Software Engineering Institute

In aiming for correctness and security of product, as well as for development speed, software development teams often face tension in their objectives. During a recent customer engagement that involved the development of a continuous-integration (CI) pipeline, developers wanted to develop features and deploy to production, deferring non-critical bugs as technical debt, whereas cyber engineers wanted compliant software by having the pipeline fail on any security requirement that was not met. In this SEI Podcast Alejandro Gomez, a researcher in the SEI’s CERT Division who worked on the customer project, talks with principal researcher Suzanne Miller about how the team explored—and eventually resolved—the two competing forces of developer velocity and cybersecurity enforcement by implementing DevSecOps practices.