Who owns software supply chain security? Developers? Or the platform and security engineering teams supporting them?
In the past, the CIO, CISO, or CTO and their security team would decide which Linux distribution, operating system, and infrastructure platform the company would be getting its support contracts and security SLAs from. Today, developers do this all in Dockerfiles and GitHub Actions, and there isn’t the same kind of organizational oversight that existed before things shifted left to developers.
Today, compliance and security teams define the policies and higher-level requirements, while developers get the flexibility of choosing whatever tooling they want, provided it meets those requirements. It’s a separation of concerns that greatly accelerates developer productivity.