I couldn't agree more. At Mozilla, the Services Security team is part of the team that develops and builds services. We work with devs and ops every day. We write application and infrastructure code. We share successes and failures.
The traditional bystander/compliance security team approach shows its limits very quickly. Being embedded that deeply into the DevOps team is by far the most efficient way to secure services.