Original broadcast 8/20/25
Presented by Synack & Carahsoft
Katie Bowen, Senior Vice President of Global Revenue at Synack, has spent her career helping organizations bring software to production faster, more securely, and with fewer bottlenecks. In the DevSecOps space, she sees a growing number of government agencies striving for what she calls the “golden path”—the enterprise-approved route to getting software into production quickly and safely. For the most advanced teams, that golden path is leading beyond continuous delivery into the more ambitious territory of continuous deployment.
Bowen explains the distinction clearly. Continuous delivery ensures that every change is automatically built, tested, and prepared for release to production, but still requires human approval before deployment. Continuous deployment removes that manual gate. Once a developer pushes code, it is automatically tested, validated, and released into production without human intervention. The appeal of this model is obvious: it minimizes cycle time, increases responsiveness, and delivers new features or fixes to users almost immediately.
For government agencies, moving toward continuous deployment means rethinking the software supply chain. Every step from code commit to production release must be automated, secured, and monitored. That requires not only modern CI/CD pipelines but also integrated security testing that can run at the speed of automation.
Traditionally, certain security steps—especially penetration testing—have been human-led, manual processes that could take weeks or even months to complete. In many agencies, a significant code change would trigger a pen test requirement, creating a bottleneck that stalled delivery. This delay was not just inconvenient; it often meant developers had to revisit code written weeks earlier, slowing their ability to fix vulnerabilities quickly and accurately.
Synack’s approach addresses this by integrating security testing directly into the development lifecycle. Bowen describes it as creating a “security testing fabric” woven through every stage of the process. Using hooks into source code repositories and integrations with any CI/CD platform, Synack can automatically notify vetted security researchers to begin targeted testing as soon as relevant changes are made. The result is on-demand, always-on penetration testing that happens in parallel with development, not after the fact.
This model enables agencies to maintain high security standards without sacrificing speed. Bowen notes that the most effective organizations map their entire path to production, identify every human touchpoint, and then target those points for automation. They prioritize eliminating delays between “code complete” and “production live,” reducing the window for vulnerabilities to be introduced and allowing developers to address issues while the changes are still fresh in their minds.
She also points out that agencies should design multiple “paths to production” to fit different security requirements. For example, a crown jewel system with high mission criticality might follow a more stringent path with additional testing layers, while a less sensitive internal application could use a faster, lighter process. Having three to six standardized paths gives teams flexibility while maintaining security discipline.
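One way to make the tiered “paths to production” and the commit-triggered testing hook concrete, as an added example that is not Synack’s or any agency’s code; the tier names, stage lists and file patterns are constructed assumptions:

```python
"""Map one pushed change to a standardized path to production and decide
whether the on-demand security-testing hook fires. Illustrative only:
tiers, stages and file patterns below are constructed, not a real policy."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed: changes under these paths count as security-relevant and
# should wake the researcher notification hook in parallel with the pipeline.
SECURITY_RELEVANT = ("src/auth/*", "src/crypto/*", "src/api/*", "deploy/*", "Dockerfile")

# Constructed tiers: a few standardized paths rather than one per system.
# 'human_gate' marks the single manual touchpoint deliberately kept.
TIERS = {
    "crown_jewel": {"blocking": ["build", "unit", "sast", "dast", "compliance"], "human_gate": True},
    "standard":    {"blocking": ["build", "unit", "sast", "dast"],               "human_gate": False},
    "internal":    {"blocking": ["build", "unit", "sast"],                       "human_gate": False},
}

@dataclass
class ReleasePlan:
    tier: str
    blocking_stages: list           # must pass before the deploy step runs
    parallel_pentest: bool          # researchers notified; runs alongside, not as a gate
    human_gate: bool                # True only where this path keeps manual approval
    security_files: list = field(default_factory=list)

def is_security_relevant(path: str) -> bool:
    return any(fnmatch(path, pattern) for pattern in SECURITY_RELEVANT)

def plan_release(tier: str, changed_files: list) -> ReleasePlan:
    """Security-relevant edits trigger the pentest notification on every tier;
    crown-jewel systems get it on any change as their extra testing layer."""
    if tier not in TIERS:
        raise ValueError(f"unknown tier {tier!r}; every system must use a standardized path")
    policy = TIERS[tier]
    hits = sorted(f for f in changed_files if is_security_relevant(f))
    notify = bool(hits) or tier == "crown_jewel"
    return ReleasePlan(tier, list(policy["blocking"]), notify, policy["human_gate"], hits)

def human_touchpoints(plan: ReleasePlan) -> list:
    """What still needs a person on this path, i.e. the next automation targets."""
    return ["final approval"] if plan.human_gate else []

if __name__ == "__main__":
    # Constructed push: a docs edit plus an authentication fix on a standard-tier system.
    print(plan_release("standard", ["README.md", "src/auth/session.py"]))
```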
The conversation inevitably turns to AI, which Bowen sees as both a powerful enabler and a potential risk factor. Today’s AI copilots and agentic AI tools can dramatically accelerate software development, but they can also introduce new vulnerabilities—whether through insecure code suggestions, over-reliance on AI-generated components, or gaps in validation. She predicts that the dynamic application security testing (DAST) market will see a “revolution” in response, as tools evolve to address the unique risks of AI-assisted development.
In this context, pre-production and post-production testing become even more critical. Automated, integrated security checks can help catch issues introduced by AI earlier, preventing them from reaching production. Continuous monitoring in live environments can provide a safety net, quickly detecting and mitigating problems that slip through.
Bowen is realistic about the cultural and operational challenges involved in moving toward continuous deployment. Some systems—particularly externally facing, mission-critical applications—will always require a human in the loop for final approval. But she believes agencies should challenge the assumption that every deployment needs manual intervention. By focusing on developer experience, shortening cycle times, and building trust in automated security processes, agencies can get much closer to the ideal of frictionless deployment.
Her advice for agencies looking to make progress is straightforward: start by understanding your existing path to production, document where the slowdowns occur, and attack the biggest bottlenecks first. Look for opportunities to automate security testing and integrate it directly into developer workflows. And prepare now for the implications of AI, which will likely reshape the development and security landscape in ways we are only beginning to understand.
Bowen’s vision is of a government development environment where speed and security are not competing priorities but mutually reinforcing goals. In such an environment, developers can ship updates and fixes rapidly, users benefit from faster access to features and improvements, and security teams can focus on proactive risk management rather than reacting to problems after the fact.
This is the future she sees for agencies that embrace the golden path and push toward continuous deployment—not as an abstract goal, but as a concrete, achievable outcome of disciplined process mapping, targeted automation, and integrated security. With the right approach, she believes, government can match or even surpass the private sector in delivering secure, responsive software that meets mission needs in real time.
Key Takeaways
- Continuous deployment minimizes cycle time by removing manual release gates, but requires fully automated, integrated security testing.
- On-demand penetration testing embedded in the development lifecycle eliminates traditional security bottlenecks.
- AI-assisted development will increase the need for rigorous pre- and post-production testing to prevent new vulnerabilities.