DevSecOps: Building Continuous Security Into IT and App Infrastructures
Last updated on: September 6, 2020
With software now at the heart of essential business processes, organizations must build security into their IT and application development pipeline to prevent breaches, avoid compliance violations, and protect digital transformation initiatives.
This especially applies to organizations creating and deploying applications quickly and continuously using DevOps, in which development and operations teams add agility and efficiency to software lifecycles with automation tools, pre-built third-party code and constant collaboration.
DevOps replaces the traditional, linear “waterfall” method in which each team works in silos with minimal communication and coordination, often resulting in lengthy software lifecycles and code that is buggy and insecure.
But for all the speed and flexibility that DevOps adds to IT and application development and delivery — and to the business initiatives powered by the software — it can backfire if security is an afterthought or left out altogether.
Instead, security pros, processes and tools must be threaded seamlessly into DevOps to end up with DevSecOps.
“When we’re talking about DevSecOps, what we’re talking about is securing the supply chain, reaching out to software whether it’s being developed internally, by third parties or in cloud services,” John Pescatore, a SANS Institute analyst, said during the Qualys-sponsored webcast “DevSecOps: Building Continuous Security Into IT & App Infrastructures.”
“[We must] make sure we’re building, buying and selecting the most secure software infrastructure possible because everything we do in business is all dependent on that software,” Pescatore said.
Integrating security into DevOps pipelines gives InfoSec teams a golden opportunity to get a seat at the business table and become a partner in digital transformation initiatives, so that security is seamlessly integrated into the IT fabric rather than bolted on as an afterthought, according to Chris Carlson, VP Product Management at Qualys.
Digital transformation — the adoption of new technologies and processes like cloud computing, mobility, artificial intelligence and IoT to sharpen business strategies and revamp operations — has become a key driver of growth and competitive advantage for organizations worldwide.
When implemented effectively, digital transformation projects boost business agility, efficiency and precision, improving customer satisfaction, employee productivity and product development, which in turn helps grow revenue, profits, market share and innovation.
Carlson cited a recent Microsoft study that found that 80% of business leaders in the Asia Pacific region believe digital transformation is a must for keeping their organizations competitive and growing. Yet, when these executives were asked to name barriers to digital transformation, “cyber threats and security concerns” topped the list.
“When business leaders are saying that cyber threats are the number one barrier for their digital transformation projects, and for their goals to deliver value and grow revenue and market share, that’s a strong encouragement in adopting and supporting security capabilities and practices,” Carlson said during the webcast.
In this way, the need to protect digital transformation projects offers InfoSec teams an opportunity to shed their reputation as gatekeepers who delay business innovation efforts by objecting to technology changes out of security concerns.
When DevSecOps processes and tools are properly adopted, an organization generates and deploys much more secure and compliant code continuously in short iterations. Those chunks of code get automatically scanned for vulnerabilities, misconfigurations and other problems, prior to deployment, slashing instances of security and operational issues in production software.
DevSecOps gives organizations the software development and delivery pipeline they need for their digital transformation projects: It’s agile, automated and scalable, and yields apps with significantly fewer bugs, vulnerabilities and misconfigurations. Equally important, software can be launched and updated as frequently as needed to address changing competitive market trends, according to Carlson.
During the hour-long webcast, Pescatore and Carlson provide in-depth explanations about multiple technology and business aspects of DevSecOps, including:
- How to build security into DevOps, avoiding common mistakes such as indiscriminately bolting InfoSec tools and procedures onto the process
- How to evaluate the level of DevOps “friendliness” of security tools, using criteria such as availability of APIs and self-service UIs
- Concrete steps your organization can take today, next quarter and in six months to adopt DevSecOps
- How three large Qualys customers are successfully using DevSecOps processes for digital transformation initiatives
- The importance of collecting metrics showing the improvements and advantages triggered by DevSecOps adoption, and the beneficial impact on business efficiency and effectiveness
We invite you to listen to a recording of the webcast, which we’re confident will provide you with a lot of practical tips, useful best practices and valuable insights about DevSecOps and digital transformation.