Hey infosec, let's be clear: devs are not stupid, nor are they uncaring about security. Consider what we've done to them:
We gave them pen tests, conducted after the software was already live, that opened a pile of bugs with little context on how to fix them, and then we shamed them for having vulnerabilities in the first place.
So then we mandated secure code training, based on the OWASP Top 10, with no practical guidance or language-specific remediations.
So then we introduced SAST, with the great intention of breaking the build/release cycle on findings, but the results were fraught with false positives and gave no clear direction for prioritization.
The list goes on. But each time we implement a tool or process without starting first with the developer perspective, we lose credibility and frustrate our devs. To succeed in #DevOps, developers must come first and we must #DoBetterBeBetter. Stop building security tools and processes and forcing them on devs. Build developer tools that make securing software easier.
Check out our DevSecOps Hub to learn more, and feel free to comment below with your thoughts.