8/14/25
At the recent Carahsoft DevSecOps Conference, industry leaders underscored the transformative potential of automation in strengthening security while accelerating software delivery. Chris Holmes, CEO and founder of graymatter.io, and Luke Deschenes, Solution Architect at Veracode, each brought distinct perspectives shaped by their work with government and enterprise clients. Together, their insights paint a picture of a DevSecOps future defined by speed, precision, and adaptability—anchored in standards and driven by continuous automation.
From Manual Burden to Autonomous Security
Holmes pointed to the Authority to Operate (ATO) process as one of the most challenging—and most promising—targets for automation. Many agencies still rely on “antiquated, manual check boxes” for both initial accreditation and ongoing management of software security postures. In his view, automation can remove subjectivity from continuous ATO efforts by aligning on standardized frameworks like NIST guidelines, enabling repeatable, scalable processes.
Holmes emphasized that true success requires more than superficial automation: “It’s got to be autonomous. It’s got to be as hands off as possible. It’s got to be fire and forget… I need a real AI to make decisions on [whether] this security posture [is] compromised, and if it is…redirect…or turn this…into a honeypot.” For him, the benchmark is not just speed, but the ability to make intelligent, proactive security decisions without constant human intervention.
Embedding Security in the Pipeline
Deschenes approached automation from the angle of developer workflow, stressing its role in providing continuous integration, secure remediation, and deep visibility into the software supply chain. Veracode’s approach focuses on integrating seamlessly into CI/CD systems to deliver instant feedback to developers, ensuring vulnerabilities are addressed before code moves forward.
According to Deschenes, the payoff is immediate: “One of the main benefits people see right off the bat is visibility into their actual risk and vulnerabilities… later on…[they see] reduction in median time to remediate flaws and security.” Automation here is not just about detection—it’s about creating enforceable security gates that keep noncompliant code from advancing, ensuring both security and compliance requirements are met without slowing delivery.
Shared Themes: Standards, Visibility, and Trust
While Holmes stressed the need for universal agreement on automation steps and repeatable frameworks, Deschenes highlighted the visibility and policy enforcement that automation brings to developers and security teams alike. Both agree that automation’s value lies in its ability to give organizations confidence—whether through an autonomous cybersecurity layer making split-second decisions or a CI/CD pipeline that stops vulnerabilities before they’re deployed.
The convergence of these perspectives suggests that the industry’s most effective DevSecOps solutions will combine Holmes’ vision of autonomous, intelligent security with Deschenes’ focus on pipeline-embedded visibility and compliance enforcement. In a landscape where threats evolve quickly and compliance requirements remain non-negotiable, automation is poised to be the bridge between speed and security.
Key Takeaways
- Automation can transform the ATO process from a manual, subjective burden into a repeatable, scalable, and universally accepted standard.
- Embedding automated scans and security gates into CI/CD pipelines delivers immediate visibility and reduces remediation times.
- The future of DevSecOps lies in combining intelligent, autonomous decision-making with real-time, developer-centric security feedback.