Peter Birkholm-Buch

Stuff about Software Engineering

Tag: DevSecOps

Move the Security Boundary to the Software Supply Chain

2026-03-13 /

Introduction

Something interesting is happening in software engineering right now. For a long time, infrastructure was the constraint. In the early days of enterprise IT, creating an environment meant ordering hardware, waiting for deliveries, configuring networks, and physically installing machines in data centers. It was slow, expensive, and operationally heavy.

Cloud computing changed that. With infrastructure-as-code and software-defined infrastructure, environments could suddenly be created in minutes. For the first time, infrastructure could move faster than the software being built on top of it. Developers could spin up databases, networks, and compute resources almost instantly, and many of the traditional operational bottlenecks disappeared.

But something has shifted again.

With the arrival of AI coding agents and increasingly powerful developer tooling, software can now be produced faster than compliant infrastructure can be created inside many enterprises. A developer with modern tools can explore ideas and produce working solutions at a remarkable pace. Meanwhile, creating environments that satisfy internal compliance requirements, governance processes, and security reviews can take days or weeks.

Infrastructure has become slow again—not because of technology, but because of process.

The result is a growing mismatch between the speed at which developers can innovate and the speed at which corporate governance allows experimentation to happen.

The Traditional Model

Most corporate security models are built on a simple assumption: control must begin at the developer machine. Developers work inside tightly managed environments, with locked-down laptops, restricted networks, controlled development environments, and tightly governed access to infrastructure.

The intention is understandable. These controls are meant to reduce risk and protect corporate systems and data.

In practice, however, they often produce the opposite outcome. Developers end up spending significant time navigating internal restrictions rather than experimenting with new ideas. The environment becomes optimized for compliance rather than exploration.

The problem is not security itself. The problem is where security is applied.

A Different Boundary

There is another way to think about this.

Instead of trying to tightly control the environments in which developers work, we can move the security boundary. Developers can operate in open, flexible environments outside the corporate firewall—using their own machines, cloud sandboxes, or experimental infrastructure where they can explore ideas quickly.

In this model the corporate firewall does not attempt to contain developer experimentation. Instead, it protects production systems and enterprise infrastructure.

The boundary between these two worlds becomes the one artifact that truly matters: the code.

Code as the Gateway

If code becomes the mechanism through which innovation enters the enterprise, then the logical place to apply security controls is at that gateway.

Platforms such as GitHub already provide the building blocks for this approach. Modern development platforms make it possible to apply automated verification whenever code enters a repository. Static analysis, secret scanning, dependency checks, policy enforcement through workflows, automated testing, and mandatory peer review can all be applied before code moves further downstream.

Security moves away from controlling developer workstations and toward controlling the software supply chain.

This shift aligns closely with several modern security frameworks. The recommendations from the Open Source Security Foundation and the model defined in SLSA both focus on protecting the integrity of builds, artifacts, and deployment pipelines rather than attempting to control the environments where developers write code. The same philosophy is reflected in the NIST Secure Software Development Framework.

In these models, the build pipeline itself becomes the security boundary.

Platform Engineering Inside the Enterprise

Once code passes these verification gates, it can move into the enterprise environment where platform engineering and DevOps teams take over. At this stage the organization can apply its full set of governance controls. Infrastructure patterns can be standardized, network policies enforced, runtime security monitoring enabled, and additional compliance checks applied.

Governance does not disappear in this model. It simply moves to a more effective location in the process.

Instead of governing experimentation, the organization governs what ultimately runs in production.

Why This Matters Now

The pace of technological change has accelerated dramatically. AI-assisted development means that developers can prototype ideas, test technologies, and explore new architectures faster than ever before.

If corporate processes require weeks to create compliant environments for experimentation, developers simply cannot move at the speed modern tools allow. When that happens, organizations risk something more serious than slow development. They risk becoming unable to explore new technologies at all.

Innovation requires the ability to try things quickly, discard ideas that do not work, and double down on the ones that do. When experimentation becomes difficult, innovation quietly disappears.

Trust the Process, Not the Laptop

Traditional enterprise security assumes that control must begin with the developer workstation. Modern software supply chain thinking suggests a different perspective.

What matters most is not where code is written. What matters is how code is verified before it reaches production systems.

The open source ecosystem has operated this way for decades. Thousands of developers contribute code from anywhere in the world, yet the most critical infrastructure software on the planet is built using this model. The security controls focus on review, testing, and artifact verification rather than on controlling contributor laptops.

Enterprises can adopt the same principle.

A Practical Balance

Allowing developers to experiment outside the firewall while enforcing strong controls on the code entering the enterprise creates a more balanced system. Developers retain the freedom required to explore ideas and work with modern tooling, while organizations maintain governance, compliance, and security verification where it matters most.

In an age where AI is accelerating the speed of software creation, the most effective place to apply control is no longer the developer machine.

It is the software supply chain.

References

  • OpenSSF – Software Supply Chain Security: https://openssf.org
  • SLSA – Supply-chain Levels for Software Artifacts: https://slsa.dev
  • NIST Secure Software Development Framework (SSDF): https://csrc.nist.gov/Projects/ssdf
  • GitHub Advanced Security: https://github.com/security/advanced-security

The Intersection of DevEx and DevSecOps: We need a New Way Forward

2024-10-14 /

Developer Experience (DevEx) is critical for productivity, impact and retaining talent. In a world where software engineers are constantly asked to deliver more, faster, and more securely, companies can’t afford to treat DevEx and DevSecOps as separate priorities.

When these areas are siloed, we end up with fragmented workflows, frustrated developers, and disjointed experiences—counteracting the benefits of initiatives like unified development platforms. To move forward, we need an integrated approach to DevEx and DevSecOps, making security a seamless part of the development process while avoiding the fragmentation that current approaches have caused.

The current fragmented approach to DevSecOps is undermining Developer Experience. DevEx and DevSecOps serve different purposes, but poorly implemented DevSecOps practices can harm DevEx, reducing efficiency and developer satisfaction. It’s about ensuring security practices support developer productivity rather than interfere with it.

The Fragmentation Problem: A Warning for Growing Complexity

As organizations scale, it’s easy to fall into the trap of adding more tools to address new challenges—especially in security. Each new vulnerability or compliance requirement often results in adopting yet another tool. On the surface, this might seem like progress, but in reality, it adds complexity.

Each new platform comes with its own requirements, logins, and signals. Developers must toggle between different tools, piecing together information from multiple sources. This disrupts their workflow and increases the risk of errors. The very tools intended to improve security end up creating friction.

This fragmented approach seems common in many organizations. As more platforms are introduced, workflows become disjointed, and maintaining a unified process becomes harder. The result? Security becomes reactive, and developers spend less time building and improving software.

We need to rethink how we integrate security into the development process. A consolidated approach can help avoid these pitfalls while enhancing both security and productivity.

Our Success with Platform Consolidation: Improving Security and Developer Experience

At Carlsberg, we took a deliberate approach to consolidating our software development tools onto a single platform—GitHub—and used GitHub Advanced Security (GHAS) to shift security left into the developer workflow. This allowed us to address security vulnerabilities at their source, directly within the tools developers are already familiar with.

By integrating security into the developer workflow, our developers could use AI-powered tools like GitHub Copilot to write more secure code as they worked. This approach streamlined the process, reducing the need for developers to toggle between multiple platforms and ensuring that the code we deployed was free from known security vulnerabilities at the time of writing. The impact on Developer Experience (DevEx) has been significant—security is now a natural part of the development process, not an afterthought.

This consolidation not only raised our security posture but also improved developer productivity. By reducing context-switching and embedding security into the natural flow of work, we created a more cohesive, efficient development environment where developers felt empowered to take ownership of both the code and its security.

The Opposite Trend in DevSecOps: Tool Fragmentation and Complexity

While we’ve seen success in consolidating our platform and raising both security and Developer Experience, it’s the norm for many organizations to face the opposite challenge. When implementing DevSecOps, the introduction of more security tools often leads to a fragmented workflow. Developers are required to interact with multiple platforms, each with its own set of logins, signals, and processes, which disrupts their focus and lowers productivity.

Research has shown that this tool-centric approach to DevSecOps can lead to operational gaps, inefficiencies, and a disjointed developer experience. The very tools designed to improve security end up creating friction, making it harder for developers to get their work done. In addition, the immaturity of some automated DevSecOps tools further complicates integration into continuous delivery pipelines, undermining both security and efficiency.

This fragmentation isn’t specific to any one organization; it’s a widespread challenge as security teams strive to keep up with growing threats and compliance demands. The proliferation of tools, however, often leads to more silos and increased complexity—exactly the opposite of what we’ve achieved through platform consolidation.

A Call for Streamlining DevSecOps: Learning from Consolidation

The lesson here is clear: adding more tools to the mix isn’t the answer. To fully realize the potential of DevSecOps, we need to move away from tool fragmentation and focus on embedding security into the developer workflow, as we did with our consolidated platform on GitHub. By simplifying the development process and integrating security from the start, we can achieve better outcomes for both security and Developer Experience.

Security needs to be central, not an afterthought. Rather than bolting on security measures after the fact or adding layers of complexity with new tools, security should be a seamless part of how developers work. By making security a core aspect of the development process, we ensure that it is baked in from the very beginning. This approach not only improves security itself but also enhances the overall Developer Experience by reducing the friction and overhead often associated with traditional security processes.

References

1. DevSecOps People: “Identifying the Primary Dimensions of DevSecOps: A Multi-vocal Literature Review,” discusses the fragmentation of DevSecOps and the challenge of integrating multiple tools into a seamless workflow. https://www.sciencedirect.com/science/article/pii/S0164121224001080

2. AI for DevSecOps: A Landscape and Future Opportunities: This paper outlines the potential of AI in automating and enhancing security tasks within DevSecOps pipelines, but also highlights challenges around tool complexity and immaturity. https://arxiv.org/abs/2404.04839

Peter Birkholm-Buch
Søvej 6
2665 Vallensbæk Strand
Mobil 26560203
Email peterbb@gmail.com
CVR: 34513287
Bank: Nordea
Konto: 5510-0747692815
SWIFT: NDEADKKK
IBAN: DK3620000747692815
Bitcoin: 1NiBdnmFGhZN2hpM5BRNHqCSD8wpyYNvZf

Follow me on Twitter

See my profile on LinkedIn

© 2026 Peter Birkholm-Buch

Theme by Anders NorenUp ↑