The intersection of software development, security, and government regulations is a challenging space; one where complexity often hinders progress. At Prodacity, a fireside chat session explored how DevSecOps has evolved, why security must become part of the development flow, and how organizations can reduce cognitive load for developers while maintaining compliance.
From DevOps to Platform Engineering: The Need for Guardrails
The rise of platform engineering is, in many ways, a response to early DevOps practices that prioritized speed over structure. The private sector learned quickly that “move fast and break things” introduces risk when nothing constrains what can be broken. Platform engineering emerged as a way to provide a paved road: a set of vetted defaults that gives developers flexibility without overwhelming them with configuration complexity.
In the public sector, agencies like the VA face even greater challenges. AWS, for example, exposes an enormous number of configuration options, and as the speakers pointed out, too much upfront complexity slows development. Platform engineering helps by offering pre-configured environments that let developers focus on building rather than getting lost in infrastructure decisions.
The Security Bottleneck and Why DevSecOps Needs a Rethink
DevSecOps has been around for a decade, but many of its implementations still struggle with friction between security and development teams. One of the biggest gaps? Developers can easily meet KPIs by delivering features and closing user stories, but there are often no direct consequences if applications ship with vulnerabilities. There is no metric that ties a breach back to the development decisions that enabled it.
Security bottlenecks happen when security is treated as an external function rather than an integrated process. As noted in the session, developers aren’t avoiding security best practices because they don’t care – often, they simply don’t know what’s required. Kubernetes security, for example, is still a mystery to many developers who are simply trying to ship applications.
A key takeaway? Security professionals need to be embedded into development teams in a ratio that allows them to understand the tech stacks they’re securing. This prevents bottlenecks before they start and turns security into an enabler rather than an obstacle.
What Actually Makes Developers Productive?
Productivity in software development is more than just code output. According to theCUBE Research, developers only spend 24% of their time actually writing code and the rest is lost to context-switching, security reviews, compliance processes, and other distractions. To be effective, engineers need:
- A flow state – uninterrupted time to focus on meaningful work
- Limited cognitive load – abstracting unnecessary complexity
- Short feedback loops – immediate, actionable responses
Currently, security processes often disrupt all three of these elements. Instead of providing real-time guidance, security tends to act as a “slap on the wrist” after something has gone wrong. The solution? Tools that give inline feedback, showing the security implications of a code change while it is being written, rather than vague vulnerability reports that arrive weeks later and that developers cannot immediately act on.
Reducing Complexity: Policy-as-Code and the Role of AI
One of the recurring themes in the discussion was that complexity never truly goes away; it just gets hidden behind additional layers of software. There are too many tools, too many microservices, and too much information for developers to process effectively.
The open-source community has started to address this through policy-as-code, a model in which security and compliance rules are written as machine-checkable policies and evaluated automatically in the workflow (at commit time, in CI, or at the cluster admission boundary). Rather than leaving security decisions to chance, organizations can provide clear boundaries for developers while still allowing flexibility within them.
AI is another area with potential. As was pointed out in the session, AI and ML will inevitably play a role in security, but they must be used strategically. Instead of replacing humans, AI should put developers in a better position by offloading low-value tasks so that engineers can focus on understanding threats and making informed decisions.
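As an added example (not code from the session or from any project it mentions), the following Python check shows what policy-as-code looks like in practice and, tying back to the earlier point about short feedback loops, how findings can be made immediately actionable: each one names the rule, the exact field, and the fix. The rule set, the rule identifiers (K8S-001 and so on), the image-digest and resource-limit requirements, and both sample manifests are assumptions constructed for illustration; in a real pipeline the same rules would typically live in a policy engine such as OPA/Gatekeeper or Kyverno rather than in hand-written Python.

```python
"""Policy-as-code guardrails for Kubernetes Pod specs (added example, not from the page)."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str     # short policy identifier (assumed naming scheme)
    path: str     # dotted location of the offending field
    message: str  # why this matters
    fix: str      # what the developer should change


def _containers(pod: dict) -> list[tuple[str, dict]]:
    """Return (path, container) for init and regular containers."""
    spec = pod.get("spec", {})
    return [(f"spec.{kind}[{i}]", c)
            for kind in ("initContainers", "containers")
            for i, c in enumerate(spec.get(kind, []))]


def evaluate_pod(pod: dict) -> list[Finding]:
    """Evaluate one Pod (or Pod template) against the guardrail rules."""
    findings: list[Finding] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Rule 1: sharing a host namespace gives the container a view into the node.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag) is True:
            findings.append(Finding("K8S-001", f"spec.{flag}",
                                    f"{flag}=true shares a node namespace with the pod",
                                    f"remove {flag} or set it to false"))

    for path, c in _containers(pod):
        sc = c.get("securityContext", {})
        name = c.get("name", "<unnamed>")

        # Rule 2: a privileged container is effectively root on the node.
        if sc.get("privileged") is True:
            findings.append(Finding("K8S-002", f"{path}.securityContext.privileged",
                                    f"container '{name}' runs privileged",
                                    "drop privileged; add only the capabilities you need"))

        # Rule 3: the Kubernetes default (true) lets setuid binaries gain privileges.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(Finding("K8S-003", f"{path}.securityContext.allowPrivilegeEscalation",
                                    f"container '{name}' allows privilege escalation",
                                    "set allowPrivilegeEscalation: false"))

        # Rule 4: require non-root; a container-level value overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(Finding("K8S-004", f"{path}.securityContext.runAsNonRoot",
                                    f"container '{name}' may run as root",
                                    "set runAsNonRoot: true at pod or container level"))

        # Rule 5: mutable tags make deployments unreproducible (substring check is a simplification).
        image = c.get("image", "")
        if "@sha256:" not in image:
            findings.append(Finding("K8S-005", f"{path}.image",
                                    f"image '{image}' is not pinned by digest",
                                    "reference the image as name@sha256:<digest>"))

        # Rule 6: missing limits let one workload starve the node.
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            findings.append(Finding("K8S-006", f"{path}.resources.limits",
                                    f"container '{name}' has no cpu/memory limits",
                                    "set resources.limits.cpu and resources.limits.memory"))
    return findings


def format_report(findings: list[Finding]) -> str:
    """Render findings the way an inline linter or CI annotation would."""
    if not findings:
        return "OK: no policy violations"
    return "\n".join(f"[{f.rule}] {f.path}: {f.message}. Fix: {f.fix}" for f in findings)


# Constructed sample manifests (assumptions for illustration, not real workloads).
UNSAFE_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
 "spec": {"hostNetwork": true,
          "containers": [{"name": "app", "image": "registry.example/app:latest",
                          "securityContext": {"privileged": true}}]}}
""")

HARDENED_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
 "spec": {"securityContext": {"runAsNonRoot": true},
          "containers": [{"name": "app",
                          "image": "registry.example/app@sha256:0123456789abcdef",
                          "securityContext": {"allowPrivilegeEscalation": false},
                          "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}
""")

if __name__ == "__main__":
    print(format_report(evaluate_pod(UNSAFE_POD)))
    print(format_report(evaluate_pod(HARDENED_POD)))
```

Run stand-alone, the unsafe manifest produces six findings (one per rule) and the hardened one produces none. The design point is that every finding carries the field path and the remediation, so the same check can run as a pre-commit hook, a CI annotation on the pull request, or an admission decision, giving the developer the answer at the moment they can act on it rather than as a report after the fact.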
What’s Next for DevSecOps?
The fireside chat closed with insights into where DevSecOps is heading:
- Kubernetes security needs better awareness – Too many developers lack experience with securing cloud-native applications.
- The VA is driving forward-thinking initiatives – There’s an effort to rethink how technology is built to solve real user problems.
- Platform engineering will continue to evolve – The goal isn’t just to simplify deployment, but to ensure that the risks organizations take on are worth the value they deliver.
Final Thought
The biggest challenge in modern development isn’t just security but balancing security, complexity, and developer productivity. The best security practices don’t slow developers down; they provide them with the right tools and immediate feedback to make better decisions.
For government agencies and enterprise organizations alike, the path forward isn’t just about shifting security left, it’s about making sure it’s actually useful when it gets there.