes20%

Rarely10%

Never1%

View Results

How do you encourage your software staff to follow security best practices? Have you ever had problems with developers who aren’t following formal security processes after they’re in place?

Does anyone have experience or feedback regarding use of Wazuh as a SIEM, specifically for a small (~50 person) company and with all infrastructure in the public cloud?

Read More Comments

How are you keeping DevOps and security teams aligned when it comes to securing microservices and serverless architectures?

Read More Comments

How do you encourage your software team to work collaboratively on security — both within the team and with other departments?

Have you added any GenAI tools to your DevSecOps pipeline, or are you still worried about introducing security problems?

Read More Comments

How are you improving API security testing?

Read More Comments

Has anyone started exploring the incorporation of AI tools and training into their developer communities, particularly in the government space where we tend to be more risk-averse? I’m interested in hearing about the strategies you're using to evaluate these tools and how you distinguish between those offering real value and those that might be overhyped. While tools that simplify code reviews, generate test cases, and ensure automated test coverage are top of mind, I recognize there may be other valuable AI applications. I’d love to hear how others are navigating this space, especially in areas where risk management is a key consideration.

Read More Comments

Do you have an AI application security program?

Yes36%

We’re currently considering it50%

We’re currently developing one7%

No6%

View Results

If there’s only enough budget to send a few devs to one AppSec conference for the year, which one would you go with? Which conference would likely be most valuable to level up DevSecOps at your org?

Read More Comments

Have you found success using NIST’s secure software development framework (SSDF)? Would you recommend it to a colleague as an effective way to mitigate risk during development?

Any tips on ingraining the fundamentals of secure software development in your company culture? How have you secured support and ensured best practices permeate through every level of your org?

Read More Comments

Have you done cross training programs to train developers on cybersecurity skills? What should orgs keep in mind when attempting to start these sorts of initiatives?

Do you think the backdoor in xz Utils is a sign of things to come? Are you expecting software supply chain attacks on open source to increase even further this year?