Who is responsible for securing devops?

0
569 views

Does the onus of securing pushed code fall on the DevOps team or the security team?

DevOps
SecDevOps
INFOSEC
Tal Klein
68 months ago

3 answers

2

Ultimately it is up to the development organization to develop secure code. Information Security can provide guidance and oversight as well as recommend tools to enable more integrated security processes. Information Security should also be part of the Change Control process, where secure processes are documented, tested and submitted as part of the process. Information Security and the DevOps organization need to partner in order to ensure a more secure application infrastructure.

Jim Huddleston, CISSP, CIPP, CISM, CGEIT
68 months ago
Of course - Dr. David E. 64 months ago
0

In any development environment, whether they are utilizing DevOps or not, the developers and the security group should be cooperating. Clearly the onus to develop code that has security "baked in" falls to the developers, but the security group should be providing security input to the development team. The two groups should cooperate in order to ensure that enterprise security requirements are met and that all available tools, both in code and outside of the code environment (infrastructure protections, etc.), are utilized in order to architect a truly secure system.

Christopher Carrington
68 months ago
Thanks - Dr. David E. 64 months ago
0

The security organization typically is responsible for defining acceptable security boundaries, the development teams are responsible for staying within those boundaries, and either the security ops team, audit or another control function is responsible for ensuring that the overall process is working and that everyone is doing what they are supposed to do.

Another aspect to this is to bake a portion, not all, of that responsibility into the build/deployment process itself. For example, we have a continuous integration environment which incorporates a SonarQube scan of all code immediately upon commit. If that code fails to pass certain gates for quality and security it is immediately rejected and sent back to the development organization.

David Voelker
68 months ago
Increasingly built-in - Dr. David E. 64 months ago
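The commit-time gate David describes, as an added illustration that is not code from the original post: a small Python check that reads a SonarQube quality-gate result and rejects the build unless the gate reports OK, listing the failed conditions for the development team. The JSON shape follows SonarQube's `api/qualitygates/project_status` response as I understand it (an assumption), and both sample responses are constructed for this example.

```python
import json
import sys

# Constructed sample responses shaped like SonarQube's
# GET api/qualitygates/project_status?projectKey=... reply (field names assumed;
# values made up for this example, not taken from any real project).
FAILING_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_vulnerabilities",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "2"},
            {"status": "OK", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "91.5"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "50"},
        ],
    }
})
PASSING_RESPONSE = json.dumps({"projectStatus": {"status": "OK", "conditions": []}})


def failed_conditions(response_text):
    """Return (metricKey, actualValue, errorThreshold) for every condition not OK.

    Fails closed: a response that cannot be parsed or lacks the expected fields
    is reported as one synthetic failure instead of being treated as a pass.
    """
    try:
        status = json.loads(response_text)["projectStatus"]
        gate = status["status"]
        conditions = status.get("conditions", [])
    except (ValueError, KeyError, TypeError, AttributeError):
        return [("unparseable_response", "n/a", "n/a")]
    if gate == "OK":
        return []
    failures = [(c.get("metricKey", "?"), c.get("actualValue", "?"), c.get("errorThreshold", "?"))
                for c in conditions if c.get("status") != "OK"]
    # The gate itself is not OK even if no single condition is flagged: still reject.
    return failures or [("quality_gate", gate, "OK")]


def gate_passes(response_text):
    """True only when the quality gate is OK, so a CI step can key its exit code on it."""
    return not failed_conditions(response_text)


def main():
    for label, body in (("passing commit", PASSING_RESPONSE), ("failing commit", FAILING_RESPONSE)):
        failures = failed_conditions(body)
        print(f"{label}: {'accepted' if not failures else 'rejected'}")
        for metric, actual, threshold in failures:
            print(f"  {metric}: actual={actual} threshold={threshold}")
    # Non-zero exit stops the pipeline, sending the commit back to development.
    sys.exit(0 if gate_passes(FAILING_RESPONSE) else 1)


if __name__ == "__main__":
    main()
```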
