In my opinion, the only true solution is to slow down “velocity” in development teams. If the developers are to be held responsible for producing good, secure code, Only the developers can decide when a feature is ready, not the business.<p>If the business wants to dictate deadlines, the business is responsible for security.<p>Edit: I should say development team to include qa, but we don’t have those anymore at most places.
The industry response to this seems to be "DevSecOps," where the only real "Sec" is reactionary monitoring. Monitoring doesn't keep incidents from happening. It only raises internal awareness.<p>This is the best that most separate security teams do, too.<p>In all fairness, the "DevOps" part of things can manage deploys in ways to minimize exposure. But most teams that I've seen revert to manual "process" whenever something unusual occurs, so forget about the ideal automated responses to problems we were promised when we were trying to automate sysadmins out of their jobs. There are several layers of broken here that we're not allowed to talk about.
I wonder if eventually we'll go back to either "more open" or "more decentralised" versions of these, in the longer term. I know there are quite a few that exist, which is in a way already "somewhat decentralised", but some may need to be more "inter-connected" to at least have some of the core "moat" functionalities of GitHub e.g. "see all things this person worked on", "how active are they in the overall community", etc. I can think of some technical bridges, at least...?
Around 2021 a lot of higher-up people at my company pushed for moving from our local Gitlab instance (neatly hidden in our segmented VPN network) to the global one - because that's what all of the cool guys are doing.<p>I've resisted this, because I know that I can sleep peacefully at night when the inevitable monthly "GitLab Critical Patch Release" email comes.