The Importance of a Security-First Approach: DevSecOps

In today’s competitive landscape, where apps are the gateway to corporate and customer data, businesses are delivering smarter, faster and safer apps. The perks of becoming more agile, scalable, and cost-effective are also shifting the focus to cloud environments for apps.

A recent Dell EMC study, The Global Data Protection Index, conducted in collaboration with Vanson Bourne, highlighted that cloud use by organisations in Asia increased from 27 percent of the total IT environment in 2016 to 41 percent in 2018. 

In fact, in F5’s 2019 State of Application Services study, it is noted that 87 percent of businesses in Asia operate multi-cloud architectures, driven by an app-first methodology. Over 90 percent of respondents in Australia, New Zealand, China, and India showed that they are using more than one cloud provider. In Singapore, 57 percent of large enterprises plan for cloud adoption. And with 33 percent expecting to do so in the next 6 to 12 months, the shift to cloud shows no signs of slowing down in the near future. 

Unfortunately, companies only come to realise how complex cloud deployments is only after adoption. More often than not, the lack of a deeper cloud knowledge and tooling mean businesses become tangled with operational management of these new app environments.

While DevOps is a foreign term to some; this approach to IT is rapidly gaining momentum as it unites people, processes, and services to enable continuous delivery of value to end users. DevOps delivers at a faster pace and fosters innovation while increasing employee productivity, communication, and engagement. Over 94 percent of enterprises across the Asia-Pacific region have adopted DevOps methods of working in their environments. 

The move to create faster pipelines between the development code to the end value for the customer have led to increasing risks in app deployment, with 53 percent of data breaches targeting the app itself. It is therefore crucial that businesses move from a position of implementing security for compliance to a more proactive method by leveraging DevOps principles within their security tooling and processes.

DevOps is no longer a team of individuals in an organisation’s innovation strategy—it is the new way of doing IT. The benefits of delivering apps at rapid speed, however, are inconsequential if security tooling and practices do not evolve and adapt to mitigate risks without slowing down app deployment pipelines.

To obtain the full potential of DevOps, it is essential that businesses integrate security and governance into the DevOps life cycle from the outset. Hence, the term ‘shift left’, which is about incorporating security closer towards the development stages (as opposed to current strategies which typically concentrate only at the deployment phase), and the growing momentum known as DevSecOps—a market estimated to be worth US$5.9 billion by 2023.

The long-term benefits of DevSecOps far outweigh inherent short-term pains. Organisations can integrate security controls like source code analysis, software supply chain controls, and dynamic application security testing within development pipelines. In addition, automation can be used to provide feedback loops, resulting in less friction in the application deployment process. Doing this enables rapid prototyping of different technologies, as it requires an API-driven method to maintain security controls. 

As with existing DevOps practices, the success of DevSecOps relies on three foundational pillars for success—people, process and technology.

People: While DevSecOps is a journey enabled by technology, it is a process that begins with people. Organisations need to drive cultural change to bridge the gap between traditional silos in development, operations and security teams. This change involves empowering cross-functional teams for the end to end application life cycle.

Process: Keeping in mind that speed and quality are key to DevSecOps, businesses should try to automate manual processes as much as possible without sacrificing cybersecurity needs. Security should be viewed as a process through the development phases, not once the app is deployed. Introducing threat-modelling storyboards as part of the development phase help bake security into the design and eliminate the “security as a gatekeeper which causes delays” mentality. 

Technology: Cloud-based solutions are gaining adoption because of DevOps. To keep up with the pace of modern app deployment, businesses should integrate security technologies earlier in development stages. To move towards a ‘shift left’ way of working, consider integrating security solutions that use an automation-first and API-driven approach. Implementing technologies that integrate within the software delivery pipelines without reducing deployment timelines provide the added benefit of being repeatable, auditable and are likely to introduce a shared responsibility for security across development, operations and security team members.

The number of headline articles for breaches and attacks is unlikely to decline. However, companies can embrace new ways of working to minimise their threat exposure while increasing their time-to-value. DevSecOps is a practice that will continue to grow in adoption in years to come. The shift from security as an after-thought to baking it into agile development process with a shared responsibility will show significant benefits in an organisation’s efforts to minimise their threat exposure.

Together with Tegasus International, we are holding a series of cybersecurity workshops designed to help you understand proper cyber-hygiene and the technologies that can help negate or minimise impact of cyber-attacks.