Part 3: App Security Should Be An Integral Part Of Your DevSecOps Process — Not An Afterthought
Situations When DevSecOps Won’t Work
Though DevSecOps is getting more popular by the day, and has many benefits to an organization, there are certain projects which aren’t suitable for DevSecOps.
Typically, a successful DevSecOps process should be reserved for applications running in a zero-trust environment, i.e., applications that are deployed to the outside world, whether through app stores or on the public web.
What kind of applications or projects are not suitable for DevSecOps?
Legacy applications should typically be avoided when choosing which projects or applications to put through your organization's DevSecOps team. Instead, these applications should be assessed using a formal pen test. Often the source code for these applications is not readily available, or they were written by a third party. As such, they should be assessed by an external team for serious violations and remediated when resources and time permit.
Applications that will run within your organization's security perimeter or behind its physical walls, without access to the outside world, should also be avoided. These applications may contain weaknesses or fall short of traditional secure coding practices, but the risk of those weaknesses being exploited is significantly lower, as they would most likely never be reachable by a potential attacker. As such, the stringent requirements made for your public-facing applications can be deferred, and you can prioritize your DevSecOps efforts on protecting your most critical applications.
For internal applications, you may want to consider another approach to ensure secure deployment and a level of protection via an application management solution. Arxan offers a solution which does not require a device management solution. With an app beta testing solution, deployment options for any device, and the ability to customize compliance or security policies, it provides an easy way to manage and secure internal apps without having to use your new DevSecOps process.