The days of security and development working side by side in separate silos are over. With the DevOps-induced security “shift left,” security testing now falls in the realm of the developer, and leaves security in more of an enabling, rather than enforcing, role. And this new role requires a new understanding of developer priorities and processes. The security function cannot be effective in a DevSecOps world without a thorough grasp of how developers work, the tools they use, the challenges they face and how security fits into this picture.
In a DevSecOps environment, developers own the testing of applications in their development environment, fixing flaws to pass policy and continuing to build code. Security owns setting policies, tracking KPIs and providing security coaching to developers. In addition, security is responsible for providing developers with support in integrating scalable tools like Veracode into their SDLC.
With the traditional security role of running scans on comp