Jan 30, 2019

Part 1: App Security Should Be an Integral Part of Your DevSecOps Process — Not an Afterthought

What are the key considerations and components of DevSecOps?

The intention of DevSecOps is to build the mindset that everyone is responsible for security — and that security needs to be built into your process, rather than as a perimeter around apps and data.

Traditionally, security during the Software Development Life Cycle (“SDLC”) was the job of a separate team that engaged only in the final stage of development. This waterfall approach was not a problem when development cycles lasted months or years. However, with the rise of agile, Continuous Integration (“CI”) and Continuous Deployment (“CD”) models, it is no longer feasible.

DevSecOps involves creating a flexible collaboration between release engineers and security teams in order to build security into the DevOps process. This seeks to avoid the bottleneck that older security models place on the CI/CD pipeline, but it requires increased communication and shared responsibility between development, IT and security teams so that security testing and implementation are done in iterations during code development, rather than shortly before release.

The two primary benefits of DevSecOps are:

  1. Better ROI of existing security infrastructure
  2. Improved operational efficiencies across security and the rest of IT


The six important components of a DevSecOps approach are:

  1. Code Analysis: Deliver code in small chunks, so vulnerabilities can be identified quickly
  2. Change Management: Increase speed and efficiency by allowing anyone to submit changes, then determine whether each change is good or bad
  3. Compliance Monitoring: Be ready for an audit at any time
  4. Threat Investigation: Identify potential emerging threats with each code update and be able to respond quickly
  5. Vulnerability Assessment: Identify new vulnerabilities with code analysis, then analyze how quickly they are responded to and patched
  6. Security Training: Train software and IT engineers with guidelines for set routines
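Components 1 and 5 describe a pipeline gate that runs on every small change and then tracks how fast what it finds gets fixed. The following is an added example of such a gate, written for this page and not code from the original post or from Arxan: it parses constructed scanner-style findings (the record format, the component names and the patch SLA hours are all assumptions of the example), fails the build when an open finding exceeds the tolerated severity, and reports mean time-to-patch and SLA breaches.

```python
"""Added example: a CI-stage security gate plus time-to-patch reporting.

All inputs are constructed for illustration. The finding records mimic what a
static-analysis or dependency scanner might export; the severity ranking and
the remediation SLAs are hypothetical policy values, not anything from the post.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical remediation SLAs in hours, per severity (an assumption of this example).
PATCH_SLA_HOURS = {"low": 720, "medium": 336, "high": 72, "critical": 24}


@dataclass
class Finding:
    finding_id: str
    severity: str
    component: str
    found_at: datetime
    fixed_at: Optional[datetime] = None

    @property
    def is_open(self) -> bool:
        return self.fixed_at is None


def parse_findings(records: List[dict]) -> List[Finding]:
    """Turn scanner-style JSON records into Finding objects.

    An unknown severity is rejected rather than silently treated as low, so a
    malformed scanner export cannot slip a finding past the gate.
    """
    findings = []
    for rec in records:
        sev = rec["severity"].lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {rec['severity']!r} in {rec['id']}")
        findings.append(Finding(
            finding_id=rec["id"],
            severity=sev,
            component=rec["component"],
            found_at=datetime.fromisoformat(rec["found_at"]),
            fixed_at=datetime.fromisoformat(rec["fixed_at"]) if rec.get("fixed_at") else None,
        ))
    return findings


def gate(findings: List[Finding], max_open_severity: str = "medium") -> dict:
    """Pipeline gate: fail when any open finding is more severe than tolerated.

    Run on every small change, this catches a regression at the commit that
    introduced it instead of at a pre-release audit.
    """
    limit = SEVERITY_RANK[max_open_severity]
    blocking = sorted(f.finding_id for f in findings
                      if f.is_open and SEVERITY_RANK[f.severity] > limit)
    return {"passed": not blocking, "blocking": blocking}


def time_to_patch(findings: List[Finding]) -> Dict[str, float]:
    """Mean hours from detection to fix, per severity, over closed findings."""
    hours_by_sev: Dict[str, List[float]] = {}
    for f in findings:
        if not f.is_open:
            hours = (f.fixed_at - f.found_at).total_seconds() / 3600
            hours_by_sev.setdefault(f.severity, []).append(hours)
    return {sev: sum(v) / len(v) for sev, v in hours_by_sev.items()}


def overdue(findings: List[Finding], now: datetime) -> List[str]:
    """Open findings whose age already exceeds the SLA for their severity."""
    return sorted(f.finding_id for f in findings
                  if f.is_open
                  and (now - f.found_at).total_seconds() / 3600 > PATCH_SLA_HOURS[f.severity])


def summarize(records: List[dict], now_iso: str) -> dict:
    """One report a pipeline step could print or post: gate result plus metrics."""
    findings = parse_findings(records)
    return {
        "gate": gate(findings),
        "mean_hours_to_patch": time_to_patch(findings),
        "overdue": overdue(findings, datetime.fromisoformat(now_iso)),
    }


# Constructed sample scanner output (not real findings, not real components).
SAMPLE_RECORDS = [
    {"id": "F-1", "severity": "high", "component": "auth-service",
     "found_at": "2019-01-10T09:00:00", "fixed_at": "2019-01-11T09:00:00"},
    {"id": "F-2", "severity": "critical", "component": "payment-api",
     "found_at": "2019-01-12T10:00:00", "fixed_at": "2019-01-12T16:00:00"},
    {"id": "F-3", "severity": "medium", "component": "web-frontend",
     "found_at": "2019-01-20T00:00:00"},
    {"id": "F-4", "severity": "high", "component": "auth-service",
     "found_at": "2019-01-25T00:00:00"},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS, "2019-01-30T00:00:00"))
```

With the sample data the gate fails on F-4 (an open high-severity finding above the default medium threshold), the closed findings show a mean of 24 hours to patch highs and 6 hours for the critical, and F-4 is also flagged as past its 72-hour SLA. Lowering the gate to tolerate highs would let the build pass, which is exactly the kind of policy trade-off the shared-responsibility model above is meant to make visible rather than hide.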

By integrating security into the agile development process, organizations will be able to address security threats more effectively, in real time. Making security a shared responsibility between development, IT and security teams should help change the perception that security is a burden that slows down the agile process, while also sensitizing the entire team to the need for speed and agility in delivering new solutions to market.

To learn more about how to start implementing a DevSecOps process into your organization, read our blog next week.

Chris Mizell

Chris has spent 10 years in the application security space, with experience securing embedded, mobile and desktop-based applications. His work has spanned multiple industries including automotive, aviation, and financial services.
