Hey infosec, developers are not stupid. In general, developers want their code to be secure. However, where we run into issues, especially in DevOps, is the complexity of what we ask them to do to keep their code secure: secure code training, SAST tools that identify massive lists of vulnerabilities, post-deployment pen-tests that result in even more bugs on the backlog. It's never ending and overwhelming. How would you respond if, every time you completed a task, another group (or a tool they made you use) told you about all the mistakes you made?
So remember this when you're considering that next process, that next training, or that next security tool to introduce to the pipeline. Ask yourself: is this something a developer would want to use? If not, ask yourself why you're doing it then. Is your goal to help them produce safer code, or is it to make your life easier? Are your developers participating stakeholders in your tool selections? They should be.
Make them the focus of your efforts, not the afterthought.
Read more about how our friends at Segment approach this concept here.