Peer-Driven Insights

Secure Code & Automation (DevSecOps)

About this topic

Secure code and automation refers to integrating security practices and automated tools into the software development lifecycle. These approaches reduce vulnerabilities and accelerate the secure delivery of applications.

Community Posts

Purple teaming — can anyone recommend best practices for getting your org started?

Read More Comments

How is the 2023 US cyber strategy impacting software development so far, based on what you’re seeing in the industry? Is the push for software liability having an impact yet?

What are you using to do software composition analysis (SCA) scans?

Read More Comments

Does your org ever send developers to app sec conferences?

Yes, regularly 52%

Yes, on occasion/if requested by team or managers42%

No6%

Unsure / show results

View Results

Any recommendations for secure software development assessment tools? What’s your preference?

Read More Comments

What sorts of issues/challenges would you anticipate if you were to take a ‘secure by design’ approach to GenAI tools? What are the most important differences in the context of AI compared to other software?

What are some limitations of red teaming as a method for testing GenAI tools/LLMs?

Read More Comments

Have you ever had to defend DevSecOps to a skeptical C-suite exec? How did you convince them of the importance of security in software development?

Read More Comments

Do you have an AI application security program?

Yes33%

We’re currently considering it50%

We’re currently developing one10%

No6%

View Results

My security analyst is recommending we shut off access to third-party personal email accounts to reduce the risk of attack as a result of phishing attempts through these platforms. Is this something many companies do?

Read More Comments

Anyone doing purple teaming currently? Looking for recommendations for an automated security validation platform that's aligned to MITRE ATT&CK.

Read More Comments

What’s your current approach to preventing data injection into your commands framework? Do you place more focus on secure coding practices, testing, patching, user input validation or something else altogether?

Read More Comments

Has anyone started exploring the incorporation of AI tools and training into their developer communities, particularly in the government space where we tend to be more risk-averse? I’m interested in hearing about the strategies you're using to evaluate these tools and how you distinguish between those offering real value and those that might be overhyped. While tools that simplify code reviews, generate test cases, and ensure automated test coverage are top of mind, I recognize there may be other valuable AI applications. I’d love to hear how others are navigating this space, especially in areas where risk management is a key consideration.

Read More Comments

When it comes to internal development, how often do security team members attend kickoff meetings for new software projects?

Always23%

Often46%

Sometimes20%

Rarely10%

Never1%

View Results

How does your org securely integrate acquired code after M&A? Do you have a set process, or does it vary based on the company being acquired?

I'm looking for a tool to manage application security requirements for our organization. The requirements need to include both regulatory requirements (healthcare) and threat-based requirements through a lightweight threat modeling component. So far, SD Elements looks like a lone winner in this market segment. Does anyone have experience with them or one of their competitors? SD Elements is intriguing as it would also help us track compliance to the requirements thereby helping to measure progress and outcomes.