Five insights to strengthen your DevSecOps strategy
Blog|by Kieran Hollingsworth|17 December 2025
Security isn’t an add-on. It’s an integral part of how you build, test, and deliver software. That’s what’s at the heart of DevSecOps – and why it matters for every modern development team.
In season three of Grey Matter Talks Tech, we sat down with Richard Fennell, CTO at Black Marble, to unpack what DevSecOps really means, and how you can make it second nature.
Here are five practical insights you can apply today.
DevSecOps is just good DevOps
First up, we heard from Richard, who made the case that DevSecOps shouldn’t be seen as something separate from DevOps, but as an extension of good DevOps practice.
Security should be embedded throughout the development lifecycle, not bolted on at the end. This is the “shift left” mentality: moving security testing earlier in the process, because an issue found in development or testing is far cheaper to fix than one discovered in production.
Make security a part of the culture of your business
Another key point the trio discussed was the culture of your business. Our security expert, Scott, emphasises the importance of making security a shared responsibility rather than a gatekeeping function: the security of your business shouldn’t rest on one team.
Part of doing this effectively is training and awareness around security fundamentals. Several of our key vendors offer security awareness training, including KnowBe4, Acronis and ESET.
Tooling and automation
Manual checks slow you down and leave gaps. Automation is essential in the modern workplace.
In our podcast, we gave an overview of the tools you can use to automate static and dynamic analysis and integrate them into your pipelines:
- Dependency analysis: tools like GitHub Dependabot (part of the GitHub Advanced Security tooling), OWASP Dependency-Check and SonarQube help identify known vulnerabilities in third-party packages.
- Code analysis: tools like CodeQL and SonarQube flag insecure coding patterns (for example, SQL injection risks).
- Integration: These tools should be wired into build pipelines and run on every commit or pull request.
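As an added example (not code from the podcast, Black Marble or Grey Matter), here is a minimal GitHub Actions workflow that wires two of the tools above into every push and pull request: CodeQL for code analysis and GitHub’s dependency review for third-party packages. The branch name, the JavaScript/TypeScript language choice and the severity threshold are assumptions; adjust them for your repository. The workflow also keeps the CI token to least privilege, which is worth doing whatever tools you plug in.

```yaml
# .github/workflows/security-checks.yml
# Added example, not from the original page. Assumes a JavaScript/TypeScript
# code base on a `main` branch; change the matrix and branch names as needed.
name: security-checks

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Default token permissions for the whole workflow: read-only.
# Each job below raises only the scopes it actually needs.
permissions:
  contents: read

jobs:
  codeql:
    name: Static analysis (CodeQL)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF results to code scanning
    strategy:
      matrix:
        language: [javascript-typescript]   # assumption: add e.g. python, java-kotlin as needed
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended   # broader security query suite than the default
      - uses: github/codeql-action/analyze@v3

  dependency-review:
    name: Dependency analysis (pull requests only)
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # lets the action post its findings as a PR comment
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high         # assumption: block the merge on high/critical advisories
          comment-summary-in-pr: always
```

The CodeQL job runs on every push and pull request, so insecure patterns are reported against the commit that introduced them; the dependency review job compares the dependency manifests in the pull request against the base branch and fails the check if a newly added or upgraded package carries an advisory at or above the configured severity. Scheduled dependency updates and alerts for packages already in the tree are configured separately in `.github/dependabot.yml`, not in the workflow.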
Another of our key vendors, JetBrains, offers static code analysis tooling such as Qodana, a code quality platform designed to run in continuous integration. Scott also recommends working with partners like AppCheck, who offer automated API and web application testing to help you identify and remediate vulnerabilities.
Stay ahead of frameworks and compliance
There is a growing number of cyber security frameworks and compliance requirements you need to keep up with, and we couldn’t skip over such an essential part of your DevSecOps strategy.
External frameworks like Cyber Essentials and ISO 27001 aren’t optional in practice: they’re often required by customers or regulators. They don’t, however, prescribe specific secure development practices, so they complement rather than replace the tooling and culture above.
Compliance platforms like CyberSmart can help you track progress against these frameworks and prove your credentials. Make this part of your DevSecOps strategy, not an afterthought.
Pitfalls and common mistakes
The biggest mistake you can make? Deferring security.
In our podcast episode, we discussed why security must be a consideration from day one (the shift left approach again).
Excessive permissions, shared accounts and a lack of MFA are common weaknesses in build and deployment environments, and you need to be aware of them. Monitoring is just as important as deploying the right tools; security is an ongoing process, not a one-off setup.
Listen to the episode
We’ve barely scratched the surface of the insights and topics covered in our podcast episode with Black Marble. Listen to the full episode for more key insights and to learn how you can adopt a DevSecOps mindset.
Keen to discuss how you can leverage these insights for your security strategy? Fill in the form below to get in touch with a member of our team.