APJ

From DevOps to DevSecOps: challenges and benefits of integrating security into DevOps

Prashanth Nanjundappa, Head of Products, Chef Business, Progress

IDC predicts that public cloud services spending in Asia Pacific will reach US$48.5 billion in 2021. This is not a surprise as cloud has proven to be a key driver of innovation in our increasingly digitised economy, and a core contributor to resilience in the context of the pandemic.

But the increased reliance on cloud also means more complexity for IT teams. This is why, for many years now, businesses have invested in DevOps practices to help accelerate development time without compromising quality and stability.

While the benefits of DevOps are indisputable, we are at a point where it needs to address another important dimension: the growing security and compliance challenges faced by organisations.

Indeed, securing applications and platforms in the cloud is a major concern for enterprises. Not a day passes without a headline on the rising importance of cybersecurity or a new data compromise or compliance scandal.

DevSecOps is the next DevOps frontier and an essential practice organisations need to invest in if they want to fully integrate security and compliance into their application development process.

Now, DevSecOps is easier said than done. But for those who roll out a successful DevSecOps strategy the benefits are priceless.

Security still an afterthought

The first challenge IT and DevOps teams often run into is that security tends to come in very late in software development lifecycles. This is usually because DevOps teams stress on speed and quicker time to market.

As a result, security tends to be discussed and brought in once a new service or application is going to production or is ready to be rolled out to the market. By then, going back to fix potential security problems identified by the security team’s tests is too time-consuming and expensive.

This clash between speed and security is a real challenge that is increasingly hindering IT teams’ ability to deliver applications that the business can trust, and that will withstand cyber threats and compliance requirements after the application is out in market.

This challenge can be addressed by allowing security – and compliance – teams to be brought together into the development process earlier on. This is the promise of DevSecOps.

Periodic audits aren’t the solution, continuous audit and remediation is

In the traditional approach, security testing usually happens after the development and staging test. These reviews happen once every three to six months to identify the problems to be fixed and generate reports.

Although a good practice, it is not completely efficient as this approach assumes that the level of compliance is steady and that these periodic checks are enough to validate the constant level of compliance.

It leaves the windows open to risks in-between the periodic audits where the product is susceptible to security attacks. It also leaves the company highly vulnerable.

Adopting a DevSecOps model can help organisations mitigate this challenge and shift to a continuous model where compliance and security tests are done at every stage, and incremental remediations can be rolled out to fix the gaps in audit. 

More than collaboration, it’s about integration of teams and codification

There are three different teams in charge when it comes to securing systems, each with their own specific perspectives and tools. The compliance team adheres to regulations, while the security team uses scanning tools to validate things. The DevOps team then fixes the problems.  

However, as the different teams use different languages, it increases the time taken to resolve a problem and makes it expensive to fix as the messages have to go through several loops.

Everyone in the organisation needs to have a common language and set of tools to ensure security and compliance can be codified and automated. It makes the process simpler, more consistent and straightforward. It also helps teams know when they are non-compliant, so there are no surprises. 

“As A Code”: a model, and a mindset

 We have seen how the successful integration of security practices into every stage of development helps businesses address security issues early on and improves compliance.

An “as a code” method adoption is what will bring the widening security and compliance gaps and what will take the burden off DevOps’ hands. Once security and compliance are embedded, automated and everything is codified security doesn’t have to be an afterthought anymore, it actually can’t as it is intrinsically weaved in at the core of people, pre-established processes and products.

For those who adopt a successful DevSecOps strategy and a “As A Code” mindset the benefits are countless. Not only does this save application teams from having to start each round of testing from scratch, it also reduces the risk that developers inadvertently choose the wrong technical platform.

A DevSecOps strategy means more peace of mind – and time – for dev teams and much stronger security and compliance levels for the entire organisation, in the long run, no matter how the cyber threat and compliance landscape evolve.

Ultimately, this is what will build resilience, competitiveness and foster innovation in the post-pandemic, hyper-digitised world. 

Related posts

The ERP revolution is here: Why point solutions might be failing your business

enterpriseitworld

Publicis Sapient to Create a BU for Google Cloud AI

enterpriseitworld

Merck and Digital Trust Centre at Nanyang Technological University, Singapore, collaborate

enterpriseitworld
x