The importance of a security-first approach: DevSecOps

By Santosh Matam

In today’s competitive landscape, where apps are the gateway to corporate and customer data, businesses are under pressure to deliver smarter, faster and safer apps. The promise of becoming more agile, scalable and cost-effective is also shifting app workloads toward cloud environments.

A recent Dell EMC study, The Global Data Protection Index, conducted in collaboration with Vanson Bourne, highlights cloud use by organisations in Asia increasing from 27 percent of the total IT environment in 2016 to 41 percent in 2018, with almost 100 percent of respondents leveraging cloud as part of their data protection strategy.

In fact, in F5’s 2019 State of Application Services study, we found that 87 percent of businesses in Asia operate multi-cloud architectures, driven by an app-first methodology. Over 90 percent of respondents in Australia, New Zealand, China, and India reported using more than one cloud provider. For many organizations in India, the cloud has become the sole route to faster market expansion through new application deployment, and they are increasingly adopting the multi-cloud approach, clearly the next era in cloud computing. Further, with increased adoption of technologies such as artificial intelligence and Big Data, the India cloud market is poised to grow three-fold to US$7.1 billion by 2022, according to a Nasscom report.

However, one of the biggest challenges that organisations in India experience is managing their entire cloud ecosystem and deploying new apps seamlessly.

DevOps: A New Approach to Application Deployment

While DevOps is a foreign term to some, this approach to IT is rapidly gaining momentum because it unites people, processes, and services to enable continuous delivery of value to end users. DevOps delivers at a faster pace and fosters innovation while increasing employee productivity, communication, and engagement. Over 94 percent of enterprises across the Asia-Pacific region have adopted DevOps methods of working in their environments.

The move to create faster pipelines from development code to end value for the customer has led to increasing risk in app deployment, with 53 percent of data breaches targeting the app itself. It is therefore crucial that businesses move from implementing security for compliance to a more proactive method that applies DevOps principles within their security tooling and processes.

DevOps is no longer a team of individuals in an organization’s innovation strategy—it is the new way of doing IT. The benefits of delivering apps at rapid speed, however, are inconsequential if security tooling and practices do not evolve and adapt to mitigate risks without slowing down app deployment pipelines.


DevSecOps to the rescue

To obtain the full potential of DevOps, it is essential that businesses integrate security and governance into the DevOps life cycle from the outset. Hence the term ‘shift left’, which means incorporating security closer to the development stages (as opposed to current strategies, which typically concentrate only on the deployment phase), and the growing momentum known as DevSecOps, a market estimated to be worth US$5.9 billion by 2023.

The long-term benefits of DevSecOps far outweigh the inherent short-term pains. Organizations can integrate security controls like source code analysis, software supply chain controls, and dynamic application security testing within development pipelines. In addition, automation can be used to provide feedback loops, resulting in less friction in the application deployment process. Because this requires an API-driven method of maintaining security controls, it also enables rapid prototyping of different technologies.
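The feedback loop described above is easiest to see as a policy gate that sits at the end of the pipeline, merges the findings that the source-code analysis (SAST), supply-chain (SCA) and dynamic testing (DAST) stages produced, and turns them into a pass/fail decision plus a short report for the developer. The following is an added example written for this article, not code from F5 or the author; the stage names, the five-level severity scale, the per-stage thresholds and the sample findings are all assumptions constructed for illustration.

```python
"""Pipeline security gate: merge scanner findings, apply a policy, give feedback.

Added illustration for the DevSecOps feedback loop; the scanners themselves
(SAST, SCA, DAST) are assumed to have already written their findings into the
shape of `Finding` below.
"""
from dataclasses import dataclass, field

# Assumed severity scale; anything outside it is treated as critical (fail closed).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    stage: str      # pipeline stage that produced it: "sast", "sca" or "dast"
    rule: str       # scanner rule or vulnerability identifier
    severity: str   # one of the keys in SEVERITY_RANK
    location: str   # file:line, package==version, or URL


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)   # fail the build
    advisory: list = field(default_factory=list)   # reported, not blocking
    accepted: list = field(default_factory=list)   # explicitly accepted risk


def severity_rank(sev):
    """Map a severity label to its rank; unknown labels fail closed as critical."""
    return SEVERITY_RANK.get(sev.lower(), SEVERITY_RANK["critical"])


def evaluate_gate(findings, thresholds, accepted_risks=frozenset()):
    """Apply the policy to a list of findings.

    thresholds: {"default": <severity>, optional per-stage overrides}, e.g. a
    higher bar for DAST because it is run against a noisier staging target.
    accepted_risks: set of (rule, location) pairs that were formally accepted;
    they are reported but never block, so the exception is visible and auditable.
    """
    result = GateResult(passed=True)
    for f in findings:
        if (f.rule, f.location) in accepted_risks:
            result.accepted.append(f)
            continue
        threshold = thresholds.get(f.stage, thresholds["default"])
        if severity_rank(f.severity) >= severity_rank(threshold):
            result.blocking.append(f)
        else:
            result.advisory.append(f)
    result.passed = not result.blocking
    return result


def format_feedback(result):
    """Render the short report that would be posted back to the merge request."""
    lines = ["SECURITY GATE: " + ("PASS" if result.passed else "FAIL")]
    for label, items in (("Blocking", result.blocking),
                         ("Advisory", result.advisory),
                         ("Accepted risk", result.accepted)):
        for f in items:
            lines.append(f"[{label}] {f.stage.upper()} {f.severity.upper()} "
                         f"{f.rule} at {f.location}")
    return "\n".join(lines)


# Constructed sample findings (not real scanner output or real vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("sast", "sql-injection", "high", "app/db.py:42"),
    Finding("sca", "CONSTRUCTED-VULN-001", "critical", "somelib==1.0.0"),
    Finding("sca", "outdated-dependency", "low", "otherlib==0.9.0"),
    Finding("dast", "missing-csp-header", "medium", "https://staging.example/"),
]

# Assumed policy: block at high by default, but only at critical for DAST.
POLICY = {"default": "high", "dast": "critical"}

if __name__ == "__main__":
    import sys
    gate = evaluate_gate(SAMPLE_FINDINGS, POLICY)
    print(format_feedback(gate))
    sys.exit(0 if gate.passed else 1)   # non-zero exit fails the pipeline stage
```

With the sample data the gate fails on the SAST high and the SCA critical findings, while the low-severity dependency note and the medium DAST finding are returned as advisory feedback; adding `("sql-injection", "app/db.py:42")` to `accepted_risks` moves that finding into the accepted list, so the exception stays visible in every report rather than silently disappearing.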

As with existing DevOps practices, the success of DevSecOps relies on three foundational pillars: people, process and technology.

People: While DevSecOps is a journey enabled by technology, it is a process that begins with people. Organizations need to drive cultural change to bridge the gap between the traditional silos of development, operations and security teams. This change involves empowering cross-functional teams to own the end-to-end application life cycle.

Process: Keeping in mind that speed and quality are key to DevSecOps, businesses should automate manual processes as much as possible without sacrificing cybersecurity needs. Security should be viewed as a process that runs through the development phases, not a step performed once the app is deployed. Introducing threat-modelling storyboards as part of the development phase helps bake security into the design and eliminates the “security as a gatekeeper which causes delays” mentality.

Technology: Cloud-based solutions are gaining adoption because of DevOps. To keep up with the pace of modern app deployment, businesses should integrate security technologies earlier in the development stages. To move towards a ‘shift left’ way of working, consider integrating security solutions that use an automation-first and API-driven approach. Technologies that integrate within the software delivery pipelines without lengthening deployment timelines have the added benefit of being repeatable and auditable, and they are likely to introduce a shared responsibility for security across development, operations and security team members.

The number of headline articles for breaches and attacks is unlikely to decline. As attacks become more automated and distributed in nature, however, companies can embrace new ways of working, like DevSecOps, to minimize their threat exposure while increasing their time-to-value.

DevSecOps is a practice that will continue to grow in adoption in the years to come. Sec (security) should be embedded into every part of the development process right from the start. If security remains at the end of the development pipeline, organizations adopting the DevOps methodology can find themselves back in the long development cycles they were trying to avoid in the first place. The ‘Sec’ in ‘DevSecOps’ should therefore not be an afterthought to the process, but baked into the overall DevOps cycle.

(The author is the Manager, Product Development at F5 Networks India)

Comments (1)
  • akhilpatel

    Thanks for your post! Through your pen I found the problem interesting! I believe there are many other people who are interested in it just like me! Thanks for sharing!… I hope you will continue to have similar posts to share with everyone! I believe a lot of people will be surprised to read this article!