Why so many companies still find moving to DevSecOps hard

March 1, 2021
Allianz Insurance has been a leader in fostering a DevSecOps culture. Today’s columnist, Matias Madou of Secure Code Warrior, offers advice on how to bring the App Sec and DevOps teams together to create a collaborative DevSecOps approach. (sebastian.rittau CreativeCommons Credit: CC BY 2.0)
  • More tools do not equate to fewer problems.
  • Scanning tools are slow, which impacts release agility.
  • There are too many false positives (and negatives), so a security expert still has to sit there and do a manual review to sort the real bugs from the phantom bugs.
  • Far too many common vulnerabilities are revealed that should have been picked up before the code was deployed. Do companies really want their very expensive security experts distracted from big, complex security problems with the small stuff?
  • Scanners find issues; they don’t fix them.
  • Some tech-led automation can lead to diminished code quality.
  • It’s hard to strike a balance between tools and people.
