Hacker News

I'm lucky enough to be with a company with a couple people on both sides. Originally we were all blue team (that was VERY poorly integrated with the engineering group), but I've started shifting one guy over to full-time pentesting and working on integration with engineering.

> results in internal tickets/issues/BUGs, while the development/operation practices are kept the same.

You could not be more accurate; this also applies to groups that maybe started out as corporate infosec (virus protection, simple application scanning, etc.) and were never really tightly coupled with engineering. We have identified essentially identical authorization issues in a pre-release version of one of our products two or three times this year, which were also present in the last 3rd-party pentest of the same product before my time (which was pretty scathing). It's incredible.


