Imagine a world where security is seamlessly integrated into your development workflow from ideation until production, so that development teams can completely focus on feature development while building secure applications. That is exactly what I presented at the OWASP Chapter Meetup Switzerland. In this talk, I show how platform engineering transforms modern application security and makes DevSecOps a reality at scale.
Today’s Challenges: Walls of Confusion#
When I join different companies, I often see the same picture. The business throws ideas over a wall of confusion to the development team. The development team builds something and throws it over another wall to testing. Testing passes it to operations, and operations duct-tapes it into production. The customer gets something they can barely use.
These walls of confusion come from the silo organization that still exists in many enterprises. Business, engineering, QA, and operations each have their own business unit, their own goals, and their own incentives. The result: misalignment, legacy processes, and security treated as an afterthought.
DevSecOps: Bringing Everyone Together#
DevSecOps is a mindset, a culture, and a set of technical practices that helps align everyone across the value stream. The debate about terminology (DevSecOps vs. DevBizOps vs. DevSecBizARCompQAOps) is pointless. In the end, DevOps is about bringing all people, processes, and technology together to continuously deliver secure value.
The numbers speak for themselves. The State of DevOps Report 2024 shows that high performers have 182 times more deployments, 127 times faster lead time, and significantly better security, quality, and customer satisfaction. This is what every CIO and CEO wants.
The Cognitive Load Problem#
But here is the challenge: implementing DevSecOps is complex. When you look at the CI/CD pipeline alone, baking in security is a huge effort. I have created 25 videos just on implementing DevSecOps in CI/CD pipelines for GitHub and GitLab.
And that is just one piece. Development teams also need infrastructure (cloud or on-prem), a runtime environment, monitoring, security tools, cost management, and access management. In larger companies, this creates an enormous cognitive load. Multiple application stacks, tool complexity, and constant maintenance drain productivity.
The question becomes: Can you scale DevSecOps at all? Or should we go back to silos?
The Digital Factory: Where the Industry Is Moving#
The answer is not silos. The answer is the digital factory model, where lean portfolio management aligns strategy with execution, product management organizes products and teams, product teams do DevSecOps with end-to-end responsibility, and the platform team builds the foundation that makes it all possible.
This is where platform engineering comes in. Platform engineering is the industrialization of software engineering. Instead of every team building their own toolchain and infrastructure, you standardize how software is built and delivered across the company.
Platform Engineering in Practice#
The target operating model is clear: product teams focus on feature development with a small technology stack, while a self-service platform built by a platform team handles the heavy lifting. The platform is an internal product. Its customers are the product teams.
The key principles are straightforward. The platform exposes all tools and capabilities the product teams need. Monitoring, for example, is provided as a capability by the platform team through tools like Grafana and Prometheus, but the actual monitoring is done by the product teams because they own the end-to-end responsibility for their product.
At Zühlke, we built such a platform together with LGT, a private bank. It supports 462 developers across 14 partners and 22 spaces with 15 Kubernetes clusters. Key features include instant onboarding and offboarding through identity federation, repository scanning with Trivy and secret detection at the platform level, container image scanning with AI-powered analysis, standardized observability with pre-built Grafana dashboards, a self-service catalog for databases, AI services, and infrastructure, and a release portal with vulnerability gating.
Codify Your Security Policies#
One of the most important lessons: do not write your security policies into Word documents or Confluence pages. Codify them into the platform. When policies are automated, no developer needs to read a 50-page security guideline. The rules are applied automatically, and teams get speed and security at the same time.
AI as a Capability on the Platform#
Where does AI fit? AI is just a capability on the platform. You expose it through an API to your product teams in a governed and standardized way. When you zoom in, that “small box” is actually quite large: application layer (chatbots, coding assistants, synthetic data tools), tools layer (prompt engineering, vector databases, RAG, fine-tuning), model hub (versioned models), and GenAI infrastructure (cloud and on-prem).
Having AI governed through the platform was a game changer for us. Before, everyone was doing their own AI experiments and our CISO was not happy. With the platform, AI usage became secure, governed, and productive.
From Ticket-Ops to Enabling IT#
The IT of the future is not about filing tickets and waiting weeks for infrastructure. It is about providing preconfigured services, golden path templates, and entire development factories through a self-service platform. This is what I call the enabling IT, and it is where the industry is heading.
Key Takeaways#
- DevSecOps is not dead: Platform engineering enables teams to do DevSecOps at scale
- Build a self-service platform: Your platform is an internal product with the development teams as customers
- Codify all policies: Security, compliance, and governance rules belong in the platform, not in documents
- Use the floating platform concept: Integrate tools over the platform, never directly together, so you can replace any tool without disruption
- AI is a capability, not a strategy: Provide AI through your platform in a governed, secure way
- New applications in 15 minutes: With certificates, backups, security, and monitoring baked in from day one