So security, if we can agree on it, is a catch-up game.
I have more than 15 years of security experience, and every single time I have felt that I was running behind: behind developers, business goals, release times, policy, and many, many more things.
Trying to negotiate a deadline or QA, threat modeling constantly, and getting into the CI/CD pipeline in the development environment is always a struggle.
You have a backlog the size of Iguazu Falls and can barely catch up, and, let's face it, developers are extremely clever at back-channeling to get their feature requests in faster for an ever hungrier business development team.
And security can wait, right? After all, nothing can really happen in a few days, or hours, and we can always add more firewalls and so on.
But that is never the case. As we struggle to automate tests, incorporate more checklists and be in every meeting and every decision, one thing is obvious: we are an intrinsic part of development, and we should become the friend who takes the extra step to make it easier, who tells everybody to wear a coat because it is cold or take an umbrella because it might rain... without being the paranoid one or a pain.
For that reason I started a small repo on GitHub, and a weekly meetup, to tell stories and share advice, small recipes, and little pieces of code that can go a long way in SecDevOps, helping fellow Security Engineers and Architects to evangelize caution.
Security should be about protection, oversight, recommendations and thoughtful watchfulness; we are here to help, not to be an inconvenience or a barrier to business.