Reviving DevSecOps: How Snyk’s new framework builds trust and collaboration

January 23, 2025

It’s been over a decade since DevSecOps was introduced as a transformative approach to software development, but adoption remains uneven. Despite its promise of seamless integration between development, security, and operations, only 38% of organizations report fully automating the addition of new projects, branches, or repositories into their security testing queues. 

This leaves the majority still relying on manual processes, which not only slow down workflows but create critical gaps in security coverage. The result? Persistent friction between security and engineering teams and an ongoing struggle to balance speed and safety in modern development pipelines.

Traditionally, implementing security into developer workflows results in long build and test times, blocking failures, and difficult integrations, leading to negative perceptions of security among developers. But it doesn’t have to be this way. By adopting a maturity model and framework designed for modern engineering practices and software construction, organizations can improve productivity and communication across engineering and security teams. 

Snyk’s latest whitepaper, DevSecOps is Dead, covers how organizations can move forward and fully embrace DevSecOps by building trust between engineers and security professionals to create more secure applications. 

Download the full whitepaper here. 

How DevOps became DevSecOps

The role of a software engineer has changed significantly since the early 2000s as agile methodologies, cloud computing, and open source were introduced, giving developers more flexibility and autonomy while enabling them to work faster. With this change came the idea of DevOps, which promoted the shared responsibility of the software development lifecycle (SDLC) and the embrace of continuous integration and delivery (CI/CD) practices. 

However, while these practices and tools sped up developer workflows, security issues began to increase because of a lack of visibility and an incomplete understanding of risk. To offset this increase, leaders began to move security to the forefront, and DevSecOps was born. 

The role of DevEx in DevSecOps

Shifting left emerged as a response to the growing need for earlier integration of security in the software development lifecycle, prioritizing proactive measures like automated testing and secure coding practices. However, this sudden integration became a point of friction for developers, as many felt security testing tools were put into workflows without consideration for their needs and preferences. 

When looking at DevSecOps and where it has gone wrong, developer experience (DevEx) is key. Recent research shows three conditions that result in higher productivity for developers: uninterrupted flow state, limited cognitive load, and short feedback loops. In its current state, DevSecOps cultivates none of these. 

Flow states aren’t respected, because security teams often interrupt work based on perceived rather than confirmed risk; cognitive load increases, because most security tools and processes don’t present all the facts relevant to a finding; and developers rely on AppSec teams for decisions, creating unnecessarily long feedback loops. The list goes on, but in its current iteration, DevSecOps limits developers’ ability to efficiently triage, prioritize, and manage vulnerabilities. 

Reviving DevSecOps with Snyk

When looking at the challenges facing developers today, it’s clear that there is a lack of trust between developers and security teams. Often, developers feel limited by security protocols, while security teams feel that risks and vulnerabilities are overlooked during development. Snyk’s DevSecOps Maturity Framework aims to align developers and security teams on organizational goals and application security outcomes by fostering collaboration and trust through three guiding principles:

  • Transparency: There must be transparency about vulnerabilities, controls, processes, documentation, and technical decisions. This creates trust across teams and makes it possible to automate security decisions. 

  • Structured accountability: Clear responsibilities and documented contracts enable teams to create and execute plans and infrastructures efficiently.  

  • Collaborative risk reduction: A shared framework for assessing and reducing risk aligns security teams and developers, enabling continuous improvement and self-service workflows. 

The framework’s six key pillars are:

  • DevOps foundations: Use automation and reliable processes and tools to empower teams.

  • Strategy and culture: Invest in long-term software risk management through values, goals, and planning. 

  • Security design: Aim to make the default choice for developers the most secure one through controls. 

  • Testing and monitoring: Use real-world threat intelligence to develop and implement software testing protocols. 

  • Response and remediation: Build an accountable program that reacts appropriately to risk findings. 

  • Analysis and governance: Use KPIs and key outcomes to drive continuous improvement.  

By using Snyk’s DevSecOps Maturity Framework, organizations can build a modern developer security program. Snyk’s framework helps reduce friction and siloed workflows between developer and security teams, promoting a culture dedicated to risk reduction and trust. 

With this shift, developers and security teams can move beyond traditional AppSec practices to an approach that truly integrates security into every step without slowing developers down. To learn more about developer security and building trust through modern principles, read the Snyk whitepaper, DevSecOps is Dead.
