Pushing Secure, Fast, and Mission-Focused Adoption of DevSecOps

Original broadcast 8/20/25

 

Presented by Carahsoft

Rich Savage, Sales Director at Carahsoft, brings a unique vantage point to the current state of the DevSecOps community. Working at the intersection of government customers, original equipment manufacturers (OEMs), and system integrators, Savage sees the ecosystem as one that has reached an inflection point—armed with lessons learned, proven models, and a renewed drive to accelerate secure software delivery in the public sector. In his view, the sector has “seen what’s possible,” knows “what works,” and is ready to scale those successes.

Savage describes a community that has built a strong foundation over the last six to seven years, developing the processes, controls, and cultural norms needed to adopt DevOps and DevSecOps practices in a government context. This groundwork has been essential for enabling a faster pace of software delivery without compromising the stringent security requirements that federal missions demand.

At the center of the current momentum is the rapid rise of artificial intelligence. Savage calls AI the “gas pedal” for the industry—capable of automating more processes, accelerating decision-making, and enabling previously unimaginable efficiencies. AI, he explains, offers a new level of automation that allows government teams to move with a speed that would have been impossible just a few years ago. However, he’s quick to note that with AI comes new challenges.

Security, in this analogy, is the “brake.” The more powerful and capable the AI tools become, the more important it is to ensure that their integration into government software environments is done securely. This means being able to identify AI-generated code, verify its trustworthiness, and confidently insert it into applications. Savage points out that many of the companies Carahsoft works with are already addressing these challenges—developing solutions that can certify AI-generated components quickly and securely.

Importantly, Savage rejects the idea that security and speed must exist in opposition. Instead, he argues, they must operate in parallel. For DevSecOps to deliver on its promise, development and security teams must be integrated, working together throughout the lifecycle rather than handing work off from one group to another. This parallel approach prevents the delays and rework that come from treating security as an afterthought.

The question of “what’s next” in DevSecOps, Savage says, is not something that can be rigidly defined. One of the strengths of the methodology is its inherent agility—the ability to pivot in response to emerging mission needs and technological developments. The next step, whatever it may be, will be driven by the next mission requirement, not a static roadmap. This flexibility allows the government to respond to evolving threats, changing priorities, and emerging technologies without being constrained by outdated plans.

Savage also emphasizes the cultural dimension of DevSecOps adoption, particularly within government. While the private sector often encourages a “fail fast” mentality, public sector missions have far less room for error. In commercial contexts, failure might mean lost revenue; in defense or intelligence contexts, it could mean loss of life. This reality shapes how government teams balance the drive for speed with the imperative for security. The result is an environment where innovation must be tempered with caution, and where the industry partners must deeply respect those boundaries.

That respect, Savage notes, is evident in the way the OEM and integrator communities work with government customers. They understand that security cannot be compromised for the sake of speed, and that cultural change must accompany technological change. This is why culture is such a frequent topic in DevSecOps discussions—it’s not just about adopting new tools and processes, but about aligning people, policies, and priorities around a shared understanding of risk and mission.

Carahsoft’s role in this ecosystem is to act as a bridge—connecting government agencies with the technologies, expertise, and partners they need to move forward. By facilitating these connections, Savage and his team help ensure that agencies can adopt best-in-class solutions, benefit from industry innovation, and do so in a way that aligns with their unique mission requirements.

Savage’s outlook is decidedly optimistic. He sees a community that has matured beyond the experimental phase, that understands both the opportunities and the pitfalls, and that is positioned to scale DevSecOps practices across more agencies and mission areas. The enthusiasm he encounters is not just rhetorical—it’s grounded in real progress, tangible results, and a shared recognition that the work being done today will define the government’s ability to deliver secure, effective digital services for years to come.

The future, he suggests, will be one where AI and automation continue to expand what’s possible, but where security remains firmly embedded in the process. It will be shaped by agile practices that allow the government to adapt quickly, and by a culture that understands the unique stakes of public sector missions. For Savage, the goal is clear: move faster, stay secure, and always keep the mission at the center of the effort.

Key Takeaways

  • AI is accelerating government software delivery, but must be integrated securely.

  • Security and development must operate in parallel, not sequentially, to maintain speed without sacrificing safety.

  • Culture remains a decisive factor in DevSecOps success, especially in the public sector’s low-tolerance-for-failure environment.
