In the world of software development, speed and security are often viewed as natural enemies: development teams, under pressure to move ever faster, complain of security measures creating “friction” that slows them down.

But it doesn’t have to be that way. It’s possible to build high-quality software products, with security built in, at the speed the market demands. It just takes automation—automated security testing tools and policies. While the human element will always be necessary, doing everything manually won’t cut it.

That’s the key takeaway from a recent survey by the SANS Analyst Program. The “SANS 2022 DevSecOps Survey: Creating a Culture to Significantly Improve Your Organization’s Security Posture” found that while it takes a significant, ongoing investment to bring together the three teams involved in building software products—development, security, and operations (DevSecOps)—“the benefits are well documented.”

Why should you care? For the same reasons you care that your vehicle is built with quality parts and safety features. Your safety is at stake. Today, software is embedded in every element of your life—even if you don’t create it, you rely on it.

And if that software contains vulnerabilities that criminal hackers can exploit, not only can it undermine all the conveniences software provides, it can also hurt you in multiple ways—financial, personal, and physical. Indeed, it doesn’t really matter how cool and edgy a product purports to be if it doesn’t work as intended or isn’t secure.

That’s why it’s so important that those three teams work well together. There is a natural tension between Sec and DevOps that has been dissected at security conferences for more than a decade. The major pressure on the security team is what the name implies—to make the software in a product as bulletproof as possible. The major pressure on developers and operations teams, though, is speed—to get a product to market before the competition does.

Developers have responded to that push for speed—deployments have increased exponentially over the past decade. Understandably, they don’t want anything to slow them down, and for years the perception has been that security testing does just that.

But security teams have been working just as hard to eliminate friction through automation. James Rabon, senior product manager with the Synopsys Software Integrity Group, noted that “automation is king, and the only way forward for DevSecOps.”

Fortunately, automation is available. Even better, 83.3% of survey respondents said they have “build automation.” And the percentage of respondents reporting that they consider “automated test coverage” to be a key performance indicator jumped from 28.4% to 45.1% in a single year.

Automated testing tools can conduct static and dynamic application security testing, which expose defects as code is being written and as it’s being run, respectively. Another tool, software composition analysis, helps developers find and fix known vulnerabilities and potential licensing conflicts in open-source software components.

Yet another automated tool, application security orchestration and correlation, can be configured to run the right test at the right time at any point within the software development life cycle, depending on the needs and priorities of an organization.

And policy-as-code lets the security team create digital guardrails that, among other things, prevent developers from being overwhelmed with notifications about trivial defects.

All of that helps eliminate the friction that can slow development. Indeed, finding and fixing defects early and throughout development is both much cheaper and much faster than doing it at the end.

Of course, there is always room for improvement, and the survey yielded a number of recommendations to help DevSecOps function more efficiently and effectively.

Cloud benefits and risks: SANS says cloud-managed services generally provide improved security and financial benefits worth exploring. But the report also notes that as organizations move toward using multiple cloud-hosting providers, “the work of securing each cloud environment increases exponentially.” Cloud security posture management software can help address that.

Be agnostic with tools: An organization’s testing policy should be able to work seamlessly with different tools and vendors.

Evaluate, evaluate, evaluate: It’s not enough simply to measure performance if you’re not measuring the right things. For example, tracking the number of open (as in, not fixed) security vulnerabilities is good. But it’s much better to track how many of those rank as trivial, severe, or critical.

All of which, as the SANS report concludes, can help organizations “focus on the path to DevSecOps excellence.”
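As an added illustration of the policy-as-code guardrail and the tool-agnostic, severity-ranked tracking recommended above (example code written for this page, not from SANS or Synopsys), the following Python gate normalizes findings from different scanners into the three ranks the text uses, suppresses trivial findings from developer notifications, and fails the build only on severe or critical ones. The policy values, label mapping, CVSS thresholds and findings are all constructed assumptions.

```python
from collections import Counter

# Constructed policy: which ranks break the build and which rank is
# suppressed from developer notifications (the "digital guardrail").
POLICY = {"fail_on": {"critical", "severe"}, "suppress": {"trivial"}}

# Tool-agnostic mapping from vendor severity labels (assumed names) to
# the three ranks used in the text: trivial / severe / critical.
LABEL_RANK = {"critical": "critical", "high": "severe", "medium": "severe",
              "low": "trivial", "info": "trivial"}


def rank(finding):
    """Normalize one finding to a rank: from a CVSS score when present
    (typical of SCA output), otherwise from the tool's own label (typical
    of SAST). Unknown labels fall back to "severe" so that a new vendor
    vocabulary is never silently suppressed."""
    score = finding.get("cvss")
    if score is not None:
        if score >= 9.0:
            return "critical"
        return "severe" if score >= 4.0 else "trivial"
    return LABEL_RANK.get(finding.get("severity", "").lower(), "severe")


def evaluate(findings, policy=POLICY):
    """Apply the policy: build verdict, blocking finding ids, ids worth
    notifying developers about, and counts per rank (the KPI)."""
    ranked = [dict(f, rank=rank(f)) for f in findings]
    blocking = [f["id"] for f in ranked if f["rank"] in policy["fail_on"]]
    notify = [f["id"] for f in ranked if f["rank"] not in policy["suppress"]]
    return {
        "passed": not blocking,
        "blocking": blocking,
        "notify": notify,
        "by_rank": dict(Counter(f["rank"] for f in ranked)),
    }


# Constructed findings, shaped like what a pipeline might collect from a
# SAST tool (severity label) and an SCA tool (CVSS score).
FINDINGS = [
    {"id": "sast-1", "severity": "High", "rule": "sql-injection"},
    {"id": "sast-2", "severity": "Info", "rule": "unused-import"},
    {"id": "sca-1", "cvss": 9.8, "package": "example-lib"},
    {"id": "sca-2", "cvss": 3.1, "package": "other-lib"},
]

if __name__ == "__main__":
    print(evaluate(FINDINGS))
```

Swapping scanners only requires extending the label mapping, which keeps the policy itself unchanged across vendors.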