Implementing DevSecOps: Lessons learned