Wallgren points out that DevSecOps is hot now and is changing the industry in the sense that security and quality are inextricably linked. Engineering teams, engineering managers, developers, and the developer community increasingly realize its value and the need to prioritize it and incorporate it into their process earlier—from the beginning—instead of sprinkling it on at the end as an afterthought.
For example, the financial services industry is a big adopter of DevOps and agile, but everything it does must be auditable, controllable, and governable. Wallgren says that one of their largest customers in the finance industry refers to this as “policy as code.”
And organizations want to shift governance left in an organizationally scalable way. From a security perspective, they need to delegate authority by teams instead of having one team with visibility over everything, which can create a bottleneck. “It's one thing to do this when you've got a team of 20 developers. It's another thing to do it when you've got 500 teams each with 50 developers on them, and to be able to do it at that kind of scale,” says Wallgren.
Once employees start to see that their peers and other teams in their organization prioritize security, the bar is raised. Organization-wide visibility and transparency of security practices can help demonstrate to laggards that it’s something you must do, and not something that some do for extra credit.
Wallgren further notes that organizations that prioritize security want to do this “as code” because code can be inspected, tested, and documented. To close the loop, they must focus on not just the security of their code or third-party code, whether it's open source or commercial, but also on the security of the systems they use to build, test, qualify, release, and deploy their code. So the pipeline itself must be secure.
In addition, one of the largest CloudBees/Synopsys joint customers says that when it’s running security scans, it doesn't want just anybody in the organization to be able to change those configurations. Intelligent Orchestration allows customers to say that not only is their code secure, but the pipeline itself is secure as well. Wallgren adds, “It's no longer good enough to be secure only at the border. You must be secure in the interior as well.”
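The two governance goals above, mandatory scans that cannot be quietly disabled and scan configuration that not just anybody can change, are the kind of rules "policy as code" expresses. The following is an added illustration, not code from CloudBees, Synopsys, or Intelligent Orchestration: the pipeline JSON layout, the protected paths, and the `SECURITY_OWNERS` approver group are assumptions made for the example.

```python
"""Policy-as-code check for a CI pipeline definition (added illustration).
Rule 1: the mandatory security-scan stages must be present and enabled.
Rule 2: a change touching scan configuration needs a security-owner approval.
Pipeline format, paths and group names are assumptions, not a vendor schema.
"""
import json

REQUIRED_SCANS = {"sast", "sca"}                  # assumed mandatory stages
SCAN_CONFIG_PATHS = ("pipeline.json", "scans/")   # assumed protected paths
SECURITY_OWNERS = {"sec-lead", "sec-eng"}         # assumed approver group


def check_required_scans(pipeline: dict) -> list:
    """Rule 1: return policy violations (an empty list means compliant)."""
    problems = []
    stages = {s["name"]: s for s in pipeline.get("stages", [])}
    for scan in sorted(REQUIRED_SCANS):
        stage = stages.get(scan)
        if stage is None:
            problems.append(f"missing required scan stage '{scan}'")
        elif not stage.get("enabled", True):
            problems.append(f"required scan stage '{scan}' is disabled")
    return problems


def check_change_approval(changed_paths, approvers) -> list:
    """Rule 2: only security owners may approve scan-configuration changes."""
    touches_scans = any(p.startswith(SCAN_CONFIG_PATHS) for p in changed_paths)
    if touches_scans and not (set(approvers) & SECURITY_OWNERS):
        return ["scan configuration changed without security-owner approval"]
    return []


def evaluate(pipeline_json: str, changed_paths, approvers) -> list:
    """Run both rules over a pipeline definition and a proposed change."""
    pipeline = json.loads(pipeline_json)
    return check_required_scans(pipeline) + check_change_approval(changed_paths, approvers)


# Constructed sample: a developer disabled SCA and only a teammate approved.
SAMPLE_PIPELINE = json.dumps({"stages": [
    {"name": "build", "enabled": True},
    {"name": "sast", "enabled": True},
    {"name": "sca", "enabled": False},
]})

if __name__ == "__main__":
    for violation in evaluate(SAMPLE_PIPELINE, ["pipeline.json"], ["dev-alice"]):
        print("VIOLATION:", violation)
```

Run as a required pipeline gate, a non-empty result blocks the change, which turns the governance rule into something inspectable and testable rather than a tribal convention.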