# The Key to DevSecOps Success: Cross-Team Knowledge Sharing

By [Taylor Smith](https://www.paloaltonetworks.com/blog/author/taylor-smith/?ts=markdown "Posts by Taylor Smith"), Feb 02, 2023, 5 minutes

[Code Security](https://www.paloaltonetworks.com/blog/cloud-security/category/code-security/?ts=markdown) | [DevSecOps](https://www.paloaltonetworks.com/blog/category/devsecops/?ts=markdown) | [IaC](https://www.paloaltonetworks.com/blog/tag/iac/?ts=markdown) | [Open Source](https://www.paloaltonetworks.com/blog/tag/open-source/?ts=markdown)

A good DevSecOps strategy goes beyond having the right tools and processes in place: it requires consistent and, crucially, bi-directional feedback and learning.
Security and engineering teams have very different priorities and strengths, but that doesn't mean they have nothing to learn from each other. This year, make it a resolution to create a culture of bi-directional learning between these two teams and reap the benefit of improved collaboration. Here are the top things each team can learn from the other to break down silos in the name of [DevSecOps](https://www.paloaltonetworks.com/blog/prisma-cloud/a-primer-on-secure-devops-learn-the-benefits-of-these-3-devsecops-use-cases/?ts=markdown).

## What Security Teams Can Learn From Developers

Part of [embracing DevSecOps](https://www.paloaltonetworks.com/blog/prisma-cloud/building-the-business-case-for-devsecops/?ts=markdown) requires relinquishing some amount of control. Security teams aren't going anywhere anytime soon, but to fully embrace DevSecOps, they have to rely on training and automation and trust that developers are capable of securing their own code.

A lot of the current DevSecOps narrative is focused on how developers need to take more security ownership or learn how to be better at security. While we do know we can always be improving, we also think [security teams can make strides to be more collaborative](https://www./cyberpedia/what-is-devsecops) and proactive. So let's look at some tactical things security teams can take out of developers' books to improve their own workflows.

#### 1. Always Be Testing

Developers are always testing, going so far as doing [test-driven development](http://agiledata.org/essays/tdd.html), where tests---such as unit and integration tests---are written before the first line of code is even typed. This is something security teams should get in the habit of doing, at least to some extent, to ensure application architecture is secure by design.
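As an added example (not code from the original post), here is what the test-first habit looks like when applied to infrastructure: a security check written before the template it guards exists, so that a publicly readable S3 bucket fails the build the moment someone declares one. The check runs over a CloudFormation template parsed from JSON; both templates in the block are constructed sample inputs, and the rule names (`s3-public-acl`, `s3-public-access-block`, `s3-anonymous-policy`) are invented for this illustration.

```python
"""Test-first security check: no publicly readable S3 buckets in a CloudFormation template.

The check inspects each AWS::S3::Bucket for a public canned ACL and for a
PublicAccessBlockConfiguration that does not enforce all four block flags, and
each AWS::S3::BucketPolicy for an unconditional Allow to the anonymous principal.
The two templates at the bottom are constructed sample inputs, not real infrastructure.
"""
import json
from dataclasses import dataclass

PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
BLOCK_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


@dataclass(frozen=True)
class Finding:
    resource: str  # logical id of the offending resource
    check: str     # identifier of the rule that fired (names invented for this example)
    detail: str


def check_bucket(logical_id: str, props: dict) -> list[Finding]:
    """Flag a public canned ACL or an incomplete public-access block."""
    findings = []
    acl = props.get("AccessControl", "Private")
    if acl in PUBLIC_ACLS:
        findings.append(Finding(logical_id, "s3-public-acl", f"AccessControl is {acl}"))
    block = props.get("PublicAccessBlockConfiguration", {})
    missing = [flag for flag in BLOCK_FLAGS if block.get(flag) is not True]
    if missing:
        findings.append(Finding(logical_id, "s3-public-access-block", "not enforced: " + ", ".join(missing)))
    return findings


def _principals(principal) -> set[str]:
    """Normalise a policy Principal (string, dict or list) into the set of principal strings it names."""
    if isinstance(principal, str):
        return {principal}
    if isinstance(principal, dict):
        return set().union(*(_principals(v) for v in principal.values())) if principal else set()
    if isinstance(principal, list):
        return set().union(*(_principals(p) for p in principal)) if principal else set()
    return set()


def check_bucket_policy(logical_id: str, props: dict) -> list[Finding]:
    """Flag Allow statements granted to '*' without any Condition narrowing them."""
    findings = []
    statements = props.get("PolicyDocument", {}).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(Finding(logical_id, "s3-anonymous-policy",
                                    f"statement {i} allows Principal '*' with no Condition"))
    return findings


CHECKS = {"AWS::S3::Bucket": check_bucket, "AWS::S3::BucketPolicy": check_bucket_policy}


def scan_template(template: dict) -> list[Finding]:
    """Run every applicable check over the template's Resources block."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(logical_id, resource.get("Properties", {})))
    return findings


def template_is_clean(template: dict) -> bool:
    """The assertion a unit test or CI gate makes before the template may be applied."""
    return not scan_template(template)


# Constructed sample: the well-documented "public bucket" misconfiguration.
INSECURE_TEMPLATE = json.loads("""
{"Resources": {
  "ReportsBucket": {"Type": "AWS::S3::Bucket",
                    "Properties": {"AccessControl": "PublicRead"}},
  "ReportsPolicy": {"Type": "AWS::S3::BucketPolicy",
                    "Properties": {"Bucket": {"Ref": "ReportsBucket"},
                                   "PolicyDocument": {"Statement": [{
                                     "Effect": "Allow", "Principal": "*",
                                     "Action": "s3:GetObject",
                                     "Resource": "arn:aws:s3:::example-reports/*"}]}}}}}
""")

# Constructed sample: the same bucket with public access blocked and a scoped principal.
HARDENED_TEMPLATE = json.loads("""
{"Resources": {
  "ReportsBucket": {"Type": "AWS::S3::Bucket",
                    "Properties": {"PublicAccessBlockConfiguration": {
                      "BlockPublicAcls": true, "BlockPublicPolicy": true,
                      "IgnorePublicAcls": true, "RestrictPublicBuckets": true}}},
  "ReportsPolicy": {"Type": "AWS::S3::BucketPolicy",
                    "Properties": {"Bucket": {"Ref": "ReportsBucket"},
                                   "PolicyDocument": {"Statement": [{
                                     "Effect": "Allow",
                                     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportReader"},
                                     "Action": "s3:GetObject",
                                     "Resource": "arn:aws:s3:::example-reports/*"}]}}}}}
""")


if __name__ == "__main__":
    for name, tpl in (("insecure", INSECURE_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(f"{name}: {'PASS' if template_is_clean(tpl) else 'FAIL'}")
        for f in scan_template(tpl):
            print(f"  {f.check} on {f.resource}: {f.detail}")
```

Wired into a CI job, `template_is_clean` becomes a gate that rejects the insecure template with three findings and passes the hardened one; the point is that the check existed before the bucket did, so the misconfiguration is caught at design time rather than discovered in production.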
At the design phase, security teams can ideate on new attack surfaces and incorporate the necessary testing to [identify misconfigurations and vulnerabilities from the start](https://www.paloaltonetworks.com/prisma/cloud/cloud-code-security?ts=markdown).

#### 2. If It's Repeatable, It's Automatable

The [advantage of DevOps](https://www.paloaltonetworks.com/blog/prisma-cloud/scaling-in-the-cloud/?ts=markdown) is increased speed and agility, meant to accelerate time to market. This is only accomplished by automating away the toil of manual operations tasks. The same goes for DevSecOps. Automating security testing at every stage of the development lifecycle is the only way to eliminate the manual toil of finding common misconfigurations and known vulnerabilities. Build the security testing from the previous lesson into the tools developers already use.

#### 3. Leverage Open Source

Developers know there is no reason to reinvent the wheel: good code only needs to be written once. That's why developers often look to incorporate open source components into their apps and services to fulfill basic requirements, so they can focus on building the new capabilities and functionality that differentiate their offerings. Security teams can do the same, implementing [open source tools](https://www.checkov.io/) that have been vetted by the community and customizing them to their team's specific needs.

If security teams can incorporate some of these developer traits and tap into the developer mindset, it will help them work more efficiently and better with their developer counterparts. Plus, security teams may be able to repay the favor and impart a few things that will help developers improve their workflows and outcomes.

## What Developers Can Learn From Security Teams

This is not a post about how making developers into "security champions" is the only way to have secure code.
It's about recognizing the different working styles of engineering and security teams and identifying security engineers' practices that could be useful to developers. Here are a few security-centric skills and mantras that can help reduce friction between teams and benefit each mutually.

#### 1. Ignorance Is Not Bliss

If you spend any time with security teams, you'll know that visibility is the number one priority. Knowing your attack surface is more important than trying to fix everything. That way, teams can make a conscious decision about which risks they are willing to accept as necessary to enable the business. Like security, developers would be better served by getting visibility into all of the risks---including stability, cost and security---as early and consistently as possible. That way, engineering can weigh the cost-benefit of ignoring or fixing these issues.

#### 2. Prioritize the Low-Hanging Fruit

Like developers, security teams enjoy hunting down and finding that advanced threat. However, they know that although it's fun (and oftentimes terrifying) to find that super intense zero-day, the likelihood of being popped by a bot trying all the [known misconfigurations and vulnerabilities](https://www.gartner.com/smarterwithgartner/focus-on-the-biggest-security-threats-not-the-most-publicized) is much higher than a nation-state with a targeted attack. Developers can follow a similar model, knocking out the low-hanging-fruit bugs that are well documented, such as [publicly available S3 buckets](https://securityboulevard.com/2021/03/another-s3-bucket-leads-to-breach-of-50k-patient-records/), and only then worrying about the multi-dependency, undiscovered zero-day.

#### 3. Defense in Depth

Going back to recommendation number one, security teams are aware that not all bugs are patchable. Many times a new vulnerability, like Log4Shell, is easy to exploit but hard to patch everywhere. That's when it pays to have a compensating control in place.
Developers with known vulnerabilities can add additional protections like a [WAF](https://www.paloaltonetworks.com/prisma/cloud/web-application-API-security?ts=markdown) to their [infrastructure as code](https://www.paloaltonetworks.com/blog/prisma-cloud/what-is-infrastructure-as-code-the-best-way-to-fully-control-your-cloud-configuration/?ts=markdown) templates that can block attempted exploits. This isn't as good as patching the source, but it does buy time to do the patching right.

## Conclusion

If developers and security teams work together and cross-pollinate, both organizations benefit. Security teams can help themselves by learning from developers to automate and scale their practices to maintain an even better posture. And developers benefit from fewer blockers leading to higher velocity---without compromising security.

Want to learn more about shift-left security? Read our [DevSecGuide to Infrastructure as Code (IaC) Security](https://start.paloaltonetworks.com/devsecguide-to-infrastructure-as-code) and discover how you can leverage IaC and DevSecOps to secure your cloud.

This post originally appeared on [DZone](https://dzone.com/articles/2022-new-years-resolution-dev-and-sec-cross-team-l).